Reverse Deception: Organized Cyber Threat Counter-Exploitation
Authors: Sean Bodmer
Victimology
Victimology is the study of the victim in an incident or attack. This generally includes the relationships between the victims and the inferred offenders. In the cyber world, this science also includes the analysis of the victims and the nature of the information that was stored on the victim’s system or was specifically targeted. One of the most significant components is the victims themselves. What type of organization was attacked or infiltrated, and what functions or roles does this organization play in the world? Has this location been targeted once, or has there been a recurrence of attacks targeting this location of the enterprise or organization (a history or hot spot)? The target may be sensitive government information, trade secrets, sensitive corporate projects, financial records—the list just goes on. This is why analyzing the victims of the attack from a measurable and scientific perspective is highly important.
| Score | Victim |
|---|---|
| 1 | The system of a low-level employee |
| 2 | The system of a low-level manager |
| 3 | The system of a network administrator |
| 4 | The forward-facing systems of your organization (DMZ, boundary, web application servers) |
| 5 | The system of an administrative assistant who generally e-mails, scans, prints, and coordinates leadership information |
| 6 | The DNS servers of your organization |
| 7 | The mail servers of your organization |
| 8 | The primary file or database servers of your organization |
| 9 | The systems of your organization’s security team |
| 10 | The systems of C-level executives, core stakeholders, or organization leadership |
Risk Tolerance
When analyzing an incident, another important observable that needs to be weighed is how much effort the offender, threat, or adversary put into not getting caught. Did the attacker not even take time to alter the victim system’s logs, not caring if information was recorded about these actions?
This component of an intrusion will sometimes also indicate the aptitude of attackers and infer their motives and intent. If the attackers have a high risk tolerance, then they do not care as much about being detected and move throughout your network with the feeling of impunity. If the attackers have a low risk tolerance, then they do not want to get caught, and want to maintain the persistent remote connection or control of your organization’s enterprise. At its core, risk tolerance is the analysis of the offenders’ decision to commit a crime or continue committing a crime with the risk of being detected, and their threshold for detection versus completing their objectives.
Our understanding of the “why” behind an intrusion can also be weighted by using risk tolerance. The decision process behind an intrusion can be derived in multiple ways. The attacker is under duress, following orders, or driven by some other motivation. This will be discussed in more detail in Chapter 10.
Keep in mind that in the world of espionage, deception, and disinformation, things are not always what they seem. Sometimes the level of risk tolerance is not what it seems. This is why you need to look at all of the observables surrounding the detection of the threat. Using the information gained from across your enterprise to be able to detect and analyze the attacker is a powerful tool. However, you don’t know what you don’t know until you perform a thorough investigation on all of the data points.
| Score | Observed tampering with the victim system |
|---|---|
| 1 | No logs were altered |
| 2 | Login/access logs were altered |
| 3 | Connection logs and times were altered |
| 4 | Entire system logs were wiped (surrounding the attacker’s interaction periods) |
| 5 | Entire system logs were corrupted |
| 6 | Operating system security services were disabled |
| 7 | Specific security applications were disabled |
| 8 | Specific applications were corrupted |
| 9 | Operating system was corrupted |
| 10 | Entire system was wiped clean (corrupted and/or permanently disabled) |
Timeliness
The timeliness aspect of an intrusion reflects how much understanding your attackers have of your infrastructure and your organization. The following are the kinds of questions you need to be asking when you are analyzing an intrusion:
How much time have they been able to spend learning about the individuals, operations, locations, functionalities, and types of secrets within your network?
How much time did they spend exfiltrating data from your enterprise?
How quickly did they go through each system?
How well did they know where to look for the exact information they were seeking?
Was data taken during specific hours?
How often did the threat or adversary remotely connect to your network?
Is there a pattern to the connection times? Does it seem the times were associated in a pattern similar to a common workday?
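The last three questions (how often the adversary connected, whether the data left during specific hours, and whether the connection times look like a workday) can be answered mechanically once remote-access records are pulled together. The script below is an added example written for this page, not code from the book; it assumes a simple remote-access log format and uses a constructed set of login/logout events for one account. It pairs logins with logouts, then reports dwell time, session length, the hour-of-day distribution of logins, and the share of sessions that fall on weekdays inside a configurable business-hours window, which is what you would compare against a normal working pattern.

```python
"""Timeliness profile of an intruder's remote connections (added example)."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of remote-access events for one account from one source.
# The line format is an assumption made for this example, not a real product's log:
#   "<ISO-8601 UTC timestamp> <LOGIN|LOGOUT> user=<account> src=<ip>"
SAMPLE_LOG = """\
2012-03-05T08:55:10Z LOGIN user=svc_backup src=203.0.113.45
2012-03-05T12:10:02Z LOGOUT user=svc_backup src=203.0.113.45
2012-03-06T09:02:44Z LOGIN user=svc_backup src=203.0.113.45
2012-03-06T11:48:30Z LOGOUT user=svc_backup src=203.0.113.45
2012-03-07T08:59:01Z LOGIN user=svc_backup src=203.0.113.45
2012-03-07T13:20:15Z LOGOUT user=svc_backup src=203.0.113.45
2012-03-08T09:05:37Z LOGIN user=svc_backup src=203.0.113.45
2012-03-08T10:30:00Z LOGOUT user=svc_backup src=203.0.113.45
2012-03-09T08:50:12Z LOGIN user=svc_backup src=203.0.113.45
2012-03-09T12:00:45Z LOGOUT user=svc_backup src=203.0.113.45
2012-03-10T02:15:00Z LOGIN user=svc_backup src=203.0.113.45
2012-03-10T02:40:00Z LOGOUT user=svc_backup src=203.0.113.45
2012-03-12T09:00:00Z LOGIN user=svc_backup src=203.0.113.45
2012-03-12T11:15:20Z LOGOUT user=svc_backup src=203.0.113.45
"""


def parse_log(text):
    """Parse log lines into (timestamp, event, user, src) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, user_kv, src_kv = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, event, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return sorted(records, key=lambda rec: rec[0])


def build_sessions(records):
    """Pair each LOGIN with the next LOGOUT of the same account and source IP.

    A LOGIN with no later LOGOUT (connection still open, or the logout line
    was lost or wiped) is left unpaired rather than guessed at.
    """
    open_logins = {}
    sessions = []
    for when, event, user, src in records:
        key = (user, src)
        if event == "LOGIN":
            open_logins[key] = when
        elif event == "LOGOUT" and key in open_logins:
            sessions.append((open_logins.pop(key), when))
    return sessions


def timeliness_profile(sessions, business_hours=(8, 18)):
    """Summarise when, how often and for how long the intruder was connected.

    business_hours is the [start, end) hour window treated as a working day;
    the sample is in UTC, so shift it to the time zone you suspect the
    operator works in before drawing conclusions.
    """
    if not sessions:
        return {"sessions": 0}
    starts = [start for start, _ in sessions]
    durations_min = [(end - start).total_seconds() / 60 for start, end in sessions]
    n = len(sessions)
    weekday_fraction = round(sum(1 for s in starts if s.weekday() < 5) / n, 2)
    business_fraction = round(
        sum(1 for s in starts if business_hours[0] <= s.hour < business_hours[1]) / n, 2
    )
    first_seen = min(starts)
    last_seen = max(end for _, end in sessions)
    return {
        "sessions": n,
        "first_seen": first_seen,
        "last_seen": last_seen,
        # Span between first observed login and last observed logout.
        "dwell_days": round((last_seen - first_seen).total_seconds() / 86400, 1),
        "mean_session_minutes": round(sum(durations_min) / n, 1),
        "login_hours": Counter(s.hour for s in starts),
        "weekday_fraction": weekday_fraction,
        "business_hours_fraction": business_fraction,
        # Both fractions high: connections cluster like a shift, which points to an
        # operator keeping set hours rather than opportunistic or automated access.
        "pattern": "workday-like"
        if weekday_fraction >= 0.8 and business_fraction >= 0.8
        else "irregular",
    }


def analyze(text):
    """Convenience wrapper: raw log text -> timeliness profile."""
    return timeliness_profile(build_sessions(parse_log(text)))


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, six of the seven sessions start between 08:50 and 09:05 UTC on weekdays and last a few hours, so the profile is reported as workday-like; the single Saturday session at 02:15 is the kind of outlier worth checking against what else happened on that host at that time. The 0.8 threshold is an arbitrary cut-off for this example; in practice you would compare against the connection baseline of the legitimate account holder.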
When it is observed that an attacker has knowledge of your environment, there are generally two primary explanations. One is that the attacker has been inside your network for much longer than you have been aware of (perhaps with help from an insider within your organization). The other is that the attacker found or stole a laptop belonging to a system administrator and has all the sensitive information necessary, without having been inside your network.
The timeliness of an attacker’s actions is highly important to evaluating the following:
Knowledge of your environment, including system locations, system functionality, folder and file locations, and personnel and their roles