Profiling and Cyber Threat Intelligence — 3
Before you leave, the fortune teller reminds you that the future is never set in stone.
Let’s continue.
As a result of the process described in the previous articles, two types of information are obtained: forecasts (estimations) and indicators (signs / signals). Forecasts are the end product of this process; they contain the predictions being made. This information is communicated to the customer in an appropriate format.
Indicators, on the other hand, are sources of information that tell us a possible development related to a situation is under way, while that change is taking place. These sources of information are chosen by the analysts according to which changes they want to follow. They should not be confused with Indicators of Compromise. Let’s instantiate them through our example case:
- Sign-1: A reputable data broker advertises a combolist for a renowned cryptocurrency exchange website.
- Sign-2: A threat actor who is known to provide SIM cloning / 2FA bypass services was observed contacting the aforementioned data broker.
- Sign-3: Some recently registered domain names are utilizing an email address associated with the threat actor.
As can be seen, what is done here is determining the necessary preconditions for a situation to form and then monitoring them. When one or more of our indicators occur, we assume that the event we predict will occur.
The type and number of indicators you choose will directly affect your predictive ability. Of course, none of these indicators will directly point to an event. In other words, no indicator will give you certainty as if you had heard the perpetrator say, “Look, I will attack company X tomorrow with methods A, B and C”. So the main thing is to use indicators that are as diversified as possible. Also, when choosing your indicators, it is important to choose them from things you can always access. Otherwise, if your indicators become difficult to monitor, they cannot achieve their original purpose (early warning).
Another method I like is to assign a score to each of the signs I have defined, and then calculate the probability of the event occurring based on the sum of these scores. If we apply it on the same example:
- Sign-1: A reputable data broker advertises a combolist for a renowned cryptocurrency exchange website. — (Risk Score: 2)
- Sign-2: A threat actor who is known to provide SIM cloning / 2FA bypass services was observed contacting the aforementioned data broker. — (Risk Score: 3)
- Sign-3: Some recently registered domain names are utilizing an email address associated with the threat actor. — (Risk Score: 1)
Accordingly, if only the Sign-2 event occurs, the probability of a similar attack occurring is 3/6, i.e. 50%. If the Sign-1 and Sign-2 events occur together, the attack is expected with a 5/6, i.e. 83%, probability. Of course, the numbers given here are completely up to you.
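The scoring method above, as an added example that is not the article's own code: the three signs and their risk scores come from the example case, while the warning-level thresholds are an assumption of mine, since the article leaves the cut-offs to the analyst.

```python
# Added example (not the article's own code): the sign-scoring method described
# above, using the three signs and risk scores from the example case.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sign:
    name: str
    description: str
    risk_score: int


SIGNS = (
    Sign("Sign-1", "Reputable data broker advertises a combolist for a major crypto exchange", 2),
    Sign("Sign-2", "Known SIM cloning / 2FA bypass actor seen contacting that data broker", 3),
    Sign("Sign-3", "Newly registered domains use an email address tied to the actor", 1),
)


def attack_probability(observed: set[str], signs=SIGNS) -> float:
    """Sum of the scores of the observed signs divided by the total score of all signs."""
    total = sum(s.risk_score for s in signs)
    if total <= 0:
        raise ValueError("signs must carry a positive total risk score")
    unknown = observed - {s.name for s in signs}
    if unknown:
        raise ValueError(f"unknown sign(s): {sorted(unknown)}")
    hit = sum(s.risk_score for s in signs if s.name in observed)
    return hit / total


# Assumed warning thresholds (the article leaves the cut-offs to the analyst).
THRESHOLDS = ((0.75, "high"), (0.40, "medium"))


def warning_level(probability: float, thresholds=THRESHOLDS) -> str:
    """Map a probability to a warning level for the customer report."""
    for cutoff, label in thresholds:
        if probability >= cutoff:
            return label
    return "low"


if __name__ == "__main__":
    for seen in ({"Sign-2"}, {"Sign-1", "Sign-2"}, {"Sign-1", "Sign-2", "Sign-3"}):
        p = attack_probability(seen)
        print(f"{sorted(seen)}: {p:.0%} -> {warning_level(p)}")
```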
As a technical example, let’s look at the Leery Turtle campaigns. When these attacks were investigated, some characteristics were discovered in the C2 servers used in the attack. The following signs were defined for the observed characteristics.
- Purchase of a new domain following the same pattern as Leery Turtle, i.e. containing at least two of the words google, drive, cloud, share, upload. (Sign 1: potential Leery Turtle domain)
- Ports 80 and 8080 being open at the same time on the server the domain name points to. (Sign 2: potential Leery Turtle host)
A domain/server was tagged as “Leery Turtle” when both of the conditions we defined were met simultaneously. Then, customers were informed that attacks could come from those IP addresses and domain names. After a while, one of these domains was indeed used in a Leery Turtle attack.
The most important difference between indicators/signs and other information such as IOCs or TTPs is that they focus on the events prior to an incident, not on the incident itself. They also deal with patterns, not signatures, so they do not require the elements of one incident to exactly match those of another. Because of these features, they are flexible and make it possible to detect an incident before it happens, unlike IOCs/TTPs.
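The two-sign tagging rule from the Leery Turtle case, as an added example that is not code from the article or from the original research: the domain names and open-port observations are constructed sample input (reserved `.example` names), not real scan data, and the helper names are my own.

```python
# Added example (not from the article or the Leery Turtle research): tagging
# candidate infrastructure with the two signs defined above. The domain list
# and open-port data are constructed sample input, not real scan results.
from dataclasses import dataclass

KEYWORDS = ("google", "drive", "cloud", "share", "upload")
REQUIRED_PORTS = frozenset({80, 8080})


@dataclass(frozen=True)
class Candidate:
    domain: str            # newly registered domain name
    open_ports: frozenset  # ports observed open on the host it points to


def keyword_hits(domain: str) -> list[str]:
    """Distinct pattern words present in the domain name (TLD excluded)."""
    name = domain.lower().rsplit(".", 1)[0]
    return [w for w in KEYWORDS if w in name]


def is_potential_domain(domain: str) -> bool:
    """Sign 1: the name contains at least two of the pattern words."""
    return len(keyword_hits(domain)) >= 2


def is_potential_host(open_ports) -> bool:
    """Sign 2: ports 80 and 8080 are open at the same time."""
    return REQUIRED_PORTS <= set(open_ports)


def evaluate(candidates) -> dict[str, tuple[bool, bool]]:
    """(sign1, sign2) per domain; a domain is tagged only when both hold."""
    return {c.domain: (is_potential_domain(c.domain), is_potential_host(c.open_ports))
            for c in candidates}


def tagged(candidates) -> list[str]:
    return [d for d, (s1, s2) in evaluate(candidates).items() if s1 and s2]


# Constructed sample: reserved .example names with made-up port observations.
SAMPLE = (
    Candidate("google-drive-share.example", frozenset({80, 443, 8080})),  # both signs
    Candidate("cloud-upload.example", frozenset({443})),                  # only sign 1
    Candidate("cloud-storage.example", frozenset({80, 8080})),            # only sign 2
    Candidate("news-portal.example", frozenset({80})),                    # neither
)

if __name__ == "__main__":
    for domain in tagged(SAMPLE):
        print("potential Leery Turtle infrastructure:", domain)
```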
Well, we’ve talked enough about how it works. Now I would like to return to the main subject of my article, namely, what is marketed to the industry as “proactive defense” or “intelligence-led defense”.
Models such as Kill Chain and ATT&CK are at the center of the dominant CTI approach in the industry. Related to this, you often hear the terms TTP and IOC. Those familiar with these concepts and models know that they are methods for identifying the techniques and tools used in an attack.
This information is essential for attack detection and threat hunting activities. However, it is quite strange that these models are at the center of an approach that stands out with its “proactive” argument, because both attack detection and threat hunting are reactive activities, not proactive ones. The TTP/IOC information produced within the framework of these models is not predictive but descriptive of what has already happened.
It is this approach that has largely shaped CTI practices today. However, neither ATT&CK nor the Kill Chain model is capable of producing predictive intelligence alone. So is this intentional, or is it just another marketing disaster? Regardless, it would be useful to change our perspective on CTI as soon as possible.
I hope you liked this article series.
See you next time.