The need for dump analysis in Cyber Threat Intelligence (CTI)

Over the last year, there have been numerous dumps of stolen classified data posted on the Internet for all to see.  The damage from these dumps has obviously been huge to the US intelligence community.  In this post, we won’t discuss the actual damage of the dumps to the intelligence community (many others have already pontificated on that).  Instead, this post will focus on the need for CTI analysts to perform analysis of the dumps.

For the first time, CTI analysts have a view of what appears to be a relatively complete nation state toolset in the Shadow Brokers dumps and insight into tool development and computer network exploitation (CNE) tool requirements in the Vault 7 dumps.  These are game changers for CTI analysts. We define threat as the intersection between intent, opportunity, and capability.  These tools and documents highlight the capabilities of an APT adversary. Whether or not you believe the US intelligence services have the intent to attack your network, it is likely (almost certain) that other nation state attackers have developed similar capabilities.  Analyzing the data you have available (Shadow Brokers and Vault 7) can help shed light on what you don't have available (every other nation state attacker's toolset in a single dump).

Note: We understand that this is a sensitive topic. When classified data is released, it is still considered classified until declassified by a classification authority.  There is no evidence that any classification authorities have declassified the data in the Shadow Brokers or Vault 7 dumps.  It is likely that they remain classified to this day.  The advice in this article may put those with security clearances at odds with the advice of their security officers.  Please proceed with care.

Shadow Brokers dumps

The Shadow Brokers dumps contain a wide range of CNE tools.  They contain a number of exploits, backdoors, post exploitation tools, and auxiliary tools.  The world has already seen the EternalBlue exploit used in multiple attacks, including WannaCry, Petya, and AES-NI.  Before WannaCry, we observed a number of attackers exploiting machines using EternalBlue to distribute crypto mining software and password stealing software.  Russian attackers are now being observed using EternalBlue to perform lateral movement in hotel networks.

There is little doubt that attackers will continue to use the exploits, tools, and techniques from the Shadow Brokers dumps.  We still occasionally see MS08-067 in internal networks almost a decade after the patch was released. MS17-010 (EternalBlue and others) will likely be the same.  It will be quite a long time before these vulnerabilities are patched in the wild everywhere vulnerable machines are deployed.

We have already seen adaptations of some of the Shadow Brokers-released tools.  There are still likely many lessons to be learned from the dumps in terms of IOCs, TTPs, and tool capabilities.  Make no mistake about it: every APT group on the planet has dedicated resources to understanding this tool dump. Your teams should be doing it too.

Vault 7 dumps

The Vault 7 dumps, while initially possibly not as interesting as the Shadow Brokers tools, probably will have a longer lasting impact for CTI analysts.  While the Shadow Brokers tools are immediately usable, they do little to demonstrate the intent of the analysts and operators.  Many of the Vault 7 documents show the requirements levied by analysts on the tool developers.  All CNE tools are developed to serve a particular purpose.  By examining the requirements in the documents, analysts can understand the problems and challenges that are faced by nation state CNE operators.

Another benefit of analyzing the Vault 7 documents is understanding which capabilities are potentially more difficult for developers to build. When presented with requirements, it is rare for developers to simply ignore requirements. The requirements not delivered in a particular release (or mentioned for future releases) are likely the most difficult to implement and troubleshoot.  Another benefit of the requirements documents is the realization that CNE tool developers are getting requirements to evade specific antivirus vendors.  The choice of antivirus to evade tells us something about the target sets the tools were designed for. But even leaving that out, it is important to note that the documents demonstrate to management that APTs can and do evade antivirus at will. This by itself may be more justification for defense in depth.

Finally, many of the Vault 7 wikis contain notes and discussions. These are extremely valuable in understanding the mindset of a CNE development/operations team.  Understanding the mindset of these attackers is perhaps more valuable than seeing their tools.  The tools will change.  Developer and operator mindset drives TTPs, and those are at the top of the pyramid of pain (the toughest thing for an adversary to change).

Pyramid of Pain

Closing thoughts

The Shadow Brokers and Vault 7 dumps contain a wealth of knowledge for attackers and defenders alike.  While the leaking of these documents and tools was illegal (and highly damaging to US interests), your analysis of the dumps as a CTI analyst will not exacerbate that damage.  What it will do is increase your understanding of the capabilities that attackers are repurposing, as we write this, to target your networks.  Analysis of the dumps also gives you insight into how APT groups think, develop, and operate. The information from these dumps can be extrapolated to the groups that are likely targeting your network.

At Rendition Infosec, we put our customers first.  We have put many hours into analyzing the data contained in the dumps and will continue to do so if and when more data is released.  Doing so can only increase the security of our customers by protecting them from attacks that they will surely face.