Threat intelligence and threat hunting encompass the strategies used to detect and protect against active threats. Threat intelligence describes gathering and analyzing data to help identify potential threats and determine the most effective way to mitigate them. Threat intelligence enables the proactive identification of malicious activity and the capabilities and objectives of different threat actor groups. In addition, threat hunting describes actively searching for signs of malicious activity on an organization’s network. It involves using various tools and techniques to search for potential threats, such as analyzing log files, monitoring suspicious traffic, and performing manual searches. Combining these two approaches allows an organization to stay one step ahead of threat actors and better protect its systems.
Exploring Threat Actor Concepts
Threat actors represent a person, group, or organization responsible for malicious activities. They are often motivated by financial gain, political gain, or simply a desire to cause harm. This lesson reviews different threat actor types, their tactics, and methods to identify and defend against them. Organizations and individuals can be more aware and better prepared to fend off malicious attacks by exploring threat actor concepts.
Types of Threat Actor
Because of the need to defend against unknown threats, threat intelligence is not simply a process of identifying malware signatures and technical attack vectors. Threat intelligence must also develop insights into the behaviors of discrete types of adversary groups. You can use threat intelligence reports to monitor nation-state, organized crime, and hacktivist groups and activities that pose relevant threats to your own organization. It is important to identify the level of resources/funding that different adversaries might possess, and whether they can develop sophisticated malware that can evade basic security controls.
When evaluating adversary behaviors, attacks can be characterized as either opportunistic or targeted. Opportunistic attacks might be launched without much sophistication or funding simply by using tools widely available on the Internet. Conversely, a targeted attack might use highly sophisticated tools and be backed by a budget that can allocate resources and skilled professionals to achieving its aims.
Nation-State
Most nation-states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals. The security company Mandiant's APT1 report into Chinese cyber espionage units was influential in shaping the language and understanding of modern cyberattack life cycles.
Reading Resource: Mandiant's APT1 report into Chinese cyber espionage
Nation-state actors have been implicated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage, but it is known that countries—North Korea being a good example—target companies purely for commercial gain. It is important to understand that each state may sponsor multiple adversary groups and that these groups may have different objectives, resources, and degrees of collaboration with one another.
Reading Resource: Crowdstrike's blog provides an overview of currently identified APTs. Note the cryptonym system used for adversary classification.
Organized Crime
In many countries, cybercrime has overtaken physical crime both in terms of number of incidents and losses. An organized crime gang can operate across the Internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.
Hacktivist
A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries.
Insider Threat
An insider threat arises from an actor who has been identified by the organization and granted some sort of access. Within this group of internal threats, the threat can be subdivided into 1) insiders with permanent privileges, such as employees, and 2) insiders with temporary privileges, such as contractors and guests.
An insider can be intentional or unintentional. An intentional insider is very much aware of their actions and has a clear intent and goal. Unintentional insiders cause damage through neglect or by being exploited by an outside attacker. An unintentional insider may cause a vulnerability to be realized by misconfiguring a system or service in IT, clicking links and opening attachments in phishing emails, or by acquiring and using unauthorized software and/or cloud services, also referred to as Shadow IT.
Script Kiddie
A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or reasonable goal other than gaining attention or proving technical abilities. Without proper safeguards and preparation, they can still cause significant harm and/or damage.
Supply Chain Access
A common trend observed in attacks involves identifying the vendors and/or products an organization uses on an ongoing basis. It is common for organizations to use outside sources for parts, software, or maintenance services. These outside sources form the supply chain and can be exploited to gain access to an otherwise secured environment. For example, if a vendor supplies software products, an attacker can work to gain access to the software supplier, whose security practices may be lackluster, and insert malicious code into the vendor's software before it is delivered to the target organization. Similarly, an attacker can target a managed services organization that may have VPN access to several valuable targets. Lastly, an attacker may target an equipment supplier in order to insert malware, vulnerable hardware/software, or rogue components that are assembled into the final product.
Advanced Persistent Threat
The term advanced persistent threat (APT) describes the behavior underpinning advanced cyber adversaries, such as nation-states and organized crime groups. APT originally referred to the group behind a campaign but has been widened to describe the tools these groups use. The concept of an APT helps to model threats. Besides basic scanning for virus or Trojan signatures, scanning for the presence of command and control (C&C or C2) software and unusual network activity are also important actions. One of the defining characteristics of an APT is anti-forensics, where the adversary removes evidence of the attack.
APTs typically target large organizations, such as financial institutions, companies in healthcare, and other organizations that store large volumes of personally identifiable information (PII), especially when the PII describes important government and political figures. Historically, APTs have been observed targeting governments to carry out political objectives, interfere in elections, or spy on another country. As APT groups are identified and profiled, they are assigned unique number identifiers and code names. Government agencies and security researchers often refer to the same group using different names, and members of one group often participate in many others.
Information on the APT41 threat actor available from MITRE ATT&CK. (Screenshot courtesy of MITRE ATT&CK.)
Description:
The page has a header that reads "MITRE ATT&CK."
Below is a header that reads "APT41" and text that reads:
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.
A text block on the right gives APT41 the ID G0096.
A header below reads "Associated Group Descriptions," and below this is a table with two columns labeled Name and Description. There is one row in the table with Wicked Panda under Name and a link under Description.
Another header below reads "Techniques Used," and below this is a table with four columns labeled Domain, ID, Name, and Use. Each row represents a different technique used by APT41.
The "advanced" part of an APT is a crucial identifier, as these types of threats are rarely executed by lone attackers using publicly available exploits or exploit frameworks (such as Metasploit). APT threat groups can access considerable financial and personnel resources, including teams specializing in custom exploit development and execution. APTs spend considerable time gathering intelligence on their targets to develop highly specific exploits. APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer.
APTs have diverse overall goals, but since a significant focus of their attack activities includes custom software development and stealth, most APTs are interested in maintaining access—or persistence—to networks and systems. Because of this, APTs are some of the most notorious and harmful threats to organizations and governments.
Tactics, techniques, and procedures (TTPs)
Tactics, techniques, and procedures (TTPs) describe a core concept in computer security that is directly related to the study of threat actor behavior. Cybersecurity teams leverage the documented TTPs attributed to various threat actor groups to fingerprint how adversaries conduct cyberattacks to compromise organizations.
Cybersecurity analysts carefully deconstruct and document methods used by well-known threat actor groups to create a profile, or fingerprint, that identifies them. These profiles can also help improve an organization's defensive capabilities by understanding the methods attackers will use to gain access to their environment. TTPs can help security researchers associate an attack with a known hacker or threat group. By identifying threat actors and groups, security researchers can establish relationships that might exist with other threat actors, thereby helping them prioritize defenses against popular attack methods.
Reading: An overview of MITRE ATT&CK, as well as links to additional resources
Behavioral analysis often identifies abnormal behaviors, and threat information feeds provide insight into popular attack patterns and active threat actors. This information helps defensive teams identify whether any associated TTPs appear in their environments. Many user and entity behavior analytics (UEBA) tools leverage TTPs defined by MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to identify activities indicative of an attack and can distinguish between normal and abnormal behaviors, making threat detection easier for security analysts.
A screenshot of the MITRE ATT&CK Matrix, which documents many different TTPs. (Screenshot courtesy of MITRE ATT&CK.)
The MITRE ATT&CK Matrix for enterprise illustrates specific actions taken to accomplish the threat actor's tactical objectives. While each item described in the ATT&CK matrix is significant in its own right, holistically examining tactics allows the adversary's methods to be tracked, identified, and countered more easily.
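The fingerprinting idea described above (observed TTPs compared against documented group profiles, and read holistically by tactic) in working form, as an added example that is not part of the original text or of MITRE's own tooling. The technique IDs and tactic names are real ATT&CK Enterprise identifiers; the group profiles, their names, and the detection events are constructed for illustration and are not the technique lists of any tracked group.

```python
from collections import Counter
# Real ATT&CK Enterprise technique IDs, each mapped to one of its tactics
# (some techniques sit under several tactics; one is chosen here).
TECHNIQUE_TACTIC = {
    "T1566": "Initial Access",       # Phishing
    "T1195": "Initial Access",       # Supply Chain Compromise
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1053": "Persistence",          # Scheduled Task/Job
    "T1070": "Defense Evasion",      # Indicator Removal (anti-forensics)
    "T1027": "Defense Evasion",      # Obfuscated Files or Information
    "T1003": "Credential Access",    # OS Credential Dumping
    "T1021": "Lateral Movement",     # Remote Services
    "T1071": "Command and Control",  # Application Layer Protocol
    "T1105": "Command and Control",  # Ingress Tool Transfer
}
# Constructed, hypothetical group profiles: placeholder names, not real G-IDs.
GROUP_PROFILES = {
    "GROUP-A (constructed)": {"T1566", "T1059", "T1053", "T1003", "T1021", "T1070", "T1071"},
    "GROUP-B (constructed)": {"T1195", "T1059", "T1105", "T1027", "T1071"},
    "GROUP-C (constructed)": {"T1195", "T1059", "T1070", "T1027", "T1105"},
}

def observed_techniques(events):
    """Collapse detection events into the set of mapped ATT&CK technique IDs."""
    return {e["technique"] for e in events if e["technique"] in TECHNIQUE_TACTIC}

def tactic_coverage(techniques):
    """Count observed techniques per tactic: which matrix columns are lit up."""
    return Counter(TECHNIQUE_TACTIC[t] for t in techniques)

def rank_groups(techniques, profiles=GROUP_PROFILES):
    """Score each profile by Jaccard overlap with the observed set, best first."""
    scored = []
    for name, profile in profiles.items():
        shared, union = techniques & profile, techniques | profile
        score = round(len(shared) / len(union), 3) if union else 0.0
        scored.append((name, score, sorted(shared)))
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed sample detections, shaped like what an EDR/UEBA pipeline might emit.
SAMPLE_EVENTS = [
    {"host": "ws-17", "technique": "T1566", "note": "macro attachment opened"},
    {"host": "ws-17", "technique": "T1059", "note": "powershell spawned by winword"},
    {"host": "ws-17", "technique": "T1053", "note": "new scheduled task"},
    {"host": "ws-17", "technique": "T1003", "note": "lsass memory read"},
    {"host": "srv-02", "technique": "T1021", "note": "admin share logon from ws-17"},
    {"host": "ws-17", "technique": "T1070", "note": "Security log cleared"},
    {"host": "ws-17", "technique": "T9999", "note": "unmapped, filtered out"},
]
```

Running `rank_groups(observed_techniques(SAMPLE_EVENTS))` ranks GROUP-A first (six of its seven profiled techniques were seen), while `tactic_coverage` shows the intrusion has already progressed from Initial Access through Lateral Movement and Defense Evasion, which is the holistic tactic view the matrix is meant to give.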