For Sherlock Holmes, catching criminals was elementary: Carefully observe the scene of the crime, and the clues become self-evident.
But when the criminals are hackers, the crime scene is cyberspace and the clues are buried among reams of data. Nothing is self-evident. Detecting and thwarting hackers requires automated tools operated by professionals adept at discerning patterns amid seeming randomness. Equally important, detection and defense must keep pace with the constantly evolving tactics of hackers.
But just like on a physical battlefield, a strong defense requires intelligence on identifying who the enemy is and the tactics they use.
“Cyberthreat intelligence is all about understanding how the adversary operates,” said Jessica O’Bryan, cyberthreat intelligence and threat hunt development lead at Viasat’s Cyber Security Operations Center.
Speaking at a webinar on cybersecurity during the Association of the United States Army (AUSA) annual conference in October, O’Bryan delved into how Viasat cybersecurity detectives use threat intelligence to spot and thwart attacks.
To say that cyberspace is a threat-rich environment would be an understatement. Complicating the defender’s task is that there are numerous hackers, including Advanced Persistent Threats (APT), that target the U.S. military and other government agencies.
“They all operate a little differently,” O’Bryan said. “Some are sophisticated and stealthy. Some are blatant and use open-source tools. Some are a combination, and they can all change how they operate over time.”
A Viasat advantage
Many cybersecurity firms focus on Indicators of Compromise (IOC), which is evidence of intrusion, such as entries in system logs. O’Bryan compares this to a game of whack-a-mole, as hackers flit from IP to IP to launch their attacks. Added is the fact that IOCs are published openly, which means hackers know when they’ve been compromised.
Viasat’s strategy is to look for Indicators of Attack (IOA), which are the Tactics, Techniques and Procedures (TTP) that adversaries use to hack into networks and devices. And it is here that Viasat has a unique advantage. Because it is an ISP across multiple continents, Viasat handles vast amounts of web traffic.
“We have so much data that spans multiple industries, from government, to aviation, to business and residential,” O’Bryan said. “This is really exciting because we have so much data [available] to observe APT activity [on].”
Probing for vulnerabilities
Why would hackers targeting high-level government and military targets bother with attacking commercial traffic? Because commercial traffic lets them find vulnerable nodes for launching future attacks, gives them a chance to score some money through fraud and ransomware – and lets them practice their TTPs before going after more sensitive targets.
“If you were a bank robber, would you rob a bank using tools you’ve never tested before?” O’Bryan asked, as she described how Fancy Bear – a notorious hacker ring associated with Russian military intelligence – tested open-source hacking tools “in the wild” before using them on more sensitive targets.
That’s why Viasat created Predictive Cyber Threat Hunting Intelligence Analytics, or PyTHIA. This is a tool that fingerpints APT and Malware Family behavior using cyberthreat intelligence-driven behavioral analytics.
“PyTHIA extracts the trends, and analysts vet them to determine if we are seeing novel Indicators of Attack,” O’Bryan explained. Then the data is reanalyzed to see if there are also novel Indicators of Compromise.
PyTHIA leverages a combination of automated data analysis methodologies and advanced cybersecurity expertise to link various forms of attack with specific hackers. And because Viasat is using unpublished intelligence, “adversaries don’t know that we know how they’re operating, and we can watch them over time,” O’Bryan said.
How Viasat tech tracks hackers
To illustrate this with a real-life example, Viasat data scientist Laura Wilke – who helped develop PyTHIA — went step-by-step into how PyTHIA can track APT 41, a hacker ring associated with Chinese intelligence agencies (several members of which were indicted by the U.S. Department of Justice in September.) Using 53 IP addresses known to be used by APT 41, PyTHIA found that 38 of those IPs were communicating with Viasat clients. Examining which ports APT 41 used provided clues to APT 41’s TTPs, including the fact that they may be utilizing BitTorrent, a file-sharing protocol.
“That’s interesting, because APT 41 has never been reported using BitTorrent, so we may have a novel Indicator of Attack,” O’Bryan said.
Other clues include the size of the data that hackers are receiving. “The byte sizes can give us insight into what this APT is doing to our clients,” Wilke said. “Are they opening sessions? Are they transferring data? This is additional information that we can pass off to our cybersecurity experts.”
In effect, Viasat is identifying behaviors that the adversary might employ. Understanding how the adversary might behave in a mission equips cyber analysts to interdict the adversary’s cyber kill chain. Cyber threat intelligence can be used with mathematical tools, i.e. machine learning, to quickly detect, identify and stop these threats.
Ultimately, Viasat’s approach enables two key advantages:
- We’re able to gain visibility into these novel IOAs and IOCs before they are published for the adversary to see; and
- The novel intelligence we derive from our residential and business internet service is used to protect all of our customer networks, including government segments.
“What do we get from all these behavioral analytics that are derived from our threat intelligence?” O’Bryan asked. “From our PyTHIA tool, we are able to fingerprint adversary TTPs. And we are able to identify novel Indicators of Attack and Indicators of Compromise.”