A common and very thoughtful question I hear from current and prospective customers is “how is threat intelligence pertinent to authentication?” It’s an important question. To answer it, we must understand the nature of how advanced attackers operate. An advanced attack is not always just a single user, hunched over a single terminal, hammering away at a Unix shell. Advanced attacks are carried out with high levels of coordination, often using a vast infrastructure that spans the globe. Attackers leverage this infrastructure to launch assaults on their target organization. You often hear this infrastructure referred to as “C2 infrastructure”, but I think that name may be somewhat misplaced. A better name might be “threat actor infrastructure.”
A great and well documented study related to this topic is Mandiant’s report on APT1, a hacker organization linked to some very high profile breaches. The report gives a detailed account of the group’s origin, tactics, and infrastructure. The report is now two years old, an epoch in the security world, but we can still learn some valuable lessons from it. In the time since it has been published, it has greatly contributed to the security community’s understanding of the Advanced Persistent Threat.
The “APT1: Attack Lifecycle” section of the report discusses, in-depth, how APT1 launches attacks on their desired victims. It is a story we have heard many times.
- The attackers first perform reconnaissance to find a potential target. After identifying a target, an initial compromise is executed. This is typically done via a phishing email with a malicious link or attachment.
- Once an unsuspecting user has been fooled by the phishing attempt, the attacker establishes a foothold, installing backdoor software on the user’s system. That backdoor software contacts a command and control (C2) server, allowing the attacker to execute commands, at will, on the system.
- The next goal of the attacker is credential theft via privilege escalation, allowing the attacker wider access to the internal resources of the organization. Internal reconnaissance and lateral movement occur at this phase as the attacker attempts to complete the mission.
- The attacker will continue work to remain persistent, via the installation of additional malware, or by the use of legitimate credentials to log into the corporate VPN. This tactic allows attackers continued access if their malware is discovered and remediated. At this point the attacker looks like a “normal" user and has been historically very difficult to detect.
The threat actor infrastructure comes into play at multiple points in this attack lifecycle. It may be used to house and to deliver the first or second stage malware onto the target system. Often the initial payload delivered to a system is a downloader, designed to look as innocuous as possible as the “real" malware is obtained and injected. The infrastructure is then, of course, used to issue commands to designated backdoor software, in the exfiltration of items of interest to the attacker, and to maintain persistence within the organization.
Further evidence of this is provided by the Software Engineering Institute of Carnegie Mellon University. In May of 2014, SEI published a study, "Investigating Advanced Persistent Threat 1 (APT1)”, further drilling down into details of the Mandiant APT1 report. The study correlated data from the APT1 report with a number of other sources in an attempt to gain a deeper understanding of the infrastructure deployed by APT1. One of the sources was the 2012 Internet Census, which involved the scanning and fingerprinting of the entire IPv4 address space. Included in the census was a survey of open ports on the systems associated with the IP address. Correlation of this data allowed SEI to further break down the usages of APT1 infrastructure.
Based on the correlation, SEI classified the APT1 infrastructure into a few buckets. First, malware servers, used as distribution points for malware. Second, C2 intermediary servers, used to deliver commands to backdoored systems. The third classification was a simple “hop point.” A hop point is a system used in the process of “anonymization". Attackers don’t want to give up their actual location, so they must obfuscate their origin. Evidence of this capability is observed in APT1’s usage of a software program called the HUC Packet Transmit Tool, or HTRAN. HTRAN is a connection bouncer, allowing attackers to proxy their commands through multiple hop points before reaching the destination system. The Mandiant APT1 report documented a large subset of the attacker infrastructure appearing to deploy HTRAN.
The conclusion gained from these reports is that the infrastructure utilized by threat actors is multi-use. That is, it is not just for the delivery and control of malware but involved in the entire attack lifecycle, from initial intrusion to the final goal. Anonymization technologies like HTRAN help the attackers in turning this infrastructure into generic hacking infrastructure, to be leveraged by the attacker however they see fit.
Coming back up from the technical details to the original question: how is threat intelligence relevant to authentication? It is pertinent in two major ways. As mentioned, attackers often fall back to legitimate entry points deployed by the target organization to maintain persistence. The traditional example, and a very important one, is the VPN. In addition, we must remember that the traditional perimeter has shattered, and core applications are moving out of on-premise datacenters to the cloud. Identity, and thus authentication, becomes the glue that binds organizations together. There are an increasing number of authentication touch points from a threat actor’s infrastructure to an organization’s infrastructure and those touch points must be protected in a way that quickly adapts to advanced threats. Leveraging threat intelligence in the authentication process enables this rapid response to evolving threats without significant human intervention.
When combined with other techniques in adaptive authentication, threat intelligence can help provide a very strong level of authentication protection for organizations. Other techniques that can be leveraged in adaptive authentication may include analysis of the users device, their geographical location, and behavior. In addition, the data derived from adaptive authentication “hits” can help in the detection and incident response phases of the security lifecycle. When such a hit is correlated with other security events in the organizations SIEM, a clearer picture of an attack in progress can be obtained. If you’re not already considering including threat intelligence and adaptive authentication in your access control strategy, you should be. It’s critical to keeping pace with bad actors.