Using SpiderFoot for Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) is a complex cat-and-mouse game where blue team cyber professionals are endlessly looking for IOCs, trends, and information from thousands of sources in order to scrape together additional defense against intrusions. Incident response (IR) engagements often fuel CTI by providing IOCs from known breach attempts (successful or otherwise) that can be used to detect future incursions. Another good source is the attack patterns and suspicious activity found by analysts triaging alerts in a SOC environment. One such attack pattern was recently discovered by a colleague, so we’ll be using its IOCs as the examples throughout this article.

Identifying Patterns in the Wild

Recently I came across a pattern of intrusion attempt activity from a few Russian-based IP addresses, targeting government organizations with password spray and brute force attacks utilizing a mixture of generic pastes and specific data as credentials, which I suspect they obtained via targeted PDFs and spear phishing of users within the organizations.

We first identified this activity during an IR engagement, and later correlated similar activity occurring in other related organizations via intel-sharing between teams. The attacks used a specific Russian IP in most cases, but also a hostname that looked like a Windows server in other attacks – mainly on domain controllers. We knew that they had obtained information about specific hosts and users based on the account names they tried during the password spray and brute force attacks. The lists were 90% generic, but with a few very specific hosts and usernames thrown in.

Enumeration at Scale

Enumerating identified IOCs from threat campaigns takes far too long against hundreds of individual tools, but thankfully this process can be heavily optimized using SpiderFoot HX. I’ve used the example IOCs I talked about earlier from a recent campaign to highlight the power of SpiderFoot, specifically around expanding your known list of IOCs as well as the enumeration capabilities.

In the diagram below you can see two large nodes – on the left is the information found by enumerating the target host we identified hitting numerous organizations, and on the right is everything SpiderFoot HX has found related to it, which we can use to expand our list.

Node graph of the scan output, showing related artefacts on the left and other IPs on the right

SpiderFoot HX has already saved me hours of time, and has confirmed what I’ve seen from the existing IOCs – a specific Windows 2012R2 Server conducting AD attacks. This is great, but this is information I could work out manually. The strongest part of this enumeration at scale is the related artifacts we can glean from the scan, from that larger web on the right in the image above.

Analysis and Validation

I’ve always said that I love a GUI – and with CTI, SpiderFoot has amazing graphing capabilities in place that can help determine the relation between artifacts discovered during the scan. As I’ve shown above, we can determine how the IOCs we have relate to others, and what sub-detections have been found. Often those further from the source can be less related, and this is usually where it gets noisy; however, the analysis part that comes after a scan is made easier with the node graph display.

We can take our analysis further and validate the kind of activity that has been seen from the IPs SpiderFoot HX has found, which may be related to the activity we’ve seen from our existing IOCs. Not all detections will truly be malicious, so it’s important to validate this.

Twitter is a fantastic source for CTI, and it looks like a few IPs on the same /24 range have been performing similar attacks to one of our other IPs:

Applying the Findings

This information can be used to further enrich blue team operations by including these IPs in threat intelligence feeds to identify similar activity and act accordingly when it occurs. In this case, these findings were integrated into the SOC’s custom threat feed to monitor across dozens of organizations and alert on any activity we see across multiple layers of visibility – from endpoint to network activity. There is a never-ending cycle between threat intelligence and SOC blue team operations whereby CTI provides the SOC with information it gains from DFIR engagements and research in the wild, and the SOC provides back patterns of activity and points of interest that may be worth exploring further.
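As an added illustration (not part of the original article or SpiderFoot’s own code), here is how a SOC might match authentication events against such a custom feed: exact IP and hostname IOCs, the neighbouring /24 range mentioned above, and a simple password-spray heuristic (one source failing against several distinct accounts). All IOC values and log events are constructed placeholders, not the campaign’s real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed IOC feed (placeholders): the primary source IP, the /24 range
# around related IPs, and the Windows-server-looking hostname seen in attacks.
IOC_FEED = {
    "ips": {"203.0.113.45"},
    "cidrs": {"198.51.100.0/24"},
    "hostnames": {"WIN-EXAMPLE01"},
}

# Constructed sample authentication events: (source IP, workstation, account, outcome).
SAMPLE_EVENTS = [
    ("203.0.113.45", "WIN-EXAMPLE01", "jsmith", "failure"),
    ("203.0.113.45", "WIN-EXAMPLE01", "admin", "failure"),
    ("203.0.113.45", "WIN-EXAMPLE01", "svc-backup", "failure"),
    ("198.51.100.77", "DESKTOP-ABC", "jsmith", "failure"),
    ("198.51.100.77", "DESKTOP-ABC", "mjones", "failure"),
    ("192.0.2.10", "CORP-PC-12", "mjones", "success"),
]


def match_ioc(src_ip, workstation):
    """Return the feed match reasons for one event (empty list if no IOC matched)."""
    reasons = []
    if src_ip in IOC_FEED["ips"]:
        reasons.append("ip")
    else:
        addr = ipaddress.ip_address(src_ip)
        # Range match covers the related IPs on the same /24 that were not seen directly.
        if any(addr in ipaddress.ip_network(c) for c in IOC_FEED["cidrs"]):
            reasons.append("cidr")
    if workstation in IOC_FEED["hostnames"]:
        reasons.append("hostname")
    return reasons


def detect(events, spray_threshold=3):
    """Return (IOC hits, sources that failed against >= spray_threshold distinct accounts)."""
    hits = []
    failed_accounts = defaultdict(set)
    for src_ip, workstation, account, outcome in events:
        reasons = match_ioc(src_ip, workstation)
        if reasons:
            hits.append((src_ip, account, reasons))
        if outcome == "failure":
            failed_accounts[src_ip].add(account)
    spray_sources = {ip for ip, accts in failed_accounts.items() if len(accts) >= spray_threshold}
    return hits, spray_sources
```

Feed hits are worth alerting on alone; the spray heuristic catches sources that are not yet in the feed and can be fed back into it after validation.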

SpiderFoot HX enables us to correlate and aggregate large amounts of information obtained from its scans and analyze it both at scale and at a granular level. Using this method we were able to correlate the primary suspect in our intrusions with a number of other IPs performing similar attacks, which gives us more IOCs to investigate in client environments and to highlight in threat-intelligence-based alerting.

Pivoting from these findings, we can enhance the process even further with SpiderFoot HX by adding the IOCs to a monitored scan, which identifies new information as it becomes available, as APIs improve, and as more sources are added to the platform. This allows fine-tuning of intelligence collection and improves detection capabilities in security operations. It is crucial to leverage every piece of actionable intelligence gained in your day-to-day security operations to ensure known adversaries are monitored and particularly dangerous cyber attacks are prevented where possible.
