What new cyber-threats are out there? What do we need to be doing to be aware of them? And how do we best protect ourselves from them? These are the questions that many, if not most, modern SMEs and enterprises are asking themselves when it comes to devising the best digital security strategy for their business, writes Chris O’Brien, director, intelligence operations at cyber analysis product company EclecticIQ.
With the General Data Protection Regulation (GDPR) coming into force later this spring, the business cost of cyber-attacks and data breaches is only going to rise. Combine that with a threat landscape that keeps evolving, and attackers who use ever more sophisticated techniques to reach protected data, and businesses need more intelligently guided help to counter cyber-attacks than ever. So what to do? Almost every day brings a headline story about the latest cyber-attack or data breach, from interventions by suspected Russian hacking groups in foreign affairs to the Olympic Destroyer malware that targeted the recent Pyeongchang Winter Olympic Games amid cries of ‘false flag operations’. Cyber-attacks can and do influence major global events, not only specific individuals or organisations. As attacks become more advanced, it becomes harder both to identify the culprits and for organisations to take steps to protect themselves.
How best to identify hackers and attribute blame
Attributing direct blame to a specific actor or group of hackers is becoming increasingly hard, as shrewd use of VPNs, proxies and other anonymising services lets many malicious actors mask or hide their online identities. Online anonymity is a double-edged sword: it protects millions of legitimate web users every day, yet it is used just as effectively by a tiny minority of malicious users. Much of our effort, as analysts, goes into identifying those threat actors by spotting some uniquely identifiable component of their online activity that leads us to their true identity.
As this process becomes more complex, we have to record highly detailed and structured intelligence in a threat intelligence platform to find the attributes that might provide clues to a hacker’s identity. These can be anything from patterns and repetitions in how they write their malware (reused code, strings, build artefacts), the commands they favour once inside a network, or time-zone analysis of when they compile tools and operate – anything unique to a specific hacker’s habits and behaviour.
Attribution is never 100 per cent accurate, and accepting that is a key part of the challenge: any one of these signals can be faked, so each is a piece of evidence with a confidence level, not a verdict. Any company that wants to identify the threat actors targeting it has to keep challenging its own conclusions after every attack, capturing a solid evidential chain in a structured threat intelligence platform so that each link can be revisited when new evidence arrives.
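The time-zone analysis mentioned above can be made concrete. The following is an added example (it is not code from the article or from EclecticIQ): it takes UTC timestamps of attacker activity, such as malware compile times or command-and-control session starts, and asks which whole-hour UTC offset places the most events inside an assumed 09:00–17:59 working day. The timestamps are constructed for the example, the working-day window is an assumption, and the result is a hypothesis about where the operator sits, not an identification: compile timestamps and activity times can be forged, which is exactly why the evidence behind each attribution judgement needs to be recorded with its confidence.

```python
from datetime import datetime

# Constructed sample data (made up for this example, not taken from any real
# campaign): UTC timestamps of attacker activity such as malware compile times
# or C2 session starts.
SAMPLE_EVENTS_UTC = [
    "2018-02-05T01:12:00", "2018-02-05T02:40:00", "2018-02-05T03:05:00",
    "2018-02-06T04:31:00", "2018-02-06T05:57:00", "2018-02-06T06:20:00",
    "2018-02-07T07:44:00", "2018-02-07T08:15:00", "2018-02-07T09:50:00",
    "2018-02-08T14:03:00",  # outlier: overtime, a different operator, or a forged stamp
    "2018-02-09T22:30:00",  # outlier
]

WORK_START, WORK_END = 9, 18        # assumed local working day: 09:00-17:59
CANDIDATE_OFFSETS = range(-12, 15)  # whole-hour UTC offsets in use worldwide
TIE_MARGIN = 0.05                   # offsets scoring within this of the best are ties


def local_hour(ts_utc: str, offset_hours: int) -> int:
    """Hour of day (0-23) after shifting a UTC ISO-8601 timestamp by a UTC offset."""
    hour = datetime.fromisoformat(ts_utc).hour
    return (hour + offset_hours) % 24


def work_hour_fraction(events, offset_hours: int) -> float:
    """Fraction of events that land inside the assumed working day at this offset."""
    hits = sum(1 for ts in events
               if WORK_START <= local_hour(ts, offset_hours) < WORK_END)
    return hits / len(events)


def best_fit_offset(events):
    """Return (offset, fraction, runners_up).

    offset is the UTC offset whose working-day window covers the most events;
    fraction is that coverage; runners_up lists other offsets scoring within
    TIE_MARGIN of it. A non-empty runners_up means the data do not single out
    one time zone and the hypothesis should be reported as low confidence.
    """
    scored = {off: work_hour_fraction(events, off) for off in CANDIDATE_OFFSETS}
    # Prefer the higher score; on an exact tie prefer the offset closer to UTC.
    best = max(scored, key=lambda off: (scored[off], -abs(off)))
    runners_up = sorted(off for off, frac in scored.items()
                        if off != best and scored[best] - frac < TIE_MARGIN)
    return best, scored[best], runners_up


if __name__ == "__main__":
    off, frac, ties = best_fit_offset(SAMPLE_EVENTS_UTC)
    confidence = "low" if ties else "moderate"
    print(f"best-fit working day: UTC{off:+d} ({frac:.0%} of events), "
          f"confidence {confidence}, ties {ties}")
```

On the constructed sample this reports UTC+8 with nine of eleven events inside the window and no ties. A real analyst would treat that as one entry in the evidential chain, weighted by how many events it rests on and by whether the timestamps could have been controlled by the adversary.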
Look for patterns not culprits
It’s natural for business owners to look for somebody to blame after an attempt to attack and steal their company’s or their customers’ private data. But the pragmatic business reality is that, once an attack has happened, it is usually too little and too late to spend time, money and effort chasing the culprit. What is of more value is to understand an actor’s intent and modus operandi. Instead of focusing too heavily on attribution – more often than not closing the stable door after the horse has bolted – there needs to be much more focus on tactics, techniques and procedures (TTPs).
So it’s more about ‘how’ this specific attack happened than ‘who’ is responsible and how that person or group can be brought to justice. Shifting from identifying the cyber-criminal to identifying the TTPs that allowed the attack to succeed puts an organisation in a far better position to detect and prevent similar attacks from happening again.
Or, to put it differently: if you focus all of your security effort on pursuing one cyber-criminal after a successful attack or data breach, you leave yourself wide open to a thousand other hackers who use the same tactics. Indicators tied to one actor – an IP address, a domain, a file hash – are trivially swapped out; the technique behind them changes far less often, which makes TTPs a far more reliable way to track and stop threats, although that doesn’t mean chasing those responsible should be discounted entirely. The Diamond Model, which links an adversary to the infrastructure and capabilities they use against a victim, shows the value of a holistic approach to data collection. The practical, common-sense rule it suggests is to seek attribution and pursue the cyber-criminal responsible only if doing so improves your understanding of the motivation behind the attack and your ability to compare and contrast that motivation with the tools used.
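To show why a technique outlives the indicators attached to it, here is an added example (not code from the article or from EclecticIQ) that runs two detections over constructed endpoint log lines from two separate intrusions. The log format, the hostnames and the IP addresses are invented for the example. The first detection matches infrastructure learned from the first intrusion only; the second matches the behaviour, an encoded PowerShell launch and a scheduled task created to run as SYSTEM, regardless of who is behind it.

```python
import re

# Constructed sample log lines (made up for this example, not real telemetry).
# Two intrusions on different hosts, from different infrastructure, share the
# same two techniques; a benign line is included as a control.
SAMPLE_LOGS = [
    'host=ws01 src=203.0.113.10 cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"',
    'host=ws01 src=203.0.113.10 cmd="schtasks /create /tn Updater /tr C:\\Temp\\a.exe /ru SYSTEM"',
    'host=ws07 src=198.51.100.77 cmd="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4A"',
    'host=ws07 src=198.51.100.77 cmd="schtasks /create /tn Sync /tr C:\\Users\\Public\\s.exe /ru SYSTEM"',
    'host=ws03 src=192.0.2.5 cmd="notepad.exe C:\\Users\\alice\\notes.txt"',
]

# Indicator-based detection: only the infrastructure seen in the first intrusion.
KNOWN_BAD_IPS = {"203.0.113.10"}

# Behaviour-based detection: the technique, independent of the actor using it.
TTP_RULES = {
    # PowerShell started with a Base64-encoded command (-enc / -EncodedCommand)
    "encoded-powershell": re.compile(
        r"powershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand)\b", re.IGNORECASE),
    # Scheduled task created to run with SYSTEM privileges
    "schtasks-as-system": re.compile(
        r"schtasks\s+/create\b.*\s/ru\s+system\b", re.IGNORECASE),
}

LINE_RE = re.compile(r'host=(\S+)\s+src=(\S+)\s+cmd="(.*)"$')


def parse(line: str) -> dict:
    """Split one key=value log line into host, source address and command line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {"host": m.group(1), "src": m.group(2), "cmd": m.group(3)}


def ioc_hits(lines):
    """Hosts whose activity came from a known-bad address. Misses the second intrusion."""
    return sorted({rec["host"] for rec in map(parse, lines) if rec["src"] in KNOWN_BAD_IPS})


def ttp_hits(lines):
    """(host, rule name) for every command line that exhibits a tracked technique."""
    hits = []
    for rec in map(parse, lines):
        for name, rule in TTP_RULES.items():
            if rule.search(rec["cmd"]):
                hits.append((rec["host"], name))
    return hits


def hosts_from_hits(hits):
    """Distinct hosts flagged by the TTP rules, in sorted order."""
    return sorted({host for host, _ in hits})


if __name__ == "__main__":
    print("IOC detection flags:", ioc_hits(SAMPLE_LOGS))
    print("TTP detection flags:", hosts_from_hits(ttp_hits(SAMPLE_LOGS)))
    for host, rule in ttp_hits(SAMPLE_LOGS):
        print(f"  {host}: {rule}")
```

The indicator rule flags only ws01; the behaviour rules flag both ws01 and ws07 and leave the benign notepad line alone. The same two rules would also fire on a third actor who never shared infrastructure with either, which is the point of tracking TTPs: one detection covers every actor who uses the technique, without first having to know who they are.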
If it doesn’t, then don’t waste valuable time and effort getting caught up in finger-pointing. Instead, channel that energy into making sure the basics of network defence are covered: keep IT systems up to date, deploy the necessary software patches promptly and adhere to your digital security standards. Doing so is the most effective protection against the most common TTPs, and it lets businesses use their resources more effectively.