Threat Activity Clusters: Project Ice Cream
This blog was originally published by Alert Logic here.
Written by Josh Davies, Product Manager, Alert Logic.
Continuously hunting for the latest and emerging threats and campaigns requires dedicated SOC analysts, data scientists, and security researchers. This human-led process is an essential complement to automated detection (including advanced analytics such as machine learning), because threat actors adapt and try to evade the latest developments in detection, constantly looking for ways to operate in the ‘unknown’ activity that sits between known good and known bad.
Alert Logic has amassed a wealth of knowledge and understanding of distinctive threat actor groups. Keeping track of the tactics and techniques used has increased our effectiveness and efficiency in identifying emerging campaigns and zero-day exploits, as threat groups tend to favor their own tactics, techniques and procedures (TTPs). Even when threat groups evolve their campaign by including a shiny new exploit, other TTPs and indicators remain consistent. By tracking the actors behind the threats, we know where to look next when we see new activity bearing similarities to previous campaigns, improving our detection and response times.
Everyone can benefit, both directly and indirectly, from the process and findings of threat hunting. Those targeted receive early warning and can remediate the compromise before any real damage is done. Our broad understanding of persistence mechanisms means we can address the entirety of a compromise and not just the glaring symptom.
Those who have not been targeted directly benefit from the lessons learned from those who have been targeted, as we document relevant indicators and devise a unified approach to disrupt the campaign and accumulate targeted remediation advice. This indirect benefit is often referred to as “community immunity.”
Human-led threat hunting is an integral part of our security analytics development, both to continuously improve coverage of the ever-expanding attack surface and to eliminate false positives. This approach enables us to detect new signs of compromise in a network manually, while we review the suitability of raised incidents for creating automated detections. Over time we have developed a deep understanding of threat group activity clusters that has improved analysis time and informed comprehensive remediation plans.
The Activity Clusters
This series of blogs will share activity clusters of threat groups observed in the Alert Logic dataset. We will share a narrative on the threat groups involved in finding and exploiting zero-day vulnerabilities and on those who use novel tactics or techniques in an attempt to circumvent standard breach detection and prevention solutions. While our Threat Intelligence teams subscribe to numerous public and private intelligence feeds, this series offers our assessment of threat group activity clusters, ultimately based on our unique insight into the ~40 PB of monthly threat data we collect from our 4000+ customers.
We have chosen ice cream flavors as our naming convention to codify the observed threat clusters.
The Naming Convention
We track and combat these threat groups daily, and our experts wanted to give them a suitably un-intimidating identifier. Ice cream flavors allow us to group related and evolved campaigns with iterations of documented flavors.
For example, the Vanilla group may disappear into temporary obscurity, re-emerging with recycled IP addresses and new techniques, but still exhibiting common indicators from their previous campaign. In this case, we can be confident that they are one and the same, or at least linked. Where the evolution is significant enough, we refer to this “new” campaign as Vanilla with sprinkles: a superficial difference that changes how they operate and how we track them, but ultimately the same ice cream underneath.
This means that when the hydra grows another head, you know from which neck it has (likely) grown.
Ice cream flavors also allow us to steer clear of geographical implications in the naming convention. While it is useful for analysis to understand where attacks, CnC servers and the like originate from, it is unwise to attribute campaigns to regions with certainty. Spoofing an IP address is incredibly easy, and it has been widely reported how nation states have masqueraded as other nations for geopolitical benefit.
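As an added illustration (not Alert Logic's tooling, and not part of the original post), the Python sketch below scores a newly observed campaign against documented flavors by TTP and infrastructure overlap, and decides between "same cluster", "flavor with sprinkles" and "new cluster" in the spirit of the Vanilla example above. Infrastructure overlap is deliberately weighted less than TTP overlap because IP addresses are recycled and easily spoofed; all campaign data, labels and thresholds are constructed.

```python
"""Added example: link a new campaign to known "flavor" clusters by indicator overlap.
Campaign data and thresholds below are constructed for illustration only."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Campaign:
    name: str
    ttps: FrozenSet[str]            # descriptive TTP labels (constructed)
    infrastructure: FrozenSet[str]  # IPs/domains seen (RFC 5737 test ranges)


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set overlap in [0, 1]; defined as 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_campaign(new: Campaign, known: List[Campaign],
                  same: float = 0.7, variant: float = 0.35) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched flavor or None).
    TTPs carry 70% of the score, infrastructure 30%: tradecraft tends to
    persist between campaigns, while infrastructure is cheap to rotate."""
    best, best_score = None, 0.0
    for old in known:
        score = (0.7 * jaccard(new.ttps, old.ttps)
                 + 0.3 * jaccard(new.infrastructure, old.infrastructure))
        if score > best_score:
            best, best_score = old, score
    if best is None or best_score < variant:
        return ("new cluster", None)
    if best_score >= same:
        return ("same cluster", best.name)
    return (f"{best.name} with sprinkles", best.name)


# Constructed documented flavors.
VANILLA = Campaign("Vanilla",
                   frozenset({"exploit-public-app", "unix-shell", "cron-persistence", "tool-download"}),
                   frozenset({"198.51.100.7", "203.0.113.21"}))
MINT = Campaign("Mint", frozenset({"ssh-brute-force", "valid-accounts", "lateral-ssh"}),
                frozenset({"192.0.2.44"}))
KNOWN = [VANILLA, MINT]

# Constructed new observations: a recycled IP plus a swapped-in technique (sprinkles),
# an identical playbook on mostly new infrastructure, and something unrelated.
REEMERGED = Campaign("obs-1", frozenset({"exploit-public-app", "unix-shell", "cron-persistence", "cryptominer"}),
                     frozenset({"198.51.100.7", "203.0.113.99"}))
RECYCLED = Campaign("obs-2", VANILLA.ttps, frozenset({"198.51.100.7"}))
UNRELATED = Campaign("obs-3", frozenset({"phishing", "office-macro", "credential-dump"}),
                     frozenset({"192.0.2.200"}))

if __name__ == "__main__":
    for obs in (REEMERGED, RECYCLED, UNRELATED):
        print(obs.name, "->", link_campaign(obs, KNOWN))
```

The thresholds are where analyst judgement lives: a real tracking process would tune them against historical clusters rather than fix them by hand.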
This series could be beneficial to your cybersecurity practices or your own threat hunts. We hope that by sharing this information with the wider community, we can contribute toward the shared understanding of our common enemy and foster further security discussions and successful hunts.
You can find links to the entire series here:
- Intro: Threat Activity Clusters
- Cluster 1: Mint
- Cluster 2: Mint Sprinkles
- Cluster 3: Strawberry
- Cluster 4: Strawberry Sprinkles
- Cluster 5: Pistachio
About the Author
Josh Davies is a Product Manager at Alert Logic. Formerly a Security Analyst and Solutions Architect, Josh has extensive experience working with mid-market and enterprise organisations; conducting incident response and threat hunting activities as an analyst before working with organisations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.