
Three Things to Look For to Identify Context Around an Attack Quicker

May 29, 2020 2:36:17 PM

The cybersecurity industry uses the term “attribution” to mean identifying the specific actor or group of actors responsible for an attack. For many victims, attribution in that narrow sense is unnecessary: understanding the ‘what’ and ‘how’ and returning to business as usual matter far more than knowing the ‘who’ behind the attack.

At Nisos, we define ‘attribution’ as a broader set of investigative actions taken in response to an incident. Attribution exercises illuminate the context behind an attack: they answer the ‘what’ and ‘how’ questions and also establish where the attack fits in the overall threat landscape, assessments of the actors' motivations, the infrastructure used and the patterns observed.

As more advanced security teams know, arming defenses with specific intelligence that makes it harder for threat actors to conduct an attack is a critical component of preventing incidents in the first place. This kind of proactive defense requires context about attackers, their TTPs and trends so that defenders can take preventative action.

Over the course of hundreds of attribution investigations, Nisos analysts have observed three general operational security lapses attackers make that can lead to quick attribution wins and can help answer the “how” and the “why” behind an attack, even at the APT level.

Obfuscation Errors

Regardless of sophistication level, attackers take steps to hide their true point of presence on the internet. To carry an operation through, however, they must repeat that process dozens of times or more while preparing for, carrying out, and profiting from an attack, and every repetition is an opportunity to make a mistake.

Examples include:

  • Forgetting to enable private registration when procuring domains to support an attack
  • Failing to properly encrypt their traffic
  • Forgetting to properly enable a VPN or proxy prior to connecting to their command and control infrastructure
  • Failing to strip PII from EXIF (exchangeable image file format) metadata, the tag structure that digital cameras, phones, scanners and image-editing software embed in image and audio files, before posting pictures of their crimes to third-party file sharing or pastebin sites
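The last lapse is worth seeing concretely. The script below is an added example, not code from the original post or from Nisos: it constructs a minimal Exif APP1 segment carrying the fields an attacker typically forgets to strip (camera make and model, editing software, an Artist handle and GPS coordinates), then parses it the way an analyst's tooling would. The tag numbers come from the Exif/TIFF specification; every value is made up, and only little-endian TIFF is handled. In a real investigation you would point exiftool at the file; the point is how little work recovering these fields takes.

```python
"""Added example: build a constructed Exif APP1 segment and pull identifying fields out of it.
Tag numbers are from the Exif/TIFF specification; all values below are invented."""
import struct

ASCII, LONG, RATIONAL = 2, 4, 5          # TIFF field types used in this example
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}
TAGS_IFD0 = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x013B: "Artist", 0x8298: "Copyright", 0x8825: "GPSInfoIFD"}
TAGS_GPS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def build_ifd(entries, ifd_offset):
    """Serialise one little-endian IFD placed at ifd_offset in the TIFF blob.
    entries: (tag, type, payload bytes) with tags ascending. Payloads over 4 bytes
    go in a data area after the IFD and the entry stores their offset."""
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    body, extra = b"", b""
    for tag, typ, payload in entries:
        count = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            body += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:
            body += struct.pack("<HHII", tag, typ, count, data_offset + len(extra))
            extra += payload
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + extra


def rational(num, den):
    return struct.pack("<II", num, den)


def build_app1():
    """Constructed JPEG APP1 (Exif) segment: camera, editing tool, an Artist handle
    and GPS coordinates, i.e. exactly the fields an attacker forgets to strip."""
    gps_entries = [
        (0x0001, ASCII, b"N\0"),
        (0x0002, RATIONAL, rational(55, 1) + rational(45, 1) + rational(2040, 100)),
        (0x0003, ASCII, b"E\0"),
        (0x0004, RATIONAL, rational(37, 1) + rational(37, 1) + rational(1680, 100)),
    ]
    ifd0_entries = [
        (0x010F, ASCII, b"Examplecam\0"),
        (0x0110, ASCII, b"X-1\0"),
        (0x0131, ASCII, b"editor 9.0\0"),
        (0x013B, ASCII, b"j.doe\0"),
        (0x8825, LONG, struct.pack("<I", 0)),   # GPS IFD pointer, patched below
    ]
    ifd0 = build_ifd(ifd0_entries, 8)            # IFD0 follows the 8-byte TIFF header
    gps_offset = 8 + len(ifd0)                   # GPS IFD goes right after IFD0 and its data
    ifd0_entries[-1] = (0x8825, LONG, struct.pack("<I", gps_offset))
    tiff = (b"II" + struct.pack("<HI", 42, 8) + build_ifd(ifd0_entries, 8)
            + build_ifd(gps_entries, gps_offset))
    payload = b"Exif\0\0" + tiff
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload


def read_ifd(tiff, offset, names):
    """Decode the IFD at offset into {name: value} for the tags listed in names."""
    count, = struct.unpack_from("<H", tiff, offset)
    out = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n, val = struct.unpack_from("<HHII", tiff, entry)
        if tag not in names or typ not in TYPE_SIZE:
            continue
        size = TYPE_SIZE[typ] * n
        raw = tiff[entry + 8:entry + 8 + size] if size <= 4 else tiff[val:val + size]
        if typ == ASCII:
            out[names[tag]] = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == RATIONAL:
            out[names[tag]] = [a / b for a, b in struct.iter_unpack("<II", raw)]
        else:                                    # LONG: the value sits inline
            out[names[tag]] = val
    return out


def dms_to_decimal(dms, ref):
    deg, minutes, sec = dms
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def extract_pii(app1):
    """Return the attribution-relevant fields from an Exif APP1 segment (little-endian only)."""
    if app1[:2] != b"\xff\xe1" or app1[4:10] != b"Exif\0\0":
        raise ValueError("not an Exif APP1 segment")
    tiff = app1[10:]
    if tiff[:2] != b"II":
        raise ValueError("big-endian Exif not handled in this example")
    ifd0_offset, = struct.unpack_from("<I", tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_offset, TAGS_IFD0)
    findings = {k: v for k, v in ifd0.items() if k != "GPSInfoIFD"}
    if "GPSInfoIFD" in ifd0:
        gps = read_ifd(tiff, ifd0["GPSInfoIFD"], TAGS_GPS)
        findings["latitude"] = dms_to_decimal(gps["GPSLatitude"], gps["GPSLatitudeRef"])
        findings["longitude"] = dms_to_decimal(gps["GPSLongitude"], gps["GPSLongitudeRef"])
    return findings


if __name__ == "__main__":
    for field, value in extract_pii(build_app1()).items():
        print(f"{field:10} {value}")
```

The defensive-side lesson is the mirror image: any image that leaves your own organization should go through the same stripping step an attacker neglects.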

Infrastructure Re-use

Securely obtaining infrastructure is both hard and expensive. For most financially motivated attackers, re-using elements of their infrastructure increases profit. Even APT groups with substantial time and resources make mistakes segmenting their infrastructure and tooling between the different stages of computer network exploitation. For defenders, finding these overlaps is key not only to attribution but to threat prevention.

Examples include:


Ultimately, behind every attack is a human, and many threat actors have big egos. Beyond needing to monetize their operations through ransomware, selling stolen data, or disseminating disinformation, some actors enjoy the thrill of a victory and make mistakes that show their hand. When ego takes over, attackers feel they have already won and can be caught with their guard down.

Examples include:
