2000 years on from Sun Tzu’s ‘The Art of War’, his tactics of deception and espionage are more pertinent than ever. Modern-day warfare is plagued by the problem of attribution. With cyber-attacks appearing to come from different nations and masquerading as different threats, how can you hope you gain the advantage?
“All war is based on deception.” — Sun Wu Tzu, ‘The Art of War’
Influencing the Vietcong, Chairman Mao, and the KGB, Sun Tzu has had a profound impact on military strategy around the world. His focus on winning rather than conforming to a ‘fair fight’ has imbued many of the conflicts this last century, as we shift from traditional binary warfare to a battlefield which is far murkier, where it is not always clear who you are fighting or what actions are being taken.
Asymmetric warfare – waged with espionage, proxy battles, disinformation campaigns, and guerrilla tactics – is now the new normal.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
Most kinetic acts can be attributed and countered in a relatively straightforward manner. Physical borders and satellite imagery mean that if you’re targeted in the real world, you tend to know exactly where it’s coming from. But the rules of cyber-space are different.
Take the TV5Monde case back in April 2015: a cyber-attack shut down the French TV network, and the hacking group Cyber Caliphate – operators of the Islamic State – immediately claimed responsibility. But closer inspection revealed that this wasn’t a terrorist attack at all. Allegedly, Russia had been behind the whole thing, in what is commonly referred to as ‘false flag’ operation.
Or consider the phishing emails impersonating the far-right Proud Boys group, which spread fear, uncertainty, and doubt prior to the 2020 US elections – and which transpired to be the work of Iranian nation-state actors. Yet – when we consider that in 2019, it came to light that the Russian Group Turla had hacked into Iran’s intelligence agency and was launching campaigns against the Middle East and the West, using Iranian infrastructure – the true battleground becomes less apparent.
“To subdue the enemy without fighting is the acme of skill.”
Attribution has been weaponized, and this makes it extremely difficult for victims to action a proportionate response. How do you go to war over SolarWinds when Russia denies any involvement? How do you punish China for the Microsoft Exchange attacks when they claim the accusation is nothing more than a “malicious smear”? It is the tactic of denial and deception in practice, and to date it has proved extremely effective.
Attacks can appear to come from one place when they come from another. In addition, malware itself can be camouflaged. This is significant because different types of malware have different objectives and are leveraged by different groups. For example, ransomware tends to be financially motivated and so is often deployed by organized crime.
So, when a disk wiper sent by Iran pretends to be ransomware and destroys Israeli systems, this is Iran using the guise of a financial attack to mask what is in reality a political act, and ultimately could be construed as an act of war.
Cyber-space is becoming more anonymous by the day. Monitoring TTPs with rules and signatures is of little value because infrastructure can be changed so easily. Our security systems fundamentally cannot answer the question of attribution. It is not as simple as saying, ‘we followed these IP addresses, and that attack was APT27.’ All we can say is that the code and geolocation are similar to what we’ve seen from this threat actor, but they may well be an imitation.
In turn, nation states exploit this anonymity to launch campaigns under false identities and with disguised weapons.
“I will force the enemy to take our strength for weakness, and our weakness for strength, and thus will turn their strength into weakness.”
The US has possibly the strongest offensive cyber capabilities in the world. If the Five Eyes nations wished to crash the Internet or shut off the lights in a major city, they could do so. But this firepower greatly enhances the risk of misattribution. A false flag operation in a volatile region could set off a very destructive chain of events. The last thing the US government wish to do is mistakenly escalate conflict with an innocent third party.
Human-sourced intelligence (HUMINT) is the only reliable method of attribution, but it is not infallible. An agent on the ground with access to insider information is hard to come by, and even if a government could attribute an attack with certainty, they may not desire to reveal how they sourced that knowledge.
So, with the situation currently as it stands, how can you hope to react?
“Invincibility lies in the defense; the possibility of victory in the attack.”
Biden’s ‘red lines’ are a step in the right direction. There needs to be more transparency over which actions lead to which consequences. But these agreements are limited for the reasons we have discussed: how do you know for certain the extent to which the Kremlin is affiliated with Russian ransomware gangs?
It sounds simple, but the most effective way to prevent these scenarios is to stop the attack before it has happened. Defensive capabilities are the key to this conflict. Cyber-peace is not coming anytime soon, but cyber-resilience may prove pivotal in gaining the advantage.
Vous aimez ça et en voulez plus ?
Recevez le dernier blog dans votre boîte de réception
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.
NEWSLETTER
Vous aimez ça et en voulez plus ?
Stay up to date on the latest industry news and insights.
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Justin Fier
SVP, Red Team Operations
Justin is one of the US’s leading cyber intelligence experts, and holds the position of SVP, Red Team Operations at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.
Sliver C2: How Darktrace Provided a Sliver of Hope in the Face of an Emerging C2 Framework
17
Apr 2024
Offensive Security Tools
As organizations globally seek to for ways to bolster their digital defenses and safeguard their networks against ever-changing cyber threats, security teams are increasingly adopting offensive security tools to simulate cyber-attacks and assess the security posture of their networks. These legitimate tools, however, can sometimes be exploited by real threat actors and used as genuine actor vectors.
What is Sliver C2?
Sliver C2 is a legitimate open-source command-and-control (C2) framework that was released in 2020 by the security organization Bishop Fox. Silver C2 was originally intended for security teams and penetration testers to perform security tests on their digital environments [1] [2] [5]. In recent years, however, the Sliver C2 framework has become a popular alternative to Cobalt Strike and Metasploit for many attackers and Advanced Persistence Threat (APT) groups who adopt this C2 framework for unsolicited and ill-intentioned activities.
The use of Sliver C2 has been observed in conjunction with various strains of Rust-based malware, such as KrustyLoader, to provide backdoors enabling lines of communication between attackers and their malicious C2 severs [6]. It is unsurprising, then, that it has also been leveraged to exploit zero-day vulnerabilities, including critical vulnerabilities in the Ivanti Connect Secure and Policy Secure services.
Given its open-source nature, the Sliver C2 framework is extremely easy to access and download and is designed to support multiple operating systems (OS), including MacOS, Windows, and Linux [4].
Sliver C2 generates implants (aptly referred to as ‘slivers’) that operate on a client-server architecture [1]. An implant contains malicious code used to remotely control a targeted device [5]. Once a ‘sliver’ is deployed on a compromised device, a line of communication is established between the target device and the central C2 server. These connections can then be managed over Mutual TLS (mTLS), WireGuard, HTTP(S), or DNS [1] [4]. Sliver C2 has a wide-range of features, which include dynamic code generation, compile-time obfuscation, multiplayer-mode, staged and stageless payloads, procedurally generated C2 over HTTP(S) and DNS canary blue team detection [4].
Why Do Attackers Use Sliver C2?
Amidst the multitude of reasons why malicious actors opt for Sliver C2 over its counterparts, one stands out: its relative obscurity. This lack of widespread recognition means that security teams may overlook the threat, failing to actively search for it within their networks [3] [5].
Although the presence of Sliver C2 activity could be representative of authorized and expected penetration testing behavior, it could also be indicative of a threat actor attempting to communicate with its malicious infrastructure, so it is crucial for organizations and their security teams to identify such activity at the earliest possible stage.
Darktrace’s Coverage of Sliver C2 Activity
Darktrace’s anomaly-based approach to threat detection means that it does not explicitly attempt to attribute or distinguish between specific C2 infrastructures. Despite this, Darktrace was able to connect Sliver C2 usage to phases of an ongoing attack chain related to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances in January 2024.
Around the time that the zero-day Ivanti vulnerabilities were disclosed, Darktrace detected an internal server on one customer network deviating from its expected pattern of activity. The device was observed making regular connections to endpoints associated with Pulse Secure Cloud Licensing, indicating it was an Ivanti server. It was observed connecting to a string of anomalous hostnames, including ‘cmjk3d071amc01fu9e10ae5rt9jaatj6b.oast[.]live’ and ‘cmjft14b13vpn5vf9i90xdu6akt5k3pnx.oast[.]pro’, via HTTP using the user agent ‘curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.7’.
Darktrace further identified that the URI requested during these connections was ‘/’ and the top-level domains (TLDs) of the endpoints in question were known Out-of-band Application Security Testing (OAST) server provider domains, namely ‘oast[.]live’ and ‘oast[.]pro’. OAST is a testing method that is used to verify the security posture of an application by testing it for vulnerabilities from outside of the network [7]. This activity triggered the DETECT model ‘Compromise / Possible Tunnelling to Bin Services’, which breaches when a device is observed sending DNS requests for, or connecting to, ‘request bin’ services. Malicious actors often abuse such services to tunnel data via DNS or HTTP requests. In this specific incident, only two connections were observed, and the total volume of data transferred was relatively low (2,302 bytes transferred externally). It is likely that the connections to OAST servers represented malicious actors testing whether target devices were vulnerable to the Ivanti exploits.
The device proceeded to make several SSL connections to the IP address 103.13.28[.]40, using the destination port 53, which is typically reserved for DNS requests. Darktrace recognized that this activity was unusual as the offending device had never previously been observed using port 53 for SSL connections.
Further investigation into the suspicious IP address revealed that it had been flagged as malicious by multiple open-source intelligence (OSINT) vendors [8]. In addition, OSINT sources also identified that the JARM fingerprint of the service running on this IP and port (00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) was linked to the Sliver C2 framework and the mTLS protocol it is known to use [4] [5].
However, it was not just during the January 2024 exploitation of Ivanti services that Darktrace observed cases of Sliver C2 usages across its customer base. In March 2023, for example, Darktrace detected devices on multiple customer accounts making beaconing connections to malicious endpoints linked to Sliver C2 infrastructure, including 18.234.7[.]23 [10] [11] [12] [13].
Darktrace identified that the observed connections to this endpoint contained the unusual URI ‘/NIS-[REDACTED]’ which contained 125 characters, including numbers, lower and upper case letters, and special characters like “_”, “/”, and “-“, as well as various other URIs which suggested attempted data exfiltration:
This anomalous external connectivity was carried out through multiple destination ports, including the key ports 443 and 8888.
Darktrace additionally observed devices on affected customer networks performing TLS beaconing to the IP address 44.202.135[.]229 with the JA3 hash 19e29534fd49dd27d09234e639c4057e. According to OSINT sources, this JA3 hash is associated with the Golang TLS cipher suites in which the Sliver framework is developed [14].
Conclusion
Despite its relative novelty in the threat landscape and its lesser-known status compared to other C2 frameworks, Darktrace has demonstrated its ability effectively detect malicious use of Sliver C2 across numerous customer environments. This included instances where attackers exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure services.
While human security teams may lack awareness of this framework, and traditional rules and signatured-based security tools might not be fully equipped and updated to detect Sliver C2 activity, Darktrace’s Self Learning AI understands its customer networks, users, and devices. As such, Darktrace is adept at identifying subtle deviations in device behavior that could indicate network compromise, including connections to new or unusual external locations, regardless of whether attackers use established or novel C2 frameworks, providing organizations with a sliver of hope in an ever-evolving threat landscape.
Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant
Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email
09
Apr 2024
Organizations Should Demand More from their Email Security
In response to a more intricate threat landscape, organizations should view email security as a critical component of their defense-in-depth strategy, rather than defending the inbox alone with a traditional Secure Email Gateway (SEG). Organizations need more than a traditional gateway – that doubles, instead of replaces, the capabilities provided by native security vendor – and require an equally granular degree of analysis across all messaging, including inbound, outbound, and lateral mail, plus Teams messages.
Darktrace/Email is the industry’s most advanced cloud email security, powered by Self-Learning AI. It combines AI techniques to exceed the accuracy and efficiency of leading security solutions, and is the only security built to elevate, not duplicate, native email security.
With its largest update ever, Darktrace/Email introduces the following innovations, finally allowing security teams to look beyond secure email gateways with autonomous AI:
AI-augmented data loss prevention to stop the entire spectrum of outbound mail threats
an easy way to deploy DMARC quickly with AI
major enhancements to streamline SOC workflows and increase the detection of sophisticated phishing links
expansion of Darktrace’s leading AI prevention to lateral mail, account compromise and Microsoft Teams
Block the entire spectrum of outbound mail threats with advanced data loss prevention that builds on tags in native email to stop unknown, accidental, and malicious data loss
Darktrace understands normal at individual user, group and organization level with a proven AI that detects abnormal user behavior and dynamic content changes. Using this understanding, Darktrace/Email actions outbound emails to stop unknown, accidental and malicious data loss.
Traditional DLP solutions only take into account classified data, which relies on the manual input of labelling each data piece, or creating rules to catch pattern matches that try to stop data of certain types leaving the organization. But in today’s world of constantly changing data, regular expression and fingerprinting detection are no longer enough.
Human error – Because it understands normal for every user, Darktrace/Email can recognize cases of misdirected emails. Even if the data is correctly labelled or insensitive, Darktrace recognizes when the context in which it is being sent could be a case of data loss and warns the user.
Unclassified data – Whereas traditional DLP solutions can only take action on classified data, Darktrace analyzes the range of data that is either pending labels or can’t be labeled with typical capabilities due to its understanding of the content and context of every email.
Insider threat – If a malicious actor has compromised an account, data exfiltration may still be attempted on encrypted, intellectual property, or other forms of unlabelled data to avoid detection. Darktrace analyses user behaviour to catch cases of unusual data exfiltration from individual accounts.
And classification efforts already in place aren’t wasted – Darktrace/Email extends Microsoft Purview policies and sensitivity labels to avoid duplicate workflows for the security team, combining the best of both approaches to ensure organizations maintain control and visibility over their data.
End User and Security Workflows
Achieve more than 60% improvement in the quality of end-user phishing reports and detection of sophisticated malicious weblinks1
Darktrace/Email improves end-user reporting from the ground up to save security team resource. Employees will always be on the front line of email security – while other solutions assume that end-user reporting is automatically of poor quality, Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one.
Users are empowered to assess and report suspicious activity with contextual banners and Cyber AI Analyst generated narratives for potentially suspicious emails, resulting in 60% fewer benign emails reported.
Out of the higher-quality emails that end up being reported, the next step is to reduce the amount of emails that reach the SOC. Darktrace/Email’s Mailbox Security Assistant automates their triage with secondary analysis combining additional behavioral signals – using x20 more metrics than previously – with advanced link analysis to detect 70% more sophisticated malicious phishing links.2 This directly alleviates the burden of manual triage for security analysts.
For the emails that are received by the SOC, Darktrace/Email uses automation to reduce time spent investigating per incident. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. Analysts can take remediation actions from within Darktrace/Email, eliminating console hopping and accelerating incident response.
Microsoft Teams
Detect threats within your Teams environment such as account compromise, phishing, malware and data loss
Around 83% of Fortune 500 companies rely on Microsoft Office products and services, particularly Teams and SharePoint.3
Darktrace now leverages the same behavioral AI techniques for Microsoft customers across 365 and Teams, allowing organizations to detect threats and signals of account compromise within their Teams environment including social engineering, malware and data loss.
The primary use case for Microsoft Teams protection is as a potential entry vector. While messaging has traditionally been internal only, as organizations open up it is becoming an entry vector which needs to be treated with the same level of caution as email. That’s why we’re bringing our proven AI approach to Microsoft Teams, that understands the user behind the message.
Anomalous messaging behavior is also a highly relevant indicator of whether a user has been compromised. Unlike other solutions that analyze Microsoft Teams content which focus on payloads, Darktrace goes beyond basic link and sandbox analysis and looks at actual user behavior from both a content and context perspective. This linguistic understanding isn’t bound by the requirement to match a signature to a malicious payload, rather it looks at the context in which the message has been delivered. From this analysis, Darktrace can spot the early symptoms of account compromise such as early-stage social engineering before a payload is delivered.
Lateral Mail Analysis
Detect and respond to internal mailflow with multi-layered AI to prevent account takeover, lateral phishing and data leaks
The industry’s most robust account takeover protection now prevents lateral mail account compromise. Darktrace has always looked at internal mail to inform inbound and outbound decisions, but will now elevate suspicious lateral mail behaviour using the same AI techniques for inbound, outbound and Teams analysis.
Unlike other solutions which only analyze payloads, Darktrace analyzes a whole range of signals to catch lateral movement before a payload is delivered. Contributing yet another layer to the AI behavioral profile for each user, security teams can now use signals from lateral mail to spot the early symptoms of account takeover and take autonomous actions to prevent further compromise.
DMARC
Gain in-depth visibility and control of 3rd parties using your domain with an industry-first AI-assisted DMARC
Darktrace has created the easiest path to brand protection and compliance with the new Darktrace/DMARC. This new capability continuously stops spoofing and phishing from the enterprise domain, while automatically enhancing email security and reducing the attack surface.
Darktrace/DMARC helps to upskill businesses by providing step by step guidance and automated record suggestions provide a clear, efficient road to enforcement. It allows organizations to quickly achieve compliance with requirements from Google, Yahoo, and others, to ensure that their emails are reaching mailboxes.
Meanwhile, Darktrace/DMARC helps to reduce the overall attack surface by providing visibility over shadow-IT and third-party vendors sending on behalf of an organization’s brand, while informing recipients when emails from their domains are sent from un-authenticated DMARC source.
Darktrace/DMARC integrates with the wider Darktrace product platform, sharing insights to help further secure your business across Email Attack Path and Attack Surface management.
Learn about the intersection of cyber and AI by downloading the State of AI Cyber Security 2024 report to discover global findings that may surprise you, insights from security leaders, and recommendations for addressing today’s top challenges that you may face, too.