Threat Sequencing from the Darkside
Threat actors constantly discover new methods to evade security controls and distribute malicious content, and this will always remain the case. An important lesson learned from many years in the field is to take notes on anything and everything related to threats. This entails keeping historical notes, tracking and predicting trends, identifying anomalies, and clustering accessible data to make better-informed decisions and provide the most accurate reporting. Areas of focus for particular value are identifying elements related to tactics, techniques and procedures (TTPs) that adversaries use when carrying out these attacks.
A Winning Analytical Approach: Threat Sequencing
It’s generally helpful to take note of sequences when analyzing a threat, which includes mapping out the threat’s components and how they reached the intended target. Studying the threat sequence and comparing it with historical threats that used similar tactics provides critical insight into upstream sources and the potential origin of the attack. By studying a more complete threat sequence, we can gather top-tier intelligence and disseminate it to the appropriate stakeholders. This intelligence, detailing every step of the threat sequence, tells a complete story and allows non-practitioners to understand the risks within their own network and allocate available resources to cover any gaps found.
It may sound obvious at first that this approach is important and worthy of distinct focus. One problem that defenders can run into is that attack telemetry arriving from sensors is often delivered in the form of an event stream, and in many cases this can present two challenges:
- Depending on when and where the event is captured, events may arrive and be presented out of order.
- There is often no indication in event-based log streams which event or artifact directly preceded, followed, or initiated another event or artifact. That is to say, there is no attribution in the sequence of events.
One aspect that is often overlooked, yet is a crucial data point, is documenting a full threat sequence, with as much detail captured as possible for every step of an attack. A threat sequence starts with initial access, a way to deliver content to potential victims to kick off the next stages of an attack. Initial access can take many forms and arrive via different avenues; email remains, by and large, one of the most common methods, past and present. Commodity threat distributors often send regular email blasts containing either malicious attachments or links to remote locations where the next stage of the threat can be retrieved and executed. These usually appear as coercive messages that are consistent with the content the targeted user would regularly find in their inbox. Seasonal and occasional lures are also common, blending in with similar messages sent by legitimate marketing and advertising sources. All of these elements blend specific attacker tradecraft with aspects of legitimate infrastructure in an attempt to minimize suspicious indicators, increasing the success rate of the initial access attempt.
The collection of information, upon dissemination, helps to determine the beginning and end of a complete threat sequence that ultimately results in the delivery of malicious files, answering the question “how did this malware get here in the first place?”. Most would start this journey “right of boom”, or following the post-exploit string of events after the malware is delivered and executed. From there, a team would commence triage and assess the impact on organizational operations. For research and proactive prevention purposes, one could start in the opposite direction and work “left of boom,” following the string of events pre-exploit, tracking phases such as weaponization and delivery, leading as close to the initial source as possible. This focus on preliminary phases in the attack sequence, those leading up to the moment of initial access, enables defenders to observe and study patterns and commonalities within each component utilized to deliver the payload. This focus provides insight on tools and TTPs used by the threat actor to evade detection at every step prior to malware delivery on the targeted system.
An example of an analysis template that the InQuest team often uses when documenting and reconstructing the phases of an email-based threat sequence is shown here:
Within each step of the sequence, taking extensive notes and providing detailed analysis will begin to reveal the story of the threat delivery. It’s helpful to pinpoint the elements that relate to techniques the adversary utilizes along the way, as well as anything that is an identifiable element of infrastructure, malware, or tooling utilized by the adversary as they stage the attack. These are the elements that can lead to the development of countermeasures as well as threat indicators, enabling targets to detect and block their use in future attacks. The template provides an approach to documenting and linking observations together relative to each other, showing how each observable artifact occurs and unfolds relative to the next. This is helpful in the modern threat landscape, given that attackers commonly use complex, evasive file-based threats to armor their malware, complicate analysis, and evade detection. For this email example, including any interesting finds from the email headers and email body is a good start; it’s helpful to step through each section and pull out the information that is most important to organizational objectives and areas of interest. Working through each subsequent step of the delivery sequence until we reach the payload identifies the actions and events in between. Once this is completed we can stand back and see the big picture with all of the pieces on the board: a brief but technical report that tells a tale about our adversary.
We can explore some example cases where we utilize this threat sequencing at InQuest to begin to document and understand attacker tradecraft. One particularly valid reason we find this beneficial is what we mentioned earlier – modern day adversaries understand and exploit the fact that complex, evasive multilayer file formats are the key to bypassing defensive controls and evading detection. We documented several cases of this tradecraft utilized by active nation state threat groups in Anticipating File-Borne Threats: How Deep File Inspection Technology Will Shape the Future of Cyber Defense.
Simple, File-based Threat Sequence
A sample of a high level threat sequence from that report is the following, documenting a multilayer file-based attack flow by the North Korean threat group APT38:
An analysis of the attack featuring this threat sequence is documented in detail by JPCERT/CC. By laying out the attack sequence in terms of file-based tradecraft and clearly structuring the sequence of operations, this reporting helps analysts comprehend the complexity of this multi-stage attack and pinpoint opportunities to extract intelligence, deploy countermeasures, and identify future occurrences of this and similar attacks. At InQuest, this reinforces the importance of several of our focus areas:
- Email content analysis with a focus on embedded links and attachments.
- Use of RAR archive types, including commonly weaponized file members (CHM, in this case).
- Ongoing and continued abuse of compiled HTML help (CHM) files, popular due to their evasive qualities.
- Analysis of MSI files, used to package and execute other malicious content.
- Deobfuscation, analysis and detection of Windows-based scripting interpreter language files such as PowerShell and JScript.
- Extraction of threat indicators and attacker infrastructure from the file components present at each step in the sequence.
Another very effective example of the value of this kind of threat sequencing is when dealing with the problem domain of web-based threats, particularly those involving malware spread and client-side attacks featuring malicious traffic distribution. To understand the criticality of this analysis method in this space, it’s useful to understand the role that traffic distribution plays in today’s threat sequences. At one point in time, web-based attacks were simplistic, often involving direct URL links to a single malicious resource such as a hosted file. As controls such as blocklisting, reputation tracking and content filtering became more commonplace, more complex schemes became popular with adversaries. Over the last 15 years, it has become common to see web traffic acquisition adopted as a service model, with traffic stolen, sold or traded by dedicated adversaries, and similarly complex multilayer attack schemes have emerged; it is now commonplace to see malicious traffic routed and redirected through a resilient series of hops. These traffic distribution routes may consist of a blend of legitimate systems such as compromised websites or online advertisers, traffic brokers that focus on filtering and optimization, and malicious infrastructure such as redirectors, traffic distribution systems (TDS) and social engineering landing pages.
Complex Malicious Traffic Distribution
Here’s an example of an older occurrence of a client-side attack using a complex malicious traffic distribution scheme as described above (URLs truncated for clarity). In this traffic sequence, a keyword search from a search engine directed traffic to a landing page serving low-quality advertising inventory, which resulted in subsequent redirection to an attacker’s redirector infrastructure served via Keitaro TDS. The ultimate payload of this scheme was determined to be malware distribution via drive-by download using the Rig exploit kit:
Above, traffic redirections are indicated with increasing indent, showing the ordering and progression of client requests. Additional notes provide context on the redirection mechanism used at each stage. The ordering provides clarity in the form of attribution of which resource leads to another, enabling an analyst to trace an attack through several hops. A few brief notes can help capture the details of the redirection types utilized, including identification of characteristic Keitaro TDS payloads (using HTTP 302 redirects with identifiable cookie names):
Resolutions of associated infrastructure were performed:
While this is an older, historical example, the principles and approach hold true for analysis of similar web-based threats today. This is no surprise, considering that many of the same techniques remain valid and are likely to do so going into the future. The combination of laying out an ordered attack sequence for this web-based campaign coupled with identifying infrastructure context enabled structured analysis of the infrastructure involved in the attack, providing clear points of delineation to aid in identification of the origin of traffic, and demarcations to identify landing pages and ad networks separate from attacker owned and operated infrastructure.
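The two telemetry problems raised earlier (events arriving out of order, and no attribution between one event and the next) and the indented request chain used for the web-based example above can be worked through in code. The following is an added example, not part of the original post or InQuest tooling; it uses constructed proxy-style events with hypothetical hosts and a made-up cookie name, re-sorts them by capture time, attributes each request to the 3xx Location or Referer that caused it, and renders the chain with increasing indent per hop.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Event:
    ts: float             # capture time; sensors may deliver these out of order
    url: str              # requested URL
    status: int           # HTTP response status
    referer: str = ""     # Referer header on the request, if any
    location: str = ""    # Location header on a 3xx response, if any
    set_cookie: str = ""  # cookie name set by the response, if any

def find_parent(ordered: List[Event], i: int) -> Tuple[Optional[int], str]:
    """Attribute ordered[i] to the earlier event that caused it: a 3xx whose
    Location matches this URL (server-side redirect) wins over a Referer match
    (client-side hop such as a link, script or meta refresh)."""
    cur = ordered[i]
    for j in range(i - 1, -1, -1):
        prev = ordered[j]
        if 300 <= prev.status < 400 and prev.location == cur.url:
            how = f"{prev.status} redirect"
            if prev.set_cookie:  # characteristic TDS cookie names are worth recording
                how += f", cookie {prev.set_cookie}"
            return j, how
    for j in range(i - 1, -1, -1):
        if cur.referer and ordered[j].url == cur.referer:
            return j, "referer"
    return None, "origin"

def sequence(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (depth, url, mechanism) rows in causal order; depth = hops from origin."""
    ordered = sorted(events, key=lambda e: e.ts)  # repair out-of-order arrival first
    depth: List[int] = []
    rows: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(ordered):
        parent, how = find_parent(ordered, i)
        depth.append(0 if parent is None else depth[parent] + 1)
        rows.append((depth[-1], ev.url, how))
    return rows

def render(rows: List[Tuple[int, str, str]]) -> str:
    """Increasing indent per hop, as in the analysis notes above."""
    return "\n".join(f"{'    ' * d}{u}  [{how}]" for d, u, how in rows)

# Constructed sample stream (hypothetical hosts), deliberately out of order.
EVENTS = [
    Event(12.0, "http://tds.example/go", 302, referer="http://ads.example/landing",
          location="http://lp.example/ek", set_cookie="tdsid"),
    Event(10.0, "http://search.example/?q=term", 200),
    Event(13.0, "http://lp.example/ek", 200),
    Event(11.0, "http://ads.example/landing", 200, referer="http://search.example/?q=term"),
]
```

Running `print(render(sequence(EVENTS)))` yields the four hops from the search origin to the landing page, with the 302 hop annotated with the cookie name set by the redirector.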
Value of Threat Sequence Analysis
While cyber intrusions remain an effective means of attaining objectives for attackers, be they targeted threat groups operating for geopolitical gain or criminal groups seeking to increase financial earnings, security analysts will be busy analyzing attacks. This is unlikely to change in the foreseeable future, but what is sure to change is the increased adoption of complex, multistage attack chains. In this post we reviewed the importance of analyzing these stages as ordered sequences to produce stronger intelligence assessments and build the means to cluster adversary activity based on patterns in these sequences. Whether to aid prioritization of specific techniques used in file-based tradecraft, or to enable better tracking and attribution of request sequences in web-based malware distribution campaigns, a focus on in-depth analysis of the steps in the technical elements of an attack remains effective across broad categories of attack.