Science of Security: Cyber Ecosystem Attack Analysis Methodology


Page 1: Science of Security: Cyber Ecosystem Attack Analysis Methodology

www.securitytodayinfo.com

November 18 & 19, 2014, Gaylord Texan, Grapevine, TX

Science of Security: Cyber Intelligence Analysis

Shawn Riley, Executive Vice President, CSCSS Americas

Page 2

About Me

• Attack Analysis Scientist, Multisource Cyber Intelligence Analyst, & Sci-Fi Geek
• Veteran – US Navy Cryptology Community
• Former Lockheed Martin Senior Fellow
• Former member, UK Cybercrime Experts Working Group (UK Govt CSOC / OCSIA)

Page 3

Outline

• Science of Security
• Cyber Ecosystem
  – Cyber Terrain
• Cyber Attack Lifecycle
• Cyber Ecosystem Attack Analysis Method
  – Threat Actor’s Cyber Offense Ecosystem
    • Threat Intelligence Method
  – Defender’s Cyber Defense Ecosystem
    • Active Defense Method

Page 4

Science of Security (SoS)

• The Science of Security term has been around since 2010, when an independent science and technology advisory committee for the U.S. Department of Defense concluded there is a science of (cyber) security discipline.
• The following year, 2011, the White House released “Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program”, formally establishing the Science of Security as 1 of 4 key strategic thrusts for U.S. Federal cybersecurity R&D programs.
• A cyber security scientist, in a broad sense, is one engaging in a systematic activity to acquire and organize knowledge in the cyber security domain.

Page 5

SoS – Core Themes

• In 2011 Canada, the United States, and the United Kingdom established 7 core, inter-related themes that make up the Science of Security domain.

Figure: the SoS core themes: Attack Analysis, Common Language, Core Principles, Measurable Security, Agility, Risk, Human Factors.

Page 6

Cyber Ecosystem

• Ecosystem is defined as “a community of living organisms in conjunction with the nonliving components of their environment, interacting as a system”.
• DHS defines a cyber ecosystem as: “Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communication technologies) – that interact for multiple purposes.”

Figure: People, Processes, Technology.

http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf

Page 7

Cyber Terrain

(Diagram only; no text content extracted.)

Page 8

Cyber Terrain – Layers 0-1

• CAPEC-ID:455 – Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components
• CAPEC-ID:453 – Malicious Logic Insertion via Counterfeit Hardware
• CAPEC-ID:547 – Physical Destruction of Device or Component
• CAPEC-ID:397 – Cloning Magnetic Strip Cards
• CAPEC-ID:391 – Bypassing Physical Locks
• CAPEC-ID:507 – Physical Theft
• CAPEC-ID:414 – Pretexting via Delivery Person
• CAPEC-ID:413 – Pretexting via Tech Support
• CAPEC-ID:407 – Social Information Gathering via Pretexting
• CAPEC-ID:406 – Social Information Gathering via Dumpster Diving

CAPEC = Common Attack Pattern Enumeration and Classification (463 total attack patterns in CAPEC V2.6)

Website: http://capec.mitre.org

Page 9

Cyber Terrain – Layers 2-7

• CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring (Application Layer)
• CAPEC-ID:311 – OS Fingerprinting (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:291 – DNS Zone Transfers (Application Layer)
• CAPEC-ID:315 – TCP/IP Fingerprinting Probes (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:310 – Scanning for Vulnerable Software (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:309 – Network Topology Mapping (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:293 – Traceroute Route Enumeration (Network Layer & Transport Layer)
• CAPEC-ID:316 – ICMP Fingerprinting Probes (Network Layer)

Page 10

Cyber Terrain – Layers 8-11

• CAPEC-ID:37 – Lifting Data Embedded in Client Distributions
• CAPEC-ID:205 – Lifting Credential Key Material Embedded in Client
• CAPEC-ID:8 – Buffer Overflow in an API Call
• CAPEC-ID:14 – Client-side Injection-induced Buffer Overflow
• CAPEC-ID:118 – Gather Information
• CAPEC-ID:268 – Audit Log Manipulation
• CAPEC-ID:270 – Modification of Registry Run Keys
• CAPEC-ID:17 – Accessing, Modifying or Executing Executable Files
• CAPEC-ID:69 – Target Programs with Elevated Privileges
• CAPEC-ID:76 – Manipulating Input to File System Calls
• CAPEC-ID:35 – Leverage Executable Code in Non-Executable Files
• CAPEC-ID:472 – Browser Fingerprinting
• CAPEC-ID:151 – Identity Spoofing
• CAPEC-ID:156 – Deceptive Interactions

Page 11

Cyber Terrain – Layers 12-14

• CAPEC-ID:404 – Social Information Gathering Attacks
• CAPEC-ID:410 – Information Elicitation via Social Engineering
• CAPEC-ID:416 – Target Influence via Social Engineering
• CAPEC-ID:527 – Manipulate System Users
• CAPEC-ID:156 – Deceptive Interactions
• CAPEC-ID:98 – Phishing
• CAPEC-ID:163 – Spear Phishing
• CAPEC-ID:164 – Mobile Phishing (aka MobPhishing)

Page 12

Cyber Terrain – Complete

(Diagram only; no text content extracted.)

Page 13

Cyber Ecosystem w/ Terrain

Figure: the cyber ecosystem (People, Processes / TTPs, Technology / Cyber Terrain) with the terrain layers: Persona Layer, Software App Layer, Operating System Layer, Machine Language Layer, Logical Layers (Communications Ports & Protocols), Physical Layer, Geographic Layer, Organization Layer, Government Layer.

Page 14

Cyber Attack Lifecycle

“Use a cyber attack lifecycle as a framework for observing and understanding an adversary’s actions and for defining an active defense strategy that makes effective use of information available through both internal and external sources throughout the lifecycle.”

Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain

Cyber Attack Lifecycle from: http://www.mitre.org/publications/technical-papers/cyber-resiliency-and-nist-special-publication-800-53-rev4-controls

Key recommendation from NIST Guide to Cyber Threat Information Sharing (DRAFT): http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf

Page 15

Cyber Ecosystem Attack Analysis

Figure: the Threat Actor’s cyber offense ecosystem and the Defender’s cyber defense ecosystem, mirrored across the same layers (Persona Layer, Software App Layer, Operating System Layer, Machine Language Layer, Logical Layers / Communications Ports & Protocols, Physical Layer, Geographic Layer, Organization Layer, Government Layer) and grouped as Technology / Cyber Terrain, Processes / TTPs, and People (Threat Actors on the Offense side, Defenders on the Defense side). The attack lifecycle (Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain) runs across both.

Offense side: the Threat Actor’s use of technology and observable technical indicators; the Threat Actor’s Modus Operandi (Methods of Operation).

Defense side: the Defender’s technology-based mitigations and countermeasures; the Defender’s process-based mitigations and countermeasures.

Threat Intelligence is based on analysis of the Threat Actor’s Cyber Offense Ecosystem. Active Defense is based on analysis of the Defender’s Cyber Defense Ecosystem. Offense informs Defense.

Page 16

Boyd Cycle / OODA Loop

• Decision cycle developed by USAF Colonel John Boyd, who applied it to combat operations. Often applied to understand commercial operations and learning processes.

http://en.wikipedia.org/wiki/OODA_loop

Page 17

Threat Intelligence Method

1. Observe – Observe each stage of the attack; collect and process available data and information about the attack for each layer of the cyber ecosystem.
2. Orient – Analyze and synthesize the attack data and information for each stage and layer. Orient on the Threat Actor’s methods of operation and use of technology to identify observable indicators in the attack data for each stage across one or more layers of the cyber ecosystem.
3. Decide – Based on the Threat Actor’s modus operandi and the identified observables and indicators, decide whether this attack is from a new threat actor or is part of a larger campaign. Produce a threat intelligence report.
4. Act – Disseminate the threat intelligence report.

Page 18

Pivot & Chain Into Campaigns

Figure: successive snapshots of a growing set of attacks (Attack 1 through Attack 6). Attacks that share an indicator (labelled CC1 and CC2 in the figure) are chained together, and each chain is attributed to a threat actor (APT 1 or APT 2).
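The Orient and Decide steps of the Threat Intelligence Method, and the chaining shown on this slide, reduce to a small data structure: each attack is a set of observables keyed by lifecycle stage and ecosystem layer, attacks that share an observable are chained (transitively) into one campaign, and a chain inherits any attribution its members already carry. The following is an added example written for this page, not code from the deck or its author; the attack records, sender addresses, CC1/CC2 (taken here to stand for command-and-control hosts) and the actor names are constructed sample data.

```python
from collections import defaultdict

# Lifecycle stages and ecosystem layers as named on the slides.
STAGES = ("Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain")
LAYERS = ("Persona", "Software App", "Operating System", "Machine Language",
          "Logical", "Physical", "Geographic", "Organization", "Government")


class Attack:
    """One observed attack: (stage, layer, indicator) observables plus, when
    already known, the threat actor it has been attributed to."""

    def __init__(self, name, observables, actor=None):
        for stage, layer, _ in observables:
            if stage not in STAGES or layer not in LAYERS:
                raise ValueError(f"{name}: unknown stage/layer {(stage, layer)}")
        self.name = name
        self.observables = observables
        self.actor = actor


def chain_attacks(attacks):
    """Orient: chain attacks that share at least one indicator into campaigns,
    transitively, using union-find. Returns sorted lists of attack names."""
    parent = {a.name: a.name for a in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> first attack that exhibited it
    for a in attacks:
        for _, _, indicator in a.observables:
            if indicator in first_seen:
                parent[find(a.name)] = find(first_seen[indicator])
            else:
                first_seen[indicator] = a.name

    groups = defaultdict(list)
    for a in attacks:
        groups[find(a.name)].append(a.name)
    return sorted(sorted(g) for g in groups.values())


def stage_coverage(attacks, group):
    """Count distinct (layer, indicator) observables per lifecycle stage for
    one campaign; stages at zero are collection gaps for the Observe step."""
    by_name = {a.name: a for a in attacks}
    seen = {stage: set() for stage in STAGES}
    for name in group:
        for stage, layer, indicator in by_name[name].observables:
            seen[stage].add((layer, indicator))
    return {stage: len(v) for stage, v in seen.items()}


def decide(attacks):
    """Decide: a chained campaign inherits the attribution of any member already
    tied to a known actor; otherwise it is flagged as a possible new actor.
    Conflicting attributions inside one chain are surfaced, not guessed."""
    by_name = {a.name: a for a in attacks}
    verdict = {}
    for group in chain_attacks(attacks):
        actors = sorted({by_name[n].actor for n in group if by_name[n].actor})
        if len(actors) > 1:
            label = "CONFLICT: " + " / ".join(actors)
        elif actors:
            label = actors[0]
        else:
            label = "NEW-ACTOR?"
        for n in group:
            verdict[n] = label
    return verdict


# Constructed sample data, not real indicators: sender addresses use the
# reserved .invalid TLD, c2:CC1 / c2:CC2 are placeholder command-and-control
# hosts, and the capec: tags refer to patterns listed on the Cyber Terrain slides.
SAMPLE = [
    Attack("Attack 1", [("Deliver", "Persona", "sender:billing@example.invalid"),
                        ("Control", "Logical", "c2:CC1")], actor="APT 1"),
    Attack("Attack 2", [("Deliver", "Persona", "sender:billing@example.invalid"),
                        ("Exploit", "Software App", "capec:14")]),
    Attack("Attack 3", [("Control", "Logical", "c2:CC1"),
                        ("Maintain", "Operating System", "capec:270")]),
    Attack("Attack 4", [("Control", "Logical", "c2:CC2")]),
    Attack("Attack 5", [("Control", "Logical", "c2:CC2"),
                        ("Deliver", "Persona", "sender:hr@example.invalid")], actor="APT 2"),
    Attack("Attack 6", [("Recon", "Logical", "capec:316")]),
]

if __name__ == "__main__":
    for group in chain_attacks(SAMPLE):
        print(group, stage_coverage(SAMPLE, group))
    print(decide(SAMPLE))
```

Attack 2 never touches CC1, yet it lands in the APT 1 campaign because it shares a sender with Attack 1, which shares CC1 with Attack 3; that transitive pivot is the point of chaining across layers rather than on one indicator type. The per-stage counts make the "multiple observable indicators for each stage" property on the Benefits slide measurable: a campaign with zero observables at Recon or Weaponize tells the analyst where collection is blind.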

Page 19

PDCA – Plan Do Check Act

• Iterative four-step management method used in business for the control and continuous improvement of processes and products. AKA Deming circle/cycle/wheel, Shewhart cycle, or as seen in ISO 9001.

http://en.wikipedia.org/wiki/PDCA

Page 20

Active Defense Method

1. Plan – Plan active defense courses of action, based on threat intelligence, for each stage of the Threat Actor’s attack; consider both technical and process-based mitigations and countermeasures for each layer of the Defender’s cyber defense ecosystem.
2. Do – Implement the intelligence-based courses of action to mitigate and counter the Threat Actor’s attack and to increase the defender’s resilience to future attacks by this threat actor.
3. Check – Measure the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures over time.
4. Act – Provide feedback on the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures; take action to continuously improve the security and resilience of the cyber ecosystem.
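The Plan and Check/Act steps can be made concrete as two small computations: Plan compares the stages where threat intelligence exists against the courses of action on record and reports stages lacking a technical or a process-based mitigation; Check turns stopped-versus-missed counts per period into an effectiveness ratio; Act flags stages whose effectiveness is below a threshold or has fallen since the previous period. This is an added example for this page, not code from the deck or its author; the intelligence counts, the courses of action, the quarterly outcome counts and the 0.75 threshold are constructed assumptions, and it measures only mitigation effectiveness, not the quality of the intelligence itself.

```python
from collections import defaultdict

STAGES = ("Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain")
KINDS = ("technical", "process")

# Constructed threat-intelligence input for one campaign: number of distinct
# indicators seen per lifecycle stage (the kind of output the Orient step yields).
INTEL = {"Deliver": 2, "Exploit": 1, "Control": 1, "Maintain": 1}

# Constructed courses of action: stage -> [(layer, kind, description)].
COURSES_OF_ACTION = {
    "Deliver": [("Persona", "process", "phishing awareness and reporting drill"),
                ("Logical", "technical", "mail gateway block on reported sender domains")],
    "Control": [("Logical", "technical", "egress filtering of known C2 hosts")],
    "Maintain": [("Operating System", "technical", "alert on registry Run key changes"),
                 ("Organization", "process", "monthly review of persistence alerts")],
}


def plan(intel, coas):
    """Plan: every stage with intelligence should have both a technical and a
    process-based course of action. Returns the missing kinds per stage."""
    gaps = {}
    for stage in STAGES:
        if intel.get(stage, 0) == 0:
            continue
        present = {kind for _, kind, _ in coas.get(stage, [])}
        missing = [kind for kind in KINDS if kind not in present]
        if missing:
            gaps[stage] = missing
    return gaps


# Constructed Check data: per measurement period and stage, how many attempts
# by this actor the courses of action stopped versus how many got through.
OUTCOMES = [
    ("2014-Q3", "Deliver", 8, 2),
    ("2014-Q3", "Control", 3, 1),
    ("2014-Q4", "Deliver", 9, 1),
    ("2014-Q4", "Control", 1, 3),
]


def check(outcomes):
    """Check: effectiveness = stopped / (stopped + missed), per period and stage;
    None when nothing was observed in that period."""
    effectiveness = {}
    for period, stage, stopped, missed in outcomes:
        total = stopped + missed
        effectiveness[(period, stage)] = stopped / total if total else None
    return effectiveness


def act(effectiveness, threshold=0.75):
    """Act: flag stage/period pairs whose effectiveness is below the threshold
    or fell relative to the previous period; these feed the next Plan step."""
    series = defaultdict(list)
    for (period, stage), value in sorted(effectiveness.items()):
        if value is not None:
            series[stage].append((period, value))
    findings = []
    for stage, points in series.items():
        previous = None
        for period, value in points:
            if value < threshold:
                findings.append((stage, period, "below threshold"))
            elif previous is not None and value < previous:
                findings.append((stage, period, "degraded"))
            previous = value
    return sorted(findings)


if __name__ == "__main__":
    print("Plan gaps:", plan(INTEL, COURSES_OF_ACTION))
    print("Check:", check(OUTCOMES))
    print("Act:", act(check(OUTCOMES)))
```

With the sample data, Plan reports that the Exploit stage has no course of action at all and that Control relies on a single technical control with no process backing it, and Act flags Control in 2014-Q4, where egress filtering alone dropped from three of four attempts stopped to one of four; the slide's "Offense informs Defense" loop closes when that finding goes back into the next Plan.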

Page 21

Methods Combined

Figure: a timeline from 2009 to 2015 with the Threat Intelligence Cycle and the Active Defense Cycle repeating along it.

Page 22

Cyber Ecosystem Attack Analysis Methodology

Figure: the Threat Actor’s cyber offense ecosystem and the Defender’s cyber defense ecosystem, mirrored across the same layers (Persona Layer, Software App Layer, Operating System Layer, Machine Language Layer, Logical Layers / Communications Ports & Protocols, Physical Layer, Geographic Layer, Organization Layer, Government Layer) and grouped as Technology / Cyber Terrain, Processes / TTPs, and People (Threat Actors on the Offense side, Defenders on the Defense side), with the attack lifecycle (Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain) running across both. Offense side: the Threat Actor’s use of technology and observable technical indicators; the Threat Actor’s Modus Operandi (Methods of Operation). Defense side: the Defender’s technology-based mitigations and countermeasures; the Defender’s process-based mitigations and countermeasures. The Threat Intelligence Cycle and the Active Defense Cycle are shown alongside.

Page 23

Benefits

• Takes a more holistic approach by considering the attack across both the Threat Actor’s cyber offense ecosystem and the Defender’s defense ecosystem.
• Enables the Defender to better identify, chain, and track Threat Actors and Campaigns over time.
• Enables a more resilient cyber defense ecosystem by having multiple observable indicators for each stage of attack across different layers of the ecosystem.
• Costs the Threat Actor considerably more to defeat layered, intelligence-based mitigations and countermeasures.

Page 24

Additional Recommendations

• Adopt STIX, TAXII, and CybOX for Threat Intelligence, with MAEC, CAPEC, CWE, CVE, and CCE extensions (http://msm.mitre.org).
  – Automation
  – Interoperability
    • Semantic Interoperability
    • Technical Interoperability
    • Policy Interoperability

http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf

Page 25

Summary

• Following this methodology will reduce the defender’s cost per attack while increasing the threat actor’s cost to overcome.
• Based on methods used by many organizations already: OSI Model, OODA Loop, and PDCA cycle.
• Maturing from a reactive, passive defense posture to a more proactive, active defense posture.

Page 26

Thank You!

• Please feel free to reach out with any questions or comments.
• You can find me on LinkedIn at: www.linkedin.com/in/shawnriley71/