Many CISOs and security professionals respond to threats with the same phrase: “I don’t care who is attacking me, I just want it to stop.” They deploy an array of security tools to block attacks more effectively and hope the malicious actors will go elsewhere. Does this actually work? A few security teams have detection and intelligence programs mature enough to place a serialized code at the bottom of each SOC and intelligence report, so that the reports ultimately accumulate into a dollar figure for losses prevented. But very few enterprises can do this effectively. Threat actors really only stop when their infrastructure is disrupted and their flow of funds disappears, and that is normally achieved only through the activities of U.S. law enforcement and intelligence agencies and major commercial data hosting providers.
The national security community requires context that only the private sector can provide. Full context can range from the IP addresses of victims and attackers, dates and times, and registration emails used for VPS accounts, to phishing emails, victim emails, website hosting information, phone numbers associated with infrastructure, profile names, account names, other emails belonging to the attackers, and forum stylometric attributes and content, for starters. Historically, service providers have been the source of data for government organizations, but victim organizations often hold observations that can also greatly assist in building a complete picture of an attacker. As major takedowns have proven, adversaries are not infallible. They make mistakes, and correlating data across service providers, victims, and the cyber industry is key to ensuring they pay for those mistakes.
From a service provider perspective, adversary mistakes often consist of using a provider located in the same country as their targets, or in a close ally of it. This error is becoming less frequent as attackers move their infrastructure to “bullet-proof” hosting. In many cases, the security operations and incident response teams of victims might not even be aware of the mistakes they have uncovered during the course of their investigations. The errors come in many flavors, including:
Regardless of their sophistication, attackers will attempt to hide their true point of presence on the internet. Doing so reliably means repeating the process dozens of times, and each repetition during preparation, execution, and profit-taking is another opportunity to make a mistake.
- Forgetting to enable private registration when procuring domains to support an attack
- Failing to properly encrypt their traffic
- Forgetting to properly enable a VPN or proxy prior to connecting to their command and control infrastructure
- Failing to remove PII from Exif (exchangeable image file format) metadata, the standard that defines the image, sound, and ancillary tags written by digital cameras, scanners, and other systems that handle camera-recorded image and sound files, before posting pictures of their crimes to third-party file-sharing or pastebin sites
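The Exif point is worth seeing at the byte level, because the same routine serves two defensive jobs: an analyst triaging images recovered during an investigation can check which PII-bearing fields are present, and an organization can strip those fields before any image of its own is published. The following is an added example, not code from the article; it is a minimal Exif parser in pure Python that walks the JPEG segments, reads IFD0 and the GPS sub-IFD from the APP1 block, flags the Artist, Copyright and GPSInfo fields, and rebuilds the file without the Exif segment. The sample JPEG, the `CamCo` camera name and the `jane.doe@example.com` artist string are all constructed for the demonstration.

```python
import struct

# Tag numbers from the Exif/TIFF specification; names are for readable output only.
TAG_NAMES = {0x010F: "Make", 0x013B: "Artist", 0x8298: "Copyright", 0x8825: "GPSInfo"}
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
                 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}             # bytes per element per TIFF type
PII_TAGS = ("Artist", "Copyright", "GPSInfo")           # fields that routinely carry PII


def _decode(endian, typ, count, data):
    if typ == 2:                                        # ASCII, NUL-terminated
        return data.rstrip(b"\0").decode("ascii", "replace")
    if typ in (3, 4):                                   # SHORT / LONG
        vals = struct.unpack(endian + "%d%s" % (count, "H" if typ == 3 else "I"), data)
        return vals[0] if count == 1 else vals
    return data                                         # rationals and blobs: leave raw


def _parse_ifd(tiff, endian, off, names=TAG_NAMES):
    """Parse one image file directory at byte offset `off` of the TIFF block."""
    (n,) = struct.unpack_from(endian + "H", tiff, off)
    out = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, base)
        raw = tiff[base + 8:base + 12]
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:                                   # value stored inline
            data = raw[:size]
        else:                                           # value field holds an offset
            (ptr,) = struct.unpack(endian + "I", raw)
            data = tiff[ptr:ptr + size]
        out[names.get(tag, "0x%04x" % tag)] = _decode(endian, typ, count, data)
    return out


def _segments(jpeg):
    """(marker, start, end) for each length-bearing segment, stopping at SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        segs.append((jpeg[pos + 1], pos, pos + 2 + length))
        pos += 2 + length
    return segs, pos


def _is_exif_app1(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"


def extract_exif(jpeg):
    """Return IFD0 tags (with the GPS sub-IFD expanded), or {} if there is no Exif."""
    for marker, start, end in _segments(jpeg)[0]:
        if _is_exif_app1(jpeg, marker, start):
            tiff = jpeg[start + 10:end]
            endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
            magic, ifd0_off = struct.unpack_from(endian + "HI", tiff, 2)
            if magic != 42:
                raise ValueError("bad TIFF header in Exif segment")
            exif = _parse_ifd(tiff, endian, ifd0_off)
            if "GPSInfo" in exif:                       # value is a pointer to the GPS IFD
                exif["GPSInfo"] = _parse_ifd(tiff, endian, exif["GPSInfo"], GPS_TAG_NAMES)
            return exif
    return {}


def find_pii(exif):
    """Names of PII-bearing fields present in the parsed metadata."""
    return [name for name in PII_TAGS if name in exif]


def strip_exif(jpeg):
    """Rebuild the file without its Exif APP1 segment(s); image data is untouched."""
    segs, tail = _segments(jpeg)
    out = jpeg[:2]
    for marker, start, end in segs:
        if not _is_exif_app1(jpeg, marker, start):
            out += jpeg[start:end]
    return out + jpeg[tail:]


def build_sample_jpeg():
    """Constructed sample: a JPEG whose only content is an Exif block with Make, an
    Artist string and a GPS sub-IFD. Every value is made up; there is no real image."""
    make, artist = b"CamCo\0", b"jane.doe@example.com\0"
    header = b"MM\x00\x2a" + struct.pack(">I", 8)      # big-endian, IFD0 at offset 8
    make_off = 8 + (2 + 3 * 12 + 4)                     # data area follows IFD0
    artist_off = make_off + len(make)
    gps_off = artist_off + len(artist) + 1              # one pad byte keeps the IFD aligned
    ifd0 = (struct.pack(">H", 3)
            + struct.pack(">HHII", 0x010F, 2, len(make), make_off)
            + struct.pack(">HHII", 0x013B, 2, len(artist), artist_off)
            + struct.pack(">HHII", 0x8825, 4, 1, gps_off)
            + struct.pack(">I", 0))
    gps_ifd = struct.pack(">H", 1) + struct.pack(">HHI", 0x0001, 2, 2) + b"N\0\0\0" + b"\0\0\0\0"
    body = b"Exif\0\0" + header + ifd0 + make + artist + b"\0" + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    com = b"\xff\xfe" + struct.pack(">H", 20) + b"constructed sample"   # stands in for image data
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("PII fields:", find_pii(extract_exif(sample)))
    print("after strip:", extract_exif(strip_exif(sample)))
```

Running the module parses the constructed sample, reports `Artist` and `GPSInfo` as PII-bearing fields, and shows that the stripped copy carries no Exif at all. The parser deliberately stops at the start-of-scan marker, so the entropy-coded image data is copied through unchanged; only the APP1 segment that begins with `Exif\0\0` is dropped.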
Securely obtaining infrastructure is both hard and expensive. For most financially motivated attackers, re-using elements of their infrastructure means higher profits. Even APT groups that have unlimited time and resources make mistakes implementing appropriate code segmentation between the different stages of computer network exploitation. For defenders, finding these overlaps is a key element not only of attribution, but of threat prevention.
- Re-using certificates across attacks
- Repeating specific language or other stylometric indicators between persona accounts and true-name accounts
- Deploying the same content across different spearphish attacks or disinformation websites
- Re-using imagery across various attacks or disinformation campaigns
- Recycling usernames and email addresses to register malicious domains
- Recycling usernames and email addresses to subscribe to third-party file servers or virtual private servers
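The overlaps in this list are only useful to a defender if incident records are indexed so that a reused certificate, registrant address or persona handle in a new case surfaces the earlier cases it links to. The following is an added example, not code from the article: it builds an inverted index over the observables of a handful of constructed incident records, lists every observable seen in more than one incident (the pivots an analyst would follow), and clusters the incidents that those pivots connect. The incident ids, email addresses, certificate identifiers and handles are all placeholders constructed for the demonstration, not real indicators.

```python
from collections import defaultdict

# Constructed incident records; every value is a placeholder, not a real indicator.
INCIDENTS = [
    {"id": "INC-001",
     "registrant_emails": ["Ops.Mailer@example.test"],
     "cert_sha256": ["cert-constructed-0001"],
     "handles": ["nightowl_77"]},
    {"id": "INC-002",
     "registrant_emails": ["ops.mailer@example.test"],   # same address as INC-001, different case
     "cert_sha256": ["cert-constructed-0002"],
     "handles": []},
    {"id": "INC-003",
     "registrant_emails": ["other.person@example.test"],
     "cert_sha256": ["cert-constructed-0002"],            # certificate reused from INC-002
     "handles": ["NightOwl_77"]},                         # persona handle reused from INC-001
    {"id": "INC-004",
     "registrant_emails": ["unrelated@example.test"],
     "cert_sha256": ["cert-constructed-0004"],
     "handles": ["lonewolf"]},
]

OBSERVABLE_FIELDS = ("registrant_emails", "cert_sha256", "handles")


def normalize(value):
    """Canonical form so trivially different spellings of one observable collide on purpose."""
    return value.strip().lower()


def index_observables(incidents):
    """Inverted index: (field, canonical value) -> set of incident ids containing it."""
    index = defaultdict(set)
    for inc in incidents:
        for field in OBSERVABLE_FIELDS:
            for value in inc.get(field, []):
                index[(field, normalize(value))].add(inc["id"])
    return index


def shared_observables(incidents):
    """Observables present in two or more incidents, each with the sorted ids it links."""
    return {obs: sorted(ids)
            for obs, ids in index_observables(incidents).items() if len(ids) > 1}


def cluster_incidents(incidents):
    """Union-find over shared observables; returns clusters as sorted lists of incident ids."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]              # path halving
            x = parent[x]
        return x

    for ids in shared_observables(incidents).values():
        root = find(ids[0])
        for other in ids[1:]:
            parent[find(other)] = root
    groups = defaultdict(list)
    for inc_id in parent:
        groups[find(inc_id)].append(inc_id)
    return sorted(sorted(members) for members in groups.values())


if __name__ == "__main__":
    for (field, value), ids in sorted(shared_observables(INCIDENTS).items()):
        print("pivot %-18s %-28s links %s" % (field, value, ", ".join(ids)))
    for cluster in cluster_incidents(INCIDENTS):
        print("cluster:", ", ".join(cluster))
```

With the sample records, the registrant email ties INC-001 to INC-002, the certificate ties INC-002 to INC-003, and the handle ties INC-001 to INC-003, so the three fall into one cluster while INC-004 stays on its own. Normalizing values before indexing is what makes the case-variant email and handle collide; in practice the same step would also canonicalize domain names and strip whitespace from certificate fingerprints.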
Behind every attack is a human, and many threat actors have big egos. In addition to monetizing their operations through ransomware, selling stolen data, or disseminating disinformation, some actors like the thrill of a victory. But in chasing it they make mistakes that show their hand. When ego takes over, attackers feel they have already won, and that is precisely when their guard is down and they can be caught.
- Posting online to promote themselves and their attacks using photographs that include PII or identifiable geographic landmarks in the background
- Engaging directly with a victim, getting drawn into a boastful “blackhat” or “greyhat” conversation, and revealing specific TTPs to “prove” they conducted the attack
- Interacting with peers in online forums to show off their skills, giving away TTPs in the process
- Failing to use the same security protocols to talk about their attacks online as they did when they actually carried out the attacks
Threat actors are concerned about return on investment (ROI) just like any ordinary business. They need a system of repeatability, division of labor, and scale that allows them to maximize margins. Within these processes, attackers make mistakes that help enterprises understand how to defend better. Threat intelligence and incident response teams should have a flexible “outside the firewall” investigative capability. Such a capability can scale with a business’s operational tempo and is critical to providing stakeholders with timely and relevant answers to their questions.
Just as important is the ability to triage requests properly and manage expectations for the analysis that will take place. Leveraging CTI support for incident response and insider threat cases, rapid assessments for acquisitions, fraud investigations, monitoring and responding to geopolitical events, and addressing real-time threats to personnel and facilities are all common use cases for attribution and for the ability to find threat actors’ mistakes.