Cyber threats are evolving so rapidly that they now require constant monitoring. Attacks observed during the first quarter of 2019 make it clear that cybercriminals are not only increasing the sophistication of their methods and tools, but that they are also diversifying. Recent attacks use a wide range of strategies, ranging from targeted ransomware and custom coding to living-off-the-land (LoTL) techniques that exploit pre-installed tools to move laterally and stealthily across a network in order to launch or extend an attack.
Another interesting trend is that threat actors are increasingly leveraging existing malware components, such as those offered on Dark Web sites either as open code or as Malware as a Service (MaaS). We are also learning that many attacks leverage common infrastructures, such as domains from which they launch attacks or run C2 services. For instance, nearly 60% of threats shared at least one domain from a handful of web service providers, indicating the majority of botnets not only leverage established infrastructure for distribution, but gravitate towards the same resources.
The degree to which different threats share infrastructure shows some valuable trends. Below is a closer look at how malicious actors are sharing infrastructure to maximize their opportunities, taken from the findings of the Global Threat Landscape Report Q1 2019.
IcedID, a banking trojan, is an example of both of these strategies. Researchers from FortiGuard Labs have found that IcedID had previously been distributed by other well-known banking trojan families, such as Emotet and Ursnif. Using this kind of “why buy or build when you can borrow” approach, malware families that are distributed by others (usually for a fee) can increase their spread potential. Second, like many other attacks, IcedID leverages public infrastructure for distribution and control rather than using a unique or dedicated infrastructure.
There are a number of possible motives for these behaviors. For example, MaaS allows IcedID developers to perform their own cybercrime operations while also profiting by providing distributed services to their kin. Adding multiple attacks to malware through a MaaS subscription service allows a subscriber to increase their chances of stealing valuable information by overwhelming their victims with multiple malware exploits.
Recently, FortiGuard Labs caught one of Trickbot’s C2 (Command and Control) servers sending commands to its victims that instructed its bots to download what turned out to be an updated variant of the IcedID banking trojan. Later, it was reported that IcedID was seen downloading Trickbot. So, perhaps they decided it was time to return the favor.
Leveraging common infrastructures indicates that threat actors are reusing information about reliable resources that can be safely used. In the competitive marketplace of the cybercrime ecosystem, the bad guys need to ensure that their services are as good as, if not better than, the others, and one key feature of any malicious service is stability. Cybercriminals need to use an infrastructure that not only supports the service, but that is always there, or “Always-On.”
Interestingly, one discovery showed that for those threats that share infrastructure, the tendency is to do so within the same stage in the kill chain. For example, it is unusual for a threat to leverage one domain for exploitation and then later leverage it for C2 traffic. This suggests infrastructure plays a particular role or function when used for malicious campaigns, even if it’s just for obfuscation. Understanding what threats share a common infrastructure, and at what points of the attack chain these resources are utilized, enables organizations to predict potential evolutionary points for malware or botnets in the future.
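The analysis described above, which families share a domain and whether they share it within the same kill-chain stage, is straightforward to run over a sightings table. The following is an added example written for this page, not code or data from FortiGuard Labs or the report: the family names, domains and stage labels are constructed placeholders, and the functions and thresholds are assumptions made here.

```python
"""Added example: finding shared infrastructure across malware families and
checking whether the sharing stays within one kill-chain stage.

All sightings below are constructed placeholders, not observations from the
report. Each row is (malware family, domain, kill-chain stage).
"""
from collections import defaultdict
from itertools import combinations

SIGHTINGS = [
    ("family-a", "cdn.example.net", "delivery"),
    ("family-b", "cdn.example.net", "delivery"),
    ("family-c", "cdn.example.net", "delivery"),
    ("family-a", "c2.example.org", "c2"),
    ("family-d", "c2.example.org", "c2"),
    ("family-d", "cdn.example.net", "c2"),      # same domain, different stage
    ("family-e", "unique.example.com", "c2"),   # dedicated, not shared
]


def index_by_domain(sightings):
    """Map domain -> {stage -> set of families seen using it at that stage}."""
    idx = defaultdict(lambda: defaultdict(set))
    for family, domain, stage in sightings:
        idx[domain][stage].add(family)
    return idx


def shared_domains(sightings, min_families=2):
    """Domains used by at least `min_families` distinct families, at any stage."""
    idx = index_by_domain(sightings)
    shared = {}
    for domain, stages in idx.items():
        families = set().union(*stages.values())
        if len(families) >= min_families:
            shared[domain] = families
    return shared


def sharing_pairs(sightings):
    """For every pair of families that share a domain, record whether the
    sharing happened at the same kill-chain stage, at different stages, or both."""
    idx = index_by_domain(sightings)
    pairs = defaultdict(set)  # (family_x, family_y) -> {"same-stage", "cross-stage"}
    for stages in idx.values():
        usage = [(stage, fam) for stage, fams in stages.items() for fam in fams]
        for (s1, f1), (s2, f2) in combinations(usage, 2):
            if f1 == f2:
                continue  # same family at two stages is not sharing
            key = tuple(sorted((f1, f2)))
            pairs[key].add("same-stage" if s1 == s2 else "cross-stage")
    return dict(pairs)


def share_ratio(sightings):
    """Fraction of families that use at least one domain another family also uses
    (the kind of figure the report quotes as 'nearly 60%')."""
    families = {f for f, _, _ in sightings}
    sharing = {f for fams in shared_domains(sightings).values() for f in fams}
    return len(sharing) / len(families)


def stage_consistency(sightings):
    """Return (pairs sharing only within one stage, total sharing pairs)."""
    pairs = sharing_pairs(sightings)
    same_only = sum(1 for kinds in pairs.values() if "cross-stage" not in kinds)
    return same_only, len(pairs)


if __name__ == "__main__":
    print("shared domains:", shared_domains(SIGHTINGS))
    print("share ratio:", share_ratio(SIGHTINGS))
    print("same-stage-only pairs / total:", stage_consistency(SIGHTINGS))
```

On the constructed data, four of five families touch a shared domain, and three of the six sharing pairs share only within one stage; family-d is the outlier that reuses a delivery domain for C2, which is exactly the kind of cross-stage reuse the text says is unusual and therefore worth a closer look.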
Sharing Threat Intelligence
With threats constantly evolving—and now sharing both code and infrastructure—information sharing among organizations becomes one of the most critical elements of any security strategy. Without it, security can only be seen through a broad lens where literally anything is possible. Being able to analyze the device or network you are trying to protect against a set of threats that are known to be currently active is invaluable in pitting the right resources and countermeasures against the appropriate target.
To achieve this, organizations need to access a variety of threat intelligence sources and leverage them properly for cybersecurity. These include:
- Intelligence collected from distributed systems and devices – As networks expand, they create new opportunities for threats to infiltrate your network. However, because different network environments, such as virtual networks or public cloud environments, usually run separate (and often isolated) networking and security tools, it is essential that you set up a process to centrally collect and correlate these different intelligence threads.
- Intelligence shared among peers – Several industry groups share threat intelligence, including ISACs (Information Sharing and Analysis Centers) and ISAOs (Information Sharing and Analysis Organizations). These organizations share threat intelligence between organizations in the same market sector, vertical industry, or geographic region. This intelligence is especially helpful for zeroing in on trends and threats that are impacting your peers—and therefore more likely to affect you as well.
- Intelligence protocols – To make security intelligence effective, organizations need to have tools in place that can work with common intelligence sharing protocols. STIX and TAXII are two of the most common backbones used to deliver threat intelligence feeds. STIX can be used for both raw and custom feeds, with TAXII functioning as the transport layer. MISP is another protocol, developed by NATO, which handles both the intelligence and transport with a single open source solution.
- Intelligence distributed among security vendors – As a founding member of the Cyber Threat Alliance, or CTA, Fortinet shares its intelligence, human expertise, and playbooks with other members in order to raise the bar for security across the entire cybersecurity industry. While such a cooperative endeavor may seem counter-intuitive, it is a testament to the importance of sharing threat intelligence. These organizations understand that the opportunity to reduce the number of threats that put everyone at risk is more valuable than whatever advantage keeping this data to themselves might provide.
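To make the STIX/TAXII point concrete, here is an added example (written for this page, not Fortinet, OASIS or CTA code) that produces a STIX 2.1 Indicator for a domain and then consumes a bundle of such indicators the way a receiving organization would, turning them into a blocklist filtered by kill-chain phase. It uses only the Python standard library rather than the `stix2` package; the domain values, descriptions and the `make_domain_indicator`/`extract_domains` helpers are assumptions made here. Only the STIX object shape (the `type`, `spec_version`, `id`, `pattern`, `pattern_type`, `valid_from` and `kill_chain_phases` fields) follows the STIX 2.1 specification.

```python
"""Added example: building and consuming STIX 2.1 domain-name indicators with
the standard library only. Domain values are constructed placeholders."""
import json
import re
import uuid
from datetime import datetime, timezone

# A STIX comparison expression on a domain-name observable, e.g.
# [domain-name:value = 'c2.example.org']. This regex handles the single-term
# form used below; full STIX pattern grammar (AND/OR, timing) is not parsed.
STIX_DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)


def _stix_timestamp():
    """STIX 2.1 timestamps are RFC 3339, UTC, with millisecond precision."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_domain_indicator(domain, description, phase_name):
    """Return a STIX 2.1 Indicator SDO that matches a single domain name.

    phase_name uses the Lockheed Martin kill-chain vocabulary STIX ships with
    (e.g. 'delivery', 'command-and-control')."""
    if not HOSTNAME_RE.match(domain):
        raise ValueError(f"not a valid hostname: {domain!r}")
    ts = _stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"Malicious domain: {domain}",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "kill_chain_phases": [
            {"kill_chain_name": "lockheed-martin-cyber-kill-chain",
             "phase_name": phase_name}
        ],
    }


def make_bundle(objects):
    """Wrap STIX objects in a Bundle, the unit a TAXII collection returns."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def to_json(bundle):
    """Serialize a bundle as it would travel over TAXII (JSON)."""
    return json.dumps(bundle)


def extract_domains(bundle, phase=None):
    """Consume a bundle (dict or JSON string) and return a sorted blocklist of
    domain names from STIX-pattern indicators, optionally restricted to those
    tagged with a given kill-chain phase. Other object types are ignored."""
    if isinstance(bundle, str):
        bundle = json.loads(bundle)
    found = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if phase is not None:
            phases = {p.get("phase_name") for p in obj.get("kill_chain_phases", [])}
            if phase not in phases:
                continue
        for match in STIX_DOMAIN_RE.finditer(obj.get("pattern", "")):
            found.add(match.group(1).lower())  # hostnames are case-insensitive
    return sorted(found)


if __name__ == "__main__":
    # Constructed indicators; not IoCs from the report.
    bundle = make_bundle([
        make_domain_indicator("c2.example.org", "constructed C2 domain", "command-and-control"),
        make_domain_indicator("Cdn.Example.net", "constructed delivery domain", "delivery"),
    ])
    wire = to_json(bundle)
    print("all:", extract_domains(wire))
    print("C2 only:", extract_domains(wire, phase="command-and-control"))
```

Filtering by `kill_chain_phases` is what lets a consumer act on the observation in the previous section: a domain tagged as delivery infrastructure belongs on a web or mail filter, while one tagged as C2 belongs on DNS and egress controls, and a domain that shows up under both phases deserves an analyst's attention.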
Preparing for Tomorrow’s Security
Yesterday, botnets operating independently were bringing down huge swaths of the internet. Today, these threats are sharing common code elements and attack infrastructure. What will tomorrow bring? Improving an organization’s ability to not only properly defend against current threat trends, but also prepare for the evolution and automation of attacks over time, requires threat intelligence that is dynamic, proactive and available throughout the distributed network. The value of—and ability to take action on—threat intelligence is severely diminished if it cannot be made actionable, in real time, across each security device.
Of course, threat intelligence alone isn’t enough. Organizations will also need to deploy integrated security systems that can automatically collect, correlate, share, and respond to threats in a coordinated fashion—even across multiple environments, such as multi-cloud, WAN, and mobile edge. Only a broad, integrated, and automated approach can provide protection for the entire distributed networked environment, from IoT to the edge, and across the core and multi-cloud networks at speed and scale.