Just as I was about to pack up from my home office and walk downstairs and go to bed last night, I happened to stray on the Twitter and find that Mandiant had released its detailed report on the Chinese espionage group it is calling APT1. The excitement overwhelmed me and I wound up staying up for a few more hours to read the entire report, check some of the indicators against other indicators I had, and read some of the reaction on Twitter.
First of all, I have to tip my hat to Mandiant on a really well put together report. Before joining InGuardians, I spent several years of my career in the DoD, and have read a lot of intelligence reports. I've also had the pleasure (misfortune) to handle my fair share of Chinese-related incidents. With that in mind, I can assert that the APT1 report is top notch. As an organization, and as individuals, Mandiant and its employees are exposing themselves to a great deal of risk by publishing this data, which I'm sure they aren't taking lightly.
The success of Mandiant in the creation of this intelligence product is evident, but as an industry, now is not the time to rest on our laurels and bask in the glory of exposing PLA Unit 61398. The information published in the report isn't very useful if it isn't made actionable. That said, if you are responsible for network security monitoring in your organization, how can you make use of these indicators?
Making Intelligence Actionable with the Intrusion Kill Chain
In order to effectively utilize indicators of compromise (IOCs), I turn to the framework provided by the Intrusion Kill Chain and US DOD JP 3-13 on Information Assurance. There has been a significant focus on the application of the intrusion kill chain in the past year or so, and while it's certainly not a silver bullet, it is a nice tool for determining how defensive technologies can be used, and how to choose where indicators should be deployed.
This framework focuses on specific defensive capabilities. I won't rehash them fully (you can read the docs for that, linked at the bottom of this post), but briefly, they are:
- Detect: Can you see/find it?
- Deny: Can you stop it from happening?
- Disrupt: Can you stop it while it’s happening?
- Degrade: Can you make it not worth it?
- Deceive: Can you trick them [the adversary]?
- Destroy: Can you blow it up?
The framework argues that the capabilities of detect, deny, disrupt, degrade, deceive, and destroy can be mapped to different phases of a network attack to form a course of actions matrix. The common phases of attack are recon, delivery, exploitation, installation, C2, and actions/objectives. Recognizing that different organizations use different models to represent the phases of a network attack, you can plug any model in here to generate actions from this framework. For instance, you could also use the attack phases mentioned in the APT1 report, which are initial recon, initial compromise, establish foothold, escalate privileges, internal recon, move laterally, and maintain presence.
The results of the course of actions matrix are a mapping of what defensive mechanisms you can use to employ indicators. Given any particular attack technique or piece of malware, you should be able to come up with something mirroring the following to determine what courses of action you have available to you, and where IOCs related to a particular technique or piece of malware can be deployed.
Table 1: Course of Actions Matrix
In this matrix, defensive capabilities are shown on the top horizontal axis, and phases of an attack are shown on the left vertical axis. At each point where a capability intersects with a phase, an action that can be used to apply the defensive capability to the attack phase is identified. For example, we see that in the recon phase, a firewall ACL could be used to deny the adversary from completing their goal, which might be an attempted connection to a specific server. In another example, we see that a DEP solution could be used to disrupt the adversaries’ ability to complete their objective, which might be to exfiltrate data from the targeted network.
NOTE: Although the intrusion kill chain mentions the destroy capability, it has been left out of this post. The destroy capability falls beyond the scope of NSM, unless of course, you have your own fleet of Predator drones configured to act in harmony with your IDS alerts.
Keep in mind that the table above is meant to be an example that lists a variety of different defensive technologies, some of which can be used along with indicators. The course of actions matrix isn’t meant to be a solitary entity that defines the scope of every possible attack, but rather, a framework that can be used to assess what actions you can take to respond to various threats based upon the intelligence you have at hand. You will note that some areas have multiple actions available, and the actions you take will depend upon what tools and data you have at your disposal. In addition, there may be instances where no actions exist to address certain capabilities within the kill chain. Specifically, it’s very common to only be able to find detect or deny actions, without being able to develop anything to disrupt, degrade, or deceive. In a perfect world, everything would be denied and we would only employ detection mechanisms as a backup. You should always aim to satisfy the detect and deny capabilities first.
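As an added illustration (my own example code, not part of the original post or of Mandiant's report), the following Python script models a course of actions matrix as a mapping from (attack phase, capability) cells to the tools that can consume a given indicator type, and then reports which phases still lack a detect or deny action. The tool names, indicator types and cell contents are assumptions chosen for illustration, not a transcription of Table 1.

```python
# Added example: a small course-of-actions matrix keyed on
# (attack phase, defensive capability). Cell contents, tool names and
# indicator types are illustrative assumptions, not the post's Table 1.
from collections import defaultdict

CAPABILITIES = ("detect", "deny", "disrupt", "degrade", "deceive")
KILL_CHAIN = ("recon", "delivery", "exploitation", "installation", "c2", "actions")

# Each cell lists (tool, indicator types the tool can consume). An empty set
# means the action needs no indicator (DEP is a generic control).
MATRIX = {
    ("recon", "detect"): [("web log analytics", {"ip", "user-agent"})],
    ("recon", "deny"): [("firewall ACL", {"ip"})],
    ("delivery", "detect"): [("NIDS", {"ip", "domain", "hash"})],
    ("delivery", "deny"): [("mail gateway", {"domain", "hash"})],
    ("exploitation", "detect"): [("HIDS", {"hash"})],
    ("exploitation", "disrupt"): [("DEP", set())],
    ("installation", "detect"): [("HIDS", {"hash", "path"})],
    ("c2", "detect"): [("NIDS", {"ip", "domain"}), ("DNS logs", {"domain"})],
    ("c2", "deny"): [("firewall ACL", {"ip"}), ("DNS sinkhole", {"domain"})],
    ("c2", "deceive"): [("DNS sinkhole", {"domain"})],
    ("actions", "detect"): [("DLP", set())],
}

def deployments(indicator_type, matrix=MATRIX):
    """Map an indicator type to the {phase: {capability: [tools]}} cells that consume it."""
    out = defaultdict(dict)
    for (phase, cap), actions in matrix.items():
        tools = [tool for tool, kinds in actions if indicator_type in kinds]
        if tools:
            out[phase][cap] = tools
    return dict(out)

def detect_deny_gaps(phases=KILL_CHAIN, matrix=MATRIX):
    """Phases where detect or deny (the capabilities to satisfy first) have no action."""
    gaps = {}
    for phase in phases:
        missing = [c for c in ("detect", "deny") if not matrix.get((phase, c))]
        if missing:
            gaps[phase] = missing
    return gaps

if __name__ == "__main__":
    # Constructed sample indicators, not values taken from the report.
    sample = {"ip": "192.0.2.10", "domain": "c2.example.test", "hash": "<md5 placeholder>"}
    for kind, value in sample.items():
        print(kind, value, "->", deployments(kind))
    print("detect/deny gaps:", detect_deny_gaps())
```

Swapping `KILL_CHAIN` for the APT1 phase list (and adding cells keyed on those phases) gives the same gap report against that model, which is the "plug any model in" point made above.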
Ultimately, the value of an intelligence product isn't realized if no one takes action on it. If you are in an organization where you are concerned that you may be a target of APT1, then you should read the Mandiant report and use a framework like the intrusion kill chain to determine how you can best make use of the indicators they have provided. Actionable intelligence isn't the answer to the problem, it's merely a mechanism used to achieve a goal. In this case, that goal is protecting your network and the information assets within it.
- Mandiant APT1 Report - http://intelreport.mandiant.com/
- DOD JP 3-13 (2006) - http://www.carlisle.army.mil/DIME/documents/jp3_13.pdf
- Intelligence-Driven Computer Network Defense - http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/white-papers/LM-White-Paper-Intel-Driven-Defense.pdf