Cyberthreat Intelligence: Get the basis of analysis right
One of the best things cybersecurity professionals can do for their organisations, involves the simple act of observation. According to Hong Leong Bank, Head of Group IT Security, Dr. Suresh Ramasamy, “You don’t have to be a techie to do it, just make sense of things around you.”
And if there were phases to this whole endeavour which we can call ‘cyberthreat intelligence’ or CTI the most basic phase and perhaps also the most critical foundation to be laid when conducting the whole exercise is the analysis of elements in the organisation’s ‘ecosystem’.
Dr. Suresh emphasised, “Get the basis of analysis right first.”
Starting cyberthreat intelligence
It can start with a question as simple as “Who would be interested to attack my organisation?” A list of threat actors can be made, along with their motivations. Depending on the industry your organisation operates in, these motivations can range from getting access into a financial system to manipulate it, to stealing data for blackmail, to gaining access to computing facilities to mine cryptocurrencies, and so on.
By asking these kinds of questions and increasing one’s area of observation and analysis, one may learn some interesting things.
Dr. Suresh also opined, “You could make a good map of people who are targeting your industry.”
Why CTI at all?
The CTI endeavour is a call for businesses to start applying some good old-fashioned common sense and wisdom to some long-held views about good cyber hygiene and best practices.
Patching, for example. Dr. Suresh pointed out that if organisations haven’t experienced it already, then they are well on their way to experiencing patch fatigue.
The typical organisation would be patching their systems. Ironically, some of these patches aren’t even tested before they are released, so likely a patch would come later to fix the earlier one. This is already known to have happen and a famous example is the Meltdown and Spectre patches.
It gets to a point where there is too much time spent on patching without any visibility into whether it is helping to mitigate attacks, or whether IT departments are patching just for the sake of patching.
What if there could be a way to devise a patch policy, by first discovering which ones should be prioritised? This is helpful in staving off patch fatigue.
Tools to help
PDF Parser https://pdfparser.org/ is one tool that is great at discovering more about suspicious files. What it does in summary, is analyse data in PDF files, and even extract metadata like author, description and keywords in a PDF.
So, this tool is useful for discovering dodgy elements for example a second PDF embedded in a PDF, that has stealth commands. Once this is established, you would have entered Stage one of your CTI exercise: Indicator of Compromise (IOC) or ‘is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.’
According to Wikipedia also, IOCs are typically, ‘virus signatures and IP addresses, MD5 hashes of malware files or URLs or domain names of botnet command and control servers.’
In our particular example which Dr. Suresh demonstrated, he described the IOC as ”a random string of rubbish” or the file hash.
After identifying this hash, one enters the threat hunting stage.
“If someone got infected, the second PDF would be in the machine or its memory,” Dr. Suresh said.
In his demonstration, the malware he used had 31 variants, and this is a second level of information which threat hunters can use.
Tools like ThreatMiner at www.threatminer.org is useful to further research. The website describes the resource as “The emphasis of ThreatMiner isn’t just about indicators of compromise (IOCs) but also to provide analysts with contextual information related to the IOC they are looking at. Without contextual information, an IOC is just a data point.”
The more one delves into their research and deepen their analysis, some of the things they could learn, is the interesting tricks malware use to evade detection.
For example, malware can query operating systems about the temperature of the CPU. This determines if they are in a virtual machine (VM) environment, as CPU temperature tend to be at 0-degrees. This could mean the malware is in a sandbox, which it wants to avoid.
From hereon, the resource offers a multitude of options that your research and analysis can turn towards. But Dr. Suresh is quick to point out, the last stage of the whole exercise, would be threat attribution, or the identification of persons or parties responsible for a breach or attack.
It addresses the 5 factors of What, Why, When, Where and How, to be able to answer finally, “Who did it.”
Dr. Suresh cautioned however, “If you analyse a bit more, you could discover misdirection.” He said misdirection is possible because a lot of malicious code involves a lot of copying and pasting. That said, the Tools, Techniques and Practice (TTPs) of a hacker of hacker group, typically will not vary much.
He also advised, “Do not get hung up on IOCs which has limited time (before they are replaced). TTPs on the other hand, last longer.”
(Suresh Ramasamy is the Head, Group IT Security, Hong Leong Bank Berhad. Opinions expressed were his own and do not represent the views or opinions of his employer).