Félix Brezo Fernández


Head of Cyber Intelligence team. Telefónica Tech Incident Response Team
XVI STIC Conference: 5 trends in Cyber Security highlighted by our analysts for 2023
The CCN-CERT STIC Conference has been a classic year-end security event for more than a decade. Held between 29 November and 1 December 2022 at the Kinépolis in Madrid, the National Cryptologic Centre once again organised an event with several rooms running in parallel and a multitude of talks. This year's topics ranged from regulatory issues to Threat Intelligence research with a geopolitical slant, with a clear defensive focus on threat modelling and on people as fundamental elements of defensive management. This year Telefónica Tech Cyber Security & Cloud was represented by the Threat Intelligence Platform & Reports team, who attended the event to take note of the trends, TTPs and threats that the different manufacturers and suppliers have flagged for 2023. In this article we have compiled a chronicle of the talks of greatest interest to our team of analysts.

Cyber Intelligence in the National SOC Network: Telefónica Tech a leader in sharing

One of the main elements of the conference revolved around Cyber Intelligence Sharing (CIS). The second day's talks focused on the National SOC Network (RNS) project sponsored by the National Cryptologic Centre itself. The initiative aims to be a focal point for sharing cyber intelligence at national level and makes available the information known and reported on security events identified in the different national SOCs. Each event reported to the platform is scored according to the nature of the information shared, using criteria that reward events describing the specific tactics, techniques and procedures observed, as well as detection rules (YARA, Snort, STIX, etc.) for similar behaviour.
Telefónica Tech definitively joined the initiative at the beginning of September, and the work carried out by our colleagues was explicitly recognised by the CCN-CERT at the conference for a clear reason: Telefónica Tech Cyber Security & Cloud is the organisation that leads the ranking of contributions since the beginning of the project. The effort made to integrate the information generated by the Digital Risk Protection, malware and SIEM teams, among other services, is bearing fruit in an activity that is, moreover, publicly recognised by public bodies such as the Cryptologic Centre itself.

Supply chain and industrial environment security: a strategic priority

The sophistication required to carry out supply chain attacks shows that the structures and resources needed are far from accessible to lone adversaries. While MITRE's earlier definitions of supply chain attacks did not focus as much on the supply chain itself or on mitigation, the System of Trust (SoT), a proposed methodology for monitoring supply chain risks objectively, was already put forward in July 2022. Alongside integrating security controls that take supply chain risks into account from the design stage, at Telefónica Tech Cyber Security & Cloud we have promoted several initiatives with different organisations that focus on another environment: industrial control systems, which MITRE also covers in its ICS (Industrial Control Systems) matrix. Proprietary solutions such as Aristeo aim to make it easier to identify attack patterns in these environments, which by their nature have higher barriers to entry than conventional ones.
In the Aristeo project, industrial decoys (honeypotting) are used to attract attackers, extract information and generate intelligence that helps protect our clients.

The complexity involved in emulating complete plants and industrial centres at Telefónica Tech Cyber Security & Cloud, and the wide variety of systems and platforms under control, make understanding how they work and how they interact a necessary first step in securing these systems.

Cyberspace as a battlefield

The importance of cyberspace as a scenario that cannot be ignored when planning national defence strategies hung in the air throughout the conference. If around 2015 it was the Asian countries that were reorganising their military structures to equip themselves with offensive cyber capabilities, the current geopolitical reality shows that the trend will not only not be reversed but will, on the contrary, reinforce the thesis of those who argue that the cyber environment is a space in which to be present, given the large number of connected critical infrastructures.

Cyberspace has been called the "fifth domain", of equal strategic importance to land, sea, air and space.

The existence of units that, in many countries, increasingly operate as regular soldiers, with physical bases in which to train and operate, drives an increase in cyber capabilities that must be answered from a purely defensive standpoint, on the understanding that the sophistication of these adversaries can escalate the greater the interest of their sponsors.
Behaviour as an Indicator: Tactics, Techniques and Procedures

The security incidents analysed by our colleagues in the Threat Hunting and Digital Forensics and Incident Response units share a common characteristic: attackers are increasingly agile in deploying new infrastructure and using specific tools in each incident. This forces defensive teams to treat observables (IP addresses, domains, files, etc.) as elements with an ever shorter life cycle and diminishing power to detect offensive actions, precisely because they are so tightly bound to specific incidents in a very specific time frame. The trend our own teams have already observed is pushing threat modelling towards behavioural indicators in the form of attack patterns and tools used to describe the behaviour of malicious actors, whether linked to common cybercrime or to advanced persistent threats. Thus, terms such as TTPs, attack patterns and threat modelling schemes based on standards such as STIX 2.1 will become ever more common, and generating intelligence that allows teams to anticipate in the defence of their infrastructures will become ever more important.

The cryptocurrency ecosystem: cybercrime does not lose focus

During the workshops, real cases of fraud set against the backdrop of cryptocurrency investment were presented. Among the workshops held during the first day, one session was dedicated to tracking cryptocurrency and NFT transactions, highlighting the capacity of specialised companies to trace cryptocurrency transactions in general and non-fungible tokens (NFT) in particular.
Specifically, the projects highlighted were those that do not implement privacy and anonymity from the design stage, which is still the case for most cryptocurrency-related projects.

Among the most relevant trends observed is the large volume of operations identified in 2022 associated with DeFi (decentralised finance) environments, as opposed to conventional centralised exchanges.

The main vehicles for scams and extortion in the NFT ecosystem are not necessarily new (social engineering remains an ideal vehicle in a particularly complex technical environment), but they have the particularity that monetisation is much more direct for an adversary who manages to steal the tokens outright. The effectiveness of digital beacons and reverse social engineering was also demonstrated: different models of interaction with suspected fraudsters are used as a lure to track the money, deploying decoys under the pretext of making a new investment and obtaining information from the attacker, such as IP address or ASN, that can facilitate tracing. Along the same lines, cryptocurrencies do not escape the security flaws that may occur in smart contracts. Smart contracts are still programmed applications and, therefore, subject to weaknesses and programming errors. Thus, our colleague from Telefónica Digital, Pablo González, gave an afternoon workshop outlining the basic principles for identifying some of the most basic exploitable weaknesses and how to set up a working laboratory to carry out security audits of Ethereum smart contracts. It was a particularly practical session that identified technologies and working methodologies for those who want to enter a field with a lot of room for improvement, and one that shows that fraud related to this technology will still be very present in 2023.
December 12, 2022
The Work of a Cyber Intelligence Unit in The Context Of Incident Response
Besides the work carried out by our colleagues in the forensic analysis, malware analysis and Threat Hunting teams, which we have reviewed in the articles of this series on incident response, there is an additional element to consider: the support the cyber intelligence teams give to the above, and how we in the Telefónica Tech team manage the products derived from this work. In this last part of the series, we review the objectives of this team, the work it carries out and how the material generated is used in the framework of an incident.

What do we mean when we talk about cyber intelligence?

Establishing points of consensus on the meaning of the concepts we are going to use is always a good basis for any communication exercise, and the term cyber intelligence is an example of how the use (and perhaps also the abuse) of a term can end up distorting messages and confusing objectives. To understand what we mean by the cyber intelligence team within the incident response area, what better way to start than by answering what we mean by intelligence first and cyber intelligence second. Although there are many definitions of intelligence, a fairly consolidated reference is the one contained in the Glossary of Intelligence published in 2007 by the Spanish Ministry of Defence and coordinated by Miguel Ángel Esteban. On page 82, intelligence is defined as the "product resulting from the evaluation, integration, analysis and interpretation of the information gathered by an intelligence service". Therefore, by applying the prefix cyber-, we can venture to say that cyber intelligence is intelligence related to computer networks. In any case, the basic point is that intelligence as such goes beyond data or information feeds, even if these are used to generate the final product. It is not even just context, or a list of raw links to be reviewed when the time comes.
It is a concrete product intended to support specific decision-making which, in the case of security incidents experienced by our customers in the context of a ransomware incident, can end up being dramatic.

Material for technicians and decision-makers

Information tends to be confused and inaccurate, especially in the first hours of an incident, until containment begins once the planned response plan comes into play, a plan which, with luck, will only have been exercised conceptually or in directed drills. It is precisely in the context of this coordination and planning work that some of the target audiences for the products provided by the cyber intelligence team in the field of incident response can be identified.

- The customer's own interlocutors. They need as much visibility as possible of the type of threat they are facing, to know whether there is a risk of exfiltration beyond the visible impact in the form of encryption, for example, and how to act in the face of certain actions the attacker may take. It is important that this information is on the table, both to manage expectations about information recovery and to help management teams act quickly.
- The response coordination team: the incident managers. As the organising party in an incident, they need visibility of the attacker's known tactics, techniques and procedures, and of the potential entry and exploitation vectors. From a technical point of view, the objective is to have sufficient knowledge to operationally coordinate the necessary efforts and to organise activities at the containment and investigation level, but also when coordinating the forensic, log or malware analysis that may be required based on what is known about the threat and the state of the customer's perimeter. At the same time, this work may reveal other points of action that are not necessarily technical (legal, communication, etc.) but require immediate attention beyond the purely technological.
- The team in charge of conducting the investigation. Forensic, malware and log analysts will find their work easier if they have a good grounding in the attacker's tactics, techniques and procedures. Without prejudice to the more in-depth analysis that takes place during the response itself, threat intelligence reports allow them to narrow down the initial framework of the investigation and select preliminary targets with agility, especially at the beginning of the investigation.
- The Threat Hunting team. With a very significant weight in the containment of the incident, as we have seen in previous articles, this team is in charge of containing ongoing threats as soon as they are identified and of identifying new subjects of investigation on which to perform triage and immediate mitigation actions. For this it normally needs additional context, such as the techniques the attacker is believed to have applied or the software they use, beyond the specific indicators of compromise.

Thus, in the framework of incident response, the deliverables of cyber intelligence teams go far beyond the mere identification of specific observables, although, of course, these are also provided. We are talking about giving technical analyst teams specific tools that enable them to pinpoint malicious behaviour on the machines they are analysing, and about providing the necessary support on threat behaviour in a timely manner.

Intelligence that is not shared loses effectiveness

The timeliness of the intelligence products generated has a lot to do with what we deliver and how we deliver it, but more importantly with when we deliver it and how confident we are in what we attach to our reports and deliverables.
It is about making sure that the recipient will interpret what we say as it is written, unambiguously: it is a matter of speaking the same language so that sharing takes place in a structured way, with no room for doubt about what is stated with confidence and with absolute transparency about those aspects that need to be taken with reservations. The work of the analyst teams is therefore no longer so much a one-off action/reaction task as the result of sustained effort by a team that has to be aware of the threats and able to convey this information in an orderly, clear and consistent manner. And part of that work, of course, has to be done after incidents, closing the loop, because the work of analysis does not end when the response team leaves the incident, but with the review of the lessons learned in order to integrate them into the team for the future. In any case, if we understand communication as the transmission of signals by means of a code shared by sender and receiver, establishing a common framework for the level of trust is fundamental. This is what the STIX intelligence sharing standard (currently in version 2.1) does in defining the confidence property, with which each of its objects can be rated between 0 and 100 using different credibility scales, such as the Admiralty scale proposed in the US Army's Field Manual 2-22.3. The aim of these scales is to give the analyst the possibility of expressing different degrees of certainty about each object and to avoid failing to document behaviour for fear of having to make a binary assessment (confirmed/unconfirmed).
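As an added example (not code from the article or from Telefónica Tech), the following Python script builds the kind of STIX 2.1 objects described here and in the earlier passage on behavioural indicators: a short-lived Indicator for an observable, an Attack Pattern for the behaviour it evidences, and an "indicates" Relationship between them, with each object's confidence derived from an Admiralty credibility rating using the mapping given in the STIX 2.1 confidence scales. The IP address, timestamps and attack-pattern name are constructed sample values.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

# Admiralty Code credibility ratings (US Army FM 2-22.3, Appendix B) mapped to the
# STIX 2.1 0-100 "confidence" property as in the Admiralty Credibility table of the
# STIX 2.1 confidence scales. Rating 6 ("truth cannot be judged") has no number.
ADMIRALTY_CREDIBILITY = {1: 90, 2: 70, 3: 50, 4: 30, 5: 10, 6: None}

# Constructed sample observation time, used by the demo at the bottom.
SEEN = datetime(2022, 12, 1, 10, 0, tzinfo=timezone.utc)

def stix_timestamp(dt):
    """STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def sdo(stix_type, created, **props):
    """Common STIX object header plus the type-specific properties."""
    ts = stix_timestamp(created)
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def set_confidence(obj, credibility):
    """Attach confidence derived from an Admiralty credibility rating (1-6);
    rating 6 leaves the property out instead of forcing a misleading 0."""
    if credibility not in ADMIRALTY_CREDIBILITY:
        raise ValueError(f"Admiralty credibility must be 1-6, got {credibility!r}")
    value = ADMIRALTY_CREDIBILITY[credibility]
    if value is not None:
        obj["confidence"] = value
    return obj

def indicator_from_observable(pattern, credibility, created, valid_days=7):
    """Short-lived Indicator: valid_until records that an IP or domain from one
    incident is rarely worth alerting on beyond a few days."""
    ind = sdo("indicator", created, pattern=pattern, pattern_type="stix",
              valid_from=stix_timestamp(created),
              valid_until=stix_timestamp(created + timedelta(days=valid_days)))
    return set_confidence(ind, credibility)

def indicates(indicator, attack_pattern, credibility, created):
    """Relationship tying the observable to the TTP it is evidence of."""
    rel = sdo("relationship", created, relationship_type="indicates",
              source_ref=indicator["id"], target_ref=attack_pattern["id"])
    return set_confidence(rel, credibility)

def bundle(*objects):
    """Wrap objects in a Bundle, rejecting any confidence outside 0-100."""
    for obj in objects:
        conf = obj.get("confidence")
        if conf is not None and not 0 <= conf <= 100:
            raise ValueError(f"{obj['id']}: confidence {conf} outside 0-100")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}

if __name__ == "__main__":
    # 203.0.113.10 is from the documentation address range; the TTP name is a sample.
    ttp = sdo("attack-pattern", SEEN, name="Remote Services (constructed sample)")
    ioc = indicator_from_observable("[ipv4-addr:value = '203.0.113.10']", 2, SEEN)
    print(json.dumps(bundle(ttp, ioc, indicates(ioc, ttp, 3, SEEN)), indent=2))
```

The resulting bundle carries the observable, the behaviour and the analyst's certainty about each in one structured package, so a recipient can filter on confidence and on validity window rather than guessing how much to trust a bare IP list.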
Thus, the fact that there is evidence of questionable credibility at a given moment is relevant, because only if it is documented and recorded will it be possible to correlate it in the future, which reminds us of the importance of the time factor when making the assessments included in the reports.

Time factor

It is clear that an intelligence unit will accumulate knowledge over the years that can be built up and integrated for the future. Storing it in a consistent and reusable way is critical, as we have seen, especially if it is to be available just when it is most needed and in the form it is needed. But in incident response, the pressure and timing of decision-making are decisive. Indeed, one of the aspects that most differentiates the analyst working in incident response from a purely academic or research profile is that he or she works against the clock and under uncertainty. Those dealing with the reality of an incident must cope with the gradual arrival of information, the unavailability of some of it when it is most needed, and the pressure experienced by a client who is inundated with calls from concerned customers and suppliers and who has to meet statutory reporting obligations. All this while trying to contain a threat whose impact is only hinted at by the massive encryption of computers, and while trying to ensure that backups and systems are impacted as little as possible. In academic research the urgency is not as immediate, and with days or weeks to spare there are more options to review the details of every scenario, look at them in depth and learn accordingly. The reality of an incident in which our clients have factories or entire areas shut down is unfortunately much more dramatic.
It involves Hunting colleagues with specific operational needs that cannot be postponed, in the form of indicators and behaviours to block, and forensic colleagues who need context and clues about which machines to start the search for patient zero on, and to understand how, why and to what extent the threat occurred. This is where time, understood both as effort and as timeframe, is key to getting the tactics, techniques and procedures known from similar threats to their intended audience: both at the operational level for containment and mitigation, and at the strategic level to support the decision-maker on the possible scenarios that lie ahead. It is right there, when things don't seem to be working, that the different areas of the response team can help, working side by side, to recover that longed-for normality. Against the clock, but right on time.
September 27, 2021