## Threat Activity Groups

###### Your Hosts

Sergio Caltagirone, @cnoanalysis, DiamondModel.org
Joe Slowik, @jfslowik

-----

### Industrial Threat Activity Groups

-----

### Is Activity Group Just a Fancy Name for Adversary?

-----

### The Diamond Event

###### Axiom 1

An adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.

Core features: Adversary, Capability, Infrastructure, Victim

#### Meta-Features

Timestamp

-----

### Activity Groups

###### An activity group is a set of Diamond events and activity threads associated by similarities in their features or processes and weighted by confidence

- A framework to answer analytic questions requiring a breadth of activity knowledge
- The development of mitigation strategies with an intended effect broader than activity threads

-----

### Activity Groups: What You Hear is Not It All

#### What you normally see…

Analysts traditionally form activity groups to identify a common adversary behind events and threads, usually using similarities in infrastructure and capabilities.

#### But, that’s not all…

The concept is inherently flexible and extends to include any grouping based on similarities to address a multitude of analytic and operational needs. The desired analytic or operational outcome determines the implementation and type of correlation (i.e., grouping function).

Activity groups are not static – just as adversaries are not static. Activity groups must grow and change over time to absorb new knowledge of the adversary including changes in their…

-----

### Why Activity Groups? To Solve Analytic Problems

##### What is the Analytic Problem

- Activity grouping is used to solve a number of problems.
- These problems generally require deduction and inference based on a common set of features (i.e., feature vector).
- These problems are generally distinct enough to require a different feature vector for each problem.
- For instance, the feature vector which would group events and threads by likely adversary (e.g., attribution) would not always suffice to group events to discover common malware authors/developers.

##### Examples

- Trending: How has an adversary’s activity changed over time and what is the current vector to infer future change?
- Intent Deduction: What is the intent of the adversary?
- Attribution Deduction: Which events and threads are likely conducted by the same adversary?
- Adversary Capabilities and Infrastructure: What is the complete set of observed capabilities and infrastructure of the adversary?
- Cross-Capability Identification: Which capabilities have been used by multiple adversaries?
- Adversary Campaign Knowledge Gap Identification: What are the organization’s…
-----

### The Activity Group Process

1. Analytic Problem: The particular analytic problem to be solved through grouping
2. Feature Selection: The event features and adversary processes used to form the basis of classification and clustering are selected
3. Creation: Activity groups are created from the set of events and threads
4. Growth: As new events flow into the model, they are classified into the Activity Groups
5. Analysis: Activity groups are analyzed to address the analytic problem(s) defined
6. Redefinition: Activity groups need to be redefined from time-to-time to maintain their accuracy

-----

### How to Create an Activity Group

-----

### Let me know if you’ve heard this one…

-----

### Names, names everywhere!

-----

### Why can’t we all just agree on one name?!

###### The simple answer: it’s hard enough to correlate activity consistently within a 10 person team let alone across a variety of organizations.

###### The complex answer: correlation and classification is a complex analytic problem which requires us to share the same grouping function and feature vector.
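To make the process above (feature selection, creation, growth) and the naming point concrete, here is an added toy classifier that is not the presenters' code. It assumes a hypothetical feature vector per analytic problem, exact-match comparison as the grouping function, mean pairwise similarity as the confidence weight, and constructed sample events with placeholder infrastructure and victim values.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass(frozen=True)
class DiamondEvent:
    adversary: str       # usually unknown when the event is first classified
    capability: str      # e.g. malware family observed
    infrastructure: str  # e.g. C2 host (placeholder values in SAMPLE below)
    victim: str
    timestamp: str       # meta-feature

# Steps 1-2: the analytic problem selects the feature vector (assumed choices)
FEATURE_VECTORS = {"attribution": ("capability", "infrastructure", "victim"),
                   "malware_authorship": ("capability",)}

def similarity(a, b, features):
    """Grouping function: fraction of the selected features shared by two events."""
    return sum(getattr(a, f) == getattr(b, f) for f in features) / len(features)

@dataclass
class ActivityGroup:
    name: str
    events: list = field(default_factory=list)

    def confidence(self, features):
        """Mean pairwise similarity; tends to fall as the group grows."""
        if len(self.events) < 2:
            return 1.0
        pairs = list(combinations(self.events, 2))
        return sum(similarity(a, b, features) for a, b in pairs) / len(pairs)

def classify(event, groups, features, threshold=0.5):
    """Steps 3-4 (creation/growth): join the most similar group, else open a new one."""
    best, best_score = None, 0.0
    for group in groups:
        score = max(similarity(event, e, features) for e in group.events)
        if score > best_score:
            best, best_score = group, score
    if best is None or best_score < threshold:
        best = ActivityGroup(f"AG-{len(groups) + 1}")
        groups.append(best)
    best.events.append(event)
    return best.name
# Constructed sample events (illustrative values, not real observations)
SAMPLE = [
    DiamondEvent("?", "KARAGANY", "infra-A", "utility-EU", "2014-01"),
    DiamondEvent("?", "KARAGANY", "infra-A", "utility-TR", "2014-03"),
    DiamondEvent("?", "KARAGANY", "infra-B", "utility-US", "2017-06"),
    DiamondEvent("?", "backdoor-X", "infra-B", "utility-US", "2017-08"),
]
```

Running the same four events through the two feature vectors yields different groupings (two groups under attribution, three events in one group under capability only), which is why two teams with different grouping functions will not converge on the same names.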
-----

### Example: 2017 – Present Electric Utility Intrusions

-----

### Initial Analysis: Dragonfly 2.0

-----

### Behavioral Analysis Yields Distinctions

| | 2013–2014 activity | Late 2015 – ? activity | ALLANITE |
|---|---|---|---|
| Active | 2013–2014 | Late 2015 – ? | Mid 2017 – ? |
| Target Geography | Europe, Turkey, North America | Europe, North America | USA, UK, Germany |
| Initial Access | Phishing w/PDF, Watering Hole, Trojanized Software | Phishing w/Doc | Phishing w/Doc, Watering Hole |
| Malware | KARAGANY Malware Family, OPC-focused Malware | Various Malware and Backdoors, Survey and Screenshots via Malware | |

-----

###### Activity Groups have varying degrees of confidence – as the grouping gets larger the confidence tends weaker

###### Activity Groups are not equivalent to attribution but, they can be used that…

###### Activity Groups are useful for analysts and defenders to group similar activity together to understand broader implications and take more…

-----

# Thank you

###### DiamondModel.org

Sergio Caltagirone @cnoanalysis
Joe Slowik @jfslowik

-----