Connecting the Dots. A Cyber Detective Story A CYVEILLANCE WHITE PAPER JANUARY 2015


Table of Contents

Executive Summary
Defining Cyber Intelligence
Where Intelligence Comes From
Case Study: Correlating Internal and External Data to Create Intelligence
  I. Three Ways to Develop Context with External Data
  II. Phishing on BOREC.CZ
  III. Malware Activity on BOREC.CZ
  IV. Linkages and Contacts
  V. Third-Party Corroboration
  VI. Summary of the Data
  VII. Conclusions
  VIII. Recommendations
Summary

Executive Summary

Cyber threat intelligence is unquestionably a hot buzzword in the security industry these days. It is being used to seek venture capital and fund start-ups. It is being pitched to the enterprise market by providers and consultants. However, in this paper, we argue that the majority of what is being billed as threat intelligence isn't. It's data. From lists of bad IPs or application vulnerabilities to malware signatures, social media data or indicators of compromise (IOCs), none of these things are intelligence. They're data. In this white paper, we define the difference between intelligence and data, and then illustrate the theoretical discussion in a concise case study, in the tangible terms of a real-world practitioner and an actual event.

SECTION 01: Defining Cyber Intelligence

Data (the stuff so often marketed as "intelligence") is typically a machine-readable feed. While many feeds are extremely useful, almost none of them can be considered intelligence. True intelligence results from the logical and analytical evaluation of data, but often requires human manipulation to place that data in context. In rare cases, these processes can be entirely automated, but only if the outcome allows an action, a change in security or defensive posture, or a decision that was not possible before the process. However, whether the data is transformed, distilled, or otherwise turned into usable intelligence by software or by human intellect, the output must meet at least the following three requirements to meet the definition of intelligence. True intelligence must be:

- Relevant: Information must relate, or potentially relate, to your enterprise, industry, networks, and/or objectives.
- Actionable: It must be specific enough to prompt some response, change, action or decision, or to inform an explicit decision not to act.
- Valuable: Even if relevant and actionable, if the data (and the action) do not contribute to any useful business outcome, there is no value.

Relevant

The information must be relevant to your enterprise, your industry, your business objectives, or some other aspect of operational reality within your organization. Take for instance a company that runs Linux on all its servers and whose workstations are all Macs. A vendor offering vulnerability threat intelligence that is comprised entirely of Windows application vulnerabilities may have excellent quality data, rich context, and timely discovery, but given that your enterprise has no exposure to these vulnerabilities, the data are in no way relevant. While this example seems quite simplistic, it is simply meant to illustrate the following point: data must be relevant to the organization, or it can be the world's most interesting data for the sake of intellectual exercise. If it does not impact the organization and is not relevant to it, it cannot be intelligence that can actually be applied to serve that organization.

Actionable

The data must be actionable, which can be a misleading term. By our definition, the concept of actionable means that it must be specific enough to do one of two things. It must either:

1. Prompt, enable, or inform some response, action, decision, or change in security posture, configuration, level of sensitivity, or other organizational, network or human change to the environment; OR
2. Provide sufficient information to support making an informed decision not to act. That is, not acting is in fact an action, so long as it is an informed choice made out of considered evaluation, rather than just inaction born of ignorance.

Valuable

Once processed, the information must be valuable, and at the organizational (not departmental) level, value must translate to the business. Even if the data or information is relevant, actionable, and capable of allowing the security function to do something that they believe is useful from a security perspective, it may not meet the requirement of value. The organization will be robbed of value if its security experts cannot translate or align their operational activities with the business objectives of the company, such as increasing revenue or margin, lowering costs, mitigating risk or increasing regulatory compliance. If the security activities do not translate to these higher-level objectives, value may be very difficult to demonstrate, communicate, and support when budget reviews come around.

SECTION 02: Where Intelligence Comes From

A final thought before we jump into our case study. Despite some confusion in the market, there is, in our view, also a clear difference between cyber intelligence and cyber security. Firewalls, IDS/IPS, logs, antivirus and malware detection: all these traditional components of network security, and many more, are necessary and important parts of protecting your organization, your digital assets and your network. In our view, however, these things are more in line with cyber security, which is really an extension of classic network security. Here's what has changed: the perimeter or firewall used to define the distinction between your organization and the outside world. The enterprise controlled the network and what was on it, from the pipes to the endpoints; there was self and there was other. Today, with BYOD (bring-your-own-device), remote workforces, cloud-based providers, and social media all forming indispensable parts of running an organization, the perimeter is becoming more like a chain-link fence than a brick wall, allowing information to pass freely into and out of your network.

Intelligence most often arises not from the traffic racing around inside the network, but from the correlation of what you know well and control tightly with that which you do not. Intelligence is the result of connecting the proverbial dots: linking and correlating what you can see inside with what is known, or can be learned, from what goes on outside. It is that connection which puts data, whether vendor-sourced or internally developed, into context, and with context, data begins to become usable intelligence. The following case study demonstrates, in a simple, succinct example, the role of external information in the creation of intelligence that actually meets our definition of relevant, actionable, and valuable.

SECTION 03: Case Study: Correlating Internal and External Data to Create Intelligence

We will now illustrate the principles outlined in the introduction based on a single piece of digital evidence from a real customer event. In this case, a spear-phishing email successfully reached a bank employee, and the recipient clicked on a malicious link, triggering infection. The client's SIEM recognized anomalous network traffic and alerted the security group, which led to a rapid response from IT. The workstation was taken offline, logs were checked for data exfiltration, the PC was re-imaged and so forth, at which point, from an IT standpoint, the checklist was essentially complete. The event had been addressed, the right steps taken, and the case closed. From a business standpoint, however, many questions remained unanswered. And it is this management desire for context, for insight, and for recommendations that creates the need not just for network defense but for intelligence. What might not matter to the IT staff, but mattered very much to security and management, were questions of context, motivation, risk and action. Management wanted answers that only intelligence, not IT, can provide, e.g.:

1. What context do we have around the attack or event?
2. What insights do we have into who might have been behind it?
3. What was the motivation for the attack? Financial? Competitive? Ideological?
4. How sophisticated an attack was this? How would you assess the risk of this event?

Put in simpler terms, management wants to know what anyone would want to know when faced with a new adversary: Who is this? Why are they after me? How tough are they? How worried should we be? These are not IT questions; these are questions for an analyst, and this type of context will not come solely from an analysis of the internal evidence, logs or data. Context cannot typically be established when looking only inside. From this desire for context came the actual tasking to the analyst. Here is the crux of the request sent to our analyst, a typical example of the day-to-day reality for a cyber analyst or investigator. The client contacted us and said:

- We have an artifact from the attack, the domain name used in the malicious link: BOREC.CZ
- Management wants an analysis of the event, an assessment of the risk, and any recommendations by the COB today (i.e., four hours)
- We have no knowledge of this artifact beyond today's spear-phishing email; can you provide any additional context to aid our response to upper management?

That was it. The background was no more than you see above, the assignment no more specific than "tell us anything you can." This may not be as clear and specific as the analyst might wish, but it is very much the reality of someone in that job role. Below is the step-by-step process by which this network artifact was transformed into intelligence that actually met the definition of relevant, actionable and valuable to the business.

I. Three Ways to Develop Context with External Data

[Figure: Cyber Threat Center, Client Intelligence tab]

With more than 15 years' experience providing online monitoring of the web and social media, we have found that there are, at a macro level, three ways in which external context around a security issue, risk or threat can be identified. These are:

1. Company-specific data: In many cases, there are online indications and warnings of a client-specific risk or threat, i.e. the chatter or documents, specific to a customer, that indicate a future risk or an event that has already happened.
2. Threat activity data: In other cases, there is no customer-specific data, but information about threats, actors, techniques and events within a region, an industry or a time period provides important context.
3. Reference and lookup data: Finally, cyber threat analysts, once given a specific artifact, keyword, actor or indicator, can perform very specific investigations given the right tools and data sources.

Our proprietary platform, the Cyber Threat Center, designed and built specifically with the security or risk professional in mind, has three primary areas, aligned directly with these three principal sources of potential information.

[Figure: Cyber Threat Center, Global Intelligence tab]

First, the Client Intelligence area provides customer-specific monitoring, ingesting and harvesting web, search engine, social media, IRC, RSS and other online sources of content related to the company, its assets, networks, and people. In this instance there was no data related to this specific event or artifact found in the open-source material harvested for this client. Second, the Global Intelligence area provides daily reporting on threat activity, upcoming events, planned actions, and groups and actors. Here again, in this particular case, there was no data related to the event or artifact found in our overall or global reporting. Finally, and most applicable to these types of investigative requests, the Cyber Threat Center provides a series of reference databases and tools designed specifically for the ad-hoc investigation of a digital artifact such as a domain name, IP address or malware signature. These are brought together for ease of use in what we call the Analyst Toolbox. It provides hundreds of millions of searchable records, accumulated over many years of Cyveillance's work, on domain names and the servers that host them, phishing attacks, malicious URLs, and the payloads they delivered. This section of the platform was built based on years of fielding exactly this type of request for artifact-based investigation. Here are the results of that inquiry.

II. Phishing on BOREC.CZ

Given nothing but an artifact, in this case the BOREC.CZ domain, our starting point was simple. First, using an anonymous connection, we visited the root domain to see what it displayed to the casual visitor. The result was a generic placeholder page from Webzdarma, a large, legitimate hosting provider in the Czech Republic. On the date of this investigation, the domain was hosted on the IP address referred to below as .155. Since the domain name was identified in phishing-type activity, our next step was to query the domain against our historical phishing database. Within seconds of entering our query, we discovered that this domain name had been involved in hundreds of documented cases of phishing. Sorting the findings by date revealed that this activity spanned a five-plus year period, up to and including the previous day. Putting the data into Excel for easy filtering revealed two additional insights almost immediately. The impersonated brands being phished during that period spanned more than 30 companies in six countries, and the actual content pages were scamming customers in four languages.

A quick filter on the IP column also revealed two very interesting additional data points. First, this domain name had been hosted on a single IP for all that time except for one day in 2010, when it moved within the same local block to a second address. Second, and quite interestingly, the IP to which it shifted for that single day four years ago was none other than .155, the one on which it was now hosted on the day of our investigation, though it had been on .138 as recently as the previous day. The obvious next step in building out our context was to repeat the query on the .138 host, since it was the box serving BOREC.CZ in all but a tiny number of cases.

This revealed two additional domain names, UNAS.CZ and WZ.CZ, both hosted on this shared IP address, which increased the phishing count for this IP from 200+ to 500+ documented cases over the same five- to six-year period. Repeating the query for the alternate .155 IP address on which BOREC.CZ was briefly hosted (today and one day four years ago) added six incremental domain names, and brought the total number of documented cases to well over a thousand:

- czweb.org (294 phish, mostly on another IP)
- euweb.cz (106 phish, mostly on two other IPs)
- nazory.cz (71 phish, mostly on one other IP, with one case on a second)
- prodejce.cz (115 phish, mostly on another IP)
- webz.cz (101 phish, mostly on two other IPs)
- webzdarma.cz (145 phish, mostly on another IP)

We could obviously iterate the process through each of those domain names and alternate IPs, or expand the query to the entire surrounding netblock as well as the other IP ranges implicated in this web of linked activity. However, this case was not an academic exercise, but a real-world tasking on a short deadline, and one of the key skills of a good threat analyst is understanding the point of diminishing returns. In the conflicting demands for analysis and speed, a good analyst should know when to stop one line of inquiry and pivot to another that will add more of the actual context or value needed to answer the question. So let's sum up where we are at this point in the investigation. In less than 30 minutes, here is what we found, based on the original artifact:

1. This domain name has been phishing unabated (200+ documented cases) for 5+ years, up to and including yesterday.
2. It has phished more than 30 targets in six countries in four languages.
3. It has been observed on the same IP for all that time except one day in 2010, and the last day or so.
4. The regular IP (.138) is a shared host supporting multiple domain names, including UNAS.CZ and WZ.CZ, which are known to have hosted another 300+ attacks.
5. Adding in the alternate IP (.155) expands the criminal activity we can link directly to the original artifact to more than 1,100 cases over nearly six years.

We are not yet really doing any analysis; we are just in data-gathering mode. Put more visually, here is what we know in the first half hour.
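The pivot described in Section II (domain to hosting IPs, then back out to every other domain seen on those IPs, counting documented cases and spotting the one-day change of address) can be expressed as a small piece of code. The block below is an added illustration written for this page, not Cyveillance's tooling, and it runs against a constructed miniature of a historical phishing database: the domain names are those the paper cites, but the IP addresses are RFC 5737 documentation addresses standing in for the real ones (which the paper does not reproduce), and the dates and brands are invented.

```python
"""Pivoting through a historical phishing database, starting from one domain artifact.

Constructed example: the records below are invented for illustration. Domain names are
the ones the paper mentions; the IP addresses come from the documentation range
192.0.2.0/24 (RFC 5737) and are NOT the real hosting addresses. Dates are ISO strings
so that min()/max() order them correctly.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set


class PhishRecord(NamedTuple):
    domain: str   # domain name that served the phishing page
    ip: str       # IP address it was observed on
    seen: str     # YYYY-MM-DD the case was documented
    brand: str    # brand impersonated


PHISH_RECORDS: List[PhishRecord] = [PhishRecord(*r) for r in [
    ("borec.cz",     "192.0.2.138", "2009-03-01", "Bank A"),
    ("borec.cz",     "192.0.2.138", "2010-01-20", "Bank B"),
    ("borec.cz",     "192.0.2.155", "2010-06-14", "Bank A"),     # one-day excursion to .155
    ("borec.cz",     "192.0.2.138", "2012-08-03", "Retailer C"),
    ("borec.cz",     "192.0.2.138", "2014-12-09", "Bank A"),     # "as recently as the previous day"
    ("borec.cz",     "192.0.2.155", "2014-12-10", "Bank D"),     # where it sat on investigation day
    ("unas.cz",      "192.0.2.138", "2011-02-11", "Bank B"),
    ("unas.cz",      "192.0.2.138", "2013-05-30", "Telco E"),
    ("wz.cz",        "192.0.2.138", "2012-11-02", "Bank A"),
    ("czweb.org",    "192.0.2.155", "2013-07-07", "Bank D"),
    ("czweb.org",    "192.0.2.77",  "2013-07-08", "Bank D"),     # "mostly on another IP"
    ("webzdarma.cz", "192.0.2.155", "2014-01-15", "Retailer C"),
    ("unrelated.example", "192.0.2.200", "2014-03-03", "Bank A"),  # shares nothing with the artifact
]]


def hosting_history(records: Iterable[PhishRecord], domain: str) -> Dict[str, dict]:
    """The 'filter on the IP column' step: per-IP case count and first/last seen dates."""
    history: Dict[str, dict] = {}
    for rec in records:
        if rec.domain.lower() != domain.lower():
            continue
        entry = history.setdefault(rec.ip, {"cases": 0, "first": rec.seen, "last": rec.seen})
        entry["cases"] += 1
        entry["first"] = min(entry["first"], rec.seen)
        entry["last"] = max(entry["last"], rec.seen)
    return history


def primary_ip(history: Dict[str, dict]) -> str:
    """The address that served the domain in all but a handful of cases."""
    return max(history, key=lambda ip: history[ip]["cases"])


def co_hosted_domains(records: Iterable[PhishRecord], ip: str, exclude: Set[str]) -> Counter:
    """Repeat the query on a host: other domains documented on the same IP, with case counts."""
    counts: Counter = Counter()
    for rec in records:
        if rec.ip == ip and rec.domain.lower() not in exclude:
            counts[rec.domain.lower()] += 1
    return counts


def pivot(records: List[PhishRecord], artifact: str) -> dict:
    """Domain -> its hosting IPs -> every other domain seen on those IPs, one hop out.

    total_cases counts every documented case involving a linked domain, including cases
    on IPs outside the pivot (as the paper does when it adds czweb.org's cases, most of
    which sat on another address).
    """
    artifact = artifact.lower()
    history = hosting_history(records, artifact)
    linked: Set[str] = set()
    per_ip: Dict[str, Counter] = {}
    for ip in history:
        others = co_hosted_domains(records, ip, exclude={artifact})
        per_ip[ip] = others
        linked |= set(others)
    all_domains = linked | {artifact}
    total = sum(1 for rec in records if rec.domain.lower() in all_domains)
    return {"artifact": artifact, "hosting": history, "co_hosted": per_ip,
            "linked_domains": linked, "total_cases": total}


def brands_targeted(records: Iterable[PhishRecord], domains: Set[str]) -> int:
    """How many distinct brands were impersonated from the given domains."""
    wanted = {d.lower() for d in domains}
    return len({rec.brand for rec in records if rec.domain.lower() in wanted})


if __name__ == "__main__":
    summary = pivot(PHISH_RECORDS, "BOREC.CZ")
    print("hosting history:", summary["hosting"])
    print("primary IP:", primary_ip(summary["hosting"]))
    print("linked domains:", sorted(summary["linked_domains"]))
    print("documented cases linked to the artifact:", summary["total_cases"])
    print("brands phished from borec.cz:", brands_targeted(PHISH_RECORDS, {"borec.cz"}))
```

The one-hop pivot is deliberate: each further hop (re-running `co_hosted_domains` on the IPs of the newly linked domains) widens the set quickly, which is the point of diminishing returns the paper describes, so the depth is something the analyst should choose rather than let the code run unbounded.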

III. Malware Activity on BOREC.CZ

A historical check of the BOREC.CZ domain name for malware-related activity also produced both results and insights. Specifically, our data indicated 38 documented cases of malware hosting or infection from the BOREC.CZ domain name, infections which leveraged a total of 26 unique executables. To add an external perspective on these payloads, each hash was checked against VirusTotal, which told us a number of points that would be key to our eventual analysis. Specifically, the VirusTotal checks corroborated and enhanced some of our own data, such as first-seen dates for several of the malware programs. In perhaps another 15 minutes, we had learned that:

- Nearly all observed payloads are well-known, garden-variety malware such as keyloggers
- Most are detected by nearly every standard A/V product
- Both our database and third-party sources can demonstrably prove all but one of the packages are several years old, despite the fact that a number of the infections were extremely recent

With this information in hand, we moved on to our next line of inquiry.

IV. Linkages and Contacts

By this point in the investigation, we have identified a number of domain names that are demonstrably linked to our original artifact. Our next step was one of the oldest and most basic elements of any domain name investigation: a lookup of the WHOIS or registration information for each of the domain names. While many might argue that WHOIS information is often hidden, or so often falsified by bad actors as to be useless in identifying an actor, even bogus WHOIS contacts can prove valuable. In many cases, criminals and threat actors are as lazy as anyone else, and contacts, even when falsified, are re-used, i.e., it may be fake data, but it is often the same fake data, providing concrete linkages between activities. This proved to be the case in this example. Leveraging the built-in tools in the Cyber Threat Center, we quickly ran lookups on the domain names and IPs indicated in our investigation so far.

Here is a visual summation of just the first four lookups performed, a pattern which recurred all the way through the process. Simply put, we learned several key data points in a matter of minutes:

- The domain names shared a common contact (i.e., they are indisputably and concretely linked)
- These domains were registered more than a decade ago and remain in live use, in contrast to today's more common trend of one-year registrations and use-and-discard domain names
- The contact listed is physically located in proximity to, and shares a language with, the hosting provider, increasing the likelihood that this very old set of records might actually indicate the genuine identity of a relevant individual
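The linkage step in Section IV (contacts that are re-used across registrations, falsified or not, tie the domains together, and the registration dates show how long-lived they are) is shown below as an added example written for this page; it is not the Cyber Threat Center's lookup and uses no real registration data. The WHOIS-style records are constructed, with hypothetical registrant names, contact addresses under `.example` and placeholder phone numbers; only the domain names are ones the paper cites. Contact values are normalised (case-folded email, digits-only phone) before comparison, and a union-find merges any two domains that share one, so that a chain of partial matches still lands in a single cluster.

```python
"""Linking domain names through shared WHOIS contact data, even when that data is bogus.

Constructed example: the registration records below are invented for illustration
(hypothetical names, addresses in .example, placeholder phone numbers); none is real
WHOIS data for the domains the paper names.
"""
import re
from datetime import date
from typing import Dict, List, Set, Tuple

WHOIS_RECORDS: List[dict] = [
    {"domain": "borec.cz",      "registrant": "J. Novak",         "email": "Admin@Mail.Example",
     "phone": "+420 123 456 789",   "created": "2001-05-12"},
    {"domain": "unas.cz",       "registrant": "Jan Novak",        "email": "admin@mail.example",
     "phone": "+420123456789",      "created": "2002-02-01"},
    {"domain": "wz.cz",         "registrant": "Webhosting s.r.o.", "email": "hostmaster@hosting.example",
     "phone": "(420) 123-456-789",  "created": "2003-09-09"},
    {"domain": "czweb.org",     "registrant": "Webhosting s.r.o.", "email": "hostmaster@hosting.example",
     "phone": "+420 999 000 111",   "created": "2004-01-01"},
    {"domain": "other.example", "registrant": "Someone Else",     "email": "nobody@other.example",
     "phone": "+1 555 0100",        "created": "2014-06-01"},
]


def normalize_email(value: str) -> str:
    return value.strip().lower()


def normalize_phone(value: str) -> str:
    """Keep digits only, so '+420 123 456 789' and '(420) 123-456-789' compare equal."""
    return re.sub(r"\D", "", value)


class DisjointSet:
    """Union-find: every shared attribute merges the two domains' clusters."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_by_contact(records: List[dict]) -> Tuple[List[Set[str]], List[Tuple[str, str, str]]]:
    """Cluster domains sharing a normalised email or phone, and keep the evidence.

    Returns (clusters, evidence); each evidence entry is (earlier_domain, later_domain,
    "attribute=value") so an analyst can see exactly which datum produced each link.
    """
    normalizers = {"email": normalize_email, "phone": normalize_phone}
    first_seen: Dict[Tuple[str, str], str] = {}   # (attribute, value) -> first domain carrying it
    dsu = DisjointSet([r["domain"] for r in records])
    evidence: List[Tuple[str, str, str]] = []
    for rec in records:
        for attr, norm in normalizers.items():
            value = norm(rec.get(attr, ""))
            if not value:
                continue
            key = (attr, value)
            if key in first_seen:
                dsu.union(first_seen[key], rec["domain"])
                evidence.append((first_seen[key], rec["domain"], f"{attr}={value}"))
            else:
                first_seen[key] = rec["domain"]
    clusters: Dict[str, Set[str]] = {}
    for rec in records:
        clusters.setdefault(dsu.find(rec["domain"]), set()).add(rec["domain"])
    return list(clusters.values()), evidence


def long_lived(records: List[dict], as_of: str, min_years: float) -> Set[str]:
    """Domains registered at least min_years before as_of (the paper's 'more than a decade')."""
    ref = date.fromisoformat(as_of)
    old: Set[str] = set()
    for rec in records:
        age_years = (ref - date.fromisoformat(rec["created"])).days / 365.25
        if age_years >= min_years:
            old.add(rec["domain"])
    return old


if __name__ == "__main__":
    clusters, evidence = link_by_contact(WHOIS_RECORDS)
    for cluster in clusters:
        print("cluster:", sorted(cluster))
    for a, b, why in evidence:
        print(f"  {a} <-> {b} via {why}")
    print("registered 10+ years before 2015-01-01:", sorted(long_lived(WHOIS_RECORDS, "2015-01-01", 10)))
```

Registrant names are deliberately left out of the matching keys: "J. Novak" and "Jan Novak" would need fuzzy matching, whereas an email address or phone number re-used verbatim is exactly the "same fake data" the paper relies on, so those are the fields worth keying on first.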

V. Third-Party Corroboration

Up to this point, our analysis has been driven entirely from the starting point of our own data. However, there are a great many valuable open sources, from search engines to security firms, which can provide important and credible corroboration in many cases. Leveraging this potential line of inquiry was the final step in our data-gathering process. As it turned out, third parties had a lot of data on spamming, malware, and other bad behavior for the domain name, across long periods of time, and mostly (but not always) on the .138 host. Below are just three examples of such third-party support, documenting a wide range of malicious and criminal activity across years and thousands of additional URLs.

[Figure: Malware Activity]
[Figure: Piracy/Copyright Infringement]
[Figure: Spamming Activity (Ref: viruses.php?response=alive&domain=borec.cz&limit=12)]

VI. Summary of the Data

In approximately one hour, we had examined phishing history, malware activity, hosting history, ownership linkages, and third-party corroboration. Could we keep going? Absolutely. The information gathered so far is rich with data points that could be investigated in turn. However, as stated earlier, this is a real-world case with a short deadline, not an academic exercise. Given a waiting audience and business decisions to be made, we ceased the data-gathering process at this point. From here we moved on to drawing conclusions based on the available data in the available time, to support an assessment of the risk and the creation of specific recommendations. Let's recap what we knew:

- The original domain name had a long history of cyber-crime activity, including phishing, malware distribution, and digital piracy
- It was linked to many other domain names that share a common owner
- The domain names were registered more than a decade ago, and malicious activity spanned at least the last six years
- Multiple external sources corroborated that the domain name, observed IPs and entire netblock are rife with criminal endeavors over a long period
- The activity appeared to be garden variety in all observable cases

Adding the malware, contact, and third-party findings to our earlier visualization, this is a quick representation of what we learned:

VII. Conclusions

Based on just the data in hand, we drew the following conclusions:

- The domain name is part of an extensive network of profit-oriented crime.
- The domain/infrastructure is resilient. Much illicit activity has been documented across the industry, yet the domain name, IP, and entire netblock remain in current, uninterrupted, and sustained operation over many years.
- The motivation of the actor is likely financial gain rather than data destruction, ideology, or IP theft. There is nothing in the data to indicate complex, competitive, or nation-state interests.
- This actor or operator is not a beginner. This is based on:
  o The sustained length of activity and age of the illicit domain names
  o The ability to target, spam, and monetize phishing across many countries and languages
  o The variety of malware types deployed off this domain name, which points to someone who knows what they are doing
- That said, the available data do not indicate a particularly sophisticated operator, just a prolific one. The activity appears based on quantity over quality, focusing on consumer scams, piracy, and garden-variety malware.

VIII. Recommendations

Finally, with this analysis in hand, we were ready to turn the information we gathered into intelligence that met our definition. Based on the conclusions above, our recommendations to the client were as follows:

1. Check logs for any connection to all domain names and IP ranges in this investigation, which have no demonstrable legitimate reason to be in contact with the corporate network
2. Investigate and remediate all additional cases as required
3. Update blacklists, firewall rules, gateways etc. as required to prevent future connections to this entire dirty neighborhood of the Internet
4. Communicate to employees that an attempt was made to penetrate the organization; this dispels any "we're not a target" misperceptions
5. Conduct/refresh Cyber Safety Awareness or phishing training for employees and contractors
6. Communicate to management the event, analysis, and actions taken

By implementing these recommendations, we fulfilled two of the three conditions required by our definition to transform the results of our investigation into intelligence: first, it must be relevant, actionable, and valuable, and second, it must translate back to the business in order to be demonstrably worthwhile. Obviously the data was relevant, as the case was opened based on an artifact from an attack against the company's network and targeting an individual employee. With these recommendations the data now becomes both actionable (per the list of actions outlined) and, most importantly, valuable, in a tangible link to business objectives. This is not security activity for its own sake, but rather a series of steps to:

1. Reduce the risk of additional theft/fraud losses by confirming whether this artifact reveals any other not-yet-discovered penetrations or infections
2. Increase awareness among employees to reduce the risk of future theft, fraud, or IP loss through training and communication
3. Reduce additional remediation costs by preventing future infections from a known bad IP space
4. Update security posture and details to reduce future exposure
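Recommendation 1 (check logs for any contact with the domains and IP ranges from the investigation) is the step that turns the gathered context into "additional cases" to investigate under recommendation 2. The block below is one way to run that check, written as an added example for this page rather than anything the paper or Cyveillance supplies. It assumes a simple space-separated proxy log format, `<timestamp> <client_ip> <method> <url> <dest_ip> <status>`, which is constructed here along with the sample lines; the indicator domains are the ones the paper cites, while the netblock `192.0.2.0/24` is an RFC 5737 documentation range standing in for the real hosting block, which the paper does not reproduce. Matching is done on the destination host (exact or subdomain, so `notborec.cz` is not a false positive) and separately on the destination IP against the netblock, so a bare `CONNECT` to an address in the block is still caught.

```python
"""Checking proxy logs for contact with the domains and IP ranges from an investigation.

Constructed example: the log format and lines are invented; the indicator domains are the
ones the paper cites; 192.0.2.0/24 is an RFC 5737 documentation range used as a placeholder
for the real hosting netblock, which the paper does not reproduce.
"""
import ipaddress
from collections import Counter
from typing import List, Optional, Set

INDICATOR_DOMAINS: Set[str] = {
    "borec.cz", "unas.cz", "wz.cz", "czweb.org", "euweb.cz",
    "nazory.cz", "prodejce.cz", "webz.cz", "webzdarma.cz",
}
# Placeholder for the "entire dirty neighborhood" netblock; substitute the real ranges.
INDICATOR_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log: <timestamp> <client_ip> <method> <url> <dest_ip> <status>
SAMPLE_LOG = """\
2015-01-08T09:12:01Z 10.0.0.15 GET http://www.borec.cz/login.php 192.0.2.138 200
2015-01-08T09:13:44Z 10.0.0.22 GET http://intranet.example/ 10.0.0.5 200
2015-01-08T09:15:02Z 10.0.0.15 GET http://cdn.example/app.js 198.51.100.7 304
2015-01-08T10:01:10Z 10.0.0.31 GET http://files.prodejce.cz/update.exe 192.0.2.201 200
2015-01-08T10:02:55Z 10.0.0.40 CONNECT 192.0.2.77:443 192.0.2.77 200
this line is malformed and must be skipped
2015-01-08T11:30:00Z 10.0.0.15 GET http://notborec.cz/ 203.0.113.9 200
2015-01-08T11:45:12Z 10.0.0.15 GET http://webzdarma.cz/ 192.0.2.155 200
"""


def host_of(url: str) -> str:
    """Host part of a URL or CONNECT target, without scheme, path or port."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    if host.count(":") == 1:  # strip :port (hostnames and IPv4 only; IPv6 literals not handled)
        host = host.split(":", 1)[0]
    return host.lower()


def matches_domain(host: str, indicators: Set[str]) -> Optional[str]:
    """Exact or subdomain match; 'notborec.cz' must not match 'borec.cz'."""
    for dom in indicators:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def in_netblocks(ip_text: str, blocks) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in block for block in blocks)


def scan_log(text: str, domains=INDICATOR_DOMAINS, blocks=INDICATOR_NETBLOCKS) -> List[dict]:
    """Return one hit per log line that touched an indicator domain or netblock, with reasons."""
    hits: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed: skip rather than mis-parse
        ts, client, method, url, dest, status = fields
        reasons: List[str] = []
        dom = matches_domain(host_of(url), domains)
        if dom:
            reasons.append(f"domain:{dom}")
        if in_netblocks(dest, blocks):
            reasons.append(f"netblock:{dest}")
        if reasons:
            hits.append({"line": lineno, "time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def hosts_to_investigate(hits: List[dict]) -> Counter:
    """Internal hosts ranked by number of contacts: the 'additional cases' to remediate."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['client']} -> {h['url']} ({', '.join(h['reasons'])})")
    print("hosts to investigate:", hosts_to_investigate(found).most_common())
```

Keeping the domain match and the netblock match as separate reasons matters for recommendation 3: a domain hit tells you which blocklist entry would have stopped it, while a netblock-only hit (the `CONNECT` line above) shows traffic that a domain blocklist alone would miss and that a firewall rule on the range would catch.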

Summary

This detective story, in which we built out our knowledge, our conclusions, and a course of action from a single piece of digital evidence, is, in practical terms, a simple example. In fact, this paper takes only slightly less time to read than the entire investigation required. And therein lies the point: with the right tools, data, and skill sets available, it is possible to combine internal data with externally sourced information and create usable intelligence in very short order. The key is not simply to ingest, derive, or accumulate huge quantities of data, but to leverage that data in ways that translate into action that links to business objectives. It is only by clearly linking security activity to risk exposure, expense, customer retention, or other business objectives that, in our view, data becomes intelligence. If it does not create value, it is interesting reading at best, a waste of resources at worst. Security groups must always strive to derive, and communicate, the value of their work back to the larger organization. When that aim is achieved, the case for intelligence (and the resources it requires) is well justified, even self-evident.

Cyber Threat Center

While your network may be secure, do you have visibility beyond the perimeter? Security is no longer about what you can see. What you can't see is where the true threats hide. Cyveillance offers an easy-to-use platform that provides security professionals the ability to see beyond the perimeter. Our solutions identify cyber and physical threats and risks across the globe, allowing you to mitigate and eliminate them before they disrupt your business. We go beyond data to provide the threat intelligence that you need to achieve your organization's business goals. Contact us today to learn more and get a free trial.

"Using security intelligence technology can save companies up to $2.6 million when compared to companies not using security intelligence technologies." (Global Report on the Cost of Cyber Crime. Ponemon Institute; HP. 3 Dec.)

"A study by Verizon has shown that the targets of 85 percent of attacks are small businesses with less than 1,000 employees." (Verizon, 2012 Data Breach Investigations Report, rp_data-breach-investigations-report-2012-ebk_en_xg.pdf)

Cyveillance is the leading provider of cyber threat intelligence, enabling organizations to protect their information, infrastructure, and employees from physical and online threats found outside the network perimeter. Founded in 1997, Cyveillance delivers an intelligence-led approach to security through continuous, comprehensive monitoring of millions of online data sources, along with sophisticated technical and human analysis. The Cyveillance Cyber Threat Center, a cloud-based platform, combines web search, social media monitoring, underground channel information, and global intelligence with investigative tools and databases of threat actors, domain names and IP data, phishing activity, and malware. Cyveillance serves the Global 2000 and the majority of the Fortune 50, as well as global leaders in finance, technology, and energy, along with data partners and resellers. For more information, visit the Cyveillance website.

Cyveillance is a wholly-owned subsidiary of QinetiQ, a FTSE 250 company which uses its domain knowledge to provide technical support and know-how to customers in the global aerospace, defense and security markets. For more information, visit the QinetiQ website.

Sunset Hills Road, Suite 210, Reston, Virginia
info@cyveillance.com

Copyright Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are trademarks or registered trademarks of their respective owners.


More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts Managed Enterprise Phishing Protection Comprehensive protection delivered 24/7 by anti-phishing experts MANAGED ENTERPRISE PHISHING PROTECTION 24/7 expert protection against phishing attacks that get past

More information

Reducing the Cost of Incident Response

Reducing the Cost of Incident Response Reducing the Cost of Incident Response Introduction Cb Response is the most complete endpoint detection and response solution available to security teams who want a single platform for hunting threats,

More information

THE ACCENTURE CYBER DEFENSE SOLUTION

THE ACCENTURE CYBER DEFENSE SOLUTION THE ACCENTURE CYBER DEFENSE SOLUTION A MANAGED SERVICE FOR CYBER DEFENSE FROM ACCENTURE AND SPLUNK. YOUR CURRENT APPROACHES TO CYBER DEFENSE COULD BE PUTTING YOU AT RISK Cyber-attacks are increasingly

More information

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson Delivering Integrated Cyber Defense for the Generation Darren Thomson Vice President & CTO, EMEA Region Symantec In 2009 there were 2,361,414 new piece of malware created. In 2015 that number was 430,555,582

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

Traditional Security Solutions Have Reached Their Limit

Traditional Security Solutions Have Reached Their Limit Traditional Security Solutions Have Reached Their Limit CHALLENGE #1 They are reactive They force you to deal only with symptoms, rather than root causes. CHALLENGE #2 256 DAYS TO IDENTIFY A BREACH TRADITIONAL

More information

FOR FINANCIAL SERVICES ORGANIZATIONS

FOR FINANCIAL SERVICES ORGANIZATIONS RSA BUSINESS-DRIVEN SECURITYTM FOR FINANCIAL SERVICES ORGANIZATIONS MANAGING THE NEXUS OF RISK & SECURITY A CHANGING LANDSCAPE AND A NEW APPROACH Today s financial services technology landscape is increasingly

More information

THE EVOLUTION OF SIEM

THE EVOLUTION OF SIEM THE EVOLUTION OF SIEM Why it is critical to move beyond logs BUSINESS-DRIVEN SECURITY SOLUTIONS THE EVOLUTION OF SIEM Why it is critical to move beyond logs Despite increasing investments in security,

More information

WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT

WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT THREE DECADES OF COMPUTER THREATS In 1986, the Brain boot sector virus caused the first widespread realization

More information

Security Gap Analysis: Aggregrated Results

Security Gap Analysis: Aggregrated Results Email Security Gap Analysis: Aggregrated Results Average rates at which enterprise email security systems miss spam, phishing and malware attachments November 2017 www.cyren.com 1 Email Security Gap Analysis:

More information

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform Date: October, 2018 Author: Jack Poller, Sr. Analyst The Challenges Enterprise Strategy Group

More information

Office 365 Buyers Guide: Best Practices for Securing Office 365

Office 365 Buyers Guide: Best Practices for Securing Office 365 Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.

More information

ForeScout Extended Module for Splunk

ForeScout Extended Module for Splunk Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look

More information

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies

More information

Built-in functionality of CYBERQUEST

Built-in functionality of CYBERQUEST CYBERQUEST Knows everything Built-in functionality of CYBERQUEST Summary Demonstration of CyberQuest functionality E-mail: office@nextgensoftware.solutions Content Intro... 3 Built-in functionality of CYBERQUEST...

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

CYBER RESILIENCE & INCIDENT RESPONSE

CYBER RESILIENCE & INCIDENT RESPONSE CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable

More information

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco Increasing Digital Traffic Creates a Greater Attack Surface Global IP Traffic

More information

Building Successful Threat Intelligence Programs

Building Successful Threat Intelligence Programs Threat Intelligence-Driven Security Building Successful Threat Intelligence Programs Allan Thomson, LookingGlass CTO June 2017 Intelligence-Driven Security Threat Intelligence evidence-based knowledge

More information

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better

More information

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Transforming Security from Defense in Depth to Comprehensive Security Assurance Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new

More information

Automated Context and Incident Response

Automated Context and Incident Response Technical Brief Automated Context and Incident Response www.proofpoint.com Incident response requires situational awareness of the target, his or her environment, and the attacker. However, security alerts

More information

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions IPS Effectiveness IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions An Intrusion Prevention System (IPS) is a critical layer of defense that helps you protect

More information

CyberArk Privileged Threat Analytics

CyberArk Privileged Threat Analytics CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical

More information

Novetta Cyber Analytics

Novetta Cyber Analytics Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility

More information

Make IR Effective with Risk Evaluation and Reporting

Make IR Effective with Risk Evaluation and Reporting SESSION ID: AIR-R02 Make IR Effective with Risk Evaluation and Reporting Mischel Kwon President/CEO MKA Cyber @mkacyber Justin Monti Sr. VP Security Engineering MKA Cyber You ve Got an Incident Now What?

More information

CloudSOC and Security.cloud for Microsoft Office 365

CloudSOC and  Security.cloud for Microsoft Office 365 Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed

More information

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat WHITE PAPER Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat Executive Summary Unfortunately, it s a foregone conclusion that no organisation is 100 percent safe

More information

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1 RSA Advanced Security Operations Richard Nichols, Director EMEA 1 What is the problem we need to solve? 2 Attackers Are Outpacing Defenders..and the Gap is Widening Attacker Capabilities The defender-detection

More information

ForeScout ControlFabric TM Architecture

ForeScout ControlFabric TM Architecture ForeScout ControlFabric TM Architecture IMPROVE MULTI-VENDOR SOLUTION EFFECTIVENESS, RESPONSE AND WORKFLOW AUTOMATION THROUGH COLLABORATION WITH INDUSTRY-LEADING TECHNOLOGY PARTNERS. The Challenge 50%

More information

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH E-Guide MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH SearchSecurity L earn how to implement appropriate security controls for endpoint management. PAGE 2 OF 7 MANAGING ENDPOINTS WITH DEFENSE-IN-DEPTH Mike

More information

Real estate predictions 2017 What changes lie ahead?

Real estate predictions 2017 What changes lie ahead? Real estate predictions 2017 What changes lie ahead? Cyber Risk 2017. For information, contact Deloitte Consultores, S.A. Real Estate Predictions 2017 2 Cyber Risk Rising cyber risk in real estate through

More information

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM RSA NETWITNESS EVOLVED SIEM OVERVIEW A SIEM is technology originally intended for compliance and log management. Later, as SIEMs became the aggregation points for security alerts, they began to be more

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

This Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry

This Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry This Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry At a Glance With offices across the country, this gaming company has been in operation for decades.

More information

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION A Novetta Cyber Analytics Brief Why SIEMs with advanced network-traffic analytics is a powerful combination. INTRODUCTION Novetta

More information

How Breaches Really Happen

How Breaches Really Happen How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability

More information

CYBER SECURITY EFFECTIVENESS FOR THE RESOURCE-CONSTRAINED ORGANIZATION

CYBER SECURITY EFFECTIVENESS FOR THE RESOURCE-CONSTRAINED ORGANIZATION SELF-AUDIT GUIDE CYBER SECURITY EFFECTIVENESS FOR THE RESOURCE-CONSTRAINED ORGANIZATION A Primer for Moving Beyond AV and Firewalls 1 The Problem As software systems become more distributed and interactive

More information

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it

More information

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Service SM Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Product Protecting sensitive data is critical to being

More information

PEOPLE CENTRIC SECURITY THE NEW

PEOPLE CENTRIC SECURITY THE NEW PEOPLE CENTRIC SECURITY THE NEW PARADIGM IN CYBERSECURITY David Karlsson SE Nordics March 2018 1 2018 Proofpoint, Inc. Proofpoint at a Glance LEADING CUSTOMERS DEEP SECURITY DNA UNIQUE VISIBILITY PARTNERS

More information

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Cyber fraud and its impact on the NHS: How organisations can manage the risk Cyber fraud and its impact on the NHS: How organisations can manage the risk Chair: Ann Utley, Preparation Programme Manager, NHS Providers Arno Franken, Cyber Specialist, RSM Sheila Pancholi, Partner,

More information

Imperva Incapsula Website Security

Imperva Incapsula Website Security Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

6 Tips to Help You Improve Configuration Management. by Stuart Rance

6 Tips to Help You Improve Configuration Management. by Stuart Rance 6 Tips to Help You Improve Configuration Management by Stuart Rance Introduction Configuration management provides information about what assets you own, how they are configured, and how they are connected

More information

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches Introduction No matter how hard you work to educate your employees about the constant and evolving threats

More information

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling

More information

Security for an age of zero trust

Security for an age of zero trust Security for an age of zero trust A Two-factor authentication: Security for an age of zero trust shift in the information security paradigm is well underway. In 2010, Forrester Research proposed the idea

More information

Cyber Threat Landscape April 2013

Cyber Threat Landscape April 2013 www.pwc.co.uk Cyber Threat Landscape April 2013 Cyber Threats: Influences of the global business ecosystem Economic Industry/ Competitors Technology-led innovation has enabled business models to evolve

More information

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large Executive Summary As a County Government servicing about 1.5 million citizens, we have the utmost responsibility to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

More information

10 FOCUS AREAS FOR BREACH PREVENTION

10 FOCUS AREAS FOR BREACH PREVENTION 10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual

More information

CYBER SOLUTIONS & THREAT INTELLIGENCE

CYBER SOLUTIONS & THREAT INTELLIGENCE CYBER SOLUTIONS & THREAT INTELLIGENCE STRENGTHEN YOUR DEFENSE DarkTower is a global advisory firm focused on security for some of the world s leading organizations. Our security services, along with real-world

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

Using Internet Data Sets to Understand Digital Threats

Using Internet Data Sets to Understand Digital Threats Using Internet Data Sets to Understand Digital Threats CONTENTS EXECUTIVE SUMMARY...1 ACTIONS LEAVE BREADCRUMBS. MAKE SURE TO FOLLOW THEM...2 INFRASTRUCTURE CHAINING...3 INTERNET DATA SETS...3 PASSIVE

More information

The McGill University Health Centre (MUHC)

The McGill University Health Centre (MUHC) The McGill University Health Centre (MUHC) Strengthening its security posture with in- depth global intelligence Overview The need MUHC security staff wanted to more quickly identify and assess potential

More information

TABLE OF CONTENTS Introduction: IS A TOP THREAT VECTOR... 3 THE PROBLEM: ATTACKS ARE EVOLVING FASTER THAN DEFENSES...

TABLE OF CONTENTS Introduction:  IS A TOP THREAT VECTOR... 3 THE PROBLEM: ATTACKS ARE EVOLVING FASTER THAN  DEFENSES... The Guide TABLE OF CONTENTS Introduction: EMAIL IS A TOP THREAT VECTOR... 3 THE PROBLEM: ATTACKS ARE EVOLVING FASTER THAN EMAIL DEFENSES... 4 Today s Top Email Fraud Tactics...5 Advanced Malware...8 Outbound

More information

Sandboxing and the SOC

Sandboxing and the SOC Sandboxing and the SOC Place McAfee Advanced Threat Defense at the center of your investigation workflow As you strive to further enable your security operations center (SOC), you want your analysts and

More information

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Getting over Ransomware - Plan your Strategy for more Advanced Threats Getting over Ransomware - Plan your Strategy for more Advanced Threats Kaspersky Lab Hong Kong Eric Kwok General Manager Lapcom Ltd. BEYOND ANTI-VIRUS: TRUE CYBERSECURITY FROM KASPERSKY LAB 20 years ago

More information

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR C R O W D S T R I K E P U B L I C S E C T O R S O L U T I O N S CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR SECURE YOUR ENTERPRISE WITH A THAT PROVIDES UNRIVALED PROTECTION, SECURITY EXPERTISE, AND OPTIMAL

More information

NEXT GENERATION SECURITY OPERATIONS CENTER

NEXT GENERATION SECURITY OPERATIONS CENTER DTS SOLUTION NEXT GENERATION SECURITY OPERATIONS CENTER SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 - SUCCESS FACTORS SOC 2.0 - FUNCTIONAL COMPONENTS DTS SOLUTION SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 Protecting

More information

Combating Cyber Risk in the Supply Chain

Combating Cyber Risk in the Supply Chain SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an

More information

MITIGATE CYBER ATTACK RISK

MITIGATE CYBER ATTACK RISK SOLUTION BRIEF MITIGATE CYBER ATTACK RISK CONNECTING SECURITY, RISK MANAGEMENT & BUSINESS TEAMS TO MINIMIZE THE WIDESPREAD IMPACT OF A CYBER ATTACK DIGITAL TRANSFORMATION CREATES NEW RISKS As organizations

More information

2015 VORMETRIC INSIDER THREAT REPORT

2015 VORMETRIC INSIDER THREAT REPORT Research Conducted by Research Analyzed by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security GLOBAL EDITION #2015InsiderThreat EXECUTIVE PERSPECTIVE 1 INSIDER THREATS:

More information

Noam Ikar R&DVP. Complex Event Processing and Situational Awareness in the Digital Age

Noam Ikar R&DVP. Complex Event Processing and Situational Awareness in the Digital Age Noam Ikar R&DVP Complex Event Processing and Situational Awareness in the Digital Age We need to correlate events from inside and outside the organization by a smart layer Cyberint CEO, Dec 2017. Wikipedia

More information

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...

More information

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It The Credential Phishing Handbook Why It Still Works and 4 Steps to Prevent It Introduction Phishing is more than 20 years old, but still represents more than 90% of targeted attacks. The reason is simple:

More information

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey CyberMaryland Conference 2017 Bob Andersen, Sr. Manager Federal Sales Engineering robert.andersen@solarwinds.com

More information

THALES DATA THREAT REPORT

THALES DATA THREAT REPORT 2018 THALES DATA THREAT REPORT Trends in Encryption and Data Security INDIA EDITION EXECUTIVE SUMMARY #2018DataThreat THE TOPLINE Rising risks for sensitive data in India In India, as in the rest of the

More information

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference www.pwc.com 2016 ISACA Atlanta Chapter Geek Week Conference Highlights from surveys 38% Amount of security incidents In 2015, 38% more security incidents were detected than in 2014. $4.9M Cost of security

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Continuous protection to reduce risk and maintain production availability

Continuous protection to reduce risk and maintain production availability Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading

More information

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill

More information

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Cisco Cloud Security. How to Protect Business to Support Digital Transformation Cisco Cloud Security How to Protect Business to Support Digital Transformation Dragan Novakovic Cybersecurity Consulting Systems Engineer January 2018. Security Enables Digitization Digital Disruption,

More information

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents

More information

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Using Threat Analytics to Protect Privileged Access and Prevent Breaches Using Threat Analytics to Protect Privileged Access and Prevent Breaches Under Attack Protecting privileged access and preventing breaches remains an urgent concern for companies of all sizes. Attackers

More information

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats.

EBOOK. Stopping  Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats. EBOOK Stopping Email Fraud How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats www.proofpoint.com EBOOK Stopping Email Fraud 2 Today s email attacks have

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture February 2019 Challenging State of Vulnerability Management Today: Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture In the last two years, businesses and governments have seen data breaches

More information