Threat Intelligence and Orchestration can come together to defeat threats to your network, or D&D monsters…whichever you face.
When watching Stranger Things it’s easy to notice many incidents throughout the show worthy of further investigation. Many of the characters in the show could actually benefit quite a bit from the processes and techniques security professionals use every day. Analysts are busy conducting various forms of research and constantly seeking more context and associations so they can better understand what and who is attacking them. The more information and knowledge analysts gain, the closer they get to determining the best course of action to solve their problems and defeat their adversaries. Hmmm… sounds pretty similar to what Mike Wheeler and company were trying to accomplish.
The heroes in the show could benefit greatly from an intelligence-driven security automation and orchestration capability. Their investigative tasks and mitigation actions against the Demogorgon could be codified into a repeatable template to apply as similar threats emerge.
So let’s apply this concept now to Stranger Things.
Demogorgon Incident Playbook
On the back of our Black Hat 2017 t-shirts, we have created a Playbook of actions that could be orchestrated to automate the process of managing and responding to a Demogorgon incident. With ThreatConnect’s Playbooks feature, you can automate almost any cybersecurity task using an easy drag-and-drop interface – no coding needed. ThreatConnect uses Triggers (e.g., a new IP address Indicator, a phishing email sent to an inbox) to pass data to apps which perform a variety of functions, including: data enrichment, malware analysis, and blocking actions. Once enabled, Playbooks run in real-time and provide you with detailed information about each run.
If you haven’t watched the show yet, stop reading this and log into your Netflix account. It’s only 8 episodes, we’ll wait…
CREATE AN INCIDENT
Will Byers Goes Missing
Okay, so the show kicks off with the escape of a monster-like creature out of a lab in Hawkins, Indiana in 1983. This is akin to kicking off an alert in the SOC – maybe due to a piece of suspected malware being created and sent out to execute and infect a network. For the purposes of the analogy, the everyday people of Hawkins make up the “network” that is potentially at risk and needs to be protected by our Playbook. The network is alerted that something bad has happened when Will Byers vanishes after confronting the monster – this is the malware taking its first victim. His mother Joyce and older brother Jonathan can’t find him and start to alert others of the incident. Joyce and Jonathan, along with Will’s best friends make up the initial team that will investigate this alert. This alert trigger has led to the creation of an incident, which we will label as “Missing Children”. In ThreatConnect an “Incident” represents a snapshot of a particular intrusion, breach, or other event of interest.
CASE MANAGEMENT – OPEN TICKET
Hawkins Police Department
Joyce notifies the police, which starts the official process of filing a missing child report. A management ticket has now been opened via our Playbook so the activities of the case can be shared amongst the team and are recorded for future reference. The Hawkins Police Report will now serve as our open ticket to manage this case and keep track of the workflow.
IF ASSET = BARB
Set Priority = Low
Now comes an interesting point in the process that most fans love to point out. In the course of the show there are two different kids that go missing: Will and Barb. With the disappearance of Will, the town is in a frenzy – parents, friends, teachers, and police all searching for answers. When Barb vanishes… crickets. Her best friend, Nancy, seems to be the only one who notices and brings any attention to the matter. Yet she inevitably gets swept up in the seemingly more important search for Will. Even Barb’s parents say she ran away and accept that scenario quite easily.
Playbooks can help prioritize your security team’s response. In ThreatConnect, you can quickly prioritize by using threat ratings, ThreatAssess, and CAL to gain deeper insight into how potentially malicious and relevant something is. In the context of the network, maybe Barb is a less critical asset than Will. As far as security processes go, a priority level of “Low” has been set for the asset Barb in our Playbook. This has informed the team to spend their time and effort on the higher priority incidents, such as Will Byers. Poor Barb.
GET ENRICHMENT + ADD CONTEXT
In the show, the characters start out knowing almost nothing about their adversary; they certainly wouldn’t know where or how to begin containing it! Now that things are focused back on the higher priority incidents, the team’s next step is to enrich what they know and add context to learn more about the threat that is present in Hawkins. This is a crucial step for a security team looking for actionable knowledge that can inform their next moves. They will be looking to uncover what is already known about a threat hoping to identify details of their potential attack pattern and respond accordingly. In ThreatConnect you can easily find out where the indicator has been seen in other sources, its threat rating, its geolocation data, domain resolutions and passive DNS data, any tags assigned to that indicator, any other indicators that are related to that indicator, and more.
Here are some of the enrichment tools the team brings to bear:
Dungeons and Dragons Monster Manual
Much like analysts might turn to their peers and enrichment services to get details on an incident, Will’s friends start searching for answers. They come across a young girl named Eleven, discover her telekinetic powers, realize that she may have some details on the whereabouts of Will, and ask her what happened. Eleven uses a Dungeons and Dragons game to explain about the monster that took Will, which they now identify as a Demogorgon using their Monster Manual (just as an analyst might reference ThreatConnect’s Intelligence Source). In our Playbook we use this new information to associate the Demogorgon Adversary to the Incident.
TRC 214 Walkie Talkie to Upside Down
The boys and Eleven use walkie-talkies to confirm that Will has been taken by the monster and carried back to its origin, called the Upside Down. In our Playbook we use this new information to associate Will as the Victim of the Incident.
Notify Incident Response Via Christmas Lights
Like any good Incident Response manager, Will’s mother realizes a regular communication system and process is needed. So, she hangs a set of Christmas lights and coordinates them with the letters in the alphabet. Will uses her communication system to transmit messages. In our Playbook, this is seen as our task to notify the Incident Response team. Joyce uses Christmas lights, but a real IR team could use a Playbook to notify others via Slack, email, or other means.
Based on a technique that Eleven used while at the Hawkins Lab, the boys build a makeshift sensory-deprivation tank from an inflatable pool to amplify her powers in an attempt to travel to the Upside Down. Their strategy works, and Eleven is able to confirm that the monster is in the Upside Down, has killed Barb (if anyone cared at this point), and is on the hunt for Will. Instead of a malware sandbox, it’s a malware kiddie pool! In our Playbook this is the DETONATE MALWARE step which is a form of dynamic malware analysis that is used to observe the behavior of the malware once it has been executed and to determine its potential impact.
The analysis of the malware paired with previous knowledge from Eleven’s past helps the team piece together a few items. In our Playbook we are able to add certain attributes that are associated to the Demogorgon adversary:
- Attack Pattern – Slime Cocoon
- Attack Pattern – Transdimensional Telepathy
- Attack Pattern – Slug Infestation
- Silver Fox – Matthew Modine
GET ADVERSARY ATTRIBUTE COURSE OF ACTION
Now that the team has identified the monster’s techniques and abilities, they seek to lure it out to destroy it. Hopper and Joyce were able to enter the Upside Down where they find Will, who is unconscious with a tendril down his throat that the monster has put there. Back at the boys’ middle school, the monster finds the children, but is pinned and eventually disintegrated by Eleven, who then vanishes. In our Playbook we have automated enrichment of the Incident, which leverages existing intelligence (like the Monster Manual!) to help inform possible Courses of Action, which can also be automated. We can branch our Playbook to take multiple Courses of Action based on what the analysis uncovers: in this case, the appropriate route is Disintegration! So to take the BLOCK DEMOGORGON action, Eleven uses disintegrate. It’s super effective!
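The whole Playbook described above, from the trigger through ticketing, asset-based prioritization, enrichment, detonation and the branching Course of Action, as an added example in Python. This is not ThreatConnect code (its Playbooks feature is drag-and-drop rather than scripted); the engine, the intel source, the asset criticality table, the sandbox verdicts and every indicator and hash in it are constructed for illustration, and the run log stands in for the per-run detail a real orchestration platform records.

```python
"""Toy playbook engine: trigger -> incident -> ticket -> priority -> enrichment
-> detonation -> course of action, with an audit log per run.
Added illustration only; not ThreatConnect code. All data below is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-in for an intelligence source (the "Monster Manual").
INTEL_SOURCE: Dict[str, dict] = {
    "198.51.100.23": {"threat_rating": 5, "adversary": "Demogorgon",
                      "attack_patterns": ["Slime Cocoon", "Transdimensional Telepathy",
                                          "Slug Infestation"]},
    "203.0.113.9": {"threat_rating": 1, "adversary": None, "attack_patterns": []},
}
# Constructed asset inventory; criticality drives the IF ASSET = ... branch.
ASSET_CRITICALITY: Dict[str, str] = {"will": "high", "barb": "low", "nancy": "medium"}
# Constructed sandbox ("kiddie pool") verdicts keyed by placeholder sample hashes.
SANDBOX_VERDICTS: Dict[str, dict] = {
    "sha256:PLACEHOLDER-DEMOGORGON": {"malicious": True, "behaviors": ["spawns slugs", "opens gate"]},
    "sha256:PLACEHOLDER-BENIGN": {"malicious": False, "behaviors": []},
}


@dataclass
class Incident:
    """Snapshot of one event of interest plus everything the playbook learned about it."""
    name: str
    trigger: dict
    ticket: Optional[str] = None
    priority: str = "unset"
    enrichment: dict = field(default_factory=dict)
    associations: dict = field(default_factory=dict)
    sandbox: dict = field(default_factory=dict)
    course_of_action: Optional[str] = None
    run_log: List[str] = field(default_factory=list)


# Each step mutates the incident and returns a one-line summary for the run log.
Step = Callable[[Incident], str]


def open_ticket(inc: Incident) -> str:
    # CASE MANAGEMENT: ticket id derived from the triggering indicator (constructed scheme).
    inc.ticket = "HPD-" + inc.trigger["indicator"].replace(".", "-")
    return f"opened ticket {inc.ticket}"


def set_priority(inc: Incident) -> str:
    # IF ASSET = BARB -> Low: priority follows the asset's criticality, default medium.
    inc.priority = ASSET_CRITICALITY.get(inc.trigger["asset"], "medium")
    return f"priority={inc.priority} for asset {inc.trigger['asset']}"


def enrich(inc: Incident) -> str:
    # GET ENRICHMENT + ADD CONTEXT: attach adversary, attack patterns and victim associations.
    intel = INTEL_SOURCE.get(inc.trigger["indicator"])
    if intel is None:
        return "indicator not seen in intel source"
    inc.enrichment = intel
    if intel["adversary"]:
        inc.associations["adversary"] = intel["adversary"]
        inc.associations["attack_patterns"] = list(intel["attack_patterns"])
    inc.associations["victim"] = inc.trigger["asset"]
    return f"rating={intel['threat_rating']} adversary={intel['adversary']}"


def detonate(inc: Incident) -> str:
    # DETONATE MALWARE: look up the dynamic-analysis verdict for the submitted sample.
    inc.sandbox = SANDBOX_VERDICTS.get(inc.trigger.get("sample", ""),
                                       {"malicious": False, "behaviors": []})
    return f"sandbox malicious={inc.sandbox['malicious']}"


def choose_course_of_action(inc: Incident) -> str:
    # GET ADVERSARY ATTRIBUTE COURSE OF ACTION: branch on what the analysis uncovered.
    # Low-priority assets are queued, confirmed high-rated malware is blocked,
    # anything ambiguous is handed to the IR channel (Slack, email, Christmas lights).
    rating = inc.enrichment.get("threat_rating", 0)
    if inc.priority == "low":
        inc.course_of_action = "queue"
    elif inc.sandbox.get("malicious") and rating >= 4:
        inc.course_of_action = "block"
    else:
        inc.course_of_action = "notify_ir"
    return f"course_of_action={inc.course_of_action}"


PLAYBOOK: List[Step] = [open_ticket, set_priority, enrich, detonate, choose_course_of_action]


def run_playbook(trigger: dict, steps: List[Step] = PLAYBOOK) -> Incident:
    """CREATE AN INCIDENT from the trigger, then run every step and log what it did."""
    inc = Incident(name="Missing Children", trigger=trigger)
    inc.run_log.append(f"trigger: {trigger}")
    for step in steps:
        inc.run_log.append(f"{step.__name__}: {step(inc)}")
    return inc


if __name__ == "__main__":
    result = run_playbook({"indicator": "198.51.100.23", "asset": "will",
                           "sample": "sha256:PLACEHOLDER-DEMOGORGON"})
    print("\n".join(result.run_log))
```

Running it with the Will trigger walks all five steps and ends in `block`; swapping the asset to `barb` takes the low-priority branch to `queue` before any blocking is considered, which is exactly the prioritization behaviour the Barb section describes, for better or worse.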
Be an Eleven
We’ve shown here how threat modeling was used by a ragtag group in Stranger Things to defeat the Demogorgon. Now just imagine what a real-life team of trained security professionals would be able to accomplish. Security processes like this can be used to add context and enrich data to turn it into actionable knowledge and intelligence. Learn how our customers are using ThreatConnect to carry out processes like these on a daily basis to organize their data, identify cyber threats, and defend against them.