Modern Cyber Defense — Part 3 — Cyber Threat Intelligence

Sanjeev Singh
10 min read · Feb 15, 2021

In continuation of my modern cyber defense series, this article explores the use of Cyber Threat Intelligence (CTI) in a modern SOC. CTI has changed how SOCs operate over the last few years, but despite being a potential game changer, I have seen many flawed implementations that leave their users dissatisfied.

Read the earlier articles here:
- Part 1
- Part 2

The typical manner of CTI implementation in a SOC has been to source Indicators of Compromise (IoCs) such as IP addresses, file hashes, domains and URIs from free or commercial feeds and push them into the deny lists of security tools. This is the WRONG WAY!

Let’s talk software testing. Broadly, it comprises static and dynamic testing. Why not only one? Why not only static? Because static analysis misses run-time behaviour, which matters just as much.

Apply the same principle to threat intelligence. Why should a static IoC discovered by someone else be good enough (even if it was purchased for a considerable sum of money)? Why should there not be dynamic threat intelligence as well? That is what this article explores.

Attackers are not stupid. They evolve all the time, and typically faster than cyber defenders. We are in the midst of one such evolution. Enterprises are not the only ones realizing the benefits of cloud-based services; attackers are too. Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) are just two such markets that let non-technical malicious actors rent highly effective tooling, supply a few basic details and customize the tool for their target. Every customized build ships with its own hashes, domains and infrastructure, so each attack carries a fresh signature and will typically bypass static indicator-based detection. The IT Pro article linked below covers this aspect in good detail.

Similarly, want your own ransomware but have no coding skills? No problem. You can buy ransomware in various flavours, just like buying your next antivirus or Microsoft 365 subscription. There is no real barrier to entry.

Life is definitely improving for the attacker. On the other side, security monitoring professionals are buried under tons of alerts, most of them false positives. This leads to frustration and a drop in the quality of triage and analysis.

The problem? We treat the SOC as a product rather than a process that needs to mature. Because we bought some next-gen products, we think we are safe. Nothing could be farther from the truth, but doing the right thing is hard. Continuous tuning of a SOC requires experts, who are unfortunately lacking in many implementations.

This is the situation into which a new brand of super solution arrives, promising to solve all the problems (just like every other cyber security product). Cyber threat intel feeds are a dime a dozen, both free and commercial. They promise that once integrated with the SOC, the false positive rate will drop. They provide lists of IoCs (IP addresses, URIs, domains, file hashes and so on) tied to known malicious actors that the vendor has observed somewhere in the world. Why is that important to you? Just because there is a bad actor somewhere in the world, does it apply to you? When was that indicator discovered? Is it still relevant? Think about it.

This is the wrong way to implement Cyber Threat Intelligence (CTI). CTI is much more than static IoCs.

Human beings have been taught since childhood to stay away from bad things and avoid them, so “deny listing” comes naturally to us. That is our collective psychology, and almost all traditional cyber security solutions followed it. We took a bunch of known bad and blocklisted it at the perimeter. Yet the world kept getting pwned at an ever-growing rate. Why? Attackers love blocklists because they know how to bypass them: change the hash, the domain or the IP address and the list is blind again. Can we possibly know everything bad in the world and block it? Food for thought.

Hat tip to David Bianco for conceiving the “Pyramid of Pain” (see below). The more useful the threat data, the more difficult (or painful) it is to obtain and integrate into workflows. Imagine a pyramid formed by the value of threat data plotted against the level of integration difficulty:

Pyramid of Pain

At the top of the pyramid sit the attacker’s tools and, above them, their TTPs. These are the most painful indicators to detect and verify, but also the most useful for understanding a threat actor’s context, intentions and methods well enough to respond. The bottom of the pyramid (hash values, IP addresses, domain names) is trivial and promises an easy win.

The Pyramid of Pain applies to attackers as well. It is trivial for them to recompile malware or rotate IP addresses and hashes, but really difficult to change their TTPs. Moreover, they usually do not have to, because most defenders have not reached the maturity needed to detect on TTPs.

IoCs are not the only way to implement CTI; the options range from behaviour-based threat intelligence to attack surface monitoring. But the most prevalent is still the IoC, which sits at the bottom of the Pyramid of Pain and is the least effective from a blocklisting perspective. The chart below, from the SANS CTI Survey 2019, shows IoCs as the most popular implementation of CTI.

Source: SANS CTI Survey 2019 (https://www.sans.org/reading-room/whitepapers/analyst/evolution-cyber-threat-intelligence-cti-2019-cti-survey-38790)

Consider this: the 2015 Verizon DBIR included an analysis of threat intel feeds and found that many of them do not overlap (!). Huh? The research showed that inbound feeds (scanning, spam and the like) overlap a lot (not surprising), while outbound feeds (exfiltration, malware C&C) do not (again, not surprising).

But pause and think for a moment. Has the situation changed? Yes, absolutely: it has become much worse. Cloud computing gives attackers a globally scalable, boundary-less environment in which to stage their attacks and trivially rotate their IoCs.

However, IoCs are not useless. Pushed into enforcement points such as firewalls and proxies they provide adequate value, but their contribution to the SOC in a broader sense is suspect. Where they earn their keep is enrichment: attaching source, age and context to an alert as part of wider analysis and triage.
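The questions above (do the feeds agree, how old is the indicator, should it enrich or block) can be answered mechanically before a feed is wired into anything. The following is an added example, not code from the article or from any feed vendor. The feed names, the indicators (RFC 5737 test ranges and .example domains) and the first-seen dates are constructed placeholders, and the block/enrich policy in `enrich()` is illustrative, not a recommendation from the article.

```python
"""Added example, not code from the article: scoring IoC feeds before anyone
puts them into a deny list. Feed names, indicators (RFC 5737 test ranges and
.example domains) and first-seen dates are constructed placeholders."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 2, 15, tzinfo=timezone.utc)  # assumed "today"


def days_ago(n):
    return NOW - timedelta(days=n)


# indicator -> first_seen. Real feeds also carry type and confidence; omitted.
FEEDS = {
    "feed_a": {"203.0.113.10": days_ago(2), "203.0.113.11": days_ago(400),
               "c2-a.example": days_ago(9)},
    "feed_b": {"203.0.113.10": days_ago(5), "198.51.100.7": days_ago(1),
               "c2-b.example": days_ago(30)},
    "feed_c": {"203.0.113.10": days_ago(3), "203.0.113.11": days_ago(365),
               "scanner.example": days_ago(0)},
}


def jaccard(a, b):
    """Share of indicators two feeds have in common (0 = disjoint, 1 = identical)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def pairwise_overlap(feeds):
    """The DBIR-style check: how much do the feeds you pay for actually agree?"""
    names = sorted(feeds)
    return {(x, y): round(jaccard(feeds[x], feeds[y]), 2)
            for i, x in enumerate(names) for y in names[i + 1:]}


def stale_fraction(feed, max_age_days=90):
    """Fraction of a feed older than max_age_days; attackers rotate far faster."""
    stale = [i for i, seen in feed.items() if (NOW - seen).days > max_age_days]
    return round(len(stale) / len(feed), 2)


def enrich(indicator, feeds, max_age_days=90, block_min_sources=2):
    """Attach feed context to one observed indicator and suggest a disposition.
    Illustrative policy: auto-block only when several feeds agree and the
    sighting is recent; a lone or aged hit is context for the analyst, not a rule."""
    hits = {name: (NOW - feed[indicator]).days
            for name, feed in feeds.items() if indicator in feed}
    fresh = [name for name, age in hits.items() if age <= max_age_days]
    if len(fresh) >= block_min_sources:
        action = "block"
    elif hits:
        action = "enrich_only"
    else:
        action = "no_intel"
    return {"indicator": indicator, "sources": hits, "fresh": fresh, "action": action}


if __name__ == "__main__":
    print(pairwise_overlap(FEEDS))
    for name, feed in FEEDS.items():
        print(name, "stale fraction:", stale_fraction(feed))
    for ioc in ("203.0.113.10", "203.0.113.11", "192.0.2.1"):
        print(enrich(ioc, FEEDS))
```

With these constructed feeds the pairwise Jaccard overlap is 0.2 to 0.5, a third of two of the feeds is older than 90 days, and the same IP gets “block” when three feeds saw it recently but only “enrich_only” when the sightings are a year old. The thresholds (90 days, two agreeing sources) are knobs to set per environment, not constants from the article.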

If blacklisting, or “deny listing”, based on IoCs is not the right approach, then what is? Let us explore that.

The right way to consume threat intelligence in a SOC is through behaviours, and this is where the MITRE ATT&CK framework is worth its weight in gold. TTP-based threat intelligence was extremely challenging in the past; the ATT&CK matrix documents attacker behaviours so well that defenders can focus their attention on the techniques that actually affect them.

It’s a great canvas, capturing almost all known attacker behaviour as tactics, techniques and sub-techniques. The vast majority of attacks, including targeted ones, will use one or more of the behaviours listed in the ATT&CK matrix. Behaviour-based detections are better than static indicators matched by string search because threat actors repeat the same behaviours all the time. Attackers do not typically come up with new TTPs. Why? Because they do not need to. If lazy works, why do the hard work?

As defenders, if we detect on TTPs we do not need a different set of static IoCs for every threat actor out there, and we gain the ability to catch unknown attacks for which no signature exists. So what should we be detecting? Things like:

  • C2 detection: almost all modern malware calls back to the attacker. Detecting that call-back is likely to catch a lot of known and unknown badness. But many legitimate tools (update checks, telemetry, monitoring agents) exhibit the same behaviour, so careful tuning is essential.
  • UEBA, behaviour-based detection: using ML techniques, UEBA baselines user and entity behaviour from large data sets, then alerts and assigns risk scores when activity deviates anomalously from that baseline.
  • Lateral movement detection: almost every malware will do this because it wants to spread. What if we looked for this behaviour rather than for specific threat actors via static indicators? We would potentially catch far more badness. Below is a great JPCERT/CC paper on doing exactly this with Windows event logs. https://www.jpcert.or.jp/english/pub/sr/DetectingLateralMovementThroughTrackingEventLogs_version2.pdf
JPCERT/CC: Detecting Lateral Movement through Tracking Event Logs
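To make the first and third bullets concrete, here is an added example (not code from the article or from JPCERT) of two behaviour-based detections run over constructed sample logs. It flags a proxy client whose requests arrive on a machine-regular timer (C2 beaconing) and a user account that network-logs-on to many hosts in a few minutes and is followed by a service install on one of them (the PsExec-style chain the JPCERT paper tracks through events 4624 and 7045). All IPs, hosts, users, domains and timestamps are placeholders, the thresholds are starting points to tune, and the ATT&CK IDs in the comments are my mapping rather than the article’s.

```python
"""Added example, not code from the article: two behaviour-based detections run
over constructed sample logs. IPs, hosts, users, domains and timestamps are
placeholders; the ATT&CK IDs in comments are my mapping, not the article's."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2021, 2, 15, 9, 0, 0)


def ts(seconds):
    return T0 + timedelta(seconds=seconds)


# --- C2 beaconing (ATT&CK T1071, Application Layer Protocol) ----------------
# Constructed proxy log: (time, src_ip, dst_host). 10.0.0.5 polls one host every
# ~60 s with a little jitter; 10.0.0.6 is an interactive user browsing.
PROXY_LOG = (
    [(ts(60 * i + (i % 3) - 1), "10.0.0.5", "cdn-update.example") for i in range(12)]
    + [(ts(s), "10.0.0.6", "intranet.example")
       for s in (5, 9, 140, 152, 400, 415, 900, 960, 1300, 1310, 1400, 2000)]
)


def beacon_candidates(log, min_hits=8, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-request gaps are machine-regular.
    Coefficient of variation (stdev / mean) near 0 means a fixed sleep timer;
    real users are bursty. No hash, IP or domain is needed for this to fire,
    which is also why update agents hit it and need an allowlist."""
    by_pair = defaultdict(list)
    for t, src, dst in log:
        by_pair[(src, dst)].append(t)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged


# --- Lateral movement (ATT&CK T1021 Remote Services; T1569.002 Service Execution)
# Constructed Windows events using the fields the JPCERT paper tracks: 4624 with
# logon type 3 (network logon) and 7045 (new service installed on the target).
def logon(sec, user, src, host):
    return {"time": ts(sec), "id": 4624, "type": 3, "user": user, "src": src, "host": host}


WIN_EVENTS = [
    logon(100, "alice", "10.0.0.5", "FS01"),
    logon(120, "alice", "10.0.0.5", "WS07"),
    {"time": ts(130), "id": 7045, "host": "WS07", "service": "PSEXESVC"},
    logon(150, "alice", "10.0.0.5", "WS08"),
    logon(180, "alice", "10.0.0.5", "WS09"),
    logon(200, "svc_backup", "10.0.0.20", "FS01"),
    logon(240, "alice", "10.0.0.5", "DC01"),
    logon(260, "svc_backup", "10.0.0.20", "FS02"),
]


def lateral_movement(events, fan_out=4, window=timedelta(minutes=10),
                     svc_gap=timedelta(minutes=5)):
    """Two behaviours, neither tied to an actor or a tool name:
    1. fan-out: one (user, source) network-logs-on to many hosts in a short window;
    2. a network logon followed shortly by a service install on the same host,
       regardless of what the service is called (renaming PsExec does not help)."""
    findings = []
    logons = [e for e in events if e["id"] == 4624 and e["type"] == 3]
    by_actor = defaultdict(list)
    for e in logons:
        by_actor[(e["user"], e["src"])].append(e)
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= fan_out:
                findings.append(("fan_out", user, src, sorted(hosts)))
                break
    for svc in (e for e in events if e["id"] == 7045):
        for lg in logons:
            if lg["host"] == svc["host"] and timedelta(0) <= svc["time"] - lg["time"] <= svc_gap:
                findings.append(("remote_service_exec", lg["user"], lg["src"],
                                 svc["host"], svc["service"]))
                break
    return findings


if __name__ == "__main__":
    print(beacon_candidates(PROXY_LOG))
    for finding in lateral_movement(WIN_EVENTS):
        print(finding)
```

On the sample data the beacon detector flags only 10.0.0.5 (coefficient of variation about 0.02) and leaves the bursty user alone, and the lateral movement detector reports alice fanning out to five hosts plus the logon-then-service-install on WS07, while the two-host backup account stays below the threshold. In production the fan-out rule needs an allowlist for backup, scanning and monitoring accounts, which is exactly the tuning work the C2 bullet warns about.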

There are many more possibilities, which I am not covering here in the interest of brevity. By now the reader should have an idea of the approach.

I have been thinking of writing a full article on MITRE’s active defence companion to ATT&CK, the Shield matrix. Do let me know if you would like me to share my thoughts on it. It deserves a quick mention here though. Shield is a true revolution for cyber defenders: a set of defensive techniques, mapped to the ATT&CK matrix, that provides a path for developing and maturing a defensible architecture. Check out the mapping between the Shield and ATT&CK matrices below.

How can we use this matrix effectively? By using it to make informed decisions about the next security investment. Let’s consider just one of the techniques (as of this date there are 33 of them): defensive technique DTE0007, “Behavioral Analytics”. Implementing this one technique provides coverage against 19 ATT&CK techniques, and those 19 use cases are a great basis for writing requirements or assessing potential solutions before investing in them. Note that “coverage” here means Shield documents a defensive use case against that ATT&CK technique; whether a given product actually delivers it is what the requirements and the testing described later have to establish.

Another great and innovative use of in-house threat intelligence is tooling such as PlumHound. It allows blue and purple teams to make more effective use of BloodHoundAD in a continual security life-cycle, using the BloodHoundAD pathfinding engine to identify Active Directory security weaknesses that result from business operations, procedures, policies and legacy service operations. Analyzing PlumHound’s output steers security teams toward identifying and hardening common Active Directory configuration vulnerabilities and oversights. Here you are not relying on someone else’s external events but on specific weaknesses within your own environment.

Modern enterprises use multiple security tools, on average more than 40. That is a lot of tools to manage. How do you know whether all of them are effective individually? Or collectively? Are there gaps an attacker can leverage? This is critical: if you do not know the effectiveness of the current security architecture, you cannot make intelligent decisions about future investments and will invariably invest sub-optimally. So how can you know the state of your overall security posture? By proactively testing your environment as a whole. There are multiple options here, usually grouped under the category of “Breach and Attack Simulation (BAS)” or automated red team tools, including some great free ones and a few good commercial offerings.

As always, there is no free lunch; there are downsides and things to take care of. Many security tools carry signatures for attack tooling such as Mimikatz, Metasploit or Cobalt Strike rather than for attacker behaviours, so a test that runs the stock tool may be blocked while the same behaviour executed with a renamed or custom tool goes unnoticed, giving a false sense of protection. Hence we need to run multiple tools to avoid tuning bias. The free tools are a great way to start and to mature the enterprise to a level where BAS can become a fundamental part of the security architecture and run automated, continuous tests; that is the right time to invest in better commercial tooling. However, the most important aspect of this testing is the response. The entire purpose is to ensure that existing defensive tools are tuned to prevent and detect such attack behaviours and get better at it over time. If this tuning and continuous improvement exercise is not undertaken, the whole thing remains academic.

Finally, within the environment, threat hunting plays an important part in surfacing attacks that were previously hidden or missed, and it feeds the in-house threat intelligence initiative. Internal IoCs found by threat hunting need to be added to the threat intelligence embedded in security monitoring. When the attackers come back, you want to detect them much faster next time around.

As usual, I am heavily influenced by John Strand’s thinking on this subject. If you have time, I strongly recommend watching the video below.

There is an entire segment of external threat monitoring: brand monitoring, deep/dark web monitoring, social media monitoring, attack surface monitoring and more. These are excellent initiatives and should be done. But they are not independent activities; they need to be aligned to the overall CTI architecture and help to continuously improve security monitoring and threat hunting. Without a valid response strategy, all that threat information is of no use.

To conclude, threat intelligence is a strategic initiative for cyber defence. Done right, it can lift the defensive posture considerably; done wrong, it adds to the noise and leads to more analyst frustration.

You can also read Part 4, Active Defense and Cyber Deception, now.
