Every incident is unique and can be approached differently, depending on the context and nature of the attack. You will work in a scenario regarding a fictitious company but use the intelligence information of actual attacks. Surely some colleagues could propose different work paths, and I do not mean to say that there is a unique way to do this. My only interest is to provide you with the means to apply what you have learned.
In Part 2 of this book, Knowing the Adversary, you learned that Cyber Threat Intelligence (CTI) is crucial when responding to security incidents. The knowledge you have about threat actors and malicious campaigns gives you a strategic advantage: you can identify the Indicators of Attack (IoAs) or Indicators of Compromise (IoCs) associated with a security breach faster and more efficiently.
In this chapter, you will learn about the following topics:
In case you haven't already, you need to download and install VMware Workstation Player from this link https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html.
You'll also need to download the following from the book's official GitHub repository https://github.com/PacktPublishing/Incident-Response-with-Threat-Intelligence:
Before we start with the practical exercises, we will prepare the work environment. In this case, we will use the IR-Workstation VM.
Start the IR-Workstation virtual machine and log in using the following credentials:
Once you have logged in, you will download, install, and run the Docker containers that contain the tools we will use in this chapter.
To install and run MITRE ATT&CK Navigator from a Docker container, follow these steps:
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator
sudo docker build -t attack-navigator .
You can see a visual representation of the build process in the following screenshot:
Note
If you receive any warning messages during the build, don't worry; they won't affect the practical labs.
sudo docker run -p 4200:4200 attack-navigator
You will see MITRE ATT&CK Navigator running locally on your VM, as shown in the following screenshot:
Now that you have a local instance of MITRE ATT&CK Navigator, you can use it offline. Next, we are going to install Threat Report ATT&CK Mapper (TRAM).
TRAM is an open source tool created by the Center for Threat-Informed Defense (CTID) of MITRE Engenuity to automatically map the content of CTI reports to MITRE ATT&CK TTPs.
The TRAM platform uses machine learning (ML) to identify techniques described in the reports, reducing the time and costs required to identify and classify this information.
To install TRAM on your IR-Workstation VM, proceed as follows:
git clone https://github.com/center-for-threat-informed-defense/tram.git
cd tram
vim docker/docker-compose.yml
DJANGO_SUPERUSER_USERNAME=analyst
DJANGO_SUPERUSER_PASSWORD=P4cktIRBook!
DJANGO_SUPERUSER_EMAIL=[email protected]
You can see a visual representation of this in the following screenshot:
sudo docker-compose -f docker/docker-compose.yml up
Note
If you receive any warning messages during the build or startup of the containers, don't worry; they won't affect the practical labs.
You can see a visual representation of this in the following screenshot:
Now that you have prepared your work environment, let's review some TI concepts before starting with the practical exercises.
When we talk about TI, we don't only mean the IoCs integrated into monitoring and detection tools in the form of feeds.
In a modern IR approach, CTI is vital for the early identification and containment of threats, as it provides the context needed for threat hunting and for recognizing malicious behaviors.
The Diamond Model of Intrusion Analysis was created by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz from the Center for Cyber Threat Intelligence and Threat Research (http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf).
This model has become one of the pillars for intelligence analysts and is based on four main components, as outlined here:
This model is represented in the form of a diamond, as shown in the following diagram:
The basis of this model is this: "For every intrusion, an adversary has the infrastructure and capacity to attack their victim."
Using this model, then, lets us understand our adversaries better, develop more robust defense strategies, and respond more effectively to security incidents.
In the next diagram, we are analyzing a cybersecurity incident from the perspective of the Diamond Model of Intrusion Analysis:
Once you have TI information about an adversary or a malicious campaign, you can map the diamond model with every stage of the Cyber Kill Chain framework, as shown in the following table:
This approach allows you not only to know the IoCs related to a security incident but also to visualize the adversary's goals, the different routes they could follow, and the tactics and techniques they used.
Later in this chapter, you will learn how to integrate the Diamond Model of Intrusion Analysis and MITRE ATT&CK TTPs in the IR analysis and investigation processes.
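The following is an added example, not code from the book, that puts the Diamond Model and Cyber Kill Chain mapping described above into a small data model. Each intrusion event carries the four Diamond vertices plus the Kill Chain phase it belongs to; `kill_chain_table()` groups the events per phase (the table from the chapter), `phase_gaps()` lists the phases with no evidence yet, and `pivot()` returns every event sharing one vertex value (for example, one C2 domain). The events are built from the incident in this chapter; the distinction between locally observed evidence and report-derived evidence, and the values marked hypothetical, are assumptions made for the example.

```python
"""Diamond Model events laid over the Cyber Kill Chain.

Added example for this chapter, not the book's own code. Every intrusion
event carries the four Diamond vertices (adversary, capability,
infrastructure, victim) plus the Kill Chain phase it belongs to. Values
marked "hypothetical" are assumptions, not facts from the chapter.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# The seven Cyber Kill Chain phases, numbered 1..7 as the chapter refers to them.
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]


@dataclass(frozen=True)
class DiamondEvent:
    phase: int           # Kill Chain phase number (1..7)
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    observed: bool       # True if seen in our own telemetry, False if it comes from a CTI report
    source: str          # where the evidence came from


EVENTS: List[DiamondEvent] = [
    # Confirmed locally: the SOC blocked the connection from PROD-SK07 to the C2 domain.
    DiamondEvent(6, "Lazarus", "C2 communication", "mail[.]namusoft[.]kr",
                 "PROD-SK07", True, "SOC ticket"),
    # Inferred from the Malwarebytes report on the same campaign (not yet seen locally).
    DiamondEvent(3, "Lazarus", "phishing email with malicious document",
                 "sender infrastructure (hypothetical, unknown)", "PROD-SK07 user",
                 False, "Malwarebytes report"),
    DiamondEvent(4, "Lazarus", "HTA object embedded in a BMP file executes JavaScript",
                 "n/a (executes locally)", "PROD-SK07", False, "Malwarebytes report"),
    DiamondEvent(5, "Lazarus", "loader drops the RAT", "n/a (executes locally)",
                 "PROD-SK07", False, "Malwarebytes report"),
]


def kill_chain_table(events: List[DiamondEvent]) -> Dict[str, List[DiamondEvent]]:
    """Group events by Kill Chain phase name, keeping every phase even when empty."""
    table: Dict[str, List[DiamondEvent]] = {name: [] for name in KILL_CHAIN}
    for event in events:
        if not 1 <= event.phase <= len(KILL_CHAIN):
            raise ValueError(f"phase out of range: {event.phase}")
        table[KILL_CHAIN[event.phase - 1]].append(event)
    return table


def phase_gaps(events: List[DiamondEvent], observed_only: bool = False) -> List[str]:
    """Phases with no evidence; with observed_only=True, report-derived events do not count."""
    covered = {e.phase for e in events if e.observed or not observed_only}
    return [name for idx, name in enumerate(KILL_CHAIN, start=1) if idx not in covered]


def pivot(events: List[DiamondEvent], vertex: str, value: str) -> List[DiamondEvent]:
    """Every event sharing one Diamond vertex value, e.g. all events using one C2 domain."""
    if vertex not in ("adversary", "capability", "infrastructure", "victim"):
        raise ValueError(f"not a Diamond vertex: {vertex}")
    return [e for e in events if getattr(e, vertex) == value]


def render(events: List[DiamondEvent]) -> str:
    """Plain-text version of the phase-by-phase table from this chapter."""
    lines = []
    for phase, rows in kill_chain_table(events).items():
        if not rows:
            lines.append(f"{phase}: (no evidence yet)")
        for e in rows:
            status = "observed" if e.observed else "from CTI"
            lines.append(f"{phase}: {e.adversary} | {e.capability} | "
                         f"{e.infrastructure} | {e.victim} [{status}: {e.source}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVENTS))
    print("Gaps (any evidence):", phase_gaps(EVENTS))
    print("Gaps (observed only):", phase_gaps(EVENTS, observed_only=True))
```

Run with `observed_only=True` the gap list shows that, at this point in the investigation, only the Command and Control phase is backed by the organization's own telemetry; everything else is still inferred from the report, which is exactly where hunting and artifact collection should be directed next.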
In the identification stage of responding to a security incident, obtaining enough information about IoCs and IoAs is crucial.
One of the main challenges of mapping CTI to ATT&CK is the way reports are written. When analysts document an attack or campaign, they tend to focus on technical details and IoCs, whereas the ATT&CK framework is built around behaviors, that is, IoAs.
So, let's learn how to identify behaviors from a TI report to map it to ATT&CK TTPs.
It is 3 A.M., and you get a call from an important manufacturing company in South Korea. The cybersecurity department reports that there has been suspicious behavior within their corporate network. The security operations center (SOC) team identified and blocked a connection from the production area manager's computer, PROD-SK07, to the mail[.]namusoft[.]kr domain.
According to the SOC team, the intelligence feed that supplied the indicator had tagged the IoC as a domain related to a campaign of the threat actor Lazarus. For that reason, they opened a security incident ticket.
After the call, you connect to the company's cybersecurity team via a web meeting. They provide you with more details about the incident and share the IoC of the domain that was identified in the connection.
So, you have the connections that were made from the suspicious computer to the malicious domain. Using the Cyber Kill Chain model as a reference, we can determine that the attack is probably in phase 6 (communication with the C2 server).
At this point, you have the following information:
You could start by getting an image of the computer's memory or retrieving forensic artifacts to start the investigation, just as you did in Chapter 4, Applying First Response Procedures. However, in this chapter, we will focus on gathering intelligence information, which will help you identify, contain, and eradicate the threat.
From an IR perspective, you can begin by checking with the TI team whether the IoC is already known or something new.
You can start searching this IoC on Open Source Intelligence (OSINT) sources, a Threat Intelligence Platform (TIP), or directly on the IR system (IRS) with a TI-integrated module, as you will learn in Chapter 10, Implementing an Incident Management System.
In this case, we found this IoC was referenced in a published TI report by the antivirus company Malwarebytes at the following URL: https://blog.malwarebytes.com/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/.
According to this report, the threat actor behind this IoC is Lazarus (https://attack.mitre.org/groups/G0032/), a known state-sponsored cyber-threat group to which attacks such as WannaCry (https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/), among others, are attributed. So, you now have the profile of the potential threat actor, and you can calculate the risk level to which the organization is exposed, as you learned in Chapter 5, Identifying and Profiling Threat Actors.
At this time, it is crucial to identify other computers connecting to this C2 server, as you will learn in Chapter 13, Creating and Deploying Detection Rules, or find new IoCs related to this malicious campaign.
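As an added example, not code from the book, the script below does the first step of that hunt: it refangs the defanged IoC from the ticket (`mail[.]namusoft[.]kr`) and scans proxy/DNS log lines for every internal host that resolved or connected to that domain, matching the exact host or any subdomain of it rather than a loose substring. The log lines and their format (timestamp, source host, event type, destination, optional action) are constructed for this example; the hostnames other than PROD-SK07 are hypothetical.

```python
"""Hunt log telemetry for other hosts contacting a C2 domain identified via CTI.

Added example for this chapter, not code from the book. The log format and
all lines in SAMPLE_LOGS are constructed; only PROD-SK07 and the domain come
from the chapter's scenario.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The IoC exactly as it arrived in the ticket (defanged so it cannot be clicked).
DEFANGED_IOC = "mail[.]namusoft[.]kr"

# Constructed sample log lines: timestamp, source host, event type, destination[, action].
SAMPLE_LOGS = """\
2022-05-10T03:02:11Z PROD-SK07 dns_query mail.namusoft.kr
2022-05-10T03:02:12Z PROD-SK07 http_connect mail.namusoft.kr:443 blocked
2022-05-10T03:05:40Z FIN-SK02 dns_query www.example.com
2022-05-10T03:09:03Z HR-SK11 dns_query MAIL.NAMUSOFT.KR
2022-05-10T03:09:05Z HR-SK11 http_connect mail.namusoft.kr:443 allowed
2022-05-10T03:15:00Z FIN-SK02 dns_query notmail.namusoft.kr
2022-05-10T03:20:00Z FIN-SK02 dns_query mail.namusoft.kr.example
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<dest>\S+)(?:\s+(?P<action>\S+))?$"
)


def refang(ioc: str) -> str:
    """Turn common defanging ('[.]', 'hxxp') back into a matchable, lower-cased domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_matches(observed: str, ioc_domain: str) -> bool:
    """True for the IoC host itself or any subdomain of it; ':port' and a trailing dot are ignored."""
    host = observed.split(":", 1)[0].lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def hunt(log_text: str, defanged_ioc: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {source_host: [(timestamp, event, action), ...]} for every host that touched the IoC."""
    ioc_domain = refang(defanged_ioc)
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; in production you would count these
        if host_matches(m["dest"], ioc_domain):
            hits[m["host"]].append((m["ts"], m["event"], m["action"] or "n/a"))
    return dict(hits)


def allowed_connections(hits: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Hosts with at least one connection that was NOT blocked: the likely new victims."""
    return sorted(h for h, rows in hits.items()
                  if any(action == "allowed" for _, _, action in rows))


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS, DEFANGED_IOC)
    for host, rows in results.items():
        print(host)
        for ts, event, action in rows:
            print(f"  {ts} {event} ({action})")
    print("Hosts with allowed connections:", allowed_connections(results))
```

Note the two near-misses in the sample: `notmail.namusoft.kr` and `mail.namusoft.kr.example` are deliberately not matched, because a substring search would flag both and waste investigation time; if the TI team decides the whole apex domain is adversary infrastructure, widen `ioc_domain` to the apex and the same function handles it.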
As you learned in Chapter 6, Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework, ATT&CK is a knowledge base to identify tactics and techniques used by malicious actors in cyberattacks.
Becoming familiar with ATT&CK tactics and techniques takes time and requires dedication and experience. I recommend using ATT&CK in a practical and applicable way instead of just reading the theory.
According to MITRE, the best way to map CTI information to ATT&CK techniques is to follow the steps described next.
We need to read the threat intelligence report and identify the techniques used by attackers. Sometimes, you will see a direct reference, but on other occasions, you must read between the lines and understand the context to deduce the possible technique used.
To analyze and find attackers' behaviors using TRAM, proceed as follows:
Now, we will import this intelligence report to the TRAM platform to map its content to ATT&CK more efficiently.
Note
TRAM supports the following file formats: .pdf, .docx, .html, .json, and .txt.
You will see a new report imported with a status of Queued, as shown in the following screenshot:
After a few seconds, the status will change to Reviewing, which means that the report is ready for processing.
You will see two columns: on the left, the report's content in text format, and on the right, the mappings to the ATT&CK framework, as you can see in the following screenshot:
In one of their most recent campaigns, Lazarus used a complex targeted phishing attack against security researchers.
As you can see, phishing was one of the threat actor's techniques in this campaign. However, we don't know what kind of phishing this could be, so we will try to get additional information about the specific sub-technique used.
We could assume that phishing was at least one of the attack vectors and start looking for the characteristics and content of emails and the users who received them.
Sometimes, you may not be familiar with a particular behavior used by attackers. In that case, go further: consult additional sources about it and work out which technique defined in ATT&CK matches it best.
To research malicious behavior, proceed as follows:
In this campaign, Lazarus resorted to an interesting technique of BMP files embedded with malicious HTA objects to drop its Loader.
This paragraph is shown in the following screenshot:
Suppose that you don't have background knowledge about this technique. In that case, you could search for sources about the use of HyperText Markup Language (HTML) Application (HTA) objects embedded in bitmap image (BMP) files.
Read about this campaign and analyze how attackers could combine these techniques to fly under the radar or avoid detection.
To translate a malicious behavior into a tactic, you need to focus on what the threat actor is trying to accomplish, and which phase the attack is in.
To map a particular behavior into an ATT&CK tactic, proceed as follows:
In this campaign, Lazarus resorted to an interesting technique of BMP files embedded with malicious HTA objects to drop its Loader.
They are doing the following:
We now have an idea of the attacker's intention and what they were trying to do; if we use the MITRE ATT&CK Navigator tool, we can start looking at which of the possible techniques the attackers used.
Once you have identified the adversary objectives in the distinct phases of the attack, the next step is to find out which actions they take to achieve them. We could define ATT&CK techniques as the "what" and tactics as the "how".
Now, the next step will be mapping the behaviors identified in the CTI report to ATT&CK techniques. Proceed as follows:
If you carefully review the Execution techniques, the one that corresponds to the behavior described in the report is the Command and Scripting Interpreter technique.
The previous steps are shown in the following screenshot:
You could save this layer of ATT&CK with the identified techniques to share or consult later.
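As an added example, not code from the book or from MITRE's Navigator project, the script below builds that layer programmatically from the behaviors mapped so far, so it can be generated from a report and shared without clicking through the matrix. The layer keys used (`name`, `versions`, `domain`, and `techniques[]` entries with `techniqueID`, `tactic`, `color`, `comment`, `enabled`, `score`, `showSubtechniques`) are the Navigator layer JSON fields as I know them; the version numbers are assumptions to be matched against your local instance. T1566.001 is the mapping shown in this chapter; T1059 (Command and Scripting Interpreter) and T1218.005 (System Binary Proxy Execution: Mshta) are real ATT&CK IDs chosen here for the BMP/HTA and JavaScript behaviors.

```python
"""Generate an ATT&CK Navigator layer from techniques mapped in a CTI report.

Added example for this chapter, not code from the book, TRAM, or the
Navigator project. Layer field names follow the Navigator layer JSON as I
know it; the version strings are assumptions.
"""
import json
import re
from typing import Dict, List

ENTERPRISE_TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Behaviors lifted from the CTI report, each with the technique it was mapped to.
MAPPED: List[Dict[str, str]] = [
    {"id": "T1566.001", "tactic": "initial-access",
     "evidence": "phishing emails weaponized with a malicious document"},
    {"id": "T1059", "tactic": "execution",
     "evidence": "BMP file embedded with a malicious HTA object drops the loader"},
    {"id": "T1218.005", "tactic": "defense-evasion",
     "evidence": ".hta file executing JavaScript through mshta"},
]


def parent_of(technique_id: str) -> str:
    """T1566.001 -> T1566; a parent technique is returned unchanged."""
    return technique_id.split(".", 1)[0]


def build_layer(name: str, mapped: List[Dict[str, str]],
                attack_version: str = "11", navigator_version: str = "4.6",
                layer_version: str = "4.3") -> dict:
    """Return a Navigator layer dict highlighting each mapped technique.

    Parents of mapped sub-techniques get showSubtechniques so the matrix expands them.
    """
    techniques: List[dict] = []
    for m in mapped:
        if not TECHNIQUE_ID.match(m["id"]):
            raise ValueError(f"malformed technique ID: {m['id']}")
        techniques.append({
            "techniqueID": m["id"],
            "tactic": m["tactic"],
            "color": "#ff6666",
            "comment": m["evidence"],
            "enabled": True,
            "score": 1,
        })
    listed = {t["techniqueID"] for t in techniques}
    for m in mapped:
        parent = parent_of(m["id"])
        if parent != m["id"] and parent not in listed:
            techniques.append({"techniqueID": parent, "tactic": m["tactic"],
                               "showSubtechniques": True})
            listed.add(parent)
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": navigator_version,
                     "layer": layer_version},
        "domain": "enterprise-attack",
        "description": "Techniques mapped from CTI during the investigation",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


def validate_layer(layer: dict) -> List[str]:
    """Return a list of problems (an empty list means the layer looks consistent)."""
    problems = []
    if layer.get("domain") != "enterprise-attack":
        problems.append("domain must be enterprise-attack for these tactics")
    for t in layer.get("techniques", []):
        tid = t.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"bad technique ID: {tid!r}")
        tactic = t.get("tactic")
        if tactic is not None and tactic not in ENTERPRISE_TACTICS:
            problems.append(f"{tid}: unknown tactic {tactic!r}")
    return problems


def write_layer(layer: dict, path: str) -> None:
    """Write the layer as JSON, ready for Navigator's 'Open Existing Layer' upload."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)


if __name__ == "__main__":
    layer = build_layer("IR-012_22-APT", MAPPED)
    problems = validate_layer(layer)
    if problems:
        raise SystemExit("\n".join(problems))
    write_layer(layer, "IR-012_22-APT-layer.json")
    print(json.dumps(layer, indent=2))
```

Load the resulting file through the local Navigator instance from the earlier setup; because the layer carries the `evidence` sentence as each technique's comment, anyone reviewing it can trace every highlighted cell back to the report.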
Next, we will see another way to find a technique or sub-technique in the ATT&CK browser quickly.
One of the attacker's behaviors described in the TI report was the use of a .hta file that executes JavaScript code. You can search for this term directly as follows:
In the Techniques section, you will see a list of techniques related to the hta search criteria.
The previous steps are shown in the following screenshot:
As you can see, we could find a technique and sub-technique without knowing the tactic beforehand, using only the method the adversary employed.
Now, go back to the TRAM report analysis dashboard to add the following sub-techniques:
In this way, you associated a malicious behavior described in the CTI report with a specific ATT&CK technique.
Sometimes, the ML functionality of TRAM will automatically recognize the behaviors in the CTI report and will assign them an associated technique/sub-technique. You can see an example of this next.
Process Graph This attack likely started by distributing phishing emails that were weaponized with a malicious document.
You will see that TRAM recognized the behavior and assigned the T1566.001 - Spearphishing Attachment sub-technique, as you can see in the following screenshot:
You will see the report status change to Accepted (in green). Now, you can export the analysis results in two different formats, JSON and DOCX, as you can see in the following screenshot:
In the first part of the analysis report, you will see a summary of the sentences accepted and reviewed. Additionally, you will find the ATT&CK techniques organized by identifier (ID) and the matched sentences, as shown in the following screenshot:
From an IR point of view, with the information obtained up to now, the likelihood that the company was targeted by the same threat actor, and that this attack is part of the same campaign launched against other companies, is high.
Now that you have TI information about the potential threat actor and the related campaign, tactics, and techniques, you can start the threat-hunting process to identify compromised assets in the organization.
Note
In Chapter 12, Working with Analytics and Detection Engineering in Incident Response, and Chapter 13, Creating and Deploying Detection Rules, you will learn more about detection engineering and threat hunting.
There is another way to map behaviors from TI to ATT&CK TTPs: you can use Visual Studio Code (VS Code) with the VSCode ATT&CK extension as a valuable tool for your investigations.
In Chapter 5, Identifying and Profiling Threat Actors, you learned how to use this tool to create threat actor profiles using the Markdown language.
Before starting, we need to configure the VSCode ATT&CK extension settings. To do so, proceed as follows:
Now that we have configured the VS Code ATT&CK extension, let's begin documenting the techniques we found in various TI sources.
We are going to create a new ATT&CK techniques report using the Markdown language. To do so, proceed as follows:
# Incident Response Investigation - Threat Intelligence information
#### Report ID: IR-012_22-APT
## Executive Summary
The SOC team of the South Korean branch reported a suspicious connection from the PROD-SK07 computer to the domain mail[.]namusoft[.]kr.
According to threat intelligence sources, the domain is related to malicious campaigns operated by the Lazarus threat actor.
## Related campaigns
Lazarus APT conceals malicious code within BMP image to drop its RAT
https://blog.malwarebytes.com/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
## Tactics Techniques and Procedures (TTPs)
Your text should look as shown in the following screenshot:
You will see the name of the techniques related to the term Phishing, as you can see in the following screenshot:
Now, let's try providing a technique ID.
You can also insert a link associated with a specific technique/sub-technique.
By default, the VSCode ATT&CK extension supports Markdown and YAML Ain't Markup Language (YAML) files, which is particularly useful for writing Sigma rules, for example. You can also add support for other languages; for more details, consult the official wiki at https://github.com/redcanaryco/vscode-attack/wiki.
Now that you have learned to map TI to ATT&CK techniques, you will next learn how to include CTI information in IR reports.
You can incorporate TI information into IR reports regarding threat actors and campaigns and correlate it with the Cyber Kill Chain framework and the Diamond Model of Intrusion Analysis.
There is no doubt that TI and the knowledge of threat actors' behaviors are critical in IR processes, especially in the Identification and Containment phases, but how can we make it actionable?
Lenny Zeltser (Twitter handle @lennyzeltser) created a handy template for documenting TI so that the information can be put to use in IR. The Report Template for Threat Intelligence and Incident Response is free to use and distributed under the Creative Commons Attribution license (CC BY 4.0). You can download it from this URL: https://zeltser.com/cyber-threat-intel-and-ir-report-template/.
To learn how to use this template, we will use the same hypothetical IR case described in this chapter, whereby we will need to identify critical pieces of information to create a report.
To start collecting intelligence information and create a report, proceed as follows:
In the first part of the template, there is a brief description of the frameworks related to this document, as shown in the following screenshot:
Incident Name: Detection of IoCs related to a Lazarus Threat Actor's Campaign
Report Author: Investigator
Report Date: 05/10/2022
Once you complete the previous steps, your document should look like the following screenshot:
Next, you will document all the information you can get from different sources. For example, this is another good source with valuable information about this threat actor and the campaigns attributed to them: Andariel evolves to target South Korea with ransomware (Kaspersky, https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/).
You will find an example of this report with information in the book's repository in the Lab-files section.
As you can see, this template covers different models, such as the IR and Cyber Kill Chain frameworks, and the Diamond Model of Intrusion Analysis.
Also, it is a valuable tool for integrating the profiles of threat actors, malicious campaigns, and TI information into different stages of IR.
In this chapter, you learned the main concepts of the Diamond Model of Intrusion Analysis to create CTI reports.
You learned how to install local instances of MITRE ATT&CK Navigator and TRAM on your VM.
You also learned how to use VS Code with the VSCode ATT&CK extension to research and use ATT&CK techniques interactively.
Finally, you learned how to provide TI information to include it in IR reports.
In the next chapter, you will learn how to develop an IR capacity in an organization to facilitate activities and processes in different IR scenarios.
To learn more about the topics that were covered in this chapter, look at the following resources: