Untying the anchor: countering unconscious bias in threat intelligence analysis
Presentation by Rachel Mullan & Jason Smart
January 2019
PwC
SANS Cyber Threat Intelligence Summit 2019 Jan 2019
Who is speaking today…
Jason Smart, Technical Threat Intelligence Lead, @pewpew_lazors
Rachel Mullan, Strategic Threat Intelligence Lead, @jaded_muse
Bias
Predisposition to a certain judgement; a mental error.

Intellectual bias - making decisions based on what you know or what you do, e.g. from your work, or what you've studied.
Cognitive bias - simplification of thought processes; predictable and consistent, e.g. relying heavily on one piece of information.
Emotional bias - making decisions based on feelings, e.g. your experiences or your interactions (often from the past).
Bias in action
Community sees the Grizzly Steppe report in a Word doc with an embedded macro: must be APT…
Turns out to be a simulated attack.
#GrizzlySteppe report now used as decoy for the malicious document: Virustotal.com/en/file/eb157e ….
Our bias wanted this to be something more interesting than it actually was.
“Surge” capability can be defined very broadly, including the ability to: move resources quickly to address immediate, usually ad hoc, needs; augment existing capabilities from outside the IC; and, improve responsiveness of resources by building more flexible options for collection.
Surge in practice
1. Determine objective/focus - what topic did you need to look into in more detail? What question do you need answered?
2. Identify resources and current knowledge - work out who will take part and pull together what knowledge/intelligence you currently have.
3. Agree on analytical techniques to apply throughout the boxed time period - what structures will you put in place to explore your analysis and avoid bias?
4. Conduct research & analysis - assign tasks, look for new data.
5. Evaluate findings - what have you added to your knowledge base, what collection gaps have you filled?
Lazarus, Bluenoroff and Andariel oh my!
Last surge of 2018: North Korea-based threat actors.

Group / activity                                      Motive
Lazarus – Shared code base
  Operation Troy                                      Espionage
  Blockbuster/Red Dot                                 Espionage, Sabotage
  DarkSeoul                                           Sabotage
  Bluenoroff                                          Economic
  BlackMine/BmDoor/Early Andariel                     Espionage
Andariel
  Rifle/Ghost Rifle                                   Espionage, Economic
  Phandoor/Phantomn Ghost                             Espionage
Other
  Kimsuky                                             Espionage, Sabotage
  Sanny/Syscon/Konni                                  Espionage
  Scarcruft: Erebus, FreeMilk, RokRat, N1st, Reaper   Espionage, Sabotage
Source: Chris Doman https://twitter.com/chrisdoman/status/960173931696140291
Surge example - SWOT: Lazarus Group
Strengths
● Well-structured training for cyber/tech capability.
● Cultural and language barrier make outside assessments difficult.
● Update malware regularly - adapt to system patches; difficult to track with rules.
Weaknesses
● Lack funding; may compete with other departments.
● Objectives may be volatile due to regime.
● Operators may not be motivated; potential for defectors.
● Limited infrastructure available - i.e. potential for sanctions to limit hardware etc.
Opportunities
● Adopt an asymmetric warfare doctrine to specifically target the vulnerabilities of opponents.
● Minimal repercussions from international community if it gets caught - cyber is seen as a low-risk attack vector.
● Can use cyber capabilities to influence international relations.
Threats
● Potential for other countries to increase cyber operations against them.
● Restrictions on movement of citizens limits access to external resources.
● Embargoes restrict access to resources.
Lazarus Group - Ten Days of Rain (2011)
Source Data - Ten Days of Rain, McAfee
Adversary
● Black Artemis / Lazarus Group
Capability
● DDoS bots
● C2 client
● DDoS component
● Self-destruct wiper code
● Same suicide script as KiloAlfa (detailed in Operation Blockbuster)
Infrastructure
● Multi-tiered servers
● Infected bots
Victim
● South Korean Government
● South Korean Financial Services
● South Korean Military
● South Korean Corporate Sector
● U.S. Military
BlueNoroff - Under the hood (2016)
Source Data - Lazarus Under the Hood, Kaspersky
Adversary
● Black Artemis / BlueNoroff
Capability
● Backdoors (passive and active) similar to Romeo families.
● Proxy modules similar to PapaAlfa.
● Same RC4 keys as previous Lazarus malware.
● 0xAABBCCDD marker (also used by Manuscrypt 2018).
● Dynamic API loading.
● Similar loader modules.
● SWIFT modules.
● Trojan-Banker.Win32.Alreay (same as Incident 2).
Infrastructure
● TCP tunneling throughout infected network.
● Favoured ports ending in 443.
Victim
● South East Asian Bank
● Strong connection to Bank of Bangladesh Heist
Lazarus Group - Modern Manuscrypt (2018)
Source Data - CTO-TIB-20181109-02A - Modern Manuscrypt
Adversary
● Black Artemis / Lazarus Group
Capability
● Shellcode
● HWP
● CVE-2017-8291
● Manuscrypt/Bankshot
● 0xAABBCCDD marker (as with Lazarus Under the Hood)
Infrastructure
● flydashi[.]com
● as-brant[.]ru
● danagloverinteriors[.]com
● theinspectionconsultant[.]com
Victim
● South Korean technology companies
Surge example - ACH
Evidence / Credibility                                              H1 H2 H3 H4 H5 H6 H7
Code reuse for Black Artemis developed malware among many Black Artemis attributed intrusions
  High                                                              I  I  C  I  C  C  N
Custom malware tooling to interact with financial systems (e.g. SWIFT malware modules that inject into SWIFT server processes, and FASTCash modules to allow fraudulent messages)
  High                                                              I  C  N  N  N  C  N
We have observed Black Artemis attributed malware being used for both espionage and financial purposes (Modern Manuscrypt)
  High                                                              N  I  C  I  C  N  N
There has been an observed significant increase in financially focused intrusions from 2015 onwards by Black Artemis
  High                                                              I  C  N  N  N  C  N
Focused espionage targeting (mainly South Korea)
  Medium                                                            N  N  N  N  N  N  N
Broad financial targeting
  High                                                              N  N  N  N  N  N  N
Destructive malware initially was targeted at South Korea, but more recently WannaCry did not have any specific targeting
  Low                                                               N  N  N  N  N  N  N
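The scoring step that an ACH matrix like the one above feeds into, as an added example (this is not the presenters' code or tooling, and the slide does not show how the matrix was scored). It assumes the usual ACH reading of the codes, C = consistent, I = inconsistent, N = neutral/not applicable, and assumes credibility weights of High = 3, Medium = 2, Low = 1; the hypothesis wording is not on the page, so only the labels H1..H7 are used, and the evidence descriptions are shortened transcriptions of the rows above. Following Heuer's rule, it totals the weighted evidence against each hypothesis (lower is better), flags rows that rate every hypothesis the same and therefore cannot discriminate, and counts how much evidence actually bears on each hypothesis so that a score of zero earned by silence is not mistaken for support:

```python
"""Weighted Analysis of Competing Hypotheses (ACH) scoring over the slide's matrix."""
from typing import Dict, List

# Constructed transcription of the page's ACH matrix. Hypothesis labels H1..H7
# are as on the slide; their wording is not given on the page.
# Rating codes use the usual ACH convention (an assumption for this example):
#   C = consistent with the hypothesis, I = inconsistent, N = neutral / not applicable.
ACH_MATRIX = [
    # (evidence id, shortened description, credibility, ratings for H1..H7)
    ("E1", "Code reuse across Black Artemis attributed intrusions",          "High",   "IICICCN"),
    ("E2", "Custom tooling for financial systems (SWIFT, FASTCash)",         "High",   "ICNNNCN"),
    ("E3", "Same malware used for espionage and financial purposes",         "High",   "NICICNN"),
    ("E4", "Significant rise in financially focused intrusions from 2015",   "High",   "ICNNNCN"),
    ("E5", "Focused espionage targeting (mainly South Korea)",               "Medium", "NNNNNNN"),
    ("E6", "Broad financial targeting",                                      "High",   "NNNNNNN"),
    ("E7", "Destructive malware targeted, then WannaCry untargeted",         "Low",    "NNNNNNN"),
]
HYPOTHESES = [f"H{i}" for i in range(1, 8)]

# Credibility weights are an assumption for this example, not values from the page.
CREDIBILITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


def validate(matrix=ACH_MATRIX) -> None:
    """Reject malformed rows before scoring (wrong rating count, unknown code or credibility)."""
    for eid, _, cred, ratings in matrix:
        if len(ratings) != len(HYPOTHESES):
            raise ValueError(f"{eid}: expected {len(HYPOTHESES)} ratings, got {len(ratings)}")
        if set(ratings) - {"C", "I", "N"}:
            raise ValueError(f"{eid}: unknown rating code in {ratings!r}")
        if cred not in CREDIBILITY_WEIGHT:
            raise ValueError(f"{eid}: unknown credibility {cred!r}")


def inconsistency_scores(matrix=ACH_MATRIX) -> Dict[str, int]:
    """Heuer's ACH rule: sum the credibility-weighted 'I' ratings per hypothesis.
    Lower is better; ACH looks for the hypothesis with the least evidence against it."""
    validate(matrix)
    scores = {h: 0 for h in HYPOTHESES}
    for _, _, cred, ratings in matrix:
        for h, r in zip(HYPOTHESES, ratings):
            if r == "I":
                scores[h] += CREDIBILITY_WEIGHT[cred]
    return scores


def non_diagnostic_evidence(matrix=ACH_MATRIX) -> List[str]:
    """Evidence rated identically for every hypothesis cannot tell them apart."""
    return [eid for eid, _, _, ratings in matrix if len(set(ratings)) == 1]


def evidence_bearing(matrix=ACH_MATRIX) -> Dict[str, int]:
    """Count evidence items that say something (C or I) about each hypothesis.
    Zero inconsistencies backed by zero bearing evidence is a collection gap, not support."""
    bearing = {h: 0 for h in HYPOTHESES}
    for _, _, _, ratings in matrix:
        for h, r in zip(HYPOTHESES, ratings):
            if r != "N":
                bearing[h] += 1
    return bearing


def ranked_hypotheses(matrix=ACH_MATRIX) -> List[str]:
    """Least-refuted hypotheses first; ties broken in favour of those more evidence bears on."""
    scores = inconsistency_scores(matrix)
    bearing = evidence_bearing(matrix)
    return sorted(HYPOTHESES, key=lambda h: (scores[h], -bearing[h]))


if __name__ == "__main__":
    scores, bearing = inconsistency_scores(), evidence_bearing()
    for h in ranked_hypotheses():
        print(f"{h}: weighted inconsistency {scores[h]}, bearing evidence {bearing[h]}")
    print("non-diagnostic rows:", non_diagnostic_evidence())
```

On the slide's matrix, H1 carries the most weighted evidence against it and H7 carries none, but H7 is also touched by no evidence at all, so its clean score says nothing; the bearing count is what separates "unrefuted" from "uninvestigated". The three all-N rows (E5, E6, E7) add nothing to the comparison and are the first candidates for the collection gaps that step 5 of the surge asks about.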
How did we go?
● ACH says same group but sub-teams with different targeting requirements.
● Yes, and we were collecting samples, we just hadn't investigated or attributed the activity.
● Likely yes - our SWOT analysis would suggest a common tasking, and there are overlapping targets/objectives observed.
● Three motives observed: Espionage, Crime, and Sabotage.
● Some overlap in the Lazarus Group, not so much elsewhere.
● Our most ambitious question! Likely a rigid hierarchy, with tasking coordinated between groups. But without SIGINT/HUMINT, unlikely we can attribute this deep.
Practical benefits
• Knowledge sharing including breaking down silos
• Better collection
• Increased understanding of the threat actor
• Enhanced skills
pwc.com
Thank you
This content is for general information purposes only, and should not be used as a substitute for
consultation with professional advisors.
© 2019 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm,
and may sometimes refer to the PwC network. Each member firm is a separate legal entity.
Please see www.pwc.com/structure for further details.