We’ve all seen the research into Fancy Bear (aka APT28, Sofacy, etc.), which is likely a group sponsored by or part of the Russian government. They even have their own website. Research into these groups is predominantly reactive.
Typical process for investigating nation state malware.
You’ll note in the above process that this is all driven by malware or attack samples being obtained at the beginning. The very nature of this means that attacks are already underway or might have already been finished by the time it’s detected or blocked. Protections against future attacks from this same actor using this process may or may not bear fruit as a result.
What if, instead of simply waiting for malware or attack samples, we researched one of the core enablers of this type of threat activity? Would this be a better return on investment for our efforts?
For those that don’t know, bulletproof hosting is one of the key enablers for cyber threat activity. The miscreants need hosting for everything they do, be it command and control server hosting or exploit kit hosting. It also takes quite a bit of time for the miscreants to set up these servers, so ideally they want hosting that isn’t taken down easily. Any time a miscreant runs a command and control server or exploit kit, their server provider will likely receive complaints and pressure from various anti-virus and security companies to take down the malicious infrastructure. Bulletproof hosting is hosting that will (or claims to) remain running even under pressure from these antivirus and security companies. Some bulletproof hosting providers even have their own data centers with prepaid government protection.
When it comes to bulletproof hosting, we are trying to achieve a position of information dominance over our adversary where these hosting networks are identified before they are used and can be blocked. At Intel 471 we refer to these as “pre-IOCs”. It’s a marketing gimmick we know but based on the fact that these aren’t indicators of compromise (IOCs) yet, we believe it’s an accurate term to describe the proactive blocking of bulletproof hosting networks. Blocking the bulletproof hosting networks proactively also means we don’t need to spend all our resources focusing on the specific threat groups or malware families themselves.
We’ll use the name Alex to describe one bulletproof hoster whom Intel 471 has tracked closely (Alex isn’t a nickname he uses). At the elite cybercriminal level there are only a few legitimate bulletproof hosting providers and Alex is one of them. In March-May 2017 we were able to link Alex’s bulletproof hosting network to the following malicious infrastructure:
Alex’s front-end proxy network from March-May 2017 consisted of around 800 different IPs across about 230 different providers. The vast majority were abusing US, China and Russian cloud hosting providers. In the beginning, the daily average size was around 100 hosts that were being rotated across his clients’ infrastructure.
Using Intel 471’s actor-centric intelligence with Anomali Threatstream, we are able to automatically ingest, correlate and action the blocking of Alex’s bulletproof hosting network. Intel 471, in this case, is the collector of the information whilst the Threatstream platform enables the sharing of this threat information into your organization’s security infrastructure.
The idea behind proactively blocking bulletproof hosting is that you are blocking things before they are bad. That is, don’t wait for your organization’s systems to be compromised with the latest exploit kit, banking trojan or ransomware, after which a costly incident response exercise is initiated. Intel 471 believes that there are truly only a dozen legitimate bulletproof hosters in the top tier or elite cybercriminal underground. The efficiency gain from simply blocking these pre-IOCs compared to the cost of not doing so is very large.
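As an added example (not Anomali’s or Intel 471’s code), here is what “pre-IOC” blocking looks like in practice: a feed of a hoster’s front-end proxy IPs is turned into a blocklist and matched against outbound proxy logs, with stale entries expired because, as described above, the front-end hosts rotate daily. The feed entries, log lines and the address ranges (RFC 5737 documentation ranges) are all constructed for illustration; only the actor label “Alex” comes from the post.

```python
"""Proactive pre-IOC blocking: match outbound proxy logs against a feed of
bulletproof-hosting front-end proxies before any compromise is observed."""
import ipaddress
from datetime import date, timedelta

# Constructed feed of hypothetical front-end proxy indicators for one hoster.
PRE_IOC_FEED = [
    {"indicator": "203.0.113.0/24", "first_seen": "2017-03-04", "actor": "Alex"},
    {"indicator": "198.51.100.17",  "first_seen": "2017-04-11", "actor": "Alex"},
    {"indicator": "192.0.2.55",     "first_seen": "2017-01-02", "actor": "Alex"},
]

# Constructed outbound proxy log: "<date> <src_ip> <dst_ip> <dst_port>"
PROXY_LOG = """\
2017-05-01 10.0.0.5 203.0.113.77 443
2017-05-01 10.0.0.9 93.184.216.34 443
2017-05-02 10.0.0.5 198.51.100.17 8080
2017-05-02 10.0.0.7 192.0.2.55 80
"""


def build_blocklist(feed, today_iso, max_age_days=60):
    """Return [(network, actor)] for indicators first seen within max_age_days.
    Front-end proxies rotate and are re-provisioned to other customers, so
    ageing out old entries limits false positives on reused cloud IPs."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    nets = []
    for item in feed:
        if date.fromisoformat(item["first_seen"]) >= cutoff:
            net = ipaddress.ip_network(item["indicator"], strict=False)
            nets.append((net, item["actor"]))
    return nets


def match_log(log_text, blocklist):
    """Return (log_line, actor) for each line whose destination is blocked."""
    hits = []
    for line in log_text.splitlines():
        _, _, dst, _ = line.split()
        addr = ipaddress.ip_address(dst)
        actor = next((a for net, a in blocklist if addr in net), None)
        if actor is not None:
            hits.append((line, actor))
    return hits


if __name__ == "__main__":
    for line, actor in match_log(PROXY_LOG, build_blocklist(PRE_IOC_FEED, "2017-05-02")):
        print(f"BLOCK [{actor}] {line}")
```

Feeding a real platform export into `PRE_IOC_FEED` and a firewall or proxy log into `PROXY_LOG` gives a first pass at the “block before it is bad” workflow; the third log line shows an expired indicator that no longer triggers a block.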
We did and you found us out. Alex’s cybercriminal bulletproof hosting service has been used in targeted attacks in Eastern Europe. Nation state threat actors need bulletproof hosting too.
The joint Anomali and Intel 471 offering provides a window into the elite cybercriminal underground within the Anomali Threatstream platform. This centralized threat intelligence solution provides proactive and breaking insight into how top tier cybercriminals are targeting your organization, assets, and people. Leveraging ThreatStream’s integrations and data enrichment features with Intel 471’s intelligence and insights creates a powerful weapon against cybercriminals and other threat actors. It’s a solution that gives analysts the ability to research actors like Alex and proactively push out protections against his known infrastructure. Because Intel 471 stays on top of actors like Alex, infrastructure changes can be followed and defenses adjusted accordingly.
Anomali and Intel 471 are happy to announce that as of 1 August 2017 we are offering silver, gold and platinum Intel 471 packages so organizations of any size can take advantage of Intel 471’s actor-centric intelligence within the Anomali platform. These offerings are available exclusively through the Anomali platform, and what is included depends on the package chosen. Packages include:
Travis Farral is the Director of Security Strategy for Anomali. With over 20 years of security industry experience, he has developed a strong background in threat intelligence, incident response, and Industrial Control Systems security. Previously Travis ran the Cybersecurity Intelligence & Strategic Services team at ExxonMobil and spent several years at companies such as Nokia and XTO Energy.