Untying the anchor: countering unconscious bias in threat intelligence analysis

Presentation by Rachel Mullan & Jason Smart

January 2019

PwC

SANS Cyber Threat Intelligence Summit 2019, Jan 2019

Who is speaking today…

Jason Smart - Technical Threat Intelligence Lead - [email protected] - @pewpew_lazors

Rachel Mullan - Strategic Threat Intelligence Lead - [email protected] - @jaded_muse

Bias

Predisposition to a certain judgement; a mental error.

Intellectual bias - making decisions based on what you know or what you do, e.g. from your work, or what you've studied.

Cognitive bias - simplification of thought processes, predictable and consistent, e.g. relying heavily on one piece of information.

Emotional bias - making decisions based on feelings, e.g. your experiences or your interactions (often from the past).

An example of bias

Community sees the Grizzly Steppe report in a Word doc with an embedded macro: must be APT…

Turns out to be a simulated attack.

Our bias wanted this to be something more interesting than it actually was.

Bias in action

#GrizzlySteppe report now used as decoy for the malicious document: Virustotal.com/en/file/eb157e ….

Anchoring

"Surge" capability can be defined very broadly, including the ability to: move resources quickly to address immediate, usually ad hoc, needs; augment existing capabilities from outside the IC; and improve responsiveness of resources by building more flexible options for collection.

Surge in practice

1. Determine objective/focus - what topic did you need to look into in more detail? What question do you need answered?

2. Identify resources and current knowledge - work out who will take part and pull together what knowledge/intelligence you currently have.

3. Agree on analytical techniques to apply throughout the boxed time period - what structures will you put in place to explore your analysis and avoid bias?

4. Conduct research & analysis - assign tasks, look for new data.

5. Evaluate findings - what have you added to your knowledge base, what collection gaps have you filled?

Untying the anchor

Lazarus, Bluenoroff and Andariel oh my!

Last surge of 2018: North Korea-based threat actors.

Lazarus – shared code base
  Operation Troy: Espionage
  Blockbuster/Red Dot: Espionage, Sabotage
  DarkSeoul: Sabotage
  Bluenoroff: Economic
  BlackMine/BmDoor/Early Andariel: Espionage

Andariel
  Rifle/Ghost Rifle: Espionage, Economic
  Phandoor/Phantomn Ghost: Espionage

Other
  Kimsuky: Espionage, Sabotage
  Sanny/Syscon/Konni: Espionage
  Scarcruft - Erebus, FreeMilk, RokRat, N1st, Reaper: Espionage, Sabotage

Source: Chris Doman https://twitter.com/chrisdoman/status/960173931696140291

Surge example - SWOT: Lazarus Group

Strengths

● Well-structured training for cyber/tech capability.
● Cultural and language barrier make outside assessments difficult.
● Update malware regularly - adapt to system patches; difficult to track with rules.

Weaknesses

● Lack funding; may compete with other departments.
● Objectives may be volatile due to regime.
● Operators may not be motivated; potential for defectors.
● Limited infrastructure available - i.e. potential for sanctions to limit hardware etc.

Opportunities

● Adopt an asymmetric warfare doctrine to specifically target the vulnerabilities of opponents.
● Minimal repercussions from the international community if it gets caught - cyber is seen as a low-risk attack vector.
● Can use cyber capabilities to influence international relations.

Threats

● Potential for other countries to increase cyber operations against them.
● Restrictions on movement of citizens limit access to external resources.
● Embargoes restrict access to resources.

Lazarus Group - Ten Days of Rain (2011)

Source Data - Ten Days of Rain, McAfee

Adversary: Black Artemis / Lazarus Group

Capability: DDoS bots; C2 client; DDoS component; self-destruct wiper code; same suicide script as KiloAlfa (detailed in Operation Blockbuster).

Infrastructure: Multi-tiered servers; infected bots.

Victim: South Korean Government; South Korean Financial Services; South Korean Military; South Korean Corporate Sector; U.S. Military.

BlueNoroff - Under the hood (2016)

Source Data - Lazarus Under the Hood, Kaspersky

Adversary: Black Artemis / BlueNoroff

Capability: Backdoors (passive and active) similar to Romeo families; proxy modules similar to PapaAlfa; same RC4 keys as previous Lazarus malware; 0xAABBCCDD marker (also used by Manuscrypt 2018); dynamic API loading; similar loader modules; SWIFT modules; Trojan-Banker.Win32.Alreay (same as Incident 2).

Infrastructure: TCP tunneling throughout the infected network; favoured ports ending in 443.

Victim: South East Asian bank; strong connection to the Bank of Bangladesh heist.

Lazarus Group - Modern Manuscrypt (2018)

Source Data - CTO-TIB-20181109-02A - Modern Manuscrypt

Adversary: Black Artemis / Lazarus Group

Capability: Shellcode; HWP; CVE-2017-8291; Manuscrypt/Bankshot; 0xAABBCCDD marker (as with Lazarus Under the Hood).

Infrastructure: flydashi[.]com; as-brant[.]ru; danagloverinteriors[.]com; theinspectionconsultant[.]com.

Victim: South Korean technology companies.

Surge example - ACH

Evidence (credibility) - ratings for H1 H2 H3 H4 H5 H6 H7:

Code reuse for Black Artemis developed malware among many Black Artemis attributed intrusions (High) - I I C I C C N

Custom malware tooling to interact with financial systems (e.g. SWIFT malware modules that inject into SWIFT server processes, and FASTCash modules to allow fraudulent messages) (High) - I C N N N C N

We have observed Black Artemis attributed malware being used for both espionage and financial purposes (Modern Manuscrypt) (High) - N I C I C N N

There has been an observed significant increase in financially focused intrusions from 2015 onwards by Black Artemis (High) - I C N N N C N

Focused espionage targeting (mainly South Korea) (Medium) - N N N N N N N

Broad financial targeting (High) - N N N N N N N

Destructive malware initially was targeted at South Korea, but more recently WannaCry did not have any specific targeting (Low) - N N N N N N N
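The matrix above scored the way ACH intends, as an added example that is not part of the deck: each hypothesis is ranked by how much credible evidence contradicts it, not by how much supports it. The evidence rows and the H1 to H7 ratings are transcribed from the slide (the slide does not name the hypotheses); the C/I/N reading of the letters, the numeric credibility weights and the scoring rule are assumptions of this example.

```python
# Added example, not from the PwC deck: scoring the ACH matrix above.
# Evidence rows and the H1..H7 ratings are transcribed from the slide;
# the numeric credibility weights and the scoring rule are assumptions.
# Ratings use the usual ACH letters: C = consistent, I = inconsistent,
# N = neutral / not applicable.

HYPOTHESES = ["H1", "H2", "H3", "H4", "H5", "H6", "H7"]

# (evidence, credibility, ratings for H1..H7 in order)
EVIDENCE = [
    ("Code reuse across Black Artemis attributed intrusions", "High", "IICICCN"),
    ("Custom tooling for financial systems (SWIFT, FASTCash)", "High", "ICNNNCN"),
    ("Same malware used for espionage and finance (Manuscrypt)", "High", "NICICNN"),
    ("Rise in financially focused intrusions from 2015", "High", "ICNNNCN"),
    ("Focused espionage targeting (mainly South Korea)", "Medium", "NNNNNNN"),
    ("Broad financial targeting", "High", "NNNNNNN"),
    ("Destructive malware: South Korea first, WannaCry untargeted", "Low", "NNNNNNN"),
]

# Assumed weights: an inconsistency with high-credibility evidence counts more.
WEIGHTS = {"High": 3, "Medium": 2, "Low": 1}


def inconsistency_scores(evidence=EVIDENCE, weights=WEIGHTS):
    """Credibility-weighted count of 'I' ratings per hypothesis.
    ACH ranks on inconsistency, not support: the hypothesis with the least
    evidence against it survives, however much seems to confirm a favourite
    (which is exactly what anchoring makes an analyst over-count)."""
    scores = {h: 0 for h in HYPOTHESES}
    for _desc, cred, ratings in evidence:
        if len(ratings) != len(HYPOTHESES):
            raise ValueError("one rating per hypothesis is required")
        for h, rating in zip(HYPOTHESES, ratings):
            if rating == "I":
                scores[h] += weights[cred]
    return scores


def diagnostic_evidence(evidence=EVIDENCE):
    """Rows that rate at least one hypothesis differently from the others.
    A row that is 'N' for every hypothesis (three of the seven above) does
    not discriminate between them; a matrix full of such rows is a
    collection gap to fill in the next surge, not a finding."""
    return [desc for desc, _cred, ratings in evidence if len(set(ratings)) > 1]


def ranked(evidence=EVIDENCE, weights=WEIGHTS):
    """Hypotheses from least to most inconsistent (ties broken by name)."""
    scores = inconsistency_scores(evidence, weights)
    return sorted(HYPOTHESES, key=lambda h: (scores[h], h))
```

With the slide's ratings, H3, H5, H6 and H7 carry no inconsistencies at all, which is the cue to go looking for evidence that separates them rather than to pick the one that feels right.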

Outcomes

How did we go?

● ACH says same group but sub-teams with different targeting requirements.
● Yes, and we were collecting samples, we just hadn't investigated or attributed the activity.
● Likely yes - our SWOT analysis would suggest a common tasking, and there are overlapping targets/objectives observed.
● Three motives observed: Espionage, Crime, and Sabotage.
● Some overlap in the Lazarus Group, not so much elsewhere.
● Our most ambitious question! Likely a rigid hierarchy, with tasking coordinated between groups. But without SIGINT/HUMINT, unlikely we can attribute this deep.

Bonus Outcomes

Practical benefits

• Knowledge sharing including breaking down silos
• Better collection
• Increased understanding of the threat actor
• Enhanced skills

Thank you

pwc.com

© 2019 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.