Precursors Explained Flashcards

1
Q
A

“Precursors” or “Threat Precursors” are elements of the incident identification and response process that allow both an attacker and a security researcher or professional to determine the existence of flaws and/or vulnerabilities within a system. By identifying precursors organizations can work to prevent cyber attacks before they occur.

2
Q

Issues with Precursors

A

Precursors can contribute a great deal to an organization's security scheme, but they have one major disadvantage: they are usually the most difficult element to obtain in a threat identification process. The vast majority of attacks have no precursors that are identifiable or detectable from the organization's perspective, and this directly affects time to detection. It is such a significant handicap because, if an organization did have knowledge of these elements, it could prevent one or several incidents simply by altering its security posture.

3
Q

Types of Precursors

A

Attacks can take many different forms, and attackers can find many ways to compromise a system. It follows that precursors can also appear in many different ways and, above all, that both attackers and security professionals can use many tools to obtain them. Some examples are given below.

Port Scanning, Operating System and Application Fingerprinting
One of the most effective ways to obtain information about a network is through scanning. Using tools such as Nmap, Netcat, or Nessus, both a researcher and an attacker can learn about the services and vulnerabilities that exist on a system. A lot of information can be gained from performing host discovery, port scanning, and vulnerability scanning activities, such as which ports or services are running and responding on a system, what operating system is installed on the system, and what applications and versions of applications are present.

When considering the precursors that this activity would generate, we would mainly be looking to monitor network connections and event logs from internet-facing systems.

Logs from firewalls or web application firewalls (WAFs) that have rules written to alert and log when one source IP is attempting to connect on X number of ports over a short period of time.
Logs from systems that are being scanned.

Social Engineering and Reconnaissance
Another way to obtain a large amount of information about an organization is, without a doubt, social engineering. With social skills and deception, both an attacker and a researcher can learn about almost any kind of information and any vulnerability of an organization. Techniques such as "dumpster diving" (searching through the rubbish for items such as USB sticks, printed documents, notebooks, etc.) or "eavesdropping" (listening to conversations between employees) are very useful for collecting pieces of information that can be brought together to discover vulnerabilities an attacker could exploit.

When considering the precursors that this activity would generate, we would mainly be looking at employee reports of unusual or suspicious activity and at CCTV footage from both inside and outside the office.

Non-employees looking through the organization's bins (dumpster diving).
Non-employees hanging around outside the office or lobby areas.
Employees being engaged with outside or near the office by unknown individuals.
Calls from unknown, withheld or spoofed phone numbers.
Documents or office equipment going missing.

OSINT Sources and Bulletin Boards
Finally, there is the review of social media, blogs, forums and bulletin boards, security articles and reports, and other OSINT data on both the clear web and the dark web.

When considering the precursors that this activity would generate, we would mainly be looking to monitor OSINT sources using free tools such as TweetDeck and paid intelligence resources such as Recorded Future.

An email or online message from a threat group threatening or stating they will attack the organization.
Publicly disclosed vulnerabilities (CVEs) that affect systems or programs that are used by the organization.
Chatter on underground forums about a zero-day or new malware that is being exploited or utilized in the wild.
Reports stating an increase in vulnerability exploitation activity supplied by government organizations or intelligence vendors.

4
Q

Conclusion

A

Precursors can appear in many forms and security professionals can take advantage of this to improve existing security positions in an organization or in their own system. Every day, attackers try harder to attack and infect their target, and it is everyone’s duty to prevent them from achieving their goal.

5
Q

Indicators of Compromise Explained

A

Indicators of compromise are a core part of threat intelligence, and allow us to share information on threats in several different formats. This information is used to power intrusion detection and prevention systems, endpoint detection and response systems, firewalls, and other automated defenses. Human analysts can also use these to perform threat exposure checks against their environments to identify the early, or late, signs of a cyberattack.

6
Q

Examples of IOCs

A

Below is a list of typical indicators of compromise that are shared publicly and between organizations.

Email Addresses – These are mailboxes that have been acting maliciously, such as sending emails containing malicious URLs, malicious attachments, or attempting to socially engineer email recipients into taking actions they wouldn’t usually take such as giving out information.
IP Addresses – These IPs have acted maliciously, such as performing unauthorized port or vulnerability scans, hosting malicious content or websites, or being linked to malicious actor infrastructure such as command-and-control (C2) servers. WHOIS lookups can also be conducted to gain more information, such as who owns the IP, where it is geographically based, its hostname, and occasionally contact details.
Domain Names/URLs – Sites that have been acting maliciously, such as hosting malware, phishing sites, or other malicious content.
File Hashes/File Names – We can easily share intelligence about malware or other malicious files, often by referring to them by their unique hash values (typically MD5, SHA-1, or SHA-256). Security teams can use these to blocklist the specific file hashes so that they are detected and removed by security solutions such as endpoint detection and response (EDR). Note that a hash identifies one exact file, so a single byte change in the malware produces a new hash that the blocklist will not match.

7
Q

IOC Formats

A

STIX and TAXII are common methods of sharing threat intelligence, such as indicators of compromise. Indicator values alone do not mean a lot, but with STIX we can share information in a structured format that provides much more than just lists of IOCs, such as the context in which an indicator was observed.

STIX:
Structured Threat Information eXpression, or STIX, was developed by MITRE and is now maintained by the OASIS Cyber Threat Intelligence Technical Committee as a standardized language for sharing threat information. For some organizations and information-sharing communities it has become the standard and is widely used. Whilst STIX is designed to be used in conjunction with TAXII, it can be shared without it. STIX is designed to share not just IOCs, but also threat:

Motivations
Abilities
Capabilities
Response
You can read more about STIX at this link – https://oasis-open.github.io/cti-documentation/stix/intro.html

MITRE have also provided some examples of indicators in STIX format, so you can get a feel of what STIX looks like here – https://stix.mitre.org/language/version1.0.1/samples.html

TAXII:
Trusted Automated eXchange of Intelligence Information, or TAXII, defines how cyber threat information can be shared using services and message exchanges. Designed to carry STIX content, a TAXII server allows information to be shared between specified groups, or provides a public "threat stream" that individuals can subscribe to in order to receive intelligence.

You can read more about STIX and TAXII at this link – https://medium.com/sekoia-io-blog/stix-and-taxii-c1f596866384
