Posted
Research One: A ThreatConnect Story
We’re excited to announce the availability of our newest product: TC Identify™, a threat-driven, context-enriched intelligence source provided through, and enabled by the ThreatConnect Platform. As we are wont to do with many of our notable announcements, we decided to draw a corollary to the Star Wars universe.
Wait a minute… I’ve just received word that ThreatConnect is now using Princess Bride themes. Well that’s silly, there’s only one of those movies and the scariest villains in the movie are Rodents of Unusual Size. How are we supposed to apply threat intelligence to the ROUS and the Fire Swamp? INCONCEIVABLE! You know what, we’re sticking with Star Wars because that’s what we know (and love).
We admit that we reference the Star Wars movies a lot (too much?), because of both our nerdy love for the movies and their applicability to real-world threat intelligence issues. The most recent movie, Rogue One: A Star Wars Story, is no exception. In fact, it is incredibly relevant to our newest product. **SPOILER ALERT**: In case you haven’t seen it, Rogue One follows the story of a rag tag group of individuals from different planets and backgrounds that reluctantly come together in pursuit of intelligence on the Empire that informs the Rebellion’s future attack plans. The members of the group all have different capabilities and strengths that impact the mission, ranging from the jilted yet determined heroine; a Force-loving, blind monk; and a snarky reprogrammed Empire droid.
Whereas both the Rebellion and Empire in many other Star Wars movies often significantly miss opportunities to leverage threat intelligence to accomplish their objectives (more on that later), it’s front and center in Rogue One. There are plenty of explosions and action sequences, but unlike the other movies, the pinnacle of Rogue One isn’t the destruction of a planet-killing death machine. This film is unique in that the mission objective is garnering intelligence on the Empire and transferring it to the Rebellion.
Our objective with TC Identify is similar. The ThreatConnect Research team, a similar amalgamation of personalities and capabilities, seeks to identify and provide intelligence on a range of adversaries that operate against a variety of targets around the world. We exploit knowledge of adversaries’ tactics to identify their capabilities and infrastructure, and then supply enriched indicators that detail context going above and beyond indicators of compromise (IOCs) typically provided by intelligence feeds. Ultimately, our adversary research seeks to enable an organization to implement intelligence-driven defense by providing intelligence and enriched indicators on pertinent advanced persistent threats (APTs) and cyber criminals.
The Diamond Model and Exploiting the Adversary
There’s something that really irks us about Star Wars Episodes V – VII. Did you ever notice how the Rebellion and the Republic fail to recognize that a moon-sized planet-killing laser machine is the Empire’s go-to capability? After the initial Death Star is destroyed, the Empire is still able to build two additional, functional equivalents. The good guys really fail to exploit their adversary’s tactics and ultimately wind up scrambling to disable the Empire’s greatest capabilities.
The Diamond Model below shows the Empire’s capabilities and infrastructure, as well as the dependencies or tactics that enable them.
The dependencies here, and for real-world cyber events, are exploitable aspects of the adversary’s activities that can be researched and leveraged to enable proactive defensive efforts. For example, Rebel/Republic threat intelligence analysts could have researched and monitored planets with Kyber crystal sources to identify where the Empire was mining, and potentially the location where the death machine was being built. Conversely, reconnaissance probe droids deployed around systems with Republican or Rebellion strongholds may have helped identify the presence of a death machine in the system before it was put to use. Can you imagine if the Rebellion or the Republic had actually used this threat intelligence to stop the Empire early in their construction process or even hamper the Empire’s ability to build it at all? The movies wouldn’t have been as exciting, but a couple of Republic planets would still be around.
Similarly, ThreatConnect Research seeks to exploit knowledge of the adversary and their capabilities, infrastructure, targets, and relevant tactics to proactively identify, and potentially predict, indicators for their activity. TC Identify is the output of our adversary research, the malware they are using, and the infrastructure they are leveraging.
Getting Closer to the Adversary
Now consider a more realistic, general Diamond Model summarizing a cyber adversary’s activity.
TC Identify is the output of ThreatConnect’s efforts to exploit adversary tactics. Focusing on the adversary’s malware, we might identify hashes for variations of openly available crimeware or a spear phishing platform that an APT used to target individuals in a political organization. Conversely, looking at an adversary’s infrastructure, we might identify other domains they have registered or IPs they’ve used based on registration information or associated name servers.
Malware Hunting
ThreatConnect Research has developed a system and processes to ingest thousands of malware samples from hundreds of signatures for APT groups and crimeware. The team employs reverse engineering and malware analysis techniques against these samples to identify unique aspects of the malware and corresponding callback infrastructure that go beyond what might typically be provided in an intelligence feed. The enriched indicators from these hunting efforts are then provided in TC Identify.
For example, our February 2015 research into the Anthem BCBS attack led us to indicators for the US Office of Personnel Management (OPM) attack that wouldn’t be announced until June. In reviewing an incident targeting Department of Defense contractor VAE, Inc., through sandboxing and reverse engineering we identified a Derusbi / Sakula malware sample that was signed with the same DTOPTOOLZ Co. digital signature used in the Anthem attack. This malware was configured to communicate with the IP 192.199.254[.]126 and spoofed infrastructure (sharepoint-vaeit[.]com) masquerading as internal resources for VAE, Inc. As was the case with the Anthem attack (we11point[.]com and prennera[.]com), the VAE, Inc. incident is believed to be associated with Chinese APT espionage activity.
The Research team reviewed the IP and domain identified from the malware callbacks. One notable pattern we identified was how the domain Whois registration information for the VAE, Inc.-themed infrastructure was quickly updated and obfuscated with pseudo-random 10 character gmx.com email addresses and used the names of various comic book characters. This comic-themed naming convention had been previously documented by our friends at Crowdstrike in activity associated with a Chinese APT group they dubbed DEEP PANDA.
Leveraging our DomainTools partnership to exploit this tactic, we were then able to identify the domain opm-learning[.]org. This domain was also purportedly registered by the Iron Man movie hero “Tony Stark” on July 28, 2014. At the time, we lacked any specific sample of malware to verify our initial suspicions that this infrastructure was operational, but several months later the domain resurfaced when the OPM breach was announced. This example highlights the utility of using reverse engineering and malware analysis to identify the capabilities and infrastructure that are being used in campaigns. From there, we pivot to additional indicators associated with the adversary, get closer to the adversary, and ultimately minimize the delta between operations and identification
Infrastructure Hunting
Whenever we come across infrastructure being leveraged by an APT or crimeware, we pour into that infrastructure to identify additional infrastructure that the adversary is using, or has registered but is not yet operational. For domains, we’ll look at the IP hosting history and WHOIS information for the email registrant, registrar, name servers, phone numbers, address, creation dates, etc. to identify any unique pivot points that may lead us to other IPs or domains associated with the adversary. For IP addresses identified as part of malicious activity, we’ll take a look at their hosting history to identify domains they’ve hosted during the timeframe of the malicious activity, co-located domains, and other IPs hosting similar domains to proactively identify other infrastructure the adversary is using.
By way of example, consider the research we did into the Democratic National Committee attack. Through researching an IP address identified in the CrowdStrike report on FANCY BEAR’s DNC activity, we identified the domain misdepatrment[.]com, which spoofs an IT contractor the DNC used. Further delving into registration information for misdepatrment[.]com, we identified name servers, like bitcoin-dns[.]hosting, that were hosting concentrations of FANCY BEAR domains. Upon reviewing other FANCY BEAR activity, we identified several small and seemingly-random name servers that FANCY BEAR domains used. This was an aspect of the adversary’s tactics that we could exploit and, in doing so, get closer to the genesis of their infrastructure. In essence, it allowed us to provide enriched indicators for and alert on newly-registered domains using those name servers that also had other consistencies with FANCY BEAR activity.
What does it look like?
We’ve mentioned this idea of enriched indicators several times at this point in the post, and we’ve previously mentioned them in a blog on GRIZZLY STEPPE too. Most intelligence feeds provide unenriched IOCs that might indicate the associated adversary, but generally don’t detail how/when the indicator was identified, its threat or confidence rating, or relevant adversarial information – also known as context. TC Identify is driven by and provides enriched indicators that contain this additional detail enabling organizations’ cybersecurity efforts beyond what a typical intelligence feed can do.
The screenshot below shows an entry for a recently-identified indicator provided by the Research team. The description, details, tags, and associations for this domain provide context for how and why we identified the domain, our confidence and threat rating for the domain, and what its other associated indicators and groups are.
The intelligence that we provide in TC Identify isn’t limited to enriched indicators. We’ve also generated profiles for dozens of threat groups and adversaries based on our own research and open source intelligence. Below is a screenshot from our entry on EMISSARY PANDA, which provides a significant amount of context on the adversary, their capabilities and attack patterns, aliases, origin, the associated incidents and campaigns, and external sources for additional context.
These entries typify the intelligence that is provided through TC Identify and how organizations can use it as both a tactical and strategic intelligence source when defending their digital assets.
Conclusion
Indicators aren’t always binary; there’s an important area between good and bad on which threat intelligence should capitalize. Let’s call a spade a spade and make a somewhat bold statement: In some cases, we won’t know if the indicators that we identify are actually, currently malicious. We think that if that’s what you’re looking for, then you’re already a step behind the adversary and playing catch-up. Instead, we seek to exploit adversary tactics to identify indicators consistent with the adversaries’ attack patterns while minimizing false positives and capturing appropriate confidence and threat ratings for each indicator.
TC Identify provides vetted, actionable threat intelligence compiled from more than 100 open source feeds, crowdsourced intelligence from within our dozens of communities, the ThreatConnect Research Team, and the option to add intelligence from any of our TC Exchange™ partners. Ultimately, our aim is to minimize the time between when capabilities or infrastructure are acquired by the adversary and the time those indicators are identified and exploited for defensive purposes.