Reverse Deception: Organized Cyber Threat Counter-Exploitation
Author: Sean Bodmer
These observable details can also provide deeper insight into the individuals behind the other end of the keyboard. For example, keystroke analysis, also known as text-based analysis, can be used to determine the gender, age, and intelligence of a threat behind a specific incident. Research based on behaviors can identify gender and when genders switch in the middle of an intrusion. Using keystroke analysis at the session layer, you can infer the age and intelligence of the individual behind the events, based on the usage of commands, options, arguments, methodology, and content analysis.
With behavioral profiling, the observables at the scene of the crime can be related to the behavior of that individual in real life. When combined with the other observables of an event, behavior can be further analyzed by tracking affiliations, position types, backgrounds, and experiences.
| Level | Description |
| --- | --- |
| 1 | Open source publicly available tools freely downloadable using basic techniques |
| 2 | Open source publicly available tools freely downloadable using some custom techniques |
| 3 | Open source publicly available tools freely downloadable using completely custom techniques |
| 4 | Customized open source tools freely downloadable using completely custom techniques |
| 5 | A combination of customized open source and commercial (cracked) tools using custom techniques |
| 6 | A combination of customized tools and commercial (cracked) tools using professional techniques |
| 7 | A combination of customized tools and commercial (cracked) tools using professional techniques along with observable patterns and signatures of previous intrusions |
| 8 | Completely customized tool suite with mid-level knowledge of operating system commands, options, and arguments for use specifically within your environment |
| 9 | Completely customized tool suite with in-depth knowledge of operating system commands, options, and arguments that would work only against your environment |
| 10 | Customized/tailored tools that have never been seen in the wild, demonstrating that the operator is well aware of your enterprise composition and has a firm grasp of the operating system commands, options, and arguments for use specifically within your environment |
Actions
Okay, what just happened? This is one of the two “so, what” factors you or your leadership will want to know. What did the attackers do while in your enterprise? You need to know every system they touched and which may have a backdoor (a malicious agent or module that runs on an infected system that allows for remote control by the attacker).
Discerning actions is one of the most difficult tasks when you rely only on the host (the compromised system) and the malware found on it. In today’s modern world of threats, adversaries, and espionage, everything you want to know about (such as social engineering, exploitation, data theft/exfiltration, and persistent remote control) occurs over the network. You are attempting to identify the total set of systems that were touched, and when, so that you can identify a possible pattern; that pattern can also be identified through skills and methods, as described in the previous section.
You want to know how attackers made it into your network, how often they used your network, how they used your network, and how deep your enterprise is hemorrhaging. Also, by analyzing the actions, you can add that as a weight to the possible motives, intent, and objectives.
| Level | Description |
| --- | --- |
| 1 | Threat is using your system as a training point—just poking around without causing any harm or attempting to steal any information |
| 2 | Threat is storing peer-to-peer files for torrent seeds (such as porn, movies, and music) on the system |
| 3 | Threat is an infector worm spreading itself across files stored on the systems involved |
| 4 | Threat is a standard infection to your system from a random infector site |
| 5 | Threat is using your system as a part of a larger criminal botnet |
| 6 | Threat is using your system as a part of a larger criminal network and stealing information |
| 7 | Threat is using your system to coordinate attacks against external systems to your enterprise |
| 8 | Threat is using your system to coordinate attacks against internal and external systems to gain a larger foothold across your enterprise, partners, customers, and random external entities |
| 9 | Threat is using your system to coordinate attacks against internal and external systems, and is targeting specific types of information critical to your organization’s operations |
| 10 | Threat is using your system to coordinate attacks against internal and external systems, targeting specific types of information critical to your organization’s operations, and selling access to specific nefarious groups around the world |
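The Actions section above asks for the total set of systems touched, at what times, how often the network was used, and whether the activity reached internal systems only or external ones as well. As an added example (not code from the book), here is a Python reconstruction of that picture from normalized connection events: which internal systems were reached and via which host, the lateral hops from an already-touched system to a new one, the external hosts contacted from inside, the dwell time, and the number of active days. The event lines, the "timestamp|source|destination|action" format, and the enterprise address ranges in INTERNAL_NETS are constructed assumptions of this example; the addresses are documentation ranges, not real hosts.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Enterprise address space (an assumption of this example; a real deployment
# would load its own ranges). Anything outside these networks is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events in a normalized "timestamp|source|destination|action" form,
# as they might be merged from VPN, authentication and proxy logs. Made up for
# this example.
SAMPLE_EVENTS = """\
2012-03-04T01:12:07Z|198.51.100.23|10.1.5.20|login
2012-03-04T01:15:40Z|10.1.5.20|10.1.5.21|login
2012-03-04T01:31:02Z|10.1.5.21|10.1.7.8|smb_copy
2012-03-04T02:02:55Z|10.1.5.20|198.51.100.23|outbound_transfer
2012-03-05T22:10:11Z|198.51.100.23|10.1.5.20|login
2012-03-05T22:12:45Z|10.1.7.8|203.0.113.77|outbound_scan
"""


def is_internal(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text: str):
    """Parse and time-order the events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, src, dst, action = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        events.append((when, src, dst, action))
    return sorted(events)


def summarize(events):
    """Reconstruct what was touched, in what order, from where, and for how long."""
    touched = {}                  # internal system -> first/last contact and first source
    hops = []                     # (already-touched system, newly reached system, time)
    external = defaultdict(set)   # internal source -> external hosts it contacted
    for when, src, dst, action in events:
        if is_internal(dst):
            if dst not in touched:
                touched[dst] = {"first": when, "last": when, "via": src}
                if src in touched:            # reached from a system already in play
                    hops.append((src, dst, when))
            else:
                touched[dst]["last"] = when
        elif is_internal(src):
            external[src].add(dst)            # inside-to-outside activity
    dwell = events[-1][0] - events[0][0] if events else None
    return {
        "systems_touched": sorted(touched),
        "first_contact": {h: v["via"] for h, v in touched.items()},
        "lateral_hops": hops,
        "external_contacts": dict(external),
        "dwell_seconds": int(dwell.total_seconds()) if dwell else 0,
        "active_days": len({when.date() for when, *_ in events}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

Splitting destinations into internal and external is what lets the summary speak to the difference between the table's levels 7 and 8: hops between internal systems show the foothold spreading, while outbound contacts from touched systems show the enterprise being used against others.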
Objectives
The objectives component is one that no stakeholder feels comfortable discussing, ever. This is because these are the moments when your team gets together and tries to figure out what has been lost. The only time you should ever be happy about your data being stolen is when you have set up a deception operation and allowed your attackers to exfiltrate information in order to mislead them or feign in battle.
The moment when true adversarial objectives have been met is never a happy one for any organization. Everything you have been working toward has, in total or in part, been lost to a competitor or criminal of some sort. Billions of dollars’ worth of sensitive, corporate, and personal information have been lost over the past decade. These are the objectives of your adversaries. Whether they’re posed by some pimply teenager in his parents’ home or a foreign intelligence service, threats are out there (we did say there would be plenty of FUD).
What has been taken is a very important piece of information to know. Once you’ve identified the objectives, affiliations of the threat can be attributed. Whether the objectives were financial or information-based can be a significant indicator as to who is behind the attack or intrusion.
Observable objectives can go wide and deep, such as monitoring e-mail, logistical information, your supply chain, and other areas of your organization that can be used against you to your adversaries’ advantage. What are they doing? What pieces did they get? Which sections are they in? What do they know? These are the questions you generally ask when thinking of your adversaries’ objectives.
| Level | Description |
| --- | --- |
| 1 | Seeming curiosity |
| 2 | Targeting login information |
| 3 | Targeting organizational information (e-mail, logins, and so on) |
| 4 | Targeting organizational, partner, and customer information |
| 5 | Targeting organizational users’ personally identifiable information (PII) |
| 6 | Targeting organizational users’ financial information |
| 7 | Targeting organizational financial information |
| 8 | Targeting organizational operational, financial, and research information |
| 9 | Targeting specific high-profile organizational members’ information |
| 10 | Targeting specific high-priority, organizational sensitive, and classified information, and all of the above, as this infers the threat is going for all the eggs in your basket |
Resources
The ability to measure the resources of an attacker is not an easy task. However, it is possible to gain this information through all of the observables collected across your enterprise, such as the following:
- The period of time spent moving through your enterprise
- The types of tools used in the event, such as open source, publicly available, freeware, commercial, or illegally purchased (Zeus, SpyEye, and other tools can cost $10,000 or more)
- The types of information being taken/stolen
- The methods used to exfiltrate your information into their possession
- The payoff of an insider to infect your enterprise