How Pre-ATT&CK Fits into Security & Threat Intelligence
In a different post, we discussed the MITRE Pre-ATT&CK framework and how it applies to an attacker using OSINT to gather and analyze information on an individual or organization in order to ultimately stage an attack. Those stages enumerated multiple paths an attacker can take to find important information, how he or she can analyze that information, and, ultimately, how that analysis may inform his or her method of attack.
Understanding these steps is important because, if a security team understands what information is out there, they can request that this information be removed, and therefore make it unavailable to the attacker, or, if it cannot be removed, understand how an attacker may use that information in order to stage his or her attack. With this potential knowledge, the security team can more easily simulate attacks with exercises, thereby increasing situational awareness for all involved, and develop better contingency plans based on potential avenues of attack.
The internet is a vast and expansive place where one can hide quite easily. Even on websites that require someone to identify himself or herself, anyone can create a fake name tied to a fake email address (and fake phone number) and populate the profile with fake information. This is known as persona development; it is used by good guys and bad guys alike, and some actors have gone to great lengths to nurture a persona over several years.
The majority of social media sites allow users to hide specific profile information from public view, making this information inaccessible to anyone who is not connected to that user. Thus, if an attacker is able to make some sort of connection, he or she can potentially gain greater access to the information posted to the site (assuming the victim’s profile allows friends and connections to see this information). This may include friends lists, posts, groups, subscriptions, likes, job or education histories, etc.
Most of the time, sites do not inform the potential victim that his or her profile has been viewed, with the notable exception of LinkedIn, which plays an outsized role in information gathering on organizations. Even then, unless a user pays for LinkedIn, his or her view of those who have viewed the profile remains limited.
Therefore, maintaining operational security in this sphere is relatively easy, even though there is limited visibility into who is monitoring potential victims. First and foremost, tight privacy controls, even blocking content from friends and known, trusted connections, can prevent malicious actors from viewing information.
Second, individuals in an organization must understand that anybody on social media can be anybody; it is often difficult to see behind the veil of the profile to know that the person on the other side really is who they say they are. In other words, connections should only be made with people known to the account owner, and no one else. There are exceptions here, but those fall within special use cases, such as job searching or conference networking. Otherwise, educating members of an organization to deny requests from random people is an important piece of any organization’s security plan.
Adversary Operational Security
Operational security on the part of the adversary is effectively the technical extension of persona development. This can essentially be broken down into three broad categories: acquisition of third-party tools and infrastructure, obfuscation, and DNS manipulation.
Although cyber attackers may be on the cutting edge of computer development practices (though this is actually quite rare), it is highly uncommon for an attacker to build and maintain his or her own internet infrastructure. After all, why go through the trouble and cost of building and maintaining all the constituent parts of DNS servers, name servers, FQDN networks, autonomous systems, etc., when you can get full access to these services via an ISP and a few dollars per month in registration fees? Nowadays, especially, many of these services can be purchased and maintained anonymously, so there is virtually no need to build them yourself.
Of course, that “anonymous” part of the previous sentence is quite important and maintaining sufficient levels of operational security to ensure that one remains anonymous is no trivial matter. This is where obfuscation plays a key role.
How? Well, let’s say an attacker uses cash to purchase a pre-paid Visa card, which he or she then uses to purchase various online services (VPN, domain names, cloud storage and server infrastructure, etc.). The attacker connects over a 4G/LTE link (also paid for with a pre-paid card and registered under a persona for anonymity), works from a virtual machine on his or her computer, and sits in a public place known not to be under CCTV surveillance.
Even if your logs do pick up malicious activity coming from a specific source, there would be virtually no way of obtaining any sort of legal mechanism to pursue that source, because the evidence would be so scant.
On top of all of this, there are myriad technical means of obfuscating network traffic once malware has been deployed on a victim’s machine. Generally, these techniques center around various types of DNS manipulation, such as randomized domain-generation algorithms tied to automatic registrations (which are, of course, protected by strict offshore anonymity practices), using DNS to bypass firewalls, and encryption mechanisms. Taken together, these tools are difficult, if not impossible, to detect at first, but patterns generally emerge quickly which allow security administrators to stem the flow of compromised data.
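The "patterns" mentioned above are concrete enough to hunt for in resolver logs. The following is an added example, not code from the original post: it reads a constructed DNS query log and surfaces the two DNS-based obfuscation patterns the paragraph names, domain-generation algorithms (one client repeatedly resolving random-looking domains that return NXDOMAIN) and DNS tunnelling (many distinct, unusually long subdomain labels under one registered domain). The log format, the sample lines and every threshold are assumptions chosen for illustration, and the registered-domain split ignores the public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one "timestamp client qname rcode" per line.
# None of these names or addresses come from the article.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-01-01T10:00:03 10.0.0.5 cdn.example.net NOERROR
2024-01-01T10:00:04 10.0.0.7 xk3jq9z2b7v1m4p8.com NXDOMAIN
2024-01-01T10:00:05 10.0.0.7 q8z1p3m7v2b9k4x6.net NXDOMAIN
2024-01-01T10:00:06 10.0.0.7 m2v7k1x9b4q8z3p5.org NXDOMAIN
2024-01-01T10:00:07 10.0.0.7 w5c3j6k2x8v1b4p9.info NXDOMAIN
2024-01-01T10:00:08 10.0.0.9 4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f.tunnel-example.org NOERROR
2024-01-01T10:00:09 10.0.0.9 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.tunnel-example.org NOERROR
2024-01-01T10:00:10 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4.tunnel-example.org NOERROR
2024-01-01T10:00:11 10.0.0.9 ffeeddccbbaa99887766554433221100aabbccdd.tunnel-example.org NOERROR
"""

# Thresholds are assumed values for illustration; tune them against your own baseline.
DGA_MIN_ENTROPY = 3.0      # bits per character of the registered label
DGA_MIN_LABEL_LEN = 10     # short brand-like labels are not random enough to score
DGA_MIN_NXDOMAINS = 3      # distinct random-looking failures per client before flagging
TUNNEL_MIN_LABEL_LEN = 32  # encoded payload chunks produce long subdomain labels
TUNNEL_MIN_UNIQUE = 3      # distinct long subdomains under one registered domain


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character in text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of a name. Simplification: no public suffix list,
    so 'host.example.co.uk' would wrongly yield 'co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, rcode) from the whitespace-separated log, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode


def analyze(text: str) -> dict:
    """Return clients that look like DGA victims and registered domains that look
    like DNS-tunnel endpoints, each with the evidence that triggered the flag."""
    nx_random = defaultdict(set)   # client -> random-looking domains that returned NXDOMAIN
    long_subs = defaultdict(set)   # registered domain -> distinct long subdomain labels
    for client, qname, rcode in parse_log(text):
        reg = registered_domain(qname)
        reg_label = reg.split(".")[0]
        # DGA indicator: high-entropy registered label that does not resolve.
        if (rcode == "NXDOMAIN"
                and len(reg_label) >= DGA_MIN_LABEL_LEN
                and shannon_entropy(reg_label) >= DGA_MIN_ENTROPY):
            nx_random[client].add(reg)
        # Tunnel indicator: long labels in the part of the name left of the registered domain.
        prefix = qname[: -len(reg) - 1] if qname != reg else ""
        for label in prefix.split("."):
            if len(label) >= TUNNEL_MIN_LABEL_LEN:
                long_subs[reg].add(label)
    return {
        "dga_clients": {c: sorted(d) for c, d in nx_random.items()
                        if len(d) >= DGA_MIN_NXDOMAINS},
        "tunnel_domains": {d: len(s) for d, s in long_subs.items()
                           if len(s) >= TUNNEL_MIN_UNIQUE},
    }


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(key, hits)
```

Both checks are deliberately per-entity rather than per-query: a single odd-looking name is noise, but one host accumulating NXDOMAIN answers for random labels, or one domain accumulating dozens of unique long subdomains, is the repeating pattern the paragraph describes, and it is the kind of aggregate an administrator can alert on and then block at the resolver.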
How Can You Defeat or Defend Against a Ghost?
So how can I defeat someone who is unknown and untraceable? Well, that’s why we are discussing the Pre-ATT&CK framework, to understand these techniques in order to devise methods to complicate an attacker’s route along the kill chain (implementation of the Pyramid of Pain) and prevent the attack from ever occurring in the first place.
By understanding these tactics, techniques, and procedures, security teams can educate their organizations and implement policies to assist in mitigating such attacks. The good news is that the technical means of obfuscation are hardly a factor before the attacker begins his or her reconnaissance and phishing campaigns, and a little extra vigilance can go far in preventing attackers before they ever begin.
Thus, your security team shouldn’t have to concern itself with investigating some potentially unknown and undetected entity, because the team is already steps ahead of any potential attacker, rather than scrambling to contain disaster. There needs to be a shift in the discussion toward implementing strategies that limit how threat actors can collect data, effectively exploit information, and launch successful attacks, without compromising the mission of your organization.