CHRIME and Execution

by Monty St John

Execution comes last in CHRIME, but it’s far from the end at the same time.  Like I’ve mentioned more than once, it can be the beginning, where the steps of the operation performed are a better starting point.  I’ve highlighted many times that CHRIME is meant to be flipped or even used in portions to meet your needs.  That is part of its allure and agility, that it can function so flexibly.  Execution rounds out the rest of the technique and given we’ve been using phishing for our example, we’ll continue doing so.

Go big, but don’t forget the little things

Execution has a micro and macro aspect.  At a macro level, execution is concerned about big picture movements.  Specifically, the strategic operations involved in the execution.   It means evaluating the steps required at the strategic level to execute.  This is the big rock, behind-the-scenes actions.  For phishing, that means understanding and documenting the steps required to employ the phishing, such as the steps taken by your adversary to acquire the phishing kit, the resources they used, how they deployed it, and who they used it against.  Plenty more on that list, of course, but I’m sure you see where I’m going.  The micro execution pieces are the small things, the true step-by-step operations.  Usually, you focus on the tip of the spear operations for the purpose of speed, but given time, you would outline the smaller operations for each strategic step in the execution.

Here’s a short snippet talking about the execution of a phishing example we’ve been using and a slightly longer excerpt about the longer execution chain required.

View 1 – What we see

Phishing emails received

Responded

Victims followed phishing directions

Reported

Targeted employees reported the phish

Ignored or mitigated prior to opening

Phish was ignored or mitigated (recalled/removed)

Went to phishing website

Left the site

Reported the site as phishing

Didn’t report

Stayed on the site

Entered credentials

Didn’t enter credentials

Reported the site

Didn’t report the site

View 2 – What the adversary needed to do

Acquire Phishing Kit

Find (PHaaS)

Research capability to meet needs

Locate reputable seller

Purchase

Use resources to acquire

Deploy Phishing Kit

Tailor

Personalize kit

Setup

Acquire infrastructure if not part of kit

Deploy to infrastructure

Setup intermediate and end destination

Activate

Roll out

spin up redundancies or backups

Phish Targets

Load phishing “send” mechanism

Method might be via a service, script or via hijacked servers

Send phish as a burst, in waves, etc.

Victims Respond

Victims navigate to phishing website

Victims enter information

Gather Stolen Credentials

Accept

Entered data is collected and compiled

Store

Credentials entered are sent to intermediate or end destination

Breaking out operations and their tasks is part of the OODA Loop, specifically the Observe and Orient stages.  They help in understanding your adversary.  In our Defining TTPs course, we spend a significant amount of time instructing students on how to define operations from just about any action that your brain can conceive.  It’s an important technique to learn.  Decomposing big steps into smaller operations helps you understand patterns in data, but also opens the window to more.  Here’s a short list of the reasons to enumerate operations:

• Breaking down steps or stages into smaller operations highlights commonalities.
• Understanding the operations that help identify artifacts left behind by the action.
• At a certain point, new operations become rare, as you find significant duplication exists. This means you can define a common set of operations.

Fact Patterns and Issues

Execution benefits from drafting a fact pattern, especially if you didn’t construct one during the “C” topic of CHRIME or follow on topics.  If you are unfamiliar with this technique, it’s where you write out the facts and information for each element of the event, especially where it relates to execution steps for our purposes at this topic (“E”).  Next, you iterate through the sequence of execution events one piece at a time, outlining each step and noting down any issues for each one.  A handy mnemonic for this is TLIAC, which helps to dissect and understand key issues.

When you develop a TLIAC analysis it is important to do more than simply list the elements within each category. You must also explain why each item is important. Identifying why something is important helps you develop or further refine the Intent for the course of action.

Threats involved:

The “threats” (menace or hazard) by vector or by execution path are significant elements in your investigation.  More than one hazard might be implied at each execution step or by the path taken.  For example, the execution path for malware to gain a foothold on an individual computer is one threat.  A second hazard is the vector for its initial infection, a third the now infectious “patient zero”, a fourth the menace to other members of your enterprise by the same initial infection point and many, many more issues just as easy to outline.

The thought process of outlining threats also includes intangible things, e.g., the time of day, or an action or omission such as failure to detect.

Location:

This involves both the place/location of the execution action involved and the sensitivity of where the execution action occurred.  The head of the finance department exposing their credentials in a company provided “secure” chat has multiple complexities in contrast to responding to a phishing email and providing the same credentials to a bogus website.

Information:

What was accessed, altered or removed.

We often think of this as files, but also consider execution that led to gaining access to records, to pulling files that contained passwords or hundreds of other possibilities.  Best considered as determining the outcome desired, e.g., the “why do this” answer for each execution step.

Artifacts:

What was left behind or whose absence is telling and points to removal.  Actions invariably leave behind trails of evidence.  Map each execution step to what artifacts are left behind.

Credentials:

The status of the credentials involved and their relationship to one another are important to your research. Persons or parties may be individuals, groups, corporations, or any entity or identity significant to the cause of action or the solution or outcome of the execution.  As individuals or credentials are indicated, a link model for link analysis can be employed as well.

Back to that phishing story…

At the big picture level, for the phishing example we want to understand whether-or-not we were singled out by the phishing.  The more tightly defined the phishing targets, the more targeted the phishing.  Any attack singly or tightly focused on us is a high cause of concern.  That points to a specific objective and a defined fisherman dropping a hook into our little pond.  A widespread, shotgun style campaign is like trawling the bottom of a river.  It’s big, wide and hits everything.  We don’t take it any less seriously, but the hazard or menace involved is much, much less than a dedicated adversary.  At the smaller, intimate level, we are looking to understand how many and who was phished, how many responded, what they responded with and when, where, etc.

Those are the immediate concerns.  Part of CHRIME is reflecting the intelligence crafted against your knowledge storehouse.  Execution thinks in operations and even if the faces changed, but the actions didn’t, you can imply a natural connection exists.  If you are phished a hundred times the same way, that intelligence is crucial to not only your threat intel and SOC teams, but also whoever is manning your security tools and handling your user security training.

To summarize, Execution is not only micro and macro depictions of operations, but also the resultant outcomes.  They are part of the CHRIME pattern and the operation outlines are sub-constellations that help depict the event.  Like we mentioned previously, these operational patterns should be stacked and contrasted to understand how they are alike, dissimilar, and to what degree of each.  A chain of execution that looks the same over and over again can point to a gap in your security, a defined procedure on the part of the adversary or help define a spectrum of courses of action available.  The opposite — equally telling.

We also use CHRIME in our daily work and you can find me talking about it at ISSA and conferences pretty year round.  In fact, CyberDefenses believes in this technique so much that we have a full-day dedicated training course to it.  You can find about our offerings on CHRIME and other via this link:  www.cyberdefenses.wpengine.com/academy/.

This wraps up our series on CHRIME.   If you missed the previous discussions, you can find the introduction, as well as the 1st, 2nd, 3rd, 4th, 5th, and 6th discussions on the blog home page.

Don’t forget to check us out on Twitter or LinkedIn to find stay up-to-date on our offerings and become part of the conversation.