The cybersecurity industry has defined the term “attribution” of threat actors to refer to the identification of the specific actor or group of actors responsible for an attack. For many victims, “attribution” as defined by the industry is unnecessary; understanding the ‘what’ and ‘how’ and returning to business as usual are much more important than knowing the ‘who’ behind the attack.
At Nisos, we define ‘attribution’ as a broader set of investigative actions in response to an incident. Attribution exercises illuminate context behind an attack, answering the ‘what’ and ‘how’ questions and also important details such as where the attack fits in the overall threat landscape, assessments on the motivations of the actors, infrastructure used and patterns observed.
As more advanced security teams know, arming defenses with specific intelligence that makes it harder for threat actors to conduct an attack is a critical component of preventing incidents in the first place. This type of proactive defense requires context about attackers, TTPs and trends so that defenders can take preventative action.
Over the course of hundreds of attribution investigations, Nisos analysts have observed three general operational security lapses attackers make that can lead to quick attribution wins and can help answer the “how” and the “why” behind an attack, even at the APT level.
Regardless of sophistication, attackers take steps to hide their true point of presence on the internet. To carry out an operation, however, they must repeat this process dozens of times or more as they prepare for, execute, and profit from an attack, and every repetition is an opportunity to make a mistake.
- Forgetting to enable private registration when procuring domains to support an attack
- Failing to properly encrypt their traffic
- Forgetting to properly enable a VPN or proxy prior to connecting to their command and control infrastructure
- Failing to remove PII from Exchangeable Image File Format (EXIF) data (the metadata standard that digital cameras, scanners and similar systems embed in the image and sound files they record) before posting pictures of their crimes to third-party file sharing sites or pastebin websites
Securely obtaining infrastructure is both hard and expensive. For financially motivated attackers, re-using elements of their infrastructure increases their profits. Even APT groups with effectively unlimited time and resources make mistakes segmenting code between the different stages of computer network exploitation. For defenders, finding these overlaps is a key element not only of attribution but of threat prevention.
- Re-using certificates across attacks
- Repeating specific language or other stylometric indicators between persona accounts and true-name accounts
- Deploying the same content across different spearphish attacks or disinformation websites
- Re-using imagery across various attacks or disinformation campaigns
- Recycling usernames and email addresses to register malicious domains
- Recycling usernames and email addresses to subscribe to third-party file servers or virtual private servers
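The two lists above (hiding a point of presence, and re-using infrastructure) come together in the analyst's pivot: a registrant e-mail, registrant name or TLS certificate seen on more than one domain links those domains into one cluster. The script below is an added example, not Nisos tooling; the records, their field names (`domain`, `registrant_email`, `registrant_name`, `cert_sha256`) and all values are constructed for the example rather than taken from any real WHOIS or certificate-transparency API. It uses union-find so that a domain linked by e-mail to one domain and by certificate to another ends up in a single cluster, and it deliberately skips placeholder values such as "REDACTED FOR PRIVACY", which would otherwise merge every privately registered domain into one meaningless group.

```python
"""Cluster domains by shared registration and certificate artifacts.

Added example (not Nisos code). All records and field names are constructed.
"""
from collections import defaultdict

# Fields on which two domains may be pivoted together.
PIVOT_FIELDS = ("registrant_email", "registrant_name", "cert_sha256")

# Values that look like pivots but are shared by unrelated registrants.
# Linking on these would collapse the whole data set into one cluster.
NOISE_VALUES = {"", None, "REDACTED FOR PRIVACY", "redacted", "n/a"}

# Constructed sample records (hypothetical domains and fingerprints).
SAMPLE_RECORDS = [
    {"domain": "update-portal.test", "registrant_email": "persona1@example.invalid",
     "registrant_name": "REDACTED FOR PRIVACY", "cert_sha256": "c0ffee01"},
    {"domain": "secure-login.test", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_name": "REDACTED FOR PRIVACY", "cert_sha256": "c0ffee01"},  # shares cert
    {"domain": "mail-check.test", "registrant_email": "persona1@example.invalid",
     "registrant_name": "REDACTED FOR PRIVACY", "cert_sha256": "c0ffee02"},  # shares email
    {"domain": "unrelated-shop.test", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_name": "REDACTED FOR PRIVACY", "cert_sha256": "c0ffee03"},  # only noise
    {"domain": "news-mirror.test", "registrant_email": "truename@example.invalid",
     "registrant_name": "Jane Example", "cert_sha256": "beef0002"},
    {"domain": "persona-blog.test", "registrant_email": "persona2@example.invalid",
     "registrant_name": "Jane Example", "cert_sha256": "beef0003"},  # shares true name
]


def cluster_infrastructure(records, pivot_fields=PIVOT_FIELDS, noise=NOISE_VALUES):
    """Return [(frozenset_of_domains, [shared 'field=value' artifacts]), ...],
    largest cluster first. Domains sharing any non-noise pivot value are merged."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index every (field, value) pair to the domains it was observed on.
    index = defaultdict(set)
    for r in records:
        for field in pivot_fields:
            value = r.get(field)
            if value in noise:
                continue
            index[(field, value)].add(r["domain"])

    # Only values seen on two or more domains are real links.
    links = {key: doms for key, doms in index.items() if len(doms) >= 2}
    for doms in links.values():
        first = next(iter(doms))
        for d in doms:
            union(first, d)

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)

    result = []
    for members in clusters.values():
        shared = sorted(f"{f}={v}" for (f, v), doms in links.items() if doms <= members)
        result.append((frozenset(members), shared))
    result.sort(key=lambda c: (-len(c[0]), sorted(c[0])))
    return result


if __name__ == "__main__":
    for members, shared in cluster_infrastructure(SAMPLE_RECORDS):
        print(sorted(members), "linked by:", shared or "nothing (singleton)")
```

Run as written, the sample yields three clusters: the three domains tied together by a shared certificate and a shared registrant e-mail, the two domains whose persona and true-name registrations share a registrant name, and the unrelated shop on its own. Passing `noise=set()` shows why the filter matters: the redacted placeholder then drags the unrelated shop into the first cluster.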
Ultimately, behind every attack is a human, and many threat actors have big egos. In addition to needing to monetize their operations through ransomware, selling stolen data, or disseminating disinformation, some actors like the thrill of a victory but make mistakes that show their hand. In these instances, when ego has taken over, attackers feel as if they have already won and can be caught with their guard down.
- Posting online to promote themselves and their attacks using photographs that include PII or identifiable geographic landmarks in the background
- Engaging directly with a victim, getting drawn into a boastful “blackhat” or “greyhat” conversation, and revealing specific TTPs to “prove” they conducted the attack
- Interacting with peers in online forums to show off their skills, giving away TTPs in the process
- Failing to use the same security protocols to talk about their attacks online as they did when they actually carried out the attacks
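When an actor boasts on forums or to a victim, the writing itself becomes an artifact, and the stylometric overlap between persona and true-name accounts mentioned in the infrastructure list above is one way analysts connect the two. The script below is an added example, not Nisos code: it builds character-trigram profiles for a handful of constructed posts from three hypothetical accounts, ranks which account writes most like a given persona by cosine similarity, and separately lists the idiosyncratic tokens two accounts share that do not appear in a background account. Both the account names and every post are constructed for the example; on real material a similarity score is a lead to corroborate against other artifacts, not a conclusion in itself.

```python
"""Stylometric overlap between accounts using character n-grams.

Added example (not Nisos code). Account names and posts are constructed.
"""
import math
import re
from collections import Counter

# Constructed posts for three hypothetical accounts.
SAMPLE_POSTS = {
    "truename_account": [
        "tbh the new patch is trash... gg ez for anyone who already had access lol",
        "ppl keep asking me abt the writeup... wait for it lol, tbh it's not even hard",
        "gg ez. ur config was wide open tbh... lol",
    ],
    "persona_account": [
        "tbh their admin panel was wide open... gg ez lol",
        "ppl asking how we got in... wait for the writeup lol",
        "ur backups were on the same box tbh... gg ez",
    ],
    "unrelated_account": [
        "I have published a detailed analysis of the incident on the blog.",
        "Please see the attached report for the full timeline and recommendations.",
        "The patch has been tested in staging and will be deployed tomorrow.",
    ],
}

TOKEN_RE = re.compile(r"\.\.\.|[a-z']+")  # keep '...' as its own token


def char_ngrams(text, n=3):
    """Counter of lower-cased character n-grams with whitespace collapsed."""
    t = re.sub(r"\s+", " ", text.lower())
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def profile(posts, n=3):
    """Aggregate n-gram counts over all posts of one account."""
    total = Counter()
    for post in posts:
        total.update(char_ngrams(post, n))
    return total


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_matches(accounts, target):
    """(score, account) pairs for every other account, most similar first."""
    tp = profile(accounts[target])
    scores = [(cosine(tp, profile(posts)), name)
              for name, posts in accounts.items() if name != target]
    return sorted(scores, reverse=True)


def tokens(posts):
    return set(tok for post in posts for tok in TOKEN_RE.findall(post.lower()))


def shared_idiosyncrasies(a_posts, b_posts, background_posts):
    """Tokens both accounts use that the background account never uses."""
    return (tokens(a_posts) & tokens(b_posts)) - tokens(background_posts)


if __name__ == "__main__":
    for score, name in rank_matches(SAMPLE_POSTS, "persona_account"):
        print(f"{name}: {score:.2f}")
    print(sorted(shared_idiosyncrasies(SAMPLE_POSTS["persona_account"],
                                       SAMPLE_POSTS["truename_account"],
                                       SAMPLE_POSTS["unrelated_account"])))
```

The trigram cosine captures habits such as ellipses, abbreviations and sign-off phrases without any hand-written rule set, while the token intersection gives the analyst a readable list of the specific quirks that drove the score. Common words that the background account also uses drop out of that list, so what remains is the kind of evidence that can be checked against registration data, certificates and other artifacts before anything is concluded.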