Incident response with Threat Intelligence

By Roberto Martinez

Early Access

This is an Early Access product. Early Access chapters haven’t received a final polish from our editors yet. Every effort has been made in the preparation of these chapters to ensure the accuracy of the information presented. However, the content in this book will evolve and be updated during the development process.


About this book

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization.

Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, containment, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive, ELK, and MISP and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules.

By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.

Publication date:
April 2022
Publisher
Packt
Pages
328
ISBN
9781801072953

 

1 Threat Landscape and Cybersecurity Incidents

Cyber attacks against organizations worldwide, regardless of their size or geography, are growing in a sustained way, and every day we see more news about security breaches.

According to a study by the Identity Theft Resource Center, between January 1, 2005, and May 31, 2020, there were 11,762 recorded breaches, and just in the first half of 2020, about 36 billion records were exposed according to a report from the company Risk Based Security.

In the ninth annual study of the cost of cybercrime, produced by the Ponemon Institute and the firm Accenture, security breaches were found to have increased by 67% in the last 5 years, and according to the security company McAfee, in its report entitled The Hidden Costs of Cybercrime, the monetary loss was around 1 trillion dollars.

The significant impact that cyber attacks have on a world in which we increasingly rely on technology to do business, keep industry running, protect national security, and carry out our daily activities is clear. Unfortunately, many organizations are not prepared to deal with a security incident and, in many cases, react when it is too late.

There is a whole ecosystem around cyber attacks, and whether they are realized depends on the motivation and skills of the attackers. That is why it is important to understand that beyond a conventional risk assessment, it is necessary to know the potential threats to which the particular organization is exposed.

A proactive posture on cybersecurity involves focusing on monitoring and detection by betting everything on the front line of defense and developing an ability to identify and respond early to a cybersecurity incident by minimizing its impact.

In this chapter, we’re going to cover the following topics.

  • The current threat landscape
  • The motivations behind cyber attacks
  • The emerging and future threats
 

Knowing the threat landscape

When a Cybersecurity strategy is based solely on a defensive posture, without an understanding of current threats and the capabilities of adversaries to achieve their goals by evading security controls and avoiding detection, there is a risk of developing very limited capabilities that will rarely be efficient. It is the equivalent of being in a completely dark room, without being able to see anything, knowing that at some point, someone could try to hurt us, but without knowing the exact moment or the way in which this will happen. It's like walking blind without seeing the way.

The increase in the number of cyber attacks around the world on major sectors such as government, finance, manufacturing, health, education, critical infrastructures, and small and medium-sized enterprises, as well as on individuals, has finally drawn attention to the strategies and investments needed to raise the level of protection and response of organizations facing the possibility of becoming the next target.

In that sense, one of the biggest challenges for cybersecurity professionals is first to evolve and create protection and response strategies at the same speed with which new threats appear and then go one step further using threat intelligence information. The threat landscape is changing every day, cyber threats are evolving and becoming more dangerous, and the forms of protection that worked before may not be efficient enough today, which is why organizations need to develop the ability to adapt and switch from a reactive posture to a proactive attitude. Any regional or global context or situation can generate new risks and change the threat landscape drastically.

Is COVID-19 also a cyber-pandemic?

The COVID-19 outbreak completely changed the course of things and showed that countries around the world were not in a position to deal with it, and although scientific and technological advances enabled the development and manufacture of a vaccine in record time, the coordination and budgets required failed to solve the problem in the short term. This incident, in the same way as a cybersecurity incident, shows us once again the importance of being prepared and having a plan in case a threat materializes.

This global health crisis formed the perfect storm, many things changed in the workplace and at home, more people started using their digital devices, made online purchases, used financial apps instead of going to the bank, subscribed to streaming services, and took their classes online. The companies sent their employees and collaborators to work at home and, in some cases, asked them to use their own devices to do their job.

Cybercriminals and Advanced Persistent Threat (APT) groups know how to find and use the time and circumstances to launch their offensive campaigns and operations successfully, and this was an amazing opportunity for them.

In August 2020, Interpol published the report Cybercrime: COVID-19 Impact about the increase in cyber attacks, especially against individuals, companies, government, and healthcare infrastructure. According to this report, in the period January – April, the key cyber threats were phishing and scam fraud, accounting for 59% of incidents, malware and ransomware – 36%, malicious domains – 22%, and the dissemination of fake news – 14%. In all cases, the common factor was content or topics related to COVID-19. Meanwhile, according to the FBI, the number of complaints in relation to cyber attacks stood at 4,000 per day, roughly a 400% increase since the start of the pandemic:

Figure 1.1 – Distribution of the key COVID-19 inflicted cyber threats based on member countries’ feedback (source: Interpol’s Cybercrime COVID-19 Impact report)

In the words of Jürgen Stock, Secretary-General of INTERPOL, Cybercriminals are developing and driving their attacks on people in an alarming way, and they also exploit the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.

Cyber espionage against pharmaceuticals

The urgency of developing a COVID-19 vaccine began a race against time in the pharmaceuticals industry. Unsurprisingly, these companies became a natural target of threat actors. Kaspersky discovered in late September 2020 that a group known as Lazarus had started a cyber espionage campaign against a pharmaceuticals company and a health ministry. Although different tactics, techniques, and procedures (TTPs) were used in both attacks, common elements were found that could attribute the attack to that group.

Cyber attacks targeting hospitals

Although some cybercriminal groups reported that they would not attack health organizations at the beginning of the pandemic, some of them did attack hospitals, including the Department of Health and Human Services.

In October 2020, the Department of Homeland Security (DHS) and the FBI issued an alert about an imminent threat of ransomware attacks on the U.S. healthcare system.

In the Czech Republic, a COVID-19 testing center hospital was compromised by a cyber attack, affecting its systems and disrupting the normal functioning of its operations, so that some urgent surgeries had to be postponed and several patients had to be sent to nearby hospitals.

Insecure home office

The need to adopt a home office model as a preventive measure to reduce the expansion of the pandemic surprised many organizations and their employees. According to the Kaspersky study How COVID-19 changed the way people worked, 46% of respondents said that they had never worked from home before and 73% of workers did not receive security awareness training about the risks of working from home.

This scenario increased the demand for remote working applications and services such as video conferencing, collaboration, file sharing, and remote connection. Employees also began to engage in a practice known as Shadow IT, which involves the use of applications that are unauthorized or have not been evaluated by the company; for example, 42% of respondents said that they were using their personal email accounts for work and 38% used personal instant messaging apps. This became a security problem because, according to Kaspersky's telemetry, there were 1.66 million Trojans detected related to such applications.

Additionally, IT teams had to adapt their infrastructure, in some cases in an impromptu manner and without considering security measures. For example, enabling remote connections directly to the company's servers from the internet opened a potential attack vector that was immediately exploited by cybercriminals. According to Kaspersky, the number of brute-force attack attempts on the Remote Desktop Protocol (RDP) has soared significantly since the beginning of March 2020, reaching 3.3 billion attempts, compared to 969 million in the same period of the previous year.

Supply chain attacks

Supply chain attacks have been increasing in recent years. The main reason is that organizations have not considered these attacks within their threat modeling and cannot visualize them as a relevant attack surface.

The main risk of this threat is that it is difficult to detect. Usually, third-party services or tools are considered part of the company's ecosystem and are reliable, having a high trust level. Hence, the levels of security assessment and monitoring are more relaxed.

There are several cases related to supply chain attacks, including the compromise of the application CCleaner, which is a tool used by many companies around the world, or the attack known as ShadowHammer, where the ASUS live utility that comes pre-installed on that brand's computers and serves to update various components such as firmware, UEFI BIOS, drivers, and some applications, was compromised.

Without a doubt, however, one of the supply chain attacks that has had the most impact was the attack on the SolarWinds company discovered in December 2020. On December 8, the FireEye company revealed that they had been the victims of a cyber attack. The attackers had stolen tools that their Red Team used to conduct security assessments, and the attack vector was a SolarWinds tool installed in the company.

The attack's impact was unprecedented: it affected even large technology companies such as Microsoft, Intel, Nvidia, Cisco, VMware, and at least 18,000 other companies worldwide, and it changed the threat level of this kind of attack for organizations.

 

Understanding the motivation behind cyber attacks

Each action taken by a threat actor has a motivation behind it, as it requires time, planning, and resources to launch offensive activities against a target.

This motivation can often be financial when it comes to cybercriminal groups. Still, there are scenarios when state-sponsored threat actors or industry competitors look to gain a position of power or a competitive advantage over an adversary by spying and stealing information.

There are also groups of cyber-mercenaries who sell their services to the highest bidder and use their resources and skills to perform offensive actions. In this case, the motivation is mainly financial.

The ransomware that was not

In May 2017, the entire world was shocked when news broke that ransomware had disrupted the operations of several major companies in Spain, as well as the British health service. In a single day, more than 140,000 computers had been affected. It was the first time that malware with those characteristics had self-replicated uncontrollably across networks:

Figure 1.2 – Ransom note left on an infected system (source: Wikipedia)

This malware exploited a vulnerability known as EternalBlue, labeled CVE-2017-0144, related to a flaw in the implementation of the Server Message Block (SMB) protocol. It particularly affected Microsoft Windows operating systems and could self-replicate uncontrollably without the need for human interaction.

In the following days, this ransomware began to replicate around the world, becoming one of the most important threats of recent years. The most ironic thing is that by the time this ransomware appeared, a patch that prevented computers from being affected was already available.

The world had not yet recovered from the impact caused by WannaCry when, the following month, a ransomware variant appeared that exploited the same vulnerability but behaved differently, and whose code shared some similarities with ransomware known as Petya, which had appeared just 1 year earlier:

Figure 1.3 – The ID shown in the ransom screen is only plain random data (source: Securelist.com)

A peculiarity of this ransomware, discovered by my fellow researchers in Kaspersky's GReAT team, who called it Petya/ExPetr, was that, as implemented in its encryption routines, not even the creators of the ransomware themselves could recover the information, even if the victims paid the ransom.

This is completely unconventional because the reason a threat actor develops ransomware is to get a ransom payment in exchange for handing the key over to the victims to retrieve the information encrypted by the malware, so the motivation behind this campaign was not financial, but was aimed at interrupting business operations of the affected companies.

Another interesting fact about this campaign is that according to the detection telemetries, the most affected victims were companies from Ukraine, Russia, and Eastern Europe:

Figure 1.4 – Petya/ExPetr infections by country (source: Securelist.com)

As you can see in the preceding graph, this information is relevant and especially useful to find the specific targets to which a cyber attack was directed and supplies some elements to understand the possible motivations behind it.

Trick-or-treat

In May 2018, unknown threat actors, later linked to the Lazarus group, attacked a South American financial institution. This attack provoked damage by destroying information on 9,000 computers and 500 servers in several of its branches.

In their initial findings, investigators discovered that malware damaged the Master Boot Record (MBR) on the hard drive, preventing it from booting and showing the following message on the screen: non-System disk or disk error, replace and strike any key when ready.

Trend Micro conducted research on this malware, which was identified as a variant of Killdisk.

In the following hours, the real motive behind the attack would be discovered. Suspicious financial movements began to be detected. The attackers did not seek to disrupt the company's operation or remove information on computers, but to compromise the International Transfer System known as SWIFT, which allowed the attackers to make fraudulent transfers of about $10 million to multiple accounts in Hong Kong.

Nothing is what it seems

But what do these cyber attacks have in common? Clearly, the attribution points to different threat actors and both operations were carried out in different contexts and places. The key elements here are Distraction and Deception.

In the first case, the threat actors used the ransomware as a front to make the affected companies believe that they were being attacked by such malware, when the real reason was to completely remove the information from their computers without the possibility that it could be recovered; that is, what the attackers were looking for was an interruption of the company's service and operations.

In the second case, the goal was the opposite. The threat actors had a purely financial interest, using malware that prevented computers from continuing to function normally while making money transfers from other computers undetected.

What were the threat actors looking for? Masking their attacks long enough to achieve their goals while confusing investigators so that they would take longer to respond to these incidents.

But why is it so important for an incident response professional to try to find the true intent behind a cyber attack? This is quite simple. As we will see later, when an incident occurs, the nature of the attack must be identified according to the context, motivation, and key indicators to ascertain the type of attack, its characteristics, and scope. This can lead to several hypotheses and define the actions to take to contain the offensive actions and minimize the impact of the attack.

 

Emerging and future cyber threats

Technology is changing every day, and technological advances allow us to experience new ways of doing things: the way we work, the way we learn, and even the way we relate to other people. These modern technologies are developed to be more usable and functional so that anyone, even without much technical knowledge, can take advantage of them.

However, the architecture, design, and production of these technologies often do not consider security, and many of the new devices you use daily are unsafe by design and exposed to potential cyber attacks.

Cyber attacks targeting IoT devices

Years ago, few people would have imagined that a simple light bulb, our smart TV, or our toilet could become an attack vector for malicious actors. According to Gartner, there will be 25 billion global IoT connections by 2025. The problem is that many devices are manufactured at a low cost to achieve greater market penetration, regardless of the threats to which these devices would be exposed.

Moreover, the risks are not just for home users; in enterprise environments, these devices could be connected within the same network infrastructure of computers and servers, raising the risk of compromising the organization's critical assets and information.

On October 21, 2016, DynDNS (Dynamic Network Services, Inc., a Domain Name System provider) was the target of an attack against the infrastructure of its systems. As a result, many Netflix, PayPal, and Twitter users, to name a few, could not access these services for hours.

The attackers provoked a distributed denial of service (DDoS) using a botnet known as Mirai, which turned millions of Internet of Things (IoT) devices into zombies that sent traffic in a coordinated manner against specific targets, which primarily affected the operational infrastructure in the United States. The estimated economic impact was $10 million:

Figure 1.5 – Live map of the massive DDoS attacks on Dyn's servers (https://twitter.com/flyingwithfish/status/789524594017308672?s=20)

In November of the same year, several DSL service users in Germany reported problems with their Internet connection devices due to traffic saturation on TCP port 7547 by Mirai that affected their access to the network. In January 2018, a variant of the same botnet appeared, targeting the financial sector and affecting the availability of its services.

In that year alone, the percentage of botnet-related traffic for detections on IoT devices was 78%, according to a NOKIA study. In 2019, Kaspersky detected around 100 million attacks targeting IoT devices using honeypots.

In July 2020, Trend Micro found that the Mirai botnet was exploiting the CVE-2020-5902 vulnerability on IoT devices, allowing it to search for BIG-IP boxes for intrusion and deliver the malicious payload.

The digital evidence generated by these devices is essential to promptly identifying the origin of an attack and visualizing its scope and impact.

Autonomous vehicles

More applications are being integrated with vehicles and can connect with users' mobile devices. These apps often supply access to social networks or payment apps, such as Apple Pay, Samsung Pay, or Google Pay.

On the other hand, autonomous vehicle manufacturers integrate capabilities that reduce the number of accidents and improve transport infrastructure efficiency. Using the OBD II and CAN bus access points, someone can perform a remote diagnosis of its operation or its location, carry out remote assistance, or obtain telemetry information collected from the vehicle.

These capabilities, however, open new attack surfaces, including the following:

  • System update firmware manipulation
  • Installing malware on the vehicle system
  • Interception of network communications
  • Exploiting software vulnerabilities

In 2013, security researchers Charlie Miller and Chris Valasek, along with journalist Andy Greenberg, showed how it was possible to hack a vehicle by taking control of the brakes or vehicle speed. In 2015, they met again, and on this occasion, they took control of a Jeep at 70 miles per hour using a zero-day exploit that allowed them to take control of the vehicle remotely over the internet.

These discovered vulnerabilities opened the door to new attack scenarios where sensitive user information can be compromised and even put human lives at risk.

In a short period following a traffic incident, and especially with the increase in the number of autonomous vehicles, it will be necessary to collect evidence from the vehicle's digital devices to investigate the details that will help to identify what caused the accident.

Drones

The global drone market will grow from $14 billion in 2018 to over $43 billion in 2024, with a compound annual growth rate (CAGR) of 20.5%. Its non-military use has shown potential for multiple fields, including engineering, architecture, and law enforcement.

Unfortunately, in many cases, their use is not regulated. In several situations, they have been involved in incidents that have jeopardized the operation of airports or of aircraft themselves, as was the case at Heathrow Airport in London, where flights were suspended, causing significant financial losses and inconvenience to passengers.

Other risks relate to organized crime using drones to carry drugs across the border undetected or even to attack rival groups. Drones can also pose a risk to people's privacy, as a drone could record video, take pictures, or eavesdrop on conversations from a distance.

If a drone is used illegally, it is essential to collect the evidence necessary to carry out the investigation, using the appropriate procedures and tools.

Electronic voting machines

The use of digital devices in several countries' electoral processes around the world aims to ensure that the voter registration processes, as well as vote capture and counting, are efficient and reliable.

However, like all digital systems, there are attack surfaces on these systems that an attacker could use to compromise the results of an election and the reliability of the systems themselves. Security researchers have revealed that some voting systems could be vulnerable to distinct types of attacks.

In 2019, in the DEF CON Voting Village, several security researchers analyzed more than 100 voting devices, some of them currently in use, and found that they were vulnerable to at least one type of attack.

Electoral processes are vital in ensuring not only democracy, but also political and social stability, so it is incredibly important to ensure their reliability and security.

In the event of a security incident occurring on a digital voting device in an election, the DFIR professional's role would be key to quickly and effectively discovering what happened and avoiding further damage to the electoral process.

Cyber attacks on robots

Beyond science fiction, where movies or streaming series show an apocalyptic scenario with robots taking control of humanity, the reality is that robots are already everywhere, whether it's assembling components in a factory or performing high-precision surgeries.

However, the evolution of AI poses new security challenges. What if an attacker compromised a robot and could manipulate it?

There is a category of robots known as social robots; these robots' role is to interact with humans in different ways, such as assisting them or serving as a companion. According to a study by IDLab – imec, University of Ghent, Belgium, regarding the abuse of social robots for use as a means of persuasion or manipulation, they identified the following risks when they performed several proofs of concept:

  • Gaining access to protected areas
  • Extracting sensitive information
  • Influencing people to take actions that put them at risk

In 2018, researchers from the security company IOActive presented the first ransomware attack on robots at the Kaspersky Security Analyst Summit event. In the presentation, they talked about how it was possible to hack social robots known as Pepper and Nao, showing a proof-of-concept video where they modified the source code and made the robot ask for bitcoins (https://youtu.be/4djvZjme_-M).

Considering a robotic-oriented threat landscape, the same scenario could occur with other types of robots and affect a production line in a factory or even a medical surgery, putting people's lives at risk.

For this reason, it is important to identify attack surfaces that could pose a security risk through threat modeling. Currently, there are several related documents with threat modeling for specific models of robots or even for the most well-known robotic operating systems, such as ROS 2: https://design.ros2.org/articles/ros2_threat_model.html.

A specialized device called Black Box was created by the Alias Robotics company to capture information relevant to robots' activity (https://aliasrobotics.com/blackbox.php). In the event of a security incident, this information could be handy in responding and conducting forensic investigations.

The challenge of new technologies for DFIR professionals

Without a doubt, the future looks fascinating for professionals in the incident response field. However, there are many challenges along the way.

The dizzying and constant evolution of technology means that there are more and more digital devices. Although many of them use open and standard technologies, others integrate proprietary components that could make it more challenging to obtain evidence or conduct an investigation.

On the other hand, it is necessary to expand our knowledge into new specialized fields of DFIR and learn about the latest technologies.

 

Summary

In this chapter, we learned the importance of understanding the threat landscape, with the emergence of new threat actors and how the technical tactics and tools used in cyber attacks have evolved.

Studying the threat landscape is a constant and particularly important activity for an incident response professional and the lack of knowledge will make it more difficult to find the right indicators of compromise when you are responding to a cybersecurity incident.

We also learned how modern technologies bring new risks but also new challenges in responding to incidents.

In the next chapter, we will learn the basic concepts of Digital Forensics and Incident Response (DFIR), the importance of identifying forensic artifacts as evidence, and some of the most important incident response frameworks.

 

About the Author

  • Roberto Martinez

    Roberto Martinez has worked as a Senior Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT) since April 2012, doing research to detect and identify new security threats, responding to security incidents, and presenting at security events worldwide.

    He also collaborates as an Expert Associate Professor at Tec de Monterrey University and is currently an active member of the HTCIA (High Technology Crime Investigation Association).

    Roberto has more than 15 years of experience in cybersecurity, working in different fields such as Offensive Security, Incident Response, Digital Forensic Investigation, Threat Hunting, Threat Intelligence, and Malware Analysis.

    Before this, he worked as a consultant and instructor specializing in security for governments, financial institutions, and private corporations in Latin America.
