https://www.darkreading.com/cyberattacks-data-breaches/how-to-identify-cyber-adversary-what-to-look-for
Cyberattacks & Data Breaches | Vulnerabilities & Threats

HOW TO IDENTIFY A CYBER ADVERSARY: WHAT TO LOOK FOR

There are many factors involved in attributing a cyber incident to a specific threat actor.

Charles A. Garzoni, Deputy CISO, Centene Corporation
March 14, 2024
4 Min Read

Source: Chris Baker via Alamy Stock Photo

COMMENTARY

Cyber-incident attribution gets a lot of attention, for good reasons. Identifying the actor(s) behind an attack enables taking legal or political action against the adversary and helps cybersecurity researchers recognize and prevent future threats. As I wrote in the first part of this series, attribution is both a technical and an analytical process. Therefore, extracting the necessary data requires collaboration across many types of information and intelligence disciplines.

Attribution is getting harder as tradecraft improves and malicious actors find new ways to obfuscate their activity. Human intelligence frequently comes into play, which makes the work of government intelligence agencies like the FBI and CIA so valuable. There are multiple factors involved in trying to attribute an event. Here is a general framework you can apply in your attribution activities.

VICTIMOLOGY

Finding out as much as you can about the victim (e.g., yourself) through analysis can yield some surprising results. To paraphrase Sun Tzu, "know your enemy and you will win a hundred battles; know yourself and you will win a thousand." What you make or manufacture, what services you provide, and who your corporate executives are all have a direct bearing on the adversary's motives. Who wants what you have? Is a nation-state fulfilling collection requirements? Does someone want to reproduce your intellectual property?

TOOLS

Categorize the adversary's tools you find during your investigation and analyze each group. What did the adversary use? Are the tools open source? Are they open source but customized? Were they possibly written by the actors themselves? Are they prevalent or common? Unfortunately, tools used in a breach are often transient or lost due to time and anti-forensic techniques (such as malware that exploits a vulnerability). Different tools can maintain persistence, escalate privileges, and move laterally across a network. Tools become harder to detect the longer the adversary remains in your network.

TIME

Looking and behaving like everyone else in your environment is crucial to an adversary's longevity. They tend to use what is available to them on the corporate network ("living off the land") or innocuous tools that won't arouse suspicion, making them harder to detect. An adversary backed by a strong military-industrial complex or sophisticated intelligence apparatus has the time, resources, and patience to linger in your network. In contrast, time is money for cybercriminals and ransomware groups, so their dwell time may be significantly lower.

INFRASTRUCTURE

Investigate what type of infrastructure the malicious actors used, especially elements related to command-and-control (C2) functions. Was it leased infrastructure, a virtual private server (VPS), a virtual private network (VPN), compromised space, or a botnet? Did they use Tor or another anonymity network? Was the C2 address hard-coded into the malware? How does the C2 work? Unique infrastructure is easier to identify, whereas commonplace tooling makes attribution more difficult.

IMPLEMENTATION

It's not enough to identify the adversary's tools and infrastructure; reviewing how they are implemented during the attack is critical. How tactics, techniques, and procedures (TTPs) are implemented can tell you whether someone is intentionally trying to mislead you (i.e., using false flags). If data was exfiltrated from your network, do a detailed analysis to understand what they took or targeted. Logging internal user actions can help if the adversary moved laterally and took on an administrator's or employee's persona. If they did a "smash and grab," taking everything, well, you've got some work to do.

If the attack was unique and there are no benchmarks to start from, that in itself is an indicator. Attacks rarely work that way, though. Adversaries tend to go with what they know: they learn a way of doing things and try to stick with it. While the tools of the trade (e.g., hacking tools used, vulnerability exploited, infrastructure used) change, tradecraft is more difficult to change wholesale.

NEXT STEPS

Once you collect the intelligence or evidence you need, consider: What is the fidelity of the information captured (how accurate is it)? How exclusive is it? Is the information you know about the attack tied to a particular actor or organization?

When you make an assessment, you inevitably have information gaps — either missing material information or indicators that are not neatly explained by your strongest theory. If a government needs more information, it probably has the resources to close the intelligence gaps. Any other type of organization must find other ways to derive attribution for defensive purposes.

FINAL THOUGHTS

Many people and organizations want to rush attribution and take immediate action. Hasty attribution doesn't bypass the need to conduct a thorough investigation. On the government side, rushing a response to a cyber event to set a foreign policy standard or meet a perceived national security objective is a recipe for disaster. Attribution should be enhanced, not bypassed; otherwise, highly skilled false-flag and deception operations will draw companies and countries into conflict while playing into the hands of a determined adversary. Foreign policy strategy is a game of chess in which you must always anticipate the adversary's countermoves.

Attribution often requires a whole-of-government and private-sector effort; rarely does one agency or company have all the necessary information to put the pieces together. We need to incorporate and formalize threat intelligence and attribution into academic curricula and give them the attention they deserve. This is not something any nation or the cybersecurity community can afford to get wrong.

ABOUT THE AUTHOR(S)

Charles A. Garzoni, Deputy CISO, Centene Corporation

Charles Garzoni is Deputy CISO, Centene Corporation, and is responsible for cyber defense operations. His career has spanned multiple industries, law enforcement, and the military, specializing in building teams to investigate, analyze, and attribute both nation-state and criminal cyber attacks. Over his career he has worked hundreds of high-profile incidents (such as Sony, OPM, Anthem, NASDAQ) and helped design and execute cyber operations against adversaries. He has held several significant positions within the government, including Incident Response Director and Cyber Incident Coordinator for the FBI Cyber Division, and Chief of Threat Analysis for the NCIJTF. He was also appointed Director of Defensive Strategy for the US Cyberspace Solarium Commission and retired as a senior leader with the Air Force Office of Special Investigations (OSI), where he focused on cyber investigations, operations, and cyber strategy.