As intrusions continue, security requirements grow more stringent and defensive products grow ever more capable. Despite this, security incidents keep occurring, and even corporations with mature cyber defenses are no exception.
The Pyramid of Pain, a widely cited model in the defender community, holds that the most effective defense is to understand and deny the attacker's tactics, techniques, and procedures (TTPs) in advance, because TTPs are the indicator type that costs the attacker the most to change. Good security raises the attacker's cost.
Figure: The Pyramid of Pain (David J. Bianco)
Defenses built on indicators of compromise (IOCs), the artifacts observed on a network or in an operating system that indicate an intrusion, remain useful. However, the low-level indicators at the base of the pyramid (hash values, IP addresses, domain names) are tied to attack infrastructure that attackers can acquire and discard cheaply.
This is not the case for TTPs. Attackers cannot easily acquire or discard them. An attacker who has chosen a target invests a great deal of time learning and rehearsing TTPs in order to neutralize that target's defenses, and once acquired, those TTPs are reused: other environments in which they still work become the next targets.
An attacker's TTPs are always tied to the characteristics of the defended environment. The defender must therefore understand that environment accurately and view the flow of an attack in terms of tactics and strategy rather than isolated patterns or individual techniques. The attacker's TTPs and the defender's environment are two sides of the same coin.
A defender who understands TTPs should be able to answer two questions: are the attacker's TTPs valid in the defender's environment, and if so, which defensive tactic neutralizes them?
The Korea Internet & Security Agency (KISA) identifies attackers' TTPs through incident response, organizes the findings and countermeasures according to the MITRE ATT&CK® framework, and distributes them. The artifacts related to each TTP in this report are ancillary material intended only to aid understanding of the TTPs themselves.
Gwisin is a ransomware family that announces infection to its victims with the phrase "You have been visited by GWISIN." Unlike other ransomware incidents, the attackers understand the business of each corporate victim very well and are proficient with solutions widely used in Korea. They name Korean investigative agencies and refer to the Korean certification scheme for personal information and information security management (ISMS-P) in order to delay and disrupt incident analysis. The attackers appear to be well acquainted with the Korean security market.