Reverse Deception: Organized Cyber Threat Counter-Exploitation (33 page)


Authors: Sean Bodmer


Knowledge of the operating system
Grasp of commands, options, and arguments
Whether the attack is organized or disorganized, which helps build a clearer picture of the intent and motive
Whether or not the attack is scripted


Your security team can measure and observe these pieces of information by analyzing the utilization of each compromised system by the threat. This specific component of information will tell you a lot about your threat.


1. Multiple systems were accessed for long periods of time (threat was searching)
2. Multiple systems were accessed for long periods of time in specific locations
3. Multiple systems were accessed for long periods of time surrounding specific applications
4. A few systems were accessed for long periods of time, and specific information was grabbed
5. A few systems were accessed on a regular basis targeting specific file types
6. A few systems were accessed on a regular basis (occurring only within a specific team)
7. A few systems were accessed a few times (occurring only within a specific team)
8. A single system was accessed on a regular basis briefly (involving a specific member of a team)
9. A single system was accessed a few times and briefly targeted (involving a specific member of a team)
10. A single system was accessed directly and briefly (involving only a specific individual)
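The utilization measurement described above, as an added example that is not from the book: it summarises constructed attacker session records (start time, minutes on the host, host, path touched) into the observables the scale distinguishes (breadth of systems, length and regularity of access, file-type focus) and places them coarsely on that scale. The thresholds and the session format are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime
from os.path import splitext
from statistics import mean, pstdev

# Constructed sample (not from the book): one row per attacker session,
# (session start, duration in minutes, host, path touched).
SESSIONS = [
    ("2012-03-01T02:10", 9, "fs-03", "/proj/alpha/design.docx"),
    ("2012-03-02T02:05", 11, "fs-03", "/proj/alpha/bom.xlsx"),
    ("2012-03-03T02:12", 8, "fs-03", "/proj/alpha/notes.docx"),
    ("2012-03-04T02:08", 10, "fs-03", "/proj/alpha/specs.docx"),
]
# Second constructed sample: broad, long, irregular access across hosts.
SEARCHING = [
    ("2012-03-01T01:00", 240, "ws-11", "/Users/a/Documents"),
    ("2012-03-01T06:00", 180, "ws-12", "/Users/b/Desktop"),
    ("2012-03-02T23:00", 300, "fs-01", "/shares/eng"),
    ("2012-03-05T03:00", 200, "db-02", "/var/lib/mysql"),
    ("2012-03-06T04:30", 150, "mail-01", "/var/mail"),
]

LONG_SESSION_MIN = 60   # assumed cut-off for "long periods of time"
REGULAR_CV = 0.25       # assumed max spread of start intervals for "regular basis"

def utilization_features(sessions):
    """Summarise how the threat used the systems it reached."""
    starts = sorted(datetime.fromisoformat(s[0]) for s in sessions)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]
    exts = Counter(splitext(s[3])[1].lower() for s in sessions)
    top_ext, top_n = exts.most_common(1)[0]
    return {
        "systems": len({s[2] for s in sessions}),
        "sessions": len(sessions),
        "mean_minutes": mean(s[1] for s in sessions),
        # regular = at least three visits whose spacing barely varies
        "regular": len(gaps) >= 2 and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= REGULAR_CV,
        # focus = one file type dominates what was touched
        "file_type_focus": top_ext if top_ext and top_n / len(sessions) >= 0.75 else None,
    }

def utilization_label(f):
    """Coarse placement on the scale: searching versus targeted access."""
    long_ = f["mean_minutes"] >= LONG_SESSION_MIN
    if f["systems"] > 3 and long_:
        return "multiple systems, long periods (threat was searching)"
    if f["systems"] > 1 and f["regular"]:
        return "few systems, regular basis" + (", specific file types" if f["file_type_focus"] else "")
    if f["systems"] == 1 and f["regular"]:
        return "single system, regular basis, briefly"
    if f["systems"] == 1:
        return "single system, accessed directly and briefly"
    return "few systems, accessed a few times"
```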


Skills and Methods

When observing attackers’ skills and methods, you are also weighing the victimology and attack origination in combination. Why do we do it this way? Well, there is an easy answer for that one: injection and propagation techniques.

The skills of each attacker will vary, and the more skill shown, the more attention should be paid. Also, if you see a single threat using a lot of skills and techniques, that implies more than a single individual is behind the observed events.

Having the ability to observe the skills and methods of each threat is critical. This requires a blend of traditional host-based and enterprise-based security solutions that provide the ability to see not only what occurred on the host, but also what happened over the network. How were they able to get into your network, get out, and then maintain persistence?

The following information needs to be weighed when evaluating a threat’s skills and methods:

Attack (the exploitation and remote control of your enterprise systems)
The vulnerability/exploit and its disclosure history (was this a known exploit?)
The methodology, signature, content, and patterns (is this a known threat that has attempted to exploit or exploited your enterprise before, or is there a specific pattern surrounding the attack that would help attribute the threat to a specific individual or group?)
Tools used
Utilization of access (how did the threat use each system?)
Data transfer technique
Logging alteration or deletion technique
