Anomali’s slogan is “Tracking The Adversary,” or as I like to say it, “Tracking Your Adversary.” Many of my prospects and customers ask me, “How does your platform help me to track my adversaries?” My response is that it takes a lot more effort than what I typically demo. However, anyone who sets the right objectives for their Cyber Threat Intelligence (CTI) program and has the required resources available to run it, will experience the benefits that Threat Intelligence Platform’s (TIP) provide. In this article, I will explain the essentials steps that should be taken when it comes to “Tracking The Adversary.”
Identify Your Adversary
There are a lot of threat intelligence feed providers claiming that threat actors named on the lists they provide are your adversaries. While some of these threat actors are targeting the vertical your organization is in, you could consider them as “potential” adversaries until your organization has sufficient evidence showing that they are. Based on the risks stated in your organization’s threat landscape, select the threat intelligence feeds that will help mitigate these.
Once you have selected threat intelligence feeds, and these are consumed into your TIP, you should familiarize yourself with the content. Instead of just forwarding the indicators to your security control systems or to other organizations, you should ask yourself, “Is this information relevant to us?”
If the information is relevant, you should flag it for further analysis. If the information is irrelevant, you should flag it as “to be determined” or “insufficient for action.” The is a chance that irrelevant information could become meaningful based on your analysis of relevant information. Create rules in the TIP to alert on new relevant information. By automating this process, you will relieve the analysts’ workload. They will be able to avoid having to search through thousands of indicators consumed per day.
A vital step of being proactive is “contextualization.” Contextualization means to add additional context to the intelligence consumed into the TIP. In general, open source Intelligence (OSINT) lacks the necessary context to derive immediate value, whereas commercial feeds have been processed and analyzed to deliver the context needed to take action. However, the context provided by commercial feeds may not be appropriate to your threat landscape or satisfy your CTI objective. Therefore, it is good to define your own taxonomy within the TIP. Taxonomy should contain terms that are familiar to your organization or industry vertical. Your taxonomy will be definitely used for contextualizing the consumed threat intelligence.
There are three methods of contextualizing the intelligence in a TIP:
- Graph/Link Analysis
Drafting a report after you have completed an analysis is the standard method of providing a complete contextualized deliverable. The report should be shared within the organization, informing the pertinent teams of a threat or potential threat. It also can be shared with other organizations in the same vertical or with whomever it might be of interest to.
It is a common practice to tag indicators or any other entities in the threat data model. By leveraging a taxonomy to tag indicators or entities, the workflow processes are streamlined for the analysts who are analyzing a particular topic. Although tagging is a good method to contextualize intelligence, the context is only around one indicator or one entity. You cannot provide context to all related indicators or entities into a single tag.
One of my favorite methods of contextualizing intelligence in a TIP is using the Graph/Link Analysis. When the indicators and other entities are consumed in the TIP, they are like puzzle pieces. They are not always interconnected with other indicators or entities (except for threat reports). It is the task of the analysts to put these pieces together to illustrate the connection between indicators and entities. The end result illustrates the overall context of a potential or actual threat or adversary.
Today, the following three models are mainly used for Graph/Link Analysis:
- Structured Threat Information Exchange (STIX)
- The Diamond Model
- The Cyber Kill Chain
STIX is an industry standard used to structure threat intelligence, which can be shared via Trusted Automated Exchange of Intelligence (TAXII). The Diamond Model, my personal favorite, is a straightforward model that describes an adversary and its known capability used on a known infrastructure to target a victim. The following diagram illustrates the diamond model.
The “Cyber Kill Chain” is an industry-accepted methodology for understanding how an attacker will conduct the activities necessary to cause harm to an organization.
Threat Modeling in the TIP
In this example, I will show how we use the Diamond Model to represent the intelligence in the Anomali Threat Platform. Later on, I will explain the advantage of this approach.
I defined a broad rule in the TIP to search for any indicators that are hosted in the Netherlands. The indicator office[.]windown-update[.]com was flagged by my rule. Furthermore, this indicator was tagged with information that came from the feed provider and as well from automatic tagging rules we set up in the TIP.
The indicator is mapped to the infrastructure vertex of the Diamond Model. Now, my objective is to identify the remaining vertices in the Diamond Model, i.e. the adversary, the capability and the (targeted) victim. Easily, the following two questions come to mind:
- Who is behind this infrastructure (adversary)?
- Who is this infrastructure targeting (victim)?
After enriching this indicator and searching on the web for more information, I was able to identify the adversary (threat actor) and the targeted victims.
As I focused on the adversary vertex (Ocean Buffalo), I became curious to know what capabilities this adversary is using. Tactics, Techniques, and Procedures (TTPs) is another way of describing the capabilities of the adversary. The MITRE ATT&CK Framework is a knowledge base of adversary tactics and techniques. We have consumed the ATT&CK Framework in the TIP and they are illustrated as TTPs. By linking the adversary to the spearphishing TTP, my focus shifts to linking the targeted victim, which is the financial services sector. Normally, the name of the organization is listed. However, I chose to generalize the target. The end result is illustrated:
As you can see the model is a diamond shape. To further continue our investigation, we have expanded on the indicator office[.]windown-update[.]com by enriching it using Passive DNS. This returned an IP address. I enriched the IP address, which resolved to service[.]windown-update[.]com. By enriching this domain, it resolves to yet another IP address. I can continue this process, which will lead to a finite number of domains and IP addresses. For each new domain, I could associate these domains to the adversary. In this example, I decided to skip it and focus more on the adversary vertex.
As I now focus on the adversary vertex, I expanded all known capabilities of this adversary, which leads to the following:
My interest is to find any indicators (infrastructure) associated to these TTPs that map to this adversary. Selecting the masquerading TTP and expanding on it illustrates the following result:
Looking at the graph, we can see that there are two diamonds that contain the same adversary. This tells us the significance of this adversary. More importantly, the capabilities this adversary leverages when conducting malicious actions.
The cool thing about graphs is that we can apply analytics or machine learning algorithms that use graph-based algorithms. These algorithms provide us meaningful information on the graph-analysis we have created. Imagine, every new indicator or entity is automatically augmented to an existing graph, you are automatically informed of these new augmented indicators or entities. As an analyst, your focus shifts to your graph-analysis that has seen, for example, a 2 percent increase of new relevant indicators or entities. Another example is that the weight of the adversary being analyzed has increased due to an increase of the connected vertices. The TIP can leverage the following to graph-based queries to provide meaningful insight of the Graph/Link Analysis.
A simple query we can execute based on some known graph algorithms is, ”Find all cycles from a particular vertex.” This query is equivalent to, “Give me all indicators associated to the adversary with a path length n greater than 1.” The output will be a list of indicators. This provides meaningful information of on-going or new threats that your organization may face.
Path Between Two Vertices
Another query we can execute is, “Find two vertices that are connected.” This query is equivalent to, “Find two threat actors that are linked via a capability, infrastructure, or victim.” As new threat actors emerge, you can ask what are the chances that they are linked to the current threat actor that you are currently analyzing.
One query that is definitely beneficial to a large CTI team is, “Find all the islands in the graphs.” This is equivalent to, “Show me all Graph/Link Analysis in all investigations (cases) that do not overlap.” The result of this query will lead to the question, “How efficient are the analysts working or how many investigations could be merged into one?”
These queries provide key insights to the analysts to make informed decisions or adapt their CTI objectives based on the information discovered.
Identifying a potential adversary based on your threat landscape is a vital step you need to take in order to start tracking your adversary. Be objective and critical of the threat intelligence consumed in the TIP. Contextualizing the data in the TIP using graph/link analysis, illustrates way more context then tags and reports. The Diamond Model is a good method for graph/link analysis. Analytics and Machine Learning Algorithms may be applied to these models to answer the simple and complex questions concerning new threats.
If you are curious to know more about modeling in the TIP and the analytics that can be used, feel free to reach out to me by emailing Anomali.
About the Author
Gino Rombley is a Solutions Consultant based in The Netherlands. Gino has worked for several cyber security vendors, which provide enterprise solutions to solve complex business challenges. He is passionate on advising prospects and customers on how to enable and secure their business using the Anomali Threat Platform.