We needed a way to systematically characterize organized threats, consistently track them as they evolve, sort one from another, and then figure out ways to counter them. This does not just apply to APT activity.
Meta-features are very important for describing the relationships between events, especially in activity threads (incidents). The model accepts unknowns and uncertainty: uncertainty is represented as knowledge gaps, and pivoting provides a way to discover unknowns. Uncertainty is expressed through a confidence rating on each edge and on each meta-feature within the event. The resulting knowledge gaps can then be addressed with hypothesis generation, to attempt to fill the gaps, or with activity groupings that cluster similar activity so that inferences can be made.
Live TC demo as I move through the pivots… The Diamond Model provides a powerful framework for analytic pivoting in the course of analysis. It is typically the first, and one of the most powerful, applications analysts will use; it is actually how the Diamond was discovered. Adversaries can be tracked as they change or evolve their infrastructure and capabilities if at least one node of their grouped/clustered set of associated nodes (or associated methodologies/sub-graphs) In this pivoting scenario the Diamond shown should be seen as a sort of "Hyper-Diamond": it is a set of grouped events (an Activity Group) rather than a single event, for simplification.
Understanding the Social-Political axis can allow you to predict attack targets and motivations. It can also allow you to make yourself a less attractive target.
Purple lines represent arcs correlating similar or identical nodes across activity threads/events (horizontal correlation). Blue lines are directed edges representing the sequenced, causal relationship between events in an activity thread (vertical correlation). Incident 2 has some unknowns and allows for hypothesis creation. Hypothesis generation and testing:
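As an added illustration (not code from the talk or from the Diamond Model paper), here is a small Python model of the pieces described above: events carrying a confidence per feature, `gaps()` exposing knowledge gaps, `pivot()` for analytic pivoting on a shared node, `horizontal_correlation()` for the purple arcs across threads, `vertical_chain()` for the blue causal arcs inside one thread, and `hypothesize()` which proposes a value for the unknown adversary in Incident 2 from a correlated event. All event names, indicators (TEST-NET addresses, `.test` hostnames) and confidence values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A feature value paired with the analyst's confidence in it (0.0 to 1.0).
# None as the value is an explicit knowledge gap.
Feature = Tuple[Optional[str], float]


@dataclass
class Event:
    event_id: str
    thread: str                      # activity thread (incident) the event belongs to
    phase: str                       # kill chain phase, itself a meta-feature
    features: Dict[str, Feature]     # adversary / capability / infrastructure / victim
    meta: Dict[str, Feature] = field(default_factory=dict)  # other meta-features

    def gaps(self, threshold: float = 0.5) -> List[str]:
        """Knowledge gaps: features that are unknown or below the confidence threshold."""
        everything = {**self.features, **self.meta}
        return [name for name, (value, conf) in everything.items()
                if value is None or conf < threshold]


def pivot(events: List[Event], feature: str, value: str) -> List[Event]:
    """Analytic pivot: every event sharing one feature value, e.g. a C2 address."""
    return [e for e in events if e.features.get(feature, (None, 0.0))[0] == value]


def horizontal_correlation(events: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """Purple arcs: identical feature values that show up in more than one thread."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for e in events:
        for name, (value, _conf) in e.features.items():
            if value is not None:
                seen.setdefault((name, value), set()).add(e.thread)
    return {key: threads for key, threads in seen.items() if len(threads) > 1}


def vertical_chain(events: List[Event], causal: List[Tuple[str, str]], thread: str) -> List[str]:
    """Blue arcs: follow the causal edges inside one thread from its root event onward."""
    ids = {e.event_id for e in events if e.thread == thread}
    nxt = {src: dst for src, dst in causal if src in ids and dst in ids}
    roots = ids - set(nxt.values())
    chain: List[str] = []
    cur: Optional[str] = min(roots) if roots else None
    while cur is not None and cur not in chain:       # the visited check stops on a cycle
        chain.append(cur)
        cur = nxt.get(cur)
    return chain


def hypothesize(events: List[Event], target: Event) -> Dict[str, Tuple[str, float]]:
    """Propose a value for each core-feature gap of `target` by pivoting on its known features.

    A proposal's confidence is the shared feature's confidence times the borrowed value's
    confidence; it is a hypothesis to test against new data, not a confirmed fact.
    """
    proposals: Dict[str, Tuple[str, float]] = {}
    for gap in target.gaps():
        if gap not in target.features:
            continue
        for name, (value, conf) in target.features.items():
            if name == gap or value is None:
                continue
            for other in pivot(events, name, value):
                if other.thread == target.thread:
                    continue
                cand, cand_conf = other.features.get(gap, (None, 0.0))
                score = conf * cand_conf
                if cand is not None and score > proposals.get(gap, ("", 0.0))[1]:
                    proposals[gap] = (cand, score)
    return proposals


# Constructed sample data: two incidents that share a C2 address (TEST-NET-3 range).
EVENTS = [
    Event("inc1-e1", "incident-1", "delivery",
          {"adversary": ("GROUP-A", 0.9), "capability": ("lure.doc", 0.9),
           "infrastructure": ("mail.example.test", 0.8), "victim": ("hr@victim.test", 1.0)}),
    Event("inc1-e2", "incident-1", "c2",
          {"adversary": ("GROUP-A", 0.9), "capability": ("rat-v1", 0.8),
           "infrastructure": ("203.0.113.7", 0.9), "victim": ("hr-ws-01", 1.0)}),
    Event("inc2-e1", "incident-2", "c2",
          {"adversary": (None, 0.0), "capability": ("rat-v2", 0.6),
           "infrastructure": ("203.0.113.7", 0.9), "victim": ("fin-ws-04", 1.0)}),
]
CAUSAL = [("inc1-e1", "inc1-e2")]   # delivery led to C2 in incident 1

if __name__ == "__main__":
    print("pivot on C2:", [e.event_id for e in pivot(EVENTS, "infrastructure", "203.0.113.7")])
    print("horizontal:", horizontal_correlation(EVENTS))
    print("vertical incident-1:", vertical_chain(EVENTS, CAUSAL, "incident-1"))
    print("incident-2 gaps:", EVENTS[2].gaps())
    print("hypotheses:", hypothesize(EVENTS, EVENTS[2]))
```

The pivot on the shared C2 address is the horizontal correlation between the two incidents; the hypothesis it yields ("the unknown adversary in Incident 2 is GROUP-A", confidence 0.81) is what the analyst then goes and tests, and the event keeps its gap until that test succeeds.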
Don't stick on this slide too long, other than to point out that there are really cool things you can do with machine learning or automated actions based on rules that fire on indicators grouped in a given activity group. This is like Amazon, except with defensive action instead of shopping: your APT gets a custom experience with your defenses based on your knowledge of their past behavior.
Feature selection is still as much an informed art as it is a science, which is why experience is valuable and data scientists get paid so much. You will go down rabbit holes; learn from it and crawl back out. Intrusion Set Quiz: If I say there is a group that tends to be the first observed in the wild with the latest 0-day, drops PI, shifts to Hydraq/9002 once they gain access, moves laterally to target network admin types and then shifts to logging in legitimately via stolen VPN creds to conduct actions on objectives, what group am I talking about? If I say there is a group who appears to originate out of Shanghai and uses a variety of base64/mod-base64 encoded C2 messages on third-party websites, who am I talking about? Some more…
These look familiar, right?
A single activity thread, the set of activity threads from an activity group, or, most comprehensively, an activity-attack graph can be used to populate the Kill Chain course-of-action (CoA) matrix. Activity groups with known capabilities and infrastructure better represent the limits of those capabilities for CoA consideration. The entries can also be weighted by how often the adversary has been observed to favor a given capability or piece of infrastructure for the same purpose.
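As an added example (not code from the talk), the Python below populates a kill chain by course-of-action matrix from an activity group. Each observed behaviour is paired with a CoA that would counter it, and the CoA is weighted by the share of the group's activity threads in which that behaviour appeared, so the adversary's habits rank above one-off tradecraft. The phases, action types, incidents and indicators are constructed placeholders; `203.0.113.7` is a TEST-NET address.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Kill chain phases (rows) and course-of-action types (columns) of the matrix.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "c2", "actions_on_objectives"]
ACTIONS = ["discover", "detect", "deny", "disrupt", "degrade", "deceive", "destroy"]

# One row per event in the activity group that a course of action could address:
# (activity thread, kill chain phase, observed indicator, course of action, action type).
# Constructed data; the indicators are placeholders, not real observations.
Observation = Tuple[str, str, str, str, str]
ACTIVITY_GROUP: List[Observation] = [
    ("incident-1", "delivery",     "mail.example.test", "block sender domain at the gateway", "deny"),
    ("incident-1", "exploitation", "lure.doc macro",    "disable Office macros from the internet", "deny"),
    ("incident-1", "c2",           "203.0.113.7",       "sinkhole C2 address", "disrupt"),
    ("incident-2", "c2",           "203.0.113.7",       "sinkhole C2 address", "disrupt"),
    ("incident-2", "c2",           "203.0.113.7",       "alert on periodic beacon to address", "detect"),
    ("incident-3", "exploitation", "lure.doc macro",    "disable Office macros from the internet", "deny"),
    ("incident-3", "installation", "scheduled task",    "alert on new scheduled task", "detect"),
]

Matrix = Dict[str, Dict[str, List[Tuple[str, float]]]]


def build_coa_matrix(group: List[Observation]) -> Matrix:
    """Fill the phase x action matrix; each CoA is weighted by the share of threads
    in which the adversary used the behaviour it counters."""
    threads: Set[str] = {thread for thread, *_ in group}
    hits: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for thread, phase, _indicator, coa, action in group:
        if phase not in PHASES or action not in ACTIONS:
            raise ValueError(f"unknown phase/action: {phase}/{action}")
        hits[(phase, action, coa)].add(thread)
    matrix: Matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for (phase, action, coa), seen_in in hits.items():
        matrix[phase][action].append((coa, len(seen_in) / len(threads)))
    for row in matrix.values():
        for cell in row.values():
            cell.sort(key=lambda item: item[1], reverse=True)   # favoured behaviours first
    return matrix


def uncovered_phases(matrix: Matrix) -> List[str]:
    """Phases with no candidate CoA at all: gaps in both visibility and response."""
    return [p for p in PHASES if not any(matrix[p].values())]


def ranked_actions(matrix: Matrix, min_weight: float = 0.5) -> List[Tuple[str, str, str, float]]:
    """Flatten the matrix to (phase, action, coa, weight), strongest first, dropping
    behaviours seen in fewer than min_weight of the threads."""
    flat = [(p, a, coa, w) for p in PHASES for a in ACTIONS for coa, w in matrix[p][a] if w >= min_weight]
    return sorted(flat, key=lambda item: item[3], reverse=True)


def render(matrix: Matrix) -> str:
    """Plain-text view of the matrix: number of weighted CoAs per cell."""
    width = max(len(p) for p in PHASES)
    lines = [" " * width + " " + " ".join(f"{a[:7]:>7}" for a in ACTIONS)]
    for p in PHASES:
        lines.append(f"{p:<{width}} " + " ".join(f"{len(matrix[p][a]):>7}" for a in ACTIONS))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_coa_matrix(ACTIVITY_GROUP)
    print(render(m))
    print("uncovered:", uncovered_phases(m))
    for item in ranked_actions(m):
        print(item)
```

With the constructed group, the macro-based exploitation and the shared C2 address each appear in two of three incidents, so "disable Office macros" and "sinkhole C2 address" come out on top, while reconnaissance, weaponization and actions on objectives have no CoA at all, which is the visibility gap to take back to collection.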