
CHRIME and Constellation


by Monty St John

If you haven’t had a chance to look over the introduction to CHRIME via this link, take a second to do so before diving into this first topic.  It sets the stage for understanding what CHRIME is all about and gives some context to make the dive we are about to take a little less daunting.

 

The “C” of CHRIME stands for Constellation, a reference to the stars in the sky and the patterns they make, as well as the navigational techniques that have evolved to take advantage of them.  Beyond being a handy letter for our mnemonic, it was selected with some care.  Psychologically, the concept of a constellation draws your attention upwards, whereas a map, the other close logical choice, draws your attention downwards.  Constellations also inherently refer to navigation and patterns: combinations of stars and heavenly bodies that have meaning beyond their mere collection.  In CHRIME, our “C” topic inherits all those implications.  Your constellation, like a real-world one, will:

 

  • Draw attention
  • Act as a navigation mark
  • Represent a pattern
  • Refer to an entity broader than its composition

Structure, then context

In its simplest form, a Constellation is the set of links one step away from the element being examined.  Take DNS, for example.  If we start with a domain as our pivot, the one-step pattern looks like this:

 

  • Domain
    • IP Address
      • IP Range (CIDR)
        • ASN
      • Hosting Provider
    • WHOIS
    • NS
    • MX
    • Registrar

 

Defining this pattern could be enough to answer our question, but with DNS it usually takes a second step, digging into the attributes of each link, to make that determination.  Constellations were conceived with the idea that you iterate through the process in a spiral of greater and greater detail until either an answer is reached or a second CHRIME topic is needed to supply the context instead.  A second iteration, though, looks much deeper into each of the high-level connections.

 

  • Domain
    • Age
    • Entropy
    • Parked
    • DNS association (mimicry, bouma, etc.)
    • IP
      • Parked Page IP
      • Tor Exit Node
      • Proxy/VPN/DDNS
      • rDNS (PTR)
      • # of domains hosted
      • # of mail servers hosted
      • # of name servers hosted
      • IP Range
        • # of IP Routes
        • # of domains hosted
        • # of mail servers hosted
        • # of name servers hosted
        • # of IDN domains hosted
        • # of Spam hosts hosted
        • ASN
          • AS Name (ISP)
          • Country Ownership
          • Bogus AS
          • Bogons
        • Hosting Provider
          • Tor/Underground
          • BPH
          • Country
          • Company data (size, AS owned, etc.)
        • WHOIS
          • Age
          • Expiration date
          • Forged?
          • Public or private email?
          • Address (mappable? Correct?)
          • Ownership change?
        • NS
          • Custom or default?
          • DDNS?
          • Consecutively numbered?
          • Same hosting provider?
          • Circular referencing?
        • MX
          • Mail Server Type
        • Registrar
          • Tor/Underground
          • Country
          • Company data (size, TLDs registered, etc.)
          • Free domains?
          • Managed DNS?
          • Traceable website?

 

But first, we need to…

Before we get too far down the trail, it’s important not to forget that all of CHRIME is driven by a question to answer.  Defining it is critical; otherwise you’ve poisoned the effort and doomed it to fail.  The point of the collection, analysis and reporting functions is to answer the question and then derive the next, obvious sub-questions that will demand to be answered.  To outline our process for the “C” topic, we are going to use a phishing scenario.  We will skip the obvious question, “is this phishing?”, go straight to “is this phishing targeted or untargeted?”, and see what answer we can find.

 

Phishing in our little pool

Phishing is the common bane of all our security existences.  If you have email, you have phishing and spam.  To build out the details of our example, we are going to use a straightforward phishing attempt that was sent to 47 individuals.  It was sent on a Sunday, in batches of roughly 10 targets each, as a series of waves spaced 30 to 90 minutes apart.  The phishing theme was a verification of credentials in relation to a corporate survey, and the call to action was well crafted, with a link to an offsite location similar to past corporate surveys.  With the stage set, let’s craft our initial pattern.

 

  • Phishing Email
    • To
    • From
    • Subject
    • Reply-to
    • Rec’d Chain (MTA & IP)
    • Source Host
    • Message-ID
    • Content
      • Intro
      • Call to Action
      • URL Links
      • Attachments
      • Close/Signature

 

This much data is usually more than enough to classify the email as phishing and process it according to your procedures (e.g., warn end users, black-hole the DNS, block, flag and remove the emails, block the URLs and deploy signatures for any attachments or downloads).  To get to the root of our question, “is this phish targeted or not?”, we’ll need to dig a bit deeper by iterating one more step.

 

  • Phishing Email
    • To
      • Department
      • Function (job)
    • From
      • Impersonation
      • Trusted Source
    • Subject
      • References internal details?
      • References external details (news, community, social event, etc.)?
      • Urgency
    • Reply-to
    • Rec’d Chain (MTA & IP)
    • Source Host
    • Message-ID
    • Content
      • Intro
        • Personalized?
      • Call to Action
        • Sense of urgency?
        • Type (Temptation/Threat/Complaint/Request/etc.)
        • Skill in wordsmithing (poor, native, highly educated, technical, etc.)
        • Orthogonal errors?
        • Social Engineering links?
      • URL Links
        • Obvious or hidden?
        • Obfuscated?
        • Begins with IP address?
        • Masked via HTML?
      • Attachments
        • Macros?
        • Shellcode?
        • Malware?
        • Links to malicious scripts or fraudulent websites?
      • Images
        • Embedded
        • Downloaded
      • Close/Signature
        • Signature Block
        • Correct for email?
        • Social Engineering back links?
        • URL?
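
Most of the header and content attributes in the two email patterns above can be pulled straight out of the raw message.  The following is an added example, not code from the CHRIME course or from CyberDefenses, that parses one constructed message (every address, host, name and URL in it is invented; the 203.0.113.0/24 and 192.0.2.0/24 ranges and .example names are reserved for documentation) and fills in the “From/Reply-to” mismatch, the first hop in the Rec’d chain, the “begins with IP address” and “masked via HTML” link attributes, the urgency cues, the personalized greeting, and whether the signature block names someone in a (constructed) staff directory.  The urgency cue list and the greeting and sign-off patterns are assumptions, not anything the article specifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message modelled on the scenario in the text. Every address, host,
# URL and name is invented; .example and 203.0.113.x / 192.0.2.x are reserved
# for documentation.
RAW = """From: "HR Survey Team" <hr-survey@corp-surveys.example>
To: jane.doe@corp.example
Reply-To: results-collect@mail-relay.example
Subject: ACTION REQUIRED: verify your credentials for the Q4 climate survey
Message-ID: <20231203091358.9f1a@mail-relay.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10]) by inbox.corp.example; Sun, 3 Dec 2023 09:14:02 +0000
Received: from smtp4.mail-relay.example (unknown [203.0.113.77]) by mx.corp.example; Sun, 3 Dec 2023 09:13:58 +0000
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane,</p>
<p>Your response is required within 24 hours or your survey access will be suspended.</p>
<p><a href="http://203.0.113.77/s/8Kq2ZpQ1">https://surveyvendor.example/climate</a></p>
<p>Regards,<br>Alex Morgan, Director of People Operations<br>corp.example</p>
</body></html>
"""
DIRECTORY = {"jane doe", "priya raman"}  # constructed staff list for the signature check
URGENCY = ("action required", "within 24 hours", "suspended", "immediately")  # assumed cue list
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_LIKE = re.compile(r"^(?:https?://|www\.)", re.I)


class _HtmlWalker(HTMLParser):
    """Collects anchor href/text pairs plus the visible text, in document order."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._in_anchor = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append({"href": dict(attrs).get("href", ""), "text": ""})
            self._in_anchor = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())
            if self._in_anchor:
                self.links[-1]["text"] += data.strip()


def classify_link(link):
    """Flags the 'begins with IP address' and 'masked via HTML' attributes for one anchor."""
    href_host = urlsplit(link["href"]).hostname or ""
    shown, shown_host = link["text"], ""
    if URL_LIKE.match(shown):  # anchor text that itself looks like a URL
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
    return {"href": link["href"], "text": shown,
            "ip_host": bool(IP_HOST.match(href_host)),
            "masked": bool(shown_host) and shown_host != href_host}


def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw, directory):
    """Fill the second-iteration email attributes from one raw RFC 5322 message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # each MTA prepends its Received header, so the last one describes the first hop
    origin = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), msg)
    walker = _HtmlWalker()
    walker.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
    text = " ".join(walker.text)
    first_name = re.split(r"[._-]", parseaddr(msg["To"] or "")[1].split("@")[0])[0]
    greeting = re.search(r"\b(?:dear|hi|hello)\s+([A-Za-z]+)", text, re.I)
    signer = None  # name on the line after a sign-off such as "Regards,"
    for i, piece in enumerate(walker.text[:-1]):
        if re.match(r"^(?:regards|thanks|sincerely|best)\b", piece, re.I):
            signer = walker.text[i + 1].split(",")[0].strip()
            break
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    return {
        "from_domain": from_dom,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "hops": len(received),
        "source_ip": origin.group(1) if origin else None,
        "links": [classify_link(l) for l in walker.links],
        "urgency_hits": [c for c in URGENCY if c in ((msg["Subject"] or "") + " " + text).lower()],
        "personalized": bool(greeting) and greeting.group(1).lower() == first_name.lower(),
        "signature_name": signer,
        "signature_in_directory": signer.lower() in directory if signer else None,
    }


if __name__ == "__main__":
    for key, value in triage(RAW, DIRECTORY).items():
        print(f"{key:>22}: {value}")
```

Two details worth keeping in mind when you adapt this: the Received chain is read from the bottom up, because every relay prepends its own header and only the top one is written by your own MTA, and a link is only flagged as masked when the visible anchor text is itself a URL whose host differs from the real href, since “click here” text is hidden rather than masked.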

 

Second-stage dimensions

This level of information gives us some elements to form into intelligence.  For our example, in the “To:” portion of the phish, we quickly see that it went to people from four different departments.  Of those 47 people, only 8 have the same or similar functions, but 32 have overlapping permissions to special programs (records access).  That is all information we can get from our organizational tables and a permissions map from the identity management department (or the SOC, if it has one).  We’ll need more than that data to really paint a picture, but doing so requires adding in the History topic of CHRIME.  Then we could further ask whether the recipients have previously responded to phishing, are publicly associated with our company, have been part of a data leak or data loss incident, and other important investigation points.  The “From:” portion of the email originated from an unknown sender.  The same goes for all the reply and rec’d data: it was spoofed.  The content was well crafted.  It impersonated a realistic corporate service we used, including a randomized link that would send recipients offsite, and it was timely, in that users expected to receive one shortly: individual departments had received emails indicating a survey was forthcoming.  One of the departments targeted had already received its survey, while three had not.  One issue that stood out from the otherwise well-fashioned call to action was that the OD (orthogonal distance) of the email was too long.  That was mostly because of a longer greeting that broke across multiple lines and the addition of an internal company signature block, both of which added to the distance computation.  Surveys don’t come signed by an internal person, especially one that doesn’t exist (a fake identity).  Organizing this along the skeleton of the Constellation made it plain that this was indeed a phishing attempt.

Determining that it was targeted started with identifying that internal company information was somehow in play in the targeting of the phish, in this case the timing and the choice of the mimicked corporate survey.  Equally, the use of an internal signature block was a strong cue towards labeling it targeted.  More data from other topics in CHRIME was going to be needed to get to a defensible and supported “targeted” label.  We’ll expand on that in the next article.

 

Sewing it up

A couple of quick points about the phishing event.  The URL provided in the email went to a bogus website that harvested credentials from anyone unwary enough to provide them.  The website was a near duplicate of our usual corporate climate survey service, which made it pretty compelling.  The URL was a random string of letters and numbers prepended to a domain that misspelled surveytruist.com [they added an “i”], all of which helped identify it as the wrong website.  It prompted for corporate credentials before sending the user to an error page, another telling issue for employees navigating to the website.  Examination of its source showed it sending the stolen credentials to a newly created Gmail account.

 

Just to summarize everything into a fact pattern:

 

47 individuals in 4 departments received a phishing email impersonating a corporate survey, one that was expected based on previous department messaging.  Only one of the four departments had already received a valid survey.  8 of these individuals had the same or similar job functions and 32 of them had overlapping permissions for records access.  The phishing email was well crafted but contained errors of organization, e.g., an added long greeting and a spurious fake identity in the signature block.  The link contained in the phish went to a website impersonating the service corporate uses for climate surveys.  It prompted for corporate credentials and showed an error page afterward.  Stolen credentials were sent to a Gmail account.

We also use CHRIME in our daily work, and you can find me talking about it at ISSA and at conferences pretty much year round.  In fact, CyberDefenses believes in this technique so much that we have a full-day training course dedicated to it.  You can find out about our offerings on CHRIME and other courses via this link:  www.cyberdefenses.com/academy/.

About the author

Carin Young
