Cyber Threat Intelligence [by Adrien Petit, CEIS]

Guidance

At Webcom Montréal in May 2012, IBM estimated that 90% of the world’s data had been created in the last two years[1]. Furthermore, 2.5 billion gigabytes of data — from many and varied sources — are generated each day[2]. This report has helped to popularise the notion of big data. It has also made processing these large volumes of data a concern in marketing and business. For several years, big data has occupied a de facto prominent place in discussions revolving around the theme of cybersecurity.

Now, after big data, cybersecurity players are positioning themselves around a new trend, threat intelligence. The same players have come up with a variety of definitions for the phenomenon. However, it is useful to interpret the notion of threat intelligence according to its constituent terms:

• Threat: “any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service”[3]; and
• Intelligence: “information that has been analysed and refined so that it is useful to policy-makers in making decisions — specifically, decisions about potential threats to our national security”[4].

From an IT point of view, the notion of threat intelligence can be summarised as any intelligence operation of IT origin or interest able to protect any entity from a potential threat.

In this light, threat intelligence is useful in the first two phases in the cybercrime chain — context and preparatory actions in order to prevent progression to the third phase, operation:

Cybercrime chain

The Cyber Kill Chain[5] concept, introduced by Lockheed Martin, represents the seven actions taken by a group of cyber attackers in an attack. These actions are listed under the operation phase in the cybercrime chain above. The first action mentioned by Lockheed Martin — reconnaissance — appears in our diagram as identification of vulnerabilities and marks the start of the Cyber Kill Chain.

The use of threat intelligence in the cyber world comes up against certain limitations in the operation and advertising phases. Actions in these last two phases are taken in the context of the activated Cyber Kill Chain. The status of a threat thus changes from “potential” to “real/operational“.

Case study of a retail bank

The case study presented below brings together several pieces of feedback from experience in using threat intelligence.

Context

In July 2014, John Doe — the Head of Information Systems Security at a well-known American bank — gave an interview for a prestigious daily newspaper’s technology column.

In the interview, Mr Doe reported the positive results in the first semester of the year and announced that the bank would redesign its website for January 2015 to meet user demand for a user-friendly interface. This makeover will be accompanied by an investment in a strong authentication solution — a token — in the second semester of 2015.

The team in charge of anticipating threats — and thus protecting the retail bank from potential cyber attacks — was aware of the opportunity that this announcement represented to cybercriminals. This team therefore decided to adopt a proactive approach by monitoring communication channels (forums and IRC channels on the Dark Web) used by the groups of hackers documented in their previous investigations.

This monitoring made it possible to determine that the CISO’s announcement brought about the emergence of a motive for a group of hackers specialising in phishing. This group of hackers thus established a new objective, namely improving the return on investment (ratio of profits gained to costs incurred) of their activity. Indeed, they observed that their latest campaigns had been less and less profitable. The choice of procedure, which completed the context phase, rested on a phishing campaign adapted to the characteristics that the future website is to offer, specifically an overhaul in terms of graphics and the use of an authentication solution.

Preparatory actions

Once the motive had emerged, the objective had been established and the procedure had been chosen, the next phase was preparatory actions.

It started with the acquisition of capabilities, which may be technical, material, financial, logistical, etc. In the case in question, the group of hackers had to base their next phishing kit on the graphic charter of the future website, and decided to see whether or not test platforms were placed online. After a few weeks, they noticed that the target registered with a registrar the domain name “TESTNOMDELABANQUE.COM”. This domain name turned out to be a pre-production version of the retail bank’s future website, and contained its design and features.

The group of hackers subsequently updated its phishing kit and decided to market it on the Dark Web to buyers from their own trusted network. This human organisation and recruitment phase validated the phishing kit itself and the resources to use it in future campaigns. The introduction of a token also called for increased numbers and processes: while the first phase of phishing was automated by stealing username/password combinations using a recovery script, the second phase required human intervention and social engineering to steal the OTP (one-time password). Indeed, the fraudster had to convince the victim to transmit a sensitive piece of data by telephone in real time, as in a man-in-the-mobile[6] attack, thus completing the act of fraud.

The team responsible for acting on cyber threat intelligence decided to monitor the different black markets traditionally used by the group of hackers, and quickly picked up on the availability of two new phishing kits targeting the retail bank. The team proceeded to buy these kits using an avatar from an infiltration operation undertaken a few months before. Analysis of the kits highlighted the fraudsters’ capacity for near-instantaneous adaptation and their growing expertise: it was found that the second kit — certainly designed for a medium-term use — accounted for the two-factor authentication token.

A few days before the new platform was officially released, the group of hackers decided to identify vulnerabilities prior to launching their operations. Numerous websites were scanned by tools that revealed common flaws, largely related to out-of-date CMSs. The fraudsters exploited these flaws and then uploaded phishing kits to the hijacked websites.

While the group went about this, the CTI team collaborated with a large number of web hosts and informed them of the two versions of the new phishing kit. This allowed the administrators of the different web servers to set up safeguards that were triggered when one of the versions was uploaded to the network. To keep from alerting groups of hackers to their preventive measures by limiting the number of hijacked sites, the different web hosts did not immediately deactivate the phishing kits. Instead, they waited for the first round of the test campaign, which validated the fraud, and the operational round that quickly followed it.

Thanks to the implementation of spamtrap honeypots, the CTI team and the web hosts promptly detected the round of phishing that took place not long after it was officially announced that the platform had been placed online. The impact of the fraud was greatly limited by immediately deactivating the fraudulent pages broadly identified by the various cyber threat intelligence actions.

–Sources–

[1] https://twitter.com/bdescary/status/202470082402717696

[2] http://www.ibm.com/annualreport/2013/bin/assets/2013_ibm_annual.pdf

[3] https://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/glossary

[4] http://www.fbi.gov/about-us/intelligence/defined

[5] http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html

[6] http://blogs.gartner.com/avivah-litan/2010/09/28/smsotp-under-attack-man-in-the-mobile/