by Monty St John
Execution comes last in CHRIME, but it’s far from the end at the same time. Like I’ve mentioned more than once, it can be the beginning, where the steps of the operation performed are a better starting point. I’ve highlighted many times that CHRIME is meant to be flipped or even used in portions to meet your needs. That is part of its allure and agility, that it can function so flexibly. Execution rounds out the rest of the technique and given we’ve been using phishing for our example, we’ll continue doing so.
Go big, but don’t forget the little things
Execution has a micro and macro aspect. At a macro level, execution is concerned about big picture movements. Specifically, the strategic operations involved in the execution. It means evaluating the steps required at the strategic level to execute. This is the big rock, behind-the-scenes actions. For phishing, that means understanding and documenting the steps required to employ the phishing, such as the steps taken by your adversary to acquire the phishing kit, the resources they used, how they deployed it, and who they used it against. Plenty more on that list, of course, but I’m sure you see where I’m going. The micro execution pieces are the small things, the true step-by-step operations. Usually, you focus on the tip of the spear operations for the purpose of speed, but given time, you would outline the smaller operations for each strategic step in the execution.
Here’s a short snippet talking about the execution of a phishing example we’ve been using and a slightly longer excerpt about the longer execution chain required.
View 1 – What we see
Phishing emails received
Responded
Victims followed phishing directions
Reported
Targeted employees reported the phish
Ignored or mitigated prior to opening
Phish was ignored or mitigated (recalled/removed)
Went to phishing website
Left the site
Reported the site as phishing
Didn’t report
Stayed on the site
Entered credentials
Didn’t enter credentials
Reported the site
Didn’t report the site
View 2 – What the adversary needed to do
Acquire Phishing Kit
Find (PHaaS)
Research capability to meet needs
Locate reputable seller
Purchase
Use resources to acquire
Deploy Phishing Kit
Tailor
Personalize kit
Setup
Acquire infrastructure if not part of kit
Deploy to infrastructure
Setup intermediate and end destination
Activate
Roll out
spin up redundancies or backups
Phish Targets
Load phishing “send” mechanism
Method might be via a service, script or via hijacked servers
Send phish as a burst, in waves, etc.
Victims Respond
Victims navigate to phishing website
Victims enter information
Gather Stolen Credentials
Accept
Entered data is collected and compiled
Store
Credentials entered are sent to intermediate or end destination
Breaking out operations and their tasks is part of the OODA Loop, specifically the Observe and Orient stages. They help in understanding your adversary. In our Defining TTPs course, we spend a significant amount of time instructing students on how to define operations from just about any action that your brain can conceive. It’s an important technique to learn. Decomposing big steps into smaller operations helps you understand patterns in data, but also opens the window to more. Here’s a short list of the reasons to enumerate operations:
- Breaking down steps or stages into smaller operations highlights commonalities.
- Understanding the operations that help identify artifacts left behind by the action.
- At a certain point, new operations become rare, as you find significant duplication exists. This means you can define a common set of operations.
Fact Patterns and Issues
Execution benefits from drafting a fact pattern, especially if you didn’t construct one during the “C” topic of CHRIME or follow on topics. If you are unfamiliar with this technique, it’s where you write out the facts and information for each element of the event, especially where it relates to execution steps for our purposes at this topic (“E”). Next, you iterate through the sequence of execution events one piece at a time, outlining each step and noting down any issues for each one. A handy mnemonic for this is TLIAC, which helps to dissect and understand key issues.
When you develop a TLIAC analysis it is important to do more than simply list the elements within each category. You must also explain why each item is important. Identifying why something is important helps you develop or further refine the Intent for the course of action.
Threats involved:
The “threats” (menace or hazard) by vector or by execution path are significant elements in your investigation. More than one hazard might be implied at each execution step or by the path taken. For example, the execution path for malware to gain a foothold on an individual computer is one threat. A second hazard is the vector for its initial infection, a third the now infectious “patient zero”, a fourth the menace to other members of your enterprise by the same initial infection point and many, many more issues just as easy to outline.
The thought process of outlining threats also includes intangible things, e.g., the time of day, or an action or omission such as failure to detect.
Location:
This involves both the place/location of the execution action involved and the sensitivity of where the execution action occurred. The head of the finance department exposing their credentials in a company provided “secure” chat has multiple complexities in contrast to responding to a phishing email and providing the same credentials to a bogus website.
Information:
What was accessed, altered or removed.
We often think of this as files, but also consider execution that led to gaining access to records, to pulling files that contained passwords or hundreds of other possibilities. Best considered as determining the outcome desired, e.g., the “why do this” answer for each execution step.
Artifacts:
What was left behind or whose absence is telling and points to removal. Actions invariably leave behind trails of evidence. Map each execution step to what artifacts are left behind.
Credentials:
The status of the credentials involved and their relationship to one another are important to your research. Persons or parties may be individuals, groups, corporations, or any entity or identity significant to the cause of action or the solution or outcome of the execution. As individuals or credentials are indicated, a link model for link analysis can be employed as well.
Back to that phishing story…
At the big picture level, for the phishing example we want to understand whether-or-not we were singled out by the phishing. The more tightly defined the phishing targets, the more targeted the phishing. Any attack singly or tightly focused on us is a high cause of concern. That points to a specific objective and a defined fisherman dropping a hook into our little pond. A widespread, shotgun style campaign is like trawling the bottom of a river. It’s big, wide and hits everything. We don’t take it any less seriously, but the hazard or menace involved is much, much less than a dedicated adversary. At the smaller, intimate level, we are looking to understand how many and who was phished, how many responded, what they responded with and when, where, etc.
Those are the immediate concerns. Part of CHRIME is reflecting the intelligence crafted against your knowledge storehouse. Execution thinks in operations and even if the faces changed, but the actions didn’t, you can imply a natural connection exists. If you are phished a hundred times the same way, that intelligence is crucial to not only your threat intel and SOC teams, but also whoever is manning your security tools and handling your user security training.
To summarize, Execution is not only micro and macro depictions of operations, but also the resultant outcomes. They are part of the CHRIME pattern and the operation outlines are sub-constellations that help depict the event. Like we mentioned previously, these operational patterns should be stacked and contrasted to understand how they are alike, dissimilar, and to what degree of each. A chain of execution that looks the same over and over again can point to a gap in your security, a defined procedure on the part of the adversary or help define a spectrum of courses of action available. The opposite — equally telling.
We also use CHRIME in our daily work and you can find me talking about it at ISSA and conferences pretty year round. In fact, CyberDefenses believes in this technique so much that we have a full-day dedicated training course to it. You can find about our offerings on CHRIME and other via this link: www.cyberdefenses.com/academy/.
This wraps up our series on CHRIME. If you missed the previous discussions, you can find the introduction, as well as the 1st, 2nd, 3rd, 4th, 5th, and 6th discussions on the blog home page.
Don’t forget to check us out on Twitter or LinkedIn to find stay up-to-date on our offerings and become part of the conversation.
