Highway to the Danger Zone: Do APT reports hurt more than they help?
A discussion on sharing threat intelligence while balancing business objectives with cyber defense strategies.
I had the pleasure of attending the SANS CTI Summit a couple weeks ago. The red carpet was rolled out and all the industry’s biggest stars were there to talk about the most pressing topics facing the InfoSec world today. While there was a lot of consensus and agreement on items like what constitutes real intelligence and the power of harnessing internal resources, there were some lingering questions as well. Although everyone agreed that sharing with your friends is a good thing (circle of trust), there was some contention around publicly reporting Advanced Persistent Threat (APT) activity.
David J. Bianco, Security Technologist at Sqrrl Data, gave a great talk that tracked the statistics of APT reporting, including data such as page count, number of reports per year, as well as types and counts of indicators. He saw that the average page length of reports was decreasing while inclusion of tactics, techniques, and procedures (TTPs), hashes, and IP addresses increased. Most importantly for this discussion, he found an exponential growth in the number of APT reports released per year from 2010 through 2015. Sounds like a good trend, right? The more reports there are, the more everyone knows about cyber spies, and the better everyone’s defenses will be. That seems like a reasonable position to hold, but as the legend Lee Corso would say, “Not so fast, my friend!”
Quit hitting yourself
It’s always been assumed that public reporting burns intelligence, rendering the information all but useless. But for the first time (to my knowledge), we finally have the data to back that assumption up. Kristen Dennesen, Senior Threat Analyst at FireEye, gave a terrific presentation that revealed her work in tracking adversary reactions to public exposure. Interestingly, she noted a distinction between APT and cybercrime actors’ responses. Once exposed, cyber criminals tended to cease activities so as not to be prosecuted. However, nation state actors are not so easily cowed. She provided several compelling cases of APT actors shifting their TTPs shortly after the release of reports detailing their operations. Couple this phenomenon with observations that APT reports often lack substance (buzzword = actionable intelligence) and we appear to be accelerating down a dangerous path: reports furiously reveal what we know regarding APT activities while defenders are left to endure the consequences of continually shifting TTPs.
But why male models?
There have been hints of this dysfunction playing out in the coverage of the recent Ukraine power outages. A flurry of reports were released, but, perhaps in their haste to be first to press, not everyone seemed to be on the same page. Attackers don’t need exact or correct details about their own attacks - a simple mention of the target (Ukrainian utilities) and the attackers can recognize “Oh hey, that’s us!” and begin to adapt. And so, while it is immediately clear the jig is up to the threat actors behind these attacks, defenders are still awaiting the results of a full investigation (read: useful details) and must make do with the sparse information they have available. The irony is hard to miss (but I’ll spell it out anyway): reports meant to aid defenders and harm attackers often achieve the opposite.
I’d like to solve the puzzle Pat
While it would be great if we could all get together and agree to stop releasing reports that do more harm than good, I don’t think we’ll be reaching a consensus on that anytime soon. Refer to the tenets of the prisoner's dilemma from game theory, which states that two completely “rational” individuals might not cooperate, even if it appears it’s in their best interest to do so. One of the driving factors behind the growth in reporting is the inherent marketing value, which translates to sales. With everyone and their brother releasing intelligence reports, the marketing value has dropped significantly while the self-inflicted harm has only increased. Conversely, if reporting were halted, the damage would decrease while the marketing value of being the only one to release a report would significantly increase. What might be helpful is a change in this calculus such that it is more attractive, both ethically and financially, to cease publicly reporting APT behavior and find smarter approaches to information sharing.
Teach a man to (detect) phish
One possible approach was discussed by Rich Barger and Rob Simmons, the CIO and Senior Threat Researcher at ThreatConnect, respectively. In their talk (and corresponding blog), they observed that all too often, intelligence sharing consists of distributing the indicators of attacks as opposed to the processes used by defenders to develop or detect those indicators. Such a solution might solve the “stop telling bad guys everything we know about them” problem, but what about the more important side of the coin – the monetary value of reporting? Theoretically, reports detailing defender TTPs might garner more attention – and hence be of more value – standing out from the crowd of Indicators of Exhaustion by providing actual (buzzword alert) actionable intelligence. So what would APT reports look like if they took up the “teach a man to fish” maxim and enumerated defensive TTPs as opposed to lists of IoCs?
APT hates him, find out why!
Conveniently enough, I briefed a Lunch & Learn on this very topic at the CTI summit. Using documents reported to have been utilized in phishing campaigns against Ukrainian utilities, I walked through the process of deriving threat intelligence from malicious VBA objects. I demonstrated how open source tools can be used to extract VBA from documents, which can in turn be analyzed for useful information. This information was then developed into robust detections on the underlying weaponization methods used in the attacks - detections that can be used to prevent future derivations of these attacks. I used the Cyber Kill Chain® analysis framework to illustrate the power of detecting adversaries at the weaponization phase as opposed to later stages that are more susceptible to change. Finally, I examined how such a process could easily be operationalized using the open source Laika BOSS framework and extended to any other file type. Armed with this process and a concrete example, defenders are enabled to deploy similar methods to detect phishing emails with malicious attachments in their own environments.
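To make the "detect the weaponization method, not the indicator" idea concrete, here is an added example (not material from the Lunch & Learn, the Laika BOSS project, or the Ukrainian documents) that scores already-extracted VBA source against behaviour-level rules and decodes Chr()-assembled strings. The VBA snippet, the rule names and the assess_vba/is_weaponized/decode_chr_chains helpers are all constructed assumptions for illustration; extraction from the Office container itself is left to whatever open source tool the analyst already uses.

```python
import re

# Constructed sample of VBA source (an assumption for illustration; it is not taken
# from the documents discussed in the post). Only the structure matters: an
# auto-execution trigger, a Chr()-assembled string and a shell-execution primitive.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\\" & Chr(118) & Chr(98) & Chr(115)
    Call Launch(p)
End Sub
Private Sub Launch(ByVal target As String)
    Shell target, vbHide
End Sub
"""

# Each rule names a weaponization-phase behaviour rather than an artefact value.
# A hash or C2 address changes with every rebuild; how the macro is wired up rarely does.
WEAPONIZATION_RULES = {
    "auto_exec_trigger": re.compile(r"\bSub\s+(?:AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I),
    "execution_primitive": re.compile(r"\b(?:Shell|CreateObject|ShellExecute)\b", re.I),
    "chr_string_assembly": re.compile(r"\bChr\s*\(\s*\d+\s*\)", re.I),
    "environment_path_lookup": re.compile(r"\bEnviron\s*\(", re.I),
}

def assess_vba(source: str) -> dict:
    """Count how many times each weaponization behaviour appears in the VBA source."""
    return {name: len(rx.findall(source)) for name, rx in WEAPONIZATION_RULES.items()}

def is_weaponized(hits: dict) -> bool:
    """Alert only on the combination: code that runs without user interaction AND
    reaches an execution primitive. Either one alone is common in benign documents."""
    return hits["auto_exec_trigger"] > 0 and hits["execution_primitive"] > 0

# A chain of two or more Chr(n) calls joined with '&' is a string the author chose to hide.
CHR_CHAIN = re.compile(r"Chr\s*\(\s*\d+\s*\)(?:\s*&\s*Chr\s*\(\s*\d+\s*\))+", re.I)

def decode_chr_chains(source: str) -> list:
    """Resolve each Chr(n) & Chr(n) ... chain into the literal string it builds."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
            for m in CHR_CHAIN.finditer(source)]

if __name__ == "__main__":
    hits = assess_vba(SAMPLE_VBA)
    print("behaviour counts:", hits)
    print("weaponized:", is_weaponized(hits))
    print("decoded Chr() strings:", decode_chr_chains(SAMPLE_VBA))
```

The same rule table can be dropped into a file-scanning pipeline as one module per behaviour, so that a report can share the rule names and their rationale instead of the hashes of the documents that tripped them.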