Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Mistakes by Threat Actors Lead to Disruption, Not Just Better Blocking

Threat actors really only stop when their infrastructure is disrupted and their flow of funds disappears.

Many CISOs and security professionals respond to threats with the same phrase, “I don’t care who is attacking me, I just want it to stop.” They deploy an array of security tools to better block attacks and they hope the malicious actors will go elsewhere. Does this actually work? Some mature security teams have mature detection and intelligence programs that place a serialized code on the bottom of their SOC and intelligence reports that ultimately accumulate to a dollar loss prevention number. But very few enterprises can actually do this effectively. Threat actors really only stop when their infrastructure is disrupted and their flow of funds disappears, and this normally can only be achieved through the activities of U.S. law enforcement and intelligence agencies and major commercial data hosting providers.

The national security community requires context to be provided by the private sector. Full context can range from IP of victims and attackers, date/time, registration emails to VPS, phishing emails, victim emails, website hosting information, phone numbers associated with infrastructure, profile names, account names, other emails of attackers, and forum stylometric attributes and content for starters. Historically, service providers have been the source of data for government organizations, but victim organizations often have observations that can also greatly assist in creating a complete picture of an attacker. As proven by major takedowns, adversaries are not infallible. They make mistakes, and the correlation of data across service providers, victims, and the cyber industry is key to ensuring they pay for those mistakes.

From a service provider perspective, adversary mistakes often consist of using a provider located in the same country, or a close ally, of their targets. This error is becoming less frequent as attackers move to “bullet-proof” hosting for infrastructure. In many cases, the security operations and incident response teams of victims might not even be aware of the mistakes they have uncovered during the course of their investigations. The errors come in many flavors, including:

Obfuscation Errors

Regardless of their sophistication, attackers will attempt to hide their true point of presence on the internet. To successfully do this, they will likely repeat the process dozens of times. These repeated attempts during preparation, carry out, and profit taking create opportunities to make mistakes.

Examples include:

  • Forgetting to enable private registration when procuring domains to support an attack
  • Failing to properly encrypt their traffic
  • Forgetting to properly enable a VPN or proxy prior to connecting to their command and control infrastructure
  • Failing to remove PII from exchangeable image file format (exif) data – a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras, scanners and other systems handling image and sound files recorded by digital cameras – before posting pictures of their crimes to third-party file sharing sites or pastebin websites

Infrastructure Re-use

Securely obtaining infrastructure is both hard and expensive. For most attackers that are financially motivated, if they can re-use elements of their infrastructure, they can increase their profits. Even APT groups who have unlimited time and resources make mistakes implementing appropriate code segmentation between different stages of computer network exploitation. For defenders, finding these overlaps is a key element not only for attribution, but for threat prevention.

Examples include:

  • Re-using certificates across attacks
  • Repeating specific language or other stylometric indicators between persona accounts and true-name accounts
  • Deploying the same content across different spearphish attacks or disinformation websites
  • Re-using imagery across various attacks or disinformation campaigns
  • Recycling usernames and email addresses to register malicious domains
  • Recycling usernames and email addresses to subscribe to third-party file servers or virtual private servers


Behind every attack is a human, and many threat actors have big egos. In addition to monetizing their operations through ransomware, selling stolen data, or disseminating disinformation, some actors like the thrill of a victory. But, they make mistakes that show their hand. In these instances when ego has taken over, attackers feel like they have already won and therefore can be caught when their guard is down.

Examples include:

  • Posting online to promote themselves and their attacks using photographs that include PII or identifiable geographic landmarks in the background
  • Engaging directly with a victim, getting drawn into a boastful “blackhat” or “greyhat” conversation, and revealing specific TTPs to “prove” they conducted the attack
  • Interacting with peers in online forums to show off their skills, giving away TTPs in the process
  • Failing to use the same security protocols to talk about their attacks online as they did when they actually carried out the attacks

Threat actors are concerned about return on investment (ROI) just like any ordinary business. They need a system of repeatability, division of labor, and scale that allows them to maximize margins. With these processes, attackers make mistakes that allow enterprises to understand how to defend better. Threat intelligence and incident response teams should have a flexible “outside the firewall” investigative capability. Such capabilities can scale with a business’ operational tempo and are critical to providing stakeholders with timely and relevant answers to their questions.

Just as important is the ability to properly triage and manage expectations for the analysis to take place. Leveraging CTI support for incident response and insider threat, rapid assessments for acquisitions, fraud investigations, monitoring and responding to geopolitical events, and addressing real-time threats to personnel and facilities are all common use cases for attribution and the ability to find mistakes with threat actors.

Related: How to Improve Red Team Effectiveness using Obfuscation

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...