BreachExchange mailing list archives

Hacker profiling: who is attacking me?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Jul 2015 18:57:02 -0600

http://www.information-age.com/technology/security/123459862/hacker-profiling-who-attacking-me

Sophisticated cyber attacks have evolved rapidly in the last year,
crippling online networks and causing serious financial, operational and
reputational damage on firms, regardless of industry or nationality.

Many executives rank a large-scale attack as the most important risk facing
their firm. The biggest concern generally isn’t the financial cost, but the
reputational impact, especially when it comes to consumer data or sensitive
internal information. An organisation’s reputation is fragile – once
tarnished, it can be difficult to get back.

The pressure on CISOs and their teams is clearly on the rise. Over 95% of
CISOs say it is at least “moderately likely” that their company will face
what they call an “advanced” attack in the next 12 months. Worse, nearly
three-quarters of CISOs think their function won’t deal with it properly.

It should come as no surprise that if the team does not already have a
detailed plan in place – a plan that has been rehearsed by the key players
– the consequences of the breach will be much worse.

Advanced threats are substantially different to traditional threats faced
by CISOs and their teams. They differ because they are harder to detect and
prevent, and are perpetrated by hackers that are more skilful and have more
resources. Examples include social engineering or phishing, hacktivism,
state-sponsored attacks, and information-related organised crime and fraud.

One big problem is that many CISOs only focus on how an attack is conducted
– or in other words, the techniques used and how they can mitigate the
impact as quickly as possible.

They assume that working out who is behind an attack is for IT vendors, law
enforcement, or only the most advanced information security (IS) functions.

This is short-sighted and means teams will miss valuable information that
is not particularly difficult to collect and can help combat many different
types of threat.

Being able to broadly categorise a company’s attackers – e.g. whether they
are an organised crime group, competitor or an unsophisticated hacker – can
make a real difference in helping companies develop more targeted responses
and anticipate future attacks.

And with all the internal and external threat intelligence that IS teams
now collect, hunters (one of the more exciting corporate titles) or other
IS staff who sift through this information can search for indicators
associated with a particular attacker, or group, that can identify new
threats and pre-empt advanced attackers in the future.

In particular, IS teams should work on two processes: attribution
(determining the identity of an individual or group who launches an attack)
and attacker profiling (compiling attacker characteristics, location, and
techniques).

Some CISOs may not feel their advanced threat processes are sophisticated
enough for attribution and profiling, but there are some basic methods that
work well.

Analysing suspicious email headers can provide valuable information about
the source of a message. For instance, the character set attribute can
provide information about the attacker’s keyboard layout, and indicate the
attacker’s location.

Examining the text of an email, embedded fonts and language mistakes can
provide clues about the attacker’s native language or origin. This will
also often be a sign of an unsophisticated attacker or ‘lone hacker’.
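The header analysis described in the two paragraphs above, as an added example that is not part of the original article: it pulls the declared character set, the originating relay address and the sender-side UTC offset out of a constructed sample message (the hosts, addresses and the small charset-to-script table are assumptions made for the example).

```python
import re
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Charset -> script hint. Assumption: an illustrative table, not an authoritative mapping.
CHARSET_HINTS = {"windows-1251": "Cyrillic", "koi8-r": "Cyrillic", "gb2312": "Chinese",
                 "big5": "Chinese", "iso-2022-jp": "Japanese", "windows-1256": "Arabic"}
# First IPv4 literal in the "from ..." clause of a Received header.
IP_RE = re.compile(r"\bfrom\b[^;]*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed sample message (hosts, addresses and RFC 5737 documentation IPs are made up).
SAMPLE_EMAIL = b"""Received: from relay.example-isp.test (relay.example-isp.test [203.0.113.7])
    by mx.corp.example (Postfix) with ESMTP id 4ABC123; Wed, 22 Jul 2015 07:01:10 +0000
Received: from [198.51.100.22] (unknown [198.51.100.22])
    by relay.example-isp.test with ESMTPA; Wed, 22 Jul 2015 07:00:55 +0000
Date: Wed, 22 Jul 2015 10:00:31 +0300
From: "Finance Team" <payments@corp-example.test>
To: cfo@corp.example
Subject: Urgent invoice
X-Mailer: The Bat! (v5.0)
Content-Type: text/plain; charset="windows-1251"

Please to make the transfer today, it is very urgent.
"""

def profile_email(raw: bytes) -> dict:
    """Return coarse profiling indicators extracted from one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Charsets declared on each MIME part hint at the sender's locale/keyboard layout.
    charsets = sorted({p.get_content_charset().lower() for p in msg.walk() if p.get_content_charset()})
    # Each hop prepends its own Received header, so the last one is nearest the sender.
    origin_ip = None
    for hdr in reversed(msg.get_all("Received", [])):
        if m := IP_RE.search(str(hdr)):
            origin_ip = m.group(1)
            break
    # Date is stamped by the sender's client, so its UTC offset reflects the
    # sender's clock; Received timestamps belong to the relays, not the sender.
    offset = None
    if msg["Date"]:
        dt = parsedate_to_datetime(str(msg["Date"]))
        offset = dt.strftime("%z") if dt.utcoffset() is not None else None
    return {
        "charsets": charsets,
        "script_hints": sorted({CHARSET_HINTS[c] for c in charsets if c in CHARSET_HINTS}),
        "origin_ip": origin_ip,
        "sender_utc_offset": offset,
        "mailer": str(msg["X-Mailer"]) if msg["X-Mailer"] else None,
    }
```

Such indicators are only a starting point: headers can be forged, so they feed the attacker profile alongside other evidence rather than settling attribution on their own.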

Malware source code can provide further evidence of the attacker’s language
or location. Malware configuration options are also often unique to an
attacker and can help identify multiple attacks by the same attacker.

Information like this can help companies get a better idea of who the
attacker is and categorise the adversary. IS teams should use at least five
basic categories: insider, unsophisticated attacker, organised crime,
competitor and state-sponsored attacker.

By categorising attackers – looking at the ‘who’ as well as the ‘how’ –
organisations can develop much better responses for future attacks.

Compiling attacker characteristics, location and techniques allows firms to
conduct more targeted and productive searches for threats over time.

For instance, because organised crime, competitor and state-sponsored
attackers are more likely to launch multiple attacks, recording information
about these intruders will help companies recognise them again in the
future.

Reporting all this information to the board of the company is also
essential. Often board members don’t receive specific information on how
the company is protecting against cyber risks, and therefore may not know
what is at stake and the kinds of investments needed to counter them.

This kind of ‘hacker profiling’ is often a good way to communicate to senior
management the extent of the company’s exposure to future attacks and the
need for continued support from the rest of the business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 