F3EAD the Bear

Prevailion
5 min read · Apr 6, 2022

Prevailion’s newest product, Arktos, provides a unique opportunity for security and risk teams to validate the controls they’ve put in place. At the most fundamental level, Arktos answers the question, “can your systems connect to malicious systems?” This question cuts straight through the jargon and tooling du jour with regards to EDR, XDR, IPS/IDS. Regardless of their stack’s performance, security teams are responsible for the confidentiality, integrity, and availability of their networks and systems. It is the author’s opinion that a “brilliance in the basics” philosophy — employing skilled analysts with a solid understanding of the foundations of computer science and networking that are supported and kept sharp through up-skilling — should undergird any security team and its tools; Arktos provides the opportunity to apply this philosophy to the security validation space.

It is a universally accepted fact that malware must communicate externally to be effective; via one mechanism or another, the threat actor (TA) must be able to control their tools or receive exfiltrated information. Without this capability, there is no purpose to attack & infiltrate systems (the notable exception being certain denial of service attacks). Keeping this in mind, Arktos cuts to the heart of this truth: an agent running on a system within the boundaries of security coverage attempts to initiate communications with malicious infrastructure. Importantly, the attacker no longer controls this infrastructure: Prevailion does. Prevailion is uniquely situated to provide value in this controls validation space, as our internal intelligence workflow is organized around the F3EAD Targeting Process. The F3EAD (Find, Fix, Finish, Exploit, Analyze, Disseminate) framework is used to generate effects against a target; in Prevailion’s case that target is malware using the world wide web as a command and control (C2) medium.

Our internal team of analysts uses a variety of tools and data to Find malware using web-based C2. Once this malware (the ‘target’) is identified, we Fix it in time and space: we answer as many of the 5W’s as we can. Who is using it, what are they using it for, when were they using it, where are they using it (i.e., who are the victims?), and why/how are they using it? Answering these questions provides valuable insight into the attacker, the victim, and the operational environment (attacks never occur in a vacuum, ergo context is valuable). This knowledge from the Fix stage is a prerequisite for Prevailion to assume control of the malicious C2 infrastructure in the Finish stage. Upon taking control of the malicious C2 infrastructure, Prevailion gathers telemetry from ongoing compromises (and whatever else may occasionally poke at malicious infrastructure: the internet can be a wild and chaotic place). This additional insight is truly what underpins the additional capabilities highlighted by the Exploit, Analyze, and Disseminate stages.

Exploitation of the telemetry, enabled by assuming control of the C2 infrastructure, provides our analysts with additional insight into victimology as well as emerging trends regarding the Threat Actor’s TTPs. We are able to see links to previously-unknown attacker infrastructure or victim networks; we can watch new attacker infrastructure come online, and we can watch the tactical implementation of new communications channels like ports and protocols. Yet these insights aren’t self-evident; they require Analysis from our team of skilled researchers that cross-references open source reporting with our internal data sets, and correlation across disparate data formats and sources. The resultant information, enriched, contextualized, and ready to be operationalized, would be all for naught if the last stage in the cycle weren’t executed, however, and this is where Arktos enters the picture. Prevailion Disseminates its Intelligence findings to its customers; one such form of dissemination is the Arktos Malware Replication Profile (MRP).

Before we dive into how Arktos MRPs work, and how they can be utilized for a variety of controls validation, a quick primer:

  • The internet is an interconnected ‘network of networks’, with the World Wide Web riding on top.
  • For any connections from one stand-alone network to another to occur (e.g., your phone to your bank app, your computer’s web browser to your favorite news site, your email client to the server housing your email inbox), an IP address is required to identify both parties in the communication (i.e., the server and the client).
  • Often, domain names, like “Wikipedia.org,” are mapped to IP addresses so as to provide a sense of brand, recognition, and utility that IP addresses cannot (IP addresses are for machines, domain names are for people).
  • Most legitimate sites will have a domain name that is mapped to (one or more) IP addresses.
  • Software that uses the internet to connect to remote computers (malware and abused security tools included) will oftentimes use domain names to identify the remote server it wishes to connect to. Malicious actors may make the decision to use domain names to blend into legitimate traffic or as a way to provide resiliency against abuse/take-down requests.
  • Various network-based security controls are based on these domain names: DNS filtering, blocklists, DNS firewalling, as well as overlapping capabilities from other tools like WAFs and IPS/IDS.

If a connection to a remote attacker-controlled server is required for an attacker to achieve their objectives, then it stands to reason that there are a wide variety of tools and philosophies to prevent these connections. But how do you know that they’re working? How can these controls, once put into production or staged for testing, be objectively evaluated? Let’s travel back to the basics: attempt a connection to a (formerly) known-bad domain.

Arktos, in the form of an agent executing on a system within a security boundary, executes an MRP based on Intelligence provided by Prevailion. These MRPs are Disseminated to the end user, representing actionable, timely, accurate, and operationalized intelligence derived from the targeted and deliberate collection, exploitation and analysis of information; they are an output of the F3EAD cycle. MRPs are authored specifically to mimic the network behavior exhibited by a specific threat group (e.g., Conti) and/or malware family (e.g., IcedID or AnchorDNS). This network behavior, grounded in trusted reporting and observation, should be identified and/or blocked by security controls. If it is not, the control isn’t working. Herein lies the “back to the basics” mentality of Arktos’ controls validation methodology: with security controls installed and configured, can these outbound connections be made?
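The “back to the basics” check described above (resolve a formerly known-bad domain, try to connect, and see whether a control stopped it) can be written down as a small probe that records where in the path the connection was stopped. The script below is an added illustration, not Prevailion’s Arktos agent or an MRP; it is not the company’s code. The domain names, the list of local sinkhole/block addresses, and the four verdict labels are assumptions made for the example. The resolver and connector are injectable so the classification logic can be exercised against canned answers without touching the network.

```python
"""Outbound-control validation probe (added example, not Prevailion code).

For each domain the probe asks two questions, in the order a real
connection would: did DNS answer, and did the TCP handshake complete?
The answers are mapped to a verdict that names the layer where the
connection was stopped, or flags a control gap when nothing stopped it.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed placeholder domains (RFC 2606 .invalid TLD never resolves).
# A real run would use a defender-owned test domain or a vendor-supplied list.
SAMPLE_DOMAINS: List[str] = ["known-bad-example.invalid", "sinkholed-example.invalid"]

# Addresses that DNS filters commonly hand back instead of the real record.
# Assumption for this example; adjust to what your resolver actually returns.
LOCAL_SINK: Set[str] = {"0.0.0.0", "127.0.0.1", "::", "::1"}

Resolver = Callable[[str], Optional[str]]
Connector = Callable[[str, int], bool]


@dataclass
class ProbeResult:
    domain: str
    resolved_ip: Optional[str]
    connected: bool
    verdict: str


def default_resolver(domain: str) -> Optional[str]:
    """Resolve via the system resolver; None means NXDOMAIN/refused/timeout."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


def default_connector(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP handshake only; nothing is sent after connecting."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (egress filtering)
        return False


def classify(resolved_ip: Optional[str], connected: bool, sink_addrs: Set[str]) -> str:
    """Map (DNS answer, TCP outcome) to the layer that stopped the connection."""
    if resolved_ip is None:
        return "blocked-at-dns"        # resolver withheld the answer
    if resolved_ip in sink_addrs:
        return "sinkholed"             # resolver answered with a block address
    if not connected:
        return "blocked-at-network"    # resolved, but egress was refused
    return "reachable"                 # no control fired: this is the gap


def probe(domains: Iterable[str], port: int = 443,
          resolver: Resolver = default_resolver,
          connector: Connector = default_connector,
          sink_addrs: Set[str] = LOCAL_SINK) -> List[ProbeResult]:
    results: List[ProbeResult] = []
    for domain in domains:
        ip = resolver(domain)
        # Skip the handshake when DNS already stopped us or pointed at a sinkhole.
        connected = connector(ip, port) if ip and ip not in sink_addrs else False
        results.append(ProbeResult(domain, ip, connected, classify(ip, connected, sink_addrs)))
    return results


def summarize(results: List[ProbeResult]) -> Dict[str, object]:
    """Count blocked probes and list the domains that got through."""
    gaps = [r.domain for r in results if r.verdict == "reachable"]
    return {"total": len(results), "blocked": len(results) - len(gaps), "gaps": gaps}


if __name__ == "__main__":
    for r in probe(SAMPLE_DOMAINS):
        print(f"{r.domain:<32} ip={r.resolved_ip!s:<16} verdict={r.verdict}")
    print(summarize(probe(SAMPLE_DOMAINS)))
```

The value of the verdict is that it tells the analyst which control to look at: “blocked-at-dns” and “sinkholed” credit the DNS filter, “blocked-at-network” credits the egress firewall or IPS, and “reachable” is the finding the article is after, a connection that the stack should have stopped but did not. Run it from inside the security boundary under test, not from an unfiltered network, or every result will read as a gap.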

Tune in next time when we dive deeper into how Prevailion’s research team creates an MRP from start to finish!


The Prevailion blog is authored by members of the Prevailion Adversarial Counterintelligence Team (PACT)