Threat Geek

There has been a lot of discussion about indicators of compromise lately (not to mention the seismic APT1 report released by Mandiant. Do you feel like the guy in the CarMax commercial where you have a vague idea of what you want to do but may not know where to begin? You may be suffering from information overload and wondering what to attack first and what to put on the back burner. While I cannot make risk-based decisions for everyone, my aim in this blog post is to let you know that you are not alone and provide you some information that might help you develop an attack plan. 

This is a common issue for enterprise defenders. A majority of what passes for “threat intelligence” is a list of IP addresses, domain names and/or MD5 hash values. While these indicators can be useful for what is happening today, changing these values is very simple for adversaries and can often even be automated to some extent. I’m not suggesting that you ignore these types of indicators when they appear in your logs or SIEM solutions. It can indeed prove useful to identify any immediate infections based on these indicators. You may also want to consider what will cause the most headaches for your attackers when thinking about what indicators to implement in your controls.

A few days ago a guy named David Bianco wrote an article called The Pyramid of Pain. In this article he broke out the level of pain that each type of general indicator would cause an adversary if one were able to implement controls around those indicators. I would go one step further in suggesting that the pain pyramid should also show the level of difficultly it generally takes a team of defenders to obtain and/or implement such indicators.

In his article, Bianco mentioned that IP addresses and domain names are trivial for an adversary to change. This is evident in the case of malware samples that utilize fast flux, double flux or domain name generation algorithms built right into the code itself. These Techniques are not new. There are samples tracking back to the early 2000s. These indicators are trivial for the attackers to change and are therefore generally low on the pain scale for defense.

If you have been doing incident response for any government agency or larger private sector company in the past five years, you can probably relate to much of Mandiant’s APT1 report with a head nod and a mumble of “yup, seen that technique before”. The reason that a lot of APT groups have been using the same or similar techniques for a long time is that they still work! They only tend to change their tactics when they have to. For an interesting timeline of the change of the APT1 indicators, check out Mila Parkour’s awesome work over at this Contagio blog post.

The malware families listed in the Contagio post are the items that start to get into the upper part of the pain pyramid in the tools and start to get into the tactics, techniques and procedures (TTPs). They are high on the pain scale because of the pain it causes the adversaries if you find these items either by incident response or threat intelligence reports, and can alert on them or—better yet—stop the activities. The adversary now has to modify their modus operandi, which is indeed a lot of work for these groups. This could mean that they have to change the way they get into your environment, the way they write their tools, the way they maintain their access and/or the way they exfiltrate information from your network.

The challenge for enterprise defenders concerning these more painful indicators is, clearly, learning about these toolsets and TTPs. Some advanced adversary groups have continued to use commonly known tools and TTPs in government and private sector networks because they still work in those environments. Well-equipped defenders have learned about them long ago and have since put controls in place to stop or alert on signs of their use.

The other pain angle is actually finding controls that can track advanced techniques, as they tend to be wrapped in other protocols or obfuscated in some way that bypasses typical protections. Here is a good article by the Trend Micro lab team outlining some of the common toolsets used by Advanced Persistent Threats.

Many of the tools listed in that article, especially the ones used for command and control (C2), or lateral movement, can be caught using tools such as the Fidelis XPS Internal or Fidelis XPS Direct sensors. Devices such as the Fidelis XPS Mail Sensor can also catch some of the techniques involved in their TTPs. Some of these techniques include spear phishing e-mails containing suspicious links or attachments that appear to be documents such as PDFs that are actually executable files such as screen savers (.scr), general executable PE file types or XOR’d payloads. These techniques do not fool these systems because we decode the payloads to reveal their true file types and contents.

To conclude, there is no shortage of the “low pain” indicators available for defenders to use. They can be helpful for rapid identification and remediation of current infections. My suggestion is that defenders start implementing internal databases or utilize third party threat intelligence solutions that can provide context, tool identification and TTP correlation to implement controls to fight against the cutting-edge groups.

- Curt Shaffer

References:

http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

http://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html