{"id":40270,"date":"2021-04-01T18:00:51","date_gmt":"2021-04-01T18:00:51","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=93267"},"modified":"2021-04-01T18:00:51","modified_gmt":"2021-04-01T18:00:51","slug":"automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/","title":{"rendered":"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting"},"content":{"rendered":"<p>As seen in recent sophisticated cyberattacks, especially human-operated campaigns, it\u2019s critical to not only detect an attack as early as possible but also to rapidly determine the scope of the compromise and predict how it will progress. How an attack proceeds depends on the attacker\u2019s goals and the set of tactics, techniques, and procedures (TTPs) that they utilize to achieve these goals. Hence, quickly associating observed behaviors and characteristics to threat actors provides important insights that can empower organizations to better respond to attacks.<\/p>\n<p>At Microsoft, we use statistical methods to improve our ability to track specific threat actors and the TTPs associated with them. Threat actor tracking is a constant arms race: as defenders implement new detection and mitigation methods, attackers are quick to modify techniques and behaviors to evade detection or attribution. Manually mapping specific indicators like files, IP addresses, or known techniques to threat actors and keeping track of changes over time isn\u2019t effective or scalable.<\/p>\n<p>To tackle this challenge, we built probabilistic models that enable us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages. 
With these models, security analysts can move from a manual method of investigating small sets of disparate signals to probabilistic determinations of likely threat groups based on all activity observed, comparing the activity against all known behaviors, both past and present, encoded in the model. These models help threat intelligence teams stay current on threat actor activity and help analysts quickly identify behaviors they need to analyze when investigating an attack.<\/p>\n<p>In this blog we\u2019ll outline a probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking. <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-threat-experts\">Microsoft Threat Experts<\/a>, our managed threat hunting service, utilizes this model to enhance our ability to quickly notify customers about attacks in their environments through <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-threat-experts#targeted-attack-notification\">targeted attack notifications<\/a>. These notifications provide technical information and remediation guidance designed to empower customers to identify and mitigate critical threats in their environments.<\/p>\n<p>The model enriches targeted attack notifications with additional context on the threat, the likely attacker and their motivation, the steps the said attacker is likely to make next, and the immediate action the customer can take to contain and remediate the attack. 
Below we discuss an incident in which automated threat actor tracking translated to real-world protection against a <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">human-operated ransomware<\/a> attack.<\/p>\n<h2>Predicting human-operated ransomware groups<\/h2>\n<p>The probabilistic model we discuss in this blog aids Microsoft Threat Experts analysts in sending quick, context-rich, threat actor-attributed notifications to customers in the earliest stages of attacks. In one recent case, for example, the model surfaced high-confidence data indicating initial stages of a new ransomware actor in an organization just two minutes into the attack. This enabled analysts to quickly confirm the malicious behavior and the involved threat group, then send a targeted attack notification to the customer, who was able to stop the threat before the attackers could encrypt data and ask for ransom:<\/p>\n<ol>\n<li>The attacker compromises a device via Remote Desktop. This signal, one of many, starts the examination of the attack by the model, which knows that initial access via Remote Desktop is a technique often utilized by a certain threat actor.<\/li>\n<li>Attackers copy common open-source tools and custom payloads to the device for such malicious activities as tampering with AV and credential theft, which would allow discovery and lateral movement. 
With these tools on the device, the model\u2019s confidence increases.<\/li>\n<li>The attacker begins running the tools and exhibiting behaviors typically associated with attacks by the threat actor.<\/li>\n<li>Just two minutes into the attack, the model hits a threshold for activity that indicates the suspected threat actor is present in the organization.<\/li>\n<li>Microsoft Threat Experts analysts are notified of the suspected actor activity identified by the model, and they quickly send a high-context targeted attack notification that includes technical information as well as actor attribution.<\/li>\n<li>As the attacker attempts to tamper with the antivirus solution, the organization stops the attack, armed with the knowledge of the likely forthcoming activity they need to stop. The threat actor is stopped from performing their other known TTPs, ultimately preventing the ransomware deployment and activation.<\/li>\n<\/ol>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-93270 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig1-human-operated-ransomware-attack-chain.png\" alt=\"Attack diagram showing stages of an attack and how the threat actor tracking model caught the initial stages so the affected organization could stop the attack\" width=\"975\" height=\"359\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig1-human-operated-ransomware-attack-chain.png 975w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig1-human-operated-ransomware-attack-chain-300x110.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig1-human-operated-ransomware-attack-chain-768x283.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\"><\/p>\n<p><em>Figure 1. 
Model predicting human-operated ransomware attack chain<\/em><\/p>\n<p>Through the automated threat actor tracking model, Microsoft Threat Experts analysts were able to equip the organization with information about the attack as it was unfolding. The model-enriched targeted attack notification enabled the customer to stop a known human-operated ransomware group before they could cause significant damage. If not stopped, the threat actor would have been able to perform its typical behaviors, including clearing of event logs, creating a persistence method, disabling and deleting backups and recovery options for the device, and encryption and ransom.<\/p>\n<h2>Threat actor tracking through probabilistic graphical modeling<\/h2>\n<p>As the case study above shows, the ability to identify attacks with high confidence in the early stages is improved by rapidly associating malicious behaviors with threat actors. Using a probabilistic model to predict the likely threat actor behind an attack removes the need for analysts to manually evaluate and compare techniques and tools with known behaviors with threat groups.<\/p>\n<p>Even with attackers frequently adjusting their toolkits, payloads, and techniques to evade detection, the model can help analysts learn new TTPs and then rapidly evaluate the behaviors to confirm the model\u2019s prediction. This intelligence allows pivoting to find recently created attacker infrastructure and tools, and increases the ability to report, detect, slow, and stop the adversary.<\/p>\n<p>In the next sections, we will provide more detail about this automated threat actor tracking model and discuss challenges, such as data collection and tagging. 
We will also share how we leverage security analyst expertise to continuously enrich these models with newfound attacker behavior and improve their ability to surface incidents with high confidence.<\/p>\n<h3>Data collection<\/h3>\n<p>The first challenge in threat prediction is translating data collected from recorded attacks into a set of well-defined TTPs. The idea is to define a knowledge base such that the approach is generalizable across different threat actor groups. For this purpose, we use the <a href=\"https:\/\/attack.mitre.org\/\">MITRE ATT&amp;CK framework<\/a>, which provides such a knowledge base and is widely used across the industry for classifying attack behaviors and understanding the lifecycle of an attack.<\/p>\n<p>Attack behaviors need to be carefully mapped at the right level of granularity. If the behaviors are mapped to too broad a category (e.g., MITRE ATT&amp;CK techniques like lateral movement), then discrete attackers cannot be distinguished. If the attack behaviors are too specific (e.g., documented adversary use of a specific file hash), any subtle changes to the behavior or tools used for a particular attack could be missed.<\/p>\n<p>The model uses threat data from <a href=\"https:\/\/aka.ms\/m365d\">Microsoft Defender for Endpoint<\/a>, as well as the broader <a href=\"https:\/\/aka.ms\/m365d\">Microsoft 365 Defender<\/a>, which delivers unparalleled cross-domain visibility into attacks. Each <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/mtp\/incidents-overview?view=o365-worldwide\">incident<\/a> (a collection of alerts related to a specific attack) that has been tagged as associated with a threat group corresponds to a training sample. These incidents are augmented with more specific indicators of compromise, custom behavioral detections built by our threat hunting teams, and additional context from telemetry. 
This collection of alerts and detections is then mapped to the collection of TTPs being tracked.<\/p>\n<p>The TTPs are used as variables in a Bayesian network model, which is a statistical model well suited for handling the challenges of our specific problem, including high dimensionality, interdependencies between TTPs, and missing or uncertain data.<\/p>\n<h3>Bayesian networks<\/h3>\n<p>Given the TTPs of an attack observed in an organization, the goal is to identify the most likely threat actor involved and, consequently, the next attack stages, considering that any one TTP very rarely provides enough evidence to attribute an attack to a threat group. It\u2019s the combination of these TTPs that provides the necessary evidence to identify the threat group.<\/p>\n<p>We use Bayesian networks to model the relationships between TTPs and threat groups. A Bayesian network is a powerful tool that builds a joint distribution over a set of variables and encodes the relationships between them, which can be represented as a directed acyclic graph. Bayesian networks have properties that make them well suited for this problem. For one, they are ideal for querying probabilities for a subset of unobserved variables (e.g., attacker groups) in the presence of other observed variables (TTPs). They are also ideal for handling missing or sparse data. Finally, using Bayesian models provides a principled approach to encoding expert knowledge through prior probability distributions, which encode one\u2019s belief about the quantity of interest before data is considered. 
With these properties, Bayesian networks have been shown to work well in correlating alerts from various detection systems and predicting future attack stages.<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/01\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#_edn1\" name=\"_ednref1\">[i]<\/a> <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/01\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#_edn2\" name=\"_ednref2\">[ii]<\/a><\/p>\n<p>More formally, the set of possible TTPs for an actor is viewed as a set of discrete random variables. Let <strong>X = {X<sub>1<\/sub>, \u2026, X<sub>n<\/sub>}<\/strong>, where each variable can take on one of two states, 0 or 1. The value of 1 corresponds to the TTP having been observed. Let the random variable <strong>Y<\/strong> correspond to the indicator variable for a specific threat actor or group of threat actors. Each variable is a node in a directed acyclic graph, and the edges between the nodes encode the conditional dependencies between them.<\/p>\n<p>A Bayesian network defines a joint distribution over the set of TTPs and the threat actor group, so that:<\/p>\n<p><strong>P(X<sub>1<\/sub>, \u2026, X<sub>n<\/sub>, Y) = P(Y|Pa(Y)) \u220f<sub>i=1\u2026n<\/sub> P(X<sub>i<\/sub>|Pa(X<sub>i<\/sub>))<\/strong>,<\/p>\n<p>where <strong>P(X<sub>1<\/sub>, \u2026, X<sub>n<\/sub>, Y)<\/strong>&nbsp;denotes the joint probability of the variables and threat actor group taking on specific values, <strong>Pa(X<sub>i<\/sub>)<\/strong> denotes the set of parents of variable <strong>X<sub>i<\/sub><\/strong>&nbsp;in the graph, and <strong>P(X<sub>i<\/sub>|Pa(X<sub>i<\/sub>))<\/strong>&nbsp;is the probability that variable <strong>X<sub>i<\/sub><\/strong>&nbsp;takes on a certain value given (represented by <strong>|<\/strong>) the state of its parents in the graph. 
The conditional probabilities of observing a node being 0 or 1 given the set of parent states are represented by conditional probability tables.<\/p>\n<p>Figure 2 shows a toy example where the variable Actor:X corresponds to the threat actor group, with six TTPs inspired by the MITRE ATT&amp;CK framework, including T1570 (Lateral Tool Transfer), T1046 (Network Service Scanning), T1021 (Remote Services), T1562.001 (Impair Defenses: Disable or Modify Tools), T1543 (Create or Modify System Process), and Impact (TA0040; in this example, we do not specify the sub-technique, though that could easily be done). To illustrate, a directed edge between Transfer Tools and Actor:X indicates that the likelihood of observing the actor is directly related to whether we saw them transfer their attack tools. The node Disable Tools shows an example of a conditional probability table and how the probability of observing the technique changes with respect to the states of its parent nodes in the graph, Network Scanning and Transfer Tools.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-93277 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig2-toy-example-bayesian-network.png\" alt=\"Diagram showing the likelihood of next attack stages given a certain actor\" width=\"950\" height=\"560\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig2-toy-example-bayesian-network.png 950w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig2-toy-example-bayesian-network-300x177.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig2-toy-example-bayesian-network-768x453.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig2-toy-example-bayesian-network-440x260.png 440w\" sizes=\"auto, (max-width: 950px) 100vw, 950px\"><\/p>\n<p><em>Figure 2: A toy example showing a Bayesian network for 
Actor:X with six TTPs. A conditional probability table is also shown for variable Disable Security.<\/em><\/p>\n<p>There are two inference tasks that are needed to fully specify the Bayesian network:<\/p>\n<ol>\n<li>Structure learning: Given a set of training examples, estimate the graph that captures the dependencies between the variables.<\/li>\n<li>Parameter learning: Given a set of training examples and the graph structure, learn the unknown parameters for the conditional probability tables <strong>P(X<sub>i<\/sub>|Pa(X<sub>i<\/sub>))<\/strong>.<\/li>\n<\/ol>\n<p>Structure learning is largely driven by domain knowledge and eliciting expert feedback, which is covered in the next section. Parameter learning is done in the usual Bayesian way, where a prior distribution is specified for the unknown parameters, which can encode subject matter expertise. Then, the parameters are updated with data or new incidents as they arise, so that the final posterior probabilities reflect the prior beliefs from threat intelligence analysts and relevant evidence seen in the data. As new training data is obtained over time as part of hunting and investigations, the Bayesian network can easily be updated so that it always reflects the latest information on the threat actor TTPs.<\/p>\n<p>Because the Bayesian network defines a complete model for the variables and their relationships, it allows the analysts to query for information about any subset of variables and receive probabilistic responses. 
For example:<\/p>\n<ul>\n<li>Given that Transfer of Tools and Disable Security Tools have been observed but not Modify System Process, what is the most likely set of TTPs that will be observed next?<\/li>\n<li>Given that Lateral Movement has been observed, what is the likelihood of seeing Impact?<\/li>\n<li>Given Network Scanning and Modify System Process, what is the probability that it is threat actor group Actor:X?<\/li>\n<\/ul>\n<p>This model is particularly useful for its ability to <em>marginalize<\/em> over unobserved variables. For example, if one does not have enough confidence to say whether Impact occurred or not, one can sum over all possible states for that variable and still be able to answer any of the questions above, providing a probabilistic response that reflects that uncertainty.<\/p>\n<p>Finally, the interpretability of these graphical models is high. Analysts can readily see how observing certain techniques directly changes the probability of observing a threat actor or other techniques through the conditional probability tables. In addition, the graph allows easy visualization of how the techniques relate to each other and influence the variable representing the threat actor group.<\/p>\n<h2>Threat intelligence elicitation<\/h2>\n<p>The combination of minimal training examples with the high dimensionality of the set of possible techniques makes it critical to leverage domain knowledge and threat intelligence expertise.<\/p>\n<p>Our statisticians work closely with threat analysts to incorporate the analysts\u2019 large existing knowledge base into the model. Analysts help with learning the structure of the Bayesian network by informing which nodes are likely a priori to be correlated with each other. For instance, analysts might suggest that they often see Network Scanning followed by Lateral Movement. 
As we are largely concerned with post-breach attacks, the attack chain defines an inherent sequence of stages that are observed as an attack progresses, such as moving from gaining access to exploitation. This sequencing can help inform the orientation of the edges. Any remaining possible edges are learned from the training examples using one of the structure learning algorithms.<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/01\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#_edn3\" name=\"_ednref3\">[iii]<\/a><\/p>\n<p>Once the attack graph is fully specified, the threat analysts help inform the strength of the relationships between the nodes (e.g., how much more likely it is to see Disabling Security Tools given Transfer Tools); this data is encoded in the prior to complete the specification of the model.<\/p>\n<p>Finally, as a threat group changes its behavior over time, nodes corresponding to TTPs may need to be added to or removed from the graph. This can be done by setting priors based on information from threat intelligence experts and using the alert database to assess correlations with other techniques already in the graph.<\/p>\n<p>Figure 3 illustrates the expert-augmented probabilistic graphical modeling framework. 
Applying probabilistic learning over these constructed graphs, built from both data collected from real attacks and the vast knowledge of the threat intelligence community, provides a framework for both predicting the likely threat actor and predicting how an attack might evolve.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-93272 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig3-sketch-of-framework.png\" alt=\"Diagram of framework\" width=\"900\" height=\"507\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig3-sketch-of-framework.png 900w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig3-sketch-of-framework-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig3-sketch-of-framework-768x433.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig3-sketch-of-framework-767x431.png 767w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/Fig3-sketch-of-framework-539x303.png 539w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\"><\/p>\n<p><em>Figure 3. Sketch of framework<\/em><\/p>\n<p>Across Microsoft, we use statistical models and machine learning to <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/02\/20\/azure-sentinel-uncovers-real-threats-hidden-billions-low-fidelity-signals\/\">uncover threats hidden in billions of low-fidelity signals<\/a>. The threat actor tracking model we introduced in this blog is exciting work with real impact in customer protection. 
We are still in the early stages of realizing the value of this approach, yet we already have had much success, especially in detecting and informing customers about human-operated attacks, which are some of the most prevalent and impactful threats today.<\/p>\n<p>A core reason for this success is the combination of statistical expertise, threat hunting, and the very intensive work of vetting and discovering the combination of TTPs that indicate specific threat groups.&nbsp; Our ability to automatically identify threat actors from the data, predict next steps, and stop attacks is foundational for much of our work going forward, with many as-yet unrealized benefits in customer protection. In real terms, we have accelerated threat hunting to drive to conclusions that lead to real protection, and we will continue expanding that protection for our customers through the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-threat-experts\">Microsoft Threat Experts<\/a> service and the coordinated defense delivered by <a href=\"https:\/\/aka.ms\/m365d\">Microsoft 365 Defender<\/a>.<\/p>\n<p><strong><em>Cole Sodja, Justin Carroll, Melissa Turcotte, Joshua Neil<\/em><\/strong><\/p>\n<p><em>Microsoft 365 Defender Research Team<\/em><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/01\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#_ednref1\" name=\"_edn1\">[i]<\/a> <a href=\"https:\/\/ieeexplore.ieee.org\/document\/1377244\">Attack plan recognition and prediction using causal networks<\/a><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/01\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#_ednref2\" name=\"_edn2\">[ii]<\/a> <a href=\"https:\/\/ieeexplore.ieee.org\/document\/7387905\">Real time alert correlation and prediction using Bayesian 
networks<\/a><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/01\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#_ednref3\" name=\"_edn3\">[iii]<\/a> <a href=\"http:\/\/heckerman.com\/david\/tutorial.pdf\">A Tutorial on Learning With Bayesian Networks<\/a><\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/01\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking enables us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages.<br \/>\nThe post Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting appeared first on Microsoft Security. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":40271,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[347,8549,7221,8226,9303,91,9304],"class_list":["post-40270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cybersecurity","tag-human-operated-ransomware","tag-microsoft-security-intelligence","tag-microsoft-threat-experts","tag-probabilistic-modeling","tag-ransomware","tag-threat-actor-tracking"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-04-01T18:00:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/04\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png\" \/>\n\t<meta property=\"og:image:width\" content=\"975\" \/>\n\t<meta property=\"og:image:height\" content=\"359\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting\",\"datePublished\":\"2021-04-01T18:00:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/\"},\"wordCount\":2733,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png\",\"keywords\":[\"Cybersecurity\",\"human-operated ransomware\",\"Microsoft security intelligence\",\"Microsoft Threat Experts\",\"probabilistic modeling\",\"ransomware\",\"threat actor tracking\"],\"articleSection\":[\"Microsoft 
Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/\",\"name\":\"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png\",\"datePublished\":\"2021-04-01T18:00:51+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png\",\"width\":975,\"height\":359},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/cybersecurity\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual 
alerting\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.or
g\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/","og_locale":"en_US","og_type":"article","og_title":"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-04-01T18:00:51+00:00","og_image":[{"width":975,"height":359,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/04\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual 
alerting","datePublished":"2021-04-01T18:00:51+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/"},"wordCount":2733,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/04\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png","keywords":["Cybersecurity","human-operated ransomware","Microsoft security intelligence","Microsoft Threat Experts","probabilistic modeling","ransomware","threat actor tracking"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/","url":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/","name":"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/04\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png","datePublished":"2021-04-01T18:00:51+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/04\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/04\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting.png","width":975,"height":359},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-a
nd-contextual-alerting\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.threatshub.org\/blog\/tag\/cybersecurity\/"},{"@type":"ListItem","position":3,"name":"Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/40270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=40270"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/40270\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/40271"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=40270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=40270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=40270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}