Operational Relay Boxes: An old new challenge in Threat Intelligence
One constant in cyber security is that everything is changing... constantly. We refer, of course, to the evolution of the techniques used by APT groups to evade defenses, avoid detection and make attribution more difficult.
Let's stay on this last point. Attribution means assigning a set of tactics, techniques and procedures (TTPs, of the kind catalogued in MITRE ATT&CK) to a particular group of attackers, who will almost always belong to a geopolitical zone with interests ranging from sabotage to espionage or purely economic gain.
In some cases the attacker even wants to subvert this attribution, to divert it and blame another APT group (and by association, in many cases, another nation) for the operation. This is what has been called, since time immemorial, a false flag operation: for example, making a sabotage look like the work of another APT group. (Nothing sophisticated: the same trick is played at home and in the schoolyard.)
ℹ️ Advanced Persistent Threats (APT) are meticulously planned cyberattacks that remain covert within a system for extended periods, aiming to spy or steal information without being detected.
This false flag can range from something as simple as writing code comments or strings in the language of the party to be blamed, or routing through proxies in that party's home country, to using expressions typical of their language and small details that leave false clues for the trained eye. Some go as far as writing in a third language while reproducing the typical mistakes made by speakers of the country that is the object of the false attribution. And of course, generative AI has improved these techniques (anyone remember phishing emails full of misspellings?).
However, in many cases attribution is simply not wanted, and there is no intention of pinning the blame on a third party either. On the contrary, the aim is to mask the attack for many different reasons, chief among them anonymity and concealment of an infrastructure that is so hard to set up and which, once discovered, is usually taken down and analyzed, feeding the evidence base for later cases.
Now, for the purpose of this article, let's look at one type of network infrastructure that can take many forms and layers and serves as a quagmire against the best efforts of the incident response infantry. Its mission is to keep operating while making discovery and attribution of the infrastructure as hard as possible. The ninja concept, but APT style.
The different approaches to “fronting” on the web
A few years ago (well, quite a few years now) malware writers started to employ techniques to make their assets more difficult to discover on the network. If they wanted to deploy, for example, a malware download point or a phishing page, they would host it on the botnet itself (a network of infected computers under criminal control). A DNS record with a very low time to live (TTL) was published for the domain, and the IP addresses it advertised were changed constantly, rotating through the addresses of the infected machines. In this way the IP address behind a domain changed every few minutes, throwing analysts off the scent and making it difficult to focus their efforts, or a blocklist, on a single point. The technique is called Fast-Flux.
Another technique consists of chaining proxies together (proxy chaining), inserting a series of pivot nodes between the operator and the target to add layers of complexity to the attribution. Cinema has captured this form, and it surely evokes everyone's personal imagination: the world map with traffic packets traveling from city to city across the globe while someone pounds the keyboard as if playing Prokofiev's Toccata Op. 11.
Then, with the advent of bulletproof hosting and institutionally backed brazenness, APT groups were (and are) operating in the open through servers hosted in their own or allied territory, so attributing the operation was easy and straightforward. There is not much of a layer to peel back in these cases. Requests through administrative channels to shut down such infrastructure fell on deaf ears or were delayed without explanation.
Let us add to our small and involuntary anthology the Tor-type networks, which, although useful where freedom of expression is in question, are also used for morally and ethically questionable purposes. However, Tor relays are publicly listed, and Tor traffic is in many cases blocked by EDRs and other security devices, so its use for this purpose is marginal, and we could even say naïve.
Operational Relay Box
And so we reach the consequence. If a group wants to make it difficult to attribute its activity and to share information about it, it must make exposing its infrastructure as costly as possible for the analyst.
A botnet? No good to us: too noisy, and it can be taken down and even analyzed to find out who's behind it. Tor? Come on, let's be serious. Bulletproof servers? Not if we want to go undercover. Proxy chaining? Ariadne's thread is never sturdy enough, or probably never long enough.
What if a third party rents us an amalgamation of everything discussed above? What if we copy the Tor-like network architecture, but without Tor? Well, that is more or less the type of network infrastructure that has been dubbed ORB (Operational Relay Box), which combines rented VPS servers acting as proxies with an assortment of compromised devices, namely IoT devices, SOHO routers, etc., serving as relays.
Having all that gear in constant motion makes it difficult to follow a thread, because the thread is continually changing shape, size and color. And sometimes the thread even frays into several strands, like a hydra on the rampage. An ordeal for the researcher.
In fact, there are voices proclaiming the death of the IOC (indicator of compromise) in the face of this type of infrastructure. Among them Michael Raggi, from the Mandiant team (now part of Google Cloud), who has researched, written and presented on this issue; his article “IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders” (Google Cloud blog, May 2024) is recommended reading.
Why 'the death of the IOC'?
The IOC aims to be a fixed point. If we know that a piece of malware uses a given set of domains and their corresponding IP addresses, we have a picture to rely on when deploying preventive measures or diagnosing an attack.
That is, if our defenses detect outbound traffic trying to contact one of those malicious domains or addresses, we have an infection pointing to a certain malware family (and, pulling on the thread, who knows, to a specific APT).
So, what happens when IP addresses dance around in a matter of hours or a few days? What fixed point do we grab to feed our threat feed? What Snort rule do we add to our already crowded medicine cabinet?
It's simple to understand and it's going to be a challenge to counter. Without fixed points of reference the cost of detection goes up, the cost of attribution goes up, and so the landscape ahead of us (well, it has been here for a while now) is challenging in many ways.
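As an added example (not code from the original article or from Mandiant), the following Python script ties together the Fast-Flux description above and the question of what a static IP IOC is worth when addresses rotate. It profiles constructed passive-DNS-style observations for the classic fast-flux signature (very short TTL, many addresses spread over several networks) and then measures how much of a domain's traffic an IP blocklist taken at one moment would still catch later. The domain names, addresses, TTLs and thresholds are all invented for illustration; the /24 prefix stands in for a proper ASN lookup so the script runs offline.

```python
# Added example (not from the original article): score passive-DNS-style
# observations for fast-flux churn and measure how quickly a static IP IOC
# list goes stale against a rotating domain. All records, names and
# thresholds below are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DnsObservation:
    ts: int      # observation time in seconds (constructed, relative to 0)
    qname: str   # queried domain
    ip: str      # IPv4 address returned in the A record
    ttl: int     # time to live of the record, in seconds


# Constructed sample: one domain rotating across several networks with a
# 60-second TTL, one ordinary domain parked on a single address for hours.
SAMPLE = [
    DnsObservation(0,    "update.example.net", "198.51.100.10", 60),
    DnsObservation(60,   "update.example.net", "198.51.100.44", 60),
    DnsObservation(120,  "update.example.net", "203.0.113.7",   60),
    DnsObservation(180,  "update.example.net", "192.0.2.99",    60),
    DnsObservation(240,  "update.example.net", "203.0.113.80",  60),
    DnsObservation(300,  "update.example.net", "198.51.100.10", 60),
    DnsObservation(0,    "www.example.org",    "192.0.2.5",     3600),
    DnsObservation(3600, "www.example.org",    "192.0.2.5",     3600),
    DnsObservation(7200, "www.example.org",    "192.0.2.5",     3600),
]


def prefix24(ip: str) -> str:
    """/24 prefix as a cheap offline stand-in for 'a different network' (no ASN lookup)."""
    return ".".join(ip.split(".")[:3])


def flux_profile(observations: Iterable[DnsObservation], qname: str) -> Optional[dict]:
    """Summarise how the A records of qname move over the observation window."""
    recs = sorted((o for o in observations if o.qname == qname), key=lambda o: o.ts)
    if not recs:
        return None
    # Count the times the answer changed between consecutive observations.
    changes = sum(1 for prev, cur in zip(recs, recs[1:]) if prev.ip != cur.ip)
    return {
        "unique_ips": len({o.ip for o in recs}),
        "unique_prefixes": len({prefix24(o.ip) for o in recs}),
        "min_ttl": min(o.ttl for o in recs),
        "ip_changes": changes,
        "window_s": recs[-1].ts - recs[0].ts,
    }


def is_fast_flux(profile: dict, max_ttl: int = 300, min_ips: int = 3,
                 min_prefixes: int = 2) -> bool:
    """Fast-flux heuristic: short TTL plus many addresses spread over several networks.

    Thresholds are illustrative assumptions; a production rule would also
    weigh ASN diversity and the age of the domain.
    """
    return (profile["min_ttl"] <= max_ttl
            and profile["unique_ips"] >= min_ips
            and profile["unique_prefixes"] >= min_prefixes)


def snapshot_blocklist(observations: Iterable[DnsObservation], qname: str,
                       until_ts: int) -> set:
    """The IP IOCs an analyst would have extracted from qname up to until_ts."""
    return {o.ip for o in observations if o.qname == qname and o.ts <= until_ts}


def ioc_coverage(observations: Iterable[DnsObservation], qname: str,
                 blocklist: set) -> float:
    """Fraction of all resolutions of qname that a static IP blocklist matches."""
    recs = [o for o in observations if o.qname == qname]
    if not recs:
        return 0.0
    return sum(1 for o in recs if o.ip in blocklist) / len(recs)


if __name__ == "__main__":
    for name in ("update.example.net", "www.example.org"):
        prof = flux_profile(SAMPLE, name)
        print(name, prof, "fast-flux" if is_fast_flux(prof) else "stable")
    early = snapshot_blocklist(SAMPLE, "update.example.net", until_ts=0)
    print("IP IOC coverage from a t=0 snapshot:",
          ioc_coverage(SAMPLE, "update.example.net", early))
```

In this constructed data the rotating domain is flagged and a blocklist built from the first resolution matches only a third of the later traffic, while the domain name itself remains a usable pivot. That is precisely the gap an ORB network widens: when the relays are rented or compromised boxes cycled every few hours or days, the IP layer stops being a fixed point and detection has to lean on attributes that outlive any individual relay.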
For those of us who enjoy looking for solutions to new problems it is going to be a tempting challenge; for those who are suffering right now and have nothing to hold on to, it is a real pain. But hey, it's the same old story: in this race the mouse will always have the advantage.
Photo: Taylor Vick / Unsplash.