Modeling Attackers and Their Motives

by adam on November 11, 2014

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on for why.

There are a number of surface reasons that you might reject or ignore these reports. For example, these reports are funded by marketing. Even if they are, that’s not a reason to reject them. The baker does not bake bread for fun, and the business goal of marketing can give us useful information. You might reject them for their abuse of adjectives like “persistent”, “stealthy”, or “sophisticated.” (I’m tempted to just compile a wordcloud and drop it in place of writing.) No, the reason to only skim these is what the analysis does to the chance of your success. There are two self-inflicted wounds that often happen when people focus on attackers:

  • You miss attackers
  • You misunderstand what the attackers will do

You may get a vicarious thrill from knowing who might be attacking you, but that very thrill is likely to keep those details at the front of your conscious mind, or anchor your attention on them, causing you to miss other attackers. Similarly, you might get attached to the details of how they attacked last year, and not notice how those details change.

Now, you might think that your analysis won’t fall into those traps, but let me be clear: the largest, best-funded analysis shops in the world routinely make serious and consequential mistakes about their key areas of responsibility. The CIA didn’t predict the collapse of the Soviet Union, and it didn’t predict the rise of ISIS.

If your organization believes that it’s better at intelligence analysis than the thousands of people who work in US intelligence, then please pay attention to my raised eyebrow. Maybe you should be applying that analytic awesomesauce to your core business, maybe it is your core business, or maybe you should be carefully combing through the reports and analysis to update your assessments of where these rapscallions shall strike next. Or maybe you’re over-estimating your analytic capabilities.

Let me lay it out for you: the “sophisticated” attackers are using phishing to get a foothold, then dropping malware which talks to C&C servers in various ways. The phishing has three important variants you need to protect against: links to exploit web pages, documents containing exploits, and executables disguised as documents. If you can’t reliably prevent those things, detect them when you’ve missed, and respond when you discover you’ve missed, then digging into the motivations of your attackers may not be the best use of your time.

The indicators that can help you find the successful attacks are an important value from these reports, and that’s what you should use them for. Don’t get distracted by the motivations.
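As an added illustration of that closing advice (this is example code, not from the original post): a small hunt script that sweeps constructed proxy, endpoint and mail-gateway log lines for a report's filename, hash and IP indicators, and also flags the third phishing variant above, an executable disguised as a document, by its PE header or a double extension. Every indicator value and log line here is constructed (TEST-NET addresses, a placeholder hash).

```python
# Added example (not from the post): sweep constructed log lines for a report's
# filename, hash and IP indicators, plus the "executable disguised as a document"
# phishing variant. All values below are constructed (TEST-NET IPs, placeholder hash).
import re
from typing import Dict, List, Set, Tuple

# Indicator set in the shape a report appendix provides.
INDICATORS: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "sha256": {"a" * 64},
    "filename": {"invoice_q3.scr", "update_tool.exe"},
}

# Constructed proxy, endpoint file-write and mail-gateway events.
LOG_LINES: List[str] = [
    "proxy 2014-11-11T09:01:02 src=10.0.0.12 dst=203.0.113.45 host=cdn.example",
    "proxy 2014-11-11T09:01:05 src=10.0.0.12 dst=192.0.2.80 host=www.example.com",
    "file  2014-11-11T09:02:10 host=ws12 path=C:\\Users\\bob\\Downloads\\invoice_q3.scr sha256=" + "a" * 64,
    "mail  2014-11-11T09:00:30 to=bob@corp.example attach=report.pdf.exe magic=4d5a",
    "mail  2014-11-11T09:00:40 to=alice@corp.example attach=agenda.docx magic=504b",
]

KV = re.compile(r"(\w+)=(\S+)")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")

def disguised_executable(name: str, magic_hex: str) -> bool:
    """Document-looking name with a PE 'MZ' header, or a double extension like x.pdf.exe."""
    lower = name.lower()
    mz_with_doc_ext = magic_hex.lower().startswith("4d5a") and lower.endswith(DOC_EXT)
    double_ext = any(lower.endswith(ext + ".exe") for ext in DOC_EXT)
    return mz_with_doc_ext or double_ext

def sweep(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (log source, indicator type, value) for each matching line."""
    hits = []
    for line in lines:
        source, fields = line.split()[0], dict(KV.findall(line))
        if fields.get("dst") in INDICATORS["ip"]:
            hits.append((source, "ip", fields["dst"]))
        if fields.get("sha256") in INDICATORS["sha256"]:
            hits.append((source, "sha256", fields["sha256"]))
        # Match on the basename so a reported filename hits regardless of path.
        path = fields.get("path") or fields.get("attach") or ""
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        if basename in INDICATORS["filename"]:
            hits.append((source, "filename", basename))
        if "attach" in fields and disguised_executable(fields["attach"], fields.get("magic", "")):
            hits.append((source, "disguised_executable", fields["attach"]))
    return hits
```

Running `sweep(LOG_LINES)` yields one hit per matching event, which is the list a SOC would then triage and respond to.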

8 comments

Well said!

by Anthony on November 11, 2014 at 9:44 pm.

This blog post was going so well until right after your bullet points. Then it goes completely downhill.

First of all, the CIA’s job isn’t to predict anything, nor is US intelligence in general. You have the wrong word because you are misinterpreting the meaning: prediction is a verifiable number, while national intelligence can only provide a range, forecast, or foresight (all the same thing). You have your reference class incorrect.

Secondly, I’m a hundred percent positive that national intelligence organizations, even the ones that don’t work with the US, had plenty of warning intelligence on all of their adversaries. That’s basically what they do. They may not have had better than 95 percent accurate indicators, and even less indications analysis. Yes, they did not know the intentions of their adversaries at all times — that is a weakness of every national intelligence program (which is often why they need better and fully-successful counterintelligence, whereby a takeover occurs of the adversary C4I). However, national intelligence does know the direction adversaries are going, and can forecast plans and capabilities.

We are not yet there with respect to cyber, and we should get goosebumps and thrills for trying, even if you work for the Home Depots and Postal Services of the world. We must look at the big picture.

That said, maybe we are more in agreement than not. I definitely place a lot of value on the current-running theory of threat replication. Exchange data using the fusion-center model, the NIST Special Pub 800-150 framework (although I prefer the Cyber Operations Maturity Framework), and the Soltra Edge platform (again, I prefer a much richer analytical platform, but this suggestion will do for the purposes of this post). Make sure you are exchanging data with your partners, i.e., the people you connect to and do business with – get them “on board”. You will likely also want to exchange data with your peers. Collect and reduce the IOCs important to you, and then use Armitage (or Cobalt Strike) Malleable C2 as the threat replicator to test your detective and responsive controls.

What you are clearly missing is that you don’t understand the intentions, plans, and capabilities of live adversaries. It’s not just about phishing and Citadel malware (or whatever the next breed is) against your HVAC contractor. It’s about the bridge between those components, and the subsequent attacks. If you had IOCs on a timeline (Soltra Edge is especially helpful in this regard), you can get inside the minds of the adversaries. In the Target breach, the HVAC contractor’s laptop was screencasted back to Russia, and they watched the contractor log in to the Target procurement website and upload a file. Then, the adversaries uploaded their own file, a PHP webshell with the name xmlrpc.php. They escalated privs and noticed that they had access to the Microsoft AD on the network — and kept escalating across the network until they breached the ADC and domain-accessible SQL Servers.

Let’s compare another story: JPM. JPM’s partner’s site was breached due to the Hold Security credential dump combined with a bit of phishing and malware. The adversaries were screencasting some poor-soul partner of JPM and watched them log in to another procurement site – this time owned by JPM and on the JPM network. This app was vulnerable to remote code execution because web server log files were able to be included from a local file inclusion attack. Another PHP shell and AD environment exposed.

If I’m on the receiving end of this STIX data, I want the full I&W – not just IOCs. I want to be able to pick up the phone and have a conversation with my partner about their attacks. Yes, someone in my SOC might be “all over” those IP prefixes from the shared IOCs, but even better would be having a reverser all over the MAEC data embedded in that STIX data. If there is a common mutex or other element of the malware that stands out, a hunt team should get involved – and a red team should be proving out the threat replication activity as a cyber exercise.

Be more prescriptive. There is a lot we can do with data. Perhaps we cannot predict the future, but we can and should move beyond BAU.

by Andre Gironda on November 12, 2014 at 3:42 pm.

I agree with Dre. Further, I would like to add that the mission of all intelligence is to stop *VIOLENCE* or *KINETIC* actions against the civilian population; they look for *INDIVIDUALS*. However, to really destroy an operation you must first understand the “OPERATIONS”, something no INTEL agency is tasked to provide – they instead look at social network links – as opposed to how they can make it too expensive for a threat agent to even undertake their operations, because understanding operations is difficult, and identification of *attackers* is easy. We must progress past social networks and start to destroy the business operations of the enemy. We must make it too expensive to undertake the attacks in the first place, as one example out of four I have identified to incapacitate the enemy. Individuals are not the group, and attacking individuals doesn’t stop the activities of the group. Only when we progress to operations can we begin to realistically make *impotent* the opposition.

by Dennis Groves on November 13, 2014 at 5:29 am.

I think you’re getting lost with the whole CIA/military intelligence debate.
I believe the most important point made in this publication (which is written very well!) is that intelligence is useless if it is not actionable. There are literally hundreds of “intelligence” suppliers out there, each thinking they know best how to predict “the next Pearl Harbor”. But at the end of the day, as written in the article, if you can’t defend yourself against simple phishing/watering-hole attack vectors, then all the hype about large-scale attacks, APTs and sophisticated espionage groups is irrelevant.

One more thing: I don’t think it’s exactly wise to completely disregard motivations. Motivations lead to Objectives on your Assets. A financially-motivated attacker will use different attack methods and vectors on different assets than a politically or sensation-motivated attacker.

Other than that, great writing!

by Dan Pastor on November 13, 2014 at 8:13 am.

Whacking moles individually is much more lucrative than releasing a colony of ferrets. The bureaucratic and financial imperatives force security organizations to be somewhat incompetent. If anti-terrorist organizations were actually successful at providing actionable intelligence that prevented terrorist attacks, they would eliminate public support for their work, and if the intelligence was good enough to put the terrorist organizations permanently out of operation, they would put themselves out of jobs.

by Dean on November 22, 2014 at 11:51 pm.

You guys are getting lost in the weeds and missing the point. Adam’s point was to admonish people not to be overly confident or dismissive of the reports, but to use them in conjunction with other tools and processes in the infrastructure to discover and respond to threats better and faster. The cyber security industry is filled with know-it-alls – it’s nice to demonstrate how much you know and have read, but let’s not miss the point of the article.

by cciegirl2012 on December 16, 2014 at 8:57 pm.

Wow, sick read… from start to the end of the comments.
I am a German guy. I have been interested in technology and security for a very long time, but I never managed to make it my job.
But I can definitely tell you guys 100% that you are right in what you say.

Thank you for everything.

by Tom on December 17, 2014 at 12:21 am.
