Assignment #3 – Applying Cyber Threat Intelligence Part 2
Please see the attached document for instructions. (Only create a single rule, even though the instructions ask you to create a rule for each part of the kill chain.)
YARA Rule/Signature Example below:
In lecture 6, slide 12 briefly discusses YARA rules. To assist with Homework 3, here is an example with each section as discussed in the lecture slides: a metadata section, strings and hashes, and condition statements.
I don’t expect these to be perfect or even work perfectly. I just want you to take what you have learned about the APT group and do your best effort in coming up with rules. I know you are not all programmers and some of this seems difficult, but again I’m not expecting perfection, just a good-faith attempt. I want you to know the required sections and the kinds of IOCs you can put in here once you learn about your APT.
Here is an example of a YARA rule that alerts on the installation of a BlackEnergy implant (botnet). It includes known hashes for detecting versions of the malware and some known origination IPs used by the adversary. It is also worth reading this week’s discussion board, as it talks about VirusTotal.
import "hash"

rule APT_BlackEnergy_Installation {
    meta:
        description = "APT BlackEnergy Installation"
        author = "Zane Afzal"
        reference = "https://attack.mitre.org/software/S0089/, https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar"
        date = "04-20-2020"
    strings:
        // Lure text used by the implant
        $body_1 = "WARNING! Active Threat Detected!"
        $body_2 = "Please review and respond immediately!"
        // Known adversary origination IPs
        $a_1 = "82.102.14.219"
        $a_2 = "94.23.172.164"
        $a_3 = "185.15.247.147"
        $a_4 = "185.181.8.246"
    condition:
        // Known sample hashes are checked with the hash module (hash.md5 returns
        // lowercase hex); listing them as $hash strings would only match the hex
        // text inside a file, not the file's own hash, and YARA rejects strings
        // that the condition never references
        hash.md5(0, filesize) == "87fb0c1e0de46177390de3ee18608b21" or
        hash.md5(0, filesize) == "277ff86501b98a4ff8c945ac4d4a7c53" or
        hash.md5(0, filesize) == "c9f16f0be8c77f0170b9b6ce876ed7fb" or
        hash.md5(0, filesize) == "a602a7b6deadc3dfb6473a94d7edc9e4" or
        all of ($body*) or all of ($a*)
}
IT 462 Homework #3: “Applying Cyber Threat Intelligence pt. 2”
This homework assignment builds on Homework #2 where you identified core characteristics and TTPs of a specific APT group. For this assignment, the focus is to develop actionable signatures that would detect your APT actor on a network.
This assignment is to create signatures, i.e. actionable detection measures, for your APT group. I am expecting that you will develop unique signatures based on the information you provided in Homework #2, not ones lifted from the Internet; plagiarism of this sort will result in an immediate 0 for the assignment and will be recommended to the University for an honor code violation.
Assignment Deliverables:
• A PowerPoint slide or Word document containing YARA-based detection signatures for each stage of the Kill Chain. These YARA signatures must include all three sections; you are the author of the signature, so make sure that is reflected in the meta section. Since reconnaissance is often outside of the control of network defenders, you do not need to create a YARA or network-based (Snort, Bro, etc.) signature for phase 1 of the Kill Chain.
• In cases where YARA signatures are not applicable, SIEM rules/heuristics would also be acceptable, so long as it is tailored to your APT group’s TTPs and not a generalized measure.
• Also identify any other relevant mitigations, based on the TTPs you identified in Homework #2, that would need to be put in place in our network security appliances and across the enterprise to prevent this attacker from gaining a foothold in the network.
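As an added example (not part of the assignment or of the instructor's BlackEnergy rule above), a small Python checker for the deliverable requirements: it confirms that a rule text has meta, strings and condition sections, that meta names an author, and that every defined string is referenced by the condition, since YARA refuses to compile a rule with an unreferenced string. The sample rule, its lure text and its IP are constructed placeholders, not indicators of any real actor.

```python
import re

# Constructed sample rule used only to exercise the checker; all values are placeholders.
SAMPLE_RULE = '''
rule Example_Delivery_Stage {
    meta:
        description = "Example rule for the delivery phase"
        author = "student name"
    strings:
        $lure_1 = "Please review and respond immediately!"
        $lure_2 = "invoice.doc"
        $c2_1 = "192.0.2.10"
    condition:
        all of ($lure*) or $c2_1
}
'''

# Assumes each section header sits on its own line, as YARA rules are normally written
SECTION_RE = re.compile(r'^\s*(meta|strings|condition)\s*:\s*$', re.M)
META_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
STRING_DEF_RE = re.compile(r'^\s*\$(\w+)\s*=', re.M)
STRING_REF_RE = re.compile(r'\$(\w*)(\*?)')  # $name, or a wildcard set such as $lure*

def split_sections(rule_text):
    """Return {section_name: body_text} for the meta/strings/condition sections."""
    headers = list(SECTION_RE.finditer(rule_text))
    sections = {}
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else rule_text.rfind('}')
        sections[h.group(1)] = rule_text[h.end():end]
    return sections

def check_rule(rule_text):
    """Return a list of problems; an empty list means the rule meets the requirements."""
    sections = split_sections(rule_text)
    problems = [f'missing {n} section' for n in ('meta', 'strings', 'condition') if n not in sections]
    meta = dict(META_RE.findall(sections.get('meta', '')))
    if not meta.get('author'):
        problems.append('meta section has no author')
    defined = STRING_DEF_RE.findall(sections.get('strings', ''))
    referenced = set()
    for ident, star in STRING_REF_RE.findall(sections.get('condition', '')):
        # a wildcard like $lure* covers every string whose name starts with "lure"
        hits = [d for d in defined if d.startswith(ident) and (star or d == ident)]
        if not hits:
            problems.append(f'condition references undefined string ${ident}{star}')
        referenced.update(hits)
    # YARA reports an unreferenced string as a compile error, not a warning
    problems += [f'string ${d} is never used in the condition' for d in defined if d not in referenced]
    return problems
```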
—
Applying Cyber Threat Intelligence IT 462
The APT Assignment
The sophistication of APTs has increased over time, as have the specifics of the vulnerabilities used. Knowing the APT actor’s motivations is critical for developing effective detection techniques against APT 39. Exfiltration or acquisition of sensitive information is one possible motivation for such behavior. The actor may have high-stakes objectives, such as infiltrating a system with a worm to gain access to sensitive data. The primary goal of this post is to discuss BlackEnergy, a prototype solution to a common ICS attack that employs a widely available TIP in conjunction with standard open-source intrusion monitoring software.
A diamond model can be used to evaluate a company’s job environment. A critical insight from the diamond model is that a company’s strategic decisions should consider not only the structure of the sector and the resources at its disposal, but also the regulatory constraints. Every business has a sphere of influence, which is the ecosystem in which it was conceived and developed (Conti, Dargahi & Dehghantanha, 2018). The diamond model is a framework for discovering and analyzing the interplay of many factors that contribute to a region’s basic economic competence.
Threat intelligence, also known as cyber threat intelligence, refers to information gathered and analyzed by a company in order to better understand the threats that have previously targeted the company or are currently active. This type of data is used to prepare for, stop, and detect cyber attacks aimed at stealing valuable assets. Information security can be classified as strategic, tactical, operational, or technical in the context of relevant data (Deliu, Leichter & Franke, 2018). Each of these four knowledge categories has its own way of gathering, processing, and utilizing data.
IPS/IDS systems within organizations may be used to detect the APT actor in action. This would be useful because it could detect APT behaviors and send alerts when there is suspicious activity on the host. A string of alerts is one way to get a better understanding of what APT 39 is up to right now. The use of Security Information and Event Management (SIEM) enables the correlation of these signals. A SIEM system, such as IBM’s QRadar, can gather data sets and alerts from various sources, connect them using accessible indicators such as times and dates, and then notify administrators of any potential problems (Deliu, Leichter & Franke, 2018).
The first step in combating APT 39 would be to issue alerts as soon as any low-level events occur. The main emphasis here is on warning generation, which aids in identifying potential APT attack phases while minimizing false positives. To enable effective matching with the use of representations for monitoring tools, a high level of inventiveness is required (Schaberreiter et al., 2019). The goal is to document the interdependencies between files and processes in terms of how information flows between them. In this scenario, TTP would be defined as strategies that make use of interconnections. The following step would be an alert association, which would involve combining warnings from various attacker-initiated actions to provide a reliable signal indicating APT 39. To find similarities between the attacking phases, a High-level Structure would be created to abstract the attribution graph. High-level situation graph components would serve as a substitute for paired TTP (Griffioen, Booij & Doerr, 2020). The edges would represent links between the paired TTP and the outside world.
Although CTI has primarily focused on traditional IT infrastructure, we believe ICS network administrators may benefit from it as well. Many risks to ICS arrive via regular IT networks. This article provides a high-level overview of CTI and its benefits. Following that, we discuss threat intelligence platforms (TIPs) as an emerging technology for dealing with massive amounts of CTI data (Conti, Dargahi & Dehghantanha, 2018). Finally, we consider a scenario in which an ICS network is linked to an enterprise environment. We show how CTI and TIP technologies can be combined with traditional IT security mechanisms to improve ICS network defenses.
Finally, in order to be aware of the signs of an active APT operation, a cyber-analyst would require a presentation detailing an attack model. Learning the benign patterns that most often cause TTPs to be misclassified, and combining heuristics, could reduce false positives. The heuristics prioritize different arcs and vertices in the network based on their severity. This allows the High-level Scenario Graphs to be effectively ranked, and the top-ranked graph to be displayed to cyber analysts. Auditing-wise, the APT’s higher-level stages will be implemented using standard methods (Conti, Dargahi & Dehghantanha, 2018). The inspections’ findings would be critical in preventing the development of hostile operations. After that, appropriate safeguards can be put in place to protect the systems.
References
Conti, M., Dargahi, T., & Dehghantanha, A. (2018). Cyber threat intelligence: Challenges and opportunities. In Cyber Threat Intelligence (pp. 1-6). Springer, Cham.
Deliu, I., Leichter, C., & Franke, K. (2018, December). Collecting cyber threat intelligence from hacker forums via a two-stage, hybrid process using support vector machines and latent Dirichlet allocation. In 2018 IEEE International Conference on Big Data (Big Data) (pp. 5008-5013). IEEE.
Griffioen, H., Booij, T., & Doerr, C. (2020, October). Quality evaluation of cyber threat intelligence feeds. In International Conference on Applied Cryptography and Network Security (pp. 277-296). Springer, Cham.
Schaberreiter, T., Kupfersberger, V., Rantos, K., Spyros, A., Ilioudis, C., & Quirchmayr, G. (2019, August). A quantitative evaluation of trust in the quality of cyber threat intelligence sources. In Proceedings of the 14th International Conference on Availability, Reliability and Security (pp. 1-10).