Diamonds or chains

| What            | Observed                   | Kill Chain stage | Diamond Model               |
|-----------------|----------------------------|------------------|-----------------------------|
| Email address   | <[email protected]>      | Delivery         | Infrastructure              |
| Sender IP       | 192.0.2.42                 | Delivery         | Infrastructure              |
| Attachment      | runme.exe                  | Exploit/Install  | Capability                  |
| Network traffic | GET /callhome.php HTTP/1.0 | C2               | Capability / Infrastructure |
|                 | 190.0.2.101                |                  |                             |
|                 | acme.example.net           |                  |                             |

Diamond Model 3

| What                   | Observed                    | Kill Chain stage  | Diamond Model  |
|------------------------|-----------------------------|-------------------|----------------|
| Email address (fake)   | <[email protected]>       | Delivery          | Infrastructure |
| Email headers          | X-Mailer: enom1856          | Delivery          | Capability     |
|                        | X-Campaign:                 | Delivery          | Capability     |
| Sender IP              | 2001:0DB8:1de:ad00::1       | Delivery          | Infrastructure |
| Attachment             | update.pdf.exe              | Exploit / Install | Capability     |
| Network traffic        | GET /callhome.php HTTP/1.0  | Command & Control | Capability     |
|                        | POST /callhome.php HTTP/1.1 | Act on Objectives | Capability     |
| Domains and IPs        | acme.example.net            | Command & Control | Infrastructure |
|                        | 198.51.100.5                | Command & Control | Infrastructure |
|                        | 2001:0DB8:1d3:ad00::5       | Command & Control | Infrastructure |
| Destination IP for FTP | 198.51.100.6                | Act on Objectives | Infrastructure |

The diamond models make it clear there are connections between the initial compromise and the later events. Each has the same email tool (X-Mailer: enom1856), the same implant and they share a common C2 domain.
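To show how the two diamond models pivot against each other, here is an added example (not code from the original post) that records both events' indicators as constructed data, using the values from the tables above, and reports which indicators they share and how far each attempt got. The narrative's statement that both emails carried the same X-Mailer is recorded for the first event too, and the Kill Chain stage names are normalised to their short forms.

```python
from collections import defaultdict
from typing import NamedTuple

class Indicator(NamedTuple):
    kind: str    # what was observed (sender IP, attachment, ...)
    value: str
    stage: str   # Kill Chain stage, normalised to the short names
    vertex: str  # Diamond Model vertex

# Constructed from the two tables above. The narrative says both emails carried
# the same X-Mailer, so it is recorded for the first event as well.
EVENT_1 = [
    Indicator("sender_ip", "192.0.2.42", "Delivery", "Infrastructure"),
    Indicator("x_mailer", "enom1856", "Delivery", "Capability"),
    Indicator("attachment", "runme.exe", "Exploit/Install", "Capability"),
    Indicator("beacon", "GET /callhome.php", "C2", "Capability"),
    Indicator("c2_domain", "acme.example.net", "C2", "Infrastructure"),
    Indicator("c2_ip", "190.0.2.101", "C2", "Infrastructure"),
]
EVENT_2 = [
    Indicator("sender_ip", "2001:0DB8:1de:ad00::1", "Delivery", "Infrastructure"),
    Indicator("x_mailer", "enom1856", "Delivery", "Capability"),
    Indicator("attachment", "update.pdf.exe", "Exploit/Install", "Capability"),
    Indicator("beacon", "GET /callhome.php", "C2", "Capability"),
    Indicator("beacon", "POST /callhome.php", "Act on Objectives", "Capability"),
    Indicator("c2_domain", "acme.example.net", "C2", "Infrastructure"),
    Indicator("c2_ip", "198.51.100.5", "C2", "Infrastructure"),
    Indicator("c2_ip", "2001:0DB8:1d3:ad00::5", "C2", "Infrastructure"),
    Indicator("exfil_ip", "198.51.100.6", "Act on Objectives", "Infrastructure"),
]
KILL_CHAIN = ("Delivery", "Exploit/Install", "C2", "Act on Objectives")

def shared_indicators(a, b):
    """Indicators in both events, grouped by Diamond vertex: the pivots that tie them."""
    in_a = {(i.kind, i.value) for i in a}
    out = defaultdict(set)
    for i in b:
        if (i.kind, i.value) in in_a:
            out[i.vertex].add(i.value)
    return dict(out)

def furthest_stage(event):
    """How far down the Kill Chain the event progressed."""
    return max((i.stage for i in event), key=KILL_CHAIN.index)

def events_with(events, kind, value):
    """Names of the events that contain one indicator (a pivot on a single IoC)."""
    return [name for name, ev in events.items()
            if any(i.kind == kind and i.value == value for i in ev)]
```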

What have we learned so far?

  1. The attacker is persistent – they have made multiple attempts and keep changing their approach until they achieve success;
  2. They have only used one tool so far – every attack has used the same approach with the same implant;
  3. The e-learning package on spotting phishing attacks isn’t working;
  4. The attacker has exfiltrated a large volume of data already; and,
  5. The domain registration information for example.net may provide us with further information.

We can infer a number of things from this too:

  1. The attacker has done their research – while it is quite public that Frank Smith has just taken the Head of Finance position, Bob’s existence as PA to the Director of IT isn’t (you think);
  2. They are after information that the firm has – the FTP upload demonstrates that;
  3. There is a human driving this – the implant was beaconing for hours before the activity changed, it was then some time before exfiltration started;
  4. The attacker works office hours (most do), so 05:20 for us is likely between 09:00 and 17:30 for the attacker – and probably between 09:00 and 14:30 given that the activity was ongoing when you pulled the plug at 08:30; and,
  5. They may be relatively unsophisticated – they’re emailing executables – however it may just be that they aren’t risking their better quality tools until they know this won’t work.

There are a number of potential red herrings:

  1. The geo-location data for the C2 nodes – there is no reason to assume that the attackers are using local (to them) infrastructure, and indeed many use nodes that are local to the victim;
  2. Domain registration information can be faked, the DNS for a legitimate domain can be hacked and web sites can be compromised; and,
  3. Email headers are trivial to fake – the only ones you can trust are those your own mail server (or that of your mail provider) adds.
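As an added example (not from the original post) of the last point, this walks the Received headers of a constructed message and keeps only the hops our own mail server wrote, stopping at the first hop that was not. The mail host names in OUR_MTAS, the peer hostnames and the timestamps are assumptions; the real sender IP is the documentation-range address from the first table.

```python
import email
import re

# Hosts we operate (assumption). A Received line claiming to be written "by"
# anything else arrived inside the message and was chosen by the sender.
OUR_MTAS = {"mx1.ourfirm.example"}

# Constructed sample. Header order is newest first: the top Received line is
# ours; the two below it were already in the message when it reached us, and
# the lowest one even names our MX to look trustworthy.
RAW = b"""\
Received: from mail.acme.example.net (mail.acme.example.net [192.0.2.42])
\tby mx1.ourfirm.example with ESMTP id 4242; Mon, 1 Jan 2024 05:20:00 +0000
Received: from trusted-bank.example (trusted-bank.example [203.0.113.9])
\tby mail.acme.example.net with ESMTP; Mon, 1 Jan 2024 05:19:00 +0000
Received: from partner.example (partner.example [203.0.113.77])
\tby mx1.ourfirm.example with ESMTP; Mon, 1 Jan 2024 05:18:00 +0000
X-Mailer: enom1856
From: accounts@example.net
Subject: Updated invoice

see attachment
"""

RECEIVED = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", re.S)

def split_received(raw, our_mtas=OUR_MTAS):
    """Return (sender_ip, trusted_hops, untrusted_hops).

    Hops are walked from the top. The first hop not written by one of our MTAs
    marks the trust boundary; everything below it is untrusted even when it
    claims our hostname, because the sender could have written it."""
    msg = email.message_from_bytes(raw)
    trusted, untrusted, crossed = [], [], False
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(value)
        hop = m.groups() if m else (None, None, None)   # (from, ip, by)
        if crossed or m is None or hop[2].lower() not in our_mtas:
            crossed = True
            untrusted.append(hop)
        else:
            trusted.append(hop)
    # The lowest trusted hop is the one our edge MX recorded; its "from" IP is
    # the peer that really connected to us and the only sender IP worth pivoting on.
    sender_ip = trusted[-1][1] if trusted else None
    return sender_ip, trusted, untrusted
```

The forged lines would otherwise point the investigation at two addresses that never touched the network.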

Day Eight

Having had the weekend to think things over, you start dropping the various items of information into search engines and malware search sites.

As you find reports from others you fill out further diamond models. Patterns will start developing as you see the range of capability, infrastructure and targets. This will enable you to start building that vital threat intelligence. How does this group operate? How sophisticated are they? Do they have any known links to other groups or organisations? All of this, and more, will help you identify the risks to your organisation and help identify the steps you can take to reduce those risks.

Outcome A

In this case the collective knowledge identifies this as BASILISK GAZE, a relatively new and immature group operating in the UTC+06:00 timezone. The targets have all been in the energy sector, or supporting sectors.

The attack method is always an attachment in email and so far they only send executables. Only 2 implants have been observed, the other being Poison Ivy with the default password. All observed exfiltration has been over FTP to an IP in the netblock 198.51.100.0/24.

Outcome B

In this case the collective knowledge identifies this as NIGHTMARE GREEN, a relatively sophisticated group operating in the UTC+04:00 timezone. Targets are highly diverse relating primarily to the energy sector and law firms – plus supporting sectors. Some victims have reported finding compromises that have been active for more than a year with unknown volumes of data stolen.

The attacks seem to start with low quality social engineering emails and executable attachments, moving up through higher quality emails with exploits against a range of PDF and Office programs. Lately there have been indications of the use of watering hole attacks. As yet the group has not been observed using any zero day vulnerabilities.

Implant quality is also varied, from the relatively unsophisticated HTTP implant up to versions with HTTPS, UDP and ICMP capabilities. Newer versions that use TOR have been observed in the last few weeks. Exfiltration methods also vary, with FTP, HTTP and UDP observed. The attackers regularly use legitimate remote access methods after the initial compromise, removing all traces of their implant.

Going forwards

One of those two outcomes will give you a warm feeling that you can remain on top of the threat with relatively little effort. The other, well, resisting it will clearly be harder. Either way, with intelligence on the threat you can make significantly more effective plans to tackle the associated risks.
