This Solution Overview approaches the threat landscape from a holistic viewpoint and identifies strategies and techniques to establish a good defense. It discusses the concept of a "kill chain" and identifies key indicators for attack events with a focus on network analysis.
INTRODUCTION
Shady Rat, Aurora, Poison Ivy, ZeuS, SpyEye, Ice IX, Stuxnet and Flame. This strange
combination of terms may have no immediate relation to the layman, but for those
involved in computer security and incident response, they speak of events that have
sparked press coverage, executive interest and late nights.
Admittedly, the information security threat landscape has drastically changed over the
past decade. What was once the realm of tricksters and troublemakers has become the
operational environment of professional hackers, nation-state sponsored teams,
hacktivists and organized crime. Each threat group seeks to penetrate organizations of
interest to accomplish targeted objectives, often with an intellectual approach and
backed with plenty of resources. Their overall objectives can be focused into four
primary areas:
- Theft of Intellectual Property [i]
- Theft of Financial Data [ii]
- Denial of Service [iii]
- Technology-based influence causing physical results [iv]
Among these objectives, a vital and persistent theme is the use of malicious software
and the leveraging of related network infrastructure to allow stealth remote manipulation
and control of compromised systems anonymously without an onsite presence at the
target location. This foothold is typically followed by “going quiet” with the attacker
using valid credentials and remote access systems to traverse through the network.
In this whitepaper, we will approach the threat landscape from a holistic viewpoint and
identify strategies and techniques to establish a good defense. We will discuss the
concept of a “kill chain” and identify key indicators for attack events with a focus on
network analysis within the context of the RSA NetWitness framework.
POSITION BEFORE SUBMISSION
In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common
theme among practitioners is the concept of “position before submission”. In other
words, the fighter seeks to establish physical and positional dominance before ending
the fight with an attack resulting in submission. Embracing the concept allows the
fighter to increase his chances of winning the confrontation by making sure he is in
control of the situation prior to attempting a fight-ending attack. BJJ’s philosophical
approach has direct relevance to cyber security as the same approach can be taken to
establish a more proactive defense based on threat intelligence and network-wide
visibility. The notion of establishing an “active defense” can be approached using the
following guiding principles:
- Know your enemy
- Know your network
- Know your people
Know Your Enemy
The term Advanced Persistent Threat (APT) has been used over the past few years both
as a descriptive term for a class of attacker and as an industry buzzword to describe the
effectiveness of a particular product (“Our insert device here stops APTs!”). While this
term is most commonly applied to nation-states, the idea of an “Advanced Threat” can
be applied almost across the board in today’s threat landscape. Whether nation-state
attackers, cybercriminals or hacktivists, all use similar tactics to penetrate a
target organization.
Advanced – All modern threats use advanced, blended attacks. This may include
targeting specific individuals or organizations with directed email attacks (spear
phishing), hacking websites to serve malware from a “known good” or at least “not
known bad” location, or using newly discovered zero-day attacks to increase the chances
of a successful exploitation. Once entrenched, the attacker may then use encryption or
other obfuscation techniques to further mask their presence and intentions.
Persistent – Threat actors understand that repeated and coordinated attacks are likely
to garner a penetration eventually. In the nation-state example, this may be repeatedly
attacking a “target list” with spear-phishing until someone “takes the bait”, but it could
also refer to being watchful for defender activity during a penetration operation and
changing tactics as defenders respond, allowing continuous presence in the network. On
the cybercrime side, this is increased to large-scale persistent modification of
infrastructure, malware and domain names to allow continued operation among the ebb
and flow of defender activity.
Threat – Ultimately, for an event to be considered a “threat” it must meet a set of
criteria.
Intent + Opportunity + Capability = Threat
Lacking any one of these criteria negates the threat, for example:
Attacker A wants to attack organization B with a PDF-based spear-phishing attack
against an HR manager. The attacker is using a known and reliable PDF exploit in Adobe
Reader, has a “builder” that builds an attack PDF in a way that makes it undetectable by
antivirus, and has the name of an HR manager that is responsible for hiring database
developers. Organization B has a patching policy for Adobe Reader, and all
organizational workstations are up to the current patch level.
In this scenario, the attacker has the intent to attack, the capability with his attack PDF
to compromise a workstation, and a target for the attack via the HR manager. He
doesn’t, however, have the opportunity in this case, because the target workstation is
patched and non-vulnerable to his attack. In this case, there is no threat because of
the lack of opportunity provided by the patched PDF reader.
While real-life scenarios are seldom this simple, this one illustrates the kind of things you
might want to know about how common attackers operate in order to intelligently
defend your network:
- What are the common threat vectors (e.g., spear-phishing)?
- What exploits are commonly used? (Exploit kits target A, B and C
  vulnerabilities; spear-phishing attacks are often launched using PDF and
  Microsoft Office exploits.)
Attacker groups, especially in the nation-state arena, commonly attack organizations by
industry vertical. It might be a good opportunity to establish relationships that may
help you identify tactics, techniques and procedures of groups targeting your vertical,
including:
- Threat Research groups and vendors
- Threat teams from competitors (the enemy of my enemy is my friend)
- Industry Working Groups – Is there an ISAC [v] that supports your vertical?
Know Your Network
When an RSA NetWitness system engineer gets a new NetWitness deployment up and
running at a customer location, a common reaction when network traffic is first observed
is the customer being overwhelmed by the volume of data now readily available for
analysis. The complexities and idiosyncrasies of a large network are very hard for a
human being to visualize without additional framing, and NetWitness NextGen typically
becomes that frame among customers. This framing typically leads to a number of “I
don’t expect to see that, why is it there?” events over the next few weeks as the
customer becomes more intimately acquainted with their network.
The ability to pervasively know what your network looks like on a day-to-day basis is
CRITICAL in helping to identify advanced attacks.
If you’ve ever known a hunter that hunts a certain tract of land time and again, year
after year, you will have an understanding of how this concept works. The hunter can
typically look across a large field into a tree line, maybe even farther than he can really
“see”, and pick out a deer with a glance. That same deer may be invisible to you and me at
that distance because the hunter is accustomed to his land, knows what it looks like on a
“normal” day, and can quickly pick out the variance - the deer.
The network hunter is similar. If I know what my network looks like on a day-to-day
basis, I can better pick out the anomalies. In NetWitness training courses, we modify
the “needle in the hay stack” analogy and refer to this concept as “removing hay until
only needles remain”.
This information may include:
- How is my network laid out? What are my allowed paths out of the network?
- Where are my likely weak points, either from a lack of visibility or business
  needs that require a more relaxed security posture?
- Where is my data? If I have intellectual property, where is it stored and who
  has access to it?
Know Your People
Ultimately, the success of a modern attack often depends on the activities of the carbon-
based unit between the keyboard and the chair. That is, the human being operating the
computer and going about their daily business. While it is easy to get lost in the
minutiae of the technical, the human operator is decisively the weakest point and, as a
result, the initial target of most attacks. The strategic objective may be financial data
related to the person, or information that the person has access to, or maybe even just
a tactical compromise of the computer that belongs to the person.
With this in mind, it’s important to understand a few concepts in the paradigm of your
environment.
- Who in your environment has “enhanced access”, be it to critical information or
  intellectual property, or critical systems or pivotal locations on the network?
- Does your enterprise have a security policy that addresses common attack
  methodology? It could be as simple as an information security policy that is
  reviewed yearly, or as complex as common ideas on how to identify a
  spear-phishing attack. Policy is often looked at as a simple “box-check” for
  compliance reasons, but the ability to educate the end-user is one more layer in
  a defensive strategy.
- Who are my likely targets? Do I have employees that are commonly in the
  press, speak at conferences, or have a job that routinely entails receiving “cold”
  electronic correspondence from third parties (e.g., HR, Marketing, Admin, etc.)?
  If I search for “@mycompany.com” on Google, whose email addresses show
  up? How about LinkedIn?
- Am I continuously tracking employees that have been targeted or compromised
  in the past? Repeat attacks are common, and employee behavior that is risky
  is likely to recur.
THE ATTACKER KILL CHAIN
In 2009, incident responder Mike Cloppert with the Lockheed Martin CERT, published a
series of articles that discussed security intelligence and leveraging indicators. In this
series, he introduced a concept known as the “attacker kill chain”.
This concept breaks attacker methodology into a series of sequential stages.
Each stage represents a focus on a particular aspect of an attack, both from an attacker
perspective, as well as a defender perspective.
“We have found that the phases of an attack can be described by 6 sequential stages. Once again
loosely borrowing vernacular, the phases of an operation can be described as a "kill chain." The
importance here is not that this is a linear flow - some phases may occur in parallel, and the order of
earlier phases can be interchanged - but rather how far along an adversary has progressed in his or
her attack, the corresponding damage, and investigation that must be performed.” [vi]
Reconnaissance
With the amount of publicly available information on the Internet, the ability for an
attacker to do target reconnaissance in an unnoticed fashion is almost unlimited.
Commonly used techniques include:
- Reading company websites for information on key initiatives and personnel
- Reading industry whitepapers to identify projects and personnel associated with
  those projects
- Searching Google for email addresses, contact points and other bits of
  information
- Identifying social network participation of likely targets, often providing attack
  vectors through trusted friends and associates
In the reconnaissance phase, the ability for the defender to take defensive actions is
limited, as attacker reconnaissance is often done in a covert and hard to detect manner.
Weaponization and Delivery
At this point, the attacker has established a target or collection of targets, and
weaponizes an attack payload and delivers it to the target. Let’s use a spear-phishing
attack as an example scenario.
In most APT-style spear-phishing attacks that NetWitness has observed, a third-party
document is used as the delivery method for a malware payload. Typically, it will be a
trojaned PDF or Office document. While 100% detection of this phase is difficult,
information sharing and intelligence gathering on previous attacks helps to identify
repeatable characteristics of attacker “playbooks” which can help identify recycled
exploit document filenames, shellcode, PDF structure, etc.
From a NetWitness perspective, the platform looks at the documents from a higher level,
by analyzing for threatening characteristics in the sessions rather than specific malware
or exploit signatures.
Example 1: Jim in HR receives a PDF via an email link for a job applicant. As Jim
downloads the PDF and it crosses from the Internet onto his workstation, the
organization’s NetWitness NextGen platform:
1. Identifies that the file is forensically a PDF.
2. Identifies that the PDF has a “Launch” action in it.
3. Identifies that the PDF has embedded javascript.
While these three factors don’t mean that the file is absolutely malicious, they identify
enough threatening characteristics to warrant a second look, and to pull it from the likely
high volume of PDFs that appear on the network daily; thereby “removing the hay until
only needles remain”.
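As an added illustration of the triage in Example 1 (a stand-alone Python script, not NetWitness parser code), the following identifies a PDF by its magic bytes rather than its filename and then checks for the Launch-action and embedded-JavaScript characteristics; the two PDFs it inspects are constructed, and it also undoes hex-escaped names (/J#61vaScript) so that a hidden keyword still counts as a hit.

```python
import re

# Constructed sample: a minimal PDF carrying both a /Launch action and embedded
# JavaScript, with the JavaScript name partially hex-escaped to hide the keyword.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj\n"
    b"4 0 obj << /S /Launch /F (cmd.exe) >> endobj\n"
    b"5 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample: a PDF with no actions at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

_HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/J#61vaScript -> /JavaScript)."""
    return _HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def is_forensically_pdf(data: bytes) -> bool:
    """Identify a PDF by its magic, not by filename or Content-Type.

    The header is allowed a little leading junk, which real files sometimes have."""
    return data[:1024].find(b"%PDF-") != -1


def pdf_threat_characteristics(data: bytes) -> dict:
    """Report the threatening characteristics the whitepaper's Example 1 looks for."""
    body = normalize_names(data)
    return {
        "is_pdf": is_forensically_pdf(data),
        "launch_action": re.search(rb"/S\s*/Launch\b", body) is not None,
        "javascript": re.search(rb"/(JavaScript|JS)\b", body) is not None,
        # Auto-executing actions are what make the other two dangerous.
        "open_action": b"/OpenAction" in body or b"/AA" in body,
    }


def triage_pdf(data: bytes) -> str:
    """Decide whether a file deserves a second look: 'second-look', 'routine' or 'not-a-pdf'."""
    c = pdf_threat_characteristics(data)
    if not c["is_pdf"]:
        return "not-a-pdf"
    hits = [k for k in ("launch_action", "javascript", "open_action") if c[k]]
    return "second-look" if hits else "routine"
```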
Exploitation
Diverging from Cloppert’s approach here, consider immediate post-compromise activities
as secondary parts of the exploitation event. During the exploitation phase of the
attack, the host machine is compromised by the attacker and the delivery mechanism
typically will take one of two actions:
- Install malware (a dropper) allowing attacker command execution.
- Install malware (a downloader) and download additional malware from the
  Internet, allowing attacker command execution.
Once a foothold is established inside the network, the attacker will typically download
additional tools, attempt privilege escalation, extract password hashes, etc.
At this point, defensive strategies have ultimately failed, and the attacker has control of
a resource. We would typically move to a detective model here and focus on identifying
second-stage malware and toolsets being downloaded to the compromised workstation
post-exploitation.
- Forensically identify executable downloads, both un-obfuscated and obfuscated.
  Obfuscation and encryption methods vary: custom algorithms in some cases, none at
  all in others. A few methods tend to be re-used:
  - Single-Byte XOR
  - Base64
  - Custom Base64
Command and Control
Once the attacker has successfully exploited and taken control of a workstation, he will
usually install malware that has a command and control mechanism. This allows
persistent connectivity for continued access to the environment as well as a detective
measure for defender activity.
Command and control of a compromised resource is usually accomplished via a beacon
over an allowed path out of the network.
Beacons take many forms, but in most cases they tend to be:
- HTTP or HTTPS-based
- Made to look like benign traffic via falsified HTTP headers
In cases that use encrypted communication, beacons tend to use self-signed certificates
or custom encryption over an allowed path (often TCP 443).
Strategies for detection at this stage tend to revolve around:
- Identifying the use of self-signed certificates during encrypted communication.
- Identifying falsified HTTP headers via anomaly detection strategies.
- Identifying recurring, consistent beacon activity to the same domain or IP
  address over time.
- Identifying the use of non-standard or unapproved encryption over allowed
  paths.
Keep in mind that immediate takedown of hosts that have identified beacon activity may
clue attackers into defender activity (loss of a known beacon), causing them to switch to
secondary (and potentially unknown) infrastructure. While incident response, as a
program, is out of the scope of this whitepaper, this should be a consideration when
faced with this type of discovery.
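Added example, not part of the whitepaper or the NetWitness product: a Python script that applies the third detection strategy above (recurring, consistent beacon activity to the same destination) to a constructed connection log, flagging source/destination pairs whose inter-arrival times are too regular to be human browsing. The log format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (timestamp, source host, destination): one
# workstation checking in on a roughly five-minute schedule, another browsing.
SAMPLE_LOG = """\
2012-06-01T08:00:00 ws-hr-07 203.0.113.10
2012-06-01T08:00:41 ws-hr-07 intranet.example
2012-06-01T08:05:00 ws-hr-07 203.0.113.10
2012-06-01T08:10:02 ws-hr-07 203.0.113.10
2012-06-01T08:14:59 ws-hr-07 203.0.113.10
2012-06-01T08:20:00 ws-hr-07 203.0.113.10
2012-06-01T08:25:01 ws-hr-07 203.0.113.10
2012-06-01T08:01:10 ws-mkt-03 cdn.example
2012-06-01T08:03:55 ws-mkt-03 cdn.example
2012-06-01T08:19:31 ws-mkt-03 cdn.example
2012-06-01T08:21:02 ws-mkt-03 cdn.example
2012-06-01T08:59:48 ws-mkt-03 cdn.example
2012-06-01T09:00:03 ws-mkt-03 cdn.example
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text: str, min_hits: int = 5, max_cv: float = 0.1) -> dict:
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    A beacon checks in on a schedule, so its inter-arrival times have a small
    coefficient of variation (stdev / mean); human browsing is bursty.  Pairs
    with fewer than min_hits connections are ignored to avoid flagging noise.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)
    flagged = {}
    for pair, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # identical timestamps: not a schedule, skip
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"hits": len(times),
                             "mean_gap_s": round(avg, 1),
                             "cv": round(cv, 3)}
    return flagged
```

A jittered beacon (randomised sleep) raises the coefficient of variation, so in practice the threshold is tuned against the network's own baseline rather than fixed.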
Exfiltration
The final phase of the kill chain is exfiltration. In this phase, the attacker has
successfully entered the target network, taken control of a host and potentially:
- Downloaded and staged tools
- Elevated privileges
- Moved laterally onto other hosts
- Located and packaged information
At this point, the final goal is to gather the packaged information, and deliver it to a
location under control by the attacker. These locations are typically hacked hosts that
are used as temporary holding areas for stolen data or hosts that reside in an area that
is under complete control of the attacker (bulletproof hosting).
Exfiltration commonly takes the form of:
- Encrypted .rar or .zip files
- FTP’d or uploaded to a controlled host
However, in the case of malware such as ZeuS, SpyEye, etc., exfiltration and C2
beacons often take place at the same time (the compromised host will export stolen data
on a repeated schedule, basically an information stealing beacon).
Exfiltration marks the point that data loss has occurred. Detection at this phase leads to
damage control activities for lost data, invoking an IR process, and a move backwards
through the kill chain to establish root cause.
TYING IT ALL TOGETHER – STALKING THE KILL CHAIN
The Single Event Mentality
Historically, security technologies tend to be focused in a single place, or at most, two
places on the kill chain, but lack the entire context behind an event that a complete
analysis system imparts. When using the phrase “stalking the kill chain”, we are focusing
on the ability to use a structured approach to watching the network with the idea of
identifying kill chain events in progress, across the entire kill chain.
Anti-virus is focused on the delivery and exploitation phases, attempting to detect known
shellcode, previously identified malware, or heuristically interesting binaries.
Intrusion Detection is focused on detection of exploitation events or C2, based on known
signatures or communication methods.
Content Filtering and proxy technologies are focused on blocking of known C2 or exploit
sites or the categorization of sites for additional analysis.
Tracking an Event Holistically in RSA NetWitness
Ultimately, we seek to move our analysis techniques and ability from a single or dual
stage approach, to a seamless approach that allows free flowing movement in any
direction along the kill chain during an investigation, with the goal of being able to gauge
the scope and magnitude of the intrusion quickly.
If this is successful, the kill chain diagram would likely look like this:
Using RSA NetWitness Live, a user is able to consume and leverage related
content to help track events across the kill chain.
While the detection of malware is important, a holistic approach to threat detection also
needs to focus on the detection of “quiet” activity after a foothold is established by the
attacker.
According to industry reports on attack trends, attackers used malware in only 54
percent of compromises, and secondary detection was only possible through holistic
analysis.
Signs of Weaponization/Delivery/Exploitation
For detection of weaponization, delivery and exploitation events within NetWitness, the
following content can be consumed and utilized from NetWitness Live:
FlexParsers – Malware PDF, Fingerprint office2007, Fingerprint office97-2003,
Fingerprint pdf, Fingerprint jar, Exploit Web Pages, HTML Threat Analysis
(Spectrum Subscribers), Encoded File Fingerprinting, XOR Executable
(Spectrum Subscribers), Advanced Executable (Spectrum Subscribers)
To further augment the security analysis specifically, the following custom drills in
Investigator should be employed:
General PDF Identification
filetype = pdf
filetype = base64 encoded pdf
Anomalous PDF Identification
risk.warning begins pdf || risk.suspicious begins pdf || risk.info begins pdf
Office Documents
General Office Document Identification:
filetype = office2007 || filetype = office97-2003
filetype = base64 encoded office
Suspicious Web Pages (potential exploit or browser fingerprinting activity)
Existence of Java Applets:
filetype = jar
Existence of suspicious HTML elements:
risk.suspicious = js scan for adobe
risk.suspicious = iframe src pdf
risk.suspicious = iframe src cgi
risk.suspicious = iframe src htm
risk.suspicious = iframe src html
risk.info = embedded html applet
risk.info = embedded html applet with params
risk.info = embedded html codebase
risk.info = embedded html object
risk.suspicious = iframe embedded js
risk.suspicious = iframe hidden values
risk.suspicious = iframe inside hidden div
risk.suspicious = iframe src php
risk.suspicious = pdf inside hidden div
risk.warning = iframe src pdf
General Executable Detection
filetype = windows executable
filetype = base64 encoded exe
Anomalous Executable Detection
risk.info begins exe || risk.suspicious begins exe || risk.warning begins exe
risk.warning = potential binary from duqu group
risk.warning = hex encoded executable
risk.warning = xor encoded executable
Signs of Command and Control
For detection of command and control events within NetWitness, the following content
can be consumed and utilized from NetWitness Live:
FlexParsers – Botnet Traffic Patterns, Htran, ShadyRat, HTML Header, Verbose DNS,
Duqu Binary Detection, Windows Command Shell
To further augment the security analysis specifically, the following custom drills in
Investigator should be employed:
Specific Malware C2 Behavior
risk.warning ends “botnet activity”
risk.suspicious = “htran redirector”
risk.suspicious = “shadyrat encoded command”
Generic HTML and DNS Anomaly Detection
risk.info begins http
risk.info begins dns
Remote Windows Shell
risk.warning = windows command shell
risk.suspicious = windows cli admin command
Remote Desktop Connection
service = 3389
Signs of Exfiltration
For detection of exfiltration events within NetWitness, the following content
can be consumed and utilized from NetWitness Live. While this is not an exhaustive list,
it provides a basic guideline for analysis of advanced threats across the kill chain.
FlexParsers – Fingerprint RAR, Encoded Hashes, pkware
To further augment the security analysis specifically, the following custom drills in
Investigator should be employed:
Generic FTP Detection
service = 21
Generic Archive File Identification
filetype = rar
filetype = zip
filetype = base64 encoded zip
filetype = base64 encoded rar
Password Hash Exfiltration or Movement
risk.warning begins plaintext pwdump
risk.warning begins xor encoded pwdump
risk.warning begins base64 encoded pwdump
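Added example covering both the obfuscated executable downloads listed under Exploitation (single-byte XOR, Base64, custom Base64) and the plaintext, XOR-encoded and Base64-encoded pwdump drills above. It is stand-alone Python, not NetWitness parser logic; the custom alphabet, the PE stub and the pwdump line are constructed, and the script reports which decoding exposed the content.

```python
import base64
import re
from typing import Iterator, Optional, Tuple

PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
# pwdump output: user:RID:LM hash:NT hash:::
PWDUMP_LINE = re.compile(rb"^[^:\r\n]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::", re.M)
STD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Hypothetical custom alphabet, standing in for one recovered from a malware sample.
CUSTOM_B64 = STD_B64[::-1]

# Constructed samples (not real captures): a fake PE header and a fake pwdump line.
RAW_EXE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + DOS_STUB + b".\r\n$"
PWDUMP_TEXT = (b"svc_backup:1105:00112233445566778899aabbccddeeff:"
               b"ffeeddccbbaa99887766554433221100:::\n")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def encode_b64(data: bytes, alphabet: bytes = STD_B64) -> bytes:
    """Base64-encode, optionally substituting a custom 64-character alphabet."""
    enc = base64.b64encode(data)
    return enc.translate(bytes.maketrans(STD_B64, alphabet)) if alphabet != STD_B64 else enc


def decode_b64(data: bytes, alphabet: bytes = STD_B64) -> bytes:
    """Decode Base64, translating a custom alphabet back to the standard one first."""
    if alphabet != STD_B64:
        data = data.translate(bytes.maketrans(alphabet, STD_B64))
    return base64.b64decode(data)


def candidate_decodings(data: bytes, alphabets=(STD_B64, CUSTOM_B64)) -> Iterator[Tuple[str, bytes]]:
    """Yield (method, plaintext) for each encoding the whitepaper lists as re-used."""
    yield "plain", data
    for alphabet in alphabets:
        try:
            yield ("base64" if alphabet == STD_B64 else "custom-base64"), decode_b64(data, alphabet)
        except ValueError:  # binascii.Error is a ValueError: body is not valid Base64
            continue
    for key in range(1, 256):  # key 0 is the plain case already yielded
        yield f"xor-0x{key:02x}", xor_bytes(data, key)


def classify(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (method, kind) for the first decoding that exposes a PE file or pwdump output."""
    for method, plain in candidate_decodings(data):
        if plain.startswith(PE_MAGIC) and DOS_STUB in plain:
            return method, "windows executable"
        if PWDUMP_LINE.search(plain):
            return method, "pwdump"
    return None
```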