BLOG

Three Things to Look for to Identify Context Around an Attack Quicker

by | May 29, 2020 | Blog, Outside Intel

The cybersecurity industry has defined the term “attribution” of threat actors to refer to the identification of the specific actor or group of actors responsible for an attack. For many victims, “attribution” as defined by the industry is unnecessary; understanding the ‘what’ and ‘how’ and returning to business as usual are much more important than knowing the ‘who’ behind the attack.

At Nisos, we define ‘attribution’ as a broader set of investigative actions in response to an incident. Attribution exercises illuminate context behind an attack, answering the ‘what’ and ‘how’ questions and also important details such as where the attack fits in the overall threat landscape, assessments on the motivations of the actors, infrastructure used and patterns observed.

As more advanced security teams know, arming defenses with specific intelligence that makes it harder for threat actors to conduct an attack is a critical component to prevent incidents in the first place.. This type of proactive defense requires context about attackers, TTPs and trends in order to enable defenders to take preventative action.

Over the course of hundreds of attribution investigations, Nisos analysts have observed three general operational security lapses attackers make that can lead to quick attribution wins and can help answer the “how” and the “why” behind an attack, even at the APT level.

Obfuscation Errors

Regardless of sophistication level, attackers will attempt to take steps to hide their true point of presence on the internet. To successfully execute, however, they will likely repeat this process dozens or more times to prepare for, carry out, and profit from an attack, which leads to opportunities to make mistakes.

Examples include:

  • Forgetting to enable private registration when procuring domains to support an attack
  • Failing to properly encrypt their traffic
  • Forgetting to properly enable a VPN or proxy prior to connecting to their command and control infrastructure
  • Failing to remove PII from exchangeable image file format (exif) data – a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras, scanners and other systems handling image and sound files recorded by digital cameras – before posting pictures of their crimes to third-party file sharing sites or pastebin websites

Infrastructure Re-use

Securely obtaining infrastructure is both hard and expensive. For most attackers that are financially motivated, if they can re-use elements of their infrastructure, they can increase their profits. Even APT groups who have unlimited time and resources make mistakes implementing appropriate code segmentation between different stages of computer network exploitation. For defenders, finding these overlaps is a key element not only for attribution, but for threat prevention.

Examples include:

  • Re-using certificates across attacks
  • Repeating specific language or other stylometric indicators between persona accounts and true-name accounts
  • Deploying the same content across different spearphish attacks or disinformation websites
  • Re-using imagery across various attacks or disinformation campaigns
  • Recycling usernames and email addresses to register malicious domains
  • Recycling usernames and email addresses to subscribe to third-party file servers or virtual private servers

Ego

Ultimately behind every attack is a human, and many threat actors have big egos. In addition to needing to monetize their operations through ransomware, selling stolen data, or disseminating disinformation, some actors like the thrill of a victory but make mistakes that show their hand. In these instances when ego has taken over, attackers feel like they have already won and can be caught with their guard down.

Examples include:

  • Posting online to promote themselves and their attacks using photographs that include PII or identifiable geographic landmarks in the background
  • Engaging directly with a victim, getting drawn into a boastful “blackhat” or “greyhat” conversation, and revealing specific TTPs to “prove” they conducted the attack
  • Interacting with peers in online forums to show off their skills, giving away TTPs in the process
  • Failing to use the same security protocols to talk about their attacks online as they did when they actually carried out the attacks
Adversary Research
Discovering the methods, motives and identity of threat actors to disrupt attacks 
Reputation Defense
Technical guidance for countering disinformation and slanderous attacks 
Trust & Safety
Intelligence to secure business operations and defend against fraud, abuse and e-crime 
TPRM Exposure
Adversary-centric intelligence to address supplier, M&A and investment risks 
Outside Intel
Research for defending outside the firewall that leverages tier 3 intelligence programs 
Executive Shield
Assessment of threats to key personnel with attribution and PII takedown  
Adversary Insights℠ Retainer
Annual retainers for client-driven inquiries and rapid-response research 
Intelligence Team as a Service
Collaborative engagement providing robust intelligence and tier 3 cyber analysts  
Event-Driven Intel Investigations
Multidimensional security fact-finding that delivers insights into adversary behavior 
On Demand Threat Research
Proactive and preventative investigations that reveal threat actor context and risk correlations 
Investment Zero Touch Diligence℠
Project-based discovery to assess risk for investments, IPO, Mergers and Acquisitions 
TPRM Zero Touch Diligence℠
Subscription assessment of external network hygiene, key personnel, and non-traditional business risks