Threat intelligence is a term used and abused by both media and organizations, and many make the assumption that threat intelligence is only applicable to government-sponsored attacks and malicious groups with a highly technical capability.
I do agree that it applies there, but threat intelligence is also applicable to something as simple as a ransomware attack, as I will try to explain in this little write-up. This is also why every company
should have some sort of TIP (Threat Intelligence Platform).
But before we come to that, let's make it clear that threat intelligence is not a feed of domains, IPs, MD5/SHA1/SHA256 hashes etc.; that should be defined as a threat feed. In order for something to be "intelligence" it needs to have some sort of context, something that relates the data from a threat feed to something else, which in this case could be a ransomware campaign.
What is a TIP (Threat Intelligence Platform):
A very good paper has recently been released by ENISA called "Exploring the opportunities and limitations of current Threat Intelligence Platforms":
https://www.enisa.europa.eu/publications/exploring-the-opportunities-and-limitations-of-current-threat-intelligence-platforms
I'm personally a big fan of the MISP Threat Sharing Platform. It is under active development, has many possibilities and is available to everyone as a well-maintained open source platform backed by many, with endless possibilities to expand or contribute to.
http://www.misp-project.org/ So if you don't already have a TIP in your organization, this is definitely worth a look.
The case:
I will try to describe a case with ransomware, as it is something we have all heard of and most of us have experienced in some form or another. The context I'll describe
is from an incident response perspective, and with that in mind I use the well-known incident response life cycle from NIST SP 800-61 rev. 2 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf).
This is not the only model that incident responders use, but probably one of the most well known.
The loop goes "Preparation" -> "Detection & Analysis" -> "Containment, Eradication and Recovery" -> "Post-Incident Activity".
From my perspective threat intelligence fits into all of these steps, as it is a matter of logging and analyzing the incident both while it is going on and when it
comes to an "end". This is where the TIP comes in handy, and why everyone, big or small, should have one: it is a matter of learning.
Case example:
A user calls the help desk saying that his screen looks a bit weird: there is a message that "All of your files are encrypted with RSA-2048 and AES-128 ciphers."
In this case it should already be pretty clear that something bad is going on, and the first step is to detach the user's computer from the
network so that it can't do any more harm than it probably already has.
This is usually where the internal security team comes into play; you might be a small team, but the same steps still apply.
In the detection process you now need to check multiple things: first, is your backup OK, and second, has anyone else been affected?
The security team now gets hold of the machine, while also looking into their log system to identify whatever they can on the current threat. A sample of the malware is collected from the machine.
Add the data into the TIP, storing checksums of the sample such as MD5, SHA1 and SHA256.
After this, execute the sample in a sandbox; if you don't have one yourself there are public sandboxes or services like VirusTotal that can be used. Remember that this is not always a good idea if there is a suspicion of a more targeted attack, as a public upload can give the threat actor an indication that they have been spotted. But in this case we suspect that this is a standard ransomware attack.
After uploading to virustotal.com it confirms that we are talking about a ransomware binary from the Locky family:
https://www.virustotal.com/#/file/bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3/detection
This also gave some additional information on network connections:
- hpglf.de
- ahfontplac.pm
- muvytwb.tf
- fmuccfbehnan.it
- nwcxvmwqglkgn.pm
- ufgceqiv.pw
- 208.100.26.251
- 86.104.134.144
And the payment URLs (defanged):
- hXXp://6dyxgqam4crv6rr6.tor2web.org/DF709D1E553E7BEF
- hXXp://6dyxgqam4crv6rr6.onion.to/DF709D1E553E7BEF
- hXXp://6dyxgqam4crv6rr6.onion.cab/DF709D1E553E7BEF
- hXXp://6dyxgqam4crv6rr6.onion.link/DF709D1E553E7BEF
Now you can search your logs for anyone who connected to any of these, as they are indicators of a potential infection. This showed two more infected computers in addition to the initial machine:
- DESKTOP-DS0VFGI
- DESKTOP-UU1KCDG
- DESKTOP-XJSHESU (the initial machine)
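As an added example (not code from the original write-up), here are the two mechanical steps above in Python: hashing the collected sample for the checksums that go into the TIP, and searching logs for clients that connected to any of the sandbox IOCs. The IOC values are the ones from the VirusTotal report; the log format (timestamp, client hostname, destination host, request) and the log lines themselves are constructed for the example. It goes slightly beyond the list above in one assumed generalisation: it matches the onion name 6dyxgqam4crv6rr6 against any Tor2web-style gateway, not only the four gateways listed, since the ransom note points at the same hidden service whichever gateway the victim used.

```python
import hashlib
import re
from collections import defaultdict

# Network indicators and payment URLs from the sandbox report above.
# Payment URLs are kept defanged (hXXp) exactly as in the write-up.
NETWORK_IOCS = [
    "hpglf.de", "ahfontplac.pm", "muvytwb.tf", "fmuccfbehnan.it",
    "nwcxvmwqglkgn.pm", "ufgceqiv.pw", "208.100.26.251", "86.104.134.144",
]
PAYMENT_URLS = [
    "hXXp://6dyxgqam4crv6rr6.tor2web.org/DF709D1E553E7BEF",
    "hXXp://6dyxgqam4crv6rr6.onion.to/DF709D1E553E7BEF",
    "hXXp://6dyxgqam4crv6rr6.onion.cab/DF709D1E553E7BEF",
    "hXXp://6dyxgqam4crv6rr6.onion.link/DF709D1E553E7BEF",
]

# <16 base32 chars>.onion, optionally followed by a Tor2web-style gateway
# suffix (e.g. .onion.to) or <onion>.tor2web.<tld>. Generalisation/assumption:
# the write-up only lists four gateways.
ONION_RE = re.compile(r"(?:^|\.)([a-z2-7]{16})\.(?:onion(?:\.[a-z]+)?|tor2web\.[a-z]+)$")

# Constructed log format for this example: "<timestamp> <client> <dest host> ...".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)")


def refang(ioc):
    """Undo the usual hXXp / [.] defanging so the value can be matched against logs."""
    return ioc.replace("hXXp", "http").replace("hxxp", "http").replace("[.]", ".")


def sample_hashes(data):
    """MD5, SHA1 and SHA256 of the collected sample: the checksums stored in the TIP."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_matchers(network_iocs=NETWORK_IOCS, payment_urls=PAYMENT_URLS):
    """Turn the IOC lists into a set of exact hosts/IPs and a set of onion names."""
    hosts = {h.lower() for h in network_iocs}
    onions = set()
    for url in payment_urls:
        host = refang(url).split("/")[2].lower()  # drop scheme and path
        hosts.add(host)
        m = ONION_RE.search(host)
        if m:
            onions.add(m.group(1))
    return hosts, onions


def find_infected(log_lines, network_iocs=NETWORK_IOCS, payment_urls=PAYMENT_URLS):
    """Return {client: [hosts it reached]} for every client that contacted an IOC."""
    hosts, onions = build_matchers(network_iocs, payment_urls)
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        host = m.group("host").lower()
        onion = ONION_RE.search(host)
        if host in hosts or (onion and onion.group(1) in onions):
            hits[m.group("client")].append(host)
    return dict(hits)


# Constructed proxy log excerpt (not real data): the three machines from the
# case, one of them via a gateway that is not in the list, plus one clean machine.
SAMPLE_LOG = [
    "2016-03-01T09:12:01Z DESKTOP-XJSHESU hpglf.de GET / 200",
    "2016-03-01T09:12:05Z DESKTOP-XJSHESU 6dyxgqam4crv6rr6.tor2web.org GET /DF709D1E553E7BEF 200",
    "2016-03-01T09:13:44Z DESKTOP-DS0VFGI 208.100.26.251 POST /main.php 200",
    "",
    "2016-03-01T09:14:02Z DESKTOP-UU1KCDG 6dyxgqam4crv6rr6.onion.nu GET /DF709D1E553E7BEF 200",
    "2016-03-01T09:15:10Z DESKTOP-CLEAN01 www.example.com GET / 200",
]

if __name__ == "__main__":
    print(sample_hashes(b"constructed stand-in for the collected sample"))
    for client, reached in sorted(find_infected(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(reached))
```

Matching on the onion name rather than on the four gateway hostnames is the kind of context the write-up is talking about: the feed gives you four URLs, the intelligence is that they are one hidden service reachable through any Tor2web gateway, so the log search should key on the onion address.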
From interviews with the employees and analysis of their machines it was also found that the threat came in through email:
from: svc_apacnts_274@herbalife.com
subject: HERBALIFE Order Number: 6N01001367
with a .7z attachment that included a .vbs file.
All in all, at this point you will have a lot of IOCs (Indicators of Compromise)