Hunting Adversaries w/ Diamond Dashboard for Splunk

Action – the other half of the battle

As a kid, G.I. Joe ranked somewhere below Star Wars, Legos, and Transformers for me in terms of toy box volume and hours of entertainment. Maybe a little above Masters of the Universe, depending on when you asked me. One thing I still remember very clearly (beyond the annoyance of loose torso bands) is the public service announcement that concluded every television episode – “Knowing is half the Battle.” I don’t think they ever explicitly told us what the other half was, but if I may be so bold as to put words in Flint/Duke/Scarlett’s mouth, I always assumed that “Action wins the battle.” After all – that’s why they’re called “action figures,” right?

We recently released a report, Project CAMERASHY, which investigates cyber espionage activity against nations and entities in the South China Sea. By correlating malicious infrastructure on the Internet along with social media habits of a suspect associated with that infrastructure, we were able to conclusively tie this campaign to a PLA staffer in unit 78020, also known as Naikon. As explained in a related blog post, one of our goals in producing the report was to demonstrate the value of a fuller approach to threat intelligence that not only seeks to collect a bunch of indicators, but understand the context surrounding them, associations among them, and, perhaps most importantly, the adversary behind them. IPs are fleeting; Adversaries are forever.

Important as it is, however, G.I. Joe would like us to remember that knowing your adversary is only half the battle. Winning the battle requires doing something about them. The Camerashy report shared a lot of knowledge about the Naikon threat, specifically Unit 78020 operative Ge Xing, but one might argue it doesn’t offer much for the “doing” half. I’d like to tell you how a new update to ThreatConnect’s Splunk app helps “do” just that.

“But wait…adversary intelligence isn’t actionable”

Before we get to the app, though, let’s talk a bit about adversary intelligence. I’ve heard on more than one occasion that adversary intelligence might aid ‘knowing’ but doesn’t help much in the ‘acting’ half of the battle (and might even be counterproductive). In other words, it’s not actionable. Before you introduce me to Terry Tate, lemme explain. Apart from any aversions you might have to the phrase “actionable intelligence,” pretty much everyone agrees that they’d like to be able to actually *do something* based on the intelligence they receive or produce. Don’t get me wrong – I’m the kind of guy who’s perfectly happy just reading (good) threat research, but most infosec execs/practitioners want more than analyst pr0n. They want something useful that makes their job easier and their organizations more secure. Good threat intelligence should contribute to that end, and I think that’s the main point Adam and Rick make in the posts linked above. I don’t disagree with that sentiment.

But I do disagree with those that claim adversary intelligence isn’t actiona…er…useful. It is true that adversary intel often focuses a lot on attribution rather than action, and some don’t have much use for the former in their daily grind. I’m not writing this post to defend attribution, so let’s just agree for now that attribution eyes a different goal than tactical blocking and tackling in your local network environment.

Just to be sure we’re on the same page – adversary intel is not synonymous with attribution. Good adversary intel seeks to describe who’s attacking you (or might attack you), why they’re doing it, how they’re doing it and, ideally, what signs you can look for to know if/where they’re doing it to you. There’s a lot in there that’s actionable (bring it, Terry).

Go get more info to better prepare for them…
We’ll prepare differently if they’re determined…
Assess existing controls against their TTPs…
Scour our network for those indicators…

Introducing the Diamond Dashboard for ThreatConnect’s Splunk app

In addition to knowing your adversary better by reading the Camerashy report, it was very important to us to enable our users to act on that knowledge to protect their organizations. For starters, all indicators associated with the adversary persona Ge Xing as well as the broader Naikon threat were shared into the ThreatConnect Common Community prior to the release of the report. If you don’t have access to that, you can register for a free account here. But we didn’t want to stop there.

One of the last things I was involved in before joining ThreatConnect was helping to design a Splunk app companion to Verizon’s annual Data Breach Investigations Report. The basic idea was to give readers a way to search their network environment for evidence of the various threat patterns analyzed in the report. I really liked the way it bridged the knowledge-action chasm, and was excited about the opportunity to do something similar at ThreatConnect with the Camerashy report. We spoke to the good folks at Splunk about it, and they were happy to lend their expertise towards the goal of operationalizing adversary intelligence.

For those unfamiliar with v1 of our Splunk app, it allowed one to use Splunk to search/alert on indicators stored in ThreatConnect. That’s obviously an oversimplification, but it’s good enough for now. What it did not do was allow you to “search for anything associated with Adversary X.” Because Camerashy was very adversary-centric and heavily leveraged the Diamond Model of Intrusion Analysis, we knew an update was needed to support the level of acting on intelligence we wanted the report to enable. Enter the new Diamond Dashboard.



I’m going to spare you a complete walkthrough of the app in this post (you can get that here), but I do want to hit some highlights. In the upper left, you can select from any intelligence source or sharing community you have access to in ThreatConnect. You can search for threat groups like Naikon or a specific adversary like Ge Xing. Upon submission, the dashboard will populate an intelligence profile for the threat/adversary based on the Diamond Model (see here and here for examples of Diamond-driven analysis). The Capability table shows any malicious file hashes and vulnerability exploits associated with the selected threat/adversary, while the Infrastructure table lists IP, email, host, and domain indicators. Any other related threats, incidents, adversaries, etc. are shown in the Associations table.

That’s all pretty slick, but the really useful info is found in the Matched Events timeline and table. That’s where Splunk uses the compiled indicator sets to search for any sign of Naikon/Ge Xing/Whomever/Whatever in your environment, when it was seen, where it was seen, and other info pertinent to the ensuing investigation. Nobody likes to see activity spikes as shown in the figure, but awareness is always better than ignorance.
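To make the Capability/Infrastructure grouping and the Matched Events matching concrete, here is an added example in Python. It is not code from the ThreatConnect app or from Splunk; it only illustrates the logic the dashboard is described as performing: group an adversary's indicators by Diamond axis, scan log events for hits, and bucket the hits into an hourly timeline. The indicator type names, the CIM-style field names, and every indicator value and log line are constructed placeholders (RFC 5737 documentation IP range, reserved .test TLD, a made-up hash) and are not indicators from the Camerashy report.

```python
"""Added example: Diamond-axis grouping of indicators plus matching against
log events. Not ThreatConnect's or Splunk's code; all data is constructed."""
from collections import Counter, defaultdict

# Diamond axis for each indicator type, following the dashboard's Capability
# (file hashes, exploits) and Infrastructure (IP, email, host, domain) tables.
# The type names are assumed ThreatConnect-style labels, not verified here.
AXIS_BY_TYPE = {
    "File": "Capability",
    "Address": "Infrastructure",
    "Host": "Infrastructure",
    "EmailAddress": "Infrastructure",
}

# CIM-style event fields that can carry each indicator type (assumed mapping).
FIELDS_BY_TYPE = {
    "File": ("file_hash",),
    "Address": ("src", "dest", "dest_ip"),
    "Host": ("query", "dest", "url_domain"),
    "EmailAddress": ("sender", "recipient"),
}

# Constructed indicator set for a hypothetical adversary (placeholders only).
INDICATORS = [
    ("File", "0123456789ABCDEF0123456789abcdef"),  # made-up MD5, not a real sample
    ("Address", "203.0.113.7"),                    # RFC 5737 documentation range
    ("Host", "example.test"),                      # RFC 2606 reserved TLD
    ("EmailAddress", "press.office@example.test"),
]

# Constructed log events in CIM-like field names (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2015-09-24T08:12:03Z", "host": "ws-014", "sourcetype": "dns",
     "query": "mail.example.test."},          # subdomain, trailing dot from DNS log
    {"_time": "2015-09-24T08:12:05Z", "host": "ws-014", "sourcetype": "proxy",
     "src": "10.0.0.14", "dest": "203.0.113.7"},
    {"_time": "2015-09-24T09:30:41Z", "host": "mx-01", "sourcetype": "mail",
     "sender": "Press.Office@EXAMPLE.test", "recipient": "analyst@corp.example"},
    {"_time": "2015-09-24T10:02:17Z", "host": "ws-022", "sourcetype": "av",
     "file_hash": "0123456789abcdef0123456789ABCDEF"},
    {"_time": "2015-09-24T10:05:00Z", "host": "ws-031", "sourcetype": "dns",
     "query": "notexample.test"},             # look-alike suffix; must NOT match
]


def normalize(ind_type, value):
    """Lower-case, trim, and drop the trailing dot DNS logs often carry."""
    v = str(value).strip().lower()
    if ind_type in ("Host", "EmailAddress"):
        v = v.rstrip(".")
    return v


def build_profile(indicators):
    """Group indicators by Diamond axis, like the Capability/Infrastructure tables."""
    profile = defaultdict(list)
    for ind_type, value in indicators:
        axis = AXIS_BY_TYPE.get(ind_type)
        if axis is None:
            continue  # types not placed on either table are skipped here
        profile[axis].append((ind_type, normalize(ind_type, value)))
    return dict(profile)


def _value_matches(ind_type, indicator, observed):
    """A Host indicator covers its subdomains but not look-alike suffixes."""
    if ind_type == "Host":
        return observed == indicator or observed.endswith("." + indicator)
    return observed == indicator


def match_events(indicators, events):
    """One record per (event, indicator) hit: when, where, which axis, which field."""
    profile = build_profile(indicators)
    hits = []
    for event in events:
        for axis, inds in profile.items():
            for ind_type, indicator in inds:
                for field in FIELDS_BY_TYPE[ind_type]:
                    if field not in event:
                        continue
                    observed = normalize(ind_type, event[field])
                    if _value_matches(ind_type, indicator, observed):
                        hits.append({
                            "time": event["_time"], "host": event["host"],
                            "sourcetype": event.get("sourcetype"),
                            "axis": axis, "type": ind_type,
                            "indicator": indicator, "field": field,
                        })
    return hits


def timeline(hits):
    """Hourly buckets, the shape of the Matched Events timeline."""
    return Counter(h["time"][:13] for h in hits)


if __name__ == "__main__":
    found = match_events(INDICATORS, SAMPLE_EVENTS)
    for h in found:
        print(h)
    print(timeline(found))
```

The two details worth keeping when you wire something like this into a real search are the normalization (case and trailing dots cause silent misses on hashes, email addresses, and DNS queries) and the subdomain rule for host indicators, which catches `mail.example.test` while leaving `notexample.test` alone.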


From the main dashboard in the app, you can bounce back to ThreatConnect to get more information on indicator observations, do additional analysis, collaborate with peers, etc. There are some other nifty aspects to this update that take better advantage of the power of Splunk. For instance, Diamond Dashboard searches now leverage Splunk’s Common Information Model (CIM). But I’ll leave all that to the user’s guide.

It’s no secret that the cybersecurity terrain often favors the adversary, so it’s critical that defenders take every advantage of opportunities that help turn the tide. A better way of operationalizing everything we know about the adversary is one such advantage that, in my opinion, deserves our collective effort as an industry. That’s why I’m pretty excited about working with Splunk on this update, and I hope it helps you in the other half of the battle. Yo Joe!


About the Author
Wade Baker

Wade Baker is the Vice President, Strategy and Risk Analytics at ThreatConnect. He believes improving information security starts with improving security information. In keeping with this belief, he’s working to complete his doctoral thesis, “Toward a Decision Support System for Managing Information Risk in Supply Chains”. Previously, he served as Director of Cybersecurity Strategy and Research at Verizon Security Solutions where he led the overall direction of security services, technology capabilities, intelligence operations, and research programs. Baker spearheaded Verizon’s annual Data Breach Investigations Report (DBIR), the Vocabulary for Event Recording and Incident Sharing (VERIS), and the VERIS Community Database. Wade holds a B.S. and M.S. from the University of Southern Mississippi, and a PhD from Virginia Tech. He currently lives in Virginia with his incredible wife and 4 awesome kids.