Friday, July 19, 2013

On the Misuse of Indicators

This being only my third blog post, you might think it's too early to make predictions about my most commonly-used terms, but I'm ready to go out on a limb.  You can rest assured that you'll be reading the word indicator frequently in these posts.  You might think that most of us in the DFIR field already know what an indicator is, but I'm not so sure.  There are at least two different but confusingly similar types of indicators we deal with every day, and the meaning of "indicator" has a lot to do with who is using the word and the context in which they are using it.

What is an Indicator?

"Finger-pointing-icon" by debivort,
http://commons.wikimedia.org/wiki/File:Finger-pointing-icon.png,
19 July 2013
In non-technical terms, an indicator is a piece of information that points to a certain conclusion.  An individual indicator may or may not be enough to effectively support the conclusion to which it points, but as you collect more indicators that agree with each other, the conclusion becomes more likely.  Given enough of these indicators, you may end up with a defensible statement about the likelihood of your conclusion being true.  Your indicators serve as the data points by which you prove your argument. 

An indicator can be almost any type of data that you think captures some sort of repeatable occurrence or pattern.  It could be a simple domain name or IP address known to be used by a piece of malware, a piece of recurring data in a transaction, a combination of adversary actions that make up a distinct behavior, or nearly anything else.  Both of my previous posts dealt heavily with indicators, so please refer to them if you need specific examples. 

Attribution vs. Detection

In my experience, there are at least four different types of indicators:

  1. Attribution Indicators are used to distinguish activity or artifacts traceable to a specific threat actor.
  2. Detection Indicators (often called "Indicators of Compromise" or IOCs) are observables that you look for to help find security incidents.
  3. Prediction Indicators are behavior patterns that foreshadow other events ("We just announced a major new business initiative, therefore we can expect recon from this adversary within 30 days.").
  4. Profiling Indicators help predict which of your users, facilities or projects are likely to be the subject of targeted attacks.
Although all four types are definitely interesting, almost no one collects types #3 or #4, so let's ignore those for now.

Attribution indicators are used primarily for doing intelligence analysis to determine the actor behind an attack or artifact (e.g., "Who wrote this malware?" or "Which actor is most likely responsible for this set of recon scans against my web server?").  Attribution indicators attempt to answer the question "Who?"  This is a pretty difficult question, and there's a lot of ambiguity in the attribution process.  You typically need several indicators that all agree with each other pretty well to even arrive at the ballpark of a successful attribution, and even that is an oversimplification.  It leaves out the vital contribution of the human analyst to make decisions, weigh evidence and arrive at defensible conclusions despite ambiguous and possibly conflicting information.  Still, indicators are at the heart of the attribution process.

Detection indicators are linked to observable events on your hosts or network.  You can monitor for these indicators, and if you find them, you may have a security incident.  Detection indicators attempt to answer the question "Is?" (e.g., "Is this web transaction a SQL injection attack?" or "Is the XYZ trojan active on my network?").

So Which Is It?

Confusingly, both attribution and detection indicators share many of their data types.  A domain name could be an attribution indicator, a detection indicator, or both.  

For example, consider the once-notorious (but now defunct) Chinese Dynamic DNS site 3322[.]org.  In most networks I've ever monitored, any traffic to *.3322[.]org domains was at least highly suspicious, if not outright malicious.  These domains were pretty good detection indicators, because they were highly likely to serve drive-by downloads or act as C2 nodes for banking trojans (just to give two examples).  However, the simple fact that it was a very popular DDNS site made it nearly useless for attribution.  There were probably hundreds of threat actors active on those domains at any one time, and except for a few who were lazy enough to re-use their subdomains, it was basically impossible to tell who was who. Without additional information, *.3322[.]org usually wasn't a very good attribution indicator.

The opposite situation is also a frequent problem.  Suppose the PANDA BALLS group is known to have a fondness for the popular grammar website eats-shoots-and-leaves.com, which they deface and use to serve malware drive-bys in a watering hole attack.  That domain would be a great attribution indicator; when you have an artifact from a confirmed compromise and it references eats-shoots-and-leaves.com, it's a little piece of evidence that begins to support a conclusion about which adversary is responsible.  On the other hand, if you treat that domain name as a detection indicator, you're going to run into trouble when your IDS throws a constant stream of alerts on legitimate traffic from your technical writing staff!

What To Do About It?

An indicator is not an indicator is not an indicator.  Print that out and paste it to the monitors of your entire intel and detect staff.  There are different types of indicators, with different purposes according to the type of work at hand.  If you have an "indicator database" you're probably already in trouble, because you are likely mixing your indicator types indiscriminately.

At the very least, you should start tagging your indicators according to their purpose.  Consider how you would dump a list of all the detection indicators for signature-generation purposes, or how you could take an artifact and compare it to only your attribution indicators.  If you can't do this, you may need to rethink your indicator management strategy.





Thursday, March 7, 2013

What Do You Get When You Cross a Pyramid With A Chain?

In my last post, I described what I call the Pyramid of Pain, a simple model to visualize the effect that your use of different types of indicators can have on an adversary's operations.  I think that single post probably got more positive feedback than anything I've ever blogged about before.  I got a lot of great ideas for future posts by reading the comments people made on Twitter, so thanks everyone for the feedback.

One recurring theme has to do with the interaction between the Pyramid and the concept of the Cyber Kill Chain put forth by Hutchins, Cloppert and Amin.  If you're not familiar with the idea behind the Kill Chain, I recommend you take a break right now and go read these articles before proceeding.

How the Pyramid and the Kill Chain Fit Together

Gizah Pyramids ["All Gizah Pyramids.jpg", Liberator, Ricardo,
http://commons.wikimedia.org/wiki/File:All_Gizah_Pyramids.jpg,
Checked 2013-03-06]
Let me start by making a clear statement:  The Pyramid is not a replacement for the Kill Chain, it is a complement.  The Kill Chain model shows the various states an adversary must move through to complete their objective(s).  At each phase, you have the opportunity to detect their actions using certain indicators.  This is where the Pyramid comes in: it serves as a guide for knowing how to prioritize your limited detection resources in order to achieve the maximum benefit.
The Cyber Kill Chain ["Security Intelligence: Attacking the Cyber Kill Chain", Cloppert, Michael, http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/, Checked 2013-03-06]
To see how you might combine these two concepts, let's examine some use cases from one of the Kill Chain phases.

Bringing the Pain to Reconnaissance

The first phase of the Kill Chain is all about information gathering to plan the attack.  This can involve anything from probes and scans to find potential weak entry points, to examining publicly available information to map out the sorts of valuable data the adversary might expect to find once inside.

Let's examine that latter use case.  Since we are talking about indicators you might be able to detect, that probably means we are limited to discussing the adversary's direct interactions with our own systems (e.g., our web servers or other Internet-facing infrastructure).  Things like checking the Google caches or examining SEC filings are not likely to leave indicators where we can see them, so they don't really count here.

Starting at the lower levels of the Pyramid, you could try to keep track of all the IPs you know the adversary uses for reconnaissance operations, but this is not likely to be very effective.  You may be tracking hundreds of individual IPs, each of which may only be used for a short time.  That's a lot of effort on your part to manage the data, and it is likely to generate a significant number of false-positive alerts, which will consume analyst time.

The adversary has effective countermeasures against this, too.  They can rent access to a botnet, giving them thousands of throwaway IPs, or they could simply use any of a number of anonymizing services such as Tor, I2P or even a VPN.  The best part (the worst for you) is that not only are these easy to use, but they are usually free or very low cost. It costs you a lot of resources to effectively track at this level, and it's free and easy for the attacker to counter your efforts.  Sound like a win?

Moving up the Pyramid, though, makes things a bit more complicated for the attacker.  Detecting the network artifacts of their tools (e.g., a distinctive URL pattern or User-Agent string they use when spidering your website) puts the burden on them to change up their toolset.  Once your monitoring structure is in place, creating new signatures for new tools is usually not too difficult, and can be done at only an incremental cost to you.

If you can move even further up, perhaps operating at the TTP level, you're forcing the adversary to rewrite their playbook, something that is extremely time consuming for them.  Again, there will be a cost associated with gaining the ability to operate at this level, but once you pay it, the costs for future detections are likely to be incremental.  In other words, once you reach that plateau, you can stay there with modest resources.  On the other hand, every time you force the adversary to relearn new TTPs, they pay the cost.  Again and again and again.

Integrating the Models

The preceding is really just a cursory review of a couple use cases, but it shows the value in combining the Pyramid and the Kill Chain.  Ultimately, though, you must do the actual integration yourself, using your own detection program's capabilities along with your own threat intelligence.  

I recommend starting with a single threat domain (a specific actor or group if you're dealing with targeted attacks, or for something more general, a topic like "Banking Trojans").  Comb through your intel for that domain and organize your indicator types by Kill Chain phases.  Some indicator types may fit in more than one phase, and that's fine.  You may discover gaps or ambiguities in your data, and that's OK, too.  Note these issues and follow up later.  

Once you have your indicator data arranged by Kill Chain phase, you essentially have a dossier on how that threat acts as it tries to accomplish its missions.  

Now revisit each Kill Chain phase in your dossier, and rank the indicator types according to their position on the Pyramid.  This is not an entirely precise mapping, so don't be discouraged if you have to make some best guesses.  Also, don't worry so much right now about whether you have any detection platforms in place that could actually detect those types in those phases.  That's the next step.

After prioritizing the indicators for each phase according to the Pyramid, go back through and mark the ones you are currently detecting.  Also take note of the ones you have the technology to detect now, but may not actually be detecting (e.g., you have access to DMZ web server logs, but you are not currently mining them for indicators of hostile activity).  What you have marked are both your current detection stance and your likely candidates for short term improvements.  Anything that is not marked is a potential candidate for medium or long term improvement (depending on your detection needs and resources).

The End Result

If you've been following closely, you may have already figured out what all this is driving at, but just in case, I'll spell it out.  By sorting and prioritizing your Kill Chain dossier on a threat and applying the Pyramid to the potential indicators you have, you have developed a detection plan for that threat across your enterprise.

I cannot overstate the importance of this plan.  It's a living document: you should constantly revisit it to update the intel and revise the priorities and detection capabilities that went into the analysis as your own detection program changes over time.  The document captures not only your current state, but also your goals and gaps.  It's a reference for where you are and a roadmap for where you want to go.  What's more, the compilation of detection plans for all your key threats will make your detection program leaner and more effective, because you'll be operating on actual data about your detection posture rather than guesses and generalizations.

The Thrilling Conclusion

OK, I lied.  It's not really that thrilling.  But it is important. The combination of the Kill Chain methodology to organize your threat indicators and the Pyramid of Pain to prioritize your detection of them is an extremely powerful one.  The resulting document not only shows you a "snapshot in time" of your DFIR effectiveness against that threat, but also points out gaps which are potential areas for growth and improvement.  It is these plans which help an organization realize the full potential of the intel-driven model of detection and response.  Everything else is just a guess.

Friday, March 1, 2013

The Pyramid of Pain

Update 2014-01-17
I'm updating this post to include a slightly revised version of the Pyramid.  The only real change I made was that I added a new level for hashes.  I also updated the text to account for this.  



On February 18th, Mandiant put a major hole in the APT intelligence dam when they released their APT1 report profiling a group commonly referred to as Comment Crew.  There followed a small flood of reports from other entities, like Symantec and the DHS/FBI.  Most of the furor over the APT1 report was regarding its findings suggesting that APT1 is actually the PLA's Unit 61398.  This is solid work, and a real breakthrough in the public policy arena, but I was a lot more excited about the detailed technical information included in the reports' seven appendices (not including the video appendix).

After seeing how these indicators were being applied, though, I came to realize something very interesting: almost no one is using them effectively.  

I put that statement in bold, because it's a little bit of a challenge, and I'm sure it will surprise many readers.  The entire point of detecting indicators is to respond to them, and once you can respond to them quickly enough, you have denied the adversary the use of those indicators when they are attacking you. Not all indicators are created equal, though, and some of them are far more valuable than others.

The Pyramid of Pain

To illustrate this concept, I have created what I like to call the Pyramid of Pain.  This simple diagram shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.  Let's examine this diagram in more detail.


Types of Indicators

Let's start by simply defining the types of indicators that make up the pyramid:
  1. Hash Values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files.  Often used to provide unique references to specific samples of malware or to files involved in an intrusion.
  2. IP Addresses:  It's, um, an IP address.  Or maybe a netblock.
  3. Domain Names: This could be either a domain name itself (e.g., "evil.net") or maybe even a sub- or sub-sub-domain (e.g., "this.is.sooooo.evil.net")
  4. Network Artifacts: Observables caused by adversary activities on your network. Technically speaking, every byte that flows over your network as a result of the adversary's interaction could be an artifact, but in practice this really means those pieces of the activity that might tend to distinguish malicious activity from that of legitimate users.  Typical examples might be URI patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, etc.
  5. Host Artifacts: Observables caused by adversary activities on one or more of your hosts.  Again, we focus on things that would tend to distinguish malicious activities from legitimate ones.  They could be registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions of malicious services, or almost anything else that's distinctive.
  6. Tools: Software used by the adversary to accomplish their mission.  Mostly this will be things they bring with them, rather than software or commands that may already be installed on the computer.  This would include utilities designed to create malicious documents for spearphishing, backdoors used to establish C2, and password crackers or other host-based utilities they may want to use post-compromise.
  7. Tactics, Techniques and Procedures (TTPs): How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between.  "Spearphishing" is a common TTP for establishing a presence in the network.  "Spearphishing with a trojaned PDF file" or "... with a link to a malicious .SCR file disguised as a ZIP" would be more specific versions.  "Dumping cached authentication credentials and reusing them in Pass-the-Hash attacks" would be a TTP.  Notice we're not talking about specific tools here, as there are any number of ways of weaponizing a PDF or implementing Pass-the-Hash.

The Pyramid Explained

Now that we have a better idea what each of the indicator types are, let's take a look at the pyramid again. The widest part of the pyramid is colored green, and the pinnacle of the pyramid is red.  Both the width and the color are very important in understanding the value of these types of indicators. 

Hash Values

Most hash algorithms compute a message digest of the entire input and output a fixed-length hash that is effectively unique to the given input.  In other words, if the contents of two files vary even by a single bit, the resultant hash values of the two files are entirely different.  SHA1 and MD5 are the two most common examples of this type of hash.

On the one hand, hash indicators are the most accurate type of indicator you could hope for.  The odds of two different files having the same hash values are so low, you can almost discount this possibility altogether. On the other hand, any change to a file, even an inconsequential one like flipping a bit in an unused resource or adding a null to the end, results in a completely different and unrelated hash value.  It is so easy for hash values to change, and there are so many of them around, that in many cases it may not even be worth tracking them.  

You may also encounter so-called fuzzy hashes, which attempt to solve this problem by computing hash values that take into account similarities in the input.  In other words, two files with only minor or moderate differences would have fuzzy hash values that are substantially similar, allowing an investigator to note a possible relationship between them.  Ssdeep is an example of a tool commonly used to compute fuzzy hashes.  Even though these are still hash values, they probably fit better at the "Tools" level of the Pyramid than here, because they are more resistant to change and manipulation.  In fact, their most common use in DFIR is to identify variants of known tools or malware, in an attempt to rectify the shortcomings of more static hashes.

IP Addresses

IP addresses are quite literally the most fundamental indicator.  Short of data copied from a local hard drive and leaving by the front door on a USB key, you pretty much have to have a network connection of some sort in order to carry out an attack, and a connection means IP addresses.  They sit at the widest part of the pyramid because there are just so many of them.  Any reasonably advanced adversary can change IP addresses whenever it suits them, with very little effort.  In some cases, if they are using an anonymous proxy service like Tor or something similar, they may change IPs quite frequently and never even notice or care.  That's why IP addresses are green in the pyramid.  If you deny the adversary the use of one of their IPs, they can usually recover without even breaking stride.

Domain Names

One step higher on the pyramid, we have Domain Names (still green, but lighter).  These are slightly more of a pain to change, because in order to work, they must be registered, paid for (even if with stolen funds) and hosted somewhere.  That said, there are a large number of DNS providers out there with lax registration standards (many of them free), so in practice it's not too hard to change domains.  New domains may take anywhere up to a day or two to be visible throughout the Internet, though, so these are slightly harder to change than just IP addresses.

Network & Host Artifacts

Smack in the middle of the pyramid and starting to get into the yellow zone, we have the Network and Host Artifacts.  This is the level, at last, where you start to have some negative impact on the adversary.  When you can detect and respond to indicators at this level, you cause the attacker to go back to their lab and reconfigure and/or recompile their tools.  A great example would be when you find that the attacker's HTTP recon tool uses a distinctive User-Agent string when searching your web content (off by one space or semicolon, for example.  Or maybe they just put their name.  Don't laugh.  This happens!).  If you block any requests which present this User-Agent, you force them to go back and spend some time a) figuring out how you detected their recon tool, and b) fixing it.  Sure, the fix may be trivial, but at least they had to expend some effort to identify and overcome the obstacle you threw in front of them.  

Tools

The next level is labelled "Tools" and is definitely yellow.  At this level, we are taking away the adversary's ability to use one or more specific arrows in their quiver.  Most likely this happens because we just got so good at detecting the artifacts of their tool in so many different ways that they gave up and had to either find or create a new tool for the same purpose.  This is a big win for you, because they have to invest time in research (find an existing tool that has the same capabilities), development (create a new tool if they are able) and training (figure out how to use the tool and become proficient with it).  You just cost them some real time, especially if you are able to do this across several of their tools.

Some examples of tool indicators might include AV or Yara signatures, if they are able to catch variations of the same files even with moderate changes.  Network-aware tools with a distinctive communication protocol may also fit at this level, where changing the protocol would require substantial rewrites to the original tool.  Also, as discussed above, fuzzy hashes would probably fall into this level.

Tactics, Techniques & Procedures

Finally, at the apex are the TTPs.  When you detect and respond at this level, you are operating directly on adversary behaviors, not against their tools.  For example, you are detecting Pass-the-Hash attacks themselves (perhaps by inspecting Windows logs) rather than the tools they use to carry out those attacks.  From a pure effectiveness standpoint, this level is your ideal.  If you are able to respond to adversary TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors.  

Let's think about that some more.  If you carry this to the logical extreme, what happens when you are able to do this across a wide variety of the adversary's different TTPs?  You give them one of two options:  
  1. Give up, or
  2. Reinvent themselves from scratch
If I were the adversary, Option #1 would probably look pretty attractive to me in this situation.

Effective Use of APT1 Indicators

Now that we've covered all that background, we can finally turn our attention back to the APT1 indicators.  I said that almost no one was making effective use of them.  What did I mean by that, and what constitutes "effective use"?

What I meant was that I see a lot of discussion about the long list of domain names included in Appendix D (and to a lesser extent, the domains and IPs included in the DHS/FBI and Symantec reports as well).  Seth Hall of the Bro-IDS project even put out a neat Bro module that you could use to search for those domains in your network traffic.  

This is all good and proper, but I haven't seen a lot of discussion centering around the data they provided on the behavior of the Comment Crew tools themselves.  Appendix A is a giant data dump of some very good information regarding host and network artifacts for 40+ tools known to be in use by this group.  

Emerging Threats has published a set of Snort signatures that cover many of these, and I'm quite sure many of us have produced our own, but I find the lack of attention to these curious.  Maybe the ET rules are already serving everyone's needs and so there's no need to talk about them?  More likely, though, I think a lot of organizations have not properly reviewed the reports for detection indicators.

Whenever you receive new intel on an adversary (whether it be APT1/Comment Crew or any other threat actor), review it carefully against the Pyramid of Pain.  For every paragraph, ask yourself "Is there anything here I can use to detect the adversary's activity, and where does this fall on the pyramid?"  Sure, take all those domains and IPs and make use of them if you can, but keep in mind that the amount of pain you cause an adversary depends on the types of indicators you are able to make use of, and create your plan accordingly.