#1280239: Unmask cybercriminals through identity attribution

Description: Organized crime has grown more complex since the turn of the century. Coinciding with the rise of the digital world, cybercriminals have leveraged the proliferation of technology to broaden their reach through a more sophisticated, network-structured model, effectively globalizing their operations in cyberspace and allowing them to devastate companies and consumers alike.

The faster you act, the sooner you can disrupt the adversary and prevent future attacks, which translates directly into financial savings and better identity protection. Taking action, however, first requires knowing who the bad actor is; in other words, attributing the attack and uncovering the identities of the cyber adversaries behind it.

In the past, organized crime groups used a “boots on the ground” approach to attack, coordinated through traditional hierarchical structures and on-location activity. More recently, that approach has given way to smaller, nimbler, more loosely structured crime rings that use advanced technology to widen their capabilities without ever setting foot in the affected country.

Cybercriminals can break into corporate databases and steal an abundance of sensitive information from anywhere in the world. Taking out the “mob boss” to cripple a group's infrastructure and operations is a dated strategy; a modern approach to crime fighting must mirror the technological and organizational sophistication of the cybercriminals it faces, and, as a result, security analysts are starting to shift their views on identity attribution.

Back in 2007, I was deployed to Iraq as a U.S. Air Force intelligence analyst, assigned to the Joint Special Operations Command (JSOC) Task Force with the objective of disrupting terrorist activities by targeting and capturing Al-Qaeda Senior Leadership (AQSL). We were in constant pursuit of the most dangerous human beings, adversaries who endangered the very fabric of our democracy, seeking to discover and uncover the identities of enemy forces’ leadership, weapons smugglers, and financiers. To achieve the Task Force’s objectives, we used a myriad of sophisticated resources, including signals intelligence (SIGINT), human intelligence (HUMINT), and state-of-the-art drones.

The Task Force was successful in slowing down insurgent forces, due in large part to accurate intelligence and positive identification (PID) of adversaries. Under our governing rules of engagement, PID means that a hostile has been reasonably identified as a member of the target group or as a confirmed imminent threat to our team. Drones, sky cameras, and many eyes and ears on the ground all worked together toward finding and finishing positively identified targets.

Adding a deeper layer of complexity to our mission was the need to confirm that a “precision strike” from a drone missile had actually hit the intended mark. Occasionally, militant groups would falsely announce the death of their leaders or senior operatives in an attempt to spread misinformation and throw us off track. Verifying a successful, targeted strike required on-the-ground confirmation by U.S. personnel, generally through physical evidence or aerial photographs. SIGINT and social media monitoring also aided in confirmation efforts.

The same thinking can be applied to unmasking cybercriminals. While intelligence units at commercial organizations may not have access to the same sophisticated resources that were at the Task Force’s disposal, a growing number of private intel teams are now slowly transitioning to a more tactical approach by making intelligence more identity-driven. Although threat actors have become increasingly adept at obfuscating their identities and attack vectors, identity intelligence and attribution analysis experts are at the forefront of developing effective countermeasures and proactive defenses.

Uncertainty in attribution and plausible deniability have historically weighed in cybercriminals’ favor, but bad actors are people too, and their personal histories present opportunities for intelligence specialists. Many cybercriminals leave their own historical breadcrumb trails, through data breaches or leaks, across the surface, social, deep, and dark web, ultimately leading security forces to their identities.

While this data is transient in underground communities, a few organizations have collected breached and leaked information from open sources to fuel cybercriminal investigations. New capabilities and tools leverage breached data, open source intelligence (OSINT), proprietary information, and other data sources, making identity attribution not only possible, but reliable and verifiable in a timely, efficient, and effective manner.
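As an added illustration of the breadcrumb-following described above (example code written for this page, not the author's or any vendor's tool), the Python below walks from a criminal handle across a handful of constructed leak records, linking rows that share a username, an e-mail address or a password hash. Every dataset name, handle, address and password in it is invented. It also handles the caveat a practitioner would want: a value shared by too many records, or a hash of a well-known password, is excluded as a pivot key, because otherwise “123456” would link strangers into one “identity”.

```python
"""Identity pivoting across leaked datasets.

Added example for this article, not code from the author. The records, source
names, handles, e-mails and passwords below are constructed for illustration.
"""
import hashlib
from collections import defaultdict, deque


def h(pw):
    """Unsalted MD5, as commonly found in old forum dumps (constructed data)."""
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed leak records: one dict per row, keyed by attribute name.
RECORDS = [
    {"source": "forum_dump_2017", "username": "darkstar99",
     "email": "ds99@example.net", "pw_hash": h("Hunter2!x")},
    {"source": "shop_breach_2018", "email": "ds99@example.net",
     "name": "J. Doe", "pw_hash": h("123456")},
    {"source": "misc_breach_2016", "username": "jdoe_real",
     "email": "john.doe@example.org", "name": "John Doe",
     "pw_hash": h("Hunter2!x")},
    {"source": "shop_breach_2018", "email": "unrelated@example.com",
     "name": "A. Nother", "pw_hash": h("123456")},
]

# Attributes that may link two records to the same person.
PIVOT_FIELDS = ("username", "email", "pw_hash")
# Passwords so common that sharing them proves nothing (short constructed list).
COMMON_HASHES = {h(p) for p in ("123456", "password", "qwerty", "12345678")}
# A value carried by more records than this is treated as non-discriminating.
MAX_KEY_FREQ = 5


def build_index(records):
    """Map (field, value) -> indices of the records carrying that value."""
    index = defaultdict(list)
    for i, rec in enumerate(records):
        for field in PIVOT_FIELDS:
            if field in rec:
                index[(field, rec[field])].append(i)
    return index


def is_weak_key(key, index, ignore_common):
    """A key is weak if it is a common password or is shared too widely."""
    field, value = key
    if ignore_common and field == "pw_hash" and value in COMMON_HASHES:
        return True
    return len(index[key]) > MAX_KEY_FREQ


def pivot(seed_field, seed_value, records=RECORDS, ignore_common=True):
    """Breadth-first walk from a seed identifier over shared attributes.

    Returns (identifiers, evidence): identifiers maps field -> set of values
    gathered from every linked record (including non-pivot fields such as
    'name'); evidence lists (source, field, value) for each link followed.
    """
    index = build_index(records)
    seen_records = set()
    seen_keys = {(seed_field, seed_value)}
    queue = deque([(seed_field, seed_value)])
    identifiers = defaultdict(set)
    evidence = []

    while queue:
        key = queue.popleft()
        for i in index.get(key, []):
            if i in seen_records:
                continue
            seen_records.add(i)
            rec = records[i]
            evidence.append((rec["source"], key[0], key[1]))
            for field, value in rec.items():
                if field == "source":
                    continue
                identifiers[field].add(value)
                nxt = (field, value)
                if (field in PIVOT_FIELDS and nxt not in seen_keys
                        and not is_weak_key(nxt, index, ignore_common)):
                    seen_keys.add(nxt)
                    queue.append(nxt)
    return dict(identifiers), evidence


if __name__ == "__main__":
    ids, ev = pivot("username", "darkstar99")
    for field, values in sorted(ids.items()):
        print(f"{field:9} {sorted(values)}")
    for source, field, value in ev:
        print(f"linked via {field}={value[:12]} in {source}")
```

Running it from the handle `darkstar99` reaches two real-name candidates (“J. Doe” and “John Doe”) through the shared e-mail and the reused `Hunter2!x` hash, while the unrelated “A. Nother” row stays out because its only link is the hash of “123456”. Pass `ignore_common=False` and that row is pulled in, which is exactly the false attribution the filter exists to prevent; the `evidence` list is what an analyst would keep to show how each link was made.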

From my personal experience working in a security operations center (SOC), many, if not most, security operators and traditional threat intelligence analysts are taught to fix what is five feet in front of them, in a pre-defined cycle of detect, respond, remediate, and repeat. On the one hand, SOCs have been useful because they consolidated and correlated security alerts from so many tools into a single system. Yet the constant influx of new tools and threat feeds tends to produce an unreasonable flood of security alerts every day.

Arduous tasks such as blocking indicators of compromise, flagging suspicious beaconing, and removing phishing emails from employees’ inboxes are necessary, but they are strictly reactive and time consuming. Mitigating one security incident can take hours, if not days, and the cycle of identifying activity that could indicate a security risk and making sure it is correctly handled (analyzed, defended, investigated, and reported) rarely ends with the identity of the attackers being determined.

Yet, today, after a breach makes headlines in the news, the first question on everyone’s mind is: “who did it?” By taking advantage of breached data, acting quickly on available intelligence, performing active defense, attributing the real identity of adversaries, and understanding their attack methods, cybercrime intelligence teams can now effectively neutralize and disrupt offensive cyber operations (OCO) and the infrastructure behind them.

The Capital One breach disclosed in late July 2019 was compelling not only because of how massive it was (over 100 million U.S. and Canadian customer accounts were accessed), but also because the bad actor, Paige Thompson, was so careless about disguising her identity after the incident.

More often than not, as previously stated, cybercriminals will attempt to obfuscate their identities. Thompson, however, drew attention to herself by boasting about the crime on social media, which I believe is not listed under “Best Practices” in the cybercriminal rulebook. Thompson made no real effort to disguise her identity, to the bemusement of the security community, and was subsequently identified and arrested with the help of the FBI. Most cybercriminals, however, do not present themselves on a silver platter the way Thompson did, which is why understanding the enemy and their tools is critical.

By uncovering the identity of cybercriminals attacking your organization, you can take a variety of actions identified in the following five-step approach to disrupt the adversary and prevent future attacks:

1. Make the data obsolete: Resetting the passwords of employee and customer accounts, to prevent takeovers, will reduce the value of exfiltrated data on the black market and make data buyers and traders lose confidence in the seller. The Dark Web economy relies to a surprising degree on trust.

2. Move quickly: The more swiftly you can take action on the discovered compromised data, the better. This will lead to less disruption and financial losses for your organization. Every minute counts when your organization’s data is exposed. Time to actionable intelligence is key.

3. Report it: Quickly file suspicious activity reports (SARs) and inform law enforcement. Call the DHS’s National Cybersecurity and Communications Integration Center (NCCIC), or an established contact from the local FBI cyber unit. If you haven’t connected with one already, you should. If you have a high degree of confidence in your attribution investigation, law enforcement can help indict the person and disrupt their campaign, and possibly unveil and prosecute their entire fraud ring.

4. Identify threat vectors: Analyze when and where. At what point was the data compromised? Was it due to a risky merchant? Was it a poorly administered or misconfigured database in the cloud? Was it a weak link in your supply chain? Close those gaps, and be sure to vet your partners’ and vendors’ security postures, as they may represent avenues of attack as well.
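As an added example of steps 1 and 2 in code (written for this page, not taken from the article), the Python below takes a leaked credential set, matches it against an organization's own user store, confirms password reuse by verifying the leaked plaintext against the stored salted PBKDF2 hash, and then forces a reset and revokes live sessions for every exposed account, with confirmed reuse triaged first. The user store, the sessions, the leaked rows, the KDF parameters and the triage order are all constructed assumptions of this example, not anything the article prescribes.

```python
"""Turn a leaked credential set into reset and session-revocation actions.

Added example, not code from the article. The user store, sessions and the
leaked rows are constructed; the triage order is an assumption of the example.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed setting; a real store has its own KDF


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, standing in for the store's real KDF."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def make_user(email, password, sessions):
    salt, digest = hash_password(password)
    return {"email": email, "salt": salt, "hash": digest,
            "sessions": set(sessions), "must_reset": False}


def constructed_user_store():
    """Three constructed accounts; alice reuses the password that leaked."""
    return {u["email"]: u for u in (
        make_user("alice@corp.example", "Winter2019!", {"sess-a1", "sess-a2"}),
        make_user("bob@corp.example", "correct horse battery", {"sess-b1"}),
        make_user("carol@corp.example", "Tr0ub4dor&3", {"sess-c1"}),
    )}


# Constructed leaked rows, as they would appear in a plaintext credential dump.
LEAKED_ROWS = [
    ("alice@corp.example", "Winter2019!"),        # same password: confirmed reuse
    ("bob@corp.example", "letmein"),              # our user, different password
    ("nobody@elsewhere.example", "Winter2019!"),  # not our user
]


def triage(leaked_rows, users):
    """Apply step 1 to every exposed account and return the actions taken.

    Every leaked e-mail that belongs to one of our users is forced to reset
    and has its sessions revoked: the credential is exposed either way.
    Accounts whose leaked password verifies against the stored hash are
    reported first, since those can be taken over right now.
    """
    actions = {}
    for email, leaked_password in leaked_rows:
        user = users.get(email)
        if user is None:
            continue                      # not one of our accounts
        reused = verify_password(leaked_password, user["salt"], user["hash"])
        user["must_reset"] = True         # make the leaked credential obsolete
        user["sessions"].clear()          # end any takeover already in progress
        entry = actions.setdefault(email, {
            "email": email, "reason": "exposed_email",
            "actions": ["force_reset", "revoke_sessions"]})
        if reused:
            entry["reason"] = "password_reuse"
    # Confirmed reuse first: that is where the next login attempt will succeed.
    return sorted(actions.values(), key=lambda a: a["reason"] != "password_reuse")


if __name__ == "__main__":
    store = constructed_user_store()
    for action in triage(LEAKED_ROWS, store):
        print(action["email"], action["reason"], ", ".join(action["actions"]))
```

Two design points worth noting: the plaintext from the dump is verified against the stored hash rather than compared as a string, so the check works for any salted KDF the store uses; and the reset is applied on e-mail match alone, because waiting for proof of reuse before acting is exactly the delay step 2 warns against.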

Read the rest at the link below.
More info: https://www.helpnetsecurity.com/2019/10/08/unmask-cybercriminals/

Date added: Oct. 9, 2019, 12:06 p.m.
Source: Help Net Security
  • Latest Global Security News
  • Security Management/Strategic Security/ROI/ROSI