Category: Threat Hunting

Profiling the adversary : Target Determination

fl0x2208Leave a comment

Readers!

As mentioned on my recent LinkedIn update, this is the first blog article in this series about what our adversaries do and from their objectives/actions how a target can learn.

Executives or higher management asks mostly following questions :

  • What is current threat landscape ?
  • How do we protect our organisation ?
  • What is targeting us ?
  • What are our current cyber security risks ?
  • Are we getting return on investment from the the products we have ?

Mostly the executive summary is trying to answer these questions – sometimes other. We always looks for the answers to these questions from our vendors, internal teams etc. However, are we asking right questions ? How about,

  • Why are they targeting us ?
  • What kind of information they are after ? Why ?
  • What kind of data/information they are leveraging ?

To answer these questions we need a combination, to profile what adversaries are doing and what we know about our own organisation.

Based on my experience, I have noticed that there are very few documentation or approaches out there with regards to what Targets (organisations not individual users) should be doing before and after any adversary targets and attacks them. Normally, vendors or organisations follow a framework or a model that is out there.

Lockheed Martin’s Cyber Kill Chain is a good model to understand attackers actions  and understanding their objectives and how an organisation as a victim can defend themselves. However, in my hypotheses before targeting an individual or an organisation or a nation, one must first determine the target. This determination is based on INTENT, MOTIVE and CAPABILITY of an attacker/adversary.

Mission of the blog is to understand what steps does attackers/adversaries take, profile them based on the steps taken and as a target what we are suppose to do. Seems like we perform reconnaissance ourselves. Many organisations put this under Reconnaissance phase (Information Gathering), which is wrong. Consider you are traveling :

  • Target : I have 4 days of holidays I will go to place A.
  • Reconnaissance : How do i get there, means of transportation, which hotel to stay in etc

You can see clear differences between the two.

At the end of series, the goal will be to profile attackers, their objectives and what tools, techniques and procedures they use and how we can defend ourselves or at least be pro-active in our incident response. Of what I have mentioned, likely is known globally but, still hoping to spread the word. Later, will also try to match with Diamond model which is very useful in understanding an Attacker and their capabilities.

Every attacker/adversary has an INTENT and MOTIVE to perform an attack or target an entity and for a successful attack their capabilities are also important. From highly sophisticated to script kiddies they have certain objectives. However, intent and motives are majorly used in law and justice field and not on threat report. At-least the reports that I have seen does not mention it. In my opinion, the fields is not only when we have to go to court, but we can also use it to understand our adversaries and  prepare ourselves.

This being said, for me the first phase should be Target Determination or Determining a target, that fits attackers/adversaries objectives. Recently, MITRE has updated the TTP matrix with Pre-ATTACK. The matrix provides the ability to prevent an attack before the adversary has a chance to get in.

We can distribute attackers/adversaries into two groups :

  1. Insiders – Disgruntled employees,
  2. Outsiders – Ex-Employees, Nation State attackers, cyber criminals, script kiddies, hacktivists etc.

Few motivations/intentions :

  1. Financial gain
  2. Fame or generate vouches – Require to gain trust of underground or group of hackers
  3. Intellectual challenges
  4. Damage or disrupt services
  5. Cyber espionage
  6. Personal grievances.
  7. Political motivation
  8. Terrorism

Intentions are sometimes hard to prove, but mostly our adversaries will have malicious intentions.

Only after deciding a Target, they will perform Reconnaissance or Target Profiling. Now, where the attackers/adversaries look is depending on the target or what motivates them. Target can be a single entity or an organisation or a nation/country that accomplishes their intentions/motivations.

Single entity as a target – Individuals are mostly targeted for their personal data. Their personal data such as credentials of their email address, online banking, medical data etc. These information are normally sold on forums and/or marketplaces. Other example is targeting individuals with high positions in corporate places or an institution.

Organisation as a target  An attacker have varied intentions in targeting organisation. Damaging reputation, personal grudge, financial gain or sometimes part of conspiracy and/or nation state attacks.

Nation/Country as a target – This is mostly politically motivated and intentions are mostly malicious towards harming the nation or a country and its infrastructure. Disrupting day to day services that affects human life is also an intent. Recent example – NotPetya malware attack to Ukraine. Here, attackers/adversaries understood their target and profiled them and launched the attack.

In all cases, the better an attacker/adversary profiles their target the better the attack will be.

For individual users, beside security awareness, being careful is the key here. The information that they share or provide can be used to target them. During a presentation I came up with the following tagline.

“Charity begins at home and intelligence begins with your logs”

So attackers/adversaries spend days, weeks or months to collect information about their target, as an organisation for example, you already have this information but,  not using to gain tactical advantage over our adversaries. So what should a targets do ?

  1. Take time to understand your organisation. Understand what information do you have floating on the network and sitting on the systems.
  2. Should know type of information available publicly and understand the risk and how it can be used by an attacker and type of attacks that can leverage these information.
  3. One must take this into consideration that attackers will use available tools to assist them. Mostly these tools are available or sold in underground marketplaces. Being aware of the tools is good way to start. These tools are their weapons and we must know how an enemy weapons work to defend against them. For every poison there is an antidote.
  4. Further action on any successful breaches and data exfilteration beside incident response and BAU activities. If email address were seen on pastebin don’t just change credentials but also understand that these email addresses will be used for phishing or spoofing. Ideal is to change email address and convert the breached one into honeypot email addresses. This will help understand type of attackers targeting your organisation. If not feasible have a mechanism to monitor those email address and profile the incoming spam if any.
  5. Brand monitoring and domain registration – Organisation should be monitoring their brand mentions and/or any domain registration that can be used for phishing or a fraud or to launch attacks.
  6. Phishing is wildly used to lure users and entry points of malware. Organisations should also have a team looking for phishing sites and pro-actively perform takedowns.
  7. It is also ideal to share information of any attacks or compromise within peer industry to understand the possible exposure of an organisation.
  8. Understand your service providers and contractors as they can be a exploited to launch the attack.

Following points are few examples of what kind of information gets out or available that aids an attacker in launching the attack:

  1. It is important to know how your security controls are responding to inbound attacks. The information that they send back (for example a reconnaissance attempt) can also be used to map the network or understand type of device that is stopping adversaries. For example inbound scan blocked by firewall and responding with ICMP network unreachable message.
  2. Websites such as Google and Shodan can be used to collect lot of information about a target and therefore should be monitored. Especially accidental upload by internal employees. Eg – Employee uploading an excel sheet with organisation data on VT, just to make sure there is no malware. Pro-actively monitoring this can assist us to contact respective parties to take the data offline before entities with malicious intent get there hands on.

A Threat Intelligence and/or Hunting team must have this kind of approach. Organisations where there is budget limitation, can also engage their security operations or security service providers to perform these actions on their behalf. Frequency depends on organisations capability to invest in resources.

With this I will end part 1.