How can we put in place effective countermeasures if we donĀ“t know which approaches and techniques the attacker will use?
This problem can be addressed by using cyber threat intelligence. The Threat Intelligence process goal is to profile the adversary by making use of information that can be gathered from previous attacks, public and private repositories.
The intelligence process is the foundation of the CTI process, the very basic component of an intelligence process is the information. By the American Heritage Dictionary of the English Language, Information can be defined as
Any fact or set of facts, knowledge, news, or advice, whether communicated by others or obtained by personal study and investigation; any datum that reduces uncertainty about the state of any part of the world; intelligence; knowledge derived from reading, observation, or instruction.
In the cyber domain the information that we can collect comes from different sources, such as malware, monitoring tools, application logs, application servers, Operating System, and VPNs; information can be collected from external sources like public or private repositories or can be bought.
This huge set of heterogeneous information can be:
Information in its raw state is difficult to use, and only by putting together all the traces left behind by an attacker would be possible to construct part of the history of the attack. When an analyst is capable of producing a credible hypothesis, actionable improvements can be made in the mitigation and defense capabilities of an organization.
An analyst need actionable intelligence to produce a credible hypothesis, for this reason an intelligence process must be deployed to extract actionable intelligence from noise.
From the firs huge set of data collected defined as noise, the intelligence process extracts only the elements that are potentially relevant for the analyst. This first subset of information defined data, data can be organized in different groups according to defining characteristics. A subset of data with a specific purpose is defined as intelligence, intelligence has a specific strategic purpose but is made up of independent pieces. By connecting the dots actionable intelligence is obtained, the adjective actionable highlights the fact that the distilled information can be used to understand how a successful attack happened and how to act to avoid a similar attack in the future.
The Intelligence Process is complex and iterative, and it is mostly a human centered activity.
The Threat Intelligence process is made up of five steps: Collection, Processing, Analysis and Production, Dissemination, Planning and Direction.
By executing these five steps iteratively is possible to improve the next sub-sequences of the process. One approach consists on trying to identify the attackers, it does not mean to perform attribution, but to identify a specific source that uses specific techniques. Observing an attacker using different strategies and approaches can help us to understand its goals. By profiling an attacker is possible to pinpoint its motivations and key tactics.
In general terms the ideal goal of the analyst would be to reconstruct the attacker's playbook, or the instruction manual of the attack. A perfect reconstruction of the attacker's playbook would lead to setup the perfect mitigation for such attack, because every step of the attack killchain will be covered by a given defense mechanism.
Similarly to other process the intelligence process expands to different levels of the organization with different goals at each level.
Note that at every level the time frame needed for decision making increases.
The first assumption the analyst makes when distilling intelligence is that they are dealing with budget contrained attackers or rational human attackers; this assumption lead to the sub-sequent assumption that the attacker will find the best possible attack path that maximize its likelihood of success while minimizing the cost of the attack itself. The blue team strategy is to increase the overall cost of the attack and reduce its likelihood of success.
The cost factor of an attack depends not only on a monetary aspect but also on the expertise, time and resources needed. Another assumption taken is that the attacker acts as a good engineer, making sure that each tool built will be as much as possible reusable and scalable.
These aspects alone can be used to determine the possible actions preferred by the attacker.
Like the Attack Killchain is used to unroll the phases of an attack, the Intrusion Killchain can be used to represent and analyze tentative of intrusions and extract actionable intelligence.
The main components of the intrusion killchain are the indicators, and can be defined as any piece of information that objectively describes an intrusion. Indicators can be classified in three categories: Atomic, Computed and Behavioral.
Behavioral indicators are far more important because a collection of behavioral indicators represent a subset of the attacker playbook. In general all indicators are pieces of actionable intelligence, but the impact and the usage of different indicators on the analysis are quite different.
After an indicator has been identified the analyst have to understand which role played in the attack; atomic indicators can be used to put in place easy countermeasures, and they can be mapped on the intrusion killchain to construct behavioral indicators.
The indicators obtained and the intrusion killchain to align defensive capabilities to each specific steps planned by an attacker.
The actions to counteract an intrusion can be classified in six categories:
Measure effectiveness will drive defensive strategies overtime if there is a clear and organized plan that explain why each countermeasure is used. The whole process must be maintained over time via a good detection engineering process.
Taking into account the assumption of rational human adversary its possible to classify indicators on how costly is for an attacker to change is attack playbook for that indicator to not be present anymore. If an attacker is not willing to invest to change a particular aspect of the attack, the value of the indicator related to that aspect is higher.
Using the intrusion killchain and the Pyramid of Pain as a way to map indicators and organize countermeasures has some limits. The main limit is that the limited number of steps is not enough to increase the level of details and to identify gaps, for this reason complementary models can be used to improve the representation have been developed.
The idea on which the Diamond Model is based is that every incident can be represented as a sequence of events; each event represent a specific phase of the attack and generates indicators. When different events are collected and connected in a meaningful way an activity thread is created. Grouping different threads may represent activity groups.
An event is represented by a set of core features and optional meta features. Events model the aspect that:
For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over an infrastructure against a victim to produce a result.
Meta features can be considered as external resources that the attacker may need to fulfill their goal.
The Diamond Model provides a way to map how the features interact together:
The adversary interaction with the victim is never direct but it always mediated by the capabilities and the infrastructure, that are tightly related. The approach offered by the Diamond Model provides a way to observe data and extract intelligence to identify gaps to improve the ability of extracting useful data to be used in the planning and direction phase of the intelligence life cycle.
Besides the four core feature (attacker, capabilities, infrastructure and victim) the Diamond Model allows to describe additional features useful to characterize the attack. These optional features, called meta features are not organized in any way and can be grouped in clusters.
The capabilities are all the tools and techniques that the adversary can use against the victim. The full capabilities capacity is the set of all the vulnerabilities and exposures that the attacker can use regardless of the victim; while the arsenal is the complete set of tools that adversary owns.
The capabilities, in order to be used, must be supported by an infrastructure. This feature describes the physical and logical communication structure used by the adversary to deliver an attack. The infrastructure can be directly controlled, provided by an intermediary or can be a public infrastructure.
It's possible to model different entities as victim depending on the level of details that the analyst want to achieve. This feature could represent the whole organization or a specific host in a given subnet. Vulnerabilities used to attack the victim are represented as sub-features of the victim itself.
Meta Features are not strictly organized. Some meta features that could be used are timestamps, the phase of the killchain in which the event belong, and the results of the operation performed by the attacker. Software used to model Cyber Threat Intelligence information automatically map and organize these features on top of the model and are strictly dependent on the platform used.
The Diamond Model helps filling the gaps of the intrusion killchain, in fact it provide precise indications on what to loo for, and can be used operatively in order to drive the Threat Intelligence process.
Using the Diamond Model to describe a full attack would produce a cluttered visualization of the attack, that by its nature evolves on several steps that can be interleaved or iterative. A better way to use the Diamond Model is to represent the relationships among the features of an attack, while mapping them over the intrusion killchain in order to build an activity thread.
An activity thread is a collection of small events within an incident that are mapped with their own diamond; each diamond is then mapped on a specific phase of the intrusion killchain model, and may be related between each other.
This approach introduces another advantage: it is more easy to understand the relationships between different indicators in the same (or different) phase of the attack, improving the communication of the evolution of the attack.
A collection of activity threads is used by the analyst to find commonalities, and to check for gaps in the analysis to improve the overall result of the intelligence process. Vertical correlation is used to identify gaps, while horizontal correlation is used to find commonalities between threads. When the last diamond of an activity thread is related in someway to the first diamond of another activity thread a multi-step attack has been identified. Multi-step attacks are common in organizations in which, once the attacker as overcome the edge defense, the internal network is not as protected as the external one, allowing the attacker to easily repeat different phases of reconnaissance and exploitation.
The last step for the analyst is to distill TTPs from the activity threads by selecting few diamond that represent multiple commonalities between several incidents. TTPs can be then used in combination with an attack graph to represent all the possible activity threads identifying all the possible targets of the attacker inside the system. The resulting attack graph is finally used to identify mitigation and defense measures to be applied in order to reduce the success probability of the attacker.