
Threat Hunting II: Generating Hypotheses - Safe Village

Posted by fierce at 2020-03-08

(1) Introduction

Threat hunting is an active, iterative approach to detecting threats. As described in The Sliding Scale of Cyber Security (www.sans.org/reading-room/whitepapers/analyst/sliding-scale-cyber-security-36240), hunting falls into the Active Defense category because it is carried out mainly by human analysts. Although the hunter needs automation and machine assistance, the process itself cannot be fully automated, and no product can replace the analyst in a hunt. Analysts start from an initial idea and try to discover malicious activity in the environment. We usually call this initial idea the hunting hypothesis, but it is simply a statement of a potential threat to the environment and of how one would go about finding it.

There are two key components of a sound hunting hypothesis. First, an analyst's ability to create a hypothesis comes from observation. An observation may be simple, such as noticing something that "looks wrong", or more complex, such as inferring an adversary's likely activity from a combination of past experience with that adversary and external threat intelligence.

The second is that the hypothesis must be verifiable and testable: there must be at least some chance of finding data with which to test it. Good hunting depends on the hunter knowing which data and techniques are needed to test the hypothesis. To test a hypothesis fully, the hunter must also be able to use what is known about the environment. A good threat hunting platform supports analysts in forming hypotheses and lowers the barrier to testing them by providing the data and tools the tests need.

Hypotheses typically draw on three sources, which can be combined:

• Threat intelligence

• Situational awareness

• Domain expertise

This guide explores these three types of hypotheses and outlines how and when to develop them.

(2) Intelligence-driven hypotheses

The concept of intelligence-driven defense has entered the mainstream of network security, bringing with it threat intelligence, indicators of compromise (IOCs), and adversary tactics, techniques and procedures (TTPs). Hypotheses cannot be generated by tools; hypothesis generation is a human-driven process. Intelligence serves as the basis for the questions analysts ask in order to form hypotheses.

Even when an IOC search does not lead directly to a hypothesis, it may still surface alerts and log entries, and the hunter can decide which of these to investigate first. Search results can lead to a hypothesis because the hunter begins to ask questions about the data and about what activity it might represent. In such cases the initial IOC does not generate the hypothesis, but the results of the IOC search help to.

There are many ways IOCs can help analysts ask questions, including:

• where defenders find the IOC in their environment

• how adversaries hide

• overlap between C2 servers across multiple adversary intrusions or campaigns

• how adversaries gain access to C2 servers, and the complexity associated with the adversary

The hunter must pay attention to where an IOC comes from, considering not only the credibility of the source but also the kill chain stage the IOC belongs to. An IOC from the "reconnaissance" phase supports a very different analysis from one from the "exploitation" or "installation" phase, and the two may generate different hypotheses.

Hunters should be cautious about relying on IOCs. Today's industry has many threat data feeds that lack context and are not true indicators of compromise. If an analyst tries to form hypotheses from the data in such a feed or from the IOCs in an intelligence report, low-quality matches will quickly overwhelm the analyst. Bad indicators may still hit on data, but the many false positives usually waste the analyst's time. IOCs can speed up the process, but hunters should aim at the top of the Pyramid of Pain (http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html): understanding the adversary's tactics, techniques and procedures (TTPs).

However, good IOCs often lead to the discovery of other high-quality indicators, and so do good hunts and good hunting hypotheses. Do not treat "what if" as a static process: even if there is not enough time to explore a hypothesis fully now, it can be picked up in a later hunt.

A good intelligence-driven hypothesis considers the geopolitical assessment and the threat landscape, and tries to combine low-confidence warnings and indicators with additional information to determine whether they are useful. The threat hunter should use refined, contextualized threat intelligence to form hypotheses and initiate a hunt. Intelligence-driven hypotheses may lead to the fastest discoveries, but analysts still need to understand their operating environment.

Forming hypotheses for future hunts

Hypothesis generation is not a static process. Consider this example. While investigating activity, the threat hunter forms two hypotheses:

1. The adversary maintains persistence by modifying a registry key.

2. The adversary maintains persistence through a rootkit in graphics card memory.

Result: the threat hunter decided that registry key modification was the more likely of the two and would take less time and resources to investigate, so she pursued that hypothesis, which proved correct. Instead of abandoning the video card rootkit hypothesis, she records it and explores techniques for testing it in a future hunt.
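What testing hypothesis 1 looks like in practice, as an added example that is not part of the original article or the SANS paper: the hunt runs over Sysmon-style Event ID 13 (registry value set) records exported as JSON lines and keeps only writes to autostart keys that the environment's installer baseline does not explain. The sample events, the autostart-key patterns, the baseline of legitimate writers and the user-writable directory list are all constructed for this illustration.

```python
"""Testing 'persistence via a registry key' over constructed registry telemetry."""
import json
import re
from typing import Dict, List

# Autostart extensibility points (ASEPs): keys whose values cause code to run
# at boot or logon. Subset chosen for the example; not a complete list.
ASEP_RE = re.compile(
    r"\\CurrentVersion\\Run\\"
    r"|\\CurrentVersion\\RunOnce\\"
    r"|\\Winlogon\\Userinit$"
    r"|\\Winlogon\\Shell$"
    r"|\\Image File Execution Options\\[^\\]+\\Debugger$",
    re.IGNORECASE,
)

# Processes expected to write ASEPs in this hypothetical environment
# (software installers). Anything else writing an ASEP deserves a look.
BASELINE_WRITERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\explorer.exe",
}

# A persisted binary living in a user-writable directory is a second signal.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.IGNORECASE
)

# Constructed sample telemetry: four registry-value-set events and one
# unrelated event type, serialised the way a JSON-lines export would be.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS-042",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Computer": "WS-042",
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"EventID": 13, "Computer": "WS-017",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "Computer": "SRV-FS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\svc\helper.exe"},
    {"EventID": 1, "Computer": "WS-017",
     "Image": r"C:\Windows\explorer.exe", "TargetObject": "", "Details": ""},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def hunt_registry_persistence(log_text: str) -> List[Dict]:
    """Return one finding per autostart-key write not explained by the baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 13:           # only registry value-set events
            continue
        key = ev.get("TargetObject", "")
        if not ASEP_RE.search(key):           # not an autostart location
            continue
        image = ev.get("Image", "")
        reasons = ["autostart key modified"]
        if image.lower() not in BASELINE_WRITERS:
            reasons.append("writer not in installer baseline")
        if USER_WRITABLE_RE.search(ev.get("Details", "")):
            reasons.append("value points into a user-writable directory")
        if len(reasons) == 1:
            continue  # baselined installer writing a normal path: not worth analyst time
        findings.append({"host": ev.get("Computer"), "image": image,
                         "key": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_registry_persistence(SAMPLE_LOG):
        print(f["host"], f["key"], "|", "; ".join(f["reasons"]))
```

The hypothesis is testable because the data (registry telemetry) and the technique (an allow-list of expected writers plus a second, independent signal) both exist; the untested GPU-rootkit hypothesis is the kind of item that goes into a backlog until the telemetry to test it is available.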

(3) Situational awareness

Situational awareness requires visualizing and understanding the network environment and its elements so that the analyst can grasp its dynamic nature across time and change. In short, defenders must understand their environment and be able to recognize when a significant change has occurred. With this situational awareness, analysts can form appropriate hypotheses about the adversary activity that might occur in their environment.

Situational awareness lets defenders focus on the most important assets and information. Identifying the resources critical to the organization's mission is known as crown jewels analysis (CJA). A hunter with this knowledge can ask what an adversary would look for once inside the network. This leads the hunter to consider which types of data are most useful to collect in the environment (and where to collect them) so that they can begin looking for the adversary's activity.

Crown jewels analysis (CJA) process

Preparing a CJA requires the organization to:

• identify the organization's core missions;

• map the missions to the assets and information they depend on;

• discover and record the resources on the network;

• build an attack map:

– identify dependencies on other systems or information;

– analyze potential attack paths to the assets and their interconnections;

– assess any potential vulnerabilities by severity.

This analysis lets the hunter prioritize actions to protect the assets that are most important to the organization and most likely to be threatened.
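The attack-map step carried through in code, as an added example that is not part of the original article or the SANS paper: a constructed asset inventory (mission-critical flag, exposure, severity of the worst known weakness) and dependency edges are turned into enumerated attack paths from entry points to crown jewels, ranked by a scoring rule assumed here (a path is only as easy as its hardest hop), plus the non-jewel assets that most paths pass through, which is where collection and monitoring buy the most coverage. All asset names, scores and edges are constructed.

```python
"""Crown jewels analysis: from an asset/dependency inventory to a prioritized attack map."""
from collections import Counter
from typing import Dict, List, Tuple

# Steps 2-3: assets mapped to mission (crown_jewel), exposure (entry_point) and
# the severity of their worst known weakness on a 0-10 scale. Constructed.
ASSETS: Dict[str, Dict] = {
    "web-portal":     {"severity": 7.5, "crown_jewel": False, "entry_point": True},
    "vpn-gw":         {"severity": 4.0, "crown_jewel": False, "entry_point": True},
    "jump-host":      {"severity": 6.0, "crown_jewel": False, "entry_point": False},
    "app-server":     {"severity": 3.0, "crown_jewel": False, "entry_point": False},
    "hr-db":          {"severity": 8.0, "crown_jewel": False, "entry_point": False},
    "rd-fileserver":  {"severity": 5.5, "crown_jewel": True,  "entry_point": False},
    "rd-source-repo": {"severity": 2.0, "crown_jewel": True,  "entry_point": False},
}

# Step 4: attack map. An edge A -> B means an attacker holding A can attempt to
# move to B (network reachability or a trust relationship). Constructed.
EDGES: Dict[str, List[str]] = {
    "web-portal": ["app-server"],
    "vpn-gw": ["jump-host", "app-server"],
    "jump-host": ["rd-fileserver", "hr-db", "app-server"],
    "app-server": ["rd-fileserver", "hr-db"],
    "rd-fileserver": ["rd-source-repo"],
    "hr-db": [],
    "rd-source-repo": [],
}


def attack_paths(assets=ASSETS, edges=EDGES) -> List[List[str]]:
    """Enumerate simple paths from every entry point to every crown jewel."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if assets[node]["crown_jewel"]:
            paths.append(list(path))   # record, but keep walking: jewels can chain
        for nxt in edges.get(node, []):
            if nxt not in path:        # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for name, info in assets.items():
        if info["entry_point"]:
            walk(name, [name])
    return paths


def path_score(path: List[str], assets=ASSETS) -> float:
    """Assumed rule: the least-vulnerable hop gates the whole path."""
    return min(assets[n]["severity"] for n in path)


def prioritized_paths(assets=ASSETS, edges=EDGES) -> List[Tuple[float, List[str]]]:
    """Easiest (highest-scoring) paths first; shorter paths break ties."""
    scored = [(path_score(p, assets), p) for p in attack_paths(assets, edges)]
    return sorted(scored, key=lambda sp: (-sp[0], len(sp[1]), sp[1]))


def choke_points(assets=ASSETS, edges=EDGES) -> Counter:
    """Non-jewel assets ranked by how many attack paths pass through them."""
    counts: Counter = Counter()
    for p in attack_paths(assets, edges):
        for n in p:
            if not assets[n]["crown_jewel"]:
                counts[n] += 1
    return counts


if __name__ == "__main__":
    for score, p in prioritized_paths():
        print(f"{score:4.1f}  {' -> '.join(p)}")
    print("choke points:", choke_points().most_common(3))
```

With this inventory the hunter sees that the VPN gateway to jump host to R&D file server path is the easiest, and that the application server sits on most paths to the jewels, so telemetry from it tests more hypotheses per byte collected than telemetry from the HR database.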

A threat hunter who understands the assets and software on the network can rule out hypotheses that depend on technology or data not present in the environment. Analysts are creative, but they should avoid spending too much time on hypotheses that cannot lead to a successful hunt.

To keep up with rapidly changing infrastructure, software and vulnerabilities, threat hunters should take advantage of automation, particularly dashboards, reporting and risk scoring. Manually observing and recording every asset and data flow in an environment wastes analyst time and keeps analysts from devoting their time and mental clarity to generating hypotheses.

Situational awareness should not be limited to purely technical aspects. People, processes and business requirements are also key parts of an organization's threat profile. Failing to consider these factors often makes defense harder. Consider them together with technology assets and resources to maximize the defensive advantage.

Example of a situational awareness hypothesis

The analyst first looks at non-technical influences on the organization. The analyst learns that the company is about to acquire another company. The new company is located in a different part of the world, and its infrastructure will be connected to the new parent company's network. The analyst knows that the parent company will also inherit the acquired company's assets, data and vulnerabilities.

The hunter hypothesizes that the connection point between the two corporate networks will be abused by a threat actor (one who has already compromised the acquired company). To test this hypothesis, the analyst sets up additional monitoring that treats data flowing in and out of the new network connection as suspicious.
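One way to implement that monitoring, as an added example that is not part of the original article or the SANS paper: flow records are classified by whether they cross the interconnect, and every crossing flow is reviewed unless it matches the short list of services the integration plan expects, with extra weight when the parent-side address is in the R&D segment or the conversation is unusually large. The address ranges, expected-service baseline, bulk threshold and the NetFlow-style CSV records are all constructed.

```python
"""Treat traffic across a new interconnect as suspicious until it matches an expected service."""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

PARENT_NET = ipaddress.ip_network("10.0.0.0/8")        # parent company (constructed)
ACQUIRED_NET = ipaddress.ip_network("172.16.0.0/12")   # acquired company (constructed)
PARENT_RD_NET = ipaddress.ip_network("10.50.0.0/16")   # parent R&D segment: crown jewels

# Services the integration plan says should cross the link, by direction and
# destination port. Everything else crossing the link is reviewed. Constructed.
EXPECTED_SERVICES = {
    ("acquired->parent", 88),    # Kerberos against parent DCs
    ("acquired->parent", 389),   # LDAP
    ("acquired->parent", 636),   # LDAPS
    ("parent->acquired", 445),   # parent IT pushing files to acquired hosts
}
BULK_BYTES = 50_000_000  # one cross-link conversation above this is reviewed (assumption)

# Constructed flow records; the last one never touches the link.
SAMPLE_FLOWS = """ts,src,dst,dport,proto,bytes
2020-03-01T09:00:01,172.16.4.10,10.1.1.5,389,tcp,12000
2020-03-01T09:00:05,172.16.4.10,10.1.1.5,88,tcp,3000
2020-03-01T09:01:10,10.1.20.7,172.16.8.20,445,tcp,820000
2020-03-01T09:02:00,172.16.9.33,10.50.3.15,445,tcp,7400
2020-03-01T09:02:30,172.16.9.33,10.50.3.15,3389,tcp,150000
2020-03-01T09:03:00,10.50.3.15,172.16.9.33,443,tcp,91000000
2020-03-01T09:04:00,10.1.1.5,10.1.1.9,53,udp,200
"""


def direction(src: str, dst: str) -> str:
    """'acquired->parent', 'parent->acquired', or '' if the flow does not cross the link."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ACQUIRED_NET and d in PARENT_NET:
        return "acquired->parent"
    if s in PARENT_NET and d in ACQUIRED_NET:
        return "parent->acquired"
    return ""


def monitor_interconnect(csv_text: str) -> List[Dict]:
    """Return one alert per cross-link flow that has at least one reason for review."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # First pass: total bytes per cross-link conversation (src, dst).
    volume: Dict[tuple, int] = defaultdict(int)
    for r in rows:
        if direction(r["src"], r["dst"]):
            volume[(r["src"], r["dst"])] += int(r["bytes"])

    # Second pass: evaluate each crossing flow against the hypothesis.
    alerts = []
    for r in rows:
        d = direction(r["src"], r["dst"])
        if not d:
            continue  # internal traffic is out of scope for this hypothesis
        reasons = []
        if (d, int(r["dport"])) not in EXPECTED_SERVICES:
            reasons.append("service not in integration baseline")
        parent_side = r["dst"] if d == "acquired->parent" else r["src"]
        if ipaddress.ip_address(parent_side) in PARENT_RD_NET:
            reasons.append("touches R&D segment")
        if volume[(r["src"], r["dst"])] > BULK_BYTES:
            reasons.append("bulk transfer across link")
        if reasons:
            alerts.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                           "dport": int(r["dport"]), "direction": d, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in monitor_interconnect(SAMPLE_FLOWS):
        print(a["ts"], a["src"], "->", a["dst"], a["dport"], "|", "; ".join(a["reasons"]))
```

The baseline is deliberately small: during an integration the set of legitimate cross-link services is known in advance, which is what makes "everything else is suspicious" a testable hypothesis rather than a vague worry.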

(4) Domain expertise

Analytical experience matters in every aspect of analysis. Different analysts bring different experience, backgrounds and skills, all of which affect the hypotheses they generate.

In addition to domain expertise, a hunter's previous encounters with adversaries will shape later hypotheses, even about unrelated threats in a new environment. Analysts should not only develop their own skills through these experiences but also document the lessons learned and knowledge gained from previous hunts. The hunter should also share this documentation with the team as training material and a knowledge resource for new analysts. This approach lets the team grow and develop together.

Hunters with good domain expertise understand the environment and the threats, ask questions and generate hypotheses. In many ways, domain expertise combines situational awareness with intelligence (including its context). These are not always immediately relevant, but the knowledge they carry shapes today's threat hunter. Both kinds of information help the hunter ask good questions and generate good hypotheses.

Experience has an unwanted side effect: bias. Hunters must be aware of biases and other poor analytical habits that may affect them. For example, an analyst who has worked only in a government agency focused on threats from China may find that her domain expertise introduces a bias that leads her to generate hypotheses mainly about threats she has faced before. Bias can lead to defensiveness about sharing threat data, to poorly reasoned conclusions, and to analysts continuing to analyze a threat even when it no longer exists.

Analysts often rely on models and analytical frameworks to structure data so that it reveals attack patterns. One example is the Diamond Model of Intrusion Analysis, which asks hunters to place the data they find into the categories adversary, infrastructure, capability and victim. A model is a way of structuring data for analysis, which does not mean it fits every situation. Threat hunters make use of their domain expertise while understanding its limitations and how to guard against cognitive bias.

(5) Best practices

The best way to generate hypotheses is to combine the three types. Intelligence, combined with situational awareness and the analyst's domain expertise, produces hypotheses that are more likely to detect threats in the environment. The process should be guided, for example, by a hunting maturity model.

Hypothesis maturity

Not all hypotheses are good ones. The following example illustrates the difference in hypothesis maturity between a novice hunter and an experienced hunter who combines intelligence, situational awareness and domain expertise.

An IOC alert identifies a new file on a domain controller in one of the organization's business units. The hunter hypothesizes that the new file will also be found on the domain controllers of the other business units and checks each of them.

By contrast, the more experienced hunter starts from the crown jewels analysis, which shows that the data on the R&D network is the most important to the organization. From intelligence reports, the hunter learns that a new threat group has stolen proprietary research from similar organizations and that it uses malware resembling the file found on the domain controller. The hunter therefore hypothesizes that the IOC is one of several files the adversary is using, that sensitive research files are the adversary's target, and that they may be exfiltrated from the network over encrypted communications.
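The two hypotheses expressed as queries over the same telemetry, as an added example that is not part of the original article or the SANS paper. The novice query only asks whether the exact hash sits on other domain controllers; the mature one pivots from the hash to a tool family, narrows to the crown-jewel R&D hosts, looks for large encrypted outbound transfers from them, and checks whether other family hosts talk to the same destinations. The file and connection records, the placeholder hash values, the use of an "imphash" field as the family pivot and the 100 MB threshold are all constructed or assumed.

```python
"""Novice vs. mature hunting hypothesis over constructed endpoint and network telemetry."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

EXFIL_BYTES = 100_000_000  # outbound volume from one host to one external address (assumption)

# Address space considered internal for this hypothetical organization.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed endpoint telemetry: files observed per host. 'imphash' stands in
# for any attribute that groups variants of the same tool family.
FILES = [
    {"host": "DC-EAST",   "role": "dc",      "name": "svchost32.exe", "sha256": "sha256-A", "imphash": "imp-7f3"},
    {"host": "DC-WEST",   "role": "dc",      "name": "svchost32.exe", "sha256": "sha256-A", "imphash": "imp-7f3"},
    {"host": "DC-NORTH",  "role": "dc",      "name": "update.exe",    "sha256": "sha256-B", "imphash": "imp-7f3"},
    {"host": "RD-WS-07",  "role": "rd",      "name": "helper.dll",    "sha256": "sha256-C", "imphash": "imp-7f3"},
    {"host": "RD-WS-12",  "role": "rd",      "name": "notepad.exe",   "sha256": "sha256-D", "imphash": "imp-001"},
    {"host": "FIN-WS-03", "role": "finance", "name": "update.exe",    "sha256": "sha256-B", "imphash": "imp-7f3"},
]

# Constructed network telemetry: per-host outbound connection summaries.
CONNECTIONS = [
    {"host": "RD-WS-07",  "dst": "203.0.113.40", "dport": 443, "bytes_out": 420_000_000},
    {"host": "RD-WS-07",  "dst": "10.50.0.5",    "dport": 443, "bytes_out": 50_000},
    {"host": "RD-WS-12",  "dst": "198.51.100.9", "dport": 443, "bytes_out": 2_000_000},
    {"host": "DC-EAST",   "dst": "203.0.113.40", "dport": 443, "bytes_out": 12_000},
    {"host": "FIN-WS-03", "dst": "203.0.113.40", "dport": 443, "bytes_out": 9_000_000},
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def novice_hunt(ioc_hash: str) -> List[str]:
    """Hypothesis: 'the same file is on the other domain controllers'."""
    return sorted({f["host"] for f in FILES
                   if f["role"] == "dc" and f["sha256"] == ioc_hash})


def mature_hunt(ioc_hash: str) -> Dict:
    """Hypothesis: the IOC is one of several tools, R&D data is the target,
    and exfiltration happens over encrypted channels."""
    # 1. Pivot from the single hash to the tool family it belongs to.
    families = {f["imphash"] for f in FILES if f["sha256"] == ioc_hash}
    family_hosts = {f["host"] for f in FILES if f["imphash"] in families}
    # 2. Crown jewels: which R&D hosts carry anything from that family?
    rd_hosts = {f["host"] for f in FILES
                if f["host"] in family_hosts and f["role"] == "rd"}
    # 3. Large encrypted outbound transfers from those hosts to external addresses.
    exfil = sorted(
        (c["host"], c["dst"]) for c in CONNECTIONS
        if c["host"] in rd_hosts and c["dport"] == 443
        and is_external(c["dst"]) and c["bytes_out"] >= EXFIL_BYTES
    )
    # 4. Infrastructure overlap: family hosts sharing an external destination.
    seen: Dict[str, Set[str]] = defaultdict(set)
    for c in CONNECTIONS:
        if c["host"] in family_hosts and is_external(c["dst"]):
            seen[c["dst"]].add(c["host"])
    shared = {dst: hosts for dst, hosts in seen.items() if len(hosts) > 1}
    return {"family_hosts": sorted(family_hosts), "rd_hosts": sorted(rd_hosts),
            "exfil_candidates": exfil, "shared_destinations": shared}


if __name__ == "__main__":
    print("novice:", novice_hunt("sha256-A"))
    print("mature:", mature_hunt("sha256-A"))
```

The novice query is not wrong, only narrow: it answers one question and stops. The mature query finds a variant the exact-hash search would miss, an R&D host the domain-controller search would never look at, and a destination shared across the family that becomes a new, higher-quality indicator for the next hunt.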

Good hypothesis generation requires technology that supports answering the questions. Hypotheses must be testable. If hypotheses are untestable because they are not grounded in reality, analysts should reassess how they generate and prioritize them. If, however, a hypothesis cannot be tested because of a lack of data or analytical tools, that is a technical problem and should be fixed as soon as possible. Analysts should not rely on automation alone, but they should expect automation from the hunting platform. Platform support is essential to the threat hunting process.

Can the tools support it?

One way to find out whether there is a problem in your organization's security architecture is to examine the tools used to test hypotheses. If an analyst can generate a reasonable hypothesis but the tools cannot answer it, it is a technology problem. If the questions cannot be answered because the right data is missing, it is a data collection problem. Likewise, if analysts cannot generate hypotheses to test, they may lack experience: have them attend technical training, especially structured analysis training (http://chrissanders.org/2016/05/how-analysts-approach-investigations/), recommend community resources to them, and have them talk with other hunters, for example through the ThreatHunting Project.

Automation makes hunting repeatable and sustainable. Technology also helps lower the barriers organizations face in hunting today. There are not enough analysts with the domain expertise to handle all the threats currently observed. A platform can support intelligence-driven and situational-awareness-based hypotheses and so extend analysts' capabilities. Through this process, threat hunters also become better analysts, gaining valuable domain expertise over time. Successful hunting experience helps hunters become more successful.

Hypothesis generation is only the first step in discovering adversaries. The hunter must be careful not to spend so long on hypothesis generation that it cuts into the time and opportunity for investigation. Good hypotheses lead to good hunts, but defenders must not be timid about pursuing a hypothesis and testing it with tools and techniques. Failure is often part of the process and encourages better practice. In fact, many hunts detect no new adversary activity because none exists. Hunting is an agile process, and even a "failed" hunt improves security. Hunters should not hesitate to try new things. Threats keep evolving, and threat hunters need to make the most of their tools, data sets and analytical skills to hunt them.

Original link: https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172