Threat Research

Enough attribution to count

Naming and shaming the bad guys can be gratifying, but for practical protection, Threat Activity Clusters are the way

Today Sophos X-Ops published a very interesting blog connecting the dots on some ransomware group activity — a deduction method derived from a process we use to compile and correlate threat intelligence, called Threat Activity Clusters (TAC). TACs aren’t exactly attribution, but they are useful for practical threat detection, and for doing the two most important things you can do to defeat modern cyberattacks – reduce both the time to detect (TTD) and the time to respond (TTR).

Attribution is often unnecessary outside of a law enforcement context, and it’s very difficult to do with high confidence, unless the threat actor makes a mistake (or unless you have other means of gathering information about the situation, as governments do). What defenders really need is to be able to quickly recognize patterns (clusters) of attacker behaviors, which in turn expedites the ability to evict adversaries from networks.

Another advantage to this approach is it can allow us to more easily identify non-Sophos research that also matches the pattern, enabling us to add more detail to a “fuzzy match” of threat activities. After we uncovered the initial four cases covered in our post, we then were able to learn from information uncovered and published by Kroll about those additional Cactus cases that matched our cluster.

One of the advantages of providing MDR (Managed Detection and Response) services to more than 17,000 organizations is that we get to see the same attackers repeatedly. This enables us to spot patterns more quickly and see through much of the smoke screen left behind by the naming of different ransomware strains and criminal nicknames. Since the adoption of ransomware-as-a-service (RaaS) became widespread, it is often a specific affiliate we are interested in getting to know, more than the brand name they slap onto their ransom notes.

Old habits die hard

Ransomware groups come and go, but the crime itself is here to stay. It is important to celebrate our victories when groups like Conti self-destruct or when the US Department of Justice disrupts the infrastructure of a group like Hive, but in the end that is all it really is… a disruption for the adversaries, a moment of celebration for us. The boots on the ground that broke into networks around the world for the disrupted groups simply reform, rejoin, and move on to other targets.

What does that leave us with? Well, we know a lot about the patterns of activity that these clusters of attackers use, and they are unlikely to bother reinventing the wheel. In this case we were able to link four different ransomware “brands” to a set of attacks where the tactics used are too closely related to be a coincidence.

None of these techniques individually cause much notice, but when we consider the tiny details and the order with which they are carried out we end up with the equivalent of partial fingerprints. Maybe not enough to convict in a court of law, but enough to have a pretty good idea whom we are gathering evidence on and how to spot their handiwork. If it works for serial killers, why not serial encryptors?

Shortening the window

Once a TAC is identified, this aids in our two primary goals as defenders — reducing our TTD and TTR. A random mix of techniques may tip off an MDR provider or SOC (Security Operations Center) that something is amiss, but our human brains have remarkable abilities to glance at a collection of indicators of compromise (IoCs), rapidly recognize a pattern, and instinctively jump to action. These abilities help us recognize what might be mostly harmless admin tools as the weapon they are increasingly found to be and know that something is wrong. Once we know we have a problem we can infer what is likely to come next, shortening the window of compromise and risk.

Not only do we use TACs to better protect Sophos MDR customers, but we also share these IoCs with the community to help inform everyone and enable speedier responses for anyone consuming our shared data. As criminals have become more specialized to hone their abilities to scam, exploit, and profit from their misdeeds, we must come together to better recognize their handiwork and evict them from our systems as quickly as possible.

Don’t let perfect be the enemy of the good

Too often in the cybersecurity business we don’t always heed Voltaire’s sound advice to not let our desire for perfection dissuade us from simply getting close enough. In our hearts we all want to nail the criminals behind this; we want to see them serve some jail time, to see justice served. Yet is there really any solace in knowing which North Koreans stole your cryptocurrency, or which Vladimir encrypted your files?

We must remember not to confuse what is truly useful for our own and our collective defenses and what is simply emotionally satisfying. If we work together to do the useful bits, we might just be lucky enough to get both.

Leave a Reply

Your email address will not be published. Required fields are marked *