Threat Intelligence Platform

Posts

Growing a Threat Intelligence Program is like Growing a Beard

*Disclaimer: Limitations in beard growth do not correlate to actual ability to implement a threat intelligence program.

It was just after Thanksgiving dinner and my two-year-old daughter was sitting on my lap while I drowsily watched the Bears and Packers game. As she sat there patting my face and pinching my chin whiskers, she said “Daddy, I like your zebra.” Confused, it finally dawned on me what she was trying to say and I explained to her that my greying beard, while impressive, was not an exotic African species.  Maybe I was having one of those L-tryptophan overdoses, but the conversation triggered a synapse where a deep subliminal connection was made.

You see, I have been spending quite a bit of time looking at #BeardsofTI and thinking about how to help organizations mature their Threat Intelligence programs and get the most value out of their security investments by applying “process and platform.” Some of our customers are asking – Where do I get started with Threat Intelligence? Can you help us setup a Threat Intelligence Program? How can I take my Threat Intelligence Program to the next level?

brace-yourself-beard-threat-intelligence This is where things start to sound strange, please bear with me and settle into your seat for this ride to “crazy town”. I thought to myself that setting up and maturing a Threat Intelligence program was really no different than growing a sweet beard. Here is why:

coming-of-age-threat-intelligence

Coming of Age:

I see the Threat Intelligence community as coming of age, “threat intel” is that snarky industry whipper snapper stepping up to the plate while the old school “rainbow series” is collecting dust in the corner. Like all coming of age stories, there’s a young hero or heroine who has been called to action, they, like all those before them, lack experience and understanding. Though they are not yet fully capable (perceived or realized), it is the journey, the process and the adventure in which they become more capable as they go. No different from when many young “shavers” look themselves in the mirror, and for the first time begin to see that the youthful peach fuzz has now become darker and more coarse – it is here that the first visible signal of an important transitional point in their life is finally seen. In conventional terms this call to action may be in the form of a breach or some sort of motivator that has signaled to an organization or industry that they need to take the next step in their journey in establishing a Threat Intelligence Program, a transition that will thrust them forward to take decisive action to counter specific risks in a more mature and efficient way.

this-or-that-beards-of-threat-intelligence

Decide & Commit:

You will notice in the last sentence I used the term “decisive” to describe the type of action. Like growing a beard, establishing or maturing a Threat Intelligence program is going to require a decision, and that decision will require commitment to ensure that the investment of time, talent and treasure is well spent. Challenge yourself not to think about where you want your Threat Intelligence program to be in the short term, play the long game and think about the outyears. Where do we want to take this program? What are the investments that we need to make to ensure that we are not taking one step forward and two steps back? Are we building our program on rock or sand?

The higher up the corporate “food chain” you go you need to be prepared to speak in these terms and timelines to reinforce buy-in and obtain top level commitment. Be prepared to use process and routine metrics so that you can continue to promote the value of the Threat Intelligence Program or see where you can make process refinements as needed.

Just like all things in life, there is a right way and a wrong way to do something. There is no room for half-heartedness with Threat Intelligence or a beard, if you don’t decide you are going to do it the right way, you and others are going to be able to tell – and you are going to look stupid.

Barb-wire-threat-intelligence

If it Hurts it’s Probably Worth It.

So you have made a decision – and you are going to do this thing. If you are setting up a Threat Intelligence Program or growing a beard you have to accept that things aren’t going to be perfect at first, in fact there is a point where things become uncomfortable and painful. When growing a beard there is that week 2-3 mark where things are scratchy, itchy, breakouts may even happen – but you have to work through the discomfort because you have something awesome waiting for you on the other side. When establishing and growing your Threat Intelligence program understand that you may be in this season of pain and discomfort for some time as you begin to understand what your organizational needs are. It’s important to not rush through this phase, you must work through the crucible of pain and discomfort because this is where you are going to learn the most. Know this is coming and your willingness and ability to embrace it will depend on the velocity in which you work through it. Your Threat Intelligence program is going to involve many opinions and stakeholders, where the processes you establish will require you to work cross functionally and support other teams. One key principle to understand is that Intelligence always supports Operations not the otherway around.

cat-beard-threat-intelligence

The Awkward Stage:

Congratulations, you have made it through the gauntlet, you have endured the discomfort and pain and made out to the other side. The good news is that things don’t feel too bad anymore, bad news is that they look…awkward. You wake up in the morning, you look at your beard in the mirror and you can see in it a few things that can be tightened up, much like when you get to work and you see how your Threat Intelligence Program also has things out of place, processes are uneven or some people just aren’t fitting in.

This new found awareness is an indicator of maturity. The fact that you can see things that would not be so obvious a few months ago should give you encouragement. You may even have an idea on how to correct many of the observed shortcomings. As you navigate the road of maturity, be mindful that you do not become complacent and settle in to the point that you are not challenging yourself or your Threat Intelligence Program. You may find yourself asking – do I keep things simple, short and clean, or do I go all in where things may get complicated? By challenging status quo one can usually achieve greater things, by keeping things “simple” you may not be achieving your full potential or delivering the full value to your organization.

mature-beard-of-threat-intelligence

Maintaining Mature Decisions

Either route you decide to go (easy or complicated), you are going to have to do some sort of maintenance to keep things in order for the long term. Like snowflakes, all beards (and enterprises) are different, but made out of the same “stuff” while maintaining unique shapes, sizes, structures and use cases. Beard maintenance and grooming (cutting, trimming, combing, oiling, waxing) requires work, it is a new creation after all. Like it or not – your Threat Intelligence Program is going to require similar processes and regimen if it is going to be a long term success.

It is also important to remember that just like beards, Threat Intelligence Programs are not “one size fits all” they are very unique and customized to the organization they support. So be very wary when you are told that Threat Intelligence is just aggregating post-processed indicator feeds. A mature Threat Intelligence Program will know the futility in spamming your SEIM, understanding how this complicates processes, creates more work and ultimately distracts the organization. For organizations who cut corners and seek what they perceive to be the easy button will ultimately learn things the hard way.

The future success of your Threat Intelligence Program will be wholly dependent on the maturity of the decisions that you make moving forward. Over time you will find that through process, structure and organization things actually become easier and more efficient.

Share What You Know

Jedi-beard-of-threat-intelligence

Whenever I see a beard or Threat Intelligence Program for that matter – I can appreciate either for what they are. One can quickly study (or admire) the fruit of the time and effort that was placed into creating either one.

Individuals both from within and external to your organization are going to look at you. Some may be inspired to achieve similar successes. In doing so they may seek to obtain insights into how certain things were done, at what time, what were the choices that were made along the way and why, what worked and what didn’t work. All of these examples are forms of a higher order of information sharing. You have been there and done that, now that you are a Jedi Master you are in a position to help others out, so share your insights and experiences. Give others the necessary tools and feedback that they can leverage in pruning and maintain the growth of their own legacies and works of art.

yesbeard1 If you are looking at setting up and maturing your Threat Intelligence Program, register for a FREE ThreatConnect account and a follow up discussion. We would love to help you wherever you are with your Threat Intelligence Program. Looking to show off your beard? Check out our Beards of Threat Intelligence contest. Whether you are growing a beard or a Threat Intelligence Program, connect with us, and you will find that we will grow with you…and on you.

Best Practices: Indicator Rating and Confidence

ThreatConnect enables users to assign a Threat Rating and Confidence to every single indicator… but what do those numbers really represent?  In order to enable your organization to make the best decisions, it’s important to standardize on the connotation attached to these ratings.  When your analysts, defensive integrations, and leadership all speak the same language regarding indicator impact, you can make more timely and accurate decisions.


Indicator Rating and Confidence –> https://youtu.be/B-ZPaMcqozg

Understanding Threat Rating

ThreatConnect allows you to assign each indicator a Threat Rating, measured as 0-5 Skulls.  Within the scope of your organization, you can define the difference between a 1 Skull indicator and a 5 Skull indicator.  If you’re having trouble making such decisions, or want your indicator ratings to match those across the ThreatConnect Cloud, it may be helpful to look at the Skull level definitions implemented by the ThreatConnect Intelligence Research Team:

ThreatConnect-Skull-Chart-0

  • Unknown (0 Skulls): There is not enough info to assess Threat Level.

    Example “I’m still working on the indicators in this Email’s header; I don’t know anything about that SMTP server yet.”

    ThreatConnect-Skull-Chart-1

  • Suspicious (1 Skull): There has been no confirmed malicious activity, but suspicious or questionable activity has been observed from an unknown threat.Example “I’m not sure why our users’ laptops keep visiting this URL, but so far I can’t see anything wrong with it.”ThreatConnect-Skull-Chart-2
  • Low Threat (2 Skulls): This indicator represents an unsophisticated adversary — it may be purely opportunistic and ephemeral, or indicate pre-compromise activity.Example “We see scans on that port from IP’s in that netblock all day.”ThreatConnect-Skull-Chart-3
  • Moderate Threat (3 Skulls): This indicator may represent a capable adversary — their actions are moderately directed and determined, and the indicator corresponds to the delivery/exploitation/installation phase.Example “That file hash represents a document pretending to be a Corporate Memo specifically targeting our company’s HR Department.”ThreatConnect-Skull-Chart-4
  • High Threat (4 Skulls): This indicator can be attributed to an advanced adversary, and represents that targeted and persistent activity has already taken place.Example “The callback address from that targeted ‘Corporate Memo’ masquerade is all over our access logs…”

ThreatConnect-Skull-Chart-5

  • Critical Threat (5 Skulls): This indicator represents a highly skilled and resourced adversary — it should be reserved for those adversaries with unlimited capability and is critical at any phase of the intrusion.Example “Start ripping servers out of racks; we’re bleeding customer data to that man-in-the-middle host!”

Using a standard Threat Rating will enable decision making across your organization, both at a human and machine level. If your Threat Intel analysts decide that an indicator is 5 Skulls, your Incident Response analysts can respond accordingly when it’s discovered. The knowledge transfer of context surrounding indicators is essential to making sure you’re putting your best foot forward.

Understanding Indicator Confidence

Of course, Threat Ratings only capture one dimension of context surrounding an indicator. Analysts rarely see such an attribution as a black and white problem. To address this, ThreatConnect allows you to model the confidence in your assessment as an integer between 0 and 100.

Screen Shot 2015-11-23 at 8.50.46 AM

Analyst-Derived Confidence

Confidence can be set manually — perhaps an analyst has only found the tip of the iceberg in C2 redirects, and isn’t ready to commit to their assessment of that entry point. Likewise, your confidence in your Threat Rating assessment may vary based on the timeliness of the available data, or knowledge about your adversary’s tactics and techniques.

ThreatConnect assigns ratings on the following scale to denote separate levels of confidence:

  • Confirmed (90-100)
    The assessment has confirmed by other independent sources and/or through direct analysis. This assessment is logical and consistent with other information on the subject.Example “That executable is definitely dropping a known malware variant.”
  • Probable (70-89)
    Though this assessment is not directly confirmed, it is logical and consistent with other information on the subject.Example “That URL has the same nonsensical 15-character path at the end as other known bad URL’s, but is on another host.”
  • Possible (50-69)
    The assessment is not confirmed, and is somewhat logical, but only agrees with some information on the subject.Example “That email address has the same username as the My Documents path when we reverse engineered this malware…but it’s a pretty common name.”
  • Doubtful (30-49)
    This assessment is possible, but not the most logical deduction, and cannot be corroborated or refuted by other information on the subject.Example “The scans came from an IP address rented from this VPS provider…we’ll have to dig deeper to see if it’s actually bad.”
  • Improbable (2-29)
    This assessment is possible, but not the most logical deduction, and is directly refuted by other information on the subject.Example “The file calls back to a host which appears to have been taken down, maybe that C2 host has since been rotated.”
  • Discredited (1)
    This assessment is confirmed to be inaccurateExample “That’s not malware, that’s just a poorly-written PowerPoint presentation.”
  • Unassessed (0)
    No confidence has been assigned to this indicator.

Automated Confidence

As time goes by, your analysis may be less relevant as indicators become stale. ThreatConnect can actually decay the confidence of indicators over time if they’re not being touched. This allows you to “age out” indicators that you saw years ago… they may have been high Threat Rating at one point, but your ability to say that may decrease over time.

This rate of confidence deprecation is configurable within each Organization, Source, or Community. Every day that an indicator goes untouched, that indicator’s confidence will deprecate by the configured amount. ThreatConnect can even delete the indicator if its confidence reaches zero.

Putting Threat Rating and Confidence to Work

Threat Rating and Confidence are great measures for two separate dimensions of an indicator’s relevance. An adversary that aggressively rotates C2 infrastructure may result in a slew of 5 Skull, 0 Confidence indicators. A script kiddy launching attacks from his attributable hacker domain may result in a handful of 2 Skull, 100 Confidence indicators.

The important thing about Threat Rating and Confidence is that you use them to drive decision-making. By implementing the above best practices, you can begin to leverage the analysis that you’ve modeled in each indicator’s respective ratings. You can write a TC Exchange application to extract all high-confidence 5 Skull indicators to initiate scans within your network. Alternatively, you could leverage an existing TC Exchange application written in conjunction with one of our partners to automatically block or alert on indicators that meet such parameters.

Standardizing on the meaning of Threat Rating and Confidence allows you to take action within the scope of your organization or contribute to the greater community.   You worked hard to find and triage all those indicators; now make them work for you!

For more information on ThreatConnect’s Threat Rating and Confidence, please download our “Evilness Rating” tool here.

Screen-Shot-2015-11-19-at-1.19.29-PM

ThreatConnect and Maltego

ThreatConnect® has partnered with Malformity Labs LLC to develop a full transform set that allows for data from ThreatConnect to be integrated with the capabilities of Maltego.

All ThreatConnect customers can take advantage of our partnership with Malformity Labs LLC and use the Maltego transform set through the ThreatConnect®  API and a provided transform server. Customers can use this to:

  • Visualize the relationship between incidents, threats, adversaries, and indicators,
  • Uncover relationships between your private data in ThreatConnect and Community Data,
  • Leverage attributes belonging to indicators and threats to create Maltego graphs without losing any of the contextual data within ThreatConnect, and
  • Pivot from ThreatConnect data and external open source data sources using other transform sets within Maltego.

With more than 100 transforms to query and pivot through ThreatConnect’s data, users can easily model threat and the relationships between malware, domains, IPs, and other indicators to the incidents they were observed in, threats they are associated to, or adversary personas.  The use cases are numerous, but to help illustrate how it works we’ve picked a few scenarios to step through how a customer with access to ThreatConnect’s premium features could quickly visualize content and relationships. Click here to learn more about ThreatConnect’s premium service offerings.

You can click on any image below to view the graph larger. Want more?

Maltego Webinar Training

Take a deep dive into our 100+ Maltego transform set. View the webinar slides here.

Scenario1: Visualizing Incidents tagged with Ukraine

1. Imagine you are an organization that is particularly concerned about Ukraine themed targeting. The first step is to look for any instances of targeting, documented as Incidents, that are tagged with “Ukraine” within the ThreatConnect Subscriber Community.  This yields five results, shown below.

threatconnect-maltego-1

2. For additional high level context, you can then pull all other Tags related to these Incidents. This yields several other interesting results. You have a clear view of several interesting Tags now including multiple matches on the use of CVE-2012-0158. It is notable that all the Incidents are also tagged “Russia” and “Advanced Persistent Threat”.

threatconnect-maltego-2

3. Now, to take a deeper look at the context of the Incidents, you can pull all of their Attributesfrom within ThreatConnect. This yields more in-depth descriptions, sourcing, and write-ups of tactics, techniques, and procedures (TTP’s) used in the Incidents.

threatconnect-maltego-integration-3

4. Since the focus is not on targeting to or from China, you can focus on the Incidents that don’t contain that Tag and are only Ukraine focused. Using Maltego, you can pull all the Indicators associated with the incidents of interest.  This yields six IPs, 27 MD5 hash values (including imphashes), 4 Domains, and 2 URLs, all with their own unique context and associations.

threatconnect-maltego-integration

The indicators found can then be used to for monitoring and detection across the network. You can also continue to pivot to discover other relationship on the Indicators in the ThreatConnect Subscriber Community, in other ThreatConnect public Communities, within your own private organization data in ThreatConnect, or by leveraging other Maltego transforms to look for data sources external to ThreatConnect. The possibilities are endless.

Scenario 2: Pivoting on Malicious Registrants from Reverse Whois data, Passive DNS, and DNS monitoring.

1. In this scenario, you can start by taking a domain registrant email address* whose domains are known to show up as malware callbacks.

threatconnect-maltego-5

2. Next, pivot via a transform to pull the Adversary entity associated with this email address.threatconnect-maltego-6

3. Next, leveraging a running Track on the registrant email address within ThreatConnect, you can discover any second level registered domains associated with that email address. With passive DNS (pDNS) integration you can discover any third level domains that have been observed “in the wild” as well. One transform query on the graph below shows all domains associated to the Adversary. For the sake of the size of the graph, we’re looking at just a small subset of the known domains.

Logo-ThreatConnect-Partner-Maltego

4. Now, you can go even deeper and utilize the DNS resolution monitoring for domain indicators within ThreatConnect to observe any overlap in IP address resolutions with date and time of resolution annotated. This yields 22 IP addresses for the over 80 domains in your subset.

threatconnect-maltego-8

Some of the IP addresses will undoubtedly be parking IPs (such as the loopback 127.0.0.1), but others will show historic trending of use of the IP for Command and Control. Leveraging passive DNS again within ThreatConnect, you could check to see if any other suspicious domains have resolved to these IP addresses and assess them further.

This allows you to not only use these domains and indicators as IOC’s across your network, but you can now proactively monitor known infrastructure such as known Command and Control IP’s, domains, and the registrant address itself for activity. This creates a predictive defense against a known adversary, following their movements using concepts true to the Diamond Model of Intrusion Analysis.

For more information on how you can start taking advantage of the ThreatConnect and Maltego partnership, contact us today.

 

Is Your Threat Intelligence Platform Just a Tool?

“If the only tool you have is a hammer, you tend to see every problem as a nail.” Abraham Maslow

Throughout the enterprise there are security personnel using a variety of processes and tools to conduct their incident response, network defense, and threat and risk analysis. Generally speaking, either most security teams haven’t centralized their efforts at all, or they have done it incompletely, relying on rudimentary, outdated technologies such as email, spreadsheets, a SharePoint portal, or a ticketing system. These techniques, although better than nothing, do not scale as the team grows and as the number of malicious events and security processes increases. This same problem was once commonplace in other parts of the business, and platforms were created to address these concerns and to support the end user in their quest for automation, collaboration across use-cases, and better management processes. For example, PeopleSoft for human resources, Salesforce for sales, SAP for manufacturing, and Eloqua for marketing.

lego-dinosaurTool, a Means to an End

Tools are purpose built and difficult to extend beyond the original purpose for which they were built. Platforms are extensible, transformative and make up the foundation of a solution. As an example, picture Legos. Each individual brick is a foundational building block (literally) of  countless different types toys, from a Disney castle to the Millenium Falcon. You can buy specific sets of Legos that include the building blocks of specific things.  So rather than buy a dinosaur, you could buy the dinosaur Lego set and that could be integrated together to form a larger structure. Like Legos, a platform allows the specific need to be solved while at the same time providing an integrated solution for longer term solution development.

Tool vs. Platform

There are new tools coming on the market every day, but many are just that – a simple tool and not a true platform. A tool may solve immediate needs, but you must evaluate your needs across multiple stakeholders throughout your organization (i.e., SOC, IR, Threat Team, CIO, CISO, Board) and look to a single platform to bring everyone together. The platform must support the integration of all the stakeholders and data that is relevant to each in such a way that all interested parties  can work together as a team. Customization of the platform is key, as each organization will have different processes, and the need for data customization across those processes for aggregation, analysis, and action.

Leveraging a Solution

Unlike a tool, a Threat Intelligence Platform (TIP) enables personnel throughout the enterprise to manage processes on the relevant security data that they care about. Additionally, other personnel processes such as incident response and event triage in the SOC can be uniformly integrated on top of that same threat data all within a single, adaptive platform. Different processes may take advantage of different features within the platform as well. Additionally, newer, more efficient  applications can take the place of inefficient or outdated applications. From a management perspective, the platform must present trends, supply real-time updates, as well as support threat-driven strategic prioritization of risk across the business.

A platform is a foundational capability. It should be extensible, conducive to enterprise collaboration and evolve as your organization’s strategies shift. We agree with ExactTarget (Salesforce) in their definition of a tool vs. a platform, and in addition to that put forth our spin on the features you want to look for in a Threat Intelligence Platform:

  • Go Broad and Deep with Threat Intelligence Data: A Threat Intelligence Platform (TIP) must capture and aggregate all relevant data from across your internal network, partners, and vendors. This includes customizable data elements that require storage and management, processes and workflow capabilities across various teams, as well as the input fields that help staff more quickly support data entry tasks. Ability to extend the platform with compatible applications is also critical for extension of the platform to support new and evolving needs without requiring platform upgrades.
  • Numbers Matter: The TIP should support the specific metrics you want to track, filter, and analyze via customizable reports to understand risk to the business and efficacy across organizational processes for risk avoidance. It should provide analytics that can be reported to your team members and to the organization as a whole.
  • Go Beyond Sharing with Collaboration and Workflow: The TIP should mature with your security strategy with the ability to share data with your team, across the company, with the external supply chain, and in support of threat information sharing organizations, such as an ISAC. It should have the ability to coordinate intelligence informed action among your team which enables streamlined and efficient workflows. Access to the intelligence needs to be balanced with its operational sensitivity, so it must control data visibility with strong role-based access control to ensure data is given to only those who need to see it.
  • Single Source: The TIP must be able to coordinate, track, and measure all security data from within the platform. This avoids wasting time jumping back and forth from inside and outside multiple tools to capture valuable information.
  • Growth and Efficiency: The TIP should be able to integrate your security products across the organization. Verify that not only can the platform consume actionable information, but also that it can digest external information feeds for continued analysis and reporting of intelligence driven events across the organization. Additionally, a TIP should enable growth and automation across all aspects of your business.

For many, cyber security can be a tedious, foreboding challenge. This is particularly true without any automated features available to support your workflow.  Simply put, copying indicators from disparate information sources and pasting them into a platform will cripple your organization’s security capacity, and severely delay response-time. As your security program matures, analysts must prioritize threat detection, threat response and risk mitigation, relying on the platform to dot the i’s and cross the t’s on their behalf. Moreover, your team needs to spend that time focusing on the high priority information that a platform helps decipher, not spending time manually gathering information across multiple tools.

Stop looking for tools to solve your problems, rather look for a platform to manage all of your problems.

How do you draw the line between what is a tool and what is a platform? Learn more about how we define a Threat Intelligence Platform here.

The Anthem Hack: All Roads Lead to China

UPDATE: Premera Latest Healthcare Insurance Agency to be Breached

When news of the Anthem breach was reported on February 4th, 2015, the security industry quite understandably went wild. A breach of this magnitude was certainly unprecedented.  Naturally, many industry professionals were keenly interested in digging into this incident to see what could be uncovered, and the research team at ThreatConnect was no exception.  Thanks to our powerful API and third-party partner integrations, we were able to use ThreatConnect to quickly uncover a wealth of intelligence even when initially hindered by a relative lack of investigative lead information and context, a key requirement of any Threat Intelligence Platform (TIP). However, before we delve into what we were able to uncover, let’s briefly review the facts as they stood in the wake of the initial discovery announcement.

What We Know:                                                                                                                                                     

On the morning of February 4th, 2015, several major news outlets broke the story that Anthem, Inc.’s network defenses had been breached. According to a statement from Anthem’s CEO, the company fell victim to a “very sophisticated external cyber attack,” and the hackers “obtained” the personally identifiable information (PII) of approximately 80M customers.  This included social security numbers, birthdays, street addresses, phone numbers and income data – plenty of information to enable identity theft. This was a significant event for several reasons:

  • Anthem, formerly known as Wellpoint, is the largest managed healthcare company in the Blue Cross Blue Shield Association, and by extension, one of the largest healthcare organizations in the United States.  As such, any compromise, no matter how insignificant, would likely impact countless individuals.
  • Blue Cross Blue Shield provides healthcare coverage for about half the U.S. federal workforce.  This means that their information was potentially compromised too.
  • Unlike the Sony hack which was destructive in nature and meant to send a message for coercive purposes, the Anthem compromise was purportedly very covert, a fact which may suggest something about the adversary’s motives.
  • As of late February 2015, there have not been any indications that the exfiltrated PII data was immediately commoditized on the black market for the purpose of enabling identity theft, as was the case in the Home Depot Breach.

Filling the Gaps:

Obviously, these high-level observations do not provide cybersecurity researchers a great deal of information to work with. However, when presented within the context of a Threat Intelligence Platform (TIP), an incomplete trail of evidence can highlight intelligence gaps, a study of which can orient threat researchers towards their analytic objectives.  To this end, let’s examine what we wanted to discover in the context of the Anthem breach:

  • Who was responsible for the attack?
  • What was the objective of the attack?  Was it cyber theft, an espionage operation, or something different?
  • Who was targeted in the attack?  The answer to this question, obscured as it may be, would likely shed some light on the objective of the breach.
  • What was the timeline of the activity?

The real power of a Threat Intelligence Platform is demonstrated when you are able to collect and maintain a robust dataset of threat indicators, both past and present, which can help orient you in the right direction in the wake of a newly discovered breach.  Even when you do not have a good deal of information to start with (for example a file hash, or an IP address), you may find leads by pivoting through archived datasets until you uncover key pieces of the puzzle.  In the case of the Anthem breach, we were able to do just that.

Anthem Themed Infrastructure & Signed Malware:

In September 2014, the ThreatConnect Research Team observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed by a valid digital signature from the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. ThreatConnect Research began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.

Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.

Later, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight  Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.

Passive DNS and historic DomainTools Whois data also provided insights that helped establish an initial timeline dating back to April 2014, when the faux domains came into existence and were later operationalized by the attackers. A Threat Intelligence Platform should allow for analysts to easily put together and organize such insights, collaborate around relevant analysis internally, and share the finished analysis with external industry groups and organizations. In the hopes that our community members could benefit from or provide further insight into this suspicious incident, we immediately shared our threat intelligence including indicators, signatures and analytical context to the ThreatConnect Medical and Health Community on November 13, 2014. This included sending out a notification to all stakeholders as well as our followers on Twitter.

When the Anthem breach later came to light in early February, we re-shared the signatures, indicators and context freely to the entire ThreatConnect user base. As we dug further, we expanded our understanding of the malicious we11point[.]com infrastructure, taking particular interest to the subdomains such as “extcitrix.we11point[.]com and “hrsolutions.we11point[.]com”. Note the “citrix”  and “hr” (human resources) prefixes that the adversary used to mirror legitimate remote infrastructure and employee benefits resources in the May 2014 timeframe. This provided initial insights as to the likely targeting themes and or vectors in which the adversary may have used when initiating their targeting campaign.

wellpoint-evil2legit

The fact that the malicious infrastructure closely mirrored other legitimate Wellpoint infrastructure supported our hypothesis that the Derusbi / Sakula malware was configured to operate and persist within a specific target enterprise.

Possible Premera Blue Cross Infrastructure:

Retrospective analysis of other targeted malware samples using the DTOPTOOLZ Co. digital signature led to the identification of an “HttpBrowser” / “HttpDump” implant MD5: 02FAB24461956458D70AEED1A028EB9C (OpenOfficePlugin.exe), which was first observed on December 11, 2013. Although this malware sample is not Derusbi / Sakula, it too is strongly believed to be associated with Chinese APT activity and in fact may have also been involved in a Blue Cross Blue Shield targeting campaign as early as December 2013.

premera-update

This particular binary is configured to connect to the static IP address 142.91.76[.]134. Passive DNS of this IP indicates that on December 11th, 2013, the same date as the malware sample was observed, the domain prennera[.]com also resolved to 142.91.76[.]134. It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the “m” with two “n” characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure.

Section Summary:

  • The Derusbi / Sakula malware implant types are unique in that they have traditionally been seen within Chinese APT espionage campaigns.
  • The “HttpBrowser” / “HttpDump” malware implant (while a different family of malware than Derusbi / Sakula) is also believed to be of Chinese origin, and was also digitally signed with the DTOPTOOLZ digitalsignature. This implant connected to a C2 node that overlapped with prennera[.]com.
  • We believe that the prennera[.]com domain may be impersonating Premera Blue Cross (premera.com), using a similar character replacement technique seen in the we11point[.]com campaign.

MATURING A THREAT INTELLIGENCE PROGRAM

VAE Inc. Themed Infrastructure & Signed Malware

Another powerful attribute of ThreatConnect is the ability for analysts to logically group items such as atomic indicators, related documents or signatures, all of which may include individualized custom context enrichments and associations. Over time, the ability to memorialize groupings of related or like activity allows analysts to quickly uncover non-obvious relationships within their private datasets. This is exactly what happened as we continued to investigate these incidents.

As industry analysts and media speculated Chinese APT involvement in the Anthem breach, our focus into the Derusbi / Sakula malware signed with the DTOPTOOLZ Co. digital signature shifted from the we11point[.]com incident to another cluster of activity that occurred later in May 2014. We immediately reviewed Incident 20140526B: vaeit APT, an incident that we initially shared to our Subscriber Community on September 29, 2014 after conducting retrospective analysis.   Well-VAE-Overlaps Just as was the case with the we11point[.]com and prennera[.]com incidents, the VAE, Inc. incident is also believed to be associated with Chinese APT espionage activity. In this case the adversary also used Derusbi / Sakula malware that was signed with the DTOPTOOLZ Co. digital signature and configured to communicate with faux infrastructure appearing to be masquerading as internal resources for the Department of Defense Contractor VAE, Inc. Additionally, in response to an inquiry from KrebsOnSecurity, VAE, Inc. would later confirm that it had indeed been a target of a failed spearphishing attempt in May 2014 which used the malicious faux VAE, Inc. themed domain.

The targeted incident relied upon the Sakula executable MD5: 230D8A7A60A07DF28A291B13DDF3351F which had a XOR 0x9A encoded C2 callbacks to the IP address 192.199.254[.]126 (registered to Wehostwebsites[.]com – “Tom Yu” of Baoan, Shenzhen City, Guangdong Province, China) as well as a hardcoded callback to sharepoint-vaeit[.]com. Passive DNS of the static C2 IP 192.199.254[.]126 revealed a single suspicious domain of interest – topsec2014[.]com.  This domain had historic resolution around May 8, 2014 within a month of the first observed Sakula activity using the IP 192.199.254[.]126 as C2.

Using historic Whois, we discovered that topsec2014[.]com was initially registered by li2384826402@yahoo[.]com on May 6th, 2014. Although the li2384826402@yahoo[.]com registrant is likely a reseller given that it has been observed registering several thousands of other domains, the fact that it was used to register both the faux VAE, Inc. C2 infrastructure and the overlapping domain topsec2014[.]com within the same month suggests that there may be a relationship between the client of the reseller for the VAE, Inc. infrastructure and the client for topsec2014[.]com.

topsec2014-hist

Just four minutes after the initial registration of topsec2014[.]com, the Whois records were updated from the initial registrant, Li Ning – li2384826402@yahoo[.]com to TopSec China – TopSec_2014@163[.]com.  This domain record has been unchanged since May 7th 2014. The we11point[.]com infrastructure and by extension the faux VAE Inc. infrastructure is associated with Cluster 2 of the ScanBox framework by PwC. The latest PwC update to ScanBox states that there are “links between the domain allegedly used in the Anthem hack (we11point.com) to Cluster 2 through shared WHOIS details.”

OPM Themed Infrastructure

One notable pattern was how the domain Whois registration information for the VAE, Inc. themed infrastructure was quickly updated and obfuscated with pseudorandom 10 character gmx.com email addresses and using the names of various comic book characters from the Iron Man franchise. This comic-themed naming convention has been previously documented by our friends at Crowdstrike in what they characterize as being associated with a Chinese APT group they have dubbed “Deep Panda”.

Leveraging our DomainTools partnership, we were able to correlate the outlier domain opm-learning[.]org. This domain was also purportedly registered by the Iron Man movie hero “Tony Stark” on July 28, 2014. This infrastructure naming convention suggests a possible Office of Personnel Management (OPM) theme. However, in this case we lacked any specific sample of malware to verify our initial suspicions that this infrastructure was operational. The possible OPM reference in the domain name is noteworthy considering it was revealed in July of 2014 that OPM had been compromised by a likely state-sponsored Chinese actor in mid-March of that year. The fact this domain was registered after the breach occurred suggests that OPM could be an ongoing direct target of Chinese state-sponsored cyber espionage activity.

Our attention then turned to the FBI Flash Report A-000049-MW that was publicly reported by Brian Krebs on February 6th, 2015. This FBI Flash Report was issued on January 27th, 2015, the same day an Anthem administrator detected suspicious activity according to an internal memo. This memo goes on to indicate that the FBI would not be party to the Anthem breach until they were notified on January 29th, 2015; based on these facts we assess with high confidence that it is very unlikely that the FBI Flash Report was directly related to the Anthem breach. Rather, we suspect that the FBI flash report likely references the USIS breach that was announced on August 6, 2014, or the previous OPM breach, considering the statement that the breach involved “compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”

The malware referenced within the FBI Report is associated with a Derusbi backdoor subvariant named “InfoAdmin” / “Kakfum” where the FBI specifically references open source reporting of “Deep Panda” as being related to the malware observed in the attack. The malicious infrastructure highlighted in the report are the domains images.googlewebcache[.]com and smtp.outlookssl[.]com. Both of these top level domains were included with other related domains, all of which were shared on September 16th, 2013 to the ThreatConnect Subscriber Community in Incident 20130823C: Some.Trouble APT Domains, roughly a year and half prior to the FBI Flash report.

It is important to mention that both the domains images.googlewebcache[.]com and smtp.outlookssl[.]comas were also previously identified in an October 2014 PwC blog post as seen within Cluster 1 of the Scanbox framework, while the Sakula activity with we11point and VAEIT is contained within Cluster 2 of that report. This implies that the actor referenced within the FBI Flash report uses shared capabilities (in this case the ScanBox kit) with the Sakula / we11point actor.

Section Summary:

  • The Derusbi / Sakula malware seen in both the we11point[.]com and VAE Inc. campaigns were structurally the same and digitally signed with the DTOPTOOLZ signature.
  • The emerging theme is that this particular signature and family of malware is highly indicative of a particular Chinese APT activity.
  • Within this web of malicious infrastructure, there is an interesting overlap with the topsec2014[.]com domain and attack infrastructure.
  • ThreatConnect Research identified a domain opm-learning[.]org that had a similar superhero themed WHOIS registrant to the Sakula / VAE Inc. infrastructure. The possible OPM reference is noteworthy considering the Office of Personnel Management (OPM) was compromised in March 2014. Additionally, an FBI Flash Report 0000-49MW referenced indicators that were possibly associated with the USIS hack and a Derusbi variant called “Kakfum” / “InfoAdmin”. Both the FBI Flash infrastructure and the Sakula / VAE Inc. infrastructure are tied to the capability usage of the ScanBox framework, residing in Clusters 1 and 2 respectively.

Unveiling Song Yubo and Southeast University:

The Professor

We conducted open source research in pursuit of further information on the TopSec_2014@163[.]com email registrant.  A keyword search returned several results for “topsec2014@163[.]com” in association with a number of academic institutions in Nanjing, China.  Although the email address wasn’t an exact match to the topsec2014[.]com domain registrant (notice the absence of the underscore), such a similarity warranted further investigation. Screen Shot 2015-02-25 at 5.20.37 PM We examined the links for any relevant intelligence, and discovered that nearly all of the search results led to pages that contained an announcement for an information security competition sponsored by the Southeast University-Topsec Information Security and Mobile Internet Technology Joint Research Center.  This entity appears to be a joint research venture between the University and Chinese networking giant Beijing Topsec Network Security Technology Co., a.k.a. Beijing Topsec.

Screen Shot 2015-02-23 at 9.22.35 AM

The announcements list a Professor “Song Yubo” as the point of contact for the event, and directs interested parties to his email address, topsec2014@163[.]com, for further questions.

Translation

According to his LinkedIn page, Song is a Teacher at the Southeast University, specifically interested in the field of telecommunications. Additionally, he is an avid researcher, and has published numerous academic papers on computer network exploitation on various e-journal publication sites, such as Google Scholar. Further, he lists skills such as “cryptography,” “penetration testing” and “computer network security,” etc. on his Research Gate profile.

yubo-stacked-china-hack

As we continued to develop a profile on Professor Song, we began to have the sense that his interest in information security research strongly overlapped with that of someone who might be interested in or at least capable of conducting sophisticated cyber attacks. However, interests alone are not enough to warrant reasonable suspicion, so we had to do more digging.

Additionally, the soft link between TopSec_2014@163[.]com and topsec2014@163[.]com alone was not sufficient to make associations with any reasonable confidence, but as it turns out, Yubo has in fact been previously named as a person of interest in the context of offensive Chinese cyber activity.

The University

In March 2012, Northrop Grumman presented a commissioned report to Congress detailing Chinese cyber warfare capabilities. The report asserts with high confidence that both Song and the Information Security Research Center at Southeast University have received numerous state-sponsored research grants, and by extension, cooperated with the Government of China in conducting information security research and development (R&D).  As stated on Southeast University’s own website, the main purpose of these grants are to develop technical acumen amongst its students via providing support for “state-owned scientific research institutions, state key enterprises, government agencies and People’s Liberation Army (PLA) units.” relationshipsSoutheast University is one of only three Chinese academic institutes that receives funding from all five of the State grant programs. Song himself has also conducted his fair share of state-sponsored research, notably under the National Ministry of State Security 115 Program – a highly sensitive research grant to fund ambiguous information warfare R&D, almost certainly in support of PLA programs.

The Competition

As we can see, the evidence continued to stack up.  The real smoking gun, however, was when we began to notice a strong temporal overlap with the various stages of the TOPSEC Cup that Song and Beijing Topsec were organizing, and the registration dates of malicious infrastructure as well as the malware compilation dates.

Based upon the translated registration form that we obtained from Song Yubo’s personal Baidu document sharing account, open registration for the “TOPSEC Cup” began on May 4th, 2014 and would close on May 14th, 2014.

The details of the competition that were shared on the announcement are extremely ambiguous, and probably for good reason. The introductory paragraph mentions that the primary goal of the event is to facilitate the training and discovery of new talent, noting that exceptional participants would receive priority consideration for internships and jobs with Beijing Topsec.

The event itself was broken down into several distinct rounds of competition.  Firstly, the preliminary round required that all eligible registrants would attempt to remotely access and navigate through the network.  Should a participating team perform exceptionally in the preliminary qualifying round, they would be invited to participate in the final round on-site in Nanjing.

In this final round, participants would be required to build their own “information systems and network environments.”  The announcement notes that the students must rely upon their own laptop and software tools to accomplish this task.  Further, the announcement notes that participants are prohibited from attacking the provided server as well as their competitors.

Section Summary:

  • Song Yubo and his research center at Southeast University appear to be central players in this narrative, as highlighted by their financial connections to the government of China, in particular the Ministry of State Security (MSS), China’s premier human intelligence agency.
  • If the MSS was involved, we can deduce that the Anthem hack could have been for the purposes of gathering sensitive information for follow-on HUMINT targeting via blackmail, asset recruitment or technical targeting operations against individuals at home.
  • Song’s use of the topsec email alias suggests a greater association w/ TOPSEC.
  • It seems as if the competition is almost certainly the cause for the topsec2014[.]com domain.  What is very curious, however, is the initial registration by the reseller li2384826402@yahoo[.]com, which is a tactic seen within the confirmed malicious faux VAE Inc.infrastructure.
  • The overlap between the competition website and the static command and control infrastructure seen in the Derusbi / Sakula implant is was likely an error made by the attackers.

GARTNER PAPER: HOW TO PLAN AND EXECUTE MODERN SECURITY INCIDENT RESPONSE

Tianrongxin, a.k.a. Beijing Topsec Technology Co:

The Company

To enhance our open-source capabilities, we partnered up with Dr. James Mulvenon and his team of China experts at Defense Group, Inc. (DGI).  We shared with them everything that we knew at the time, walking through the technical details which led us all the way to Song Yubo and the competition announcement.  From there, they were able to uncover a wealth of very consequential background information on Beijing Topsec Technology Co (Beijing Topsec), the sponsoring organization for Song Yubo’s information security competition.

DGI’s research indicated that Beijing Topsec is one of the largest information security hardware providers in China. In 1996, they were the first Chinese company to break into the market with the release of China’s first indigenously-manufactured firewall. Since then, they have expanded their business to include a consulting practice focused on issues such as vulnerability mining, software code analysis, threat intelligence, and encryption R&D, amongst other things.

The company served as a core technical support unit for network security at the 2008 Olympic Games – an event which was tightly controlled by the state.  Additionally, Beijing Topsec is a known partner of the Chinese military. Since 2009, the company has possessed information publication credentials for military network procurement. Since 2013, they have been publicly recognized as the Chinese equivalent of a cleared defense contractor.

The links between Beijing Topsec and the Chinese government are fairly substantial, highlighted by long-standing partnerships between even the most shadowy elements of the Chinese military.

The Leaked Cable

A very compelling piece of evidence is found in the contents of a leaked 2009 diplomatic security cable from the Department of State, published by The Guardian.  The cable is a daily digest of Diplomatic Security alerts – essentially a situational awareness primer for State Department employees to inform them of new and existing threats.  In one section, the cable highlights that the Founder of Beijing Topsec, He Weidong, had openly talked about receiving directives from the PLA in an interview with China News Network.  In the interview, the founder quite curiously states that Topsec is less a commercial entity, but rather a research institute, and that the company received about half of its start-up capital directly from the PLA.  The cable further claims that Topsec actively recruits for the PLA cyber army.

lin-yong-lion-china-hack

It would also appear that not only does Beijing Topsec have deep ties to state-run cyber activity, but also within the independent hacker community as well.  Of note, the company hired the notorious hacker Lin Yong, a.k.a. “Lion” (of the Honker Union of China) in the early 2000s as a security service engineer and to conduct network training.

Section Summary:

  • It is not surprising that the Chinese government would be interested in partnering with a private organization such as Beijing Topsec for use as a front for state-sponsored activity.
  • The association between Southeast University and Beijing Topsec as manifested in the joint information security research center highlights the possibility of growing links between state-sponsored activity and academic institutions, particularly those that receive funding from the central government.
  • All in all, it would seem that China is pursuing a unified approach to cyber operations, relying on all unique facets of the workforce: academia, private industry, and independent hackers, as well as the PLA to achieve their strategic goals.

Conclusion:

The Anthem breach exposes the insidious reality of modern Chinese cyber espionage as it continues its unrelenting strikes at the soft underbelly of the American way of life.  Moreover, it demonstrates the imposing yet increasingly common reality of conducting threat intelligence analysis without substantial threat intelligence to start with.  Fortunately for us, we were able to deduce informed answers to some of the outstanding questions to this breach by scrutinizing our archival data troves that are efficiently stored within our Threat Intelligence Platform and partner integrations.  In the field of cyber security, industry professionals must learn to play the long game in order to generate a proactive sense of situational awareness, allowing for greater efficiency and flexibility in mitigating future threats.

Additionally, this incident underscores the frustrating disparity of the industry when it comes to naming conventions.  With so many threat actors and indicators floating around, it is can be frustrating to keep track of all the disparate pieces of evidence, especially when countless naming conventions are applied.  Without the use of a Threat Intelligence Platform to keep track of the flood of incoming threat data, this task would be extraordinarily time consuming at best and crippling at worst.

Moving forward, it is important to bear in mind that the adversary, regardless of country of origin, shall almost certainly leverage our every weakness against us.  Even something as seemingly innocuous as confusion over names can easily consume analytical bandwidth, creating a window of opportunity to strike.  We – that is security professionals, private industry and governments alike – must proactively harden our network defenses and hasten our incident responses as a united, synchronous entity.

We have shared details on Song Yubo and affiliated indicators within the ThreatConnect Common Community.  This share also includes the full-text DGI “BLUE HERON” research which provides greater insight into Song Yubo, Southeast University and Beijing Topsec.

All things considered, industry must learn to adopt a cooperative defense mindset in the hopes of rebuffing future attacks. The most resolute defense we have is each other, so be like ThreatConnect Research and start actively defending your own community from the next big breach. Register for a free ThreatConnect account today to get started fill out the form below to start sharing and analyzing your threat intelligence.


 

ThreatConnect How To: Importing Indicators

There are many advantages to having a centralized Threat Intelligence Platform (TIP) to aggregate, analyze and act on your own threat intelligence. Among them, is empowering the threat analyst to interact with new threat data as it is aggregated by providing a direct interface to speed up their workflow. This makes collaboration easier and essential to the threat analysis process. Analysts using ThreatConnect can take a set of raw indicators from any source, be it human or machine generated, and use the features of the platform to breathe new ‘life’ and relevancy into their raw data set. What do I mean by ‘life’? I mean, having a collection of indicators that are just as dynamic as the adversary who leverages them. The indicator auto-enriches and is associated with relevant details tying them to the key infrastructure components used in a malicious campaign or attack. Indicators that are “alive” are not stagnant; they are not sitting idly on a spinning disk waiting to become obsolete, and with ThreatConnect, you can put them to work for you. Consider the time an analyst saves by having ThreatConnect answer a few questions that should be asked of any new indicator:

  • Who in my community, or among my internal ThreatConnect Organization, has seen these same indicators?
  • Has anyone already associated these indicators with another incident, threat or adversary?
  • For my host and IP indicators, what DNS and WHOIS lookup data can I obtain and how frequently has it changed?
  • Can I be alerted if this indicator updates or if someone else has seen it?

Having the ability to quickly and easily get answers to these questions is just part of what makes a community-driven approach to threat intelligence so powerful.

So, let’s begin with the basics of importing content into an incident:

Create an Incident:

One of the key features of ThreatConnect is being able to quickly organize your data, group it and associate it, developing an ever increasing amount of context over time. In this example, we will create an Incident but other groupings are available to us depending on what our analytic usecase may be.

Step 1:  Create

SS_Using_Create

Step 2:  Categorize and Enrich

We can apply as many system level or custom attributes to an Incident as we need to capture all of the relevant details. We can also apply Security Labels and custom Tags (a feature we will address later on in the context of indicators).

Now that we have an Incident created, it is time to populate it with raw information or finished analysis, depending on your preference/individual usecase. Let’s take a look at how we import data within ThreatConnect.

Importing indicators: Structured vs. Unstructured

Within ThreatConnect, structured data imports allow for maximum levels of user control over the data before it is imported and require less overhead afterwards. Since finding and aggregating indicator data in a structured format is not always possible, ThreatConnect also provides a powerful feature for parsing indicator data from unstructured sources such as text, PDF and other document formats. It also maintains analytic creature comforts such as “find and replace” features that can defang malicious URLs, domains, or IP Addresses that have been modified so they cannot be clicked on. This means you can grab any text from your favorite analysis blog or the latest PDF write up provided by <insert your favorite security vendor name here> and load it directly into ThreatConnect for indicator parsing and extraction. This dramatically speeds up analyst workflow and threat discovery by allowing analysts to completely bypass what would otherwise be a lengthy and unwieldy process of manual extraction and data massage. It also allows you to includeindicators in your analysis that may otherwise have fallen by the wayside in unread technical whitepapers or blogs.

ThreatConnect Research TIP: There are times you may want to just use only Structured or Unstructured imports,  other times, you may want to use both. It all depends on how the data is presented to you. Consider using the filtering feature to assign common attributes (Descriptions, Sources etc.) or ratings and confidence values. These can always be updated or changed manually or programmatically via the ThreatConnect API.

What follows is a quick, step-by-step guide on how to import a structured set of indicators:

Step 1: Import

To import data from within my ThreatConnect Account, I simply select import indicators from the top right menu bar:

SS_of_import_pull_down

I’ll want to select ‘STRUCTURED CSV’ since I am using a spreadsheet. For more information on how to structure your CSV, please reference the tool tip within the STRUCTURED CSV option.

SS_Structured_vs_Unstructured

Note that my CSV contains the correctly formatted indicator TYPE with the appropriate indicator VALUE. I have included a default DESCRIPTION and SOURCE attribute for additional context and referencing. Of the populated fields, the last two contain a ‘1’ and are optional as they tell ThreatConnect to enable automatic historical WHOIS and DNS lookup information for HOST indicators. It is important to note, that if your WHOIS and DNS results are not immediate post-import, don’t worry – ThreatConnect has scheduled them and they will be auto-enriched.

ThreatConnect Research TIP: It is a good rule of thumb to enable the WHOIS and DNS tracking feature because you want ThreatConnect to update any infrastructure or registration changes. ThreatConnect will also make associations to overlapping WHOIS metadata and DNS resolutions, revealing any non-obvious relationships over time.

By default, the target destination you will import your data into will be your private individual or organization account. However, you have a choice to import data directly into a community to which you may belong – such as the Common Community.  Keep in mind that these communities may have their own anonymity and data sharing policies and code of conduct, so it is important to first understand the differences between private imports and community imports.

ScreenShot_Import_target

Step 2: Validate

In this step, I simply need to validate that all eight fields were correctly identified. Thankfully, ThreatConnect helps you during this validation process. If you happen to have errors at this point, just double check the structure of your CSV and make sure it conforms with the format outlined in the import tooltip. After clicking next, I can then validate that all ten of my indicators were found.

Step 3: Confirm

In this step, I will confirm which of my indicators are new and which already exist within my communities. Here, I can see that all ten of my indicators already exist. This is good news because it means somebody else within my organization or community has already done some initial analysis and it ensures that nobody has to do the same work twice. I also have the option to view existing indicators to ensure they are not already associated with the Incident, Threat or Adversary I am currently working. If your indicators already exist in the system, re-adding the existing indicators, will append any new Description and Source to any existing indicator Attributes you have access to, capturing new information regarding indicators that may be “repeat offenders”.

Step 4: Security Labels and Tagging

Once confirmed, I want to select Security Labels appropriate for my intended audience. Security Labels allow me to set custom security controls around the Indicators themselves as well as associated context within the Attributes. I may also want to tag my indicators. Tagging is a powerful way to make it easier for other analysts to quickly identify and categorize my data and associate them with similar intelligence themes.

ThreatConnect Research TIP: Security Labels are very handy when classifying Indicators, Groups or Attributes. Security Labels allow you to convey your intent as to whether the content can or cannot be shared, as well as how the information can be used. Examples that ThreatConnect Research have created and used are CLIENT CONFIDENTIAL or APPROVED FOR RELEASE.

Step 5: Create New Associations and Save

Finally, in this final step,  I will associate my Indicators with an existing corresponding Grouping, e.g., Incident, Threat, Email or Adversary, I created and hit save. Note that Indicators can also be associated with specific adversaries, threats, signatures, emails, tasks and documents.

Unstructured Data Import

When importing an unstructured set of Indicators, I will mostly follow the same process. The key difference only applies to steps 1, 2 and 3, so these next instructions will focus only on what is different during an unstructured import.

Step 1: Import

I begin by importing a PDF file that I obtained from a great whitepaper on the “Inception Campaign” from the Blue Coat Labs blog.  This write up contains a plethora of indicator data that would take far too long for me to manually parse myself, but I want to immediately capture it, enrich and go hunting for some of the content within my defensive integrations.

Step 2: Validate

When importing from unstructured data, it is important to note that the parsing engine will extract anything and everything that looks like an indicator. This will often include hostnames, email address, URLs and IP addresses that are not malicious but referenced in the document. Analysts will need to validate that the indicators are of interest and prune those not of interest before the import to ensure that the desired content is captured.

SS_Parsed_Indicators

Step 3: Confirm

After validating the data, I have the option to add Description, Source, Rating and Confidence. Note: Any change I make here is applied to all of my Indicators. Since these values will vary with each indicator, I will choose to skip this step and apply the necessary changes to each indicator individually, after I finish my import.

SS_Confirm_Indicators

Conclusion

Unfortunately, for far too long, the state of the art for many Threat Intelligence Teams was email and spreadsheets. Keeping track of multiple dynamic threats over extended periods of time no longer scales to the features of basic office automation. Content and context are everywhere, from analyst inboxes to download folders. With ThreatConnect, analysts can now resurrect what would otherwise be forgotten threat intelligence, allowing analysts to put that data to work within a Threat Intelligence Platform. Getting data into a Threat Intelligence Platform should be as quick and efficient as possible so that time is spent analyzing threats, not munging and massaging data. This is why ThreatConnect gives our users several interface options to Import and populate their Individual or Organization accounts. In future “How-Tos”, we will cover the ThreatConnect API and explain how to automate the ingestion of threat intelligence. Want to breathe new life into your Threat Intelligence? Register for a free Community ThreatConnect account to get started, or choose one of our premium account options for more robust features. Learn more about how ThreatConnect can enrich your organization’s data.

Operation SMN: From Sharing to Acting on Threat Intelligence

We at ThreatConnect are proud to be part of an industry-led Coordinated Malware Eradication (CME) initiative known as Operation SMN. The collaborative effort has targeted specific malicious capabilities used by what is largely suspected to be a Chinese Advanced Persistent Threat (APT) espionage group that has been operating since at least 2010. Operation SMN is led by Novetta, and supported by a coalition of notable industry partners including Cisco, FireEye, F-Secure, iSight Partners, Microsoft, Symantec, Tenable, ThreatTrack and Volexity.

From inception, the intent of Operation SMN has aligned with core principles of ThreatConnect – to aggregate, analyze and act on threat intelligence. In our eyes, Operation SMN serves as a historic inflection point in which the industry proactively demonstrated how private sector organizations can collectively share threat intelligence regarding a common threat actor and quickly put it into action.

Operation SMN evolves upon the industry standard of individual participants aggregating knowledge and producing the research. Thus, demonstrating how the industry can further itself by jointly collaborating, planning and operationalizing shared intelligence, acting as one, to disrupt and mitigate an advanced threat actor.

For more details visit the following blogs of the Operation SMN members:

ThreatConnect applauds the work of all of our partners in Operation SMN and looks forward to future opportunities to work with them and others within the security industry who wish to collaborate and act on shared threat intelligence. As additional information regarding this threat becomes available the ThreatConnect Research Team will be sharing any publicly available details and signatures associated with this threat within the ThreatConnect Common Community. Look for a full report to come later this month. Register for a FREE community account on ThreatConnect for access to our Common Community, or upgrade to our Team or Enterprise versions for access to additional premium data and capabilities, including our API.

There are more signatures to come, but ThreatConnect is sharing what is available now within our Common Community – accessible with a free account.

operation-smn-signatures

Getting the Most out of Crowdsourcing Threat Intelligence

Earlier this week, we saw an article by Robert Ackerman Jr. on Dark Reading about crowdsourced threat intelligence and cyber security. Of course we were excited to see more discussion on threat intelligence and the value of collaboration.

Robert states that challenges remain, and while we agree that some organizations have not yet found the right balance and rhythm to effectively collaborate with others around their threat data, we built ThreatConnect to be the solution to some of the challenges he mentioned.

“The challenge, of course, is how to source from the crowd when trust and transparency are the watchwords of cyber security. How do you ensure the veracity of submissions (“attribution”), represented as the work of good guys and not a potential “Trojan Horse,” in a world where anonymity is the norm and may in fact be a legal requirement? How do you establish an audit trail of accountability to ensure trust and transparency? How do you create an incentive system that rewards contributions from the best and brightest?”

Security teams are notoriously cagey, and for good reason. Once trust is established, then you’re good to go – but how do you know what shared data you can trust? To Robert’s point, how do you ensure that the data is “good” and trustworthy? The first step is to make sure you’re working within a secure platform that has vetted organizations. That’s why the security email list “Fight Clubs” and ISACs of the world have thrived based on trusted networks and referrals. Our community driven threat intelligence platform, ThreatConnect, gives users the flexibility to use anonymous or attributed profiles, based on the trust level of the community they are participating in. This is valuable because you know that the data you are giving and receiving is coming from a real person from a vetted organization.

Working within ThreatConnect ensures that accountability is king, every action within the system is logged and attributed. Trust and transparency are key cornerstones of a platform. The audit trail is open to anyone who has access to that data. Our private communities of industry leaders and organizations have the ability to view any changes or additions to data made, similar to a Wikipedia log.

While some companies may “collect threat intelligence from a spectrum of sources and package it for distribution to customers, often as part of an integrated security management platform”, we take it two steps further.

We certainly agree that the collection piece is important. Whether you’re importing data from multiple sources, from within your own network, or from third party vendors (like iSIGHT Partners), there should be a way to have all of your data aggregated in one place. ThreatConnect was built to be vendor agnostic. We recognize that threat analysts have multiple sources of intelligence.

The next step is analysis. We built our analytic capabilities off of The Diamond Model for Intrusion Analysis, and we allow any user to quickly pivot between datapoints, dig deeper and find relationships with pDNS and reverse WHOIS queries, and easily visualize using our integrated Maltego transform sets or other tools. Back to the sharing of threat intelligence, our platform was built to allow different communities to have unique privacy settings and share information only with the connections that they want to share with. It’s helpful to analyze and find new data and patterns with a little help from your friends.

The final step is action. ThreatConnect allows you to take all of that data and analysis and put it into action, right within the platform. Interacting with your SIEM and other end-point capabilities, security teams are able to automate and move faster because of the deep data analysis that takes place right within ThreatConnect.

Threat intelligence sharing is not a new concept. But, what makes it new is the rise of platforms like ThreatConnect, which put power directly into the hands of users much in the same way that Salesforce.com gave sales teams a platform, and PeopleSoft gave HR a platform. Threat intelligence platforms and collaboration capabilities are just the beginning of the next phase of the security market.

Interested in learning more or checking out ThreatConnect for yourself? Sign up for a free trial and get started right away. It’s easy to stand up a community with ThreatConnect in 30 minutes or less.

How To Streamline Threat Intel Sharing Before Lunch

We saw recently that GCHQ is poised to create a threat intelligence sharing community between public and private organizations in the UK. We applaud this effort and hope that more organizations follow suit. In May, we launched a European Community of Interest  to achieve a similar goal of bringing together public and private organizations.

A challenge that many organizations face is how to establish an sharing community to collaborate within your organization or with other groups. With ThreatConnect, it’s easy to create a collaborative community. We allow any Team or Enterprise Subscribers, as well as Partners, to create a public or private community, a process that usually takes 30 minutes or less. For those who want a private platform to discretely build their own communities, we offer private cloud and on-premises deployment options as well. Here are a few steps that we followed to create our public and private communities.

Characterize the need:

  • Before standing up a ThreatConnect community, you need to understand the problem you are trying to address. Determining if the community will be addressing a general set of threats, or perhaps focused around threats to a specific topic, event or geography.

Determine Community Privacy Policy:

  • A community privacy policy allows the owner to choose whether they will require publicly attributable user profiles or anonymous pseudonyms.  Many of our more mature ThreatConnect Communities use publicly attributable profiles because the users have pre-established working relationships and want to know who they are collaborating with.

Customize Your Community:

  • With our latest release, we allow any organization or community to customize their user experience to their existing processes and procedures. With the Attributes 2.0 feature, users can create and order their own attributes for indicator groupings in addition to individualized indicators. Additionally, with “Security Labels” users can customize labels for their organization and any of their communities.  Security Labels can then be applied to indicator groupings, individual indicators and attributes in accordance with organizational and community requirements. These labels can be used classify information within ThreatConnect and either allow or restrict what content and context is shared when it is time to publish information externally.

Establish Community Rules & Policies:

  • ThreatConnect allows users to customize rules and policies to suit them, they can be as simple as the rules of “Fight Club” or more complex if needed. These policies establish the guidelines of how the community will interact with and protect one another as well as the way information that is shared.

Invite Your Community Members:

  • Building your ThreatConnect community is as easy as sending an invitation, not unlike many other social media platforms. Once your community is operational, you may choose to delegate control to others using granular permissions to establish a variety of roles for your ThreatConnect community members.

Start Sharing:

  • ThreatConnect started with a vision of developing a platform for anyone to aggregate their threat intelligence data, analyze it quickly, and act against threats. More than just a sharing platform or threat intelligence feed, we allow our users to create and analyze threat intelligence, distilling the most relevant information from the complex security challenges that are facing organizations today. We are thrilled to see more public and private sector organizations draw closer within communities and share their threat intelligence and are hopeful that ThreatConnect will be recognized as the threat intelligence platform of choice as those communities mature.

For more information on our communities feature or on how to stand up your own community within ThreatConnect contact us today! Register for a free account to get started.

Learn more about how community collaboration can help enrich your threat intelligence data and more.