Anticipation and Preparation: The Science Behind Cyber Threat Intelligence
Insights From a CTI Expert on Emerging Threat Actors
Petko Stoyanov: Today we've got an interesting guest and I love it when we get technical. We're going to talk to Dmitry Bestuzhev and he's the Senior Director of Cyber Threat Intelligence at BlackBerry. And prior to BlackBerry, Dmitry was part of the head of Kaspersky's Global Research Analysis team where he oversaw the company's experts in anti-malware development.
Working in the region he's seen a lot of different things from a nation-state and how they attack, but he spent 20 years just in IT security and different roles.
I'm excited to talk to him about this field of expertise and what we're learning in fraud and profile tax we're seeing in governments and everything. So, I'm going to pass it off to you, Dmitry. Anything I missed there that you want to share about your background or research? What are you currently working on?
Dmitry Bestuzhev: Thank you very much, Petko, and it's a pleasure to be here. Nowadays, it's so hard. You see the threat landscape is getting even more and more weird in terms of the threat actors. Also, tools or weapons they use, like financially-motivated threat actors and nation-states, rely more and more on the same tooling.
That makes our life, like CTI researchers, a little bit harder because that line is really blurred right now, who's behind each attack? We are tracking those attack targets worldwide, all the regions, and doesn't matter if they speak Spanish, Russian, Chinese, English, or French.
Unveiling the Power of CTI
Dmitry: We convert that knowledge or that information from the technical point of view into something actionable you can take and can use very specific actions to test your capabilities and prevention, detection, response, and recovery. That is about the work I and my team do together.
Petko: You're talking about cyber threat intelligence, right, Dmitry? What does that usually entail? I mean, we hear about threat intelligence and we think about speeds and feeds, but I think it's more than that.
Petko: How do you define CTI?
Dmitry: Well, CTI, it's a discipline or knowledge, let's say, which must be always converted into something actionable. And not only feeds, IoCs, hashes, and domains because you need the context. If you want to have an effective CTI program, you need to know the context, which will help you to anticipate attacks against you specifically, not against the industry.
That anticipation must be also very specific. Not only who will attack me and why, but how. How is the question to answer. It's who, how, when, what – and all that information must be answered in a CTI report by means of different sections. Sometimes just high-level information, mid-level information, and very low-level information. And the idea is to convert it into those four subtypes of CTI: strategic, tactical, technical, and also operational.
All of them – board, system, network administrators, incident response teams, SOC or blue team defenders – in general might have everything needed on their level to anticipate those attacks, to test their capabilities, or in the case of the board, to know what's coming.
Harnessing CTI for Practical Protection and Detection Strategies
Dmitry: How much funding will we need? What are the risks versus impacts? It's not about traditionally speaking feeds and all those things we know every day. It's a part of it.
Petko: Is it about honestly informing the defense infrastructure for CISO or CIO, like, here's what we're seeing in the wild, do we have protections against that? Is that where you're focused on currently?
Dmitry: Yes. We have attacks in the wild, right? Those attacks can't be seen as just like I say, "Oh, it's malware. It's been used that way, but who is behind it? Why? How?" That information is worked on and then transformed into reports.
Those reports are also connected to the industries, connected to the regions of the attacker's motivations. And then technical and also high-level information the companies need to test first. Do they have protection? It means their products, the current products they use, are designed to stop those attacks. Yes or no? If not, can we detect it? It means do we even have visibility, enough to say, okay, we can't protect, but we can detect because we'll have logs – yes or no?
Or maybe it's an attack, maybe it's a tool, maybe it's a technique used to, even out of protection scope by the customer. All of that must always be practical; CTI must be practical. If it's not practical, it's not really about CTI – it's about malware analysis only.
Petko: Can you give us some recent examples of how organizations can use CTI to make it practical or how users can use it to make it practical?
Proactive Defense Strategies for Threat Hunting and Mitigation
Dmitry: Absolutely. We've recently seen many attacks, the geopolitics, and the war in Ukraine. The threat actors behind the targeting of Ukraine also began targeting NATO members by means of the personification of software which is used by NATO members supporting Ukraine.
What we provide to our customers, CTI customers, is a document with the information. For example, a summary of about what happened, when, and how.
And always the rule, it's bottom line up. Then brief MITRE ATT&CK® information. It's a technical analysis of weaponization and a technical overview of the initial attack vector, about network infrastructure, and also about targets and attributions along with conclusions.
Conclusions, so what should they do? And appendixes, technical appendixes. IoCs, applied countermeasures, and detailed MITRE ATT&CK mapping. For a real customer, it's like, okay, this is happening. I'm not sure even if I was attacked or not, let's go threat hunting.
How? We have Sigma rules, Suricata rules. We can see behavior on the endpoint level, can we see any matches based on the sigma rules or Suricata rules? All right, let's go to the network level and see if we have any malicious traffic behavior, like the one described in this or that attack.
Or YARA rules. So, what about files? Those files which are running in my system – is there any similarity, any connection? I can proactively hunt or if I know I was infected, I can respond to that act. But with the context, I know what I'm looking for, I know how it behaves.
I know what the motivation is so I can mitigate it completely.
Leveraging CTI to Safeguard Personal and Corporate Frontlines
Dmitry: When I understand that, let's say the target was government secrets or military secrets, should I assume that if the information was compromised, the operations were also compromised? I mean in the field everywhere? The countermeasures in this case for the recovery must not be just, "Oh, let's change the passwords," or "Let's revoke the accesses."
It's about understanding that the whole thing, probably, real-life things, was also compromised. It helps to be very specific, and very concrete to take super good actions, which will have a positive effect in real life and in my cyberspace.
Petko: Dmitry, I'm thinking back to when I was operating a SOC, and we would take some of these reports and we would think we blocked it at the endpoint. And next, we actually didn't realize, but they had gotten to the Active Directory server and actually copied certain files that would release your username and passwords.
We didn't have to clean up just one endpoint, we had to clean up all our usernames and passwords and reset them all with service accounts and everything.
I love that you're working at the tip of the spear and constantly seeing what's new. What's the latest? I know at the corporate level we're doing cyber threat intelligence.
Is there something that you're seeing around personal attacks or what, I mean we've got lots of folks traveling now. Is there something they should be aware of?
Protecting Your Devices with CTI in the Travel Ecosystem
Dmitry: Yes. And also that is another ecosystem with many threat actors targeting in different ways. Sometimes it can be just traditional speaking like financially-motivated malware. It depends on the region where you're coming from.
Threat actors will also change. But for travelers, many times what we face is you are running low; your battery's running low. It's very common to see people at the airport looking for a charging station to plug their phone in and to be like, oh, it's like I have a paradise for my cell phone.
Petko: I can't plug my cell phone in? I've got to get my juice. Why can't I plug in my cell phone and charge it?
Dmitry: Yes, you can. And everybody does that. But there is a risk, a real risk. It's not about theories, it's about something called "juice jacking."
Juice jacking is a malicious technique that helps or enables the attacker by means of physical connections, like through the use of cables connecting the device. It can be any device, it can be a cell phone, it can be Apple®, it can be Android™, whatever, or it can be a tablet.
But each time such a device is connected to that malicious station or compromised station, there is an opportunity for the attacker to not just charge the battery of the phone or tablet, but also by means of enabling data transfer mode to manipulate the device, steal something, or to install something.
It's about dual use; not just charging batteries. It's also about straight access to the device for whatever malicious reason.
The Importance of CTI and Physical Data Blockers
Petko: Yes. Because I think most of us when we charge our phones, we'll let it sit there for a little bit, later on, we'll pick it up, I'll start using it, and unlock it. And by unlocking it, I think I've seen this a couple of times, you get asked, "Do you want to grant access to this USB cable," let's say.
Petko: And you're like, well, of course, I want power. And sometimes you don't get power until after you grant access. But what you just did is you didn't just get power. You also now gave that USB cable and whatever's on the other end full access to your operating system on your phone and your contacts.
Potentially there and everything else that goes into it. Is that just for, I mean you mentioned it's also Android and iPhones, I guess it's all devices, right?
Dmitry: Yes. Actually, even if the phone is running on Linux, the thing will be the same because it's a low-level attack with a physical cable, and unless you specifically block data transfer with blockers, special blockers.
Petko: Is that a physical blocker?
Dmitry: Indeed. Yes.
Petko: So it's not software, it's something that you'd have to use between your phone or your device and the USB to ensure that only the power comes in and not the data. Okay.
Dmitry: Yes. So such a blocker, it's a must to have with you when you're traveling, even if you're just connecting to the inside of the aircraft.
Mitigating Data Compromise Risks
Dmitry: Why not use that? Why even run the risk of exchanging your data with anything? What you're looking for is to not synchronize anything. You don't want to synchronize anything. You just want electricity. So why run the risk, to think your device probably would not be sending or receiving data. It's like what for?
Petko: Dmitry, you just said something that I didn't realize and I wonder if the audience caught it. We always think about the airports and charging our phones there, but what about the airplane?
Dmitry: Well, you see those computers in front of us, sometimes people say, "Oh, it's an entertainment system or it's just a seat." Something like that. But in reality, it's a computer. In the past, I saw those flying terminals running on Linux. Now we see more and more it's Android behind it. So the question is can they be manipulated, or infected?
Yes, of course, they can. And in the end, it's an operating system so it can install stuff, it can copy stuff, so it can do things.
It's not about connecting yourself to the AC, just like pure AC. If you do that, it's fine. But if you connect through a USB cable to that system, you need to understand there is always a risk.
Petko: Yes. So it's almost like those ATMs. I mean I think years ago or probably still happening if you have these. They would put something on top of the machine that actually scans your ATM card or your credit card to get a copy of it.
Safeguarding Passenger Connectivity and Data
Petko: But the same thing could happen on an airplane or in an airport where you think it's a regular USB power station, but they put something on top of it to hijack it. If you will. And it could be months before they realize it even.
Dmitry: Yes, indeed. And the problem is while you're flying, who knows if another passenger is also connected to the same network. I mean a Wi-Fi network can be also a malicious threat actor. Just scanning the network trying to see who's connected.
So that computer which is in charge, one computer in charge of the entertainment. It's also a host inside of the network to which everybody's connected, even if it's a malicious traveler, let's call him like that. It can be also compromised. And then who knows, what are the further actions, and next steps he or she may take?
Petko: I was just looking at the number of folks that are going through TSA security on a certain day. We're now back to pre-COVID. And it's about 2.5, 2.6 million a day that go through TSA security. Make the assumption that all of those end up on an airplane, now you have 2.6 million people sitting in airplane seats every single day. It just takes one of them to change one seat or two seats here and there and next, you know it's propagating.
Dmitry: Yes. And some probably would say, okay, but how to exfiltrate that data? Well, we have also internet on board. So there is a link you can use. There are many ways, not only to steal information but also to exfiltrate it for malicious threat actors.
How CTI Protects Personal Devices From Emerging Threats
Dmitry: So it's way better if we use just a traditional socket, like electricity, like AC sockets. In fact, we have them at the airport, usually on the bottom of the seat, which is in front of you. Use them instead of USB, right.
Or if you do use a USB cable, use a data blocker, a physical data blocker, which connects basically between the port and your cable – then it's a physical block. The electronic circuit prevents data transfer in any direction.
Petko: So bring your own charger. If you don't have your own charger, bring your own blocker.
Petko: Hopefully. Well, I mean I'm assuming that's just iPhone and Android. Are there other attacks you're seeing on other personal devices? I think you and I were talking about macOS becoming much more prevalent. Is that true?
Dmitry: Yes, it's true. And it's proven by telemetry. It's proven by the analysis we have. And essentially it's about targeting macOS users, especially those who invest in cryptocurrencies. And the main cluster behind it, it's the Lazarus Group, which has been publicly attributed to North Korea, and there is a group called AppleJeus. They have been actively targeting macOS users by means of social engineering first, purely malicious.
There are also websites on the internet supposedly providing information for exchange when someone wants to cash out or just convert the cryptocurrency into another cryptocurrency. Even security tools. So they do a very hard job.
Safeguarding Users from Cryptocurrency Theft and Supply Chain Attacks
Dmitry: And even infecting people through LinkedIn, sending them CVs, and job offers to work as a cybersecurity expert in the cryptocurrency industry. And the point is that once infected, they steal those wallets. And for cryptocurrency investors, it's a real risk because they impact everything. You can just lose all your investments, all your funds, just because your Mac is infected.
Petko: I can understand the financial motivation for the crypto side. Are there other things that they're looking for from the financial motivation standpoint?
Dmitry: Yes, that's a good example of that. It's the latest attack. We remember that it's a VoIP company, so they were compromised. And then a malicious update was deployed to everybody, basically everyone in the world.
And it was not only for Windows but also for Mac users. So we call it a supply chain attack, right? Again, it was North Korea behind it.
Imagine if you say, well, I don't have cryptocurrencies and I'm a very good security expert. But if you use any third-party app, and we all use them, so we've got to be ready for a supply chain attack. When you receive an update, that update can have anything inside. If it's an implant, which can be used as a backdoor, it can be used like a, I don't know, a RAT, remote access tool. It can be anything. It depends on the motivation of the attacker.
Petko: Well, I'm curious, what can macOS users do to prevent these types of attacks? How do you safeguard it? Because you talked about updates. So don't I update or should I update?
Enhancing Visibility and Protection Against Compromised Updates and Implants
Dmitry: Well, yes, traditionally speaking, that's what we always teach, right? People always say, yes, sure, install updates because that's how you fix vulnerabilities. And that is right. It's not a mistake. We must install updates. But it's different when your software vendor or any software you use was compromised.
Sometimes even in a fully automated mode, your update gets compromised, it's not even something you accepted or not accepted, it's just automatic.
It was installed on the side. So for macOS users, it's challenging. It's a challenge even compared to Windows users because on Windows we have so many tools. Even for hunting, for monitoring. On Mac, usually, it's internal commands, native commands. There are also some very nice tools from Objective-See. Also free. You can download them and use them. That's fantastic. But usually for those macOS users, it's really hard to find out if they're infected or not. So here is the combination of things.
It's about using threat intelligence, yes, monitoring networks. Because in most cases, if you've got any implant installed, of course, there should be communication with the C2, external C2. Get better visibility over the network, especially your outgoing connections, not incoming connections, but what is traveling from my computer to outside.
And have context. Context about those hosts, IPs, and URLs, try to understand. Check, grab, and also check user agents, because if your computer is connecting, let's say, with a remote host, which you think is not malicious.
CTI Proactive Measures and YARA Rules
Dmitry: But let's say there is a user agent in use, which does not belong to you, you don't have such a browser in your system. But it says this is the system, the user agent that uses it. In this case, it'll be also a red flag.
Petko: So we have to be proactive and know what's in our systems. I guess it goes back to knowing what's on your laptop, knowing what applications are doing there, and being paranoid.
Dmitry: Right. And the good thing, you can also use YARA rules on macOS. So you run them, it's the same. You can write or use those YARA rules not only for the disk but also for the memory, like commands. Those commands, which usually are malicious, it's very easy to spot in the memory because everything's unpacked. That's also great. I recommend it.
Rachael Lyon: I hate to do this, but we are at the end of today's podcast. To all of our listeners out there, thank you so much for joining this week. And for our new listeners, welcome!