If you’re looking to gain visibility into attacker activity with threat campaigns, you’ve got a few options. First, you can rely on time-stamping and Indicators of Behavior (IOBs). These methods used to identify known and unknown threats, but they aren’t as effective as threat campaigns.
Indicators of Behavior (IOBs)
If you’ve been searching for a way to detect malicious activities, then you’ve likely heard of Indicators of Behavior (IOBs) and Indicators of Compromise (IOCs). They are useful for detecting the early signs of attacks, and for identifying attackers’ path to a targeted system.
IOBs are often unique to a target. They show the trajectory of an attack and the tactics and techniques used by the attacker. They can also be useful to determine whether an attack is a replica of normal network activity.
Indicators of Compromise generated by enriched telemetry from a variety of data sources, including network devices and servers. This telemetry then processed in SIEM environments. The result is a list of IOBs that can export from a security tool and shared with other organizations. This provides a proactive means to identify and monitor attacks, and a more thorough set of data than IOCs.
Indicators of Compromise can express in machine readable formats that can quickly loaded into security devices. This is especially helpful for non-advanced actors.
Living off the Land (LotL) techniques
Living off the Land (LotL) is an attacker strategy that allows cyber criminals to use legitimate tools and functions while avoiding detection. This technique has become popular with nation-state targeted attack groups, but has also adopted by many other cyber criminals.
The main category of LotL attacks are fileless attacks. These attacks characterized by running shellcode directly in memory. Some of these attacks use tools that already installed on the target computer. These tools may have legitimate uses, such as running a backup program, but they can also use to download malware.
These tools often evade security measures, such as antivirus and firewalls. This is because they can run in trusted process memory space and fly under the radar. They can use to download and execute malware, or as backdoors.
These tools may be legitimate or unauthorized, but it is often difficult to tell the difference. The tool can either installed on the victim’s system, or it can be one that is only available to the attacker.
Time-stamping techniques
With the proliferation of ransomware activity, organizations need a reliable approach to tracking adversaries and their activity. One such approach involves time-stamping techniques. By leveraging this type of technology, recipients can verify the integrity of a document.
In many of these campaigns, the documents used to deliver the malicious payload hosted on legitimate web services. For example, they may host on Google Drive, Basecamp, or Sendgrid. However, the real purpose of the phishing document is to download malware binaries. The phishing document contains instructions to click on a link, which then launches the malicious payload.
In addition to the malicious payload, the phishing document includes additional links to other websites. The document also crafted to look like a generic corporate communication, such as a reply to a business call. It may even contain the recipient’s name in the subject line.
Using time-stamping techniques, recipients can verify the document’s authenticity after it has delivered. The process involves combining a hash of the original file with a trusted time stamp.
Blocking a novel threat
As security teams work to block a novel threat campaign, they often lack visibility into the tactics and techniques used by the attackers. However, with Mandiant’s Threat Campaigns feature, they can quickly stay abreast of the most active attacks.
With the ability to view a detailed timeline of the campaign, security teams can understand the attack lifecycle and identify key events and techniques. Analysts add comments to each event and explain its context. By gaining insight into the attacker’s activities, defense teams can prioritize their defensive actions and respond to threats more effectively.
The StellarParticle campaign, which tracked by CrowdStrike, leveraged a variety of malware families, and associated with the COZY BEAR adversary group. It also demonstrated a deep knowledge of Linux and Active Directory. As a result, the attackers were able to use decoys to obfuscate their attack surface and create persistence within the Office 365 environment.
The threat actor accessed several sensitive documents related to the victim’s products and services. They viewed vulnerabilities, internal business operations, points of contact, and product/service architecture. They used a VPN to connect to the victim’s network. In addition to accessing data, they attempted to log into the victim’s account using valid accounts without implementing MFA.
