Understanding the Threat Landscape


In today’s cyber threat landscape, you need to be familiar with most of the threat intelligence concepts, such as IOCs (Indicators of compromise), APTs (Advanced Persistent Threats) and MOM (Motive, Opportunity and Means). With this knowledge, you’ll be able to understand what a threat is, how to classify it and how to respond to the incident.

Types of malware

Malware (malicious software) is a type of software that can be used to compromise a system. The most common objectives of malware are stealing data, bypassing access controls or causing any kind of harm to the system.

Now, malware is a broad term used to make reference to a variety of malicious programs. The most common types of malware are:

  • Virus - This is a type of program that, when a user executes it, performs a malicious activity on the system. This type of malware needs user interaction to replicate and spread through the network.
  • Worm - Just like the virus, this is a type of program that performs a malicious activity on a system. The big difference is that the worm doesn’t need user interaction to replicate or spread its actions.
  • Spyware - As the name suggests, this is a type of malware that tries to steal data from a person or a company in order to gain some type of advantage over that person or company.
  • Trojan - This is a type of malware that hides its intentions under a legit program or activity. Once the user executes the program, the legit activity is performed along with the malicious activity.
  • Rootkit - This is one of the most dangerous types of malware since one of the rootkit’s characteristics is that it provides continued privileged access to the attacker, i.e. once the system is infected, the attacker can come back many times to perform malicious activities.
  • Adware - This is considered the least dangerous type of malware. An adware is a piece of software designed to show advertisement tailored to the user, most of the time based on the online behavior.

Threat models

All of these malware types have something in common, and it’s that they try to attack either the confidentiality, integrity or availability (a.k.a. the CIA triad) of the systems, which are the three cornerstones of cyber security.

  • Confidentiality - means that only authorized people can see the information.
  • Integrity - means that the information can change only in a controlled manner.
  • Availability - means that the information should be available to the right people whenever needed.

As of today, many companies do not have a clear understanding of their information assets’ threats. To cover that knowledge gap, we have several threat classifications models which allows us to study the threats’ impact and behavior over time.

OCTAVE

The Operationally Critical Threat, Asset, and Vulnerability Evaluation is a method that is based on risk, which means it considers the impact of losing an asset and the probability actually losing that asset.

Many of these models try to address different criteria of information, impact, vulnerabilities, risk regarding different threats.

Although we have these models and many more, one of the most popular is the MITRE ATT&CK.

MITRE ATT&CK

According to their webpage:

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

In other words, this is a framework that describes the well known and most used techniques that hackers use to gain control of a system. The main goal of this framework is to help cybersecurity professionals to detect a malicious activity before, during and after it has occurred.

STRIDE

This is one of the first threat modeling methods that existed. This model evaluates the design of a system by comparing the data flows and the security countermeasures in place.

  Threat Property Violated Threat Definition
S Spoofing identify Authentication Pretending to be something or someone other than yourself
T Tampering with data Integrity Modifying something on disk, network, memory, or elsewhere
R Repudiation Non-repudiation Claiming that you didn’t do something or were not responsible
I Information disclosure Confidentiality Providing information to someone not authorized to access it
D Denial of service Availability Exhausting resources needed to provide service
E Elevation of privilege Authorization Allowing someone to do something they are not authorized to do

CVSS

The Common Vulnerability Scoring System tries to compare the vulnerabilities of a system and the possible countermeasures in place. With that, it provides an impact value of that specific threat. A higher number means that the impact is high and should be addressed immediately.

Indicators Of Compromise

As a SOC analyst, you’ll see a lot of unusual behavior of an organization’s technology assets. Sometimes, these might be false positives but other times, it’ll mean that the company is under a cyberattack.

SOC analysts will often search for well-known threats by using the Indicators of Compromise (IOCs).

IOCs are pieces of data, often known as “artifacts”, that can be found in many sources, such as log entries, and can identify potentially malicious activity on a system. Some examples are:

  • Unusual Outbound Network Traffic. For example, traffic going through port 4444.
  • Anomalies in Privileged User Account Activity. For example, an administrator erasing a database.
  • Geographical Irregularities. For example, a user that lives in the US trying to log in from Asia.
  • Log-In attempts. For example, a high quantity of failed login attempts.
  • Signs of DDoS Activity. For example, an increase of database queries.

As an example, check the following network connections:

-----------------------
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2279/nc             
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 10.0.2.4:42498          91.189.92.41:443        ESTABLISHED -                   
tcp        0      0 10.0.2.4:42500          91.189.92.41:443        ESTABLISHED -                   
tcp        0      0 10.0.2.4:4444           10.0.2.45:50718         ESTABLISHED 2279/nc             
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   
-----------------------

As mentioned before, unusual network traffic can throw an alert. In this case, communication over port 4444 is not usual activity, hence, it’s our IOC for this case, especially because is being executed by one of the most popular hacking tools, netcat.

Insider Threats

Sometimes, the threats are not outside the company. A disgruntled employee is one of the most dangerous threats of all, that’s simply because they have intimate knowledge of the company’s system.

They pose a threat over the three cornerstones of cybersecurity, as they can reveal private information (confidentiality attack), modify information (integrity attack) or eliminate information (availability attack).

Other times, employees can unintentionally pose a threat as well, either because they’re not aware of a situation or because there are not enough controls on the company to prevent such mistakes.

To prevent this, you can enforce administrative controls (such as NDAs), physical controls (such as badge cards) and technical controls (such as Anti-Virus).

As you can see from our previous network trace snippet, an internal IP (10.0.2.4) is listening on port 4444 and another internal IP (10.0.2.45) has connected to it.

After reviewing some logs and traces in the machine with IP 10.0.2.45, you found that the employee downloaded several files to a thumb drive. These files were previously marked as classified and top secret.

This means that someone inside the company is creating that connection and possibly trying to exfiltrate sensitive information.

An NDA could help in this case by having clear penalties for the employees that don’t adhere to this code. A Data Loss Prevention tool could also help in this case by triggering an alert of a suspicious network activity. An IPS, such as Suricata or Snort could also help as they monitor unusual network traffic and compare it to a set of predefined rules.

Conclusion

As a SOC analyst, you’ll see several IOCs and you need to understand how to classify the threats and how to handle each situation to guarantee the CIA triad of your company’s data.

Alejandro Guinea