Finding sophisticated threat actors on a shoestring
Posted on August 28, 2018
4 min read
Finding well-resourced and sophisticated threat actors doesn’t have to cost the earth thanks to a suite of free and highly-capable tools, a former Pentagon threat expert says.
Defensive security professionals and law enforcement agencies around the world use the tools to passively monitor bad actors operating on the internet.
The free-of-charge toolsets mean cash-strapped security analysts can protect their corporate networks by tracking in detail active sophisticated threat actors, their campaigns, and infrastructure.
These are entirely passive so-called ‘threat hunting’ toolsets, and do not utilise any active defence (hack-back) functionality.
Use of the tools can help security defenders to learn if their organisation’s sector or region is being targeted by bad actor groups. That information can then be used to harden the organisation against the known methods bad actors are using as part of their attacks.
Sophisticated bad actors target a wide range of victims depending on their operational mission and resources, including critical infrastructure, enterprises, to very small businesses.
Targeting depends on the mission and motivation of the group. Bad actors of all stripes will target businesses in a bid to steal intellectual property and customer and financial data, or to hijack infrastructure. Critical infrastructure by contrast is a target of typically politically-motivated actors.
“What would I do if I was a state actor and wanted to target the FBI? You’d say [in a phishing email] ‘here’s the truth of Comey’,” he says.
This victim-targeting can shift rapidly. Martin Hart (not his real name) demonstrated during Telstra’s Defend threat intelligence industry confab in Melbourne how some sophisticated actors pivoted within a matter of days from targeting governments in regional flashpoints to private sector firms for monetary gain.
“Not everyone has a lot of money to spend,” Hart told delegates at Defend.
“These tools will allow you to track bad guys all over the world, even if they are switching infrastructure all the time.
“No one tool will do all that for you.”
Taken together the tool suite allows security researchers to be alerted rapidly to the creation of homoglyph and masquerading domains (such as g00gle.com imitating google.com) and to understand quickly the shifting priorities of well-resourced adversaries.
Hart ran threat hunting experts through a series of examples of how he and his team had applied the tool suite.
He had set up DomainTools brand monitoring for ‘Comey’ following the dismissal of then FBI director James Comey in May last year.
This free check found dozens of domains including comeyismyhomey, comeyyourfired, and comey2024 established within hours of news of the dismissal.
“What would I do if I was a state actor and wanted to target the FBI? You’d say [in a phishing email] ‘here’s the truth of Comey’ and send it to the FBI – you know how many people would click on that? Lots,” Hart says.
In another example, Hart found the Fancy Bear (APT28) bad actor group had established watering holes and masqueraded domains (evronaval.fr) targeting the Euronaval annual defence conference in France. Threat researchers allege Fancy Bear is a CNE (computer network exploitation) arm of Russian intelligence with previous operations targeting the 2016 Democratic National Committee, the World Anti-Doping Agency, and German Parliament.
Threat hunting using these tools can be noisy, however, as it captures legitimate and malicious actors that establish domains and Facebook sites to attract visitors.
Some 1000 domains are generated each day for the 50 keywords, or brands, Hart monitors.
“We equate this to digging for gold,” Hart says.
He recommends threat hunters enrich their data by using free tools to check netblocks, SSL certificates, registrant information, and IP address data among other data types.
Threat actor hunters intending to crawl through registrant information after May 2018 may face trouble thanks to Europe’s General Data Protection Regulation. The new laws could depending on how it is implemented could see registrars follow GoDaddy’s footsteps and remove bulk searching of WHOIS site registrant data. As yet organisations along with the Internet Corporation for Assigned Names and Numbers have not announced final changes.
“The good news is that registrant alerts are just one technique that we use,” Hart says.