SAN FRANCISCO – We’ve covered a good deal of what is and what isn’t threat intelligence this week from the show floor at the RSA Conference. So for today’s second post, we'll focus on a threat advisory from Solutionary, which warns of a planned operation against the finance sector by Anonymous called OpIcarus.
Solutionary offers a targeted threat intelligence service, but they're also known for their MSSP operations. It’s a useful space to be in, because smaller organizations don’t have the budget or the staffing to manage security on their own – so outsourcing the SOC can make sense at times.
The Solutionary threat advisory that was sent to Salted Hash centers on OpIcarus, an ongoing operation by the loosely associated collective Anonymous. Those supporting the operation have broadcast their intent on social media and elsewhere for quite some time.
The advisory centers on a campaign announced on January 30, and it was supposed to have kicked off on February 8. Salted Hash reached out to Solutionary to inquire if this was a typical example of the email alerts and advisories issued to customers.
A spokesperson confirmed, stating, "Yes, this is indeed the type of notification clients receive when Solutionary identifies an emerging threat. And to be clear, this is a for-pay extension of services and not an email blast to all clients."
From the advisory:
"On January 30, 2016, Anonymous launched a WordPress site with the statement SHUT DOWN THE BANKS #OpIcarus on the home page. This operation indicates multiple Distributed Denial-of-Service (DDoS) attacks may be launched against several organizations in the financial sector.
"Information collected during analysis indicates activities related to this threat could occur Monday, February 8, 2016. Examples of the financial institutions shown on the website are listed below; however, the Solutionary SERT believes that because of the call to arms, any company in the financial industry may be a potential target."
To their credit, Solutionary isn’t saying the sky is about to fall. At the head of their advisory they clearly state that receiving the notification doesn't imply the customer will be targeted, but rather, "prompts you to review your current environment and take mitigation steps if necessary."
The primary potential impact of OpIcarus is DDoS, but Solutionary also lists other types of attack.
From the advisory:
"DDoS attacks are a malicious attempt to bring down networks, web-based applications or services by overwhelming these resources with too much data or impairing them in some other way. Results could be, but are not limited to: revenue loss, theft and productivity loss.
"DDoS attacks often masquerade or hide other attacks, so remaining vigilant concerning other attack vectors is imperative. Other attack vectors to consider include network attacks, application attacks, as well as social engineering and phishing."
The advisory goes on to name some of the suggested targets, which include the Bank of England, New York Stock Exchange, Capital One, Bank of America, Chase, and so on. While the campaign might not happen as planned or scheduled, the advisory adds, there is some credibility to the threat.
The entire advisory has been reproduced in the image attached to this story.
Again, the theme this week has been threat intelligence, and the main point that has been stressed is that threat intelligence should have context and enable action or change. Raw data or alerts presented without context or analysis aren't actionable intelligence.
The information in the advisory on OpIcarus is OSINT – Open Source Intelligence.
OSINT is a valuable source of information, because it can be paired with other types of intelligence and leveraged to provide context. But OSINT on its own is just one small piece of the larger picture, and by itself it doesn't enable much action or change.
While verifying the advisory, it became clear that Solutionary was missing other OSINT elements connected to OpIcarus; there were several gaps. Either that, or they trimmed the advisory down and left out elements assumed to be common knowledge to the customer.
For example, the Solutionary advisory lists nine financial institutions as selected targets, but OpIcarus actually planned raids on more than fifty of them.
On February 8, the day the campaign was set to launch, Radware posted their own threat advisory on OpIcarus, similar to the one issued by Solutionary. In their version of the OpIcarus advisory, Radware named all possible targets, as well as the connection between them, namely the Bank for International Settlements (BIS).
Radware also identifies the tool to be used by those supporting the campaign, LOIC (Low Orbit Ion Cannon). LOIC floods a target with TCP, UDP or HTTP requests from ordinary sockets and makes no attempt to hide the participant's source address, so the resulting traffic is easily identified and can be filtered or rate-limited with minimal effort. Solutionary did not mention this.
Neither advisory mentioned the circulated network maps that were shared between OpIcarus supporters. These maps contained IP addresses and other details designed to help those taking part target the correct areas of a given bank's infrastructure. Some of the data was bad, but most of it was legitimate, including the load balancer details at NASDAQ.
Likewise, neither of the advisories identified CyberGhost as the promoted means of VPN or Proxy access to be used by the operation's participants. Doing so might have helped administrators filter the CyberGhost network entirely, preventing many of the most basic LOIC attacks.
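To make the two defensive points above concrete, here is an added example of the kind of triage a bank's SOC could have run against its web access logs: it finds source addresses whose request rate in any short window looks like a LOIC-style flood, then tags any of those sources that fall inside a known VPN/proxy egress block list. This is illustrative code written for this article, not from either vendor's advisory or from any tool named on the page; the log lines and the CIDR ranges are constructed (the ranges are documentation addresses and are not CyberGhost's real egress networks, which would have to come from the provider or from OSINT), and the window and threshold values are assumptions to be tuned per site.

```python
"""Rate-based flood triage over Common Log Format access logs, with an
egress-network (VPN/proxy) block list.  Added example; not from the
advisory or from any vendor tool.  All data below is constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed block list: documentation ranges standing in for a VPN
# provider's published egress networks.  NOT real CyberGhost ranges.
VPN_EGRESS_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")]

# CLF: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def in_vpn_egress(ip):
    """True if ip lies inside any block-listed egress network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in VPN_EGRESS_CIDRS)


def find_flooders(lines, window_seconds=10, threshold=50):
    """Return {ip: peak} for every source whose request count inside some
    window_seconds-wide sliding window reaches threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    flooders = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooders[ip] = peak
    return flooders


def triage(lines, window_seconds=10, threshold=50):
    """Flooders annotated with whether they arrive via a block-listed egress."""
    return {ip: {"peak": n, "vpn_egress": in_vpn_egress(ip)}
            for ip, n in find_flooders(lines, window_seconds, threshold).items()}


def _constructed_lines(ip, count, first_second, spacing_s):
    """Build `count` constructed CLF lines from `ip`, starting 2016-02-08
    09:00:00 UTC + first_second and spaced spacing_s seconds apart."""
    t0 = datetime(2016, 2, 8, 9, 0, 0, tzinfo=timezone.utc)
    out = []
    for i in range(count):
        t = t0 + timedelta(seconds=first_second + i * spacing_s)
        out.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.0" 200 1843')
    return out


# Constructed sample log: one flood from a block-listed egress address, one
# flood from an ordinary address, and one benign browser-paced client.
SAMPLE_LOG = (
    _constructed_lines("198.51.100.23", 80, 0, 0.05)   # 80 hits in 4 s, VPN egress
    + _constructed_lines("192.0.2.77", 60, 2, 0.1)     # 60 hits in 6 s, not VPN
    + _constructed_lines("192.0.2.10", 5, 0, 30)       # 5 hits over 2.5 min
    + ["not a log line at all"]                        # malformed, must be skipped
)

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} peak={info['peak']:4d}/10s  vpn_egress={info['vpn_egress']}")
```

The sliding window rather than a per-minute bucket matters: a LOIC client produces a sustained burst, and a bucket boundary can split one burst into two counts that each sit under the threshold. The block-list tag is the actionable bit for the OpIcarus case: a rate-limited source that is also inside a promoted VPN's egress range can be dropped outright, while an ordinary address that trips the threshold deserves a second look before it is blocked.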
The point isn't to compare and contrast here; it isn't about which advisory is better. The point is that OSINT only gives part of the picture, and without context, analysis, and additional data points, OSINT alone isn't threat intelligence. Two vendors issued similar reports, and while there was some overlap, they were not identical despite working from the same basic source materials.
And yet, advisories like this do have some value. On the off chance a security team isn't paying attention to protests that name their organization, alerts like these help get the ball rolling.
As it turns out, OpIcarus didn't even rate a blip on the radar. Those promoting and supporting the operation were quite vocal, but when the day came to act, none of the banks reported any major outages or problems processing transactions. That isn't surprising either. Just because a cause is championed by Anonymous doesn't mean it will hit Operation Payback levels of success and attention.
Searching the #OpIcarus hashtag on Twitter will show plenty of accounts promoting it, but very little about actual successes. As anyone who has ever followed an Anonymous operation knows, when they're successful, they'll shout it from the rooftops.
So the lack of bragging is telling.