Another Thotcon presentation was very good, unique and moves the industry forward.
Julian Cohen presented This idea:
“Understanding Your Adversaries”
In his talk: “Adversary-Based Threat Analysis”
He explained that in the traditional Threat modeling Process the following 6 items happen.
- Identify Assets
- Create Architecture Overview
- Decompose an Application
- Identity the Threats
- Document the Threats
- Rate the Threats
But his method includes rating the adversaries.
He gave some examples that are well documented (the PLA or Peoples Liberation Army) in Mandiant’s report. The report is now in a “new” mandiant web location with all of their reports. Here is an updated link: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
This famous report is explained as APT1 (Advanced Persistent Threats), the fame of this report is that Mandiant did a thorough analysis how and who did the attacking from China(PLAUnit61398), down to learning where exactly the attacks came from(which building). You can search under APT1 in any search engine and the term is attributed to the report.
Julian discusses the adversary as they have a say (or should) in how you defend.
A discussion of the intrusion Kill Chain ensued (by Lockheed Martin) i.e. below is the action and tools that are used.
- Recon: Email harvesting
- Weapon: Office Macros
- Delivery: Phishing
- Exploit: target runs macro
- install: Poison Ivy
- C2 – Command and Control: Poison Ivy
- Actions: Pivot to active directory
Here is where Julian discussed “what” the adversary is using as to how effective they actually are. The adversary is not going to do ‘everything’ , as they will do stuff that works.
There is another matrix which reviews Attacker Cost (Likelihood) focusing on these
- Weapon- office macros
- Delivery – phishing
- Install – Poison Ivy
- C2 – Poison Ivy
We all know Phishing works for them, since we are getting inundated with spam that tries their hardest to trick and get access to their machine.
Then also reviewed what is effective for defenders
- Delivery – Phishing
- Install – Poison Ivy
- C2 – Poison Ivy
He also mentioned this comment:
“Adversaries don’t think about winning once. They build repeatable, scalable playbooks that are cost effective at achieving their objectives over and over again against a series of targets. Adversaries don’t think about winning at all, they think about a steady stream of targets.”
Attacker efficiency: Attackers determine the least costly and most valuable attacks based on
- Who are the targets
- Required success rate
- Speed of conversion
Defenses to APT1 are the following
Detect, Deny, Disrupt, Degrade, Deceive, Destroy.
All attackers are resource constrained and all attackers have a boss and a budget.
Likelihood versus Input (in a risk calculus)
In most cases issues should be treated on likelihood alone
Do not make impact High.
Get the most up-to-date research data to drive the likelihood information in your matrix
He is talking about this matrix I have shown in the past(in this graph likelihood = probability):
In the presentation this is the matrix he showed:
Notice the similarities even though the impact and likelihood were switched in axis, which does not actually mean much.
There is a profound meaning in this realization.
The reality is that since the attackers are not just going after you, but templates of defenders, you have to have a profile that makes you more difficult to crack. With a focus on phishing defenses, and defending against Poison Ivy the tool.
You should not just create a threat model of your systems and software, also pay attention to the attackers which are doing specific things, so that you can focus on high risk items and the likelihood of attacks on your infrastructure.