Early identification of security breaches and accurate forecasting of attack progression are critical aspects of an effective and timely response to cyber-attacks. The progression of a cyber assault is determined by the attackers' future moves, their objectives, and their motivation—i.e., the "profile" that characterizes the malefactor's behavior in the system. Typically, an "attacker profile" is a collection of an attacker's characteristics—both internal, such as motivations and abilities, and external, such as financial backing and tools employed. Formulating the attacker's profile enables the determination of the malefactor's type and the complexity of the response, and can ease attacker attribution during security incident investigations. This blog aims to characterize the behavior of cyber adversaries by understanding the motivation behind an attack, analysing the attacker profile and exploring the different stages of cyber-attacks. We then look at some of the available tools and techniques that can help identify the perpetrators and discuss the challenges associated with identifying the malicious actors.
Attackers, or cyber threat actors, can be classified according to their objectives, motivations, and capabilities. This gives us a better understanding of their identity and the purpose of the attack, and helps us draw up suitable defense plans. The different types of cyber attackers are:
1. Cyber Criminals
The substantial surge in ransomware attacks over the last five years is often linked to cyber-criminal groups that also engage in other forms of crime for profit. They are also well known for the growth of bots and botnet attacks, in which infected endpoints are collectively controlled by a command-and-control (C&C) server.
2. State-Affiliated Organizations
High-profile attacks on infrastructure, governments, voting systems and big enterprises are frequently perpetrated by state-sponsored organizations. These nation-state-sponsored assailants are motivated by political considerations and are frequently organized to influence or destabilize confidence in a social, political, or economic market.
3. Hacktivists
Hacktivist groups stage high-profile attacks in order to bring attention to their political or social causes. They frequently seek public recognition or reputation in order to draw attention to their particular cause.
4. Cyber Terrorists
Cyber-terrorist acts are frequently linked to state ties. Cyber-terrorists frequently target power grids and other critical infrastructure; the shutdown of the Ukrainian power grid by Russian attackers in 2015 is a frequently cited example.
5. Script Kiddies
The term "script kiddie" refers to inexperienced attackers who make use of publicly available attack tools without fully comprehending the consequences of their actions.
6. Insider Threat
Insider threat refers to a threat to an organization's security or data that originates from inside the organization. These threats are most frequently posed by current or former employees, but they can also come from third parties, such as contractors, temporary workers, or customers.
Cyberattack stages can help us understand the mediums utilized by cyber adversaries to lure and attack their victims. Exploring these mediums and stages of operation, in turn, throws light on the attacker's motivation.
Generally, cyberattacks fall into two categories: targeted and untargeted. In a targeted attack an organization is singled out because the attacker has a particular interest in its industry or has been paid to attack it; the approach may involve sending emails with malicious software attachments to specific persons. In an untargeted attack, attackers go after as many devices, services, or users as possible, indiscriminately. They are unconcerned with the identity of the victim, since there will always be a large number of vulnerable devices or services. Examples include sending emails to a huge number of people requesting sensitive information (such as bank account details) or enticing them to visit a bogus website.
Regardless of whether an attack is targeted or untargeted, or whether the attacker employs commodity or bespoke tools, all cyberattacks follow a similar path. An attack, especially one launched by a determined adversary, may consist of repeated stages: the attacker is effectively probing the organization's defenses for vulnerabilities that, if exploited, bring them closer to their objective. Understanding these stages will enable you to protect yourself more effectively.
In most cyber-attacks, there are four distinct stages:
Survey - During the survey phase, attackers employ every available means to identify technological, policy, or physical weaknesses they may exploit. They rely on open-source data such as LinkedIn, Facebook and other social media, as well as domain name management and search services. They collect and analyze any information about the organization's computers, security systems, and staff using commodity toolkits and methodologies, as well as conventional network scanning tools.
Delivery - During the delivery stage, the attacker attempts to get into a position to exploit a vulnerability they have uncovered or believe may exist.
Breach - During the breach stage, the attacker exploits the vulnerability or vulnerabilities to gain some form of unauthorized access.
Affect - During this stage, the attacker may attempt to explore your systems, gain additional access, and establish a persistent presence (a process referred to as consolidation). Typically, taking control of a user's account ensures a persistent presence. With administrative access to just one system, they can install automated scanning programs to learn more about your networks and gain control of additional systems.
Cybercrime investigators can perform cyber attribution (the processes that help track down and identify the cyber attacker) using a variety of specialized approaches. However, decisive and precise cyber attribution is not always attainable.
To gather essential information about attacks, investigators employ analytic tools, scripts, and algorithms. They frequently unearth information about the programming language and associated data, such as the compiler used, the compilation time, the libraries utilized, and the sequence in which actions connected to a cyberattack were executed. For instance, if investigators find that a piece of malware was built on a system with a Chinese, Russian, or other language keyboard layout, this information might help narrow down cyber attribution possibilities.
Cyber attribution investigators also examine any metadata associated with the attack. This metadata, which may include source IP addresses, email data, hosting platforms, domain names, and domain name registration data from third-party sources, might assist in establishing attribution, since attack systems frequently communicate with nodes outside the victim's network. However, these data points may also be fabricated.
Additionally, investigators may evaluate metadata gathered from several attacks against distinct companies. This permits specialists to draw conclusions based on the frequency with which they discover fake data. For instance, security experts may be able to track down an anonymous email address used in an attack and attribute it to the attacker because domain names used in the assault were previously recognized as belonging to a particular threat actor.
Investigators might also examine the strategies, processes, and tactics utilized in an attack, as cyber-attackers frequently have distinct styles. Investigators are occasionally able to identify culprits from information about attack patterns, such as social engineering strategies (tactics where hackers exploit natural human inclinations rather than attacking the software; it is much easier to fool someone into giving up their password than to crack it) or the repurposing of malware from previous operations (the majority of new malware reuses large portions of earlier malware's source code with minor modifications and additions).
Some of the more specific cyber attribution techniques are:
1. Prediction of Attacker Behavior Using Attack Graphs
The construction and use of attack graphs to predict and forecast attacks is a widely used technique. In general, an attack graph is a collection of connected nodes that reflect the assailant's objectives and actions. Typically, the attack graph is constructed by analysis of the network's topology, vulnerability assessment, and software and hardware configuration assessment. As a result, it demonstrates the relationship between individual vulnerabilities and the system's overall security status. In most circumstances, the attacker model is characterized by two critical attributes: capabilities and location.
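As an added illustration (not code from the blog), the following Python builds a small attack graph for a constructed three-host network, models the attacker by capability (skill level) and location (start node), enumerates every path to the goal and reports the vulnerabilities common to all paths, i.e. the ones whose remediation alone would cut the attacker off. Host names and vulnerability ids are made up.

```python
from collections import defaultdict

# Constructed attack graph for a hypothetical three-host network (not from any real
# assessment). Nodes are attacker positions written "host:privilege"; each edge is one
# exploit step labelled with a made-up vulnerability id and the skill level (1-3) it needs.
EDGES = [
    ("internet", "web:user", "VULN-WEB-RCE",     1),
    ("internet", "vpn:user", "VULN-VPN-AUTH",    3),
    ("web:user", "web:root", "VULN-WEB-PRIVESC", 2),
    ("web:root", "app:user", "VULN-APP-TRUST",   1),
    ("vpn:user", "app:user", "VULN-APP-TRUST",   1),
    ("app:user", "db:root",  "VULN-DB-CREDS",    1),
]

def build_graph(edges, skill):
    """Adjacency list keeping only the steps an attacker of the given skill can take.

    Together with the start node this encodes the two attacker-model attributes the
    text mentions: capabilities (skill) and location (where the search starts).
    """
    graph = defaultdict(list)
    for src, dst, vuln, needed in edges:
        if needed <= skill:
            graph[src].append((dst, vuln))
    return graph

def attack_paths(graph, start, goal, visited=()):
    """Enumerate all simple paths from start to goal as lists of vulnerability ids."""
    if start == goal:
        return [[]]
    paths = []
    for dst, vuln in graph.get(start, []):
        if dst in visited:          # never revisit a position (no cycles)
            continue
        for rest in attack_paths(graph, dst, goal, visited + (start,)):
            paths.append([vuln] + rest)
    return paths

def critical_vulns(paths):
    """Vulnerabilities lying on every path: fixing any one of them severs the goal."""
    return set.intersection(*(set(p) for p in paths)) if paths else set()

if __name__ == "__main__":
    for skill in (1, 2, 3):
        paths = attack_paths(build_graph(EDGES, skill), "internet", "db:root")
        print(f"skill {skill}: {len(paths)} path(s), critical = {sorted(critical_vulns(paths))}")
```

Raising the attacker's skill adds the VPN route, and the set of critical vulnerabilities shrinks to the two steps both routes share, which is the relationship between individual vulnerabilities and overall security status the text describes.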
2. Prediction of Attacker Behavior Using a Hidden Markov Model
Markov-based approaches are similar to attack tree models. They are usually built from system states and the transitions between them that occur as a result of events. Each transition is defined by a probability that depends only on the two states involved and not on the path by which the current state was reached, i.e., the state of the process at a given time is determined solely by its state at the preceding point in time.
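As an added example (not from the blog), this Python implements a hidden Markov model whose hidden states are the four attack stages described above and whose observations are alert categories; the forward algorithm infers the current stage from an alert sequence and one transition step forecasts the next. All alert names and probabilities are constructed for illustration.

```python
# Hidden states are the four attack stages from the text; observations are alert
# categories a SOC might see. All probabilities below are constructed, not measured.
STATES = ["Survey", "Delivery", "Breach", "Affect"]
ALERTS = ["recon_scan", "malicious_attachment", "exploit_signature", "new_admin_account"]

# TRANS[i][j]: probability of moving from stage i to stage j at the next time step.
# Each row depends only on the current stage, never on how the attacker got there
# (the Markov property described above). Rows sum to 1.
TRANS = [
    [0.6, 0.4, 0.0, 0.0],   # Survey -> keep surveying or move to Delivery
    [0.2, 0.4, 0.4, 0.0],   # Delivery -> fall back to Survey or achieve Breach
    [0.0, 0.1, 0.3, 0.6],   # Breach -> mostly proceeds to Affect
    [0.0, 0.0, 0.1, 0.9],   # Affect -> persistent presence
]
# EMIT[i][k]: probability that stage i produces alert k.
EMIT = [
    [0.7, 0.1, 0.1, 0.1],
    [0.2, 0.6, 0.1, 0.1],
    [0.1, 0.1, 0.7, 0.1],
    [0.1, 0.1, 0.2, 0.6],
]
INITIAL = [0.7, 0.2, 0.1, 0.0]   # a newly seen campaign most likely starts in Survey

def _normalize(v):
    total = sum(v)
    return [x / total for x in v]

def predict_next(belief):
    """One Markov step: distribution over the next stage given the current belief."""
    return [sum(belief[i] * TRANS[i][j] for i in range(4)) for j in range(4)]

def forward(alerts):
    """Forward algorithm: posterior over the current stage after the alert sequence."""
    belief = None
    for alert in alerts:
        k = ALERTS.index(alert)
        prior = INITIAL if belief is None else predict_next(belief)
        belief = _normalize([prior[i] * EMIT[i][k] for i in range(4)])
    return belief

def most_likely(dist):
    return STATES[max(range(4), key=dist.__getitem__)]

if __name__ == "__main__":
    seen = ["recon_scan", "recon_scan", "malicious_attachment", "exploit_signature"]
    now = forward(seen)
    print("current stage:", most_likely(now), [round(p, 3) for p in now])
    print("predicted next stage:", most_likely(predict_next(now)))
```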
3. Pattern Recognition of Attacker Behavior Using Fuzzy Inference
The advantages of fuzzy logic techniques stem from their capacity to work in the face of ambiguity. In many instances, fuzzy logic is employed to generate an averaged description of the characteristics required to represent either benign or malicious behavior. For instance, the fuzzification process may use the metrics characterizing the TCP service channel between two IP endpoints—count, uniqueness, and variance.
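As an added example (not from the blog), the following Python fuzzifies the three channel metrics named above with linear membership functions, fires a small rule base with min-AND, and defuzzifies to a 0..1 score. The breakpoints and rules are constructed, and "uniqueness" is assumed here to mean the fraction of connections to distinct destination ports.

```python
def ramp_up(x, lo, hi):
    """Membership rising linearly from 0 at lo to 1 at hi (clamped outside)."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))

def ramp_down(x, lo, hi):
    """Membership falling linearly from 1 at lo to 0 at hi."""
    return 1.0 - ramp_up(x, lo, hi)

# Fuzzification of the three channel metrics named in the text. Breakpoints are
# constructed; "uniqueness" is assumed to be the fraction of connections that went to
# a distinct destination port (an assumption about the metric's definition).
LOW = {
    "count":      lambda x: ramp_down(x, 20, 200),
    "uniqueness": lambda x: ramp_down(x, 0.1, 0.8),
    "variance":   lambda x: ramp_down(x, 50, 500),
}
HIGH = {
    "count":      lambda x: ramp_up(x, 20, 200),
    "uniqueness": lambda x: ramp_up(x, 0.1, 0.8),
    "variance":   lambda x: ramp_up(x, 50, 500),
}

# Rule base: (antecedents, consequent). Consequents are crisp scores on a 0 (benign)
# to 1 (malicious) scale, so defuzzification is a weighted average (Sugeno style).
RULES = [
    ({"count": HIGH, "uniqueness": HIGH},                 1.0),  # many connections, many ports
    ({"count": HIGH, "uniqueness": LOW, "variance": LOW}, 0.5),  # repetitive, uniform traffic
    ({"count": LOW},                                      0.0),  # quiet channel
    ({"uniqueness": LOW, "variance": HIGH},               0.0),  # one service, varied sizes
]

def fuzzy_score(count, uniqueness, variance):
    """Fuzzy inference over one TCP channel between two IP endpoints; returns 0..1."""
    metrics = {"count": count, "uniqueness": uniqueness, "variance": variance}
    weighted, total = 0.0, 0.0
    for antecedents, verdict in RULES:
        # AND of fuzzy conditions = minimum of the memberships (rule firing strength)
        strength = min(table[name](metrics[name]) for name, table in antecedents.items())
        weighted += strength * verdict
        total += strength
    return weighted / total if total else 0.0

if __name__ == "__main__":
    for label, args in [("quiet", (10, 0.15, 400)), ("scan-like", (500, 0.9, 20)),
                        ("beacon-like", (300, 0.05, 30)), ("mixed", (100, 0.5, 200))]:
        print(f"{label:12s} score = {fuzzy_score(*args):.3f}")
```

The "mixed" channel lands between the crisp cases because several rules fire partially, which is the graceful handling of ambiguity the text attributes to fuzzy methods.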
4. Assigning Responsibility for Cyber Attacks
Attack attribution is the process of determining the originator of an attack based on behavioral clues. Combinations of behaviors and other signs of harmful conduct are referred to as behavioral indicators. These indicators may be atomic or computed. Atomic indicators are isolated pieces of data that cannot be broken down further without losing their forensic value.
IP addresses, email addresses, domain names, and short strings of text are all examples of atomic indicators. Computed indicators are likewise discrete units of data, but they are derived by a computation over other data.
A hash is an example of a computed indicator: a unique signature derived from input data such as a password or a program. Defenders can compare the hashes of applications running on the machines in their network against the hashes of known malicious programs.
It is highly recommended to incorporate cyber attribution skills into the organisation's incident response plan (IRP). Generally, the larger the organization, the more significant attribution becomes. For government agencies and groups working in extremely sensitive areas, such as national security, knowing who is behind an assault might be essential. A recent example is the NotPetya cyberattack, which the US government traced to Russia following a protracted investigation. There is always something to be learned from every incident.
The significance of attribution is determined by the organization involved and its capacity to carry out an inquiry. As the dust settles and questions about "who" and "why" are raised, attribution may be the only way to reach a conclusion.
Businesses generally lack the resources or experience necessary to trace cybercriminals, and they typically contract external information security professionals. However, even with cybersecurity professionals, cyber attribution might prove difficult.
To identify the person or actors responsible for a cyberattack, specialists frequently perform thorough forensic investigations, which include evaluating digital forensic evidence and historical data and identifying intent or motives.
However, one of the difficulties associated with cyber attribution is that hackers rarely conduct assaults directly from their own homes or places of work; they operate instead through computers or devices held by other victims that the attacker has already penetrated.
Identifying an attacker is made more difficult by the fact that attackers can spoof their IP addresses or use other tactics, such as proxy servers, to bounce their traffic around the world and mislead cyber attribution attempts.
Additionally, jurisdictional constraints might obstruct attribution in cross-border cybercrime investigations. Each time a law enforcement agency needs to conduct a cross-border investigation, it must request assistance through official channels. This can obstruct the process of acquiring evidence, which must be done expeditiously.
In some circumstances, cyber attribution attempts are harmed further when jurisdictional concerns jeopardize the evidence's integrity and chain of custody.
Understanding the attacker's motivations can assist in cyber attribution, as it is not always about money. Investigators would also want to determine if cybercriminals are simply loitering or have been watching for an extended period. Additionally, they attempt to determine whether hackers are seeking specific data during their assaults and how they intend to utilize what they uncover.
Although cyber attribution is not an exact science, the strategies explained in the blog can assist cybercrime investigators in identifying the perpetrators.
Senior Director | ISSQUARED Information Security
Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in the Banking, Biotech, Medical, and Education sectors. Surya has played various roles across security domains, including CISO, Security Partner/SME for Information and Cyber Security, DevSecOps, Risk Management, Data Privacy, Enterprise Security Architecture, Data Architecture, Technology Risk, and Portfolio Management, after graduating with an MS in Risk Management from the Stern School of Business, New York University, U.S., and an MBA from Leeds University Business School, U.K.