Always A Bad Day For Adversaries

Category: Best Practices Page 1 of 2

Chronic Stress and a Life: How Stress Almost Killed Me

I started getting sick two years ago: headaches, irritability, mood swings, poor sleep, and sinus congestion.  I started a new job not too much earlier and working hard at a non-profit simultaneously.  Several years earlier I began to get seasonal allergies.

It wasn’t constant.  The symptoms would come and go; again, like allergies.  I worked hard with long days and late nights on the equivalent of two tech start-ups.  Stress is normal. You work hard at start-ups.  You hustle day and night.  If you’re not stressed, you’re not working hard enough. The joy of a start-up is a struggle.  Right?

I worked in high stress environments before, in national cyber operations centers at the National Security Agency dealing with major national crises.  I had worked 18-hour days regularly simultaneously dealing with high stress and constant fatigue while also thriving.  So, I thought I knew I could handle stress.  I thought this was a bad allergic episode.

For six months the symptoms worsened.  Headaches constantly.  I couldn’t focus for long. It was harder to breathe through my nose and I diagnosed myself with worsening allergies.  I went to the doctor.  They suspected a sinus infection and proscribed a light steroid, nasal drops, and antibiotics.  I was on increasing doses of antibiotics for two months.  I had several international trips with long hours in the plane – a nauseating and painful experience with inflamed sinuses.  Nothing changed – it got worse.  Now, I was unable to focus on any task for more than 15 minutes.

I visited an ENT (ear, nose, throat) specialist.  After a 15-minute consultation they saw it was bad enough to order a CT scan to examine my sinuses immediately.  My sinuses were filled by inflamed sinus tissue – an extreme case of sinusitis.  That explained all my symptoms.  A question I asked the doctor: why?  Why was this happening?  His answer: they don’t really understand sinusitis and it could be caused by many factors.  But it wasn’t an infection being addressed by antibiotics; so, either it was a strain of resistant bacteria or something else.  Either way we needed to reduce the inflammation to get the sinuses to drain so they can heal.  They put me on lots and lots of steroids.

The steroid treatment was terrible.  Absolutely terrible.  It helped the inflammation but caused horrendous mood swings.  I didn’t like the person I was anymore.  After 30 days on steroids without improvement I opted for surgery as there were no other options.  I would have stents placed in my sinuses to force them to drain.  I would have my septum straightened and turbinates reduced to widen the nasal passages.  It was hell.  I lived and slept for a week in a reclining chair sipping apple juice only for 3-4 days unable to lay down and feeling too poor to do much else.  I couldn’t breathe through my nose and my entire face swollen and in pain.

After the post-surgery removal of the stints, packing, and everything else and weeks of follow-up appointments to clean out my sinuses with a small vacuum, it seemed to have worked.  I was feeling better.  I was breathing better than ever before.  My headaches were gone, and I was feeling more normal.  Case closed.

Fast forward 3 months.  I began feeling depressed.  The mood swings appeared again.  I was getting seriously anxious.  I would get angry at my family for little things.  I would wake up angry and anxious – I could feel my blood pressure rise within the first five minutes of being awake.  I channeled all that excess energy into cleaning – constantly cleaning the house and then being angry at everyone else when it wasn’t clean enough.  I was a complete wreck.  Interestingly, I also began to feel my sinuses again.  I could tell my stress level by how well I could feel their inflammation.  I would tell my wife, “I feel my sinuses” when I was getting anxious or stressed.

Luckily, I have the most intelligent and caring spouse, partner, and friend in Sherrie.  She was clear with me that I needed to get help.  Things were not good.  I was a different person.  I was ruining my relationship with my children.  I was ruining our relationship.  So, eventually I went back to the doctor.

This time, I went specifically to discuss depression, stress, and anxiety.  They increased my antidepressants which worked much better and helped manage generalized anxiety.  I also stayed away from Benadryl which I was using as a sleep aid because one of its side effects is anxiety.  I cut back on caffeine to reduce stimulants.  I also got out of the house more often which was a constant trigger.

Eventually I learned that what my sickness had a name: Chronic Stress.  I was dealing with an insidious demon.  One normalized and even encouraged by society.  After decades of working in high stress situations and environments my body was caught in a vicious cycle.  It was destroying itself.  The actual physiological components are complex and still not fully understood so I won’t explain them here but there are resources linked at the end which explain stress better.

I never knew this.  Of course, I heard about the risk and damage of stress in the abstract.  People saying “take care of yourself” or such.  But, hell, I worked in computer security. I hunted hackers and human traffickers from my desk.  I wasn’t taking bullets in my job.  My job wasn’t the usual work associated with high stress or PTSD.  But, unknowingly, that’s what it was leading to.  What was a manageable amount of stress earlier in my career had slowly destroyed me over time and now made me unable to handle normal situations.

I was likely terminally ill and didn’t know it.  My cognitive function was declining.  My blood pressure was out of control.  I stopped sleeping well.  I was very depressed.  Left uncontrolled I would have likely lost my family and even my life.

I battled chronic stress.  Not just stress – that makes it seem like a weekend off would have made things better. I now battled metabolic syndrome and likely long-term cognitive damage caused by stress.  I had physical surgery on my sinuses because of stress.  I had more common depressive episodes.  I had a reduced attention span.  I was more irritable.  Likely, permanently.  You see, stress is something that hurts you permanently and physically over time if left unmanaged.  There are thousands of studies that support this.  Importantly, chronic stress destroys brain synapses possibly permanently.  What was easy before becomes more difficult.

I’m doing better now.  I’m not “well.”  Chronic stress is now like an addiction recovery.  The effects are something I’ll now live with forever.  I’ll always be managing it.  I’ve permanently changed who I am neurologically and psychologically.  It may get easier over time if I can control it, but nobody knows.

So, I now take more time off.  I try to sleep longer going to bed earlier.  I spend more time outside in the sun.  I keep taking my prescriptions which help.  I am open with my coworkers and family about how I’m feeling and let people help me.  I tell people what I need more.  I take more time to contemplate and meditate.

Don’t let this happen to you.  Occasional stress is normal, but constant stress will destroy you.  Not tomorrow but, like a silent killer, over time changing who you are and what you can do.  If you see these or any similar symptoms – DO SOMETHING NOW.  Because you too may get caught in a vicious cycle caused by your own body before you recognize it.

Yes, I risk a lot by saying all of this.  It’s true that mental health is stigmatized.  We send cards to people who break their legs but never to those who struggle with mental illness.  It’s true that a future employer could find this post and hold it against me.  But if I can help at least one person recognize their symptoms and save a life from being ruined or ended then it will have been worth it.  The only way we make the world better is through empathy and positive action – not only with others, but with ourselves as well.

Image result for be excellent to each other

Resources which have helped me:

https://www.mayoclinic.org/healthy-lifestyle/stress-management/in-depth/stress/art-20046037

https://www.apa.org/helpcenter/understanding-chronic-stress

https://humanstress.ca/stress/understand-your-stress/acute-vs-chronic-stress/

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5137920/

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2568977/

https://www.nhs.uk/conditions/stress-anxiety-depression/mindfulness/

Enabling Skype Two Factor Authentication

Skype is an important communications medium.  This importance also lends itself to targeting by adversaries.  Two factor authentication is one of the most important defensive actions you can take to prevent successful attacks.  Therefore, you should enable two-factor authentication for Skype!

However, this is not straightforward.  Here’s how you do it.  THE THIRD STEP IS THE MOST IMPORTANT – otherwise an adversary can bypass two-factor authentication by logging in via the Skype name still.

  1. Link Skype and Microsoft Account
  2. Enable two-factor authentication for the associated Microsoft account
  3. Disable login via Skype username (via this sign-in preference panel)

Building Threat Hunting Strategies with the Diamond Model

Hunting cyber threats (especially those never seen previously) is the most expensive and difficult threat intelligence endeavor.  Hunting is a risk because you’re betting that there is something there to find – and that you can find it.  An effective hunter may come up empty most of the time.  Creating an effective threat hunting strategy ensures greater chances for a return on the investment.

An effective strategy includes answering four critical questions and employing the right approach to achieve the goal.  The Diamond Model identifies several “centered-approaches” enabling effective threat hunting.  Tying these approaches together creates the basis for a hunting strategy.  Without a strategy your chances of failure increase dramatically.

Hunting cyber threats is the most expensive and difficult threat intelligence endeavor.

Building a Hunting Strategy with the 4 Hunting Questions

Throwing out “I’m going threat hunting” is akin to saying, “I’m going fishing.”  Both are such vague phrases that they generally require a follow-up question: “For what?”  Some may answer “malware” or “lateral movement” the same as others answer “salmon” or “bass.”  The next question asked, naturally, “where?”  This leads us to the first critical element of a hunting strategy: answering the critical questions.

If you can’t answer these questions well.  You might as well go back to what you were doing because you’ll likely end up just wasting time and resources.  Hunting requires patience and discipline.  These four questions are the core of any hunting strategy.

The 4 Hunting Questions

There are four critical questions necessary to build a hunting strategy, and they’re best answered in this order:

  1. What are you hunting?
    • Hunting is expensive and risky.  You must narrow down exactly for which activity you are hunting.  Is it exploitation?  Is it lateral movement?  It is exfiltration?
  2. Where will you find it?
    • What you are hunting will determine where you will find the activity.  You must next narrow down the sources of telemetry which will provide visibility into the activity AND access to stored telemetry
  3. How will you find it?
    • Once you’ve identified what you’re looking and where you’ll likely find it, next you must identify the tools to hunt.  You don’t catch salmon and bass in the same way – you won’t catch exploitation and lateral movement in the same way.
  4. When will you find it?
    • Have a time bound for your hunting.  A never-ending chase will lead you nowhere.  Allot a specific amount of time necessary to achieve your goal, and if you come up empty at that time – move on to the next target.  If you have to feed your family, and you go out salmon fishing but catch nothing – it’s probably best to instead go after another fish or game before everyone dies of starvation 🙂  Likewise, management may likely lose patience with your hunting if you don’t deliver value.

From Strategy to Approach

Once you’ve answered the four critical hunting questions – you must then design the approach.  The approach not only describes the modes and methods of your hunting but, more importantly, addresses the “why.”  The “why” establishes your hypothesis.

Hunters must build and test many hypotheses at once.  Each failed hypothesis can lead to a failed hunt.  For instance, the hunter hypothesizes that they’re breached.  Why else would they be hunting?  Of course, if they’re not – the hunt fails.  The hunter hypothesizes the adversary leverages identities to move across assets.  So, this hypothesis leads the hunter to examine Active Directory logs.  Of course, if the adversary uses file shares they may not show up in AD – the hunt fails.

This step is critical because hunting is a big risk and cost.  And, establishing not just the “how” but also the “why” will help hunters critically examine their approach and look for other methods possibly overlooked.

When hunting adversaries you must always question your approach and look for more creative and effective methods.

The Diamond Model Centered Approaches

The Diamond Model establishes the event as the most basic element of any malicious activity and composed of four core features: the adversary, the victim, infrastructure, and capability.  All malicious activity contains these features (as established in Axiom 1).  Therefore, any hunting is ultimately based on these features and any hunting approach contains a mix of these “centered approaches.”

However, don’t consider these approaches in isolation.  Instead, a mix of approaches used in concert achieve greater coverage.

The Diamond Model of Intrusion Analysis. An event is shown illustrating the core features of every malicious activity: adversary, victim, capability, and infrastructure. The features are connected based on their underlying relationship.

The Diamond Model of Intrusion Analysis. An event is shown illustrating the core features of every malicious activity: adversary, victim, capability, and infrastructure. The features are connected based on their underlying relationship.

Named for the feature on which they’re based, the approaches are:

The Victim-Centered Approach

The news of several determined adversaries targeting a single human rights activist is an excellent example of the victim-centered approach.  A victim-centric approach uses the victim as the central element for hunting and looks to illuminate the other Diamond-connected features (i.e., capabilities, infrastructure, adversaries).  The victim-centric hunt is equivalent to a “honeypot.”

Network defenders will most likely focus on the victim-centered approach.  It provides the greatest benefit and easiest approach with the highest likelihood of actionable results.  There are many modes and methods provided by this approach.  Chris Gerritz (@gerritzc) details several victim-centered approach modes and methods in his post: Approaches to Threat Hunting.

Advantages: catches many adversaries, many hunting opportunities (e.g., network attacks, malicious email delivery, etc.), easily obtained data (usually)

Disadvantages: possible overwhelming amount of malicious activity, too many hunting opportunities can dilute an undisciplined hunting effort

Tips: focus hunt on a single phase of the kill-chain at a time

See Diamond Model Section 7.1.1

An Example Victim-Centered Hunting Strategy

[Why] We hypothesize that several adversaries target a specific victim.

[Why] We further hypothesize that adversaries deliver their capabilities via email (as most do).

[Why] Our hypothesis is strengthened through data that most attacks are delivered via email and our organization has previously received email-borne delivery attacks.

[What] Our hunting goal: collect intelligence on adversary attacks in the email delivery phase.

[Where & How] Therefore, our victim-centered hunting approach includes gaining visibility into the victim email and apply tools which illuminate likely malicious elements (links, attachments).  Our primary method will involve detonating attachments and hyperlinks.  Our secondary method will involve sender-receiver graph analysis and header inconsistencies.

[When] We will apply this approach and methodology for 2 weeks after achieving access to data.

This hunting strategy reveals:

  • Capabilities: the tools and techniques used by an adversary to compromise and operate against a victim (e.g., in our example: the malicious attachments)
  • Infrastructure: the logical and physical elements necessary to manage capabilities (e.g., in our example: the email source, malicious attachment C2, URLs)

The Infrastructure-Centered Approach

While network defenders will generally take the victim-centered approach.  That’s not the only hunting approach available.  The infrastructure-centered approach enables hunters to identify malicious infrastructure and possibly pivot to identify capabilities, victims, and more infrastructure.  Most importantly, because generally infrastructure must operational before capabilities and victims connect – new infrastructure can provide preemptive defense.

There are several methods to leverage this approach.  Depending on access and visibility some are easier than others.  For instance, one method is to monitor domain name servers known to host malicious domains.  Another may be to monitor all new domain registrations for a known pattern used by an adversary.

Another popular method is SSL certificate chaining.  PassiveTotal has written a post, “Harnessing SSL Certificates Using Infrastructure Chaining” detailing the method.  Mark Parsons (@markpars0ns) has a great presentation on “Hunting Threat Actors with TLS Certificates.”

Lastly, and one of the most difficult is direct observation of malicious infrastructure.  This could be done through a service provider – or via infrastructure take-over (such as a sinkhole).  Through this method, significant intelligence can be gained including: capabilities used through the infrastructure, victims contacting the infrastructure, and potentially other related infrastructure.

Don’t forget about the opportunities to use the Diamond Model to chain multiple approaches together.  For example, after discovering new infrastructure an analyst is able to pivot an ask for additional information about Diamond-connected features, such as capabilities.  This might be through pivoting across a malware zoo like Virus Total for any reference to the infrastructure.

Advantages: Good tools exist to support the approach (PassiveTotal), finding infrastructure prior to operational use provides preemptive defense

Disadvantages: Limited data access, findings not relevant to many organizations

Tips: Data, Data, More Data

See more in the Diamond Model Section 7.1.3

Example Infrastructure-Centered Hunting Strategy

[Why] We hypothesize adversaries establish infrastructure prior to operations

[Why] We hypothesize adversary X continues to structure their domains using the pattern badstuff-<victimname>.com

[Why] We hypothesize adversary X continues to use the name server baddomains.com to host their infrastructure and the same

[What] Our hunting goal: monitoring the name server for new names matching the pattern we may find new names prior to their operations providing proactive defense.  Further, because the adversary uses the victim name in their domain we will likely identify victims.

[Where] The baddomains.com name server

[How] Monitor the baddomains.com name server by querying the server every morning for all domains and identifying the domains not seen the previous day.  Further, looking for any domains on the server with the known pattern.

[When] We will leverage this strategy for 1 month to provide for any dips in adversary activity during that period

The Capability-Centered Approach

Aside from the victim-centered approach employed by most network defenders, the capability-centered approach is the second-most popular.  This is largely due to the broad accessibility of a massive malware zoo – VirusTotal.  If VirusTotal didn’t exist, this approach would likely be limited to only anti-virus vendors and others with potentially large collections of malicious binaries.

The capability-centered approach focuses on discovering intelligence from adversary tools – namely “malware” (but the category is larger than malware and includes legitimate tools used illegitimately).  The most advanced hunters using this approach take advantage of the VirusTotal retrohunt feature enabling analysts to run YARA rules over the VirusTotal zoo looking for lesser known samples.

Advantages: easy access to large malware library (VirusTotal), easily written analytics (YARA)

Disadvantages: without your own malware zoo – limited to VirusTotal features

Tips: take advantage of VirusTotal

See more in the Diamond Model Section 7.1.2

Example Capability-Centered Hunting Strategy

[Why] We hypothesize that network defenders share adversary capabilities via VirusTotal

[Why] We hypothesize that we can identify unique malware via a malware zoo using static analysis

[What] Our hunting goal: find undiscovered malware and its associated command and control (C2) channel to feed host- and network-based detection to enhance protection

[Where] VirusTotal

[How] Author and execute YARA rules over the VirusTotal data and monitor the zoo daily for new samples meeting our criteria

[When] We will author and improve rules for 2 weeks and run them perpetually

The Adversary-Centered Approach

The adversary-centered approach focuses on visibility on the adversary themselves – meaning few organizations have the requisite visibility.  Usually, limited to only service providers and those with extraordinary capabilities.  However, achieving visibility directly on the adversary themselves generally provides tremendous, almost perfect, insight.  This includes infrastructure creation and management, capabilities (sometimes those in development), attribution details, and at times victim information.

However, others may access some methods within this approach.  For instance, knowing an adversary persona may allow an analyst to leverage open source intelligence (OSINT) to track the persona across sites potentially gaining insight into operations.  Further, an analyst may leverage adversary operations security (OPSEC) mistakes to achieve attribution based on their persona.  ThreatConnect’s CameraShy work illustrates the adversary-centered approach to achieve attribution through persona development and tracking.

However, while this approach leads to “newsworthy” items regarding attribution – their direct application to network defense is limited.  Therefore, generally only those with a vested interested in attribution leverage this approach.

Advantages: possible adversary attribution, deeper visibility into

Disadvantages: the most difficult approach requiring significant (and sometimes extraordinary) visibility or adversary mistakes, does not generally result in actionable intelligence, adversary “false flag” mis-attribution may trip up undisciplined analysts

Tips: leverage OSINT and pray for a mistake 🙂

See more in the Diamond Model Section 7.1.4

Example Adversary-Centered Hunting Strategy

[Why] We hypothesize adversaries use personas to register malicious domain names

[Why] We hypothesize that some of these domain registration aliases relate to real people

[Why] We hypothesize that adversaries have mistakenly tied their operational alias to their real personas revealing their personal details

[What] Our hunting goal: uncover the real people behind malicious domains providing attribution

[Where] Domain registration data and other open sources

[How] Take 500 known malicious domains, extract aliases details from their registration, pivot across open sources looking for correlation with real people

[When] Spend 3 days collating known malicious domains, 2 weeks pivoting across open sources

Why Threat Intelligence Sharing is Not Working: Towards An Incentive-Based Model

The juggernaut known as the “threat intelligence sharing imperative.”  Security and industry conferences fill their time with “sharing.”  How many sharing groups and platforms do we require?  Too many exist.  Alien Vault recently reported that 76% of survey respondents reported a “moral obligation to share threat intelligence.”  McAfee says sharing threat intelligence “is the only way we win” (that isn’t even remotely true).  However, it’s not working.

According to Robert Lemos in eWeek, even with the most recent US cyber security legislation providing legal immunity organizations are not rushing to share.  The reason is simple.  That was only one component of a complicated problem.  While the legislation addressed one policy element, it didn’t address that sharing has never been proven (with data) to benefit sharing organizations.

We must move beyond these “religious” arguments and provide clear incentives for defenders to share.

In January, President Obama signed the Cybersecurity Act of 2015, but companies remain in a holding pattern, waiting for legal clarity and demonstrable benefits before sharing sensitive information.

– Robert Lemos, eWeek “Cyber-Threat Data Sharing Off to Slow Start Despite U.S. Legislation” [2016-10-02]

The Loudest in the Room

There is one thing I notice – security vendors yell the loudest about sharing. I don’t claim their sharing narrative is FUD, but the sharing narrative is a net positive for them.  The more data and intelligence they receive strengthen their products and services adding value to their organization. Security vendors have strong incentives to promote threat intelligence sharing.  But, what is the case that the cost of sharing to defenders is a net benefit to them?

Security vendors have strong incentives to promote threat intelligence sharing.  But, what is the case that the cost of sharing to defenders is a net benefit to them?

Sharing is Costly

I’ve been involved in threat intelligence sharing for a long time.  I am the first to support the notion of sharing.  I have story up on story which supports the sharing narrative.  But, I qualify my support: the value of sharing must exceed the cost.

Most network defenders will agree: sharing is costly.

  1. It requires significant cost to integrate externally shared threat intelligence effectively.
  2. Once you consume that threat intelligence you quickly discover it may consume your security team with poor quality – and requires significant tuning.  There is risk.
  3. Establishing a sharing mechanism, program, and process is costly.  It usually requires engineering effort.
  4. Management support for sharing usually requires political capital from network defense leaders.  They must prove that the resources spent on sharing are more important than the 20 other components competing for resources.  Also, let’s not forget about the legal support.

An Incentive-Based Approach

Sharing must go beyond a “religious” argument.  Instead, we must take an incentive-based approach.  We must create and promote incentives for defenders to share – with demonstrable results.  Therefore, those promoting sharing must provide a coherent and consistent data-driven case that sharing overcomes these costs to defending organizations.  “Share because it is good for you” is not enough.

So, next time you advocate for sharing – enumerate why network defenders should share.  Make it meaningful.  Make it data-driven.

The Laws of Cyber Threat: Diamond Model Axioms

Many confuse the purpose of the Diamond Model.  Most believe the Diamond Model exists for analysts, but that is an ancillary benefit.  Instead, think of the Diamond Model like a model airplane used to study the principles of aerodynamics.  It is not an exact copy but rather a good approximation of the full-scale airplane being studied.  The model exposes elements to test and study in a controlled environment improving the performance of the plane in an operational environment.  The Diamond Model does the same, except for cyber threat analysis.

When describing the Diamond Model to others, I usually start with, “we didn’t create the Diamond Model, we simply expressed some fundamental elements which always existed.”  Surprisingly, I learned while writing the Diamond Model how exposing this fundamental nature improved cyber threat intelligence.

The Diamond Model captures this fundamental nature about threats in seven axioms and one corollary.  This post will highlight those axioms.

Axiom 1

For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.

What it means: every malicious event contains four necessary elements: an adversary, a victim, a capability, and infrastructure.  Using this fundamental nature we can create analytic and detective strategies for finding, following, and mitigating malicious activity.


Axiom 2

There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.

What it means: there are bad actors working to compromise computers and networks – and they do it for a reason.  Understanding the intent of an adversary helps developing analytic and detective strategies which can create more effective mitigation.  For example, if we know that an adversary is driven by financial data, maybe we should focus our efforts on assets that control and hold financial data instead of other places.


Axiom 3

Every system, and by extension every victim asset, has vulnerabilities and exposures.

What it means: vulnerabilities and exposures exist in every computer and every network.  We must assume assets can (and will) be breached – other express this notion as “assume breach.”


Axiom 4

Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result.

What it means: malicious activity takes place in multiple steps (at least two), and each step must be successful for the next to be successful.  One popular implementation of this axiom is the Kill Chain.  But, the Kill Chain was not the first to express this notion – another popular phase-based expression is from the classic, Hacking Exposed.


Axiom 5

Every intrusion event requires one or more external resources to be satisfied prior to success.

What it means: adversaries don’t exist in a vacuum, they require facilities, network connectivity, access to victim, software, hardware, etc.  These resources can also be their vulnerability when exploring mitigation options.


Axiom 6

A relationship always exists between the Adversary and their Victim(s) even if distant, fleeting, or indirect.

What it means: exploitation and compromise takes time and effort – adversaries don’t do it for no reason.  An adversary targeted and compromised a victim for a reason – maybe they were vulnerable to a botnet port scan because the adversary looks to compromise resources to enlarge the botnet, maybe the victim owns very specific intellectual property of interest to the adversary’s business requirements.  There is always a reason and a purpose.


Axiom 7

There exists a sub-set of the set of adversaries which have the motivation, resources, and capabilities to sustain malicious effects for a significant length of time against one or more victims while resisting mitigation efforts. Adversary-Victim relationships in this sub-set are called persistent adversary relationships.

What it means: what we call “persistence” (such as in Advanced Persistent Threat) is really an expression of the victim-adversary relationship.  Some adversaries need long-term access and sustained operations against a set of victims to achieve their intent.  Importantly, just because an adversary is persistent against one victim doesn’t mean they will be against all victims!  There is no universal “persistent” adversary.  It depends entirely on each relationship at that time.

Corollary

There exists varying degrees of adversary persistence predicated on the fundamentals of the Adversary-Victim relationship.

What it means: not all persistence is created equal.  Some adversary-victim relationships are more persistent than others.  Sometime a victim will mitigate a years long intrusion only to be compromised again by the adversary that same week; at other times the adversary will never return.

Diamond Model or Kill Chain?

Rob MacGregor at PwC in “Diamonds or chains” asked , do you choose the Diamond Model or Kill Chain?  I get asked this question often.  The question assumes that the models are mutually exclusive when, in fact, they are not only complementary but interconnected.  Both models express fundamental elements of network exploitation in methods usable by network defenders.  You can’t expect complete intelligence or network defense without using both the Diamond Model and the Kill Chain.

Most understand that the Diamond Model expresses the first axiom encompassing the basic components of any malicious event: “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.”  However, most readers stop there, at page 15 – only 25% of the model.

Adversaries don’t just conduct one activity and move on – no, they must conduct several in a phased approach each successfully completing before the next.  As expressed on page 15 via Axiom 4: “Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result.” Axiom 4 effectively describes the Intrusion Kill Chain (section 3.2 of the Kill Chain).  Therefore, Events interconnect via Activity Threads which describe campaigns.

One may notice a great similarity between the figure describing key campaign indicators (Kill Chain pg. 8) and the Activity Threads illustration (Diamond Model pg. 31).  The two approaches interconnect at this point!

Diamond Model Activity Threads; The Diamond Model of Intrusion Analysis pg. 31

Diamond Model Activity Threads; The Diamond Model of Intrusion Analysis pg. 31

 

 

 

 

 

 

 

 

 

 

Dependent Events (composed of a victim, adversary, capability, victim) create Activity Threads across the Kill Chain.  These threads compose (using key campaign indicator analysis) adversary campaigns.  Ta Da!  The first interconnection between the two models.

The Diamond Model and Kill Chain analysis are highly complementary. Kill Chain analysis allows an analyst “to target and engage an adversary to create desired effects.” (Kill Chain pg. 4) The Diamond allows analysts to develop tradecraft and understanding to build and organize the knowledge necessary to execute the Kill Chain analysis.

  • Once an analyst develops an activity thread, courses of action for each event along the thread can be identified using the Kill Chain’s course of action matrix. As illustrated in the figures, courses of action for each of the Kill Chain stages are identified for activity threads. The power of the Diamond Model is that courses of action can be designed to span multiple victims and across the activity of an adversary making the actions even more powerful as they further reduce the capacity of the adversary.
  • Activity groups clustered by same likely adversary (i.e., clustering by attribution) with analysis of the largest common feature set amongst the events in a group can provide the Kill Chain’s required key campaign indicators necessary to focus and prioritize courses of actions.

In the end, don’t ask: do we use the Diamond Model or the Kill Chain. Instead ask: are you using them both effectively?

Keeping up with the Stream: How I Maintain External Situational Awareness

In any field related to intelligence and security it is critical to stay abreast with external news and developments.  But, your time is a zero-sum game and all security and intelligence analysts must balance their time “reading the news” (consuming news from others) with “creating the news” (generating new intelligence and insight for others) – this is how I view my work time strategically.  Building tools and techniques to more efficiently “read the news” allows you to spend more time “creating the news.”  So it is no surprise that I get asked regularly what I do to stay connected with the world and the community.  Here is my answer, for my particular situation and need.  Mileage will vary.

For me, the key is to take advantage of curated news/information streams instead of curating it myself.  However, just like relying on any one news source, relying on one or a few curators for your news will quickly introduce you to the bias of the curators themselves.  Therefore, I don’t rely entirely on this method and also self-curate to a small extent to lower that risk.

I organize my professional reading into three categories: world, profession (computer science/security/analysis/data science), and discipline (threat intelligence).  Usually, I begin by reading the world news, followed by threat intelligence, and lastly information I need about my profession.  I feel that this appropriately prioritizes my time and gives me the best perspective to solve problems throughout the day.

Here is my particular strategy:

  1. I begin with the top stories on Google News and then to the Economist.  I then browse the front page of Reddit.  Together this gives me a healthy sense of major events in the larger world.  This is critical because my discipline is heavily influenced by larger world events.  However, within this set I also focus my time reading articles which have direct impact on areas of world my daily work touches.
  2. I read curated security and intelligence emails: Team Cymru Dragon News Bytes; SANS NewsBites (weekly); and two others which come from paid services via my employer.
  3. Twitter.  I use key hashtags and user lists to pare down the stream to a consumable chunk.  This is very much an art form and I’ve yet to feel a mastery.
  4. RSS Feeds.  I use Feedly to curate my RSS feeds.  However, over time I’ve found that my other strategies tend to surface most of the gems from the feeds.
  5. If I have time, I’ll then use a financial news site to browse the news about my company as well as major players in cyber security to maintain awareness about the larger business pressures and events which may impact my work.
  6. Return to Twitter.  About 2-3 times/day I’ll return to Twitter to scroll through tweets by key hashtags and user lists to make sure I find anything critical right away.

The Long & Important Ones

About once-per-day I find a white paper or article on which I want to focus and absorb.  For those, I print them out (yes, on paper) and read them later with a pen in my hand so that I practice Active Reading; making marks, underlining, and making comments which help me absorb the material and create an internal conversation.  I find this a highly enjoyable activity which stimulates creativity and engagement helping to foster new ideas.

How do you maintain your external situational awareness?  Please comment below or tweet @cnoanalysis

13 Principles of Threat Intelligence Communication

I have written at length about bad threat intelligence.  However, I think it is time that I spend the effort communicating my key principles to making great threat intelligence.  One aspect of great threat intelligence is great communication.  As I have said before, you may be the greatest analyst in the world, but if you can’t effectively communicate your knowledge then it is of little use.

I’ve found these principles apply to all modes of my communication when discussing threat intelligence with others.  They’ve guided me well and I hope they do the same for you.

Answer the Three Questions

All threat intelligence communication should work towards answering three critical questions, if you clearly articulate the answer to these questions your communication will be generally successful.

  1. What is it? (give me the information)
  2. Why should I care? (tell me about the threat and its relevance to me)
  3. What am I going to do? (enable my decision and action)

Maintain Your Focus

Focus is key to your communication – understand your audience and your objective and maintain that throughout.  Here are some elements which help me:

  • Remember the four qualities of good intelligence (CART): completeness, accuracy, relevance, and timeliness.  Fulfill them as best you can.
  • Remember the purpose of threat intelligence to inform and enable effective decision-making, whether that be tactical/technical, operational, or strategic.  You don’t need to provide EVERYTHING, only that which will support and enhance the intelligence.
  • Length matters: your communication should be as long as it needs to be but never longer than it should be.  Here’s a secret: it’s okay to not communicate everything in one vehicle – sometimes separating the material makes the threat intelligence more effective.
  • Don’t derail your audience.  After reading your 30 page report, make sure I know the value of the information and that you’ve addressed the key questions.  For example: don’t all of a sudden drop an unrelated element in your conclusion just because you want to make a point.

Analytic Integrity is All You Have

Intelligence is about trust.  When people can’t independently verify your findings and conclusions (which most won’t/can’t) then they must trust you.  You must create, support, and encourage that trust by practicing analytic integrity in your communications.  If you break that trust you lose your integrity and nobody will listen to you. Here are some of my rules to creating and encouraging trust with your audience:

  1. Don’t lie – if you don’t know, just say that
  2. Don’t embellish – don’t use hyperbole or language which might cause an over-reaction
  3. Don’t plagiarize – never intentionally (and avoid accidents) copy the work of another
  4. Practice humility – hubris infers overcompensation for weakness, be bold but not stupid

Be a Storyteller

Threat intelligence is a story – tell it as one.  Threat intelligence should have a beginning, middle, and an end.  Engage your audience.

The Summary IS the Communication

I know it sounds weird, but your summary is the most important part of your communication.  This is what people will remember and what they’ll rely on most afterwards.  For many, this is the only part to which they’ll pay attention.  The summary (or key points, etc.) should be par excellence.  I instruct analysts to spend at least 20% of their time on their summary and conclusion – it is that important.

As the old adage goes: “tell them what you’re going to tell them, tell them, tell them what you told them.”  This is CRITICAL advice and not often heeded by technical analysts.

However, I want to caution you.  Others suggest that following this old adage only bores an audience.  I agree that it is a pitfall for most, only because many follow the guidance without understanding it.  Avoid the summary and conclusion containing the same bullet points or phrasing – that is boring.  However, your summary/introduction/key points/etc.  and your conclusion should carry your key message and information, but in different ways.

Language Matters

The language you use greatly determines the effectiveness of your communication.

  • Use Active Voice – this isn’t some joke or regurgitation of high-school English.  It matters.  Active voice has been proven to decrease ambiguity and increase comprehension.  It improves your intelligence.
    • Science: “Certain syntactic constructions are known to cause the processor to work harder than others. Sentences with passive verbs are more difficult to comprehend than those with active verbs (Gough 1966; Slobin 1966; Olson and Filby 1972; Ferreira 2003) since they not only reverse the standard subject-verb-object order of the participants but are often used without a byphrase , which omits one participant altogether and can obscure the grammatical relations.”
  • Use Estimative Probability – judgements, hypotheses, and conclusions are never 100% certain; use words of estimative probability to clarify your certainty to your audience.
  • Clarity wins over all – don’t use complex language when simple will do.
  • Minimize subjective qualifications – avoid words/phrases like (sophisticated adversary) or (complex encryption) unless you can measure them either objectively or in comparison with others.  These phrases only add ambiguity.
  • Words mean things – don’t dilute your language or create a phrase when one already exists.
  • Analysis is not a religion – don’t use the word believe; hold measured judgements expressed in language differentiating fact and hypothesis.

Value Your Audience

Value their intelligence and their time.  They are not fish caught by click-bait or hyperbole but respected for their interest in your work.  Your audience is spending time with you because they think you have something valuable to communicate and they have come to learn something new – GIVE IT TO THEM!  Or, they will leave you.

Images are Powerful

Use images strategically to tell your story, reinforce critical concepts, and increase accessibility and understanding.  Images should not become overwhelming, distracting, or superfluous.

Write for Your Future Self

Communicating intelligence and analysis is HARD.  It’s hard because you’re trying to take a very complex cognitive process and share that with others.  I’m not the only one who has read something they wrote a year ago only to scratch my head and wonder what I was smoking.  I’ve found that to make this easy I simply imagine that I’m communicating to my future self – say 1, 2, or 3 years from now.  This helps ensure that I include important details which are obvious now but will be lost later.  Further, it ensures that I make my logic chains clear and easily followed by others.

Don’t be an Island

Be part of the community.  Respect the community.  Expand on the work of others and fill in knowledge gaps.  Confirm others’ findings and add support to their conclusions or hypotheses.  Add exculpatory evidence and provide alternative hypotheses.  And here’s a secret: it’s okay to point to the analysis of others in your communication – you don’t always have to self-reference.  This actually adds value for your audience and makes you more valuable to them because they trust you’re going to tell them the whole story – not just your story.

Respect Your Adversaries

Don’t belittle adversaries in your threat intelligence.  Don’t give them undue credit, but also don’t take away from their effectiveness.  This will only lead to hubris – and hubris is deadly.  We all know of an analyst who called a threat “unsophisticated” or “simple” only to later report a massive compromise.

Be Bold, Be Honest, Be Right, But Always Be Willing to be Wrong

I’ve said it before, I like my analysis like I enjoy my coffee, bold.  I want analysts to be analysts – not reporters.  I want to hear ideas, conjecture, assessment, opinions.  I want those clearly separated from the facts.

Separate Fact From Everything Else

This is a pretty simple rule.  But harder to follow in practice while working through a complex analysis.  Strive to use language, format, font, etc. to separate fact from hypothesis.  Because threat intelligence enables decision-making, decision makers (whether a SOC analyst, a CIO, or whoever) should make their own judgement based on your analysis.  If your facts and hypotheses are indistinguishable it is highly likely they’ll make poor decisions based on misinterpreted analysis.

Names…Names Everywhere! The Problem, and Non-Problem, of Name Pollution

Naming pollution is real.  It’s a real problem.  First anti-malware/AV malware detection names, now APT group names – and their campaigns – and their malware.  Analysts are in love with names – and marketing is in love with their names.

You see, naming is powerful.  It’s why we agonize over a child’s name.  It’s why (in the Judeo-Christian tradition) God’s name was truncated and not to be uttered.  At about 2 years old we start learning the names of things and are able to start uttering them back.  This gives us power, because when the 2-year-old is able communicate a thing’s name – we give it to them!  It’s powerful to a 2-year-old and that same power follows us throughout life – see “name dropping” – or the honor of naming a new geographic/astrological feature.

EveryoneGetsAName

It’s followed us into the information security space – for both good and bad.  You see, we need names.  Names are important.  It’s part of how we organize cognitive information and make sense of our world – through abstraction.  It’s important to how we communicate.  But, like any power, it can be misused and misappropriated.  Every organization now loves to name “adversaries,” “actors,” “activity groups,” or whatever you call them.  They can blog about it, tweet about it, produce nice glossy materials and presentations.  It gives them power – because that’s what names do.

The problem isn’t names, it’s the power we attribute to them and their use in our analysis.  When ThreatToe calls something BRUCESPRINGSTEEN and CyberCoffin identifies a similar activity and names it PEARLJAM, everyone else starts updating their “Rosetta Stone” and makes the association BRUCESPRINGSTEEN = PEARLJAM.  Everyone else now starts attributing their intelligence to these two named groups.  But, nobody actually knows what the heck these things are aside from a few properties (e.g. IPs/domains/capabilities/etc).  That is not enough to understand.

I can’t tell you how many time’s I’ve heard: “Did you see the recent report from CyberVendor – can you believe they attributed that activity to PEARLJAM?!  That is clearly STEVIEWONDER – those guys don’t know what they’re talking about.”  The problem with that statement is that assumes: (1) you actually know what you’re talking about (you’ve correct correlated activity) and (2) you understand their definition of PEARLJAM.  Within their own analytic definition the correlation could be absolutely correct.  It’s that we’ve made unfounded assumptions and assigned too much power to the names.

NamesEverywhereBut, WHY CAN’T WE JUST ALL AGREE ON NAMES!!!!! (as this is usually said in an elevated tone and usually while slightly-intoxicated)  Because we can’t.  That’s why.  It’s not about the names.  The names are just crutches – simple monikers for what is very complex activity and analytic associations which we still don’t know how to define properly.  To understand this, you need to understand how we’re actually defining, correlating, and classifying these into groups – read the Diamond Model section 9 for this information.

The simple answer: it’s hard enough to correlate activity consistently within a 10 person team let alone across a variety of organizations.  The complex answer: correlation and classification is a complex analytic problem which requires us to share the same grouping function and feature vector.

What we shouldn’t do is to start using each other’s names – because, again, it’s not about the names.  If you begin to use the names of others you start to take on their “analytic baggage” as well since you are now intimately associating your analysis with theirs.  This means you may also take on their errors and mis-associations.  Further, it may mean that you agree with their attribution.  Its highly unlikely that you’ll want intertwine your analysis with that of others whose you don’t really understand.

Instead, we need to rely on definitions.  We need to openly share our correlation and classification logic and the feature vectors which we’re applying.  But to those who are now saying, “Finally! An answer!  Let’s just share this!” sorry, it’s not a silver bullet.  Because, the feature vector is highly dependent on visibility.  For instance, some organizations have excellent network visibility, some have outstanding host visibility, others may have great capability/malware visibility, etc.  It means that generally, I need the same visibility as another organization to effectively use the shared functions to produce accurate output.

So, reader, here I am, telling you about this problem forcing poor analytic practices on daily basis causing us all these issues but without a real solution in sight.  Yes, I think that sharing our definitions will get a LONG way towards improving correlation across organizations and giving those names real value – but it is by no means a silver bullet.  I’m a proponent of this approach (over pure name/Rosetta stone work) but I know we’ll still spend hours on the phone or in a side conversation at a conference hashing all of this out anyways.  But maybe, just maybe, it will reduce some analytic errors – and if that is the case it is better than what we have today.

Questions for Evaluating an External Threat Intelligence Source

I’ve spoken before on the cost of poor threat intelligence and its risk to an organization.  I’ve also spoken about the 4 qualities of good intelligence: relevance, timeliness, accuracy, and completeness. To better evaluate threat intelligence sources – DRIVE FOR TRANSPARENCY!  If you treat threat intelligence like a black box you’re going to lose.

Here are questions to use when evaluating an external source. These are just a starting point or additions to your own list based on your unique needs.

[Relevance] Why do I need threat intelligence?

Before you go out evaluating threat intelligence sources, you need to know what you’re looking for.  This is best done using a threat model for your organization and asking where threat intelligence supports visibility and decision making within that model.  Remember, your own threat intelligence is almost ALWAYS better than that produced by an external source.  External intelligence should complement your own visibility and reduce gaps.

Kudos: Thanks to Stephen Ramage for his comment highlighting the exclusion of such a critical question.

[Relevance] What types of intelligence are available?

Strategic country-level reporting? Cyber threats mixed with political threats?  Technical indicators?  Campaign behaviors?  Written context?  These all determine how useful, actionable, and relevant the intelligence will be for your organization.

[Relevance] Give me your context!

Make sure you understand the context provided with any data.  There is a difference between threat data and threat intelligence.  Intelligence helps drive effective decision-making.  Context makes data relevant.

[Relevance] Which threat types?

Is it limited to botnet C2 nodes?  Commodity threats in general?  Does it cover targeted threats?  Does the threat intelligence provide insight into your threat model?

Related Questions: How many unique threats are distinguishable in the intelligence?

[Relevance] How many direct threats to my organization or those in my industry has your intelligence identified?

Has the source ever shown direct success in highlighting threats in your industry?

[Relevance] How is the intelligence made available to consumers?

If the intelligence is not provided in a usable form, it will not be successful.

[Relevance] What types of use-cases produce the best experience/feedback?  In which use cases has your intelligence failed?

This is a soft-ball question but one which should provoke a good question-answer session.  The answers will illuminate their decisions developing the intelligence and highlight where the intelligence may fit best (or not fit at all).

Related question: What threat model is this intelligence attempting to address?

[Completeness/Relevance] What is the source of the intelligence?

Is this intelligence derived from human sources crawling the dark-web?  Global network apertures?  VirusTotal diving?  This question should frame their visibility into threats and inform the types of intelligence expected.  This also highlights any natural biases in the collection.  Look for sources of external intelligence which complement your own internal threat intelligence capabilities.

[Completeness] What phases of the kill-chain does the intelligence illuminate?

Understand how wide, against any single threat, the intelligence goes.  Does it only show C2, or will it also illuminate pre-exploitation activities as well.  The wider the intelligence, the greater the likelihood of it being useful.

[Completeness] What is the volume and velocity of the intelligence?

“How much” intelligence is actually produced?  Numbers don’t matter that much – but if the number is ridiculously small or ridiculously large, it is an indicator of possible issues.

[Accuracy] How is the intelligence classified and curated?

Drive for transparency in their process which helps improve your evaluation on accuracy. Be wary of “silver bullet” buzz-word answers such as “machine learning” or “cloud.”

[Accuracy] How is the intelligence validated?

Do you want to track down false positives all day?  No!  Do you want to rely on poor analysis? No! Make sure this question gets enough attention.

Related questions: How often is it re-validated?  How are false positives handled?  How can customers report false positives?  What is your false positive rate?  How many times in the last month have you had to recall or revise an intelligence report?

[Accuracy] Does the intelligence expire?

Expiration of intelligence is key.  Is there a process which continuously validates the intelligence?

[Timeliness] How quickly is the intelligence made available to customers after detection?

Related questions: What part of your process delays intelligence availability?  What is the slowest time to availability from initial detection?

Page 1 of 2

Powered by WordPress & Theme by Anders Norén