Using Threat Intelligence
Activity 2.1 Explore the ATT&CK Framework
In this activity I will analyze a threat using the MITRE ATT&CK framework. For this example, I will use the 2019 Capital One Data Breach.
Threat Profile
On July 29 2019, Capital One Bank announced a data breach which affected approximately 100 million individuals in the USA and 6 million in Canada. The personal information of individuals who applied for Credit Cards was exfiltrated in the breach. The vulnerability leading to the incident was stated by Capital One as a specific configuration vulnerability in their infrastructure. This vulnerability was leveraged by an individual to extract info on March 22 to 23 2019. Capital One was made aware of the breach from an anonymous email to their reponsible disclosure program. Data was encrypted at rest, however the perpetrator was able to decrypt some of the data. Data fields such as Social security numbers and account numbers remained encrypted.
The threat actor was determined to be Paige Thompson, a former Amazon Web Services Engineer. Thompson leveraged a misconfiguration in the bank’s ModSecurity Web Application Firewall in order to execute commands on the firewall to exfiltrate the data from Capital One’s Amazon S3 buckets. The misconfiguration of the WAF was key in the exfiltration of the data. Specifically, the WAF was assigned excessive permissions which allowed it to read and list the files in any S3 bucket. The type of vulnerability exploited is a “Server Side Request Forgery” or SSRF. This is attack manipulates a server or in this instance the WAF into running unintended commands. The attack then ran an S3 sync command in order to copy the data to their server. Logs from Capital One show Thompson connected several time from both TOR exit nodes and a VPN service in order to cover her tracks.
In regards to evidence, Thompson was confirmed to have a list of over 700 AWS S3 Storage buckets. Logs at the bank were also able to show attempted connections from TOR exit nodes which listed bucket content. Other commands executed on the buckets originated from a VPN service which Thompson subscribes too. After the breach, Thompson also posted to several public forums, i.e. Slack and GitHub boasting about the breach. Thompson was arrested by the FBI. During the raid, FBI agents seized several storage devices containing copies of the breached data
Analysis
The following is a mapping of the above threat profile to the MITRE ATT&CK framework.
| Stage | Step of the attack | ATT&CK |
| Initial Access | Utilize the AWS Command Line Credentials, AccessKeyID and SecretAccessKey, in order to execute commands | Valid Accounts |
| Intial Access | Use previous work experience building Capital One Cloud Infraastrucutre in order to plan attack | Trusted Relationship |
| Execution | Execute several AWS CLI commands in order to exfiltrate data | Exploitation for Client Execution |
| Credential Access | Leverage misconfiguration of WAF to relay commands to AWS services in order to retrieve credentials | Exploitation for Credential Access |
| Discovery | run CLI commands in order to list content of AWS storage prior to exfiltration | Cloud Infrastructure Discovery |
| Exfiltration | Use the sync command to copy AWS data to local storage | Exfiltration Over Alternative Protocol |
This diagram breaks down the approximate timeline the attacker followed when exfiltrating the data.
Sources
http://web.mit.edu/smadnick/www/wp/2020-16.pdf
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
https://www.zdnet.com/article/100-million-americans-and-6-million-canadians-caught-up-in-capital-one-breach/
https://www.capitalone.com/about/newsroom/capital-one-announces-data-security-incident/
https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company
Activity 2.2 Set Up a STIX/TAXII Feed
In this acitivity I will setup the Anomali STAXX in order to process STIXX feeds for threat intel. Anomali STAXX allows you to connect to STIX/TAXII servers and poll threat intelligence from them. Using STAXX, you are able to run keyword searches on vulnerabilities.
- Installation
For this setup you will need either VMWare Workstation or Oracle VirtualBox. Anomali STAXX can be downloaded from here.
Once downloaded open the virtual appliance and be sure to assign it 4GB of RAM and 2 CPUs. If you are using VirtualBox, check that the network adapter is set to Bridged. Start the VM.
- Before logging in to Anomali and gathering threat data, first I will set the timezone. Login to the VM server with the username/password displayed at the top of the VM.
Reset the password as prompted.
Once logged in, use the following command to change your timezone.
sudo timedatectl set-timezone (your timezone)
Timezones can be listed with the folllowing command
timedatectl list-timezones
- The VM will then display an IP address for you to connect to locally.
Login to the interface with a webrowser using the following credentials:
User name: admin Password: changeme
After that, set your own password – and you are good to go.
- After logging in, agree use the Limo service to gather data for your first threat feeds. The dashboard will then begin to populate with threat feeds!
Glossary
A glossary of all the terms, acronyms and slang I run across for this chapter.
| STIX | Structured Threat Information Expression -- standardized XML language for sharing threat intel |
| TAXII | Trusted Automated Exchange of Indicator Information -- Protocol for cyberthreat info to be shared at the application layer via HTTPS |
| OpenIOC | Open Indicators of Compromise -- standardized XML language for sharing threat intel |
| Threat Intelligence Cycle | Lifecycle for using threat intelligence -- Requirements Gathering > Data Collection > Analysis > Info Dissemination > Feedback |
| ISAC | Information Sharing and Analysis Centers -- organizations in the USA for sharing of threat intel pertaining to a specific industry |
| Threat Actor Types | The following are the main threat actor types: 1. Nation-state 2.Organized Crime 3. Hacktivists 4. Insider threats |
| STRIDE | Microsoft method for classifying threats -- 1. Spoofing of user identity 2. Tampering 3. Repudiation 4. Information disclosure 5. Denial of service 6. Elevation of privilege |
| Threat Modeling | Activity for understanding threats an organization faces. Requires assessing 1. Adversary capability 2. Attack surface 3. Attack vectors 4. Possible attack impact 5. Likelihood of an attack succeeding |
| Threat Reputation | Examining a site or IP to determine if it has a history of malicious behaviour |
| IOC | Indicators of compromise -- forensic evidence and data that can help identify an attack |
| MITRE ATT&K | Adversarial Tactics Techniques and Common Knowledge attack framework |
| Diamond Model | Intrusion analysis model focusing on the 1. Core features (adversary + capability + infraastrucre + victim) 2. Meta features 3. Confidence Value and their relationship together |
| CVSS | Common Vulnerability Scoring System |
| Cyber Kill Chain | Lockheed Martin's seven step process: 1. Recon 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and control 7. Actions on Objectives |
| Unified Kill Chain | Combination of the Lockheed Martin Cyber Kill Chain and MITRE ATT&K framework -- an 18 phase process |