Threat Emulation is the process of mimicking the TTPs of a specific threat.
Threats of any variety can be emulated:
- Zero-day or custom attacks
- Script kiddie to advanced adversary
- Emulation of specific threat (Botnets, DDOS, Ransomware, Specific Malware, APT, etc.)
Scenario-driven assessments are typically driven by emulation of some level of threat. This may be a specific threat, such as the Havex trojan used by Energetic Bear / Crouching Yeti / Dragonfly, or a general threat, such as a simple command and control botnet. No matter what the scenario, the TTPs outlined by the scenario drive the rules a Red Team must follow to perform an engagement.
Red Teams perform threat emulation by acting as a representative threat actor. Representative is key. When designing a threat emulation scenario, that threat’s key components should be defined. Every detail is not needed or important to execute a successful threat scenario. In practice, it can be very difficult to emulate a threat exactly, but this does not mean the threat cannot be emulated or there is no value in attempting to do so. A Red Team should focus on emulating a threat’s key components and use their own TTPs to fill in the gaps. A Red Team is not the original designer or author of a threat, but is a highly skilled and capable group. A Red Team can (and should) reinforce an emulated threat’s TTPs with their own tradecraft and processes. In this way, the Red Team is able to model a threat actor in a way that supports the goals of a threat based scenario.
The challenge in threat emulation
The biggest challenge in threat emulation is emulating to a level where an analyst believes the threat is real. Approaches range from using real malware, to developing custom malware that models a real threat, to using tools that generate the indicators of compromise (IOCs) an attack from a real threat leaves behind. In any case, effective planning and determination of the critical components of a threat will lead to better threat emulation design.
The Energetic Bear / Dragonfly / Crouching Yeti attack
A malicious actor named Dragonfly by Symantec, Energetic Bear by CrowdStrike and Crouching Yeti by Kaspersky launched an attack to gain information and intelligence on multiple industries including aviation, defense, and energy. According to CrowdStrike, Energetic Bear is an adversary group with roots in the Russian Federation and has a goal of intelligence collection against victims across the globe, focusing on the energy sector.
As an interesting side note, using build times of malware samples and the observed C2 activity, CrowdStrike was able to determine these aligned with Moscow business hours.
Initially, a spear-phishing campaign was observed appearing to target high-level individuals. The attacks consisted of a malicious document or a redirection to a watering hole that used legitimate websites to redirect to a malicious site. The site would use a variety of client-side attacks to infect the target. In addition to a watering hole, the group compromised legitimate binaries on ICS vendors' websites. Customers would unknowingly download what they thought was legitimate software from the vendor.
Energetic Bear used a few different types of malware, but HAVEX (dubbed "HAVEX" by F-Secure and Backdoor.Oldrea by Symantec) was the dominant choice.
Energetic Bear used three major phases to deliver malware:
1) Malicious PDF via Spear-phishing
Spear-phishing was used to infect targeted individuals for initial information gathering by delivering malicious PDF documents. In this case, a PDF/SWF exploit targeting CVE-2011-0611 was used to drop malware. Even with this campaign running up through 2014, older exploits were still valuable.
2) Malicious JAR and HTML via a watering-hole attack
Watering-hole attacks were used to deliver Backdoor.Oldrea (Symantec's name for HAVEX). These attacks exploited CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723 in Java 6, Java 7, IE 7 and IE 8 to drop the HAVEX malware. The exploits appeared to be modified Metasploit Java exploits built to deliver the HAVEX loader.
3) Legitimate Software Loaders
Energetic Bear compromised several legitimate ICS vendor websites. Binaries such as camera drivers or PLC management software were modified and made to deliver the HAVEX malware.
In order to complete the third attack type, the threat actor had to compromise several ICS vendors' websites. Sometimes called a Strategic Web Compromise (SWC) attack, these have become a favorite attack method of Russian- and Chinese-based threats. In this case, SWC attacks were used to compromise sites that would most likely be visited by customers or users of ICS systems. This made the watering-hole or binary compromises much more useful against the targeted victims. Using these three attack types demonstrated an organized and arguably sophisticated threat actor. The team behind this planned and organized a scenario to be successful against their target audience.
Once malware was delivered, three major tasks were observed:
- System enumeration tools that collected information such as OS version, machine name and username, and file and directory listings.
- A credential-harvesting tool that extracts stored passwords from various web browsers.
- Secondary implants that communicate with different C2 infrastructures using custom protocols and payloads executed in memory.
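As an added defender-side example (not from the original text), the following Python script correlates constructed process-creation log lines to flag the enumeration stage listed above: a host that runs commands from at least three of the collected categories (OS version, machine name, username, file listing) within a short window. The log format, the command-to-category mapping and the thresholds are assumptions of this example, not observed Energetic Bear artifacts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from local commands to the categories of information the
# enumeration stage collected (OS version, machine name, username, listings).
ENUM_COMMANDS = {
    "systeminfo": "os_version", "ver": "os_version",
    "hostname": "machine_name",
    "whoami": "username",
    "dir": "file_listing", "tree": "file_listing",
}
WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_DISTINCT = 3                # distinct categories needed to flag a host

# Assumed log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
LINE_RE = re.compile(r"^(\S+ \S+) host=(\S+) user=(\S+) cmd=(.+)$")

# Constructed sample log lines; eng-ws07 shows the full enumeration burst,
# hr-ws02 shows only isolated, unrelated commands.
SAMPLE_LOGS = [
    "2014-06-23 09:01:10 host=eng-ws07 user=jdoe cmd=systeminfo",
    "2014-06-23 09:01:14 host=eng-ws07 user=jdoe cmd=hostname",
    "2014-06-23 09:01:15 host=eng-ws07 user=jdoe cmd=whoami /all",
    "2014-06-23 09:01:40 host=eng-ws07 user=jdoe cmd=dir /s C:\\Users",
    "2014-06-23 09:02:00 host=hr-ws02 user=asmith cmd=hostname",
    "2014-06-23 10:30:00 host=hr-ws02 user=asmith cmd=dir C:\\temp",
]

def parse_line(line):
    """Return (timestamp, host, user, command) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    cmd = m.group(4).split()[0].lower()   # first token is the executable
    return ts, m.group(2), m.group(3), cmd

def detect_enumeration(lines):
    """Map host -> set of categories for hosts whose enumeration commands
    cover at least MIN_DISTINCT categories inside one WINDOW."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] in ENUM_COMMANDS:
            events[parsed[1]].append((parsed[0], ENUM_COMMANDS[parsed[3]]))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):   # slide the window over events
            cats = {c for t, c in evs[i:] if t - start <= WINDOW}
            if len(cats) >= MIN_DISTINCT:
                flagged[host] = cats
                break
    return flagged
```

Running `detect_enumeration(SAMPLE_LOGS)` flags only eng-ws07; the window keeps hr-ws02's two commands, ninety minutes apart, from being correlated.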
Backdoor.Oldrea, Symantec (link not available)