Know Thyself: 5 Elements to Cyber Counterintelligence for Threat Hunting
November 11, 2017
"People make themselves appear ridiculous when they are trying to know obscure things before they know themselves." (Phaedrus, Plato)
I originally wrote most of this post as the first post I was going to write, but I got so excited about the models that I published that one instead and this one was left with the other 15 in the draft state.
Imagine you are preparing for a fight, like a championship fight -- your entire reputation is staked on the outcome of this fight.
How would you prepare for this pivotal moment?
Chances are you imagine an intense training scene from Rocky, or maybe Neo learning kung fu. Either way, you are imagining training yourself for the fight ahead.
What probably doesn't come to mind is sitting on the couch instead of training, watching videos of your opponent so that you can learn as much as possible about them before the fight. Yet this is what I have seen companies do for years while trying to protect their environment. They create robust cyber threat intelligence programs or reverse engineer threat actor tools without having a decent asset management program.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War
Cyber Counterintelligence, the information gathered and activities conducted to protect against cyber threats, is the foundation of a good defense and response.
Threat Hunting is a critical, proactive component of a good counterintelligence program, but it relies on knowing the organizational landscape -- even more so than the threat landscape. So I want to take some time to go over what I consider necessary for an in-house, kick-ass hunting program, because I haven't seen a good tactical overview for those trying to get a program started. Endgame mentions this in their Hunt Cycle as "Survey", and SANS references "Situational Awareness" in the analyst whitepaper Generating Hypotheses for Successful Threat Hunting.
I am going to coin the term scouting for the gathering of information on organizational assets, networks, and data. Scouting will look different depending on the size of your organization, but for the purposes of this post I am going to assume a mid-to-large company so we can discuss areas of collaboration within your organization.
At 2017 BlackHat USA, Kelly Shortridge did an amazing presentation where she shared the idea of using SWOT analysis for coming up with strategy. When modeling SWOT for the company in relation to the attacker she noted that a strength of the company should be an understanding of the target environment. Yet, in reality, there is a running joke among responders about asking the attacker for a company network diagram.
1. Asset Management
Asset Management commonly falls within the IT Ops section of the organization, but really it is something I believe has to be a company-wide effort, practically living at the organization's cultural level, to succeed. As the owner of a hunt or counterintelligence team, start by fostering a good relationship with IT Ops. Engage them with intel briefings from CTI on adversaries; show them the value they are providing to the org, and share with them the value hunting brings to your organization -- I use what I call a "cheerleading deck".* Support efforts to procure good asset management tools, for example ServiceNow or Tanium. Then move on to an education and awareness campaign for the entire company.
If you are going to adopt Threat Hunting models that include Crown Jewels, I can't stress enough the importance of this element: you cannot rank or defend assets you don't know you have.
*If you could use a "cheerleading deck" and are struggling with content, contact me and I will share a sanitized version I have used with success.
2. Attack Surface
It can be overwhelming to contemplate your attack surface, especially when you hear phrases like "The perimeter is dead." Depending on the size of your organization, I would plan to phase this over at least a year. This should land within your Cyber organization, as you want a full picture that encompasses all subsidiaries, third parties, etc. The attack surface can also provide a compelling storyline for executives and other parts of your organization.
There are a couple of ways to think about monitoring your attack surface, and it might be helpful to use both.
Attack vectors are nothing new to cybersecurity, which means they are a familiar way to talk to your leadership about where you might need more insight or resources; one vector to call out explicitly:
Supply Chain/Third party
I have been using domains as a way to balance my team's talent, so I like thinking this way. It also lends itself to carving up the attack surface by area:
Network - the usual
Endpoint - the coveted data
Cloud - yes, it's different; no, it's not just somebody else's computer
DevOps/App - the result of microservices, containerization and REST APIs
Mobile - it's just different from other endpoints, in my view
IoT - it's not going anywhere, so we will have to protect it eventually
3. Logging
You now know the what and where of your assets, and you have begun to map the attack surface around your high-value targets; next, log what happens on those systems. There is almost nothing that makes talking about logging compelling -- ok, well, except maybe machine learning.
For successful logging in a larger organization, you are likely going to need a policy that mandates the necessary logging across your attack surface and the centralization of those logs. A log that never leaves the host it was written on is of little use to a hunter and is the first thing an intruder with root will clean up.
4. Identity and Access Management (IAM)
I'm not an IAM expert, but I have seen what happens when this isn't done in an organization. Your team will want to understand your organization's IAM strategy, and you may need to include your corporate security team in the conversation (badging logs can be an interesting source of information for corroborating evidence).
It seems evident to me that as the organization's perimeter dissolves, the need for robust IAM becomes more important. An identity can now belong to a person or a device. If you are equally green to the advances in this element, Gartner holds a summit on the topic: https://www.gartner.com/events/na/identity-access-management# While I haven't attended this summit, I have enjoyed Gartner summits in the past.
5. Baselining
I grappled with whether to include baselining in this lineup. There is no doubt it will take your hunt team, and likely your insider threat team, to the next level, but it relies heavily on items 1-4 being in place to succeed: you can't describe "normal" for assets, identities and log sources you haven't inventoried and collected. I ultimately included it because UEBA can be powerful.
At Black Hat 2017, I was actually impressed by a UEBA tool I saw from E8 Security. It allowed the user to combine multiple data sources to baseline together. (To be honest, I walked around the Business Hall looking for any vendor remotely mentioning hunting and I stumbled upon their demo.) Baselining doesn't require any special tool, but having a tool will undoubtedly speed along the process.
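To make the "no special tool required" point concrete, here is a small baselining script I am adding as an example; it is not from the original post or any vendor product. It builds a per-user baseline of successful VPN logins (sources, hosts, and hour-of-day range) from a training window, scores new events against it, and then combines a second data source, the badge logs mentioned under IAM, to flag a remote login that arrives while the same person is badged into the building. All log lines are constructed, and the field layout, the two-hour slack and the reason labels are assumptions for the example.

```python
"""Baseline-and-deviate over constructed VPN and badge logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed training data: '<iso-ts> <user> <source-asn> <host> <result>'.
VPN_LOG = """\
2017-10-02T08:05:00 alice US-ASN7922 alice-laptop ok
2017-10-03T08:10:00 alice US-ASN7922 alice-laptop ok
2017-10-04T07:55:00 alice US-ASN7922 alice-laptop ok
2017-10-05T08:20:00 alice US-ASN7922 alice-laptop ok
2017-10-02T09:00:00 bob US-ASN22773 bob-laptop ok
2017-10-03T18:30:00 bob US-ASN22773 bob-laptop ok
2017-10-04T09:15:00 bob US-ASN22773 bob-laptop ok
"""

# Constructed badge data: '<iso-ts> <user> <door> <in|out>'.
BADGE_LOG = """\
2017-10-16T08:45:00 alice HQ-LOBBY in
2017-10-16T17:30:00 alice HQ-LOBBY out
"""

# Constructed events to score against the baseline (same layout as VPN_LOG).
NEW_EVENTS = """\
2017-10-16T08:05:00 alice US-ASN7922 alice-laptop ok
2017-10-16T10:12:00 alice RO-ASN9050 unknown-host ok
2017-10-16T03:40:00 bob US-ASN22773 bob-laptop ok
2017-10-16T09:05:00 carol US-ASN7922 carol-laptop ok
"""

HOUR_SLACK = 2  # assumption: tolerate logins up to 2h outside the observed range


def parse_vpn(text):
    """Parse VPN auth lines into dicts with a real datetime for the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "host": host, "result": result})
    return events


def parse_badge(text):
    """Parse badge swipe lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, door, direction = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "door": door, "dir": direction})
    return events


def build_baseline(vpn_events):
    """Per-user 'normal': sources and hosts seen, plus the hours of successful logins."""
    base = defaultdict(lambda: {"src": set(), "host": set(), "hours": []})
    for e in vpn_events:
        if e["result"] != "ok":          # failed attempts do not define normal
            continue
        b = base[e["user"]]
        b["src"].add(e["src"])
        b["host"].add(e["host"])
        b["hours"].append(e["ts"].hour)
    return dict(base)


def on_site(badge_events, user, ts):
    """True if the user's most recent badge swipe at or before ts was an 'in'."""
    prior = [b for b in badge_events if b["user"] == user and b["ts"] <= ts]
    if not prior:
        return False
    return max(prior, key=lambda b: b["ts"])["dir"] == "in"


def score(event, baseline, badge_events):
    """Return the list of deviations for one VPN event (empty list means normal)."""
    reasons = []
    b = baseline.get(event["user"])
    if b is None:
        reasons.append("no_baseline")    # nothing to compare against yet
    else:
        if event["src"] not in b["src"]:
            reasons.append("new_source")
        if event["host"] not in b["host"]:
            reasons.append("new_host")
        lo, hi = min(b["hours"]) - HOUR_SLACK, max(b["hours"]) + HOUR_SLACK
        if not lo <= event["ts"].hour <= hi:
            reasons.append("off_hours")
    # Second data source: a remote login while the badge system says the
    # person is physically in the building deserves a look either way.
    if on_site(badge_events, event["user"], event["ts"]):
        reasons.append("vpn_while_on_site")
    return reasons


def hunt(new_text=NEW_EVENTS, vpn_text=VPN_LOG, badge_text=BADGE_LOG):
    """Score every new event; returns {(user, iso-ts): [reasons]} for flagged ones."""
    baseline = build_baseline(parse_vpn(vpn_text))
    badges = parse_badge(badge_text)
    flagged = {}
    for e in parse_vpn(new_text):
        r = score(e, baseline, badges)
        if r:
            flagged[(e["user"], e["ts"].isoformat())] = r
    return flagged


if __name__ == "__main__":
    for key, reasons in hunt().items():
        print(key, reasons)
```

Run as a script and it prints three hits: alice's second login (new source, new host, and she is badged in at HQ), bob's 03:40 login (outside his observed hours), and carol (no baseline at all, which is itself a finding about your asset and identity inventory). The first alice login is silent because it matches her baseline and precedes her badge-in. Note that "no_baseline" for a user who should have weeks of history is exactly the gap items 1-4 are meant to close.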
The counterintelligence road can be long and extremely frustrating. It isn't sexy and it doesn't immediately win favor, but in the end, with this type of information at your fingertips, you are ready to hunt in the areas where you are most needed.
Inside note on this post. The boy read this post as I wrote it and let me know how much my references aged me. He advised I change my references to be more up-to-date. I did not take his suggestions, instead embracing my old school references.
I am not endorsing the tools I mention on this page, as I haven't used all of them, but they have had elements that impressed me and hopefully can guide you in a search on the topic if need be. I am also not getting paid for my references to vendors.