Cyber Threat Intelligence in the SOC
Last week was Halloween, and this week marks the end of Daylight Savings, so it's only appropriate we begin the transition of being afraid of every possible threat towards being more efficient and saving time by utilizing Cyber Threat Intelligence within a security program!
The typical Security Operations Center (SOC) in an organization has a daunting task: detect and respond to threats across all aspects of the enterprise. A survey in 2017 stated that nearly 80% of Security Teams are overwhelmed with the number of alerts they receive (Monahan, 2017), experiencing what is known as "alert fatigue." This phenomenon can be detrimental to a security program and result in inadequate response to threats or breaches. A significant part of tackling the alert fatigue problem involves proper tuning of detection technologies, which can help analysts focus on the more valuable alerts and shed benign noise alerts. Beyond basic tuning, incorporating a Cyber Threat Intelligence (CTI) program to influence detection and prevention controls in an organization helps find real and active threats while simultaneously reducing the workload on SOC teams, allowing them to focus on the things that have the most significant impact protecting the organization.
Using Cyber Threat Intelligence to Inform the SOC
As discussed in my previous post, CTI informs organizations and security teams about which threats facing an organization are most pertinent and "real." There is little value in spending significant resources detecting and preventing specific attacks against technologies non-existent in an organization or from threat actors who have motivations and targets that do not intersect with your organization. This is why every new vulnerability or threat must be explicitly contextualized for the organization to calculate the overall risk.
When a new threat is identified, the CTI team must understand everything they can about the threat, combining multiple sources into a deliverable package for review by the SOC. The "intelligence" in the deliverable can be broken down into three categories (Anomali, 2021):
Category | Question Framing | Description |
---|---|---|
Tactical | What | Tactical intelligence is most commonly associated with CTI, mainly because it's where Indicators of Compromise (IOCs) fall. These are indicators that have been observed as being malicious and related to an identified threat. These include IP addresses, domain names, file hashes, file names, email addresses, etc. A SOC can take a list of IOCs and feed them into their toolsets, checking to see if there have been any historical events that include them which may indicate an incident. |
Operational | How/Where | Operational intelligence focuses on how and where threat actors operate. By studying past attacks, methodologies and habits of threat actors become more apparent and can be turned into operational intelligence. For example, certain groups may leverage a specific Command & Control infrastructure, use a particular toolset, leverage specific techniques for persistence, etc. |
Strategic | Who/Why | Strategic intelligence is the more challenging type of intelligence to produce as it requires a vast amount of resources and data to be effective. Typically this type of intelligence is outsourced because organizations rarely can perform this internally at the scale required. Often it's thought of as strictly attributing an incident to a specific group; however, it encompasses more. It involves combining data from multiple past incidents to build a profile of the bad actors behind attacks to understand their motives and how they choose their victims, how they are funded, etc.—knowing who is targeting your organization and why dictates where defense resources should be allocated. |
This requires the CTI team to be well researched on threats and the organization's environment they're protecting. At the very least, it's expected a CTI team should be capable of the following:
- Inventory what technologies are used across the organization's enterprise, including patch level/versions
- Know the locations/systems that the business has identified as the highest risk (the crown jewels) to the organization
- Identify who the stakeholders are for any decision making
- An understanding of the organization's security policy as it pertains to technology and data handling standards
- Familiarity with the implemented security controls
AT&T has outlined the process of building a SOC on their Cybersecurity portal, which includes how to incorporate CTI into the program. Once a potential threat is identified, AT&T Cybersecurity suggests a CTI team must answer the following questions:
- What role does this indicator (or activity) play in an overall threat?
- Does its presence signify the beginning of an attack (reconnaissance and probing vs. delivery and attack)? Or a system compromise? Or data leakage?
- Is this threat actor known for this type of behavior?
- Is there significance in the asset that's been targeted?
- How sophisticated is this particular indicator (e.g., malware sample)?
- What are the motivations of the threat actor behind this activity?
- What are the other activities that occurred on the same asset before and after this one?
- What about my other assets now or in the past?
The answer to those questions, coupled with data points from the three intelligence levels, can inform the SOC how relevant a threat is to the organization and what opportunities for identification and prevention there may be.
Threat Actor Overview: FIN7 and Darkside/Blackmatter Ransomware
As a financially motivated actor, FIN7 has been active since 2013 and has targeted United States' businesses, primarily using point-of-sale malware to steal credit cards from retailers (MITRE, 2021). That also makes it one of the oldest eCrime/cybercrime groups still active today. FIN7 is a Russian group that has operated under a front company called Combi Security, with headquarters in Moscow, Haifa, and Odessa. There have been numerous job postings for Combi Security and individuals identified who were employed at certain times. Because of that, it is suspected some people may be unaware they had been working for a criminal organization (Carr et al., 2018). Within the last year, FIN7 began to change from selectively targeting businesses with point-of-sale machines to broadly trying to attack any organization they can. CrowdStrike, who tracks FIN7 as "Carbon Spider," noted in 2020 that the group made a shift from targeted point-of-sale malware to more lucrative "big game hunting" with broader ransomware attacks utilizing another group's REvil "ransomware-as-a-service" (RaaS) platform (Loui & Reynolds, 2021). Only a few months later, in 2020, they developed their ransomware and RaaS platform called DarkSide, which they leased out to other actors and took a cut of the ransom profits. DarkSide eventually shutdown with BlackMatter taking its place in July of 2021, but that too was shortlived, as they announced a shutdown in November of 2021 – possibly related to recent arrests of ransomware operators as part of an operation performed by international law enforcement (Henriquez, 2021). Researchers have linked BlackMatter and DarkSide as one-in-the-same, just a rebrand to distance themselves from the Colonial Pipeline attack, which garnered heavy government and media attention, making it one of the most prolific ransomware attacks. DarkSide and BlackMatter also stole data, which was used as extortion against the victims to pay the ransom or is sometimes sold for additional profit when the ransoms are not paid.
Attacks
From its November 2020 to July 2021 lifespan, DarkSide's most notable attack was the May 2021 Colonial Pipeline attack, which not only stole data but caused the pipeline to shut down for nearly a week, with production not fully developed recovering until another week after that. Because of the pipeline interruption, gasoline futures prices were at their highest point in three years (Osborne, 2021). Colonial Pipeline ended up paying nearly $5 million in ransom to DarkSide; however, in June, U.S. law enforcement could recover $2.3 million of that (Wilkie, 2021). In September of 2021, after DarkSide relaunched as BlackMatter, Japanese technology company Olympus was hit with a ransomware attack suspected to be BlackMatter. Between June and September of 2021, BlackMatter was responsible for at least 40 ransomware attacks (Hope, 2021).
IOCs
The indicators of compromise for Fin7 actors and their DarkSide and BlackMatter encompass an enormous list of tactical intelligence (the what), including phishing document droppers and malware hashes, IP addresses, and domain names. There is also a significant amount of operational intelligence on Fin7. Some sources for these indicators are below:
- Mandiant's Fin7 IOCs https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation
- CISA's STIX packages for DarkSide leading up to, and following, the Colonial Pipeline attack https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- HHS's published report on BlackMatter, which include a sample of IOC's https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf
As indicators are compiled with intelligence to create a deliverable bulletin for the SOC, the CTI team should have a well-informed perspective on the severity of the threat actor against the organization, based on the understood tactical, operational, and strategic intelligence. Once the bulletin is delivered, the SOC can utilize the information found on the contextualized criticality and focus efforts to use their time and resources wisely – building detection or prevention capabilities, hunting on historical data, and tuning alerts appropriately.
References
- Anomali. (2021). What is Threat Intelligence? Anomali.com. https://www.anomali.com/resources/what-is-threat-intelligence
- AT&T Cybersecurity. (2021). How to Build a SOC: Threat Intelligence. Cybersecurity.att.com. https://cybersecurity.att.com/solutions/security-operations-center/building-a-soc/threat-intelligence
- Carr, N., Vengerik, B., Miller, S., & Goody, K. (2018, August 1). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation
- CISA. (2021, October 18). BlackMatter Ransomware. Us-Cert.cisa.gov. https://us-cert.cisa.gov/ncas/alerts/aa21-291a
- De Groot, J. (2020, November 25). What is a Security Operations Center (SOC)? Digital Guardian. https://digitalguardian.com/blog/what-security-operations-center-soc
- Henriquez, M. (2021, November 4). BlackMatter ransomware gang claims to have shut down. Www.securitymagazine.com. https://www.securitymagazine.com/articles/96446-blackmatter-ransomware-gang-claims-to-have-shut-down
- Hope, A. (2021, September 23). Olympus Suffers a Suspected BlackMatter Ransomware Attack. CPO Magazine. https://www.cpomagazine.com/cyber-security/olympus-suffers-a-suspected-blackmatter-ransomware-attack/
- Loui, E., & Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Crowdstrike.com. https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
- MITRE. (2021, October 19). FIN7, Group G0046. Attack.mitre.org. https://attack.mitre.org/groups/G0046/
- Monahan, D. (2017, May 17). InfoBrief: A Day in the Life of a Cyber Security Pro. Enterprisemanagement.com. https://www.enterprisemanagement.com/research/asset.php/3441/InfoBrief:-A-Day-in-the-Life-of-a-Cyber-Security-Pro
- Osborne, C. (2021, May 14). DarkSide explained: The ransomware group responsible for Colonial Pipeline attack. ZDNet. https://www.zdnet.com/article/darkside-the-ransomware-group-responsible-for-colonial-pipeline-cyberattack-explained
- Wilkie, A. M., Christina. (2021, June 7). U.S. recovers $2.3 million in bitcoin paid in the Colonial Pipeline ransom. CNBC. https://www.cnbc.com/2021/06/07/us-recovers-some-of-the-money-paid-in-the-colonial-pipeline-ransom-officials-say.html