MODELING FANCY BEAR CYBER ATTACKS Designing a Unified Kill Chain for Analyzing, Comparing and Defending Against Cyber Attacks

Author: Mr. drs. Paul Pols
Student ID: S1806084
Date: December 7, 2017
Supervisor: Dr. ir. Pieter Burghouwt
Second Reader: Prof. dr. ir. Jan van den Berg
Institution: Cyber Security Academy (CSA)

[1] PAUL POLS – MODELING FANCY BEAR CYBER ATTACKS

Abstract

Organizations increasingly rely on Information and Communication Technology (ICT), exposing them to growing risks from cyber attacks by a range of threat actors. The term Advanced Persistent Threats (APTs) refers to particularly capable threat actors that are typically backed by nation-states. To raise their resilience, organizations can model APT cyber attacks using Lockheed Martin’s Cyber Kill Chain® (CKC) or ethical hacking assessments by Red Teams. The modus operandi (MO) of APTs does not necessarily coincide with these models, which can limit their predictive value and lead to misaligned defensive capabilities and investments. In this thesis, a Unified Kill Chain (UKC) model is developed that focuses on the tactics that form the consecutive phases of cyber attacks (Table 1). A hybrid research approach is used to develop the UKC, combining design science with qualitative research methods. The UKC is first developed through a literature study, extending the CKC by uniting improvements previously proposed by other authors with the tactics of MITRE’s ATT&CK™ model. The UKC is subsequently evaluated and improved iteratively through case studies of attacks by Fox-IT’s Red Team and APT28 (alias Fancy Bear). The resulting UKC is a meta model that supports the development of end-to-end attack-specific kill chains and actor-specific kill chains that can subsequently be analyzed, compared and defended against.
Table 1 - Overview of the development of the Unified Kill Chain (UKC)
[Table 1 lists the position of each UKC phase in the Cyber Kill Chain® (CKC), the models of Bryant, Malone, Laliberte and Nachreiner, MITRE ATT&CK™, and the UKC after the literature study, after Red Team C1, C2, C3 and the Red Team KC, and after APT28 C4 & C4KC; only the resulting 18 UKC phases are reproduced here:]
1 Reconnaissance
2 Weaponization
3 Delivery
4 Social Engineering
5 Exploitation
6 Persistence
7 Defense Evasion
8 Command & Control
9 Pivoting
10 Discovery
11 Privilege Escalation
12 Execution
13 Credential Access
14 Lateral Movement
15 Collection
16 Exfiltration
17 Target Manipulation
18 Objectives

The literature and case studies show that the traditional CKC is perimeter- and malware-focused and as such fails to cover other attack vectors and internal attack paths. The case studies falsify a crucial assumption underlying the CKC model, namely that attackers must progress successfully through each phase of the deterministic sequence of the CKC. The observation that attack phases can be bypassed affects defensive strategies fundamentally, because an attacker who bypasses a phase also bypasses the security controls that apply to that phase. Instead of focusing on thwarting attacks at the earliest point in time, layered defense strategies that focus on phases that are vital for the attack path or that occur with a higher frequency are thus expected to be more successful.
The UKC provides insights into the ordered arrangement of phases in end-to-end cyber attacks and covers diverse attack vectors by uniting and extending existing models. The UKC offers a significant improvement over the scope limitations of the CKC and the time-agnostic nature of the ATT&CK™ model. Other improvements over the existing CKC and ATT&CK™ models include: explicating the role of users by modeling social engineering, recognizing the crucial role of choke points in attacks by modeling pivoting, covering the compromise of integrity and availability in addition to confidentiality, and elucidating the socio-technical objectives of threat actors. These insights support the development (or realignment) of layered defense strategies that adopt the assume breach and defense in depth principles.

Figure 1 – A further attack path abstraction supported by the Unified Kill Chain
Initial Foothold (Compromised System): • Reconnaissance • Weaponization • Delivery • Social Engineering • Exploitation • Persistence • Defense Evasion • Command & Control
Pivoting → Network Propagation (Office Environment): • Discovery • Privilege Escalation • Execution • Credential Access • Lateral Movement
Pivoting → Network Propagation (Critical Infrastructure): • Discovery • Privilege Escalation • Execution • Credential Access • Lateral Movement
Access → Action on Objectives (Critical Asset Access): • Collection • Exfiltration • Target Manipulation • Objectives

The UKC is utilized to analyze and compare attacks by Fox-IT’s Red Team and APT28, to improve threat emulation and to raise organizational resilience against APT28 attacks. The comparison shows that the tactical MO of these actors converges in their attack paths within the internal networks of targeted organizations. Red Team assessments are thus thought to be particularly well suited to test the resilience of organizations against this part of APT28’s potential attack path.
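As an added example (not code from the thesis), the following Python sketch treats the UKC as the meta model the abstract describes: the 18 phases of Table 1, two attack-specific kill chains constructed here purely for illustration, a check for the phases an attack path bypasses (the observation that falsifies the CKC's strict-sequence assumption), the convergence/divergence comparison of two actors' tactical MO, and the phase-frequency ranking on which the layered defense argument rests.

```python
from collections import Counter

# The 18 UKC tactics in the order of Table 1 of the thesis.
UKC = [
    "Reconnaissance", "Weaponization", "Delivery", "Social Engineering",
    "Exploitation", "Persistence", "Defense Evasion", "Command & Control",
    "Pivoting", "Discovery", "Privilege Escalation", "Execution",
    "Credential Access", "Lateral Movement", "Collection", "Exfiltration",
    "Target Manipulation", "Objectives",
]
RANK = {phase: i + 1 for i, phase in enumerate(UKC)}

# Two attack-specific kill chains, constructed here for illustration only;
# they are not the thesis's Red Team or APT28 case studies.
CHAIN_MALWARE = [  # perimeter/malware path that walks the CKC-like phases
    "Reconnaissance", "Weaponization", "Delivery", "Social Engineering",
    "Exploitation", "Persistence", "Defense Evasion", "Command & Control",
    "Pivoting", "Discovery", "Privilege Escalation", "Credential Access",
    "Lateral Movement", "Collection", "Exfiltration", "Objectives",
]
CHAIN_CREDENTIAL = [  # internal path reached without malware or an exploit
    "Reconnaissance", "Social Engineering", "Credential Access", "Pivoting",
    "Discovery", "Lateral Movement", "Collection", "Target Manipulation",
    "Objectives",
]

def by_rank(phases):
    return sorted(phases, key=RANK.get)

def bypassed(chain):
    """UKC phases skipped before the deepest phase the chain reaches; a
    non-empty result contradicts the CKC's strict-sequence assumption."""
    unknown = [p for p in chain if p not in RANK]
    if unknown:
        raise ValueError(f"not UKC phases: {unknown}")
    deepest = max((RANK[p] for p in chain), default=0)
    return [p for p in UKC[:deepest] if p not in chain]

def compare(chain_a, chain_b):
    """Convergence (shared phases) and divergence of two actors' tactical MO."""
    a, b = set(chain_a), set(chain_b)
    return by_rank(a & b), by_rank(a - b), by_rank(b - a)

def defensive_priority(chains):
    """Phases ordered by how many observed chains traverse them (ties in UKC
    order); a phase every chain passes through is a choke point to defend first."""
    freq = Counter(p for c in chains for p in set(c))
    return sorted(freq.items(), key=lambda kv: (-kv[1], RANK[kv[0]]))
```

With the two constructed chains, the credential-based path bypasses every malware-related CKC phase, so the controls tied to those phases never fire, while the phases both paths share (Pivoting, Discovery, Credential Access, Lateral Movement, Collection) rise to the top of the defensive ranking.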
Notable divergences were also identified, which signify the potential to improve the predictive value of Red Team assessments, for example by performing action on objectives (Figure 1). As the reliance of organizations on ICT continues to grow, and APT cyber attacks continue to rise in number and in force, the risks for organizations and societies as a whole increase at an accelerating pace. The UKC attack model can be used by Red Teams to improve their threat emulations and by defenders to develop and realign their defense strategies in their attempts to decelerate this dangerous trend.

Keywords — Attack Modeling, Attack Simulation, Threat Emulation, Cyber Kill Chain®, MITRE ATT&CK™, CORAS, APT28, Fancy Bear, Pawn Storm, Sednit, Sofacy, Strontium, Red Team, Tactics, Techniques, Procedures, Design Science, Assume Breach, Defense in Depth, Unified Kill Chain.

Table of Contents

1 Introduction (p. 7)
1.1 Conceptualization and Contextualization (p. 7)
1.1.1 Societal Dependence on Cyberspace (p. 7)
1.1.2 Constructs of Technical and Cyber Risk (p. 8)
1.1.3 Mitigation of Technical and Cyber Risk (p. 8)
1.1.4 Advanced Persistent Threats (APTs) (p. 8)
1.1.5 APT Threat Modeling (p. 9)
1.1.6 Ethical Hacking and Red Teams (p. 9)
1.2 Problem Description (p. 9)
1.2.1 High Profile and Impactful APT Attacks (p. 9)
1.2.2 Attribution and Relevance (p. 10)
1.2.3 Red Team Threat Emulation and Attack Simulation (p. 10)
1.2.4 Limitations of APT Threat Modeling (p. 10)
1.3 Research Question(s) (p. 11)
1.3.1 Research Goal (p. 11)
1.3.2 Levels of Abstraction (p. 11)
1.3.3 Primary and Sub Questions (p. 12)
1.4 Research Methodology (p. 12)
1.4.1 Availability of Research Data (p. 12)
1.4.2 Research Design and Approach (p. 13)
1.4.3 Incorporating the Guidelines for Design Science (p. 15)
1.5 Thesis Structure (p. 16)
2 Modeling Framework (p. 17)
2.1 The Cyber
