SOC-Class: Use Case Development

Posted on 2020-11-23 by Chris Crowley and Josiah Smith
## Use Case Development To start out, I want to assert that use cases are engineered efforts to detect issues. Hunts are ad hoc efforts to detect issues. You need both. In this blog, we'll talk about the right approach to building a use case, and an often-neglected portion of that build effort: developing and deploying testing alongside the development and deployment of the detection capability. Ideally, the development of use cases would be a requirement for all (on-prem, cloud, etc.) new IT systems deployments. It's an optimistic position to hold, but any company with a mature DevSecOps approach should consider the inclusion of use cases as part of that effort, even if they're not a required output from the initial systems development. An output from hunting would be discovering good candidates for use cases. We'll cover hunting in more detail in a future post (if you can't wait, take a look at Crowley's ["Hunting by Numbers"](https://www.youtube.com/watch?v=Vm7iMPe0rMA) youtube video. In the SOC-Class model, the steps for building a use case are: Identify the scenario and business relevance Decompose the scenario into elements Identify artifacts of data relevant to the elements Propose (and test) candidates of detection and differentiation within the data elements Select enrichment opportunities within the data Implement the use case Monitor and assess the performance of the implemented use case based on the detection and differentiation initially proposed Review and revise the components (scenario elements, data artifacts, detection candidates, enrichment) and expire them when there is no longer business relevance or a relevant threat Many organizations lack a programmatic definition of use case development. Many are doing it in some form, but don't have a clearly articulated strategy and tactical implementation of this fundamentally important activity of security operations. If you want more of the details related to how this fits into a larger program of security operations for a SOC, you should look at Crowley's [SOC-Class](https://soc-class.com). With the common reference to the ATT&CK framework as a maturity assessment capability, see figure 1 for its prevalence in the forthcoming SOC-Survey.com results, SOCs are tasked with assessing confidence in detecting a given tactic or technique expressed by an adversary. Without having tests in place to simulate those tactics and techniques, we can't (honestly) assert confidence. Fig 1. Models in use for determining capabilities. The mandate to verify our use cases in ongoing operations is part of our maturity self-assessment, as well as a solid approach to performance measurements. If the adversary behaviors are an unknown input into our environment (a reasonable assumption: we don't know what the adversary is doing and we're trying to find that activity), ongoing testing that simulates the adversary behavior is an effective way to assert ongoing confidence that our use cases are functioning as designed. ## Use Case Development Example The following discussion aims to showcase the utilization of the SOC-Class's model to develop a use-case to detect malicious events targeting an organization user's with coercive malicious documents delivered through phishing campaigns. With consideration to InQuest's capabilities and mantra to "Prevent, Detect, Hunt", it feels natural to aim to tackle a problem using our favorite pattern matching tool YARA. ### Identify the scenario and business relevance As we have already acknowledged, phishing is the predominant access vector for threat actors to carry out their attacks; it is irresponsible to think that it is possible to "Squish the Phish" or get that "click rate" down to zero. Concerning the colloquial security proverb, "Prevention is ideal, but detection is a must!", InQuest has been following a variety of different techniques used in malicious documents. On a consistent basis, threat actors are trying to convince the unbeknownst user to "enable macros" or "enabling content" to progress down the attack chain. One such method to detect these coercive lures is the implementation of [Optical Character Recognition](https://inquest.net/blog/2020/05/12/Detecting-Coercive-Lures-with-OCR) within the Deep File Inspection stack. Another innovative technique is to anchor and pivot on [Adobe Extensible Metadata Platform (XMP) identifiers (IDs)](https://inquest.net/blog/2019/09/30/Adobe-XMP-Tales-of-an-Overlooked-Anchor) shared within these coercive lures. Unfortunately, there are a few scenarios where cleverly obfuscated embedded logic may still prove troublesome to detect and are misaligned with the previous detection techniques for graphical lures. Consider the following image that is coercing the recipient to "Enable Content" within a foreign language. Fig 2. Foreign Language Lure. After considering the fact that these graphical lures are often utilized across campaigns and incorporated into a variety of different obfuscation/delivery frameworks, it may prove fruitful to develop a methodology for the use case of detection of maldocs using the images they contain with the obvious ### Decompose the scenario into elements Following the SOC-Class model, the next step for developing a use case would be to decompose the scenario into elements. The derived elements are the malicious documents themselves, the security tool, and the prospective targets of the phishing campaign within a perspective. ### Identify artifacts of data relevant to the elements The artifacts relevant to the malicious document elements that we plan on anchoring our detection logic on are the images embedded within the documents. We have been busy collating these graphical lures within our [Malware Lures Gallery](https://inquest.net/malware-lures-gallery). While some of these images and their respective parent files are well detected by OCR, XMP anchors and known by the AV community, some are not. With their probability of recurring in the future and emerging TTPS, the redundant or novel detection method could prevent the next incident or data breach. ### Propose (and test) candidates of detection and differentiation within the data elements In order to properly develop, test, and scale this technique, the detection rule will start with a smaller subset of data and the respective strings being used. For this venture, we will use the following maldocs to generate the use-case. | Indicator Type | Sha256 Hash           | Notes/Reports | |:----------------:| ----------------------| :-----------------:| |Document Hash|ccf6d989bd33ecd81ee39f8a89ec72e5f27936a277d2ff41f4afe2d89060c770|[InQuest Labs](https://labs.inquest.net/dfi/sha256/ccf6d989bd33ecd81ee39f8a89ec72e5f27936a277d2ff41f4afe2d89060c770) | [VirusTotal](https://www.virustotal.com/gui/file/ccf6d989bd33ecd81ee39f8a89ec72e5f27936a277d2ff41f4afe2d89060c770) |Document Hash|63c8b6288a09b1ac43867bee20e5147e1251d589458f0a2f5686f66a47e0d259|[InQuest Labs](https://labs.inquest.net/dfi/sha256/63c8b6288a09b1ac43867bee20e5147e1251d589458f0a2f5686f66a47e0d259) | [VirusTotal](https://www.virustotal.com/gui/file/63c8b6288a09b1ac43867bee20e5147e1251d589458f0a2f5686f66a47e0d259) |Document Hash|d541874dd0e9d045f893a30c64cac85b5c9ecfa249d287d0378bc82199e35036|[InQuest Labs](https://labs.inquest.net/dfi/sha256/d541874dd0e9d045f893a30c64cac85b5c9ecfa249d287d0378bc82199e35036) | [VirusTotal](https://www.virustotal.com/gui/file/d541874dd0e9d045f893a30c64cac85b5c9ecfa249d287d0378bc82199e35036) |Document Hash|eb940285e68042df9c82c929ba87c3bd4c93e4c7969b34ab4f09f20f90a892a8|[InQuest Labs](https://labs.inquest.net/dfi/sha256/eb940285e68042df9c82c929ba87c3bd4c93e4c7969b34ab4f09f20f90a892a8) | [VirusTotal](https://www.virustotal.com/gui/file/eb940285e68042df9c82c929ba87c3bd4c93e4c7969b34ab4f09f20f90a892a8) |Document Hash|40e5e65bc8514eb8ac9c1b87b297c4c010e6934338cddac16eef5a8d3a756cf8|[InQuest Labs](https://labs.inquest.net/dfi/sha256/40e5e65bc8514eb8ac9c1b87b297c4c010e6934338cddac16eef5a8d3a756cf8) | [VirusTotal](https://www.virustotal.com/gui/file/40e5e65bc8514eb8ac9c1b87b297c4c010e6934338cddac16eef5a8d3a756cf8) After performing Deep File Inspection on the above files, the specific images of concern are identified. ```iq-terminal $ find . -name '*' -exec file {} \; | grep -o -P '^.+: \w+ image' ./d541874dd0e9d045f893a30c64cac85b5c9ecfa249d287d0378bc82199e35036-pp/carving-001.png: PNG image ./40e5e65bc8514eb8ac9c1b87b297c4c010e6934338cddac16eef5a8d3a756cf8-pp/carving-001.png: PNG image ./eb940285e68042df9c82c929ba87c3bd4c93e4c7969b34ab4f09f20f90a892a8-pp/tge-zip-1-1/xl/media/image1.jpg.png: PNG image ./63c8b6288a09b1ac43867bee20e5147e1251d589458f0a2f5686f66a47e0d259-pp/tge-zip-1-1/word/media/image1.png: PNG image ./ccf6d989bd33ecd81ee39f8a89ec72e5f27936a277d2ff41f4afe2d89060c770-pp/ccf6d989bd33ecd81ee39f8a89ec72e5f27936a277d2ff41f4afe2d89060c770.stream-5.olefileio.jpg.png: PNG image ``` Here are the derived graphical lures for your viewing pleasure :) * { box-sizing: border-box; } .column { float: left; width: 33.33%; padding: 5px; } /* Clearfix (clear floats) */ .row::after { content: ""; clear: both; display: table; } ### Select enrichment opportunities within the data There are a variety of different techniques that can be used to have the images anchored into strings within a Yara Rule. This derivative will be using a nifty tool recently brought to our attention [Halogen](https://github.com/target/halogen/blob/main/halogen/halogen.py) The resulting rule is output from the tool ```iq-terminal rule halo_generated_a9b32fad32b4afb8cb3330c189fd7c87 : maldoc image { meta: tlp = "amber" author = "Halogen Generated Rule" date = "2020-11-18" md5 = "['28ab3d552d6f795378f9e6bb692c4f5f', 'afbdecbc6c7c5fc32ec922c2960b172b', '1c2b1d2d121683a9597ae8cf17763958', '7f7aad6745acc211a264bbc1350aed89', 'a9b32fad32b4afb8cb3330c189fd7c87']" family = "malware family" filename = "Directory: ../../scratchpad/use-cases/images/" scope = "['detection', 'collection']" intel = "['']" strings: $png_img_value_0 = {89504e470d0a1a0a0000000d49484452000000cd0000003a08020000009c494a9f000000017352474200aece1ce9000000097048597300000ec400000ec401952b0e1b0000201249444154785eed9d075c95d51bc77d} $png_img_value_1 = {89504e470d0a1a0a0000000d49484452000000180000001808020000006f15aaaf000000017352474200aece1ce9000000097048597300000ec400000ec401952b0e1b000001d249444154384f63fcffffffb7efbfe6} $png_img_value_2 = {89504e470d0a1a0a0000000d49484452000000180000001808020000006f15aaaf000000017352474200aece1ce9000000097048597300000ec400000ec401952b0e1b000002f549444154384f9d545d481451149e3b} $png_img_value_3 = {89504e470d0a1a0a0000000d49484452000005550000027d0802000000baa0053d00000006624b474400ff00ff00ffa0bda793000000097048597300000ec300000ec301c76fa8640000800049444154780104c13d8e} $png_img_value_4 = {89504e470d0a1a0a0000000d49484452000002df0000015b080200000082a175c0000000017352474200aece1ce90000ffca49444154785eecfd77971cc796de0b676596aff6dde8863704080284a13d7666ce68ace6} $png_img_value_5 = {89504e470d0a1a0a0000000d4948445200000353000000fc0806000000921afe3a000000017352474200aece1ce90000000467414d410000b18f0bfc6105000000097048597300000ec200000ec20115284a80000094} $png_img_value_6 = {89504e470d0a1a0a0000000d494844520000026e0000012c0802000000f5b2a8be00000006624b474400ff00ff00ffa0bda793000080004944415478daecfdf7775bc7963f0abe7f647e98796fde74b8d7b698903398} condition: any of them } ``` ### Implement the use case Before fully implementing the use case, there are a few potential mechanisms to frame the efficacy before the rule is released into production. Using the VirusTotal Hunting feature, the signature's fidelity can be benchmarked against real-world traffic being submitted to VirusTotal via their Livehunt operations. Additionally, a Retrohunt procedure can be performed against the Goodware files-set, a corpus of non-malicious files. The Goodware rethrohunt finished without any matches and improved or assumed higher fidelity by proactively avoiding some false positives. Fig 3. Goodware Retrohunt. ### Monitor and assess the performance of the implemented use case based on the detection After the detection capability has been released into the monitoring environment, the SOC-Class use case development framework suggests continuous monitoring and performance assessment of the given solution. Discussed are two potential methods of monitoring the performance of the developed detection method. The first is to leave the given rule-set within the VirusTotal Livehunt operation. As the image depicts, there is effective detection against malicious documents well known by the AV community Fig 4. Livehunt Notifications. Another approach to monitoring the performance of a signature is to track the count through various dashboards. Measuring performance here is most effective against customer traffic through MSSP visibility. Other approaches to performance measurement are to continue to inspect high-volume data streams through services like [MXmaildata](https://mxmaildata.com/) Fig 5. Event Monitoring. ### Review and revise the components Following the SOC-Class model, the next step describes the necessity to review and revise the use-case components. For this specific process, let's contrive the scenario where there were various false positives or benign true-positives against a subset of executable files. This oversight is easily correctable by changing the condition logic in our perspective rule. While it would be perfectly acceptable to add the MZ magic string and use it with a NOT condition, we will use this handy [UInt()Trigger Generator](https://labs.inquest.net/tools/yara/iq-uint-trigger) for speed and performance. The resulting condition: ```iq-terminal condition: /* trigger = 'MZ' */ AND NOT (uint16be(0x0) == 0x4d5a) ``` ### Expire it when there is no longer business relevance or a relevant threat. The SOC-Class model's last step is to retire the use case when it is no longer relevant. For this specific scenario, if the detection with the image anchoring becomes non-actionable, or graphical coercive lures stop being used within phishing campaigns, there might not be a threat presented within the organization. The best practice shows there is a time-based review process for the efficacy and usefulness of these detection capabilities. While this time is arbitrary or independent of your organization, it should be employed and documented within the SOC's Organizational policy. ### About the SOC-Class/Guest Author Christopher Crowley has 20 years of experience managing and securing networks, beginning with his first job as a Ultrix and VMS systems administrator at 15 years old. Today, Crowley is a Senior Instructor at the SANS Institute and the course author for SOC-Class.com. He works with various organizations across industries providing cybersecurity technical analysis, developing and publishing research, sharing expert security insights at conferences, and chairing security operations events. The SOC-Class is a niche course on cybersecurity operations, training CISOs, SOC Managers, and technical leads to build and excel in Cybersecurity Operations Centers SOCs/CSOCs. This use case development methodology is one of the approaches discussed in the course and is intended to provide a framework for the mature and repeatable construction of engineered detections.

Tags
walkthrough in-the-wild threat-hunting guest

Get The InQuest Insider

Find us on Twitter for frequent updates, follow our Blog for bi-weekly technical write-ups, or subscribe here to receive our monthly newsletter, The InQuest Insider. We curate and provide you with the latest news stories, field notes about innovative malware, novel research / analysis / threat hunting tools, security tips and more.