Chief information security officers and their teams should collect information on who's attacking their firm, rather than just how it's done, says Jeremy Bergsman
Over 95% of CISOs say it is at least ‘moderately likely’ that their company will face an ‘advanced’ attack in the next 12 months. Worse, nearly three-quarters of CISOs think their function won’t deal with it properly.
Advanced threats are substantially different to traditional threats: they are harder to detect and prevent, and they are perpetrated by hackers who are more skilful and better resourced. CISOs consistently rank advanced threats as the most severe and uncontrollable they face. Examples include social engineering and/or phishing, hacktivism, state-sponsored attacks, and information-related organized crime and fraud.
One big problem is that many CISOs only focus on how an attack is conducted (ie, on the techniques used) and assume that figuring out who is behind an attack is for IT vendors, law enforcement, or only the most advanced information security (IS) functions. This is short-sighted and means teams will miss valuable information that is not overly onerous to collect, and which can help combat many different types of threat.
With all the internal and external threat intelligence that IS teams now collect, hunters (one of the more exciting corporate titles) or other IS staff who sift through this information can search for indicators or techniques associated with a particular attacker or group, identifying new threats and pre-empting advanced attackers.
In particular, IS teams should work on two processes: attribution, or determining the identity of the individual or group launching the attack; and attacker profiling, or compiling attacker characteristics, location, and techniques.
Some CISOs may not feel their advanced threat processes are sophisticated enough for profiling, but there are some basic methods that work well.
- Analyze suspicious email headers: Email headers provide valuable information about the source of a message. For instance, the character set attribute can provide information about the attacker’s keyboard layout, and indicate the attacker’s location.
- Examine suspicious email text: Within the text of an email, embedded fonts and language mistakes can provide clues about the attacker’s native language or origin.
- Look for clues in malware: Malware source code can provide further evidence of the attacker’s language or location. Malware configuration options are also often unique to an attacker and can help identify multiple attacks by the same attacker.
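As an added illustration of the first of these methods (this is example code, not part of the article or of any tool the author describes), the script below pulls profiling attributes out of a suspicious email using only Python's standard library: the declared character set, the mail-client fingerprint in X-Mailer, the From/Reply-To domains, and the originating IP recovered from the Received chain. The message it parses is constructed for the example; every address, host name and IP in it is fictitious. Headers of this kind are easily forged, so the output is a set of profile inputs to be recorded and correlated across incidents, not proof of origin.

```python
"""Extract attacker-profiling clues from a suspicious email (standard library only)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# IPv4 literal in square brackets, as MTAs write it inside Received headers.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Charsets common enough to carry little locale information on their own.
COMMON_CHARSETS = {"us-ascii", "utf-8", "iso-8859-1", "windows-1252"}

# Constructed sample message: fictitious addresses, hosts and IPs.
SAMPLE_EMAIL = """\
Received: from mail.example.internal (mail.example.internal [10.0.0.5])
 by mx.victim.example (Postfix) with ESMTP id ABC123
 for <finance@victim.example>; Mon, 01 Jan 2024 09:00:00 +0000
Received: from [203.0.113.17] (unknown [203.0.113.17])
 by mail.example.internal (Postfix) with ESMTPA id DEF456;
 Mon, 01 Jan 2024 08:59:58 +0000
From: "CEO Office" <ceo@victim-example.net>
Reply-To: ceo.office@mailbox.example
To: finance@victim.example
Subject: Urgent wire request
X-Mailer: Microsoft Outlook 16.0
Date: Mon, 01 Jan 2024 08:59:50 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit

Please to process the wire today, I am in meetings all the day.
"""


def received_chain(msg):
    """Return the IPs named in Received headers, oldest hop first.

    Each MTA prepends its own Received header, so the header that appears
    last in the message was added first and is closest to the sender.
    """
    hops = [str(h) for h in msg.get_all("Received", [])]
    chain = []
    for hop in reversed(hops):
        for ip in IPV4_IN_BRACKETS.findall(hop):
            if ip not in chain:  # keep order, drop repeats within a hop
                chain.append(ip)
    return chain


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def profile_email(raw_message):
    """Build a profiling record (plain dict, JSON-friendly) from a raw email."""
    msg = message_from_string(raw_message, policy=policy.default)
    charset = (msg.get_content_charset() or "us-ascii").lower()
    chain = received_chain(msg)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    x_mailer = str(msg["X-Mailer"]) if msg.get("X-Mailer") else None

    clues = []
    if charset not in COMMON_CHARSETS:
        clues.append(f"uncommon charset {charset}: possible locale/keyboard hint")
    if reply_domain and reply_domain != from_domain:
        clues.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if x_mailer:
        clues.append(f"X-Mailer '{x_mailer}': client tooling fingerprint")

    return {
        "charset": charset,
        "x_mailer": x_mailer,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "originating_ip": chain[0] if chain else None,
        "received_chain": chain,
        "clues": clues,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(profile_email(SAMPLE_EMAIL), indent=2))
```

Records like this are only useful if they are stored and compared: the same charset, X-Mailer string and Reply-To domain turning up across several incidents is the kind of pattern that lets a team recognise a returning attacker, which is the point of the categories discussed below.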
Information like this can help organizations get an idea of who the attacker is and categorize the adversary; IS teams should use at least the following basic categories: insider; unsophisticated attacker; organized crime; competitor; and state-sponsored attacker.
By categorizing attackers, organizations can develop more targeted responses and anticipate future attacks. For instance, because organized crime, competitor, and state-sponsored attackers are more likely to launch multiple attacks, recording information about these intruders can help organizations recognize them again in the future.