Tailored Threat Modeling for Advanced Threat Actors

DEFINING ADVANCED THREAT ACTORS

When organizations are assessing cyber risks, it’s critical to understand the scope and scale of different threat actors. The most dangerous are groups classified as advanced threat actors. To understand that distinction, let’s take a look at APT10.

By any measure, the group known as APT10 (aka “Stone Panda,” aka “MenuPass,” aka “Red Apollo”) is an advanced threat actor. Active since at least 2009, the hacking group, based in the People’s Republic of China, has been linked to attacks on many top government agencies and companies in industries including defense, aerospace, and heavy industry.

What separates an advanced threat actor from an ordinary cybercriminal group or hacktivist collective? Surprisingly, it is not always the group’s technology. As GCHQ notes, “the targeting methods used (by APT10) are not highly sophisticated.” In most cases, APT10 relied on run-of-the-mill hacking tools, malware, and common administration utilities like PowerShell to establish and expand its presence on targeted networks.

What makes a group like APT10 an advanced threat actor has more to do with the sum of its actions, operations, and tools than with any one element or method of attack. The group’s resourcefulness, flexibility, precision, and patience in carrying out operations make it difficult to spot, and at times even harder to eradicate once a network has been compromised.

Understanding the modus operandi of a group like APT10—its tactics, techniques, and procedures (TTPs)—is necessary, but not sufficient to thwart damaging attacks. It is critical to understand how your organization is uniquely exposed to that threat actor in order to proactively address threats instead of reacting to them.

TRADITIONAL DEFENSES AREN’T ENOUGH

To respond to these more nimble, patient, and resourceful hackers, most organizations are left to choose among traditional forms of threat defense. These include perimeter-based defenses, like firewalls and email gateways, intrusion detection and prevention software, data leak prevention, and endpoint security tools.

Public accounts of APT10’s activities suggest why this castle-and-moat approach fails against advanced threat actors. Reports by PricewaterhouseCoopers and BAE Systems document that while the group used unsophisticated spear phishing attacks, it also carried out more sophisticated third-party attacks on managed service providers (MSPs), then leveraged its access to the compromised MSPs to gain trusted access to the ultimate target: the MSPs’ customers.

APT10 shows us why point-protection-based approaches and detect-and-block tools are inadequate to the task of stopping advanced threat actors. More and more, organizations are embracing a holistic approach to threat defense that encompasses protection from multi-vector attacks like those used by APT10.

Critical to holistic cyber defense is understanding the security of IT assets and data owned and managed by your organization, as well as those of your supply chain of third-party software and service providers, organization partners, current and former employees, and customers.

SOLUTION: TAILORED THREAT MODELING

What is the most effective response to these challenges? Organizations in the crosshairs of advanced persistent threat actors like APT10 need comprehensive and tailored threat models. A tailored threat model allows organizations to filter out background noise from the threat landscape, easing the burden on threat intelligence analysts. Tailored threat models are also dynamic, incorporating and correlating new information and making connections between new and existing threat intelligence that may highlight novel risks to an organization.

Components of a Tailored Enterprise Threat Model

Tailored threat models encompass several components. Among them:

High-Quality Threat Intelligence

At the center of any tailored threat model is high-quality threat intelligence that covers all credible threats facing an organization. For example, threat intelligence vendors including LookingGlass monitor for actor chatter in deep/dark web forums, domains produced by domain generation algorithms (DGAs) for use in cyber-attacks, and spoofed (typo-squatting) domains that may indicate a looming or ongoing attack.

Cyber-attack Frameworks

Robust threat models also rely on attack frameworks to put threat intelligence in context. Cyber-attack frameworks are the starting point for any threat model. They ensure that an organization’s threat intelligence work has consistency and points defenders toward the right response. Properly applied, cyber-attack frameworks convey many benefits including a consistent nomenclature, the application of a common format in the collection of threat information, and a way to link dependencies between the actions of adversaries and threat intelligence that is agnostic of any particular security or data collection tool or process.

Additional Elements of a Threat Model

Beyond threat intelligence and cyber-attack frameworks, a robust threat model should feature:

  • Information collections and reports: This is threat intelligence aggregation derived through ingesting large volumes of structured and unstructured data from internal sources, third-party threat intelligence providers, and open-source intelligence.
  • Threat actor profiles: These dynamic profiles identify known threat actors and adversaries. Threat actor profiles include descriptions of the group and any known members or other affiliations (e.g., nation-state, cyber-criminal, ideological/hacktivist). Additionally, threat actor profiles describe the group’s modus operandi, including typical targets and preferred TTPs.
  • Objects and indicators: These refer to the elements of inquiries and investigations. Objects might refer to suspicious files deposited by intruders or logged events associated with activities that are under investigation. Indicators are tags used to characterize objects as part of an inquiry and threat intelligence work.
  • Hypotheses and impact: Threat models drive analysts toward the creation of many competing hypotheses about the likelihood and effectiveness of different actors and attacks. They build on the output of the other components of the threat model by considering the capabilities of the adversary, its TTPs, and the capabilities of the targeted organization.

PROACTIVE CYBERSECURITY WITH scoutTHREAT

There is no shortage of threat platforms that support data collection, data sorting, and data storage at scale. Unfortunately, data aggregation alone is not enough. Security teams need tools that enable the tradecraft of threat intelligence work, including collaborative workbenches to support correlation and contextualization of threat actor capabilities, to enhance their effectiveness as analysts.

LookingGlass’ scoutTHREAT is a powerful threat intelligence platform engineered to aid analysts in several tasks critical to modern cyber threat intelligence work, including entity extraction and dissemination. The platform allows organizations to collect both structured and unstructured information in its original format. After documents are uploaded, their contents are parsed and indexed, so analysts can search across the content in its entirety. This also allows the configurable queries within each analyst’s workbench to run against the content, ensuring that areas of interest get eyes on them.

The platform allows indicators of compromise (IOCs) to be rapidly extracted from newly assimilated threat intelligence and correlated with existing data. scoutTHREAT has a structured data model that organizes information by sources, collections, and reports and allows analysts to attach levels of trust and veracity ratings both to each piece of information received and the sources from which it was received.

Most importantly, scoutTHREAT supports cyber intelligence analysts’ tradecraft from beginning to end, enabling analysts to manage and investigate data for multiple threat scenarios and actors collaboratively with workbenches and workflows.

TAILORED THREAT RESPONSE IN CONTEXT

The following sections describe how an investigation of APT10 might proceed using the scoutTHREAT modeling sequence:

Aggregate Threat Intelligence

The first step in an analysis of a cyber threat like APT10 is to collect any relevant threat intelligence. This would include TTPs that are characteristic of this group, information on malicious command and control networks, suspicious files, and links.

Apply Data to Attack Framework

Next, apply the aggregated threat intelligence to the attack framework that your organization is using. Referencing an attack framework will help you see where disparate items of threat intelligence might fit into an overarching attack or reconnaissance by threat actors.

Build a Threat Model Tailored to the Organization

At this stage, analysts begin to narrow their focus from the broader threat environment to those threat actors or scenarios that are most applicable to them. Using the aggregated threat intelligence and context from an attack framework, security analysts within the organization can build a threat model that is specific to their needs, connecting those pieces of threat intelligence to known TTPs, indicators of compromise, and other information specific to one or more threat actors.

Score Cyber Risks

Analysts use scoutTHREAT’s modeling features to score specific threats. Using the APT10 example, a concerned organization might conclude that several factors make that threat group a higher risk to them. Does the organization use an MSP that is known to have been targeted by APT10? Are there active VPN or RDP connections to that provider’s network? Have there been past or recent detections of known APT10 tools like the PlugX remote access trojan (RAT) on the organization’s network? Are there critical vulnerabilities in key systems on the network that an adversary like APT10 could detect and exploit?

Perform Gap Analysis of Threats

In the gap analysis phase, the organization determines which IT and security controls will be effective in mitigating the highest-ranked risks to emerge from the risk scoring phase. With a list of the most effective responses to the identified threat or threats, scarce IT resources can then be identified and directed to addressing those top-ranked risks.

Manage Risk and Introduce New Controls

In the final stage of threat modeling, steps are taken to mitigate the identified risks using existing controls or changes to process. New controls are proposed where gaps have been identified that pose a risk of compromise to the organization.
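Added example, not scoutTHREAT code or any LookingGlass method: a minimal Python model of the scoring, gap-analysis and risk-management steps above, driven by the exposure questions from the “Score Cyber Risks” step. The profile weights, question keys, control names and the organization’s answers are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ttp:
    """One technique in an actor profile, tied to the exposure question the
    'Score Cyber Risks' step asks and the controls that would mitigate it."""
    name: str
    severity: int                 # analyst-assigned weight, 1 (low) to 5 (high)
    exposure_question: str        # key in the organization's self-assessment
    mitigating_controls: tuple    # controls that would close the gap

# Constructed APT10 profile from the techniques the text names (spear phishing, MSP
# trusted access, PowerShell, PlugX); severities and control names are assumptions.
APT10_PROFILE = (
    Ttp("msp_trusted_access", 5, "uses_msp_targeted_by_apt10", ("msp_network_segmentation", "msp_account_mfa")),
    Ttp("provider_remote_access", 4, "active_vpn_or_rdp_to_provider", ("vpn_mfa", "rdp_source_allowlist")),
    Ttp("plugx_rat", 4, "prior_plugx_detection", ("edr_with_plugx_signatures", "c2_dns_sinkhole")),
    Ttp("powershell_abuse", 3, "powershell_unrestricted", ("powershell_script_block_logging", "constrained_language_mode")),
    Ttp("spear_phishing", 3, "no_phishing_resistant_auth", ("email_gateway_sandboxing", "phishing_resistant_mfa")),
    Ttp("critical_vuln_exploitation", 5, "unpatched_critical_vulns", ("patch_sla_enforcement",)),
)

def score_risks(profile, exposure, controls):
    """Residual risk per TTP: severity scaled by the share of mitigating controls
    the organization lacks; 0 when the exposure question is answered 'no'."""
    risks = {}
    for ttp in profile:
        if not exposure.get(ttp.exposure_question, False):
            risks[ttp.name] = 0.0
            continue
        missing = [c for c in ttp.mitigating_controls if c not in controls]
        risks[ttp.name] = ttp.severity * len(missing) / len(ttp.mitigating_controls)
    return risks

def gap_analysis(profile, exposure, controls):
    """Controls to introduce, ranked by the residual risk they would reduce
    (the 'Perform Gap Analysis' and 'Manage Risk' steps)."""
    risks = score_risks(profile, exposure, controls)
    gaps = [(risks[t.name], t.name, [c for c in t.mitigating_controls if c not in controls])
            for t in profile if risks[t.name] > 0]
    return sorted(gaps, key=lambda g: g[0], reverse=True)   # stable: ties keep profile order

# Constructed self-assessment for a hypothetical organization.
EXPOSURE = {"uses_msp_targeted_by_apt10": True, "active_vpn_or_rdp_to_provider": True, "prior_plugx_detection": False,
            "powershell_unrestricted": True, "no_phishing_resistant_auth": True, "unpatched_critical_vulns": True}
CONTROLS = {"vpn_mfa", "powershell_script_block_logging", "email_gateway_sandboxing"}

if __name__ == "__main__":
    for risk, ttp, missing in gap_analysis(APT10_PROFILE, EXPOSURE, CONTROLS):
        print(f"{risk:4.1f}  {ttp:28s} add: {', '.join(missing)}")
```

Re-running the model after a control is introduced (adding it to CONTROLS) shows the residual risk falling, which is how the “dynamic” updating described above can be tracked over time.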

CONCLUSION

Keeping advanced threat actors like APT10 at bay requires companies to establish a proactive cyber threat analysis capability and to develop tailored threat models that account for their IT and data assets, employees, customers, partners, and supply chain. Threat modeling mirrors other kinds of intelligence work: using information to develop hypotheses and then assertions about what is likely to happen, based on an impartial assessment of quality threat intelligence. Finally, cyber threat models need to be continually updated with new threat intelligence and other information.

scoutTHREAT is uniquely capable of supporting such work. The robust platform acts as a tool where teams of cyber threat intelligence analysts can collaborate and share information, amplifying and focusing their efforts to identify and thwart cybersecurity threats facing an organization.

To learn more about scoutTHREAT and how it can accelerate the work of your threat analysts while covering the entire cyber threat lifecycle, contact LookingGlass at info@lookingglasscyber.com.

RESHAPING ADVERSARY ENGAGEMENT

LookingGlass addresses cybersecurity challenges head on, empowering organizations to meet their missions with tailored, actionable threat intelligence and active defense capabilities delivered at machine speed. With foundational solutions that provide effective, dynamic functionality, LookingGlass helps the private and public sectors enhance their cyber mission performance while transforming their cybersecurity missions and operations.

Learn more at http://www.LookingGlassCyber.com/.