From the moment I stepped into the defensive computer operations (DCO) arena fifteen years ago, I noticed almost immediately an invisible but very real separation between DCO and its supporting intelligence components. It seemed the majority of network defenders I encountered paid insufficient attention to the intelligence that could be derived from, or made available through, public and private partnerships. Defenders were largely uninterested in trends or attribution; they wanted only to react to "the now", quickly clean up, and move on. Was this because at that point in time (circa 2000) the DCO community was mainly worried about worms, viruses and the occasional script kiddie? Was it because the threats were more one-off in nature, as opposed to the calculated, persistent and sophisticated attacks that are pervasive in our community today? Despite these differences and the evolution that has occurred in the cyber domain over the last fifteen years, this invisible divide between defense and intelligence has not entirely disappeared. I was reminded of this after reading an article published by my colleague Andrea Little Limbago in Federal News Radio. Andrea asserts, "A spear phishing campaign by a state-sponsored group aimed at defense contractors to extract blueprints for next-generation technologies has extraordinarily distinct implications from a transnational criminal organization's spear phishing campaign aimed at stealing personal information to sell on the black market." The conflation of the various cyber actors, means, and objectives that Andrea describes shows why big-picture cyber intelligence is needed to make DCO complete.
Because I entered the world of DCO with an intelligence-oriented background, I carried into my new domain the same core analytical values that propelled my drive and curiosity throughout my former life. As I progressed through my DCO career, I always maintained my "Five W's + H" mindset (who, what, when, where, why and how). But, as a network defender, my primary focus was "the now". My priorities, as with any network defender, were to keep the bad guys out, keep the critical information in, and keep systems up and running. With so much focus on the immediate threat, it's easy to miss the bigger picture, which offers a wealth of information for more comprehensive detection and prevention. The following four scenarios illustrate this tension between DCO and intelligence, and show how a more comprehensive integration of all available data points can inform a multi-layer detection approach and a more proactive defense.
Scenario One: Phishing Emails
One area where intelligence can add value to a network defender's mission involves one of the most common ingress points into a network: email. Countless phishing emails are sent across the globe every day, attempting to spread their nefarious wares. Fortunately, filters have become quite good at thwarting those attacks, either by preventing the malicious messages from reaching their intended recipients or by stripping the attached payload. That is great news for network defenders, but the blocked messages themselves remain a potential source of useful intelligence and should not simply be discarded.
Whereas traditional network defense might focus solely on the malware itself, looking also at the recipients may yield intelligence that improves defenses against future attacks. If the recipients all belong to the same department within the organization, that is a clue to who is behind the attack and what they are after (recall Andrea's point that different types of actors should be more clearly delineated). An IT department holding valuable IP and network diagrams is more likely to be targeted by a state-sponsored element, whereas a finance and accounting department is a natural target for a criminal organization. Such an inference is a working hypothesis rather than attribution, but it still provides valuable situational awareness and helps determine where to expend future defensive resources and measures.
For example, if every PKI administrator in a nationwide organization received an email directing them to apply updates by following a link in the body of the message, it would be wise to investigate further. Determining whether the emails reached any of the intended targets, whether they were opened, and whether the links were clicked is essential; mail-gateway logs answer the first question, and web-proxy or endpoint telemetry the last. In parallel, it is equally important to find out what would have happened had a user clicked and been exploited. This gives network defenders, hunters, and incident responders leads for identifying potential compromises within their network, and the analytical findings can be incorporated into the overall network defense posture.
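As an added example (not code from the original post), the triage described above run over constructed mail-gateway and web-proxy log lines: group a campaign's recipients by department from an identity directory, find who actually received the message, and count a recipient as having clicked only if they fetched from the lure host after the mail arrived. The log formats, the `DIRECTORY` mapping, the message-ids and the hosts are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Everything below is constructed for this example; none of it comes from the post.
# Identity directory export: user -> department.
DIRECTORY = {
    "alice": "PKI Administration",
    "bob": "PKI Administration",
    "carol": "PKI Administration",
    "dave": "Finance",
}

# Mail-gateway log, one line per recipient, with the gateway's verdict.
MAIL_LOG = """\
2015-03-02T08:01:10 msgid=<c1@lure.example> from=it-support@updates-portal.example rcpt=alice@corp.example verdict=DELIVERED url=http://updates-portal.example/pki/patch
2015-03-02T08:01:11 msgid=<c1@lure.example> from=it-support@updates-portal.example rcpt=bob@corp.example verdict=DELIVERED url=http://updates-portal.example/pki/patch
2015-03-02T08:01:12 msgid=<c1@lure.example> from=it-support@updates-portal.example rcpt=carol@corp.example verdict=QUARANTINED url=http://updates-portal.example/pki/patch
2015-03-02T08:05:40 msgid=<x9@news.example> from=news@vendor.example rcpt=dave@corp.example verdict=DELIVERED url=http://vendor.example/news
"""

# Web-proxy log: who fetched what, and when. Bob's 07:55 visit predates the mail.
PROXY_LOG = """\
2015-03-02T07:55:00 user=bob dst=updates-portal.example url=http://updates-portal.example/ status=200
2015-03-02T08:12:03 user=alice dst=updates-portal.example url=http://updates-portal.example/pki/patch status=200
2015-03-02T08:13:45 user=alice dst=updates-portal.example url=http://updates-portal.example/pki/patch.exe status=200
2015-03-02T09:00:01 user=dave dst=vendor.example url=http://vendor.example/news status=200
"""

KV_RE = re.compile(r"(\w+)=(<[^>]*>|\S+)")


def parse_kv(line):
    """Split 'timestamp key=value ...' into a dict; message-ids keep their angle brackets."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def triage_campaigns(mail_log, proxy_log, directory):
    """Per message-id: who was targeted (and from which departments), who actually
    received the mail, who then fetched from the lure host, and whether the
    recipient list looks targeted (several recipients, all in one department)."""
    campaigns = {}
    for line in mail_log.splitlines():
        f = parse_kv(line)
        c = campaigns.setdefault(f["msgid"], {
            "host": urlparse(f["url"]).hostname,
            "first_seen": f["ts"],
            "recipients": [],
            "departments": set(),
            "delivered": set(),
        })
        user = f["rcpt"].split("@")[0]
        c["recipients"].append(user)
        c["departments"].add(directory.get(user, "unknown"))
        if f["verdict"] == "DELIVERED":
            c["delivered"].add(user)

    # Proxy evidence: (timestamp, user) per destination host.
    fetches = defaultdict(list)
    for line in proxy_log.splitlines():
        f = parse_kv(line)
        fetches[f["dst"]].append((f["ts"], f["user"]))

    for c in campaigns.values():
        # Only fetches by a recipient who received the mail, made after it arrived, count as clicks.
        # ISO-8601 timestamps compare correctly as strings.
        c["clicked"] = {u for ts, u in fetches[c["host"]]
                        if u in c["delivered"] and ts >= c["first_seen"]}
        c["targeted"] = len(c["recipients"]) >= 2 and len(c["departments"]) == 1
    return campaigns


if __name__ == "__main__":
    for msgid, c in triage_campaigns(MAIL_LOG, PROXY_LOG, DIRECTORY).items():
        print(msgid, "targeted" if c["targeted"] else "broad", sorted(c["departments"]),
              "delivered:", sorted(c["delivered"]), "clicked:", sorted(c["clicked"]))
```

On the sample data the lure campaign resolves to three PKI administrators, two deliveries and one click (alice), while bob's earlier visit to the same host is correctly ignored; the "targeted" flag is only a prompt for the analyst, not a verdict on who sent the mail.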
Scenario Two: Malware Trends
Some phishing campaigns are more 'spray and pray' than targeted. In the spray-and-pray case, the adversary's intent is to hit a large number of targets and then take advantage of those that stick. Even then, the malware footprint can provide insight into the adversary's intent and go a long way toward augmenting the overall cyber intelligence picture. Malware variants can (and do) change over time, and some of those changes carry valuable intelligence. Beyond big-picture insight, this intelligence can also feed dynamic detection capabilities, such as semi-supervised machine learning, that need both tactical indicators and longer-term malware trends.
As a network defender, I routinely analyzed different variants of a particular malware family associated with phishing campaigns, identifying their root cause and taking the time to do the analysis even in cases where the email was blocked in transit or at the host. This analysis identified the changes that enabled a new variant to bypass the current host-based mitigations. Our host-based strategies were immediately updated to block those variants, and we were protected before a piece of that new variant ever made it through our email defensive layer.
For example, consider a remote administration tool (RAT) used to control a system through an unauthorized back door. The attacker may not need a successful DNS resolution to get back into the victimized host; the backdoor itself can provide another way in, especially in a very targeted attack where the attacker already knows exactly which host or entity was compromised. If the RAT's C2 domain is on a DNS blacklist and analysis stops there, the attacker could still have free rein on the network. Finding the root cause of malicious activity always holds the possibility of great rewards from a defensive standpoint.
If I had worked only in “the now”, focusing on just thwarting the malware ingress point rather than doing a deeper analysis, intelligence on updates to the malware would have been lost, hindering our ability to preemptively deploy updated defensive strategies. Therefore, while delivery mitigations are critically important, focusing only on the delivery side can cause organizations to miss out on portions of the bigger picture that could lead to better intelligence and better prevention.
Scenario Three: Blacklisted Domain Names
One common practice in DCO is to place known bad domain names on a blacklist. The blacklist is most likely populated with the malicious third-level domain (3LD), such as 'bad.domain.com', or at times with the second-level domain (2LD), such as 'domain.com'; a 2LD entry covers every name beneath it, which is broader but risks blocking legitimate sites hosted under a shared parent domain. The blacklist then prevents systems from connecting to the listed domain. Does this mean the blacklist thwarts the attack? Not necessarily: it only means the attack may be unable to reach its full impact while the block is in place. The block does, however, carry a strong signal. If a system attempts to connect to the known malware reach-back domain 'bad.domain.com', there is a reasonably high degree of certainty that malware is on that system.
To provide a real-world example, imagine 'bad.domain.com' is on a blacklist and the DNS query fails to resolve to an IP address. At this point of malware failure, some organizations will cite it as a successful mitigation; after all, the malware could not connect out. Some would move on to the next event without ever attempting to find the system (or catalyst) behind the malicious DNS query. In other words, a single attack may have been kept from reaching fruition, but the responsible malware could very well still be on the system or network. If it is not found and remediated, it will likely pick up right where it left off as soon as the mitigation is removed or the compromised system is moved to an unprotected network (as can be the case with laptops).
Merely blocking a known malicious domain is insufficient; finding the catalyst can lead to a plethora of other malicious findings. What if twenty or more DNS queries for 'bad.domain.com' were blocked or mitigated? What would this mean? It could mean that one system was infected and trying to beacon out or phone home. Conversely, it could indicate that twenty separate systems were infected. Let's imagine it was the latter. It's possible an attacker infiltrated the network and is moving laterally through it, installing malicious implants along the way. I worked a case once where this exact scenario played out. Taking it one step further, what if all the affected systems were part of the same group, let's say the admin group? That would be scary.
Scenario Four: Hard-coded IP Addresses
One of the first things I get asked when analyzing a piece of malware is "where does it reach back to?" Most often the requester is thinking in terms of the 3LD acting as the C2 domain. However, not all malware reaches back to a domain; some reaches back to a static IP address, and some to both. The malicious 3LD or 2LD may be blocked, but when a static IP address is involved, a DNS blacklist won't prevent subsequent network communications to that address: a direct connection to an IP address never generates a DNS query, so the blacklist is never consulted. Catching that traffic requires controls that see the connection itself, such as egress firewall or proxy rules and flow records, and a useful hunting check is to look for outbound connections to external addresses that no prior DNS answer returned to that host. I've had a love/hate relationship with more than a few pieces of APT malware with this exact communications profile. By identifying and analyzing the malware behind the DNS query, other tactics, techniques and procedures (TTPs) used by the malware can be uncovered and fed back into an organization's network defense posture.
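As an added example serving both Scenario Three and Scenario Four (not code from the original post), the following runs over constructed resolver and connection log lines. It matches queries against a blacklist on whole-label boundaries (so a 2LD entry covers its subdomains but 'notbad.domain.com' does not match 'bad.domain.com'), reports whether the blocked queries come from one beaconing host or from many, flags any admin-group hosts among them, and then looks for outbound connections to external addresses that no earlier DNS answer handed to that host, the profile of a hard-coded C2 address. The log formats, the blacklist entries, the `ADMIN_HOSTS` set, the internal network ranges and all addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Everything below is constructed for this example; none of it comes from the post.
BLOCKLIST = {"bad.domain.com", "evil.example"}  # one 3LD entry and one 2LD entry
ADMIN_HOSTS = {"10.1.1.5", "10.1.1.6"}           # workstations of the admin group
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Resolver log: every query with its outcome. Blocked names return NXDOMAIN.
DNS_LOG = """\
2015-03-02T10:00:01 src=10.1.1.5 qname=bad.domain.com rcode=NXDOMAIN answer=-
2015-03-02T10:00:05 src=10.1.1.5 qname=www.example.org rcode=NOERROR answer=93.184.216.34
2015-03-02T10:05:01 src=10.1.1.5 qname=bad.domain.com rcode=NXDOMAIN answer=-
2015-03-02T10:05:02 src=10.1.1.6 qname=cdn.evil.example rcode=NXDOMAIN answer=-
2015-03-02T10:06:00 src=10.1.1.9 qname=bad.domain.com rcode=NXDOMAIN answer=-
2015-03-02T10:06:30 src=10.1.1.9 qname=notbad.domain.com rcode=NOERROR answer=203.0.113.9
"""

# Connection log (firewall or flow records) for the same hosts.
CONN_LOG = """\
2015-03-02T10:00:06 src=10.1.1.5 dst=93.184.216.34 dport=443
2015-03-02T10:06:31 src=10.1.1.9 dst=203.0.113.9 dport=80
2015-03-02T10:07:00 src=10.1.1.6 dst=198.51.100.23 dport=443
2015-03-02T10:07:05 src=10.1.1.6 dst=10.1.1.1 dport=445
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Split 'timestamp key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def blocklist_match(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers qname, or None. Matching walks up the
    name one label at a time, so a 2LD entry covers everything beneath it while a
    substring such as 'notbad.domain.com' does not match 'bad.domain.com'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def blocklist_hits(dns_log, blocklist=BLOCKLIST):
    """entry -> Counter(source host -> number of blocked queries)."""
    hits = defaultdict(Counter)
    for f in (parse_kv(l) for l in dns_log.splitlines()):
        entry = blocklist_match(f["qname"], blocklist)
        if entry:
            hits[entry][f["src"]] += 1
    return hits


def assess_hits(hits, admin_hosts=ADMIN_HOSTS):
    """Answer the responder's questions: one host beaconing or many hosts,
    and whether admin-group hosts are among them."""
    report = {}
    for entry, per_host in hits.items():
        hosts = set(per_host)
        report[entry] = {
            "queries": sum(per_host.values()),
            "hosts": sorted(hosts),
            "pattern": ("single host beaconing" if len(hosts) == 1
                        else "multiple hosts, check for lateral movement"),
            "admin_hosts": sorted(hosts & admin_hosts),
        }
    return report


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def connections_without_dns(dns_log, conn_log):
    """Outbound connections to external IPs that no earlier DNS answer handed to
    the same source host. A DNS blacklist never sees such traffic because no
    query is made. Returns (src, dst, dport) tuples."""
    answers = [parse_kv(l) for l in dns_log.splitlines()]
    findings = []
    for c in (parse_kv(l) for l in conn_log.splitlines()):
        if is_internal(c["dst"]):
            continue  # east-west traffic is out of scope for this check
        resolved = any(a["src"] == c["src"] and a["answer"] == c["dst"] and a["ts"] <= c["ts"]
                       for a in answers)
        if not resolved:
            findings.append((c["src"], c["dst"], int(c["dport"])))
    return findings


if __name__ == "__main__":
    for entry, r in assess_hits(blocklist_hits(DNS_LOG)).items():
        print(entry, r)
    print("connections with no preceding DNS answer:", connections_without_dns(DNS_LOG, CONN_LOG))
```

On the sample data 'bad.domain.com' is queried three times from two hosts, one of them in the admin group, which is the "twenty queries, how many hosts?" question answered; and 10.1.1.6, whose query for 'cdn.evil.example' was blocked, goes on to connect directly to 198.51.100.23 with no DNS answer behind it, exactly the blacklist-bypassing profile of a hard-coded address. In production the DNS answer lookup should be indexed rather than scanned linearly, and the time window bounded, but the logic is the same.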
Conclusion
These are just some examples demonstrating the importance of incorporating more cyber intelligence and "big picture" thinking into the DCO community and of expanding its current focus on mitigations. To become better at containing and eliminating malware, we need to pay attention not only to the attack but also, as Andrea suggests, to the critical delineations among actors, means, objectives, and targets that can be derived from a deeper integration of intelligence and analysis into the DCO domain. Using intelligence to remain vigilant even after an attack is thwarted improves a network defender's chances of success. Rather than simply finding the malware and removing it from the system, analyze it for potential future intelligence value and feed the results into broader, proactive defenses that provide multiple layers of detection. Treating malware analysis as part of a broader intelligence picture and incorporating those insights into automated detection has enormous potential to disrupt and prevent future attacks.