by Monty St John
Nicholas Sparks rolled out this beautiful saying that I often butcher, but like to use nonetheless — “Nothing is ever lost nor can be lost…”. The “H” in CHRIME is about history, specifically the history of the element you are examining with CHRIME and those elements linked to it. History and reputation tend to be intermingled a lot, but it is key to remember that we specifically mean the Who, What, Where, and When here. Adding this information constitutes a refinement of the links we forged during the “C” topic of CHRIME.
What? So What? Now What?
A favored technique here is leveraging the W3 line of reflective questioning laid out in the title to tease out important history elements. This technique works best if you have laid out the situation in a fact pattern, like we did previously in Constellations. From that information you ask, “WHAT? What happened? What was noticed, what facts or observations stood out?” As a rough overview, this is done as a stream of consciousness below the fact pattern. After all the salient observations have been collected ask, “SO WHAT? Why is that important? what patterns or conclusions are emerging? What hypotheses can be made?” This line of inquiry helps make sense out of the information. Finally, after making sense of things you ask, “NOW WHAT? What actions make sense at this point?”
Take a suspicious file found during a scan of a traveler’s laptop, a common security task. Using W3, we might ask:
- What type of file is this?
- What is it named and other attributes about it, like hash, creation dates, etc.
- What do we know about it?
- Where was it located?
- Was it active (running) or at rest?
- Is it one part of a whole, like a file dropped from another?
- Is the file malicious?
- What steps are required for the file to appear where it did?
- Does it contain sensitive, damning or compelling information?
- What’s the history of the file?
- Is the file important?
- Is the file part of a pattern of activity?
- Does its existence apply other activity occurred?
Funnel line of inquiry
It’s best to visualize the shape of a funnel when using this approach. A funnel has a wide mouth and narrows at the bottom. Similarly, you start with a list of general questions on the question you are asking with CHRIME and then narrow it down to one point to reach a conclusion. Specifically, you ask a lot of closed-questions in the beginning, like those that will resolve to “Yes” or “No” and those questions that will give a single answer, such as “What’s the SHA-256 for this file?”. After a series of closed-questions you widen the approach to asking open questions, with multi-stem or varied answers. Continuing our file example above:
- What’s the name of the file? [closed]
- Where is the file located? [closed]
- When was the file created? [closed]
- How did the file get there? [open]
- Was the file created as a response to another file? [open]
- What steps are required for it to appear at this location [open]
Inward and Outward
History in CHRIME is reviewed both internally, as in what we know about it from our point of perspective, and externally, for everyone else’s perspective. Internally is, obviously, usually the most rich and trusted source, followed by observations made from external sources. Our history with the inquiry source of CHRIME is evaluated first, followed by external history with the same. Falling back on the file example discussed previously, we may have never seen it before and thus, have little data on it. A quick check externally, however, say via hash check on Virustotal, might show that its widely known externally as a file dropped by malware. This situation would be where the external history is very critical to our inquiry and enriches what we know about it.
Back to reeling in that Phish
During the Constellation article, we built a skeleton of connections and crafted a word pattern at the end. You can refer to it here and I’ll pull in parts as needed, like we are trying to decided whether this phish is targeted or not.
47 individuals in 4 departments received a phishing impersonating a corporate survey, one that was expected to occur based-off previous department messaging. Only one of the four departments had already received a valid survey. 8 of these individuals had the same or similar job functions and 32 of them had overlapping permissions for records access. The phishing email was well-crafted but contained errors of organization, e.g., added long greeting and spurious fake identity in the signature block. The link contained in the phish went to a website impersonating the service corporate uses for climate surveys. It prompted for corporate credentials and showed an error page afterward. Stolen credentials were sent to a Gmail account.
Keeping history on past events is a critical function of security operations and threat intelligence. In this case, our handy threat intel team provided some interesting past-history on the targeted individuals. First, 16 of the targeted 47 were repeat offenders who had fallen for phishing. While no direct connections existed by phishing theme, these sixteen had previously responded to phishing that year. A larger 21 of the 47 people were publicly exposed in social media as associated with the corporation in the area of the overlapping records permissions access. This was drawn for social media documentation, such as media releases by the corporation, external discussions, papers, interviews and so on. It’s part of the public footprint of the corporation, just like the thankfully smaller 9 instances where individuals had publicly leaked their credentials, in part or wholly, via discourse in chats, interviews, blogs or papers. This happened mainly via interviews and recorded presentations where care was not taken when logging into the corporate network when being recorded.
- 16 exposed externally from previous phishing or leaks in the last year
- 21 publicly associated with corporation related to their shared job permissions (records)
- 9 instances where individuals were noted as exposing special access permissions publicly, via discourse (chat, interview, blog, paper, etc.)
While interesting and painful to read, it wasn’t quite enough to push over the 80% mark on whether the phish was targeted or not, (the question we were trying to answer). The operations and intelligence teams both indicated that this phish was one in a series of related phishing attempts. Our internal records on past phishing campaigns showed this theme had occurred 14 times previously, using a similar method of sending and the addition of a signature block. These were interesting points, giving some hard cues toward it being targeted. Comparing the phishing delivery time to the emails sent announcing a department survey showed a clear link. It wasn’t present in all the phishing events, but it was in nine of them. Quick analysis showed a gap of 2-4 days after announcement for phishing to occur. That, in turn, pointed to a possible compromised account or misdirection of email. That kicked off its own investigation. Another look at the targets between the phishing attacks showed little overlap of people, but a major overlap of records permission access. More than three-quarters of the targets shared this permission. Given that only a small section of the population of the corporation was provided with this access, it was major pointer towards targeting.
At this point, we had enough intelligence to call it targeted and linked to the previous series of attacks. When the investigation came back later, the announcement link, we found that the sending department was pasting in chunks of emails to send versus using an email list. Not only was this an error prone process, but the blocks of emails contained numerous past employees. Not all of these accounts were properly terminated and that became a task to do, along with crafting proper email lists for them to use in the future.
Had we not found the answer in the data collected above, we could have easily continued with various techniques to infuse history data into our constellation. If none of that information had existed, and external history was equally shy, then driving on into the rest of CHRIME would be paramount. We’ll carry on our example using this thought process when we delve into Reputation and other topics of CHRIME in the future articles.
We also use CHRIME in our daily work and you can find me talking about it at ISSA and conferences pretty around year around. In fact, CyberDefenses believes in this technique so much that we have a full-day dedicated training course to it. You can find about our offerings on CHRIME and other via this link: www.cyberdefenses.com/academy/.