Recently, Trellix published an article discussing the fact that it is increasingly difficult to tell cybercrime and APT groups apart by their TTPs. Even if the title of the article promised to explain "how", I did not really get it. So I wrote down what I think explains why intrusion sets[1] all use the same TTPs: they just do what is most likely to work.
Information systems are still vulnerable. Intrusion sets want to be as efficient as possible when exploiting them. In competitive video games, this is what is called the Most Effective Tactics Available (META). In the context of cyber threats, it is the set of Tactics, Techniques and Procedures (TTPs) that are the most likely to achieve the intrusion set's objective without detection and at the lowest possible cost. The META is dynamic. Intrusion sets learn and adapt to the cyber ecosystem, just as defenders do. If a tactic or technique is too well countered by defenders, intrusion sets will change accordingly[2].
We tend to forget, but intrusion sets are like penetration testing teams[3]. They have at their disposal the knowledge shared by the offensive cyber community, especially its tooling. These tools are as efficient as custom-made tools — sometimes even better — and they are free. Because anyone can use them, attributing their usage to a particular group is not possible. Some of these tools are well established in the META.
The META also targets the insecurity by default of information systems and the difficulty of monitoring them. Defense evasion techniques exploit legitimate tools and functionalities of the operating system. Living off the Land binaries are first and foremost used by the operating system, applications, and administrators. Windows is designed to allow process injection and DLL loading. Command and control infrastructures are similar: some legitimate services offer the same functionalities, like uploading files and sending data. Detecting the nefarious intent behind those behaviors on a large information system is a big challenge.
For intrusion sets, what has been spared in R&D costs is paid for by reduced chances of success against defenders aware of the META. This is a risk cybercriminals — especially the least advanced — are more willing to take. They can always find a new target. Groups affiliated with governments and the military might prefer to have every chance on their side — if the target is worth the effort. They will more likely use their own tools and infrastructure to avoid detection.
Not every corporation can — let alone is willing to — watch over each PowerShell script execution or block access to Dropbox. The number of doors that attackers can open is massive, and they only need one to be successful. Since every group uses it, implementing defenses against the META can pool the effort[4] and keep your organization safer against a lot of threats.
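As an added example (not code from the original post or from Trellix), the following Python triage routine shows one way defenders can approach the problem raised in the two paragraphs above: a Living off the Land binary such as PowerShell is used all day by administrators, so its mere presence proves nothing, and context (which application started it, what its command line asks for) has to be accumulated before anything is worth an analyst's time. The event format, the weights, the threshold and the sample events are all constructed for this example; real telemetry (Sysmon, EDR) carries more fields and needs tuning to the estate.

```python
import re
from dataclasses import dataclass, field

# Windows binaries the post calls "living off the land": used daily by the OS
# and administrators, so their presence alone proves nothing.
LOLBINS = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "certutil.exe", "wscript.exe", "cscript.exe"}

# Document readers rarely need to start a scripting host; when they do, the
# parent process is the context that separates a macro from an admin script.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits that are legitimate on their own but add up.
# (pattern, reason shown to the analyst, weight)
ARG_TRAITS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command argument", 1),
    (re.compile(r"https?://", re.I), "remote URL in command line", 1),
    (re.compile(r"-(w|windowstyle)\s+hidden\b", re.I), "hidden window requested", 1),
]
DOCUMENT_PARENT_WEIGHT = 2
REPORT_THRESHOLD = 2  # one trait alone is noise on a large estate; context must add to it


@dataclass
class Finding:
    timestamp: str
    user: str
    image: str
    score: int
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation record.

    Format (an assumption for this example, not a real log format):
        timestamp|user|parent_image|image|command_line
    command_line is last so it may itself contain '|' characters.
    """
    ts, user, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def score_event(ev: dict) -> Finding:
    """Accumulate weak signals around a LOLBin launch into one score."""
    finding = Finding(ev["ts"], ev["user"], basename(ev["image"]), 0)
    if finding.image not in LOLBINS:
        return finding  # not a living-off-the-land binary: out of scope for this rule
    parent = basename(ev["parent"])
    if parent in DOCUMENT_APPS:
        finding.score += DOCUMENT_PARENT_WEIGHT
        finding.reasons.append(f"started by document application {parent}")
    for pattern, why, weight in ARG_TRAITS:
        if pattern.search(ev["cmdline"]):
            finding.score += weight
            finding.reasons.append(why)
    return finding


def triage(lines, threshold: int = REPORT_THRESHOLD) -> list:
    """Return findings at or above the threshold, highest score first."""
    findings = [score_event(parse_event(line)) for line in lines if line.strip()]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample events (not real telemetry); the base64 blob is a placeholder.
SAMPLE_EVENTS = [
    r"2024-03-01T08:02:11|CORP\itadmin|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\inventory.ps1",
    r"2024-03-01T08:05:40|CORP\analyst|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command Invoke-WebRequest https://intranet.example.test/report.csv -OutFile report.csv",
    r"2024-03-01T08:09:03|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\certs\root.cer",
    r"2024-03-01T08:12:57|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -enc AAAAAAAA",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user} {f.image} score={f.score}: {'; '.join(f.reasons)}")
```

Run as-is, only the fourth event is reported: the analyst fetching a CSV over HTTPS and the administrator's inventory script both use the same binary, and the URL alone scores below the threshold. That is the trade-off the post describes: lowering the threshold to 1 surfaces the analyst's download too, which is exactly the volume most organizations cannot afford to review.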
That's it for the first post. It was fun to make. So many hours playing League of Legends are now justified. I limited the post to 500 words; I wish to keep most of the posts short — or at least medium size. Yes, I cheated a bit with footnotes. There are still improvements to be made in my style, but I hope it will get better in time. If you read this far, what did you think? The comment section is open for discussion!
PS: This blog post discusses the operational part of the "Blurring The Lines" article. The next will be about the motivations and objectives.
[1] I do not like to call groups FIN or APT. I think it introduces biases unnecessarily, at least for me.

[2] For instance, macro-embedded documents were the go-to for initial access. Microsoft finally decided that it was time to consider this seriously, so it is a technique that almost belongs to the past. I still encounter some macro-related documents once in a while. These documents exploit old vulnerabilities like CVE-2017-11882. Yes, some people have not installed the patch, even today.

[3] In China, some intrusion sets are literally cybersecurity firms — for example I-Soon (FishMonger) and Chengdu 404 (APT41).

[4] Common offensive tools are often used as benchmarks when evaluating security products or services. A SOC team or an EDR that cannot detect them is, at the very least, a waste of money.