Cyberthreat on the Internet

Understanding the Threat Landscape: Basic Methodologies for Tracking Attack Campaigns

headshot-josh-rayThe indicators of compromise (IOCs) outlined in my last blog post can be used as a baseline for developing intrusion sets and tracking attack campaigns and threat actors. When launching an attack, threat actors use a variety of vectors and infrastructure, which Verisign iDefense analysts – as well as analysts across the cybersecurity community – correlate to group attacks, tracking actors and determining attack methods. Tracking and analyzing how an adversary targets your organization, and developing insight into their tactics, capabilities and intent, contribute to an organization’s effective risk mitigation strategy. Campaign analysis allows an organization to focus its monitoring, incident response procedures, training efforts and internal security controls more effectively on those assets and personnel that a threat actor will likely target for compromise.

Below are some basic approaches that can be employed by an organization to help move toward an intelligence-driven security approach.

Approaches to Tracking Campaigns

The attack vector is the initial tactic or entry point used by an attacker to infect his or her intended target. Common avenues of attack include spam and phishing emails, malicious advertisements and watering holes. The initial attack vector will lead the victim to the infection stage, during which the victim’s computer is infected with some sort of malicious code. Malicious software, or malware (such as a virus, Trojan horse or worm), is often used to damage or disrupt a targeted system. Malware reverse engineering can help identify unique malware characteristics, which can be used to classify and correlate different malware samples. Once malware analysts have identified specific defining characteristics, they create a signature to track and classify that malware. One tool used to accomplish this is YARA, an open-source multi-platform pattern matching utility that allows analysts to identify and classify malware based on specific attributes identified during the reverse engineering process. Another way analysts track malware is by identifying additional malicious samples and associated attacks based on other shared malware properties.

Passive Domain Name System (pDNS)

The pDNS provides analysts with a fairly easy way to see historical resolution data (i.e., DNS resolutions that were valid at that time) available in the global DNS and compile it into a central database where it can be indexed and queried. This allows analysts to query a database for an IP address or domain and return any information the database has on a particular indicator of interest. This is helpful in providing context about an attack campaign when an IP address or domain has had associations to previously identified malicious activity.

Unfortunately, pDNS resources are not comprehensive; they have IP address or domain information only if a resolver within their network has previously requested the information.

Phishing

Phishing techniques use fraudulent, socially engineered electronic content (websites, emails, etc.) from a seemingly legitimate source, prompting victims to provide confidential information. Phishing attempts often come in the form of targeted socially engineered emails. The most successful of these usually couple certain themes like current events and celebrity news with known source addresses in an email message. By analyzing phishing email themes, senders, subjects, target lists, attachments and content, analysts can classify attacks based on the target and specific indicators, or tactics, which attackers used when sending these emails.

Organizations may also look to conduct targeting profile analysis on individuals within their organization to determine where the targeted email address exists in open-source (on the Internet) and to what role, function, program and assets the targeted employee supports and has access.  These activities help an organization understand what an adversary might be after and drive more efficient IT security resource allocation. Organizations should quarantine suspicious email messages and (provided they have the resources) analyze them for additional threat indicators, and the tactics being employed.  Proactive monitoring for socially engineered email messages usually requires close interaction and interoperability between an organization’s security operations and mail teams.

Strategic Web Compromise

In recent years, actors have revived the “drive-by attack” or “watering hole attack” to infect a large number of victims by compromising a specific website that correlates to the industry or victim profile they wish to target. Attackers compromise a Web server to inject a malicious script and when a visitor browses the compromised server the malicious script loads and exploits the vulnerability in the browser. Upon successful exploitation, the script will often install a Trojan horse on the compromised system allowing the attacker to interact with it.

Figure 1: Watering Hole Attack Overview
Figure 1: Watering Hole Attack Overview

To track and connect attacks, analysts can use strategic Web compromise as a correlation point by understanding the types of compromised sites and industries, and the code used to compromise or serve up malicious content on these websites.

Threat Infrastructure

Additional information about threat actors can be ascertained through a process called threat infrastructure enumeration. Using known command-and-control (C2) IP addresses and domains, analysts can conduct open-source research against WHOIS (to include historical WHOIS) data and pDNS databases. This method allows analysts to identify key analytical indicators and build out a larger picture of an attacker or intrusion set’s attack infrastructure. With this information, security teams can proactively block and alert staff to these threats and enhance network defenses with attack-sensing and warning capabilities.

Analysts can also conduct open-source research of key analytical indicators found in WHOIS data to develop threat actor profiles.

WHOIS Data

WHOIS records serve as a good source when conducting infrastructure analysis against known malicious C2 domains used by malware. Since the WHOIS database is open for anyone to query, it is useful in connecting disparate malware and attack campaigns to the same actors. When working with WHOIS data, analysts can look for information reuse and patterns in WHOIS registration information.

WHOIS data analysis allows researchers to proactively identify additional domains of interest connected to known malicious domains and monitor for or block those domains.

As outlined here, there are many different methods and sources analysts use when researching attack campaigns, developing IOCs and classifying attacks.  Security executives and practitioners need to be able to consume dynamic intelligence from multiple sources to quickly understand the diverse threats they are facing, investigate additional risks to their organization, allocate resources effectively and determine the proper courses of action to take.

In the weeks to come I’ll be blogging about specific use cases outlining how the  Verisign iDefense IntelGraph (an innovative new tool to capture and link all facets of the cyber threat landscape together) can help address these critical business and security requirements.

For more information on Verisign iDefense Security Intelligence Services, visit Verisign.com/iDefense.

Share:
Josh Ray

Josh Ray

As Vice President, Verisign iDefense Security Intelligence Services, Josh Ray is responsible for developing operational plans for the organization, overseeing the fulfillment of client commitments and providing the strategic direction for the iDefense product line. He has more than 12 years of combined commercial, government and military experience in the field of Cyber Intelligence, Threat Operations, and Information Security.

Leave a Reply