Many of us read the recent news stories and advisories about APT29 (a.k.a. Cozy Bear)’s targeted assault on COVID-19 vaccine developers with some trepidation, writes Neil Wyler (a.k.a. Grifter), Principal Threat Hunter at RSA Security.
After all, what chance does a pharmaceutical company – even a big one – stand against a state-backed, purpose-built hacking collective, armed with customised malware? This story was a particularly raw example of the “worst case scenario” task that organisations’ security teams face today.
That said, thankfully, many SOCs will never find themselves sizing up against such a laser-focused hacking group. Yet, this story should, at the very least serve to highlight why it’s so important to know your adversary and where you’re weakest. Just because you don’t expect to be a target, doesn’t mean that you shouldn’t act as if you aren’t one. This is where threat intelligence comes into play.
TTPs: understand your adversary
Knowing why your attacker behaves the way they do, and how they are targeting you, is the best way to fully understand the risks they pose and how your team can best manage them.
Start by examining your industry and why you may be an interesting target. Will attackers be politically or financially motivated? Will they be after PII or Intellectual Property? Teams can then key in on known groups or nation states that have a history of targeting similar organisations.
You can then look at how these attackers operate and the TTPs (tactics, techniques, procedures) at play, for example, starting attacks with spear phishing or using malicious word documents to drop payloads. Once these have been spotted, teams can put additional effort into tracking and blocking. This process can be repeated to close any gaps attackers may try to exploit.
While it may be easy for an attacker to change a specific file or IP address, changing the way they conduct their operations, their TTPs, is difficult. If you’re a “hard target”, often, attackers will move on to someone else.
A needle in a hash stack: finding real threat intel
Threat intelligence is vital to understanding the security landscape. However, threat feeds are often just a collection of file hashes, IP addresses, and host names with no context other than “This is bad. Block this.” This tactical information is only useful for a short time, as attackers can easily change their approaches and the indicators of an attack. If security analysts don’t understand the context around attacks – the tools adversaries were using, data they were after and malware deployed – they’re missing the real intelligence.
Intelligence comes from taking all of the feeds you can consume – blog posts, Twitter chatter, logs, packets, and endpoint data – and spending time to analyse what’s going on and how you need to prepare and respond. SOC teams need to shift their mindset to defend against behaviours. Simply subscribing to feeds and blocking everything on them is just a false sense of security and won’t help spot the breaches that haven’t been detected yet.
Hunting the hunters
Many organisations have recognised the need to augment threat intel with threat hunting to actively seek out weak points and signs of malicious activity. Today, threat hunting isn’t just for large enterprises; every security team should conduct some regular incident response exercises, starting by assuming they have been breached and looking for signs of an attack.
To start threat hunting, you simply need some data to look through, an understanding of what you’re looking at and looking for. You need someone who understands what the network or host should look like if everything were fine, and an understanding of the underlying protocols and operating systems to know when something looks wrong. If you only have log or endpoint data, hunt in that data. The more data you have, the better your insights will be, as you‘ll be able to spot anomalies and trace an attacker’s movements. To see what tools an attacker is using, you can pull binaries from packet data and detonate them in a lab environment. By learning how the attacker moves and behaves, their actions will stick out like a sore thumb when you trawl the rest of your environment.
Uncovering your blind spots
Penetration testing and red teaming exercises are another way to boost threat hunting and intelligence activities. The best way to gain value from pen testing is to understand exactly what it is and the skillset of the pen tester you’re hiring. Pen tests are not vulnerability assessments – you’re not clicking “Go” and getting a list of issues back. Pen testers will look for gaps in defences, try to find ways to exploit them, then actually exploit them. Once inside, they’ll try to find further vulnerabilities and misconfigurations and they’ll try to exploit those as well. Ultimately, they should deliver a report that details all the holes, what they exploited successfully and what they found on the other side. Most importantly, the report should offer advice, including how to fix any weaknesses, and what they recommend defensively before the next pen test is scheduled.
Pitting offense against defence
Red teaming means using an in-house, or external, team of ethical hackers to attempt to breach the organisation while the SOC (“blue team”) protects it.
It differs from a pen test because it is specifically designed to test your detection capabilities, not just technological security. Having an in-house red team can help you see if defences are where they should be against targeted risks aimed at your organisation. While pen tests are often numbers games – looking for as many ways as possible to find a way into an organisation – red teaming can be run with a more specific goal, for example, emulating the TTPs of a group who may target your organisation’s PII or R&D data. The red team should take their time and try to be as stealthy as a real adversary. And of course, make sure you plug any gaps found during these exercises.
Get ahead of your attacker
The adversaries we face today means that security teams need to look beyond threat feeds to really understand who may try to attack them. By building out threat hunting capabilities and using pen testing or red teaming exercises where possible, organisations can give themselves a more complete picture of their security landscape and know where to focus security efforts. If there’s one thing you take away, it’s that the time for tick-box security is over. Only by thinking creatively about your attacker, can you effectively limit the risk of attack.