How to Identify a Cyber Adversary: What to Look For

We Keep you Connected

How to Identify a Cyber Adversary: What to Look For

There are many factors involved in attributing a cyber incident to a specific threat actor.
March 14, 2024
Cyber-incident attribution gets a lot of attention, for good reasons. Identifying the actor(s) behind an attack enables taking legal or political action against the adversary and helps cybersecurity researchers recognize and prevent future threats. 
As I wrote in the first part of this article, attribution is both a technical and analytical process. Therefore, extracting the necessary data requires collaboration from many types of information and intelligence disciplines. Attribution is getting harder as tradecraft improves and malicious actors find new ways to obfuscate their activity. Human intelligence frequently comes into play, making the work of government intelligence agencies like the FBI and CIA so valuable.  
There are multiple factors involved in trying to attribute an event. Here is a general framework you can apply in your attribution activities.
Finding out as much as you can about the victim (e.g., yourself) through analysis can yield some surprising results. To paraphrase Sun Tzu, “know your enemy and you will win a hundred battles; know yourself and you will win a thousand.” What do you make or manufacture, what services you provide, and who your corporate executives are will all have a direct bearing on the adversary’s motives. Who wants what you have? Is a nation-state fulfilling collection requirements? Does someone want to reproduce your intellectual property? 
Categorize the adversary’ tools you find during your investigation and analyze each group. What did the adversary use? Are they open source? Are they open source but customized? Were they possibly written by the actors? Are they prevalent or common? Unfortunately, tools used in a breach are often transient or lost due to time and anti-forensic techniques (such as malware that exploits a vulnerability). Different tools can maintain persistence, escalate privileges, and move laterally across a network. Tools are harder to detect the longer the adversary remains in your network. 
Looking and behaving like everyone else in your environment is crucial to an adversary’s longevity. They tend to use what is available to them on the corporate network (“living off the land”) or innocuous tools that won’t arouse suspicion, making them harder to detect. An adversary backed by a strong military-industrial complex or sophisticated intelligence apparatus has the time, resources, and patience to linger in your network. In contrast, time is money for cybercriminals and ransomware groups, so their dwell time may be significantly lower. 
Investigate what type of infrastructure the malicious actors used, especially elements related to command and control (C2) functions. Was it leased infrastructure, virtual private server (VPS), virtual private network (VPN), compromised space, or botnets? Did they use Tor or another anonymous network? Was C2 hard coded into the malware? How does the C2 work? Unique infrastructures are easier to identify, whereas commonplace tools make attribution more difficult.
It’s not enough to identify the adversary’s tools and infrastructure; reviewing how they are implemented during the attack is critical. How tactics, techniques, and procedures (TTPs) are implemented can tell you if someone is attempting to intentionally mislead you (i.e., using false flags). If data was exfiltrated from your network, do a detailed analysis to understand what they took or targeted. 
Logging internal user actions can help if the adversary moved laterally and took on an administrator’s or employee’s persona. If they did a “smash and grab,” taking everything, well, you’ve got some work to do. If the attack was unique and there are no benchmarks to start from, that is an indicator. 
Attacks rarely work that way though. Adversaries tend to go with what they know: they learn a way of doing things and try to stick with it. While the tools of the trade (e.g., hacking tools used, vulnerability exploited, infrastructure used) change, tradecraft is more difficult to change wholesale.
Once you collect the intelligence or evidence you need, consider: What is the fidelity of the information captured (how accurate is it)? How exclusive is it? Is the information you know about the attack tied to a particular actor or organization? 
When you make an assessment, you inevitably have information gaps — either missing material information or indicators that are not neatly explained by your strongest theory. If a government needs more information, it probably has the resources to close the intelligence gaps. Any other type of organization must find other ways to derive attribution for defensive purposes.
Many people and organizations want to rush attribution and take immediate action. Hasty attribution doesn’t bypass the need to conduct a thorough investigation. On the government side, rushing a response to a cyber event to set a foreign policy standard or meet a perceived national security objective is a recipe for disaster. 
Attribution should be enhanced and not bypassed; otherwise, highly skilled false flag and deception operations will draw companies and countries into conflict while playing into the hands of a determined adversary. Foreign policy strategy is a game of chess where you must always anticipate the adversary’s countermoves. 
Attribution often requires a whole-of-government and private sector effort; rarely does one agency or company have all the necessary information to put the pieces together. We need to incorporate and formalize threat intelligence and attribution into academic curricula and give it the attention it deserves. This is not something any nation or the cybersecurity community can afford to get wrong.
Charles A. Garzoni
Deputy CISO, Centene Corporation
Charles Garzoni is Deputy CISO, Centene Corporation, and is responsible for cyber defense operations. His career spanned multiple industries, law enforcement, and the military specializing in building teams to investigate, analyze, and attribute both nation-state and criminal cyber attacks.  Over his career he has worked hundreds of high-profile incidents (such as Sony, OPM, Anthem, NASDAQ) and helped design and execute cyber operations against adversaries.
He has held several significant positions within the government including, Incident Response Director and Cyber Incident Coordinator for the FBI Cyber Division, and Chief of Threat Analysis for the (NCIJTF). He was also appointed as the Director of Defensive Strategy for the US Cyberspace Solarium Commission and retired as a senior leader with the Air Force Office of Special Investigations (OSI) where he focused on cyber investigations, operations, and cyber strategy.

TNC

LET US MANAGE YOUR SYSTEM
SO YOU CAN RUN YOUR BUSINESS

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE