Know Thine Enemy—Profiling Cyber Threat Actors: Detect ‘19 Series

ANDREW DELANGE: Everyone, thank you for joining.

I mean, you could have been anywhere else, but you decided to come here.

And I appreciate that.

Thank you very much.

I hope everyone is enjoying the conference so far.

I believe what we've shown in terms of lens is going to significantly help with helping the analysts get where they need to go in the massive amounts of data that we have to play in every single day.

So a little bit about myself.

Some of the guys know me.

I actually did attend FSI sec training with you guys and that's how we know each other, very small world.

I am under Andrew DeLange and I'm originally from South Africa.

Moved to Dubai six months ago.

So I now focus primarily on the Middle East.

So what you're going to be seeing in my presentation is a lot about Middle East threat actors and stuff like that.

So pay no attention to the actual data itself, but more on the methodologies behind what I'm going to try to show you.

So in my previous life, I was an incident responder in banking.

I was the head of threat intelligence for the two biggest banks in South Africa.

And yeah, I was an analyst myself.

I'm pretty far away from that now since joining the Anomali sales force.

And yeah, I guess I was picked specifically because I used to be a very good user of the platform.

So, let's start off with the things like APT research, right?

I mean there's a lot of reasons why companies do these types of things.

And it's quite obvious why, think, all these strange names like Charming, Kitten, APT this, Scary this, Scary that, Buffalo, on and on.

Everyone has different names, but primarily it's there to kind of show that there's a lot of research being done.

And they want to put their own little spin on these adversaries or threat actors as we like to call them.

Now, if we look at some of the just, you know some of the headlines that we see.

We see things like Fin 7, Charming Kitten, Lazarus Group, Silence, all of these names kind of you know, basically mean something to the vendor and we should not get lost in the terminology of what these guys call vendors.

Because at the end of the day, it's not what the name of the adversary is or what he's being called or what they're being called by the different vendors that we kind of sign up to.

Because that can get a bit confusing, right?

And I mean, if some of you are-- just a show of hands, any Anomali customers, current Anomali customers in the room?

Oh, great.

So you've seen the aliases, when you look at the threat models, and you see the actor profiles, you see these aliases, right?

So that's one of the things that we create there.

Because it's just, it's just too much information.

So focusing on the Middle East, just showing you kind of how we-- well this is just some of my own research that I've done.

And you know this is something that we'll hopefully be putting into the platform at some point.

But kind of breaking it down, if you're an analyst trying to figure out, not just by your geo location, but your industry vertical, that you are playing in or that you work in, what are the actors and what are their capabilities?

So if we kind of just pivot out to what I've created in this little mind map, if we look at the Middle East, specifically, and if we break down all of the verticals there, you can see that there's obviously a lot of overlap in some of these threat actors and where they play.

So it means that the Yemen Cyber Army and APT 34-- now APT 34 is the Iranian threat actor that is quite prevalent in the Middle East and has been seen targeting things like oil and gas quite heavily.

But you can see, they've also been playing around in financial services.

And that's because you know they trying to fund themselves and things like that.

So you will see a whole bunch of overlap in some of them.

Now, if we look at well, APT 34, we can break it down into sophistication, motivation, their aliases, tactics, all of this information lives within threat stream, right?

We just need to find a way to actually bring it all together in one single space.

And I'm not going to pivot too much on this.

But yeah, this is just the kind of data that you can extrapolate.

You can see it.

It becomes a lot of data, when we're talking about APT research.

Now, my whole discussion today, and if we look here, for example this is Oil Rig.

It's no matter the name, the fingerprints, the fingerprints remain the same.

So these things like the hashes, domains, IP addresses, these are the things that we can count on to differentiate the names of, or actually differentiate what we're looking at.

And you know if it's APT or fuzzy this or woolly this or whatever it's, what we need to look at is the prints that are being left behind.

So, that's a simple ABT campaign from Oil Rig.

I mean, we can see that this was just a Turkish government entity that was targeted.

And obviously there was a Excel file that was attached.

And so, what happens is now, how do we use our platform to kind of look at things in a specific way?

So if we look at this specific file hash, which was detonated in the sandbox in anomaly threat stream, and if we use our threat intelligence platform, we will be able to kind of see certain things.

So we can see there's a threat active match.

And there are two threat bulletins that are associated with this specific file hash.

Right?

So we can go and search all the associations that I have for all the observables for the Oil Rig threat actor.

And I eventually end up with all this garbage in one single space.

So this is for all for APT 34 infrastructure, that is in the Anomali platform.

And you can keep going as-- you can keep pivoting on hashes and doing packets of DNS calls and all kinds of things, looking at things like VirusTotal enrichments and everything, just to get to where you want to go.

But at the end of the day, it becomes a lot of information.

Now in terms of looking at APTs, chances are quite slim that some of us sitting in the room will ever see APT activity on our network, right?

I mean, we're just sometimes too small for these guys to even look at us.

So what we have is, we have a different type of threat actor that's trying to disrupt us.

We have guys trying to harvest credentials from us.

We have low level threat actors.

You know, young kids there are kind of figuring their way out on a kali machine and trying to just scan the internet.

And then they find an open port somewhere and they start playing around.

And we have to worry about these as well.

So you know just about APTs, you know, all that stuff we can burn.

So, look at a very random phishing campaign.

So let's say, for example, you have this phishing campaign.

And you are observing that this one specifically is trying to harvest iCloud credit.

And as we can see that this was-- you know, you send it into the-- how many of you make use of the import function for phishing emails in the [INAUDIBLE]??

All right, so that's a good function to have, right?

So, by default what's going to happen is it's going to start scraping all these IOCs, the headers, and everything is going to be scraped out for you.

And you will have a campaign.

And you'll end up with the IOCs and everything associated with it.

But let's focus specifically on that domain over there.

And bear in mind, please, this is a very, very simple example of threat actor profiling and the reason behind why we profile.

And as we can see, this is a random phishing campaign.

We've confirmed it because we actually went to the URL in the sandbox.

We can see that in the sandbox there, we can definitely see that this is actually a false Apple website.

And if you're trying to populate it, then you will obviously compromise your credentials.

So, out of that one single campaign, that phishing campaign, as a threat analyst, you know, we we're interested in our APTs and that.

But we also want to understand, for example, when we go all the way up to strategic intelligence, is if we want to start doing trend analysis, what type of attacks are we seeing from, in this example, phishing?

So what type of phishing themed attacks are we seeing a lot of?

Are they trying to harvest credentials from Office 365?

Then, if we are users of Office 365 services, then someone might know that we could compromise our domain credentials by that.

These are very random, because they are you know, credentials being sold online in all kinds of marketplaces that our friends in 471 tell us about.

But let's look at what happened with this specific campaign and this threat active profile that we've created from there.

So as you can see, we started off with one single campaign and we managed to create-- for my organization called Metacortex, we created a threat actor by the name of Flor.

And we've used our threat stream platform to actually do this and create this threat actor profile.

This is why this exists in thread stream is because, as analysts, we want to try and bring as much information together as we can to see if we can build profiles.

So, if we look at this threat actor here and the description of it, we can see that the threat actor Flor, which is the name that I've given it, was initially identified during an investigation into an iCloud thief phishing campaign.

And from historical who is information, we were able to identify ties to Albania.

The campaign was a credential harvesting campaign and was successfully detected and blocked by our controls.

Now, if our controls are successful in detecting and blocking, does that mean we should just step away from it?

Or should we try and collect as much information as we can about what's happening to us as an entity?

So if I'm a bank for example, what I'm trying to do is I'm trying to protect money.

So you know what we don't want someone to get our payment systems to extrapolate money from our payment systems.

If I work for a government, one of the things that I'm trying to protect is state secrets, right?

So there's different motivations we know.

So, as this one for example, we were able to kind of find, from the domain registration information, we were able to find one email address and obviously from historical who is information which also lives within threat stream, we were able to find some data that was-- I think this was in 2004, where this email address was first seen registering domains.

And we have some information on our potential threat actor there.

So this one, I'm not going to dive too deep into, but there is an overlay between this threat actor called Jamal [INAUDIBLE],, and our actor Flor, and I'm going to show you now where the overlay will happen.

So we can see that this actor Jamal [INAUDIBLE] is not actively targeting us.

But there is a connection between the threat actor Flor, which needs to be investigated.

So Flor is someone that has been trying to phish us for credentials, but this one is another one we created just out of interest because there is some overlap in some of the infrastructure.

So let's look at this.

This is the research that we have with that we've completed.

At one phishing campaign, we were kind of able to map out all of this bad infrastructure from the threat actor.

Now how did we get to this point?

So, I don't know if you guys can see that.

But I mean, so let's use you know simple examples for let's see Apple, Apple, Apple ID.

So all right, so-- I'm struggling to see-- you guys can probably not see what the writing is there.

Or can you?

Is it possible?

No point then.

So the overlap between our actor Jamal and our actor Flor here lives on that IP address over there, right?

And there's also similarities in what the campaigns are.

So that we can see that the registration from that email address that Jamal [INAUDIBLE] at gmail.com, that's our threat actor profile.

And these registrations that we see are all kind of Apple themed.

Right?

So, he's definitely trying to harvest Apple credentials as well as our actor Flor, which is also trying.

Could be the same person, possibly not.

Who knows?

At the end of the day, it's up to the analysts to try and find these connections and kind of build out the infrastructure.

Now what's important to remember is that we started off with one phishing email, one phishing email that contained one single domain.

So let's look at Flor a little bit deeper.

So, if we go and look at that specific domain, which was contained, we can see that this domain, Appleinfo.com, sits on this IP address over here.

And there is a who is registration for that email address over there.

And we've associated it with our threat actor.

This is now after we've completed our investigation.

So, what'll happen from there on is, if we just go back one second.

So 190, oh there we go.

able to find obviously those other domains there as well.

And also if we dive out a little bit more, we can see that there is Apple-idalert.com.

That's another domain registered by that specific email address.

And eventually what we ended up with is from that one single campaign, we ended up with all of this infrastructure over here that we can tie back to that one specific threat actor.

Now what's interesting to see is that there's a lot of iCloud, a lot of Apple themed campaigns, but we can see that our friend was also seen doing some PayPal.

So he's trying to harvest PayPal credentials as well.

So this is just a general phisher.

I mean, you know, the reason we do this kind of research as analysts is, you know if one day, we've created our threat actor profiles, and you know, some big company with all these great analysts that have all this time and effort, does research and they find a specific IP address, which I've researched in my research five months ago, that is targeting me, and if I can overlap that APT versus my simple threat actor profile that I've created, then I've made a connection possibly between my threat actor and their threat actor who's the APT, right?

So now there is a little bit more of a hypothesis about, well, I've been tracking this guy for so long and what he's been trying to do with these campaigns is maybe not trying to harvest credentials, but there's maybe some other motivation behind this whole thing.

So I mean at the end of the day, we ended up with a whole pretty picture of Flor's attack infrastructure.

As you can see some of these blue points here, these are metadata points that gets pulled into threat stream as well.

A really cool feature within threat stream is that things like SSL certificates, if you pivot on an SSL certificate, you're able to find domains which are associated with certificates and things like that.

And this has kind of helped us out where the who is information is a little bit sketchy as of late with GDPR and all these things.

But we do have historical who is information living in the platform already.

I mean Anomali has been in business since 2013.

So we started collecting that data back then.

And then obviously that data still lives there.

So, if you can find an association between an email address and the information that lives in threat stream, it means that you can make a connection to that.

So question, why do we profile?

Now, is anyone willing to answer, why do we go through all this effort to kind of just do all of that?

And I've touched on some of the points, but is it is it really necessary that, because we have blocked that email address, for us to try and profile the campaigns against us?

Do you see any value in what has been provided in that?

So in my view, what we've done there is we've proactively found domains that we should send down to our protection and into our security controls.

That's the one thing that we've done.

Another reason why we do profile is because it keeps us sharp.

It keeps us-- and like I said, this is a very simple example, where once you start diving deep into something like [INAUDIBLE] research and things like that, it becomes a little bit more tricky to do attribution.

Because attribution is not an exact science you will never be correct in your assumptions.

But what you need to do is, you need to kind of get into the mindset of-- if you look at the military.

Why would the US be interested in who is trying to attack them?

Why?

Because they would need to understand the capabilities and they would need to understand, are they able to defend against the capabilities?

So that's why we profile.

We profile because we need to understand if there is a specific TTP that a threat actor can exploit in our environment and are we defending against it efficiently.

Thank you very much.

I really appreciate it.