False Flags in Cyber Threat Intelligence Operations

Like “fake news” also in the security world there is the risk of “false flags”. There are tons of information in the form of paid and OSINT (Open Source Intelligence) feeds that enrich and add value to any indicators used to protect the networks. It is relatively easy to inject fake IOC (Indictors of Compromise) and the reasons why adversaries want to run false flags through global CTI (Cyber Threat Intelligence) operations can be:

• Geopolitical issues of ruining the opposition’s reputation
• Providing higher “credibility” for decoy attacks indicators for defenders to waste time on
• Overwhelming CTI infrastructure feeds and IOC’s for analysis paralysis effect

CTI adversary injection is possible and could have major impacts on the victim depending on specific timing and scale of the injection. As demonstrated in https://medium.com/@dw.chow/false-flags-in-cyber-threat-intelligence-operations-6893af697080, the researcher created sample malware of varying types including binaries, scripts, and other general payload and performed Robot Process Automation uploads to VirusTotal, rotating browser fingerprints and VPN/Proxy IP services to mask the origin. In under 15 sample submissions he was able to get the victim’s domain blacklisted for a period of 48–72 hours. Over time the domain was whitelisted but even to this day there’s still 2 vendors that blacklist the victim’s domain simply because of previous malware file associated detection. This slow rate of decay, especially if no action is taken, can have a large impact and this can be more permanent in Machine Learning models if threat intelligence is a primary source of data ingestion.

On What to focus to deter false flags in threat intelligence?

• Focus on TTPs (Tactics, Techniques, and Procedures) rather than atomic indicators as hashes, domains, IP’s, strings, etc, that can easily be spoofed.
• Successfully identifying the family of malware or campaign activities already tied to an APT from well trusted sources (Rapid7, Palo Alto, Verizon, FireEye, etc.) really help
• Leverage proper use and overlay of the MITRE ATT&CK framework, CTI Diamond Model
• Correlate geopolitical events timing to establish a list of likely and unlikely adversaries or groups based on TTP known campaign verticals.
• Evaluate any malware samples with different levels of inspection and confidence depending on things such as their last known campaign targets and infrastructure origins.

What we want to achieve in Concordia

CONCORDIA selected the opensource MISP (https://www.misp-project.org/) solution as the “platform” for the European Threat Intelligence. The MISP platform, among its features, is based on a modular architecture supporting distributed instances (e.g. one per Concordia partners) interconnected and able to share threat intelligence information in a controlled fashion. Inside CONCORDIA, Task2.1 is dedicated to the Telco Pilots and aims to demonstrate how the usage of the Threat Intelligence is key to effectively protect the cyberspace and enhance the security of both the Telco infrastructure and its customers. The objective of this pilot is to face the emerging industrial (Telco) security challenges and address the requirements emerged from direct experience gained during real security operations. In particular one use case, led by Telecom Italia, is strongly based on the Threat Intelligence Platform (TIP) the Concordia project is building, and foresees not only the sharing of CTI information, but also the integration of automatic and semi-automatic mechanisms to increase the validation and prioritization of CTI collected, through a collaborative enrichment and data analysis process . The final goal is to identify the most relevant and up to date CTI information in the form of contextualized events, their corresponding indicators of compromise together with information on malware and threats using them, and, possibly, on the tactics, techniques, and procedures (TTPs) used by threat actors.

Threat Intelligence information includes different types of IoCs that can be consumed by various security systems such as firewall, proxies and other security tools.

Assessing the reliability and timeliness of IoCs is a need for their consumers and providing an appropriate level of contextualization is a requirement for assigning a priority based on the risk they represent for the different scenarios where they are consumed and at the same time detect the false positive.

To sum up, within the telco pilot in CONCORDIA, one use case is actually focalized to define additional mechanisms for the Threat Intelligence to assess the quality, reliability and freshness of time sensitive indicators, thus achieving a sort of prioritization of the IoC and the automatic elimination of the “false flags”.

Moreover, as a companion features, it is important to both contextualize and enrich large volumes of events and IoCs to the specific environment of usage (eg. Telco, finance, etc.).

Conclusion

The Telco Pilot(s) have been designed to take maximum advantage of the CONCORDIA resources emerging from both the Vertical industry needs and experiences and the Academia researches and know-how about emerging technologies and algorithms that are revolving around A.I., Data Analytics, machine learning, etc. The objective is to face the emerging industrial security challenges and address the requirements emerged from direct experience gained during real security operations.

The above “research topics” have been shared and discussed with the Academia partners of the CONCORDIA Consortium and specific ad hoc events have been organized in order to let industry and research people meet and discuss and finally to find “smart” (e.g. AI/ML) solutions to the challenges encountered directly in the field.

(By Telecom Italia (TIM))