Summary (Hutchins et al., n.d.)
· Conventional incident response methods rest on flawed assumptions:
The response should happen after the point of compromise.
A resolvable flaw led to the compromise.
· APT (Advanced Persistent Threat): adversaries with extensive resources and training who undertake multi-year penetration campaigns aimed at highly sensitive economic, private, or national security data.
· These campaigns enable adversaries to harvest sensitive information.
· Current approaches such as anti-virus and patching are not sufficient to protect sensitive intellectual property against APT actors.
· Most of these intrusions intend to collect sensitive information.
· Infrastructure management tools have advanced to the point where best practices for enterprise-wide patching and hardening are now possible, minimizing the most easily accessible vulnerabilities in networked services. APT actors, on the other hand, continue to demonstrate their capacity to penetrate systems by employing advanced tools, bespoke malware, and "zero-day" exploits that anti-virus and patching cannot detect or neutralize.
· Analysis, methodology, and technology must evolve in response to APT attacks; knowledge of the threat can be used to predict and mitigate future incursions.
· This article outlines a threat-focused, intelligence-driven strategy to investigate intrusions from the adversary's perspective. The detection, mitigation, and response courses of action are linked to each distinct step of the incursion.
· Kill chain: the structure of the intrusion; the corresponding model is analysed to inform actionable security intelligence.
· Against APT-calibre opponents, the defender can gain an advantage over the attacker by using an intelligence-driven response.
· Breaking or intervening in any stage of the APT intrusion can be one mitigation.
· As in the kill chain stages described by the US DoD (Find, Fix, Track, Target, Engage, Assess; F2T2EA), any one deficiency will disrupt the entire process.
· Intelligence-driven Computer Network Defence (CND): a continuous process that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine, and limitations.
· When defenders create countermeasures faster than adversaries evolve, the expense an opponent must incur to attain their goals rises (tactical advantage).
· Indicator: a piece of information that describes the intrusion.
· Phases of intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives (extraction of data or lateral hopping to another system inside the network).
· Fundamental of intelligence-driven CND: deciding on and measuring security based on a thorough understanding of the adversary.
· Courses of action: Detect, Deny, Disrupt, Degrade, Deceive and Destroy.
· Zero-day exploits: exploits for unknown vulnerabilities, or for vulnerabilities with no known mitigation.
· Adversaries must reuse tools and infrastructure to keep intrusions economical.
· Information on pre-compromise phases is also needed to analyse what could have happened.
· Campaign analysis: tactics, techniques, and procedures (TTP), i.e. how adversaries operate rather than what they do.
· Inflection points of various intrusions can be key indicators.
· Common APT tactic: a targeted malicious email (TME) delivered to a limited set of individuals, containing a weaponized attachment that installs a backdoor, which initiates outbound communications to a C2 server.
To sum up: defenders against APTs need to stay a step ahead by using various technologies, indicators from previous intrusions, patterns, etc. to mitigate the damage in as early a phase of the intrusion as possible. Intelligence-driven CND necessitates the development of resilience against adversaries.
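The campaign-analysis and course-of-action ideas above, worked as an added Python example (not code from the Hutchins et al. paper): indicators from several constructed intrusions are grouped by kill-chain phase to find what the adversary reused, and a set of constructed controls is laid out as a course-of-action matrix to find the earliest phase at which the chain is broken.

```python
# Campaign analysis and course-of-action matrix after Hutchins et al.
# All intrusion records and controls here are constructed sample data.
from collections import Counter

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]

# Three constructed intrusions: kill-chain phase -> indicators seen there.
INTRUSIONS = {
    "intrusion-1": {"Weaponization": {"pdf-builder-A"},
                    "Delivery": {"sender: invoice@example.invalid"},
                    "Exploitation": {"reader-exploit-placeholder-1"},
                    "Installation": {"c:/windows/temp/svc.exe"},
                    "Command and Control": {"c2.example.invalid"}},
    "intrusion-2": {"Weaponization": {"pdf-builder-A"},
                    "Delivery": {"sender: hr@example.invalid"},
                    "Exploitation": {"reader-exploit-placeholder-2"},
                    "Installation": {"c:/windows/temp/svc.exe"},
                    "Command and Control": {"c2.example.invalid"}},
    "intrusion-3": {"Weaponization": {"pdf-builder-B"},
                    "Delivery": {"sender: invoice@example.invalid"},
                    "Installation": {"c:/users/public/upd.exe"},
                    "Command and Control": {"c2-alt.example.invalid"}},
}
# Constructed defensive controls as (phase, action, name) tuples.
CONTROLS = [("Delivery", "Detect", "mail gateway alert on sender indicator"),
            ("Delivery", "Deny", "block sender at mail gateway"),
            ("Installation", "Detect", "EDR alert on temp-path executable"),
            ("Command and Control", "Deny", "DNS sinkhole for C2 domain")]

def campaign_indicators(intrusions, min_count=2):
    """Indicators reused in >= min_count intrusions, grouped by phase."""
    counts = {p: Counter() for p in PHASES}
    for record in intrusions.values():
        for phase, indicators in record.items():
            counts[phase].update(indicators)
    return {p: {i: n for i, n in c.items() if n >= min_count}
            for p, c in counts.items() if c and max(c.values()) >= min_count}

def course_of_action_matrix(controls):
    """{phase: {action: [control names]}} from (phase, action, name) tuples."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for phase, action, name in controls:
        matrix[phase][action].append(name)
    return matrix

def earliest_break(controls):
    """Earliest phase with a Deny/Disrupt/Degrade control (None if never broken)."""
    hits = [PHASES.index(p) for p, a, _ in controls if a in {"Deny", "Disrupt", "Degrade"}]
    return PHASES[min(hits)] if hits else None
```

Indicators seen in only one intrusion (the two exploitation placeholders) drop out, while the reused builder, sender, install path and C2 domain surface as campaign-level indicators.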
Summary (Darknet Diaries, "The Pizza Problem", 2021)
This Darknet Diaries narrative discusses a case of hacking via SIM swapping. As an early adopter, an anonymous person named Miles received a simple animal name as his social media handle. Several offers to buy his handle were made to him. Because such handles are one-of-a-kind, they can be sold for a lot of money on the internet.
Miles was once contacted by text message to discuss selling his Instagram handle. When he refused to sell the account, his phone's cell connection stopped working and he was forced to use Wi-Fi to access the internet. He then discovered that his phone number had been moved as a result of a request to the network provider which he had never made. Using the hijacked phone number, the hacker gained access to all of his social media accounts. Miles was able to regain access to his accounts with the help of some friends in technical fields. After this occurrence he began using additional security measures for his accounts, such as two-factor authentication and a third-party authenticator.
The following year Miles received further threats demanding that he release his account handle, but thanks to his security measures he was able to keep control of his various accounts this time. For a while he received no threats or hacking attempts. During this time, however, the hacker was gathering information to build a profile of Miles. Later, the hacker started launching informed social engineering attacks on him and even on his family. It began with Miles and members of his family receiving pizza deliveries that nobody had ordered. This escalated quickly, with his family members receiving threats telling them to ask Miles to release his Instagram handle. Miles' reports to the police and FBI were ignored, so he had no remaining options.
This case fell into the so-called "magic middle": too small for the FBI and too weird for the police to handle. After the threats started reaching his family, Miles decided to give up his Instagram handle to the hacker.
The acronym ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge. The ATT&CK framework lays out the common tactics, techniques and procedures used by adversaries for intrusion.
Tactics: A tactic is the adversary's main objective in a step of the intrusion, e.g. defense evasion and execution, which reflect the attacker's desire to remain undetected by security systems. To get around security systems, adversaries continually create new evasion and execution approaches.
Techniques: Techniques are the actions an adversary takes to attain a tactical goal, e.g. obtaining credentials from the operating system and software through credential dumping in order to move laterally and access restricted information.
Sub-techniques: Sub-techniques describe a specific implementation of a technique in greater detail. OS Credential Dumping has 8 sub-techniques covering the technique in more detail.
Procedure: A procedure is the specifics of how an adversary executes a technique to achieve a tactic. For example, an adversary may use PowerShell to inject into lsass.exe and scrape LSASS memory on a victim to spill credentials.
Both models follow the same general pattern: gain access to a user's system without being caught and carry out the malicious operation. The ATT&CK matrix differs in that it is a collection of techniques arranged by tactic rather than a fixed order of operations. The Cyber Kill Chain has a well-defined sequence of events from Reconnaissance to Actions on Objectives, whereas ATT&CK uses techniques from various tactics at various moments throughout the intrusion, depending on context, and one can jump back and forth between techniques depending on the tactic. For example, an ATT&CK scenario might start with Hardware Addition from the Initial Access tactic, move on to Bypass User Account Control from the Privilege Escalation tactic, and then execute PowerShell from the Execution tactic.

The ATT&CK matrix delves much deeper into how each stage is carried out, through procedures and sub-techniques, and it is updated regularly with industry input to keep up with the latest approaches, allowing defenders to continuously update their own procedures and attack models.

The Cyber Kill Chain ignores many of the strategies and approaches used in a cloud-native attack. It presupposes that an adversary will send a payload, such as malware, to the target environment, a strategy that is far less relevant in the cloud. Since the model has not been modified since its creation, it has some security gaps. For example, when used for threat assessment and prevention it fails to recognize or defend against dangers whose initial stages occur outside the protected network.
Tactics and phases in a cyber attack scenario can be shown as follows:

Table 1 ATT&CK tactics and Cyber Kill Chain phases in a cyber attack

ATT&CK tactics               | Cyber Kill Chain phases
1. Initial Access            | 1. Reconnaissance
2. Execution                 | 2. Intrusion
3. Persistence               | 3. Exploitation
4. Privilege Escalation      | 4. Privilege Escalation
5. Defense Evasion           | 5. Lateral Movement
6. Credential Access         | 6. Obfuscation / Anti-forensic
7. Discovery                 | 7. Denial of Service
8. Lateral Movement          |
9. Collection                |
10. Exfiltration             |
11. Command and Control      |

Beneficiaries: the ATT&CK Enterprise Matrix focuses on adversarial behaviour in OS environments and cloud services; the Cyber Kill Chain focuses on malware prevention and detection.
On March 26, 2020, a significant cyberattack believed to have been carried out by a Russian-backed group hit hundreds of institutions around the world, including multiple elements of the US federal government, resulting in a series of data breaches. SolarWinds is a software company that provides system management tools for network and infrastructure monitoring and other technical services to hundreds of thousands of organisations around the world. Hackers gained access to the networks, systems, and data of thousands of SolarWinds customers by compromising one of the SolarWinds IT monitoring systems, SolarWinds Orion. Customers of SolarWinds were not the only ones harmed. Because the intrusion exposed the inner workings of Orion users, the hackers could potentially obtain access to those users' customers' and partners' data and networks as well, allowing the number of impacted parties to expand enormously.
The hackers used the supply chain attack method, in which weaker or comparatively less secure links in an organization are targeted first before moving up the chain. Hackers were able to insert malicious code into the Orion system, which was then released to more than 18,000 customers as a SolarWinds update. The period from when the hackers gained access to the network to when the malicious code was released as an update spanned September 2019 to December 2020, when it was publicly reported. According to some reports, the hackers controlled the breach through various servers based in the United States, simulating normal network activity and so avoiding the threat detection systems used by SolarWinds and its clients. The threat actors turned the Orion software into a weapon to gain access to several government systems and thousands of private systems around the world.
The full scale of the SolarWinds attack is still unknown. Attackers were able to gain access to the SolarWinds software development and delivery pipeline, allowing them to inject malicious code into SolarWinds.Orion.BusinessLayer.dll, one of the SolarWinds Orion platform drivers. Because of the supply chain attack the infected DLL was digitally signed, which allowed the malware to go unnoticed for a long time and gave the adversary a large impact.
According to the cyber kill chain, the SolarWinds hack can be analysed in the following phases:
Reconnaissance: Hackers collected information about SolarWinds' processes, pipeline, update process and schedules via various customers of SolarWinds itself. According to the timeline, adversaries gained unauthorized access to the SolarWinds network in September 2019. This might have been possible by targeting the company's customer mailing list and sending multiple spam mails to gain even the slightest bit of information.
Weaponization: Hackers injected their malicious code into SolarWinds Orion.
Delivery: Because of the supply chain attack, the infected file was digitally signed, which helped the malware remain unnoticed for a long time; it might have been delivered via one of the pipeline processes.
Exploitation: As the file was digitally signed and therefore unnoticed, the malicious code started executing.
Installation: Via the SolarWinds update process this malicious software was distributed to customers.
Command and Control (C2): After installation of the malicious update, hackers could access an unknown extent of user data.
Actions on objectives: Hackers gained access to SolarWinds customers' information technology systems using this code, which they then used to install more malware to spy on other businesses and organizations.
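An added Python example (not SolarWinds' or any vendor's code) modelling why the digital signature on the trojanized DLL did not help: the signing step signs whatever the pipeline emits, so a release gate also needs an independent check that the artifact matches the reviewed source. HMAC-SHA256 stands in for code signing, and every key, source tree and artifact here is constructed.

```python
# Why a valid code signature does not prove a build is clean: the signing
# step signs whatever the pipeline hands it. Constructed model only; HMAC
# stands in for the vendor's code-signing step and no real artifact is used.
import hashlib
import hmac

SIGNING_KEY = b"constructed-vendor-signing-key"  # stand-in for a signing cert

def compile_from_source(source: bytes) -> bytes:
    """Toy deterministic 'compiler': the artifact depends only on the source."""
    return b"ARTIFACT:" + hashlib.sha256(source).hexdigest().encode()

def pipeline_build(source: bytes, tamper=None) -> bytes:
    """Build step inside the vendor pipeline. `tamper` models an adversary
    with pipeline access altering the output before it reaches signing."""
    artifact = compile_from_source(source)
    return tamper(artifact) if tamper else artifact

def sign(artifact: bytes) -> bytes:
    """Code-signing stand-in: signs the bytes it is handed, clean or not."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()

def signature_valid(artifact: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(artifact), sig)

def provenance_valid(artifact: bytes, reviewed_source: bytes) -> bool:
    """Independent check outside the pipeline: rebuild from the reviewed
    source and compare hashes, in the spirit of reproducible builds."""
    expected = hashlib.sha256(compile_from_source(reviewed_source)).digest()
    return hmac.compare_digest(hashlib.sha256(artifact).digest(), expected)

def release_gate(artifact: bytes, sig: bytes, reviewed_source: bytes) -> dict:
    """What an update gate should ask before an artifact ships to customers."""
    return {"signature_valid": signature_valid(artifact, sig),
            "matches_reviewed_source": provenance_valid(artifact, reviewed_source)}

def append_marker(artifact: bytes) -> bytes:
    """Constructed, inert stand-in for a modification made inside the pipeline."""
    return artifact + b";constructed-marker"

REVIEWED_SOURCE = b"constructed source tree"
```

A modified build passes the signature check exactly like a clean one; only the comparison against an independently produced build exposes it.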
Installation Environment
· macOS Monterey
· Intel chipset Mac (not M1 silicon)
· The OS prompted that a later version of OS X might not support the application from Oracle America Inc.
Some hiccups during installation and configuration:
· Downloaded the Cinnamon ISO. The desktop was quite unfamiliar; icons and top panels were all hidden. It was difficult to configure the top panel with activities and other icons. Hence, I ended up downloading Xfce as suggested.
· The virtual machine (VM) screen appeared small. Solved it as follows:
Close the VM. With the ISO selected in VirtualBox, go to Settings, Display. Change the video memory to 128, enable 3D acceleration and select the VMSVGA graphics controller if it is not already selected. Start the VM, then Video memory icon >> Virtual Screen 1 >> Scale to 200% (auto-scaled output). From the Debian desktop, go to Settings, Display, and change the resolution. However, these attempts only led to a bigger screen inside the grey-bar window.
References
ATT&CK. (n.d.). https://attack.mitre.org/resources/faq/
ATT&CK Enterprise Matrix. (n.d.). https://attack.mitre.org/matrices/enterprise/
Darknet Diaries. (2021, July 20). "The Pizza Problem." https://darknetdiaries.com/episode/97/
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (n.d.). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.
Install Debian on VirtualBox. (n.d.). https://terokarvinen.com/2021/install-debian-on-virtualbox/
MITRE ATT&CK Framework: Everything You Need to Know. (n.d.). https://www.varonis.com/blog/mitre-attck-framework-complete-guide#:~:text=MITRE%20ATT%26CK%20vs.-,Cyber%20Kill%20Chain,A%20specific%20order%20of%20operations
Mishra, P. (2021, January 4). Technical Deep Dive into SolarWinds Breach. https://blog.qualys.com/vulnerabilities-threat-research/2021/01/04/technical-deep-dive-into-solarwinds-breach
Saheed Oladimeji, S. M. K. (2021, June 16). SolarWinds Hack Explained. https://whatis.techtarget.com/feature/SolarWinds-hack-explained-Everything-you-need-to-know