#1250772: Threat Actor - A Love Story
It’s 5am on a Saturday morning, you’re soundly sleeping after a hectic week as CISO of a large organization. Suddenly, the phone rings and wakes you up. The voice on the phone says one of the most dreaded phrases, “You need to get to the office right away—we’ve suffered a breach.” As you drive to the office you run through multiple scenarios in your mind of how this has happened. In at least one of those scenarios, an Advanced Persistent Threat (APT) actor is responsible. You begin to think it must be a sophisticated APT, because your security controls are robust and you’ve taken every precaution. The board will want to know which APT is behind this. You get on the phone with your head of TI (Threat Intelligence) and instruct, “You need to find out who is behind this. Right now it’s the only thing that matters.”
The Love-Hate Relationship
When a cyber incident strikes, we often romanticize the cause of the situation, even while we hate that it’s happening. We can’t help but love the idea that it was some APT (insert number here) or Fancy/Angry (insert animal here), or other famous threat actor with nation-state abilities. But something that we hate even more than being targeted is the realization that our adversaries are not the ones we hear about in the news but rather someone we could have identified by doing our own internal research.
The Importance of Research
In most cases, the actors that target and eventually breach us are not the well-researched APTs that we read about in security vendor reports and blog posts. The amount of research that goes into those publications is truly incredible and is done by some of the most skilled cyber threat analysts. We leverage the work of these exceptional cybersecurity minds to get a view into the general threat landscape, usually by the industry, vertical, or geographic location we find ourselves in. But we need to apply those same techniques when we analyze our own internal detections.
Our controls are constantly gathering signals for us, small pieces of the bigger puzzle we need to understand: historical WHOIS records, SSL certificates, and more. These pieces of evidence are left behind by threat actors who are just as human and error-prone as we are. Every detection by our security controls tells a story, from the noisy internet background activity like perimeter scans and brute-force attempts, all the way down to malware on endpoints beaconing out of our networks. As an intelligence analyst, these are the needles, in a stack of needles, that we use to track our adversaries.
With a full-fledged threat intelligence program, the CISO’s post-breach conversation with the security team might go something like this:
“Incident Response and Forensics team, do we know what happened?”
“We’ve provided all the Indicators of Compromise (IOCs) to the TI team, sir.”
“Which APT is behind this?”
“Well sir, none. The actor behind this breach is a profile we have been tracking for a while. We created a profile for this actor when we first saw a phishing campaign eight months ago. Subsequently this actor targeted us with nine more campaigns and managed to drop keystroke logger malware onto a user’s machine. The bad news is that the actor was successful in breaching us, the good news is, we know exactly who they are.”
Actor profiling and attribution are not always an exact science. Each security team can make this art more of a science by collecting IOCs, those little pieces of the overall puzzle. Cyber threat intelligence programs are critical for gathering and analyzing this evidence to determine who our real adversaries are. By practicing adversary profiling on internal detections we sharpen our skills as analysts, expand our set of known bad actors, and help prevent those frantic 5am phone calls.
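The profiling described above, linking separate detections into one actor profile because they share infrastructure attributes such as a WHOIS registrant or a certificate fingerprint, as an added example (not code from the original post). The detections and all values in them are constructed, and the pivot fields are assumed names for whatever your own controls export.

```python
"""Actor profiling from internal detections: group detections that share
a pivot value (WHOIS registrant email, TLS cert fingerprint, IP) into one
profile. Added example; all detection records below are constructed."""
from collections import defaultdict

# Constructed sample detections (hypothetical values, not real IOCs).
DETECTIONS = [
    {"id": "phish-01", "domain": "hr-portal-login.example",
     "whois_email": "reg1@mail.example", "cert_sha1": "AAA1", "ip": "203.0.113.10"},
    {"id": "phish-02", "domain": "payroll-update.example",
     "whois_email": "reg1@mail.example", "cert_sha1": "BBB2", "ip": "203.0.113.11"},
    {"id": "beacon-03", "domain": "cdn-sync.example",
     "whois_email": "other@mail.example", "cert_sha1": "BBB2", "ip": "198.51.100.5"},
    {"id": "scan-04", "domain": None, "whois_email": None, "cert_sha1": None, "ip": "192.0.2.77"},
]

PIVOT_KEYS = ("whois_email", "cert_sha1", "ip")  # assumed field names


def build_profiles(detections, pivot_keys=PIVOT_KEYS):
    """Union-find over detections: two detections land in the same profile
    when they share any pivot value, transitively (A~B and B~C => one actor).
    Returns profiles sorted by size, each listing its campaigns and pivots."""
    parent = {d["id"]: d["id"] for d in detections}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (key, value) -> id of the first detection carrying it
    for d in detections:
        for k in pivot_keys:
            v = d.get(k)
            if not v:
                continue  # missing attribute: nothing to pivot on
            if (k, v) in first_seen:
                union(first_seen[(k, v)], d["id"])
            else:
                first_seen[(k, v)] = d["id"]

    groups = defaultdict(list)
    for d in detections:
        groups[find(d["id"])].append(d)
    profiles = []
    for members in groups.values():
        pivots = {k: sorted({m[k] for m in members if m.get(k)}) for k in pivot_keys}
        profiles.append({"campaigns": sorted(m["id"] for m in members), "pivots": pivots})
    return sorted(profiles, key=lambda p: (-len(p["campaigns"]), p["campaigns"]))
```

Running this on the constructed data yields one profile spanning both phishing campaigns and the later beacon (linked through the shared registrant, then the shared certificate), and a separate single-event profile for the isolated scan.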
Date added: March 14, 2019, 9:11 p.m.