Well, after a bit of travel that slowed me down, we’re ready to wrap up our introduction to STIX. We ended last time on a high level overview of the APT1 campaign as presented by Mandiant/FireEye. That top level looked a bit like Figure 1:
Figure 1 – Top Level View of the APT1 Campaign Tree View in STIXViz
Notice that we start with threat actors and TTPs. That’s just this campaign. What will be in the top level view will depend upon the data used to create the STIX profile and how much you want to open up the view. I have opened a couple of levels below the top – the top being just one actor and one TTP. Each time I open a new level by clicking on an icon I get more information. Don’t open everything at once. Take time to think through what you are seeing and referencing the HTML – the “pretty” XML. We’ll pass on the XML for the moment and concentrate on the tree.
Let’s open up one of the actors for a moment. Notice, in Figure 2, that we are expanding the GSD 3rd Department actor. That expands to the PLA General Staff which in turn expands to China. Note that the China actor is not red as are the rest. That is because you have reached the end of the chain. You have traced a threat actor back to its source and the source is China. You cannot go farther because there is no place else to go.
Figure 2 – Expanding GSD 3rd Department
Next, let’s have a look at APT1’s tools, techniques and processes. If we expand that TTP we get a fairly complete list. These are the TTPs observed by Mandiant when they analyzed their data. That is in Figure 3 and is pretty hard to read so we’ll dig a bit deeper in Figure 4.
Figure 3 – Expansion of generalized APT1 TTPs
Figure 4 shows how APT1 maps a domain name infrastructure. There are three TTPs here: Registered DNS Zones, 3rd Party Services, and Hijacked FQDN. These all are gray so we’re at the end of our road. Now we will need to do some research to see how those techniques work unless the author of the profile has included that for us. That would be the right way to do it since we intend that our profiles are shared.
Figure 4 – Mapping the Domain Name Infrastructure
If you look down at the end of the TTP row, you’ll see a threat actor called China: Pudong New Area. If we expand that, we see the actors involved with using the APT1 TTPs as well as a recap of the TTPs themselves. Figure 5 shows this for you.
Figure 5 – APT1 TTPs Expanded Also Showing Actors
Finally, let’s expand a single, well-known, actor: Ugly Gorilla, AKA Wang Dong, AKA JackWang. You’ll note that his TTPs are just references to a suite of malware and an observable, in this case, a domain name, hugesoft.org. Without reading the XML, we can infer from this that there is an extensive suite of malware and a particular site used, perhaps, as a phishing decoy. It turns out that these assumptions are not far off track. Figure 6 shows this breakdown.
Figure 6 – Ugly Gorilla
That gets us to the end of the tutorial. From now on, when I describe a particular threat, I’ll use STIX and you’ll find that the interpretation is about as straightforward s it gets.
Here’s the Malware Domain List for this time.
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – nothing particularly technical, but interesting stories none-the-less.