Exploiting Threat Intelligence
By: Harlan Carvey
Prioritizing resources and effort to improve the overall security posture and incident readiness of any organization is an arduous but necessary task. No organization has unlimited funds and resources; in fact, the truth is quite the opposite. Fully exploiting threat intelligence can help IT professionals make decisions about best utilizing available resources.
With respect to targeted threat groups, organizations typically focus on automatically ingesting extremely volatile indicators that threat groups use in intrusions targeting the organization's vertical or geographic region. These indicators include MD5 file hashes, as well as domain names and IP addresses for malware command and control (C2) servers. As illustrated in the Dell SecureWorks “Sleeper Agent” blog post, these indicators are volatile and often change quickly. Dell SecureWorks Counter Threat Unit™ (CTU) researchers have responded to intrusions where threat actors created a C2 infrastructure and compiled tools solely to compromise a single organization. In these cases, the resources to ingest the indicators into another organization's systems are wasted. Organizations should focus on less volatile indicators to disrupt a threat group's ability to compromise and exploit an organization's infrastructure.
Threat actors engaged in targeted intrusions have various reasons for infiltrating an organization and do not necessarily focus on a single vertical. Any organization that makes something that is perceived to be valuable, has access to something valuable, or has a trust relationship with someone who makes or accesses something valuable can be (and very likely already is) a target. Rather than dismissing intelligence about a particular threat group because it has not been observed targeting organizations in the same vertical, IT professionals should ask themselves, “If these techniques, tactics, and procedures (TTPs) were used in an intrusion against my company, would we detect them?”
For example, CTU researchers have observed several threat groups that strive to obtain domain administrator credentials. After achieving this goal, many of the groups create additional privileged accounts for future use. IT professionals should strongly consider auditing their infrastructure for the creation and use of privileged accounts. At most, this auditing requires making minor changes to the audit configuration on the domain controllers, and monitoring for specific events via a Security Event and Incident Management (SEIM) system. Another solution is to adopt a privileged account management technology.
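The audit described above, as an added example that is not part of the original post: a small Python correlation rule of the kind a SIEM would run over domain controller events, flagging an account that is added to a privileged group shortly after it was created. The event IDs are the standard Windows Security log IDs for account creation and group membership changes (the post does not name them), and the JSON-lines layout and sample records are constructed.

```python
import json
from datetime import datetime, timedelta

# Standard Windows Security log event IDs (not named in the post). The
# "Audit User Account Management" and "Audit Security Group Management"
# subcategories must be enabled on domain controllers to produce them.
ACCOUNT_CREATED = 4720                    # A user account was created
GROUP_MEMBER_ADDED = {4728, 4732, 4756}   # global / local / universal group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "Schema Admins"}

# Constructed sample records in a normalised JSON-lines shape; the field
# names are an assumption for this example, not any vendor's schema.
SAMPLE_LOG = """\
{"time": "2013-06-01T02:14:05", "id": 4720, "actor": "jsmith", "target": "svc_backup2"}
{"time": "2013-06-01T02:14:41", "id": 4728, "actor": "jsmith", "target": "svc_backup2", "group": "Domain Admins"}
{"time": "2013-06-01T09:30:00", "id": 4720, "actor": "helpdesk", "target": "newhire"}
{"time": "2013-06-01T09:31:10", "id": 4732, "actor": "helpdesk", "target": "newhire", "group": "Remote Desktop Users"}
{"time": "2013-06-03T11:00:00", "id": 4756, "actor": "admin", "target": "newhire", "group": "Enterprise Admins"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts, sorted by event time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_new_privileged_accounts(events, window=timedelta(hours=48)):
    """Return (account, group, actor, seconds_since_creation) for each account
    added to a privileged group within `window` of its creation. Accounts
    elevated long after creation (normal provisioning) are not flagged."""
    created = {}   # account name (lower-cased) -> its 4720 event
    alerts = []
    for ev in events:
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"].lower()] = ev
        elif ev["id"] in GROUP_MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            origin = created.get(ev["target"].lower())
            if origin is not None and ev["time"] - origin["time"] <= window:
                secs = int((ev["time"] - origin["time"]).total_seconds())
                alerts.append((ev["target"], ev["group"], ev["actor"], secs))
    return alerts


if __name__ == "__main__":
    for account, group, actor, secs in find_new_privileged_accounts(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {account} added to {group} by {actor} {secs}s after creation")
```

Widening the window trades fewer missed cases for more noise from legitimate provisioning, so tune it against your own account-creation baseline.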
CTU researchers have also observed several threat groups stealing credentials from within an organization and then immediately moving to legitimate remote access solutions as their primary access vector. Based on the current level of network and endpoint monitoring instrumentation within most organizations, the threat actors seem to disappear after moving to the legitimate platforms. They become difficult to track by appearing to be legitimate users and relying on the organization's own native infrastructure rather than their own tools and malware. Organizations that do not apply two-factor authentication (2FA) to all remote access solutions (including VPNs and Outlook Web Access (OWA) servers) should consider prioritizing this effort. It requires fewer resources to establish, monitor, and maintain than approaches such as instrumenting all endpoint systems for monitoring.
Organizations should focus on threat intelligence to help them prioritize resource utilization in their environments. Focusing on TTPs to reduce the time and effort to detect and respond to threats better positions organizations to defend themselves from known — and unknown — threat groups.