Using Threat Intelligence to Track Attackers, Part 2: Advanced Threat Event Analysis and Defense Matrix

Posted by tzul at 2020-02-28

Following on from part 1, which stated that the threat intelligence data described there cannot help a customer (Party A) predict an attack: do not believe it when a salesperson or pre-sales engineer tells you that threat intelligence can predict attacks. Someone might then ask what threat intelligence is good for if it cannot predict attacks. So, before getting to event analysis, let's talk about where threat intelligence sits in a security operations system.

The place of threat intelligence in a security operations system is to assist in detecting potential or ongoing malicious activity, with the emphasis on the word "assist". Strictly speaking, threat intelligence can only perceive potential threats with limited awareness. For example, if someone is targeting all customers in the energy sector, threat intelligence can warn the customers who have not yet been attacked that this attacker may come for them. That is what limited awareness of potential threats means.

Back to the main point: since threat intelligence is an auxiliary means, there must be a primary means, and that primary means is event analysis. Next we mainly discuss two models used in the analysis, the Diamond Model and the kill chain model. These two models often need to be used together, especially for relatively large targeted attacks such as APT attacks.

0x01 kill chain model:

The kill chain model was actually put forward by a company that makes airplanes, the one that builds the Raptor (Lockheed Martin). I won't go into the background; let's look at the model first.

The kill chain model is divided into seven parts: reconnaissance, weaponization, delivery, exploitation, installation, C&C (command and control), and actions on objectives.

The meaning of each stage can basically be understood from its name.

In fact, the kill chain describes a complete attack chain, similar to the PTES process. It is shown in the following figure (from the PPT used previously):

0x02 diamond model analysis:

As mentioned before, the reference for a complete attack is the kill chain above, which describes the attacker's route and progress. But the kill chain can only explain the process and route of an attack, not its impact and purpose. The Diamond Model is a good targeted supplement on this point.

The Diamond Model is a model for analyzing a single event. Its core is describing the attacker's tactics and purpose. The specific Diamond Model is shown in the following figure:

This is the Diamond Model itself; I did not explain it at the Defcon group meeting for lack of time and other reasons. Looking at the figure, the right side is the diamond analysis model. The Diamond Model consists of the following parts: confidence, metadata, socio-political influence, and the technical and tactical combination. Let's take them one by one:

Socio-political influence: this lies on the top and bottom vertices of the diamond. The top vertex represents the attacker and the bottom vertex the victim, i.e. the target. A conflict of interest or opposition in social standing between attacker and victim produces the intent and the cause of the attack; this is the socio-political influence. Put simply, it means working out the intent of the attack from the relationship between these two parties.

Technical and tactical combination: this lies on the horizontal axis of the diamond. Its two vertices are infrastructure and technical capability, both of which belong to the attacker.

Metadata: these are listed on the left and include the attack time, attack stage, attack result, attack direction, attack method, and the attack resources used.

Confidence: the confidence level of the analysis results above.

What the Diamond Model expresses, for a single security event, is why the attacker wants to attack the target and by what means he intends to do so.

A reminder here: when analyzing based on threat intelligence, you must keep the following four points in mind:

For example, suppose we received a phishing email with a remote-access Trojan attached, someone opened the attachment, and the machine was remotely controlled. Such an event is analyzed with the Diamond Model as shown in the figure below (from the abandoned PPT).

In this way, it can be broken down into the following steps:

0x03 combination analysis of kill chain and diamond model:

The Diamond Model's characteristic is that it explains the attack purpose and the tactics the attacker used in a single event.

The kill chain model's characteristic is that it explains the attack route and the attack process.

Complex attacks are often composed of a series of attack events. The different attack events all point at the target and together achieve the goal, so they show the attack process. If we classify the events by kill chain phase, represent them on a swimlane chart, and separate the different attack routes into different attack threads, we get a swimlane chart like this one.

This chart actually describes the following event:

1. The attacker first performed Google hacking against the target and obtained some basic IT information, such as their DNS resolution records.
2. The attacker found a newly registered domain of the target, then used a search engine to look up the e-mail details of their network administrator.
3. The attacker sent the target's network administrator a spear-phishing e-mail carrying a Trojan.
4. The target's network administrator (we'll call him Admin No. 1) opened the e-mail's attachment and was unfortunately infected.
5. Because Admin No. 1's host was infected, the attacker used that host to send an HTTP POST request to the domain's control node, and the control node returned an HTTP Response.
6. By reverse-analyzing the attachment in the spear-phishing e-mail, we found that it contained two IP addresses, the second serving as a backup in case the first stopped working.
7. Through the C&C request to Admin No. 1's host, the malware opened a TCP proxy service.
8. Through the proxy service on Admin No. 1's host, the attacker went on to search Google for other targets.
9. The attacker checked the contact list in Admin No. 1's mailbox for contact details of Target No. 2 and found the contact information of Target No. 2's chief scientist.
10. The attacker used the compromised mailbox of Admin No. 1 to launch a spear-phishing attack against the mailbox of Target No. 2's chief scientist, using the same tool as before.
11. At this point another attacker appeared, whom we call Attacker No. 2; Attacker No. 1 scanned Target No. 3's web server.
12. Using the same exploit tool, the attack found the same vulnerability on Target No. 3's host.
13. The compromised host of Target No. 3 returned a shell session to Attacker No. 3.
14. All of Target No. 3's data was stolen by Attacker No. 3.

In this way, by combining kill chain and Diamond Model analysis, we get both the attacker's intent and the target he is attacking, and at the same time we know his attack path. That is to say, at this point the attacker is within our grasp.
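The following is an added example, not code from the original post: it records each step of the narrative above as a Diamond Model event (adversary, capability, infrastructure, victim, plus the attack-stage, result and confidence meta-features), and the phishing event from section 0x02 is simply steps 3 to 7 of it. The events are then grouped into activity threads by kill chain phase, which is the data behind a swimlane chart, and the script also finds the pivot points where a compromised victim is reused as attacker infrastructure, which is how separate threads are linked into one campaign. All adversary, victim and infrastructure names are assumed, and because the narrative's numbering of the second attacker is inconsistent, steps 11 to 14 are modelled as one adversary.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Phase(IntEnum):
    """Lockheed Martin kill chain phases, in attack order."""
    RECONNAISSANCE = 1
    WEAPONIZATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    C2 = 6
    ACTIONS_ON_OBJECTIVES = 7


@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond Model event: the four vertices plus a few meta-features."""
    step: int                 # position in the narrative (stands in for the timestamp)
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    phase: Phase              # meta-feature: attack stage (kill chain phase)
    result: str = "success"   # meta-feature: attack result
    confidence: float = 0.5   # analyst confidence in this event's attribution

    @property
    def thread(self) -> str:
        """Activity threads (swimlane lanes) are keyed on adversary-victim pairs."""
        return f"{self.adversary} -> {self.victim}"


# Constructed events for the 14-step narrative; all names are assumptions.
# Steps 11-14 are modelled as a single second adversary, Attacker2.
EVENTS = [
    DiamondEvent(1, "Attacker1", "Google hacking", "search engine", "Target1", Phase.RECONNAISSANCE),
    DiamondEvent(2, "Attacker1", "admin e-mail lookup", "search engine", "Target1", Phase.RECONNAISSANCE),
    DiamondEvent(3, "Attacker1", "spear-phishing mail", "attacker mail server", "Admin1 host", Phase.DELIVERY),
    DiamondEvent(4, "Attacker1", "Trojan attachment", "attacker mail server", "Admin1 host", Phase.EXPLOITATION),
    DiamondEvent(5, "Attacker1", "HTTP POST beacon", "C2 IP #1", "Admin1 host", Phase.C2),
    DiamondEvent(6, "Attacker1", "backup C2 in Trojan config", "C2 IP #2", "Admin1 host", Phase.C2, "observed", 0.9),
    DiamondEvent(7, "Attacker1", "TCP proxy service", "C2 IP #1", "Admin1 host", Phase.INSTALLATION),
    DiamondEvent(8, "Attacker1", "Google search via proxy", "Admin1 host", "Target2", Phase.RECONNAISSANCE),
    DiamondEvent(9, "Attacker1", "mailbox contact harvesting", "Admin1 host", "Target2", Phase.RECONNAISSANCE),
    DiamondEvent(10, "Attacker1", "spear-phishing mail", "Admin1 host", "Target2", Phase.DELIVERY),
    DiamondEvent(11, "Attacker2", "web server scan", "Attacker2 scanner", "Target3", Phase.RECONNAISSANCE),
    DiamondEvent(12, "Attacker2", "same exploit tool", "Attacker2 scanner", "Target3", Phase.EXPLOITATION),
    DiamondEvent(13, "Attacker2", "reverse shell session", "Attacker2 listener", "Target3", Phase.C2),
    DiamondEvent(14, "Attacker2", "data theft", "Attacker2 listener", "Target3", Phase.ACTIONS_ON_OBJECTIVES),
]


def build_swimlanes(events):
    """Group events by activity thread, then by kill chain phase (the swimlane rows)."""
    lanes = defaultdict(lambda: defaultdict(list))
    for ev in sorted(events, key=lambda e: e.step):
        lanes[ev.thread][ev.phase].append(ev.step)
    return {thread: dict(phases) for thread, phases in lanes.items()}


def furthest_phase(events, thread):
    """The deepest kill chain phase an activity thread reached, or None if unknown."""
    phases = [ev.phase for ev in events if ev.thread == thread]
    return max(phases) if phases else None


def find_pivots(events):
    """Steps whose infrastructure is the victim of an earlier successful
    exploitation: the points where one thread's victim becomes the next
    thread's infrastructure, linking the threads into one campaign."""
    compromised = set()
    pivots = []
    for ev in sorted(events, key=lambda e: e.step):
        if ev.infrastructure in compromised:
            pivots.append(ev.step)
        if ev.result == "success" and ev.phase >= Phase.EXPLOITATION:
            compromised.add(ev.victim)
    return pivots


if __name__ == "__main__":
    for thread, phases in build_swimlanes(EVENTS).items():
        print(thread, {p.name: steps for p, steps in phases.items()})
    print("pivot steps:", find_pivots(EVENTS))
```

Running the script prints one lane per adversary-victim pair with the narrative steps under each phase; steps 8 to 10 come out as pivots because their infrastructure, Admin No. 1's host, is the victim compromised at step 4.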

0x04 security defense matrix based on the kill chain:

In fact, based on the kill chain, we can design a security defense matrix, as shown in the following figure:

Of course, this is for reference only.
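As an added example that is not the post's own figure, the matrix below follows the layout of the course-of-action matrix in Lockheed Martin's kill chain paper: one row per kill chain phase, one column per course of action (detect, deny, disrupt, degrade, deceive, destroy). The controls written into the cells are assumed, illustrative entries. Beyond rendering the table, the script checks the matrix for gaps and, for an activity thread such as Attacker No. 2's path above, reports the earliest phase at which a preventive control existed: stopping the attacker there removes every later phase of the thread, which is the defensive point of phase-based analysis.

```python
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "c2", "actions_on_objectives"]
ACTIONS = ["detect", "deny", "disrupt", "degrade", "deceive", "destroy"]

# Illustrative matrix; every control listed here is an assumed example entry.
MATRIX = {
    "reconnaissance": {"detect": "web analytics"},
    "weaponization": {"detect": "mail gateway attachment analysis"},
    "delivery": {"detect": "vigilant user", "deny": "proxy filter",
                 "disrupt": "inline AV", "degrade": "queuing"},
    "exploitation": {"detect": "HIDS", "deny": "patch", "disrupt": "DEP"},
    "installation": {"detect": "HIDS", "deny": "chroot jail", "disrupt": "AV"},
    "c2": {"detect": "NIDS", "deny": "firewall ACL", "disrupt": "NIPS",
           "degrade": "tarpit", "deceive": "DNS redirect"},
    "actions_on_objectives": {"detect": "audit log", "degrade": "QoS",
                              "deceive": "honeypot"},
}


def validate_matrix(matrix):
    """Return a list of problems: unknown phases or actions, and phases with no control."""
    problems = []
    for phase, cell in matrix.items():
        if phase not in KILL_CHAIN:
            problems.append(f"unknown phase: {phase}")
        for action in cell:
            if action not in ACTIONS:
                problems.append(f"unknown action in {phase}: {action}")
    for phase in KILL_CHAIN:
        if not matrix.get(phase):
            problems.append(f"no control for phase: {phase}")
    return problems


def detection_gaps(matrix, observed_phases):
    """Phases of an activity thread for which the matrix has no 'detect' control."""
    return [p for p in KILL_CHAIN
            if p in observed_phases and "detect" not in matrix.get(p, {})]


def earliest_break(matrix, thread_phases, actions=("deny", "disrupt")):
    """First phase (in kill chain order) of the thread at which a preventive
    control exists, as (phase, action, control); None if the chain could not
    have been broken anywhere along this thread."""
    for phase in KILL_CHAIN:
        if phase not in thread_phases:
            continue
        for action in actions:
            control = matrix.get(phase, {}).get(action)
            if control:
                return phase, action, control
    return None


def render(matrix):
    """Plain-text rendering of the matrix, one row per kill chain phase."""
    width = max(len(p) for p in KILL_CHAIN)
    header = " " * width + " | " + " | ".join(a.ljust(12) for a in ACTIONS)
    rows = [header]
    for phase in KILL_CHAIN:
        cell = matrix.get(phase, {})
        rows.append(phase.ljust(width) + " | " +
                    " | ".join(cell.get(a, "-").ljust(12) for a in ACTIONS))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(MATRIX))
    # Attacker No. 2's thread from the swimlane narrative: recon, exploit, shell, theft
    attacker2 = ["reconnaissance", "exploitation", "c2", "actions_on_objectives"]
    print("matrix problems:", validate_matrix(MATRIX))
    print("detection gaps:", detection_gaps(MATRIX, attacker2))
    print("earliest break:", earliest_break(MATRIX, attacker2))
```

With the illustrative entries, the reconnaissance phase only has a detect control, so the earliest point at which Attacker No. 2's thread could have been broken is the exploitation phase (patching); a thread that stops at reconnaissance returns no break point at all, which is the honest answer for a phase that happens outside the defender's control.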

Part 2 is over. I haven't figured out what to write for part 3 yet; that will come later.

Related PPT: