Thursday, March 25, 2021

Leveraging adversarial data for security control validation

 Nowadays defenders have at their disposal a big amount of data describing how attackers proceed in their malicious campaigns, including TTPs (Techniques, Tactics and Procedures) and artefacts used. Threat Intelligence is the discipline that, in simple words, tries to make sense of all of this - then it is up to us how to make this knowledge actionable. The decision on how to use it in the most effective way depends on every organization, but there are different well-established methods gaining traction in the industry that will provide you with immediate valuable feedback about your defenses. Let’s explore them in more detail.

One way of leveraging this adversarial data is using it to check that our defenses are up to date to protect us against current real threats and campaigns. But before we go on, if you want to know more about this topic join us in our webinar with AttackIQ next March 31st 15:00 UTC.


In this blogpost we will discuss a few scenarios and examples where this data can be used for adversary-driven red-teaming. 


Checking the last sound campaign


The idea behind this is pretty simple. Every time details about a new relevant campaign are made public (how to define relevance depends on every organization) we can simply take a look at different artefacts available and see how they are being detected by our defenses. Let’s take as an example Sunburst malware discovered last December. We can start by finding some indicators to start with.


We could start by checking a couple of hashes in VTGraph to check if there are any graphs already shared by the community. Sometimes graphs are a more up-to-date and more enriched source of information than the original release of IOCs, typically more static. In this particular case we can find a few interesting graphs; we simply select one of them


Now, what to select from this investigation? It depends on what we want to check, but we could start by taking a look at all the documents or executables used in the attack. Here we should export the IOCs (you can go to Selection>Select All>Files, then export this data). At this point we can choose, for instance, Hashes with Detection and then open in VTI:


In this view it is simple to filter by file type. By clicking on the Commonalities button, we will find all the different types in the samples resulting from the query, which we can copy or directly open in VTI, but this selection of samples are ready to be used in our red-teaming exercise.   


Minimizing our infection surface against ransomware


In this scenario our first step would be understanding how fresh ransomware campaigns are being spread. We can do this in different ways, a simplistic approach would be checking by verdicts including “ransom” for recently seen malware:


Good news is that we can use many different angles for finding suspicious files, including crowdsourced YARA rules. For instance, from the previous query we could enforce finding results already spotted by some crowdsourced YARA rule, this way we can identify what rules are interesting for further pivoting:

engines:*ryuk* fs:2021-01-01+ type:peexe have:crowdsourced_yara_rule

Once we find any interesting rule, we can use it to find additional artefacts, like in this example where we use one of the crowdsourced YARA rules to find new Ryuk samples


Keeping an eye on fresh suspicious attachments


This is a use case I strongly recommend implementing to any organization. Given spear-phishing continues to be the most used infection vector, why not regularly monitor anything new coming this way? There are many different ways to do that, a generic approach could be something like this query to find fresh docx files suspected of being malicious and having macros.


We can be a bit more specific by adding additional search modifiers, for instance, which ones of the previous files we have seen being distributed as attachments in spear-phishing attempts:

tag:attachment type:docx fs:2021-03-01+ p:5+ s:2+ tag:macros

Once we have this information in front of us it is relatively easy to spot some patterns. For instance, the visual aspect of this file seems pretty common in the list of suspected samples, we can simply use visual similarity to find more artefacts.


The resulting set of samples not only have the same visual aspect, they also share a pattern for the file name, they have similar file size and were created around the same time. Armed with this information, we want to make sure we detect this new campaign before it spreads further. 



A must for our security strategy


Including adversarial data in our security strategy provides us with real world validation for our defenses. We can use this on a regular basis and shape it to our needs and weaknesses. Continuing monitoring particular adversaries, malware families and campaigns will help us understand how attackers evolve and how to shape our defenses. Not only that, crowdsourced intelligence allows us to stay one step ahead of adversaries by learning from other attacks and making sure our defenses are up to date before being hit by attackers.


We presented here just a few ideas we encourage everyone to explore with an open mind. For instance, in addition to the previous examples we could also use PCAP files generated by malware for replaying traffic in your infrastructure and check how effective your networking monitoring and detection capabilities are.  


Make sure to join us in our webinar to get additional pro tips!


Happy hunting