Mimicking evil

A deep dive into adversary profiles and how you can build them

This tutorial walks through building a simple adversary profile, using only open-source intelligence resources and procedures loaded into Operator. To do full-scale adversary emulation, you should involve an expert in Cyber Threat Intelligence.

In 2014, while working at Kenna Security (known as Risk I/O at the time), we were building tools to combine the vast, often disconnected, data that vulnerability scanners churn out in large numbers.

While building out the tools - specifically systems which combine the results from various scanners, correlate the data and recommend remediations - we naturally had a front-row seat to what an adversary takes advantage of during a hack.

Vulnerability scanners look at software versions and applications which are installed on a given computer. They match these up to known vulnerabilities, usually using Common Vulnerability and Exposures (CVE) definitions to assign a risk score of 1-10.

When a scanner notes that there is an active CVE on a computer, it raises the red flag (quite literally) and displays a notice to the system administrator.

In common terms, a CVE describes what a malicious person can do if they come across software of the specified version. In other words, CVEs let a scanner pick out the vulnerable applications across your computers.

An open vulnerability can be exploited. Adversaries will often run variations of the same vulnerability scanners the good guys use to identify easy targets, then pivot into attacks that exploit them.

What exactly is an adversary?

An adversary is a malicious threat actor. It is someone or some group that intends to inflict harm to a target. We all saw SolarWinds leveraged in a series of attacks as 2020 came to a close. Adversaries were the ones behind the attacks.

Generally speaking, an adversary could be a “script-kiddie” or a well-funded nation-state. The former is an individual “hacker” who buys or uses free malware to conduct attacks for malicious purposes, without understanding the fundamentals of the attack itself. The latter could consist of hundreds of offensive operatives in organized groups, known as Advanced Persistent Threats (APT).

APT groups usually operate in both cyber and non-cyber environments and are politically, financially or dually motivated. Unclassified APT groups are often referred to as UNC groups and financially motivated groups as FIN groups.

Some groups are extensions of countries while others are loosely associated with world regions where hackers organize to break into banks or conduct well-oiled attacks against consumers.

In any regard, an adversary has bad intentions. How many APT groups exist? No one knows for sure. How do you know if you are facing an APT? Three words: Cyber Threat Intelligence (CTI).

The role of CTI

The name of the game is attribution. In Cyber Threat Intelligence organizations, analysts sift through massive amounts of security breach data - both offensive and defensive - and attempt to reverse-engineer it. Their main goal is to accurately attribute who was responsible for a specific attack and if possible, determine the motivations behind it.

The results from attribution can be far reaching: a government may use the data to prove another nation is hacking them during a peace agreement period, a company may use attribution to prove an insider threat exfiltrated their data, a bank may use attribution to backtrace who (virtually) robbed their bank, and on and on it goes.

Attribution is half science, half art.

IOC + Behavior = attribution

The scientific side is easier to wrap your head around. Analysts look for tangible evidence related to an attack, such as IP addresses and email accounts discovered in log files. This type of data is known as Indicators of Compromise (IOC) and is paramount to successful attribution - but it can also be spoofed to throw off a CTI analyst. This is where art comes in.

Analysts leverage behavior-driven analysis to help their attribution. Similar to malware analysis, where reverse engineers look for code signatures that are habitual for programmers, CTI analysts look for common behaviors in the aftermath of an attack. The idea is that while an IOC can easily be spoofed, an intrinsic behavior is harder to change.

Analysts rely on a common language matrix, known as ATT&CK, to map behaviors at a tactical and technique level. Using ATT&CK, they can identify if a given adversary performs persistence immediately then lateral-movement or if they always attempt to escalate privileges before exfiltrating data.

However, similar to IOCs, behaviors are spoofed in the wild. It takes combining IOC and behavioral data to land on solid footing for attribution.

Seasoned analysts are able to sift through data and draw correlations between and within attacks to see patterns where spoofing may be at play. Of course, this means that attribution is rarely if ever 100% accurate. It is a moving target, but this is common in cybersecurity, where the cat-and-mouse game of attackers and defenders is prevalent.
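To make the "IOC + behavior" idea concrete, here is an added example (mine, not the author's or Prelude's) that scores one incident against two constructed actor profiles. The actor names, IOCs (RFC 5737 documentation addresses) and technique sequences are all made up; behavior is compared as ordered technique pairs so that the order of techniques counts, as in the persistence-then-lateral-movement pattern described above, and IOCs are deliberately weighted below behavior because they are cheap to spoof.

```python
"""Toy IOC + behaviour attribution scorer (added example, not Prelude's code).

Actor names, IOCs and technique sequences below are constructed for illustration.
"""

# Constructed intelligence: each known actor has IOCs from past incidents and a
# characteristic ordered sequence of ATT&CK techniques.
KNOWN_ACTORS = {
    "ACTOR-A": {
        "iocs": {"203.0.113.10", "mailer@example.net"},
        "behaviour": ["T1078", "T1547", "T1021", "T1041"],  # persist -> lateral -> exfil
    },
    "ACTOR-B": {
        "iocs": {"198.51.100.7"},
        "behaviour": ["T1078", "T1068", "T1005", "T1041"],  # escalate -> collect -> exfil
    },
}


def ioc_score(observed_iocs, actor):
    """Fraction of the actor's known IOCs that were seen in this incident."""
    known = actor["iocs"]
    return len(known & set(observed_iocs)) / len(known) if known else 0.0


def ordered_pairs(seq):
    """All (earlier, later) technique pairs in a sequence; this is what encodes order."""
    return {(a, b) for i, a in enumerate(seq) for b in seq[i + 1:]}


def behaviour_score(observed_seq, actor):
    """Jaccard similarity of ordered technique pairs: rewards the same techniques in the
    same relative order, not merely the same unordered set of techniques."""
    obs, known = ordered_pairs(observed_seq), ordered_pairs(actor["behaviour"])
    union = obs | known
    return len(obs & known) / len(union) if union else 0.0


def attribute(observed_iocs, observed_seq, ioc_weight=0.4):
    """Rank known actors by a weighted blend of both signals. The IOC weight is kept
    below the behaviour weight (a constructed weighting, not a published formula)
    because IOCs are easy to spoof and behaviour is harder to change."""
    ranking = []
    for name, actor in KNOWN_ACTORS.items():
        i, b = ioc_score(observed_iocs, actor), behaviour_score(observed_seq, actor)
        ranking.append((name, round(ioc_weight * i + (1 - ioc_weight) * b, 3), i, b))
    ranking.sort(key=lambda row: row[1], reverse=True)
    return ranking


if __name__ == "__main__":
    # Constructed incident: an IOC planted to look like ACTOR-A, but the technique
    # sequence matches ACTOR-B exactly; behaviour outweighs the spoofed IOC.
    for name, combined, i, b in attribute({"203.0.113.10"}, ["T1078", "T1068", "T1005", "T1041"]):
        print(f"{name}: combined={combined} ioc={i:.2f} behaviour={b:.2f}")
```

Run as a script, the ranking puts ACTOR-B first even though the only IOC in the incident belongs to ACTOR-A's history, which is the point of combining the two signals rather than trusting either alone.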

How does CTI intersect with adversary emulation?

Understanding the attack patterns that adversaries use can help you emulate them in your environment to better represent realistic threats you may face.

So you’re not the NSA or a major threat intelligence firm. How can you get access to this data?

Operator has a Professional license which gives you access to closed-source, more dangerous procedures which are used by real APT groups in the wild. Subscribe to this Prelude license to get frequent drops of new procedures.

You can use OSINT. Open Source Intelligence is the practice of gathering data freely available on the internet. Many organizations, such as FireEye, post threat intelligence reports in the form of blogs and other resources. By analyzing these reports, you can identify the ATT&CK tactics and techniques an adversary uses and load them in your Operator instance to build an adversary profile, representing the threat.

Read a threat report

Let's say we're a U.S. think tank, which contracts with the government. We may have seen the threat report published recently by the Cybersecurity & Infrastructure Security Agency (CISA).

Review the CISA report at https://us-cert.cisa.gov/ncas/alerts/aa20-336a.

Take a few minutes and scan the document. Take special note of the ATT&CK techniques referenced in the report (T* numbers).

You could build an extensive adversary profile from this report, ensuring you include a TTP from each tactic/technique described. But for example purposes, we're going to extract a simple adversarial behavior from this report: stealing files from a computer.

Scanning the report, we notice a few techniques we want to replicate. Since we want to steal files from a computer, we're going to need the ability to: locate files of interest, co-locate (stage) the files so they can be stolen in one shot, zip up the files to make the theft smaller and less noticeable, and then lift the zipped artifact from the remote machine back to our laptop.

From the report, we note down a few interesting techniques:

  • T1005: Data from a Local System (the files to steal)

  • T1074: Data staged (a place to put data before stealing)

  • T1560: Archive collected data (shrink the data before stealing)

  • T1041: Exfiltration over C2 channel (actually stealing the data).

With these techniques at hand, we can head to Operator and build our profile.

Build your own adversary profiles

In Operator, you can design your own adversary profiles, using either OSINT or other intelligence sources at your disposal, if you're lucky enough to have an internal intelligence team.

Start by opening Operator and navigating to the Emulate section. From here, your home range is automatically chosen and you can build an adversary from this screen.

When you build an adversary, it doesn't matter which range is selected, as adversaries are global. The range simply determines which set of agents you want to deploy your adversary against when the time comes.

When you click the Add Adversary button a new, blank adversary is created. Operator assigns each adversary a unique UUID-4 identifier, which is hidden from the GUI because you don't need to worry about it.

If you get into plugin writing, you may be interested in managing adversaries, at which point the identifier will become invaluable. Note that your adversary is saved to your disk, in your local workspace directory, in a YML file, so it will be accessible between reboots.

Each adversary is created with a default name, which you can change by clicking into the field.

Let’s go ahead and start building an adversary called ThinkTank, which will steal important files from a computer, following the threat report we analyzed earlier.

Next, click the edit button to open the TTP library.

You will be confronted with a search bar, which you will use to locate procedures you want to add to your adversary. By default, this library will be empty until you start searching.

Let’s start by searching for a T1005 procedure. As you start typing, TTPs matching your criteria will start to filter below. The search capability looks at all text within the given procedure file, including the name, description, commands and more. Your end result will show all procedures which contain the words in the search bar. Let's locate the one named Find recent files.

Here is the procedure (note the T1005 classification):

If you haven't read our post about Tactics, Techniques and Procedures, I'd recommend you do so at this point.

TTPs contain a name/description, ATT&CK classification details and have a list of supported platforms containing a sublist of executors, with commands.

Here we can see there are three operating systems (platforms) supported: Windows, Linux and MacOS (darwin). To the right of the platforms, in the last column, you can see the execution engines which can run the command. An execution engine can be a shell or non-shell program on a computer (think bash, PowerShell, shell code, assembly language, etc.) and a command is a single- or multi-line instruction that the executor can interpret.

Let’s go ahead and click Add to give this ability to our new adversary.

Once done, the add button flips to remove, indicating the ability is within the selected adversary profile.

Once done, let's repeat this activity for the following procedures, taking time to evaluate the commands within each TTP. Each line gives the technique to search for and, in parentheses, the procedure under that technique I'd like you to add for this example.

  • T1074 (Create staging directory)

  • T1074 (Stage sensitive files)

  • T1560 (Compress staged directory)

  • T1041 (File.io exfil)

When you are complete, you can click out (the X at the top-right of the screen) to exit adversary building. When you click back (Edit) into your adversary, you’ll now see all 5 procedures (abilities) your adversary contains - but you can continue editing the profile any time.

Now, let’s review your adversary.

It has 5 distinct abilities:

  • Find recent files: this procedure will hunt for specific user directories on the computer, looking for files which have been modified in the last 24 hours. This is a useful indicator that the file is important, so an adversary can start a hack by stealing the suspected important files.

  • Create staging directory: an adversary will often pick a location on a computer to copy files into before they steal them. In this procedure, the adversary will create a new directory on the computer to use as a staging directory.

  • Stage sensitive files: this TTP does the copying. It takes the files from the first procedure and copies them to the directory created in the second one. Note the variables in the command field for this TTP. This means Operator will use any files collected from a T1005 procedure and directories found from a T1074 procedure and fill in the variables with the found values. Operator does not know these values ahead of time; instead it uses parsing logic at run time to determine what to do and how to do it (the interoperability action).

  • Compress staged directory: Before the act of stealing, an adversary will often compress the target directory, in order to make the payload smaller and to avoid stealing many smaller files. Either of these cases - a large exfiltrated directory or a batch of smaller files leaving a network at once - is likely to raise some red flags for defenders. Note the variable used in this command.

  • File.io exfil: In this final procedure, the adversary exfiltrates the compressed directory to a common public file share, called file.io. This is one of many similar file share services, which allow you to share 1-use download links with another person for a semi-secure (security through obscurity) way to share files. Note the variable used in this final command as well.

In addition to searching the TTP library like we did in this step, you can manually look through the same set of procedures, in file form, by going to the Community repository.

Operator ships with our collection of open-source procedures but you can import your own private collection, or those from the Atomic Red Canary or Caldera projects by going to the Editor section and selecting the import button.

Once your adversary is built, you can then deploy it against any range of agents. This process will be shared in a future post. But in the meantime, read the docs in Operator to walk through the process now.

Other ways to create adversaries

Adversaries can also be built using tags or goals.

Adversary tags are macro categories that TTPs can be assigned to, such as ransomware or FIN6. You can use a tag to filter the TTPs for a common theme, if you are trying to build an adversary profile with a specific set of abilities. From the TTP library, you can filter procedures by tags.

Similarly, you can create an adversary using goals. A goal is an objective for the adversary to complete. You can enter any fact root and technique (such as file.T1005) with any value in the goal section (such as passwords.txt) and the adversary will automatically rebuild itself to contain the procedures which will help achieve the goal. Check our post which goes into more detail on this.
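The variable-filling described for the ThinkTank abilities above (Stage sensitive files, Compress staged directory and File.io exfil each consume a value an earlier procedure produced) and the goal-driven rebuild described here are two views of the same dependency graph. The following added example (mine, not Prelude's code) models that graph in Python: it extracts the #{root.Txxxx} variables a command consumes, checks that a profile lists every consumer after a producer of what it needs, reports which platforms the whole profile can run on, and assembles a profile from a goal fact such as file.T1560 by pulling in producers transitively. The procedure schema (name, technique, platforms, command, produces) and the five procedure bodies are constructed for illustration; only the fact-root-plus-technique variable style follows the post's description, and the exfil command is deliberately a placeholder.

```python
"""Static checks on an Operator-style adversary profile (added example, not Prelude's code).

The procedure schema and bodies below are constructed; only the #{root.Txxxx} variable
style follows the post's 'fact root & technique' description (e.g. file.T1005).
"""
import re

# A variable is a fact root plus the technique that produced it, e.g. #{file.T1005}.
VAR = re.compile(r"#\{([a-z_]+\.T\d{4})\}")

PROCEDURES = [  # constructed library, in the order the post adds them to ThinkTank
    {"name": "Find recent files", "technique": "T1005",
     "platforms": {"linux", "darwin", "windows"},
     "command": "find $HOME -type f -mtime -1", "produces": {"file.T1005"}},
    {"name": "Create staging directory", "technique": "T1074",
     "platforms": {"linux", "darwin", "windows"},
     "command": "mkdir -p /tmp/staged && echo /tmp/staged", "produces": {"directory.T1074"}},
    {"name": "Stage sensitive files", "technique": "T1074",
     "platforms": {"linux", "darwin", "windows"},
     "command": "cp #{file.T1005} #{directory.T1074}", "produces": {"directory.T1074"}},
    {"name": "Compress staged directory", "technique": "T1560",
     "platforms": {"linux", "darwin"},  # constructed: a tar-only variant to show platform narrowing
     "command": "tar -czf /tmp/staged.tgz #{directory.T1074}", "produces": {"file.T1560"}},
    {"name": "File.io exfil", "technique": "T1041",
     "platforms": {"linux", "darwin", "windows"},
     "command": "<upload #{file.T1560}: exfil command deliberately omitted>", "produces": set()},
]
BY_NAME = {p["name"]: p for p in PROCEDURES}


def requires(proc):
    """Facts a procedure's command consumes: every #{root.Txxxx} variable in it."""
    return set(VAR.findall(proc["command"]))


def check_ordering(adversary):
    """Walk the profile in order and report any variable no earlier procedure fills.
    Operator fills variables at run time from facts earlier procedures collected, so a
    consumer listed before its producer would have nothing to substitute."""
    problems, available = [], set()
    for proc in adversary:
        for fact in sorted(requires(proc) - available):
            problems.append(f"{proc['name']} needs {fact} before any procedure produces it")
        available |= proc["produces"]
    return problems


def common_platforms(adversary):
    """Platforms every procedure in the profile supports: the profile is only as
    portable as its least portable procedure."""
    platforms = None
    for proc in adversary:
        platforms = proc["platforms"] if platforms is None else platforms & proc["platforms"]
    return platforms or set()


def build_for_goal(goal, library=PROCEDURES):
    """Goal-driven assembly: select every procedure producing the goal fact, pull in
    producers of whatever those procedures consume, then order the result so each
    variable is filled before use. Ties keep library order, since several procedures
    can produce the same fact root (two T1074 procedures here)."""
    needed, frontier = [], [goal]
    while frontier:
        fact = frontier.pop()
        for proc in library:
            if fact in proc["produces"] and proc not in needed:
                needed.append(proc)
                frontier.extend(requires(proc))
    ordered, available = [], set()
    remaining = [p for p in library if p in needed]
    while remaining:
        ready = next((p for p in remaining if requires(p) <= available), None)
        if ready is None:  # a consumed fact has no producer anywhere in the library
            raise ValueError("unsatisfiable goal: " + ", ".join(p["name"] for p in remaining))
        ordered.append(ready)
        remaining.remove(ready)
        available |= ready["produces"]
    return ordered


if __name__ == "__main__":
    think_tank = [BY_NAME[n] for n in ("Find recent files", "Create staging directory",
                                       "Stage sensitive files", "Compress staged directory",
                                       "File.io exfil")]
    print("ordering problems:", check_ordering(think_tank) or "none")
    print("runs on:", sorted(common_platforms(think_tank)))
    print("goal file.T1560 ->", [p["name"] for p in build_for_goal("file.T1560")])
```

Run as a script, the ThinkTank order passes the ordering check, the common platform set narrows to linux and darwin because of the constructed tar-only compress step, and the goal file.T1560 rebuilds the first four procedures in dependency order. Swapping Stage sensitive files ahead of Create staging directory makes check_ordering name both unfilled variables, which is the kind of mistake worth catching before deploying a profile against a range.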

Deleting an adversary

You can easily delete an adversary, right from the Emulate -> adversary section as well. This is an irreversible action however, so do so only when you are done with your adversary. You can rebuild it at any point in the future.

Leveraging Cyber Threat Intelligence to build adversary profiles can seem daunting at first. Without experience, you may see your lack of knowledge as a barrier. And you'd be wrong. Sure, having a solid background as a CTI analyst will help you build better profiles - but no experience shouldn't create a wall. You can still get value.

We hope to lower the bar - and complexity - for building adversary profiles. If you always need an expert to build your profiles, you'll move slower and spend more money, diluting their value. You know your data, your environment, your risk tolerance better than anyone. Leverage that to build profiles that work for you.

Happy building.