Unmasking a threat actor at an individual level could help you to gain more context, determine why the attack occurred, and quantify future risk
Imagine law enforcement reaches out to a security team to tell them a threat actor is selling employee credentials or private access keys to a sensitive business application. Even though there is no confirmation that these threat actors accessed or stole data, it is very troubling. This type of threat is growing increasingly common in today’s threat landscape. To make sure these types of events don’t become full-blown breaches and damage the company’s reputation, sophisticated enterprises know that they need to take timely action and have visibility outside their perimeter. That action typically consists of external threat hunting, forensics, and the unmasking of the actors using open-source intelligence (OSINT). Successfully attributing the actor goes a long way to determining if the company is the victim of a targeted attack or just a target of opportunity.
However, there are three steps that organizations can follow to ensure confidentiality, integrity, and availability of data systems.
Step 1: Initial Internal and External Triage
The first step is making sure you have a coordinated response. This should include the legal, human resources, information technology, and security teams. The top priority should be ensuring the confidentiality, integrity, and availability of your data systems. You can do this by determining the origin of leaked credentials. If law enforcement or a third-party vendor initiates contact, they may hold those user credentials or private keys while engaging directly with the threat actor(s).
Generally speaking, law enforcement will have the account names of the forum users attempting to sell the credentials. Once you have this information, you should research the threat actors to assess their technical skills and how prolific they are in underground forums. For example, the dark web sellers may not have the same technical acumen as the actual malicious actor who obtained access into the environment. At this stage of the investigation, the extent of the damage often remains unknown and three paths should be pursued: 1) removing access, 2) determining the extent of the damage, and 3) deciding if the threat justifies unmasking the actors to understand the nature of the attack.
Step 2: Remove Unauthorized Access and Identify Damages
After confirming credentials and proper account access, you need to determine the damage. This includes identifying evidence of unauthorized access, lateral movement, the use of malicious tools, malware deployment, and whether or not data was accessed and exfiltrated. Implementing a combination of proper logging through a data acquisition strategy, two-factor authentication (both on the edge and internally), endpoint and network monitoring, some type of segmentation strategy–even if just hardened access control policies– and patch management, is likely to keep the security event or incident from converting to a full-blown breach.
Hopefully, the attacker’s time in your network only resulted in malicious authentication and no further damage occurred. If you have not implemented those proactive threat deterrents, it makes sense to reevaluate your security stack or engage with an expert for an overall security assessment.
In response to a specific attack, it’s important to do external threat monitoring and threat actor engagement to determine if the actors are attempting to exploit or monetize the security event. During this stage, it may not be necessary to unmask the individual responsible for the attack. If an assessment determines that the attackers gained access via re-used credentials scraped from third-party repositories, brute force spraying for the proper password, or discovered a re-used password from a previous data breach; it’s possible no further malicious activity occurred inside the environment.
If, on the other hand, the investigation leads you to suspect an insider or former employee is responsible for the attack, unmasking and attribution can provide critical context and help you avoid a breach, and possibly take legal action.
Step 3: The Case for Unmasking Attribution
If you are a victim of a targeted attack and not merely a target of opportunity, unmasking the threat actor at an individual level will help you to gain more context, determine why the attack occurred, and quantify future risk. Making the determination does not need to be a resource-intensive effort. The intelligence, forensics, and execution cycle of an event determined in the previous steps will indicate whether a security incident rises to the level of a breach. If the investigation determines one of the following, then unmasking may be warranted:
1. Sold credentials from an insider
2. Default credentials left in place
3. Account created by the former employee remains active
4. Account not rotated for more than 6 months intentionally or accidentally shared
Over the past decade, attribution was largely focused at a nation-state or actor level, but depending on attack context, it is becoming increasingly important to do attribution at an individual level. Remember, you can only secure what you see. While it’s always important to ensure confidentiality, integrity, and availability of your network through perimeter and internal insight, it’s increasingly critical to have the same visibility outside your firewalls.