Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
The standard tactics can be implemented by any security professional. However, any of the advanced tactics should be run through your organization’s key stakeholders or even legal representatives to ensure your team has leadership coverage.
Engaging the Threat
Now that you have determined the allowed actions that can be taken, ranging from the legal to the illegal (not recommended), you are prepared to begin engaging your threat and start removing the threat from the network. However, one of the most important aspects of engaging an active threat is the ability to act all at once or not at all. Similar to a botnet or live criminal infrastructure, if just one position is left for access, the threat will try to reenter your enterprise, especially if this is a highly resourced criminal or state-sponsored organization. By now, you should be asking yourself, “What can I do then?” Well, here we go…
Within Your Enterprise
From within your enterprise network, you have almost every right to actively engage a real-time threat and remove it from your network. The battle is initially fought at the network layers. As stated in previous chapters, focusing on your hosts during a real-time intrusion is highly unreliable for actionable intelligence observables.
Once you have identified how the threat is getting in and out of your network, you need to sever those connections before you begin remediation of your hosts, as the hosts will continue to beacon out, attempt to communicate with the remote threat, and try to take survivability measures on behalf of the focus.
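Once the known CnC address is blocked at the perimeter, the deny log is the quickest way to see which hosts are still beaconing and therefore still need remediation. The following is an added example, not code from the book: it parses constructed firewall deny lines (the log format, the RFC 5737 addresses and the jitter threshold are assumptions) and flags hosts whose blocked reconnects arrive on a fixed timer.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall deny log (not from the book). The CnC address
# 203.0.113.10 has just been blocked at the perimeter; infected hosts keep
# calling home on a fixed timer, while unrelated denies are irregular.
DENY_LOG = """\
1700000000 DENY src=10.0.0.5 dst=203.0.113.10 dport=443
1700000300 DENY src=10.0.0.5 dst=203.0.113.10 dport=443
1700000600 DENY src=10.0.0.5 dst=203.0.113.10 dport=443
1700000900 DENY src=10.0.0.5 dst=203.0.113.10 dport=443
1700000013 DENY src=10.0.0.9 dst=203.0.113.10 dport=443
1700000613 DENY src=10.0.0.9 dst=203.0.113.10 dport=443
1700001213 DENY src=10.0.0.9 dst=203.0.113.10 dport=443
1700001813 DENY src=10.0.0.9 dst=203.0.113.10 dport=443
1700000050 DENY src=10.0.0.7 dst=203.0.113.10 dport=443
1700000061 DENY src=10.0.0.7 dst=203.0.113.10 dport=443
1700000990 DENY src=10.0.0.7 dst=203.0.113.10 dport=443
1700002000 DENY src=10.0.0.7 dst=203.0.113.10 dport=443
1700000100 DENY src=10.0.0.8 dst=198.51.100.4 dport=80
"""

LINE_RE = re.compile(r"^(\d+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_denies(text):
    """Group deny timestamps by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, _port = m.groups()
            flows[(src, dst)].append(int(ts))
    return flows

def find_beaconing_hosts(text, cnc, min_hits=4, max_jitter=0.1):
    """Map each host still beaconing to `cnc` to its period in seconds.
    Qualifies: >= `min_hits` blocked attempts whose gaps vary by at most
    `max_jitter` of their mean (a fixed check-in timer hitting a dead CnC).
    """
    result = {}
    for (src, dst), stamps in parse_denies(text).items():
        if dst != cnc or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            result[src] = round(avg)
    return result
```

Hosts whose denies are irregular (10.0.0.7 above) are left out, so the result is the list of machines with a live implant, not everything that ever touched the address.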
From within your enterprise, you can perform almost any level of actions, including content staging, content filling, deception, and enticement. Honeypots can also be used as highly interactive IDSs that enable profiling at the network and session layer. Sandbox technologies can also have a high impact on enabling you to determine a threat’s method of exit, exfiltration, and return.
Just remember that once active targeted threats learn of your knowledge of their activities, they can become highly unpredictable, and their actions can range from not returning to taking a virtual crowbar to every system they have touched. Acting within your own enterprise is the highly recommended action versus external methods, which will be discussed next.
External to Your Enterprise
Threats operating across the Internet involve numerous data points and variables: network locations; IP addresses; static, dynamic DNS, or fast-flux domain names; server-side applications, such as SQL or FTP accounts; and many other observables. One of your tasks is to do as much intelligence collection as possible and learn as much as you can about all of these observable data points. Then you can take some actions against an active threat external to your enterprise.
If you know an IP address, report its abuse to the hosting provider, and block the IP address across your network. Be aware, however, that blocking an IP address alone does not eliminate the threat. Also, if the source IP address is actually an ISP’s gateway address, for example, blocking it may end up blocking many legitimate users. Determine whether the source IP address is unique to the individual, residence, or attacker, or whether it is the gateway of a network segment.
If you learned a domain name, report the abuse of the domain name to the registrar. Also, block the domain name across your network.
For server-side applications, scan the IP address/domain and attempt to identify which services are running on the host (remember that port scanning is not illegal). If you reside in a country that allows you to analyze and exploit any malicious services on that server, you can gather a plethora of information about the criminal operator via this method.
Working with Law Enforcement
A large topic of debate for almost every industry is whether or not to report the incident. Well, believe it or not, every world government’s law enforcement (LE) agencies have a top-ten list of threats they are interested in and actively investigating.
If you believe the specific threat is of a targeted nature and you may be one of many organizations hit by a specific threat, you can privately report the incident to LE. The members of the LE agency will work with you if you are willing to share your data with them. You’ll also need to let them know about every action you have performed against the remote CnC server to identify the threat level of the specific criminal campaign. Most LE agencies are highly interested in organized and state-sponsored threats, and will work diligently with your organization to try to attribute and apprehend the actors behind the criminal campaign.
You’ll need to determine whether you want to bring in LE early in the decision process, as this will inhibit some of the things you are allowed to do as a private researcher. If you commit a crime while performing adversary analysis or attribution, and then bring in LE after the fact, this could open you or your organization up to a legal can of worms. Several IT security professionals have taken the law into their own hands, only to be fired or worse for trying to do the right thing.
Working with LE can be a powerful asset, especially when dealing with highly motivated and well-funded threats. However, there are drawbacks that can land you in the hot seat, so please be careful how you approach each situation, and identify up front whether LE is an avenue you want to take.
To Hack or Not to Hack (Back)
There are several situations where hacking back can yield highly valuable results, and then there are times when it will simply land you in jail. For example, suppose you hack into a CnC server currently being investigated by LE, and they are monitoring the wire when you do this. You are trying to do good for your organization’s security posture, but in the end, it comes around to bite you in the ass. We know people who have done this and now are without a job or security clearance.
Now that you have been warned, here is a short list of things that can be gained from hacking into a criminal’s CnC back-end server (typically performed via attacking the server):
Look for vulnerabilities in the CnC back end, such as cross-site scripting (XSS), SQL injection, and session management.
You can get help with attribution of the bot master and bot operators.
Generally, the first one to five connections are the operator setting up the infrastructure. If you can circumvent their security of the CnC, you can identify some of the operator’s information:
Registrar site login/password
E-mail login/password
Virtest (resilience provider services) login/password