Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Actions: well rehearsed, ad hoc, random, controlled versus uncontrolled
Attack origination points: outside, inside, single point, diverse points
Numbers involved in attack: solo, small group, big group
Knowledge source: chat groups, web, oral, insider knowledge, espionage
It is legal to develop behavioral indicators of specific malicious IP addresses, as opposed to individuals. With respect to the preceding personality points, it is entirely possible to observe that a malicious IP address follows a standard operating procedure, uses a particular method of entry, and pursues identifiable goals or objectives. When this information is analyzed across large enterprises such as government networks, it shows which areas of the production network need to be protected in order to raise the defensive posture and protection levels.
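The following is an added example, not code from the book or its author, of how an analyst might turn a stream of intrusion events into the per-IP behavioral indicators just described (consistent versus ad hoc actions, method of entry, targeted segments, objectives) and then rank network segments by how many distinct sources are attacking them. The event fields, the sample events and the "well rehearsed" threshold are assumptions constructed for this illustration.

```python
"""Added example (not from the book): derive behavioural indicators per
source IP from a constructed set of intrusion events, then rank the
network segments under the most attack pressure.  Field names, sample
events and the rehearsal threshold are assumptions for this illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample events (assumed schema):
# (timestamp, source_ip, method_of_entry, target_segment, observed_objective)
EVENTS = [
    ("2024-03-01T02:00:00", "198.51.100.7", "ssh-bruteforce", "dmz-web", "recon"),
    ("2024-03-02T02:01:00", "198.51.100.7", "ssh-bruteforce", "dmz-web", "recon"),
    ("2024-03-03T02:00:30", "198.51.100.7", "ssh-bruteforce", "finance-db", "data-theft"),
    ("2024-03-04T02:00:10", "198.51.100.7", "ssh-bruteforce", "finance-db", "data-theft"),
    ("2024-03-01T13:12:00", "203.0.113.9", "phishing-link", "hr-workstations", "credential-theft"),
    ("2024-03-05T21:47:00", "203.0.113.9", "web-sqli", "dmz-web", "defacement"),
    ("2024-03-09T06:03:00", "203.0.113.9", "vpn-credential-stuffing", "vpn-gateway", "recon"),
    ("2024-03-02T09:00:00", "192.0.2.44", "vpn-credential-stuffing", "finance-db", "data-theft"),
]


def profile_sources(events):
    """Return {source_ip: indicators}.

    'actions' is labelled 'well rehearsed' when a source sticks to a single
    method of entry and strikes at a consistent time of day (population
    standard deviation of the hour-of-day below one hour, a threshold chosen
    for this example); anything else is labelled 'ad hoc'.
    """
    by_ip = defaultdict(list)
    for ts, ip, method, segment, goal in events:
        by_ip[ip].append((datetime.fromisoformat(ts), method, segment, goal))

    profiles = {}
    for ip, rows in by_ip.items():
        methods = Counter(method for _, method, _, _ in rows)
        hours = [t.hour + t.minute / 60 for t, _, _, _ in rows]
        consistent_time = len(hours) > 1 and pstdev(hours) < 1.0
        profiles[ip] = {
            "events": len(rows),
            "method_of_entry": methods.most_common(1)[0][0],  # dominant entry method
            "distinct_methods": len(methods),
            "segments": sorted({segment for _, _, segment, _ in rows}),
            "objectives": sorted({goal for _, _, _, goal in rows}),
            "actions": "well rehearsed" if len(methods) == 1 and consistent_time else "ad hoc",
        }
    return profiles


def segment_pressure(events):
    """Count distinct attacking sources per target segment, most pressured
    first (ties broken by segment name) so defenders see where to invest."""
    sources = defaultdict(set)
    for _, ip, _, segment, _ in events:
        sources[segment].add(ip)
    return sorted(((seg, len(ips)) for seg, ips in sources.items()),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, indicators in profile_sources(EVENTS).items():
        print(ip, indicators)
    print("segment pressure:", segment_pressure(EVENTS))
```

Run on the constructed events, the profile flags 198.51.100.7 as a well-rehearsed source (one entry method, always around 02:00) and 203.0.113.9 as ad hoc (three methods at scattered hours), while the pressure ranking puts dmz-web and finance-db at the top as the segments drawing attention from more than one source.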
Analyst Workflow
It is important for an analyst to adhere to a clearly documented workflow to completely cover every aspect of the operational, intelligence, and technical impact of an attack against a production network. The workflow looks like this:
Event triage
Validation/threat assessment
Confirmation of the event of threat
Case overview
Assessments
History/hotspots
Correlation of prior activity to this network segment
Nature of information targeted
The observable goal of the attacker
Victim system functionality
Evaluation of the system that was affected
Attack
Vulnerability/exploit
Evaluation of the injection vector used by the attacker