• Joe Slowik, Threat Intelligence & Hunter • Current: Dragos Adversary Hunter • Previous: • Los Alamos National Lab: IR Lead • US Navy: Information Warfare Officer • University of Chicago: Philosophy Drop-Out
• Typical Attribution • Purpose of Attribution • Defining Activity Groups • Behavior-Focused Attribution • Examples
• Attribution typically focuses on ‘who’ • Identify signifying details in data • Tie these back to a concrete entity
• Satisfies a primal human need • Who is responsible • Frames matters in a way that is easily understood • Actor X is responsible for Event Y
• Attribution is really hard! • Typically collection only consists of technical artifacts • Obscures underlying actions and events • Leads to cognitive bias • Of course Country X performed action Y
• Attribution can get ‘just far enough’ to blame a ‘country’ • And take the resulting media ‘bump’ • But not far enough to develop meaningful breakdown of responsibility
• What does knowing Country X is responsible for Event Y tell you? • From a network defense perspective: • Likely nothing • Or, potentially damaging due to assumptions about Country X
• Determining who is responsible has specific value – but not for defense • Identifying how an attack took place informs network defense
• Align resources, identify TTPs, focus defense • If it doesn’t inform or benefit defense, what’s the point?
Attack Takes Place: • Capture Data • Record Context
Analysis & Production: • Transition Data to Information • Formulate Conclusions
Develop Conception of Adversary: • How Does Adversary Act? • What are Targets, Intentions, and Infrastructure?
Intelligence: • Track how the adversary operates • Learn to anticipate activity
Playbooks: • Based on actions, define responses • Create SOPs for defense
Remediation: • Knowing capabilities informs response • Reduce time to remediation
• Ultimately: • Prepare and enable defenders • Improve defenses, anticipate attacks • Other items are superfluous • Flashy media headlines • Provocative stories
• Methodology for defining actors by actions • Distinct from traditional attribution: • Focus on the how • The who is in many ways irrelevant
• Focus on observable items from events • Avoids speculation, inferring intention • Resulting picture is a composite for how an attack took place
Organization diagram: Command Authority • Development Teams • Operations Group A • Operations Group B • Operations Group C
• Traditional attribution focuses on readily observed items: • Malware • C2 • As a result, focuses on development teams • Less relevance to operations
• Operations teams can mean many things: • Different military units • Contractors • Etc. • Main point: different elements implementing common capabilities
• Different operations teams can use similar toolset for different operations • Behavioral approach enables operations tracking • Goal: identify operations teams by behavior and objective
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
Diamond model vertices as annotated on the slide:
• Adversary – the ‘who’, just one part of the whole
• Capability – what enables the attack, relevant to the target environment
• Infrastructure – the required connection between adversary and victim
• Victim – purpose and focus for the action
• Analysis primarily focuses on technical observations: • Infrastructure • Capabilities • ‘Adversary’ can be abstracted, ‘victim’ useful for parsing campaigns
• The means through which a capability is executed • Provides the link from Adversary to Victim • Can be characterized as atomic or behavioral
• Typical ‘IOCs’: • IP addresses • Domain names • Relevant to an identified event • Not helpful for characterizing future activity
• Trends and patterns • Less likely to change, longer lasting • Examples: • SSL certificate creation • Infrastructure types and themes
• Compromised vs. Owned Infrastructure • Hosting and registration patterns • SSL certificate re-use
• What an adversary utilizes to achieve objective against victim • Primarily behavioral in nature when properly implemented • Can include indications of intent
• An ‘atomic capability’ is simply an observation from a specific instantiation of that capability • Examples: • Hash value • File name • Easily changed, highly mutable
• True understanding of capability gained by analyzing behaviors • How does the adversary operate • What actions are typically performed • Goal is to build a picture of adversary operations
• Intrusion techniques – malware vs. ‘living off the land’ • Coding and deployment consistencies • Tendencies for persistence, clearing artifacts
• Characterize adversary activity • Identify commonalities and general trends • Build a profile based upon observed behavior • Design detections and alerts around observations
• Leverage available evidence to group and define activities • Differentiation: two or more unique vertices of diamond model
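The grouping rule above (differentiation by two or more unique Diamond vertices) and the atomic-versus-behavioral distinction from the preceding slides, worked as an added Python example; this is not code from the talk or from Dragos. The event names, feature labels, the Jaccard threshold of 0.2 and the atomic values are all constructed for illustration and only loosely follow the two TTP sets contrasted later in the deck.

```python
from dataclasses import dataclass, field
from itertools import combinations

# The four Diamond Model vertices, as used in the slides.
VERTICES = ("adversary", "infrastructure", "capability", "victim")


@dataclass
class IntrusionEvent:
    """One analysed intrusion, described by behavioural features per vertex.
    Atomic observables (IPs, hashes) are kept apart so the two can be compared."""
    name: str
    adversary: set = field(default_factory=set)
    infrastructure: set = field(default_factory=set)
    capability: set = field(default_factory=set)
    victim: set = field(default_factory=set)
    atomic: set = field(default_factory=set)  # IPs, hashes, file names from this event


def jaccard(a, b):
    # Similarity of two feature sets; two empty sets count as identical.
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def differing_vertices(x, y, threshold=0.2):
    """Vertices whose behavioural features barely overlap between two events
    (threshold is an assumed tuning value, not from the talk)."""
    return [v for v in VERTICES if jaccard(getattr(x, v), getattr(y, v)) < threshold]


def same_activity_group(x, y, min_differing=2):
    # Slide rule: two or more unique vertices separate events into distinct groups.
    return len(differing_vertices(x, y)) < min_differing


def atomic_overlap(x, y):
    """Shared IPs/hashes: all an IOC-only comparison would have to go on."""
    return x.atomic & y.atomic


def cluster_events(events, min_differing=2):
    """Union-find over pairwise decisions; returns activity groups as sorted name lists."""
    parent = {e.name: e.name for e in events}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for a, b in combinations(events, 2):
        if same_activity_group(a, b, min_differing):
            parent[find(a.name)] = find(b.name)
    groups = {}
    for e in events:
        groups.setdefault(find(e.name), []).append(e.name)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample events (hypothetical names, documentation-range IPs,
# placeholder hashes). Two share implant-style tradecraft and ICS-wide targeting;
# the third lives off the land against a narrower energy-sector victim set.
SAMPLE_EVENTS = [
    IntrusionEvent("implant-intrusion-1",
                   adversary={"state-directed"},
                   infrastructure={"phishing", "strategic-web-compromise", "owned-c2"},
                   capability={"custom-rat", "custom-backdoor", "credential-tool-with-mimikatz"},
                   victim={"US", "Europe", "Turkey", "ICS-broad"},
                   atomic={"203.0.113.10", "sha256:PLACEHOLDER-A"}),
    IntrusionEvent("implant-intrusion-2",
                   adversary={"state-directed"},
                   infrastructure={"phishing", "strategic-web-compromise", "owned-c2"},
                   capability={"custom-rat", "custom-backdoor", "document-harvesting"},
                   victim={"US", "Europe", "ICS-broad"},
                   atomic={"203.0.113.22", "sha256:PLACEHOLDER-B"}),
    IntrusionEvent("lotl-intrusion",
                   adversary={"state-directed"},
                   infrastructure={"phishing", "strategic-web-compromise", "rdp-transfer"},
                   capability={"script-credential-capture", "lnk-icon-credential-capture",
                               "public-password-cracker"},
                   victim={"US", "UK", "Ireland", "energy"},
                   atomic={"198.51.100.7", "sha256:PLACEHOLDER-C"}),
]


def group_sample():
    return cluster_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    e1, e2, e3 = SAMPLE_EVENTS
    print("activity groups:", group_sample())
    print("atomic overlap between 1 and 2:", atomic_overlap(e1, e2))
    print("vertices separating 1 and 3:", differing_vertices(e1, e3))
```

The first two events share no IP or hash at all, so an IOC-driven comparison would never have linked them; behaviourally they differ on no vertex and land in one group. The third shares the same initial-access infrastructure vertex but differs on both capability and victim, which is exactly the two-vertex condition the slide gives for keeping it separate.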
• Multiple reporting on Russian infiltration of US energy companies in summer 2017 • Eventually combined several distinct attacks into one campaign • Resulting picture muddies situation for defenders
Reporting timeline: • July 2017: ALLANITE • October 2017: DYMALLOY • October 2017: TA-293A • March 2018: TA-074A
Activity timeline: • 2013-2014: DRAGONFLY • Dec 2015 – Mar 2017: DYMALLOY • May 2017 - ?: ALLANITE
Initial Access: • Phishing • Strategic website compromise
Deploy Implants: • RATs: Karagany.B, Heriplor • Backdoors: DorShel, Goodor
Information Collection: • Mimikatz integrated into broader credential capture tool • Framework for harvesting documents, intelligence info
Initial Access: • Phishing • Strategic website compromise
Leverage Scripts and System Commands: • Credential capture and re-use • Unique LNK icon image to ensure continued credential capture
Information Collection: • Various publicly-available password cracking frameworks • RDP for connectivity and transfer
word/_rels/settings.xml.rels: Target="file://5.153.58.45/Normal.dotm"
word/_rels/settings.xml.rels: Target="file://62.8.193.206/Normal.dotm"
word/_rels/settings.xml.rels: Target="file://62.8.193.206/Normal.dotm"
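A defender-side check for the observation above, added here as an example and not code from the talk or from Dragos: the settings.xml.rels Target values shown are attached-template relationships, which make Word fetch Normal.dotm from the named host when the document opens. The scanner below walks every .rels part of a .docx package and flags relationship targets that resolve to a remote host (UNC, file:// with a host, or http/https/ftp) while leaving the usual local file:///C:/... template path alone, which is the kind of detection the earlier slide asks to design around observed behaviour. The sample document is constructed in memory; the first scanned target is the IP from the slide, the local path is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML package-relationships namespace (every *.rels part uses it).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target):
    """True when resolving the target makes Word contact another host:
    a UNC path, a file:// URL with a host component, or an http(s)/ftp URL.
    A local file:///C:/... path (where Normal.dotm normally lives) is not flagged."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    return scheme == "file" and bool(parsed.hostname)


def target_host(target):
    """Host the target would be fetched from, for triage and blocking."""
    if target.startswith("\\\\"):
        return target.lstrip("\\").split("\\")[0]
    return urlparse(target).hostname or ""


def external_relationships(docx_bytes):
    """Scan every *.rels part of an OOXML package and return the relationships
    whose Target points at a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if is_remote_target(target):
                    findings.append({
                        "part": part,
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                        "host": target_host(target),
                    })
    return findings


def build_sample_docx(template_target):
    """Constructed minimal .docx: only the parts the scanner needs, with an
    attached-template relationship pointing at template_target."""
    settings_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        f'</Relationships>')
    document_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" '
        f'Target="settings.xml"/></Relationships>')  # internal link, must not be flagged
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", f'<w:document xmlns:w="{wml}"/>')
        pkg.writestr("word/settings.xml", f'<w:settings xmlns:w="{wml}"/>')
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def scan_sample(template_target):
    return external_relationships(build_sample_docx(template_target))


if __name__ == "__main__":
    # Target value taken from the slide; the local path is a placeholder.
    for t in ("file://5.153.58.45/Normal.dotm",
              "file:///C:/Users/PLACEHOLDER/AppData/Roaming/Microsoft/Templates/Normal.dotm"):
        print(t, "->", scan_sample(t))
```

Running the scan over a mail gateway's attachment stream, or over the document cache after an incident, turns the slide's one-off observation into a repeatable check; the host field is what goes into the block list or the hunt query, and the internal settings.xml relationship in the sample shows that ordinary package links do not raise noise.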
• DYMALLOY: • US, Europe, Turkey • Broad ICS targeting • ALLANITE: • US, UK and possibly Ireland • Energy sector
• DYMALLOY and ALLANITE look substantially different from each other • May be related, one may be evolution of the other • BUT based on available evidence, they are not the same
• Different targeting and techniques mean different responses, defense plans • Shift in targeting indicates change in tasking or priorities • Combining the two as one potentially impairs planning
• Dragonfly, DYMALLOY, ALLANITE – may all be the same ‘adversary’ but different teams • Different TTPs and targeting over time requires different defensive measures • Tracking OPS teams subordinate to larger entity
• COVELLITE initially discovered September 2017 • Targeted phishing of US electric companies • Review of TTPs indicated strong overlap with LAZARUS Group
• ‘LAZARUS Group’ is increasingly a catch-all for DPRK-linked activity • Ranges from disruption to intelligence collection to theft • Active in many forms since at least 2012
• Multiple technical overlaps: • Malicious document dropper format • Malware code, functionality • Infrastructure overlap: • Use of compromised, legit systems • Re-use of IPs across campaigns
• Phishing with malicious document attachment • Embedded EXE built via macros • EXE beacons via fake-TLS connection to compromised C2 servers
• Overlap in capabilities • Some unique aspects in COVELLITE • Multiple beacon IPs • Unique variant of phishing document • Otherwise very similar
• ‘LAZARUS’ simply encompasses too much activity • Makes tracking, identifying, and defending difficult • Multiple operations combined as a single group
• Ensure coverage against actionable, relevant threats • Don’t waste resources on unlikely items • Focus on threat model • LAZARUS approach is too broad in scope for meaningful defense
• COVELLITE is very specific in targeting • Focus on electric utilities • Overlap in TTPs can be distinguished by uniqueness in targeting • Filter TTPs only related to non-ICS LAZARUS actions
• Break apart activity into component parts • Track what matters • Focus defense on what fits threat model
• Break down entities: • Operational groups • Specific campaigns • TTP variants • Not all iterations will follow the same pattern