Webinar: The 4 Qualities Of Good Cyber Threat Intelligence

Transcription

21 January 2022
Webinar: The 4 Qualities of Good Cyber Threat Intelligence
Tom Winston, Ph.D., Director of Intelligence, Dragos, Inc.

Overview
In today's webinar:
- Cyber Threat Intelligence
- Sourcing and confidence in threat intelligence
- How to apply the Diamond Model
- How threats differ across industries

Overview: What is threat intelligence?
Threat intelligence is the actionable knowledge and insight on adversaries and their malicious activities, enabling defenders and their organizations to reduce harm through better security decision making.

Overview: Generic threat intelligence
Not good enough for industrial control systems. Threat intelligence needs:
- Context: threat assessment and impact
- Action: recommended action

Overview: Not all threat intelligence is equal
Good threat intelligence follows CART.
An organization consuming high-quality threat intelligence will be able to leverage it across their cybersecurity program to improve detection, response, and prevention, informing everyone from the most technical defenders and operators to the most strategic decision makers.
High-quality threat intelligence, applied diligently, can differentiate mediocre cybersecurity programs from great programs. For industrial control networks, where the impact of a cybersecurity incident can mean millions in business losses, reputational damage, an environmental disaster, or loss of life, the diligent application of high-quality threat intelligence is now an absolute necessity.

Overview: With good CTI, organizations can leverage:
- Improved detection
- Response
- Prevention
- Sharing critical information with technical defenders and strategic decision makers

Overview: Value of good CTI
It can differentiate mediocre from high-quality cybersecurity programs. ICS cyber security incidents can:
- Halt operations
- Cost millions in damage
- Damage reputation
- Cause loss of life, or
- Cause an environmental disaster

CTI must follow CART:
- Completeness
- Accuracy
- Relevance
- Timeliness

Good CTI and CART
- The four qualities are a clear gradient, not binary; how much of each is needed depends on the use case.
- Timeliness is a good example of this gradient: some intelligence (likely more strategic) has a more fluid timeliness requirement, while tactical threat intelligence has stricter requirements.

Cyber Threat Intelligence:
- Is knowledge: the outcome of an analytic process using hypothesis-led and evidence-based analysis from a variety of data sources.
- Produces insights on adversaries and their malicious activity.
- Enables defenders and their organizations to improve their security decision making.
- Reduces harm when teams use the insight to improve their entire cybersecurity posture.

CTI, when integrated into a security program:
- Reduces both mean time to recovery during cybersecurity incidents and adversary dwell time, both metrics of high interest to ICS asset owner-operators and information technology operators.
- Works much like weather forecasting: it allows organizations and individuals to shelter and prepare.
- Details how adversaries compromise and disrupt systems.
- Enables defenders to better prepare to protect themselves before, during, and after an incident.

CTI delivers on this goal by using a variety of data to produce knowledge on adversaries, such as:
- Who adversaries are, comprising the actors, sponsors, and employers
- What adversaries use, including their capabilities and infrastructure
- Where adversaries target, detailing industries, verticals and geographic regions
- When adversaries act, identifying timelines and patterns of life
- Why adversaries attack, including their motives and intent
- How adversaries operate, focused on their behaviors and patterns

CTI: 3 Question Rule
- Threat: What is the threat? Addressing who, what, where, when, why and how.
- Impact: What is the impact to an organization if the threat were realized?
- Action: Which actions mitigate the threat in both the near- and mid-term?

CTI: Two Elements
- Context: Describes the threat and proves or disproves the relevance and impact to the audience.
- Action: Which actions mitigate the threat in both the near- and mid-term.

CTI: Threat intelligence actions include:
- Detective guidance, such as technical indicators or signatures of the activity, to support identifying breaches in an environment
- Policy guidance to protect the organization from a potential disruption, hopefully leading to threat prevention
- Detailed threat behavior to enable hunting for similar behavior
- Data collection suggestions to support effective detection
- Threat scope and impact details supporting risk-based strategic decision-making

CTI: 3 categories

Threat Intelligence Type | Audience | Description
Tactical | Security Operations; Network Defenders; Incident Response | Technical indicators and behaviors to inform network-level action and remediation
Operational | Threat Hunters; Incident Response; Security Leadership | Intelligence on adversary behavior informing holistic remediation, threat hunting, behavioral detection, purchasing decisions, and data collection
Strategic | Security Leadership; Organizational Leadership | Places the threat into a business context and describes strategic impact, informing risk management and organizational direction

CTI: Using threat intelligence
There is no one-stop shop for solving the complexities of protecting critical assets in any environment. CTI complements:
- Detection
- Response
- Prevention


CTI: IT vs. OT threat intelligence
There is no "universal" threat intelligence. Threat intelligence products should be tailored for the use cases and security demands of specific classes of environments. ICS threat intelligence covers:
- Interested adversaries
- Direct ICS threats
- Indirect ICS threats

CTI: ICS threat intelligence
- Interested adversaries: Intelligence on activities of adversaries known to have an interest in control systems and operations networks. Example: DRAGONFLY compromises victim networks to gather information on the industrial control system and related operations, but has not yet been identified disrupting or directly interfacing with industrial control systems.
- Direct ICS impact: Intelligence on threats directly affecting the operation of industrial control systems. Example: CRASHOVERRIDE is a malware framework designed and deployed to disrupt electric power transmission.
- Indirect ICS impact: Intelligence on threats not associated with industrial control systems but with a high likelihood of disrupting their operation. Example: WANNACRY ransomware does not target industrial control systems, but its capability has shown to be debilitating to organizations when it can access operational networks.

CTI: Three things that distinguish products
- Data sources and visibility: A producer must have the data sources and visibility into the threats affecting the customer's environment. Without the proper data, there can be no relevant intelligence.
- Contextual awareness: A producer must have an understanding of the customer's business in order to make intelligence immediately relevant. Otherwise, the customer must translate all intelligence into their domain themselves.
- Action and relevance: A producer must understand the customer's operations so that they may recommend proper actions without causing any undue harm or simply stating generic best practices.

Intelligence sources
CTI sources are typically:
- Data sources (PCAP, other forensic artifacts such as log files, physical media)
- Telemetry / NetFlow data
- Endpoint devices (third party)
- Data historians, or databases

Intelligence sources:
- Can have blind spots
- Exhibit collection bias
- Require corroboration
- For ICS, must include specific ICS honeypots to gain actionable insight, looking beyond port 502 (Modbus) and 20000 (DNP3)
- Need asset visibility to understand context
- Need subject matter expertise on the intricacies of ICS environments
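The asset-visibility point above, turned into a runnable check. This is an added example, not code from the webinar or from Dragos: it assumes a constructed asset inventory of which hosts are expected to speak Modbus/TCP and DNP3 to which controllers, plus a handful of other ICS application ports beyond 502 and 20000, and runs over constructed flow records. Without the inventory, a flow to port 502 is just a flow; with it, the same telemetry yields a finding with context (unexpected talker vs. probable scan).

```python
"""Flag unexpected ICS-protocol talkers in flow telemetry.

Added example, not Dragos code. The asset inventory, hosts and flow records
below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# ICS/OT application ports worth baselining. Not exhaustive; the point is
# that watching 502 and 20000 alone misses much of what lives on an OT network.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (explicit messaging)",
    2222: "EtherNet/IP (implicit I/O)",
    102: "S7comm / ISO-TSAP",
    4840: "OPC UA",
    47808: "BACnet/IP",
    1911: "Niagara Fox",
}

# Constructed asset inventory: (client, server, port) triples that are expected
# to carry a given ICS protocol. Anything else on these ports is anomalous.
EXPECTED_FLOWS = {
    ("10.10.1.5", "10.10.2.10", 502),     # HMI -> PLC-A (Modbus)
    ("10.10.1.5", "10.10.2.11", 502),     # HMI -> PLC-B (Modbus)
    ("10.10.1.6", "10.10.2.20", 20000),   # SCADA master -> RTU (DNP3)
}

SCAN_THRESHOLD = 3  # distinct unexpected ICS endpoints before we call it a scan


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int


def parse_flow_line(line):
    """Parse a constructed whitespace-delimited record '<src> <dst> <dport> <packets>'.
    Returns None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, dport, packets = line.split()
    return Flow(src, dst, int(dport), int(packets))


def find_unexpected_ics_talkers(lines):
    """Return a list of (Flow, protocol_name, reason) for flows on ICS ports that
    are not in the inventory. A source touching SCAN_THRESHOLD or more distinct
    unexpected ICS endpoints is reported as a probable scan rather than as a
    set of isolated unexpected pairs."""
    findings = []
    per_src_targets = defaultdict(set)
    for line in lines:
        flow = parse_flow_line(line)
        if flow is None or flow.dport not in ICS_PORTS:
            continue  # not ICS traffic; out of scope for this check
        if (flow.src, flow.dst, flow.dport) in EXPECTED_FLOWS:
            continue  # known-good pair from the inventory
        per_src_targets[flow.src].add((flow.dst, flow.dport))
        findings.append((flow, ICS_PORTS[flow.dport], "not in asset inventory"))
    scanners = {s for s, t in per_src_targets.items() if len(t) >= SCAN_THRESHOLD}
    return [(f, p, "probable ICS port scan" if f.src in scanners else r)
            for f, p, r in findings]


# Constructed sample telemetry (not real data): three inventoried flows, one
# non-ICS flow, one host sweeping four controllers, one unexpected single pair.
SAMPLE_FLOWS = """
# src dst dport packets
10.10.1.5 10.10.2.10 502 120
10.10.1.5 10.10.2.11 502 98
10.10.1.6 10.10.2.20 20000 40
10.10.1.5 10.10.2.10 443 12
10.10.9.77 10.10.2.10 502 3
10.10.9.77 10.10.2.11 502 3
10.10.9.77 10.10.2.20 20000 2
10.10.9.77 10.10.2.30 44818 2
10.10.1.8 10.10.2.10 502 15
"""

if __name__ == "__main__":
    for flow, proto, reason in find_unexpected_ics_talkers(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} ({proto}, {flow.packets} pkts): {reason}")
```

Run as-is and the sweep from 10.10.9.77 is reported as a probable scan on all four of its flows, while 10.10.1.8 talking Modbus to PLC-A is a single unexpected pair; the inventoried HMI and SCADA-master flows produce nothing. The inventory is doing the work here, which is the slide's point: the same NetFlow feed without asset context cannot tell the engineering workstation from the scanner.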

Sources and confidence
- All sources need confidence levels
- Good assessments use corroborated sources
- Sources should be described in terms of context
- If data comes from a third-party tool, it must be attributed to that tool

Intelligence sources and confidence
Assessments in CTI require confidence levels. Sherman Kent (CIA Kent School of Analysis) defined confidence levels as Kent's Words of Estimative Probability.

Intelligence sources and confidence: Kent's Words of Estimative Probability

Term | Probability
Certain | 100%
Almost certain | 93%
Probable | 75%
Chances about even | 50%
Probably not | 30%
Almost certainly not | 7%
Impossible | 0%

CTI: Low confidence assessment
A hypothesis that is supported with available information. The information is likely single sourced and there are known collection/information gaps. However, this is a good assessment that is supported. It may not be finished intelligence, though, and may not be appropriate as the only factor in making a decision.

CTI: Moderate confidence assessment
A hypothesis that is supported with multiple pieces of available information, and collection gaps are significantly reduced. The information may still be single sourced, but there are multiple pieces of data or information supporting this hypothesis. We have accounted for the collection/information gaps even if we haven't been able to address all of them.

CTI: High confidence assessment
A hypothesis is supported by a predominant amount of the available data and information. It is supported through multiple sources, and the risk of collection gaps is all but eliminated. High confidence assessments are almost never single sourced. There will likely always be a collection gap, even if we do not know what it is, but we have accounted for everything possible and reduced the risk of that collection gap; even if we cannot get collection/information in a certain area, it is all but certain not to change the outcome of the assessment.

Diamond Model
It's all about context. Dragos defines 4 qualities of an activity group:
- Infrastructure
- Adversary
- Capabilities
- Victims

Dragos Activity Groups: The Diamond Model
- Infrastructure: C2 nodes; domains; hosting; obfuscation
- Adversary: associations with other groups/activities; home base; languages/cultural references; working hours; pattern of life; expertise; operational discipline
- Capabilities: malware type (operational, open source, bespoke); exploit development; tools
- Victims: espionage or disruption, or both?; target description; apparent target objectives
At Dragos, an AG is only named if the adversary aims for or purposefully affects the ICS and/or OT of its target.

Parasite (2017 - 2020)
ICS impact: Operations focus on ICS-related organizations, limited to IT network actions for initial access and information collection.
- Adversary: No links to tracked activity groups
- Infrastructure: Adversary-controlled domains and infrastructure for C2 and delivery; Tor exit node to launch attacks
- Capabilities: Exploiting known VPN vulnerabilities; SSH.NET, MASSCAN, dsniff, Impacket
- Victims: Oil & Gas, Aerospace, Utilities, Government, NGOs; US, Middle East, Australia, Europe

Parasite (2020 - 2021)
ICS impact: Secondary disruption to OT networks and the risk of sensitive OT data leakage through ransomware deployment.
- Adversary: No links to tracked activity groups
- Infrastructure: Adversary-controlled domains and infrastructure utilizing self-signed SSL certificates
- Capabilities: Deployment of Pay2Key ransomware
- Victims: Critical infrastructure and Oil & Gas entities; Israel, Europe (unconfirmed)

Xenotime (since 2014)
ICS impact: Demonstrated capability to execute disruptive ICS attacks, such as the 2017 TRISIS incident.
- Adversary: Unique tool development
- Infrastructure: Virtual private servers and compromised legitimate infrastructure; European web hosting providers; Asian shipping company
- Capabilities: TRISIS; custom credential harvesting; off-the-shelf tools
- Victims: Oil & Gas, Electric Utilities; Middle East, Europe, North America, Australia

Every industry is different
Different industry verticals: ONG (oil and gas), Electric, Pharma, Chemical. What differs? Environments and impacts.

Industry vertical
- Context is key (I said this before)
- Subject matter expertise
- Each vertical has a potentially unique environment
- What about OT? OT is OT, but how it is implemented can differ, as can how it interfaces with IT

OT interfaces with IT
This will likely differ greatly across verticals.

Sources
- al-Control-ThreatIntelligence-Whitepaper.pdf
- ood-threat-intelligence/
- Sherman Kent and the Profession of Intelligence Analysis, Center for the Study of Intelligence, Central Intelligence Agency, November 2002, p. 50
- http://www.robertmlee.org/blog/
