Current: Dragos Adversary Hunter Previous: Los Alamos National - - PowerPoint PPT Presentation


SLIDE 1

SLIDE 2

SLIDE 3
  • Joe Slowik, Threat Intelligence & Hunter
  • Current: Dragos Adversary Hunter
  • Previous:
    • Los Alamos National Lab: IR Lead
    • US Navy: Information Warfare Officer
    • University of Chicago: Philosophy Drop-Out

SLIDE 4
  • Typical Attribution
  • Purpose of Attribution
  • Defining Activity Groups
  • Behavior-Focused Attribution
  • Examples

SLIDE 5
  • Attribution typically focuses on ‘who’
  • Identify signifying details in data
  • Tie these back to a concrete entity

SLIDE 6
  • Satisfies a primal human need
    • Who is responsible
  • Frames matters in a way that is easily understood
    • Actor X is responsible for Event Y

SLIDE 7
  • Attribution is really hard!
  • Typically collection only consists of technical artifacts
    • Obscures underlying actions and events
  • Leads to cognitive bias
    • Of course Country X performed action Y

SLIDE 8
  • Attribution can get ‘just far enough’ to blame a ‘country’
    • And take the resulting media ‘bump’
  • But not far enough to develop meaningful breakdown of responsibility

SLIDE 9

SLIDE 10
  • What does knowing Country X is responsible for Event Y tell you?
  • From a network defense perspective:
    • Likely nothing
    • Or, potentially damaging due to assumptions about Country X

SLIDE 11
  • Determining who is responsible has specific value – but not for defense
  • Identifying how an attack took place informs network defense

SLIDE 12
  • Align resources, identify TTPs, focus defense
  • If it doesn’t inform or benefit defense, what’s the point?

SLIDE 13
Attack Takes Place
  • Capture Data
  • Record Context

Analysis & Production
  • Transition Data to Information
  • Formulate Conclusions

Develop Conception of Adversary
  • How Does Adversary Act?
  • What are Targets, Intentions, and Infrastructure?

SLIDE 14
Intelligence
  • Track how the adversary operates
  • Learn to anticipate activity

Playbooks
  • Based on actions, define responses
  • Create SOPs for defense

Remediation
  • Knowing capabilities informs response
  • Reduce time to remediation

SLIDE 15
  • Ultimately:
    • Prepare and enable defenders
    • Improve defenses, anticipate attacks
  • Other items are superfluous
    • Flashy media headlines
    • Provocative stories

SLIDE 16
  • Methodology for defining actors by actions
  • Distinct from traditional attribution:
    • Focus on the how
    • The who is in many ways irrelevant

SLIDE 17
  • Focus on observable items from events
  • Avoids speculation, inferring intention
  • Resulting picture is a composite for how an attack took place

SLIDE 18
Diagram: Command Authority; Operations Group A, Operations Group B, Operations Group C; Development Teams

SLIDE 19
  • Traditional attribution focuses on readily observed items:
    • Malware
    • C2
  • As a result, focuses on development teams
  • Less relevance to operations

SLIDE 20
  • Operations teams can mean many things:
    • Different military units
    • Contractors
    • Etc.
  • Main point: different elements implementing common capabilities

SLIDE 21
  • Different operations teams can use similar toolset for different operations
  • Behavioral approach enables operations tracking
  • Goal: identify operations teams by behavior and objective

SLIDE 22
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

SLIDE 23

SLIDE 24
The ‘who’ – just one part of whole

SLIDE 25
What enables the attack – relevant to target environment
The required connection between adversary and victim

SLIDE 26
Purpose and focus for the action

SLIDE 27
  • Analysis primarily focuses on technical observations:
    • Infrastructure
    • Capabilities
  • ‘Adversary’ can be abstracted, ‘victim’ useful for parsing campaigns

SLIDE 28
  • The means through which a capability is executed
  • Provides the link from Adversary to Victim
  • Can be characterized as atomic or behavioral

SLIDE 29
  • Typical ‘IOCs’:
    • IP addresses
    • Domain names
  • Relevant to an identified event
  • Not helpful for characterizing future activity

SLIDE 30
  • Trends and patterns
  • Less likely to change, longer lasting
  • Examples:
    • SSL certificate creation
    • Infrastructure types and themes

SLIDE 31
  • Compromised vs. Owned Infrastructure
  • Hosting and registration patterns
  • SSL certificate re-use

SLIDE 32
  • What an adversary utilizes to achieve objective against victim
  • Primarily behavioral in nature when properly implemented
  • Can include indications of intent

SLIDE 33
  • An ‘atomic capability’ is simply an observation from a specific instantiation of that capability
  • Examples:
    • Hash value
    • File name
  • Easily changed, highly mutable

SLIDE 34
  • True understanding of capability gained by analyzing behaviors
    • How does the adversary operate
    • What actions are typically performed
  • Goal is to build a picture of adversary operations

SLIDE 35
  • Intrusion techniques – malware vs. ‘living off the land’
  • Coding and deployment consistencies
  • Tendencies for persistence, clearing artifacts

SLIDE 36
  • Characterize adversary activity
  • Identify commonalities and general trends
  • Build a profile based upon observed behavior
  • Design detections and alerts around observations

SLIDE 37
  • Leverage available evidence to group and define activities
  • Differentiation: two or more unique vertices of diamond model

SLIDE 38
  • Multiple reporting on Russian infiltration of US energy companies in summer 2017
  • Eventually combined several distinct attacks into one campaign
  • Resulting picture muddies situation for defenders

SLIDE 39

SLIDE 40

SLIDE 41

SLIDE 42

SLIDE 43
  • July 2017: ALLANITE
  • October 2017: DYMALLOY
  • October 2017: TA-293A
  • March 2018: TA-074A

SLIDE 44
  • 2013-2014: DRAGONFLY
  • Dec 2015 – Mar 2017: DYMALLOY
  • May 2017 - ?: ALLANITE

SLIDE 45
Initial Access:
  • Phishing
  • Strategic website compromise

Deploy Implants:
  • RATs: Karagany.B, Heriplor
  • Backdoors: DorShel, Goodor

Information Collection:
  • Mimikatz integrated into broader credential capture tool
  • Framework for harvesting documents, intelligence info

SLIDE 46

SLIDE 47

SLIDE 48
Initial Access:
  • Phishing
  • Strategic website compromise

Leverage Scripts and System Commands:
  • Credential capture and re-use
  • Unique LNK icon image to ensure continued credential capture

Information Collection:
  • Various publicly-available password cracking frameworks
  • RDP for connectivity and transfer

SLIDE 49

SLIDE 50
word/_rels/settings.xml.rels: Target="file://5.153.58.45/Normal.dotm"
word/_rels/settings.xml.rels: Target="file://62.8.193.206/Normal.dotm"
word/_rels/settings.xml.rels: Target="file://62.8.193.206/Normal.dotm"

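The relationship entries above attach the document's template from a remote host, so Word fetches it when the file is opened; the behavioral trait worth detecting is the remote template relationship itself, not the individual addresses. Added example (not code from the talk or from Dragos): it opens a .docx, reads word/_rels/settings.xml.rels and reports any Target that resolves to another host, while leaving the file:///C:/... path of a locally installed custom template alone; the sample documents are constructed in memory and 192.0.2.10 is an RFC 5737 documentation address, not an indicator from the deck.

```python
"""Flag .docx files whose settings.xml.rels attaches a template on another host.
Added example (not from the talk or Dragos); sample documents are constructed
in memory and 192.0.2.10 is an RFC 5737 documentation address."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_PATH = "word/_rels/settings.xml.rels"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

def is_remote_target(target):
    """True for http(s)/ftp URLs and for file:// URLs naming a host or IP; the
    file:///C:/... path of a local custom template is legitimate and not flagged."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https", "ftp"):
        return True
    if parts.scheme == "file":
        host = parts.netloc
        return bool(host) and host.lower() != "localhost" and host[1:2] != ":"
    return False

def remote_template_targets(docx_bytes):
    """Targets in settings.xml.rels that resolve to a remote host; most benign
    documents have no such rels part at all."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter():  # iter() avoids handling the rels namespace
            target = rel.attrib.get("Target", "")
            if target and is_remote_target(target):
                hits.append(target)
    return hits

def build_sample_docx(template_target=None):
    """Constructed minimal .docx: a document part plus, when a target is given,
    one external attachedTemplate relationship pointing at it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            zf.writestr(RELS_PATH, (
                '<Relationships xmlns="http://schemas.openxmlformats.org/'
                'package/2006/relationships"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" TargetMode="External" '
                f'Target="{template_target}"/></Relationships>'))
    return buf.getvalue()
```

Run over a mail gateway's attachments, the same check groups documents by the template relationship pattern even when each sample points at a different host.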
SLIDE 51
  • DYMALLOY:
    • US, Europe, Turkey
    • Broad ICS targeting
  • ALLANITE:
    • US, UK and possibly Ireland
    • Energy sector

SLIDE 52

SLIDE 53
  • DYMALLOY and ALLANITE look substantially different from each other
  • May be related, one may be evolution of the other
  • BUT based on available evidence, they are not the same

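The slide 37 rule applied to the two groups just compared, as an added example that is not from the talk or from Dragos: the observations listed on the DYMALLOY and ALLANITE slides are encoded as feature sets per Diamond Model vertex, the adversary vertex is left abstracted as the deck recommends, and a vertex counts as differing when set overlap (Jaccard) falls below a threshold; the shorthand labels, the 0.25 threshold and the constructed NEW_INTRUSION are this example's own assumptions.

```python
"""Activity-group differentiation by Diamond Model vertices.
Added example, not from the talk or Dragos. Feature labels are this example's
shorthand for observations listed on the DYMALLOY and ALLANITE slides; the
Jaccard threshold and NEW_INTRUSION are assumptions for illustration."""
VERTICES = ("adversary", "infrastructure", "capability", "victim")
DIFF_THRESHOLD = 0.25  # assumed: overlap below this means the vertex differs

DYMALLOY = {
    "adversary": set(),  # abstracted, as the deck recommends
    "infrastructure": set(),  # not enumerated in the deck
    "capability": {"phishing", "strategic-website-compromise", "Karagany.B",
                   "Heriplor", "DorShel", "Goodor", "Mimikatz-credential-tool",
                   "document-harvesting-framework"},
    "victim": {"US", "Europe", "Turkey", "broad-ICS"},
}
ALLANITE = {
    "adversary": set(),
    "infrastructure": set(),
    "capability": {"phishing", "strategic-website-compromise", "system-scripts",
                   "credential-capture-reuse", "LNK-icon-credential-capture",
                   "public-password-cracking", "RDP-transfer"},
    "victim": {"US", "UK", "Ireland", "energy"},
}
# Constructed: ALLANITE's tradecraft seen against a different victim set.
NEW_INTRUSION = {"capability": set(ALLANITE["capability"]),
                 "victim": {"Canada", "energy"}}

def jaccard(a, b):
    return len(a & b) / len(a | b)

def differing_vertices(g1, g2):
    """Vertices on which two profiles diverge; a vertex with no observations
    on either side is unknown and never counted."""
    return [v for v in VERTICES
            if g1.get(v) and g2.get(v)
            and jaccard(g1[v], g2[v]) < DIFF_THRESHOLD]

def distinct_groups(g1, g2):
    """Slide-37 rule: two or more unique vertices => different activity groups."""
    return len(differing_vertices(g1, g2)) >= 2

def assign(intrusion, groups):
    """Fold an intrusion into the first group it is not distinct from, or
    return None so the analyst opens a new group."""
    for name, profile in groups.items():
        if not distinct_groups(intrusion, profile):
            return name
    return None
```

With these inputs DYMALLOY and ALLANITE diverge on both capability and victim, so the rule keeps them separate, while NEW_INTRUSION diverges from ALLANITE on victim alone and folds into it.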
SLIDE 54
  • Different targeting and techniques mean different responses, defense plans
  • Shift in targeting indicates change in tasking or priorities
  • Combining the two as one potentially impairs planning

SLIDE 55
  • Dragonfly, DYMALLOY, ALLANITE – may all be the same ‘adversary’ but different teams
  • Different TTPs and targeting over time require different defensive measures
  • Tracking OPS teams subordinate to larger entity

SLIDE 56
  • COVELLITE initially discovered September 2017
  • Targeted phishing of US electric companies
  • Review of TTPs indicated strong overlap with LAZARUS Group

SLIDE 57

SLIDE 58
  • ‘LAZARUS Group’ is increasingly a catch-all for DPRK-linked activity
  • Ranges from disruption to intelligence collection to theft
  • Active in many forms since at least 2012

SLIDE 59
  • Multiple technical overlaps:
    • Malicious document dropper format
    • Malware code, functionality
  • Infrastructure overlap:
    • Use of compromised, legit systems
    • Re-use of IPs across campaigns

SLIDE 60
  • Phishing with malicious document attachment
  • Embedded EXE built via macros
  • EXE beacons via fake-TLS connection to compromised C2 servers

SLIDE 61

SLIDE 62

SLIDE 63
  • Overlap in capabilities
  • Some unique aspects in COVELLITE
    • Multiple beacon IPs
    • Unique variant of phishing document
  • Otherwise very similar

SLIDE 64
  • ‘LAZARUS’ simply encompasses too much activity
  • Makes tracking, identifying, and defending difficult
  • Multiple operations combined as a single group

SLIDE 65
  • Ensure coverage against actionable, relevant threats
    • Don’t waste resources on unlikely items
    • Focus on threat model
  • LAZARUS approach is too broad in scope for meaningful defense

SLIDE 66
  • COVELLITE is very specific in targeting
    • Focus on electric utilities
  • Overlap in TTPs can be distinguished by uniqueness in targeting
  • Filter TTPs only related to non-ICS LAZARUS actions

SLIDE 67

SLIDE 68
  • Break apart activity into component parts
  • Track what matters
  • Focus defense on what fits threat model

SLIDE 69
  • Break down entities:
    • Operational groups
    • Specific campaigns
    • TTP variants
  • Not all iterations will follow the same pattern

SLIDE 70
  • Attribution is beneficial when properly focused
  • Identifying activities provides actionable information to defenders
  • Focus on observable items avoids guesswork and assumptions

SLIDE 71
Activity
  • Note observable items
  • Determine operational purpose
  • Align observations to own-network operations

Characterization
  • Group observed activities
  • Orient to targets and perceived interests

Definition
  • Define a group around characteristics
  • Focus on observable behavior
  • Build detection and defenses around result

SLIDE 72