URL: https://www.darkreading.com/cyberattacks-data-breaches/how-to-identify-cyber-adversary-what-to-look-for

HOW TO IDENTIFY A CYBER ADVERSARY: WHAT TO LOOK FOR

There are many factors involved in attributing a cyber incident to a specific
threat actor.

Charles A. Garzoni, Deputy CISO, Centene Corporation

March 14, 2024

COMMENTARY

Cyber-incident attribution gets a lot of attention, for good reasons.
Identifying the actor(s) behind an attack enables taking legal or political
action against the adversary and helps cybersecurity researchers recognize and
prevent future threats. 

As I wrote in the first part of this series, attribution is both a technical and
analytical process. Therefore, extracting the necessary data requires
collaboration from many types of information and intelligence disciplines.
Attribution is getting harder as tradecraft improves and malicious actors find
new ways to obfuscate their activity. Human intelligence frequently comes into
play, making the work of government intelligence agencies like the FBI and CIA
so valuable.  



There are multiple factors involved in trying to attribute an event. Here is a
general framework you can apply in your attribution activities.


VICTIMOLOGY

Finding out as much as you can about the victim (i.e., yourself) through
analysis can yield some surprising results. To paraphrase Sun Tzu, "know your
enemy and you will win a hundred battles; know yourself and you will win a
thousand." What you make or manufacture, what services you provide, and who
your corporate executives are will all have a direct bearing on the adversary's
motives. Who wants what you have? Is a nation-state fulfilling collection
requirements? Does someone want to reproduce your intellectual property?




TOOLS

Categorize the adversary's tools you find during your investigation and analyze
each group. What did the adversary use? Are they open source? Are they open
source but customized? Were they possibly written by the actors? Are they
prevalent or common? Unfortunately, tools used in a breach are often transient
or lost due to time and anti-forensic techniques (such as malware that exploits
a vulnerability). Different tools can maintain persistence, escalate privileges,
and move laterally across a network. Tools are harder to detect the longer the
adversary remains in your network.




TIME

Looking and behaving like everyone else in your environment is crucial to an
adversary's longevity. They tend to use what is available to them on the
corporate network ("living off the land") or innocuous tools that won't arouse
suspicion, making them harder to detect. An adversary backed by a strong
military-industrial complex or sophisticated intelligence apparatus has the
time, resources, and patience to linger in your network. In contrast, time is
money for cybercriminals and ransomware groups, so their dwell time may be
significantly lower. 




INFRASTRUCTURE

Investigate what type of infrastructure the malicious actors used, especially
elements related to command-and-control (C2) functions. Was it leased
infrastructure, virtual private server (VPS), virtual private network (VPN),
compromised space, or botnets? Did they use Tor or another anonymous network?
Was C2 hard coded into the malware? How does the C2 work? Unique infrastructures
are easier to identify, whereas commonplace tools make attribution more
difficult.


IMPLEMENTATION

It's not enough to identify the adversary's tools and infrastructure; reviewing
how they are implemented during the attack is critical. How tactics, techniques,
and procedures (TTPs) are implemented can tell you if someone is attempting to
intentionally mislead you (i.e., using false flags). If data was exfiltrated
from your network, do a detailed analysis to understand what they took or
targeted. 

Logging internal user actions can help if the adversary moved laterally and took
on an administrator's or employee's persona. If they did a "smash and grab,"
taking everything, well, you've got some work to do. If the attack was unique
and there are no benchmarks to start from, that is an indicator. 



Attacks rarely work that way though. Adversaries tend to go with what they know:
they learn a way of doing things and try to stick with it. While the tools of
the trade (e.g., hacking tools used, vulnerability exploited, infrastructure
used) change, tradecraft is more difficult to change wholesale.


NEXT STEPS

Once you collect the intelligence or evidence you need, consider: What is the
fidelity of the information captured (how accurate is it)? How exclusive is it?
Is the information you know about the attack tied to a particular actor or
organization? 

When you make an assessment, you inevitably have information gaps — either
missing material information or indicators that are not neatly explained by your
strongest theory. If a government needs more information, it probably has the
resources to close the intelligence gaps. Any other type of organization must
find other ways to derive attribution for defensive purposes.
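To make the five-factor framework above and these next-step questions concrete, here is an added Python example (not code from the article or its author) that records each indicator under one factor with a fidelity and an exclusivity value, scores candidate actors by the share of weighted evidence consistent with each, and lists the indicators the strongest theory does not explain, which the text calls information gaps. The actor labels and evidence are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five attribution factors from the framework above.
FACTORS = ("victimology", "tools", "time", "infrastructure", "implementation")


@dataclass(frozen=True)
class Indicator:
    factor: str              # one of FACTORS
    description: str
    fidelity: float          # 0..1: how accurate we believe the observation is
    exclusivity: float       # 0..1: how tightly it ties to one actor (easy to fake = low)
    actors: Tuple[str, ...]  # candidate actors this indicator is consistent with

    def weight(self) -> float:
        if self.factor not in FACTORS:
            raise ValueError(f"unknown factor: {self.factor}")
        return self.fidelity * self.exclusivity


def score_actors(indicators: List[Indicator], candidates: List[str]) -> Dict[str, float]:
    """Share of total evidence weight consistent with each candidate, in 0..1."""
    total = sum(i.weight() for i in indicators)
    scores = {c: 0.0 for c in candidates}
    for ind in indicators:
        for actor in ind.actors:
            if actor in scores:
                scores[actor] += ind.weight()
    return {a: round(s / total, 3) if total else 0.0 for a, s in scores.items()}


def strongest_theory(scores: Dict[str, float]) -> str:
    return max(scores, key=scores.get)


def information_gaps(indicators: List[Indicator], actor: str) -> List[str]:
    """Indicators the strongest theory does not explain: review for false flags or missing context."""
    return [i.description for i in indicators if actor not in i.actors]


# Constructed sample evidence; Group-X and Group-Y are hypothetical actor labels.
SAMPLE = [
    Indicator("victimology", "victim holds defence IP; nothing monetised", 0.9, 0.3, ("Group-X",)),
    Indicator("tools", "open-source tooling with a custom loader", 0.8, 0.5, ("Group-X", "Group-Y")),
    Indicator("time", "14-month dwell, living off the land throughout", 1.0, 0.4, ("Group-X",)),
    Indicator("infrastructure", "C2 on leased VPS reused from earlier campaign", 0.7, 0.8, ("Group-X",)),
    Indicator("implementation", "ransom note in Group-Y's usual style", 0.9, 0.2, ("Group-Y",)),
]

if __name__ == "__main__":
    scores = score_actors(SAMPLE, ["Group-X", "Group-Y"])
    best = strongest_theory(scores)
    print(scores, best, information_gaps(SAMPLE, best))
```

The low exclusivity given to the ransom-note style keeps an easily faked indicator from outweighing the harder-to-fake infrastructure reuse, and it still surfaces as a gap to explain before any assessment is issued.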


FINAL THOUGHTS

Many people and organizations want to rush attribution and take immediate
action. Hasty attribution doesn't bypass the need to conduct a thorough
investigation. On the government side, rushing a response to a cyber event to
set a foreign policy standard or meet a perceived national security objective is
a recipe for disaster. 

Attribution should be enhanced and not bypassed; otherwise, highly skilled false
flag and deception operations will draw companies and countries into conflict
while playing into the hands of a determined adversary. Foreign policy strategy
is a game of chess where you must always anticipate the adversary's
countermoves. 

Attribution often requires a whole-of-government and private sector effort;
rarely does one agency or company have all the necessary information to put the
pieces together. We need to incorporate and formalize threat intelligence and
attribution into academic curricula and give it the attention it deserves. This
is not something any nation or the cybersecurity community can afford to get
wrong.





ABOUT THE AUTHOR(S)

Charles A. Garzoni

Deputy CISO, Centene Corporation

Charles Garzoni is Deputy CISO, Centene Corporation, and is responsible for
cyber defense operations. His career has spanned multiple industries, law
enforcement, and the military, specializing in building teams to investigate,
analyze, and attribute both nation-state and criminal cyber attacks. Over his
career he has worked hundreds of high-profile incidents (such as Sony, OPM,
Anthem, NASDAQ) and helped design and execute cyber operations against
adversaries.

He has held several significant positions within the government, including
Incident Response Director and Cyber Incident Coordinator for the FBI Cyber
Division, and Chief of Threat Analysis for the (NCIJTF). He was also appointed
as the Director of Defensive Strategy for the US Cyberspace Solarium Commission
and retired as a senior leader with the Air Force Office of Special
Investigations (OSI), where he focused on cyber investigations, operations, and
cyber strategy.
