Thailand? Who Would Have Thought?
As you have probably heard, Sony Pictures Entertainment was recently the target of a major compromise, which involved the copying of vast amounts of data, including the personal details of employees, internal emails, and several unreleased movies. Reporting on this attack has largely focused on determining the potential source (with much speculation regarding North Korea), and only recently uncovering that a portion of the attack originated in Thailand, specifically a hotel and college in Bangkok.
This connection to Thailand is interesting, but for a different reason than just knowing where the attack came from. For us, the information on Thailand stuck out, thanks to a fairly recent Threat Intelligence presentation given at Defcon 22 last August.
Before we discuss that presentation, we should provide some background on Threat Intelligence. Threat Intelligence (TI) at its most basic level refers to the ways in which security professionals share information about attacker activity, hopefully before the attacks even occur. In recent years, this intelligence often takes the form of Threat Intelligence Feeds: lists of malicious hosts (IPs, websites, etc.) that are generated by undercover operatives monitoring known command and control servers and sharing the information gained from this activity. On the Defense-In-Depth Kill Chain (shown below), this type of work is aimed at preventing attacks in the Recon stage, before they even begin.
Figure 1: The Defense in Depth Kill Chain
At Defcon 22 in August, Alex Pinto and Kyle Maxwell gave a presentation called "Measuring the IQ of your Threat Intelligence Feeds" that discussed TI feeds and focused on using statistics to analyze their value, specifically focusing on Open Source (i.e. publicly available) feeds. The presentation goes into great detail about the methods and mathematical modeling used for this analysis, looking for correlations between very large data sets to identify potential sources of attacks. In the video, the researchers do a good job of breaking down these concepts; however, with regard to the Sony attack, their results are even more interesting. Around 32:25 in the video, listen to which country Mr. Pinto identifies as the number one source of malicious activity based on these Open Source feeds.
Not Russia, not China. Thailand.
This of course is not meant to imply anyone could have predicted the Sony attack. However, it does highlight how TI is being used already to start isolating threat sources. Since most TI feeds offer a ton of data, knowing how to sort and analyze that data to draw out the most valuable information is essential, and the Pinto & Maxwell presentation does an excellent job of showing how that can be done. With the right data analysis of TI feeds, security professionals have another advantage in preventing attacks before the Recon stage of the Kill Chain, and removing any attackers that may be lingering inside the network – what we call the Persistence stage. Threat Intelligence efforts should focus on data sharing methods as well as data analysis techniques. By sharing data about malicious activity, security teams are better equipped to prevent incidents from taking hold as soon as possible.
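To make the "sort and analyze" step concrete, here is an added example (not code from the original post, and not Pinto and Maxwell's tooling) of the most basic TI-feed hygiene a security team can do itself: normalize two open-source feeds that use different plain-text layouts, measure how much they overlap, count indicators per country, and check firewall log lines against the merged indicator set. The feed contents, the IP-to-country table and the log lines are all constructed sample data using documentation address ranges; the country tallies are illustrative and say nothing about real feeds.

```python
"""Added example: normalize, compare and apply open-source TI feeds.
All feeds, the IP-to-country table and the log lines below are
constructed sample data, not real indicators (assumption for the demo)."""
import ipaddress
import re
from collections import Counter

# Constructed feed contents in two common plain-text layouts: one IP per
# line with '#' comments, and CSV "ip,description" rows with a header.
FEED_A = """# constructed sample feed A
203.0.113.10
203.0.113.10
198.51.100.7
192.0.2.44
"""

FEED_B = """ip,description
198.51.100.7,scanner
192.0.2.99,c2
203.0.113.10,c2
not-an-ip,bogus row
"""

# Constructed IP-to-country lookup; a real deployment would use a GeoIP
# database rather than a hand-written table.
GEO = {
    "203.0.113.0/24": "TH",
    "198.51.100.0/24": "RU",
    "192.0.2.0/24": "CN",
}


def parse_feed(text):
    """Return the set of valid, deduplicated IPv4 indicators in a feed."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        candidate = line.split(",")[0].strip()
        try:
            ips.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue  # skips CSV headers and malformed rows
    return ips


def overlap(a, b):
    """Jaccard similarity: the share of all indicators both feeds report.
    Near-identical feeds add little new coverage to each other."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def country_of(ip):
    """Map an indicator to a country code via the constructed GEO table."""
    addr = ipaddress.IPv4Address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.IPv4Network(net):
            return cc
    return "??"


def indicators_by_country(ips):
    """Count indicators per country, the kind of tally behind a
    'top source country' statement."""
    return Counter(country_of(ip) for ip in ips)


# Matches the SRC= field of iptables-style firewall log lines.
LOG_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+)")


def match_logs(log_lines, ips):
    """Return (ip, line) pairs for log lines whose source IP is a known
    indicator; this is the detection step the feeds exist to support."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(1) in ips:
            hits.append((m.group(1), line))
    return hits


# Constructed firewall log lines for the demo.
LOGS = [
    "Dec 10 03:14:07 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 DPT=443",
    "Dec 10 03:14:09 fw kernel: IN=eth0 SRC=10.0.0.8 DST=10.0.0.5 DPT=22",
    "Dec 10 03:15:01 fw kernel: IN=eth0 SRC=192.0.2.99 DST=10.0.0.5 DPT=80",
]

if __name__ == "__main__":
    a, b = parse_feed(FEED_A), parse_feed(FEED_B)
    print(f"feed overlap (Jaccard): {overlap(a, b):.2f}")
    print("indicators by country:", dict(indicators_by_country(a | b)))
    for ip, line in match_logs(LOGS, a | b):
        print("hit:", ip, "->", line)
```

The overlap figure is the point of interest when deciding what a feed is worth: a free feed that largely duplicates one you already consume adds little coverage, while one with a low overlap but a high hit rate against your own logs is earning its place. Deduplication and the rejection of malformed rows matter because feeds are aggregated from many sources and routinely contain both.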
Additionally, and possibly more importantly for organizations considering where to allocate security budget, the Sony breach highlights the relative accuracy of Open Source TI feeds. While many companies receive value from commercial feeds, Pinto and Maxwell have shown that publicly available (read: free) TI feeds also provide benefits – they simply need the right kind of analysis. Is this to say that commercial TI feeds are worthless? Of course not, but the recent Sony breach, combined with this research, should give anyone a decent incentive to start including Open Source intelligence in their security efforts.
Could better TI have prevented Sony's breach? We can't really know the answer, but it couldn't have hurt. Better TI data, better data analysis, and better usage of that analysis can only help.