How do security professionals study threat actors, & why do we do it?

I receive a lot of great questions about my work in Digital Forensics and Incident Response (DFIR), and while I’ve written a bit on the topic of threat actors and attribution, I’ve been repeatedly asked some interesting questions about this area in particular. In the interest of not answering the same question 101 more times, today I will attempt to tackle some of the most popular, difficult, and ambiguous ones.

Before we deep dive into a conversation about modern computer hacking, there are a couple of things that are really important to understand:

  1. Digital attacks are often launched through hacked or infected computers that belong to innocent people or companies. Those computers might not even be in the same country as the bad guy. The bottom line is: gone is the notion of “just trace the IP address back”.
  2. A single digital attack often involves computers in many countries, whether as part of a big DDoS attack or something more complex, like exfiltrating stolen data through a chain of compromised machines. The bottom line is: it’s not uncommon to see computers in ten countries used in the same criminal operation.

With that in mind, let’s have a short chat about the strange world of attack attribution, the secret sauce that goes into making it happen, and why it sometimes appears like we as computer security professionals really, really suck at catching bad guys.

Why would anybody care who is hacking them?

I’ve noted before that for the average commercial company, it’s usually not terribly relevant to discuss the specific national origin of attacks at an executive level. That energy is better spent understanding why a breach occurred and preventing it from happening again. Companies are rarely going to cease business operations in a country because of attacks sourced there.

That being said, it can potentially be helpful for the right operational security staff to have an understanding of the actors who are attempting to breach their defenses. Once a team knows that actor CRAZY HAMSTER is attacking their company, they can read reports on attacks by CRAZY HAMSTER against other companies. Reports often document tools, tactics, and procedures used by the attacker, and the security team can use this information to ensure they have appropriate mitigation and detection in place. It might also give the security team an idea of what ends CRAZY HAMSTER is trying to accomplish through their campaign of digital villainy.

Outside of the commercial space, things become a lot more complex. I’ve noted previously that espionage and sabotage are as old as human civilization – and they are still just as relevant to politics and warfare, today. It is very important to not think of “cyber war” as a domain entirely independent of the other realms of warfare, political maneuvering, and espionage. No matter how tempting it is to worry about catastrophic digital attacks on critical infrastructure or the internet, precedent and rhetoric support hacking mostly being used as one component of more complex global conflicts. So, hacking really has to be analyzed as one part of a whole, but it certainly shouldn’t be ignored.

How can anybody know with any certainty who is hacking whom?

I’ve talked about the complexities of digital attribution in the past, and I always take the time to note that attribution is a complex, time-consuming process. That does not make it impossible, with the right resources and substantial work hours, for qualified experts to reach a determination beyond a reasonable doubt.

I already told you that IP addresses alone aren’t very useful for figuring out the source of attacks anymore. That’s okay; it doesn’t mean that hackers and their tools don’t leave lots of digital evidence. In essence, the entire field of Digital Forensics and Incident Response (DFIR) centers on responding to and analyzing compromised networks, systems, and their logs, then providing detailed reports on what occurred. DFIR tends to focus on hard evidence: recovering deleted tools, files, and malware; retrieving command history and even tiny changes made to the computer; identifying communication with other systems; and then building a very comprehensive timeline of the attacker’s activity.
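
To make that concrete, here is a minimal, hypothetical sketch of the timeline-building step: timestamped artifacts from different forensic sources are normalized and merged into one chronological view of attacker activity. The artifact records and field names below are invented for illustration and not taken from any particular DFIR tool.

```python
from datetime import datetime, timezone

# Hypothetical artifact records pulled from different forensic sources
# (file system metadata, proxy logs, shell history). Field names and values
# are illustrative only.
artifacts = [
    {"source": "filesystem",    "timestamp": "2017-03-02T04:11:09Z", "event": "dropper.exe created in temp directory"},
    {"source": "proxy_log",     "timestamp": "2017-03-02T04:10:55Z", "event": "HTTP POST to suspicious domain"},
    {"source": "shell_history", "timestamp": "2017-03-02T04:15:30Z", "event": "archive of finance share created"},
]

def to_dt(ts):
    """Parse an ISO 8601 UTC timestamp into a timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Merge everything into one chronological timeline of attacker activity.
timeline = sorted(artifacts, key=lambda a: to_dt(a["timestamp"]))

for entry in timeline:
    print(f'{entry["timestamp"]}  [{entry["source"]:>13}]  {entry["event"]}')
```

Real investigations do the same thing at a much larger scale, across thousands of artifacts and many systems, but the principle is identical: put everything on one clock and read the story in order.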

In plain English: an unencrypted computer hard drive is an archaeological treasure trove of information, containing everything from what has been typed into a search bar, which sites were viewed in private browsing mode, and what’s been plugged into the machine, to what process started exactly five months and 16 days ago. Computer memory contains even more juicy details about the use and abuse of a computer. It’s very hard to hide every artifact of an attack on a computer that is not encrypted or hasn’t been powered down. Reliable evidence can persist for months, or even years.

Where DFIR tends to answer the “how”, “when”, and “what” of a hacking incident, cyber threat intelligence strives to extend our understanding to the “who” and “why”. Much like traditional intelligence work, good threat intel professionals take a more holistic view of attackers: taking the hard evidence found through DFIR analysis and combining it with softer evidence like typical attacker behavior, linguistics, favored tools, target selection, previous attacker activities and indicators, and global events.

Balancing the high-quality evidence that DFIR uncovers with the comprehensive view that good intelligence provides is the secret sauce that can allow agencies and researchers to point toward the source of an attack.

But what if reports on an attack or threat actor conflict?

It happens. Two good investigators can look at similar evidence and come to slightly different conclusions. Our recourse is to carefully read all available reports, then look hard at the quality of the expertise, reasoning, and access to evidence within each. Again, good detective work doesn’t lead to absolute certainty. The goal is to reach the most reasonable and supported conclusion possible. Some assembly is required.

But what about those “false flag” operations?

There’s certainly plenty of precedent for false flag operations in the (very, very) long and storied history of espionage and counterespionage. Digital attacks are no exception. Bad guys can try to pretend to be other bad guys, and people can claim credit for other people’s activities for a multitude of reasons.

This is why good intelligence, as opposed to digital forensics alone, is crucial to any attribution. It is rare to see a human-driven computer compromise occur without any attacker mistakes (or evidence of those mistakes), and those small errors in syntax, language, or exploitation can be quite telling to a keen and attentive analyst.

Who are these commercial threat intelligence companies?

It takes a lot of resources for a company to build a large-scale threat intelligence program. So, a number of successful companies have popped up that hire intelligence specialists, linguists, security researchers, and political scientists to provide detailed threat intelligence to organizations, for profit. A small word of caution: keep in mind that while it is certainly in these companies’ best interests to be technically correct when they release reports and findings, they are still businesses, and their objective is to sell a product. They will probably not give everything away for free.

So if you know who’s hacking an organization, why aren’t they getting arrested?

Unfortunately, even if we know who is hacking whom, there’s often not a lot we can do about the perpetrators. Hacking the attacker back in retaliation is extremely murky legal water, especially since we already noted that hackers like to use innocent people’s computers to launch their attacks. One misstep and we could end up sued or prosecuted ourselves. Government action could have even more severe repercussions.

We can certainly go to the appropriate law enforcement agencies and report theft, intrusion, or damage – indeed, I highly recommend it. However, LEOs don’t have it easy, either. Not only are their computer crimes groups often overtaxed by the surge in ransomware and phishing, but as we noted earlier, computer crimes often cross many international borders. Taking down a big criminal hacking operation usually takes coordination between private firms and several countries’ law enforcement agencies. That means each one has to approve and fund the takedown. It happens fairly regularly, but it’s a big effort.

Then, there’s the issue of state-sponsored attacks, which are a matter of politics above most law enforcement organizations’ ability to pursue. If one country conducts espionage or sabotage against a public or private institution in another, politicians must weigh retaliation for what was done versus the potential of souring international relations (or worse).

So, sometimes we really do know who is attacking, but there’s no feasible way to pursue them ourselves, right at the moment.

I want to see evidence of CRAZY HAMSTER attacking companies first hand. Why can’t I?

First of all, make sure you really can’t. Not every threat intelligence company uses the same nomenclature for the same actors – a sore spot for many security professionals. When in doubt, please check first, and ask if needed.

Many commercial intelligence companies and research firms produce reports for the public that contain an executive summary that is easily readable at any technical skill level. A good report should also contain substantial technical detail, including indicators of compromise (IoCs): specific evidence found in the analysis of the attack that can potentially be used to identify the same actor elsewhere.
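
As a rough illustration of how those published indicators get used, here is a tiny sketch, with entirely made-up hash, domain, and IP values, of checking observables from your own logs against a report’s IoC list.

```python
# Hypothetical indicators of compromise as they might appear in a public
# report: file hashes, domains, and IP addresses tied to one campaign.
# All values here are placeholders, not real indicators.
iocs = {
    "sha256": {"0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"},
    "domain": {"update-check.example-bad.net"},
    "ipv4":   {"203.0.113.45"},
}

def matches_ioc(observable, kind):
    """Return True if an observable from our own logs matches a published IoC."""
    return observable.lower() in iocs.get(kind, set())

# Example sweep of a (made-up) list of domains seen in our proxy logs.
seen_domains = ["cdn.example.com", "update-check.example-bad.net"]
hits = [d for d in seen_domains if matches_ioc(d, "domain")]
print("Possible matches:", hits)
```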

Unfortunately, in any breach or attack, there will very likely be a lot of evidence unavailable to the general public. The first problem with releasing it all is that raw digital forensic evidence almost always contains proprietary and confidential data. That’s just the nature of raw network traffic and system drives. Even attacker activity alone usually contains passwords, account lists, and sensitive network configuration and vulnerability data. Some of this information may be made available to information-sharing partners and colleagues under NDA or Traffic Light Protocol (TLP) restrictions, while some is kept strictly confidential.

The second problem is that any data provided to the general public is by its nature also being made available to the attackers. If they are still operating, showing all cards could really hurt efforts to bring them to justice.

Why aren’t you security professionals and researchers doing anything about these threat actors?

We are. While we might not be able to get every perpetrator arrested today, there are concerted efforts to share data on attackers and malware between commercial companies, law enforcement, and government agencies. Information Sharing and Analysis Centers (ISACs) are a great example of this. Many threat researchers and non-profit organizations release and share threat intelligence data and malware research for free.

Information sharing not only helps in law enforcement efforts, but it mutually improves detection of attackers and preventative security with their behaviors in mind. If we can’t stop the attackers right now, we can work together to hinder them at every turn.

The $5 Vendor-Free Crash Course: Cyber Threat Intel

Threat intelligence is currently the trendy thing in information security, and as with many new security trends, it is frequently misunderstood and misused. I want to take the time to discuss some common misunderstandings about what threat intelligence is and isn’t, where it can be beneficial, and where it’s wasting your (and your analysts’) time and money.

To understand cyber threat intelligence as more than a buzzword, we must first understand what intelligence is in a broader sense. Encyclopedia Britannica provides this gem of a summary:

“… Whether tactical or strategic, military intelligence attempts to respond to or satisfy the needs of the operational leader, the person who has to act or react to a given set of circumstances. The process begins when the commander determines what information is needed to act responsibly.”

The purpose of intelligence is to aid in informed decision making. Period. There is no point in doing intelligence for intelligence’s sake.

Cyber threat intelligence is not simply endless feeds of malicious IP addresses and domain names. To truly be useful intelligence, threat intel should be actionable and contextual. That doesn’t mean attribution of a set of indicators to a specific country or organization; for most companies that is at best futile and at worst dangerous. It simply means gathering data to anticipate, detect, and mitigate threat actor behavior as it may relate to your organization. If threat intelligence is not contextual or is frequently non-actionable in your environment, you’re doing “cyber threat” without much “intelligence” (and it’s probably not providing much benefit).

Threat intelligence should aid you in answering the following six questions:

  1. What types of actors might currently pose a threat to your organization or industry? Remember that for something to pose a threat, it must have capability, opportunity, and intent.
  2. How do those types of actors typically operate?
  3. What are the “crown jewels” prime for theft or abuse in your environment?
  4. What is the risk of your organization being targeted by these threats? Remember that risk is a function of both the probability of your organization being targeted and the harm that could be caused if it were (a worked example follows this list).
  5. What are better ways to detect and mitigate these types of threats in a timely and proactive manner?
  6. How can these types of threats be responded to more effectively?
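
To make the fourth question a little more concrete, here is a deliberately simplified worked example that treats risk as expected loss: the likelihood of being targeted multiplied by the harm if you were. The threat names and numbers are purely illustrative, and real risk models are richer, but the relative ranking is what should drive where you spend detection and mitigation effort.

```python
# Purely illustrative figures: likelihood on a 0-1 scale, impact in dollars.
threats = {
    "commodity ransomware":  {"likelihood": 0.60, "impact": 250_000},
    "targeted IP theft":     {"likelihood": 0.10, "impact": 5_000_000},
    "hacktivist defacement": {"likelihood": 0.25, "impact": 50_000},
}

# A simple expected-loss view of risk: probability of being targeted times
# the harm caused if you were.
ranked = sorted(threats.items(),
                key=lambda kv: kv[1]["likelihood"] * kv[1]["impact"],
                reverse=True)

for name, t in ranked:
    print(f'{name:22s} expected loss ≈ ${t["likelihood"] * t["impact"]:>12,.0f}')
```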

Note that the fifth question is the only one that really involves those big lists of Indicators of Compromise (IoCs). There is much more that goes into intelligence about the threats that face us than simply raw detection of specific file hashes or domains without any context. You can see this in good quality threat intelligence reports – they clearly answer “what” and “how” while also providing strategic and tactical intelligence.

I’m not a fan of the “throw everything at the wall and see what sticks” mentality of using every raw feed of IoCs available. This is incredibly inefficient and difficult to vet and manage. The real intelligence aspect comes in when selecting which feeds of indicators and signatures are applicable to your environment, where to place sensors, and which monitored alerts might merit a faster response. Signatures should be used as opposed to one-off indicators when possible. Indicators and signatures should be vetted and deduplicated. Sensibly planning expiration for indicators that are relatively transient (like compromised sites used in phishing or watering hole attacks) is also pretty important for your sanity and the health of your security appliances.
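
As a rough sketch of what that vetting might look like in practice, here is a minimal example that deduplicates a made-up raw feed and expires indicators older than an assumed 30-day window. The field names and the cutoff are illustrative choices, not a standard.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical raw feed entries: note the duplicate domain and the stale entry.
raw_feed = [
    {"indicator": "login-verify.example-bad.net", "type": "phishing_domain", "first_seen": "2017-01-02"},
    {"indicator": "login-verify.example-bad.net", "type": "phishing_domain", "first_seen": "2017-01-02"},
    {"indicator": "198.51.100.23",                "type": "c2_ip",           "first_seen": "2017-04-20"},
]

MAX_AGE = timedelta(days=30)  # transient indicators expire quickly
now = datetime(2017, 5, 1, tzinfo=timezone.utc)

def still_fresh(entry):
    """True if the indicator was first seen within the expiration window."""
    seen = datetime.strptime(entry["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return now - seen <= MAX_AGE

# Deduplicate on the indicator value, then drop anything past its shelf life.
deduped = {e["indicator"]: e for e in raw_feed}.values()
vetted = [e for e in deduped if still_fresh(e)]
print(vetted)
```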

So, how do you go about these tasks if you can’t staff a full-time threat intelligence expert? Firstly, many of the questions about how you might be targeted and what might be targeted in your environment can be answered by your own staff. After your own vulnerability assessments, bring your risk management, loss prevention, and legal experts into the discussion (as well as your sales and development teams if you develop products or services). Executive buy-in and support is key at this stage. Find out where the money is going and where it is coming from, and you will have a solid start on your list of crown jewels and potential threats. I also highly recommend speaking to your social media team about your company’s global reputation and any frequent threats or anger directed at the company online. Are you disliked by a hacktivist organization? Do you have unscrupulous competitors? This all plays into threat intelligence and security decisions.

Additionally, identify your industry’s ISAC or equivalent, and become a participating member. This gives you the unique opportunity to speak under strict NDA with security staff at your competitors about threats that may impact you both. Be cognizant that this is a two-way street; you will likely be expected to participate actively rather than just glean information from others, so you’ll want to discuss this agreement with your legal counsel and have the support of your senior leadership. It’s usually worth it.

Once you have begun to answer questions about how you might be targeted, and what types of organizations might pose a threat, you can begin to make an educated decision about which specific IoCs might be useful, and where to apply them in your network topology. For instance, most organizations are impacted by mass malware, yet if your environment consists entirely of Mac OS, a Windows ransomware indicator feed is probably not high on your priority list. You might, however, have a legacy Solaris server containing engineering data that could be a big target for theft, and decide to install additional sensors and Solaris signatures accordingly.
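
One way to think about that selection step, sketched below with invented feed names and asset counts, is as a simple mapping from the platforms you actually run to the indicator feeds that could possibly apply to them.

```python
# Hypothetical inventory of what actually runs in the environment, and which
# (made-up) feed categories are relevant to each platform.
asset_platforms = {"macos": 450, "solaris": 2, "windows": 0}

feed_relevance = {
    "windows_ransomware_hashes":  {"windows"},
    "macos_malware_hashes":       {"macos"},
    "solaris_exploit_signatures": {"solaris"},
}

# Only deploy feeds that map to platforms we actually have in production.
selected = [
    feed for feed, platforms in feed_relevance.items()
    if any(asset_platforms.get(p, 0) > 0 for p in platforms)
]
print("Feeds worth deploying:", selected)
```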

There are numerous commercial threat intelligence companies that will sell your organization varying types of cyber threat intelligence data of varying quality (in the interest of affability, I’ll not be rating them in this article). When selecting between paid and free intelligence sources (and indeed, you should probably be using a combination of both), keep the aforementioned questions in mind. If a vendor’s product will not help answer a few of those questions for you, you may want to look elsewhere. When an alert fires, a vendor who sells “black box” feeds of indicators without context may cost you extra time and money, while conversely a vendor who sells nation-state attribution in great detail doesn’t really provide the average company any actionable information.

Publicly available sources of threat intelligence data are almost endless on the internet, limited only by your creativity in looking for them. Emerging Threats provides a fantastic feed of free signatures that cover malware and exploits used by advanced actors. AlienVault OTX and CIRCL’s MISP are great efforts to bring a lot of community intelligence together in one place. Potentially useful IoC feeds are available from many organizations like abuse.ch, IOC Bucket, SANS ISC DShield, and MalwareDomains.com (I recommend checking out hslatman’s fairly comprehensive list). As previously noted, don’t discount social media and your average saved Google search as great sources of intel, either.
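
If you want to experiment with one of these public feeds, fetching one can be as simple as the sketch below. The URL is a placeholder to be replaced with the feed’s published download link, and you should read each feed’s usage terms before pulling it regularly.

```python
import urllib.request

# Placeholder URL: substitute the published download link of whichever public
# feed you choose after reviewing its terms of use.
FEED_URL = "https://example.org/ip-blocklist.txt"

def fetch_plaintext_feed(url):
    """Fetch a newline-delimited feed, skipping blank lines and '#' comments."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        lines = resp.read().decode("utf-8", errors="replace").splitlines()
    return [s for s in (ln.strip() for ln in lines) if s and not s.startswith("#")]

indicators = fetch_plaintext_feed(FEED_URL)
print(f"Loaded {len(indicators)} indicators")
```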

The most important thing to remember about threat intelligence is that the threat landscape is always changing, on both your side and the attackers’. You are never done with gathering intelligence or making security decisions based on it. You should touch base with everybody involved in your threat intelligence gathering and process on a regular basis, to ensure you are still using actionable data in the correct context.

***

In summary, don’t do threat intelligence for the sake of doing threat intelligence. Give careful consideration to choosing intelligence that can provide contextual and actionable information to your organization’s defense. This is a doable task, possible even for organizations that do not have dedicated threat intelligence staff or budgets, but it will require some regular maintenance and thought.


Many thanks to the seasoned Intel pros who kindly took the time to read and critique this article: @swannysec, @MalwareJake, and @edwardmccabe

I highly recommend reading John Swanson’s work on building a Threat Intel program next, here.