Piecing together and presenting malicious cyber campaigns

Published 07 May 2024
Tracking malicious cyber campaigns is difficult and the odds are against you. Here’s how a successful investigation could take shape and why evidence-based assumptions are key.

Remember sprinting around the house playing hide and seek as a kid? After ten minutes of searching you’ve found everyone and it’s on to the next seeker; a quick, easy game. But imagine you didn’t know how many people you were looking for – or even what they looked like – and that there was no limit to where they could hide.

Maybe you find a few people. Great! But the game’s new parameters mean it's impossible to know how well you're doing. So you take a step back and realise that you found everyone in a specific area, and they were all wearing the same outfit. By making use of those patterns, you find six more people.

But what if there are still 100 other people hiding in 30 other locations? While you identified patterns that moved you closer to the end of the game, using them to define the game when there's no way to know its scope would be reckless.

This is what it’s like tracking a complex malicious cyber campaign. The operators of these campaigns are trying their best to stay hidden and are experts in doing so. It’s therefore difficult – if not impossible – to determine the level of visibility you have over a campaign at any stage, and additional visibility could skew your findings. That’s why you should present your findings as assumptions alongside evidence and confidence levels, unless you can prove that what you’ve found is fact.


Opening your investigation

While investigating a malicious cyber campaign, you act much like a detective: gathering clues, analysing patterns, and following leads. Initial clues come in the form of indicators of malicious activity – IP addresses, domains, malware samples, etc. Ideally you want to end up with a complete picture of the campaign and its goals given the evidence and data sources available to you, though this is often more of a dream than reality.

Operators’ personal habits tend to leave distinctive fingerprints in the way they establish their infrastructure, but those habits can change. A campaign’s goal can evolve, and commercial data sources don’t advertise their level of visibility, which is itself subject to change. This is why you should take care when communicating your final view of a malicious campaign.


An IP address, which represents an internet-facing machine, is a great starting point for an investigation. A machine on the internet can present a wealth of information when queried in the right way: open ports, running services and their responses, TLS certificate information, machine location, operating system; the list goes on.

Observing a machine running a web service on port 443 is nothing special – around half of the close to 500 million servers catalogued by one particular source are doing the same thing. However, you can combine this with other attributes, such as a unique word in a TLS certificate and the fact that port 8443 is also open. This can help you to compile a dramatically reduced list of similar machines that are likely being used by the same operator for the same purpose.

After reaching a small list of potential machines based on this pattern, you might think you've reached the end of your analysis. Surely you’ve found all of them being used in the campaign? You probably would have said the same when you found six more people using your pattern while playing hide and seek earlier. However, it’s impossible to determine the visibility of the tools and data services you’ve been using. Who's to say there aren't more machines using the same patterns, or that the operators aren't using multiple different infrastructure patterns?

While you can say with high confidence that you found some additional indicators related to the campaign, you can’t be certain how much of the campaign you have unveiled. Instead you should look to other indicator types and data sources to help assemble the rest of the puzzle.


Widening the search area

Looking at malware samples can help to identify additional infrastructure and understand what existing infrastructure is being used for. Considering IP addresses alone often makes it impossible to discover their true purpose: whether that be command and control, malware delivery, proxying internet traffic, or something else entirely. However, finding and understanding the functionality of malware samples that communicate with that infrastructure can help to fill the knowledge gap, especially when you pivot on that malware, find additional samples, and see that they all exhibit the same functionality.

For example, you may discover an infrastructure pattern used by ten machines. Unfortunately their characteristics don’t betray their use, so you could fall into the trap of assuming these represent some of the more widely discoverable parts of attacker infrastructure, like command and control or delivery servers. However, after analysing some associated malware samples that are used to steal files from a victim machine, you note that the infrastructure is used during the exfiltration process, rather than being used to control the malware.

Though you’ve now uncovered more of the campaign, you still can’t consider your findings exhaustive. Knowing whether the infrastructure has multiple purposes, or if there are more malware samples with different functionality being used in the campaign, is often impossible. So you continue hunting for more pieces of the puzzle.

By continuing to exploit human preferences, you can search for similar malware samples that share encryption/decryption routines, misspellings, programming library choices, and more. This may lead you to samples with different functionality and, in turn, additional infrastructure that presents new patterns.

On top of these two staple indicator categories, infrastructure and malware, there are additional pieces of information that can help to refine and add detail to your investigation. These include lure documents and their content, knowledge of the attacker’s background, who uploaded malware samples online, and many more. Using these details can help you pinpoint, with varying degrees of accuracy, who the operators are targeting, why they are targeting them, how the campaign worked, and how successful they’ve been.

Investigating campaigns is a cyclical process. Continuing to pivot between infrastructure, malware, and other campaign elements until there are no more avenues of investigation will help you paint a progressively better picture of the campaign as a whole.
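The pivot cycle described above, combining the composite infrastructure pattern from the earlier section (443 and 8443 open plus a distinctive certificate word) with malware-to-infrastructure links and shared code traits, as an added example that is not code from the article or from BAE Systems. All scan records, sample names and traits are constructed; the confidence labels and the rule that a finding never outranks the indicator it was pivoted from are assumptions made for the illustration.

```python
# Added example, not code from the article: one pivot cycle between infrastructure
# and malware that keeps the evidence and a confidence level for every finding.
from collections import deque
RANK = {"high": 3, "medium": 2, "low": 1}
# Constructed internet-scan records (not real indicators): IP -> observed attributes.
SCAN = {
    "203.0.113.10": {"ports": {443, 8443}, "cert_cn": "acme-update-portal"},
    "203.0.113.11": {"ports": {443, 8443}, "cert_cn": "acme-update-portal"},
    "192.0.2.77":   {"ports": {443, 8443}, "cert_cn": "acme-update-portal"},
    "198.51.100.9": {"ports": {443, 8443}, "cert_cn": "mail-gateway"},
    "198.51.100.5": {"ports": {443},       "cert_cn": "acme-update-portal"},
}
# Constructed malware metadata: sample -> hosts it contacts and code traits.
SAMPLES = {
    "sample-A": {"contacts": {"203.0.113.10"}, "traits": {"rc4-variant", "typo:recieve"}},
    "sample-B": {"contacts": {"192.0.2.77", "198.51.100.9"}, "traits": {"rc4-variant", "typo:recieve"}},
    "sample-C": {"contacts": {"198.51.100.5"}, "traits": {"aes-cbc"}},
}

def infra_pattern(ip):
    """Composite fingerprint from the text: 443 and 8443 open plus a distinctive cert word."""
    return {443, 8443} <= SCAN[ip]["ports"] and "acme-update" in SCAN[ip]["cert_cn"]
def pivot(seed):
    """Breadth-first pivot from one indicator; each link type carries its own strength."""
    findings = {seed: {"confidence": "high", "evidence": "starting indicator"}}
    queue = deque([seed])
    def record(ind, parent, strength, why):
        if ind in findings:
            return
        conf = min(findings[parent]["confidence"], strength, key=RANK.get)  # never outranks parent
        findings[ind] = {"confidence": conf, "evidence": why}
        queue.append(ind)
    while queue:
        cur = queue.popleft()
        if cur in SCAN:  # infrastructure indicator
            if infra_pattern(cur):
                for ip in SCAN:
                    if ip != cur and infra_pattern(ip):
                        record(ip, cur, "medium", f"same infrastructure pattern as {cur}")
            for s, m in SAMPLES.items():
                if cur in m["contacts"]:
                    record(s, cur, "high", f"communicates with {cur}")
        else:            # malware sample
            for ip in SAMPLES[cur]["contacts"]:
                record(ip, cur, "high", f"contacted by {cur}")
            for s, m in SAMPLES.items():
                shared = m["traits"] & SAMPLES[cur]["traits"]
                if s != cur and shared:
                    record(s, cur, "low", f"shares {sorted(shared)} with {cur}")
    return findings
```

Seeding with 203.0.113.10 reaches six indicators, while 198.51.100.5 and sample-C stay invisible because they use a different port pattern and a different encryption routine, which is the gap the text warns you cannot measure from inside the investigation.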


Presenting your findings

This is one of the most important parts of an investigation – the culmination of all your hard work. However, laying out what you’ve found as a complete picture can be misleading. Instead, a journey should be described. Readers should be brought through the investigation process and shown both the concrete facts and where and why assumptions were made. Where assumptions are presented, the evidence for those claims should be front and centre, with a level of confidence applied.

Ultimately, tracking a malicious cyber campaign being run by an adversary who doesn’t want to get caught is difficult. You can never be sure that you’ve seen the whole picture. But that’s not to say you can’t draw out meaningful, useful context as long as the findings are presented accurately, and the paths to the findings are backed up with evidence.

By looking into as many different sources of information as possible, you can increase your confidence levels without falling into the trap of taking uninformed views based on limited context and presenting those as fact. After all, no-one wants to mislead their audience.


Connor Brasnell

Principal Threat Intelligence Analyst

BAE Systems Digital Intelligence