There has been a great deal of talk about the emerging field of cybersecurity threat intelligence in recent years. CTI is the application of intelligence tactics to gain insights on adversarial actors and their tools, techniques, and procedures. However, one aspect that’s not frequently discussed is the use of counterintelligence tactics by both the defender and the adversary.
One of the chief problems in both digital forensics and CTI is that much of the data we need to analyze is under the control of the adversary, who has the means and motive to deceive. For instance, it is not atypical to see malware that has large detailed functions that are never called upon in the real world and exist only to make malware researchers waste time figuring them out.
Most dynamic malware detection solutions will search for any network connectivity that malware makes. However, what they don’t do is determine if the network connectivity is actual malicious traffic or if it is a false trail. Malware can generate a smoke screen of DNS queries and network traffic simply to hide the “real” malicious traffic in a stream of noise that makes it difficult to reverse engineer.
In fact, it’s not unusual for malware to generate traffic to mock various individuals or companies. This is not limited to network traffic; it could be strings in the binary, user-agents, WHOIS data, or anything that can be manufactured to waste the time of the researcher or to troll others.
While amusing, there are far more destructive forms of deception that can and have been employed. If organizations are not scrutinizing the processing of their data, malicious threat actors can poison it to cause outage events.
For instance, if an organization processes lists of known malicious domains -- and bear in mind that attackers also know of these malicious domains -- an attacker could have a few of those domains resolve to IP addresses of important infrastructure. As an example, if an organization simply resolves malicious domains to IPs, then the IPs feed firewalls automatically. One of the resolved IPs points to the organization’s own DNS server, which very quickly results in a significant outage event.
If WHOIS data is forged (which is easy to do), it is possible to direct legal action toward an innocent individual or entity. Even domain generation algorithms (DGAs) -- particularly ones that use wordlists -- could lead to a DGA generating an actually “good” domain name that may get caught up in an automated blocklist.
For CloudFlare hosted domains, “direct” is a default hostname that normally points directly to the actual machine that would otherwise be obfuscated by CloudFlare (e.g. direct.SOMEDOMAIN.com). This is obviously configurable, and a malicious actor could simply point that to an innocent third-party machine. If a researcher is sloppy, he or she could take action against that innocent machine and its owner.
The key to operationalizing CTI rests not simply in generating indicators of compromise; the key rests in the critical thinking that establishes the confidence that a given indicator is, in fact, malicious. Far too many organizations and researchers simply mine for indicators and use those indicators without scrutiny. Malicious actors know this, and it seems like they are starting to use that against us.