« If you know the enemy and know yourself, you need not fear the result of a hundred battles. » This rule, postulated in Sun Tzu’s The Art of War, dates back to the 6th century B.C. It still applies today in the context of cyberattacks on companies and organizations. The frequency of cyberattacks is increasing significantly every year. Experts expect further increases in the coming years. At the same time, the complexity of attacks is also increasing, so that experts have to search for traces more and more thoroughly.

Forensics helps build a line of defense against cyberattacks

The information that leads to the origin of an attack, and therefore an attacker, is important to protect systems against future attacks. Past insights help identify gaps in the internal network and mitigate or even prevent attacks in the future. Investigations of cyberattacks are also an important source of information for companies to identify who is attacking the company and for what reasons. This allows protective measures to be taken to better prepare for future attacks.

Investigating and attributing information about an attack is the only way for companies to properly conceptualize their security infrastructure. The most important questions are « who », « how », « where », and « what ». This allows for the creation of behavioral patterns for attackers, encompassing attack vectors and identifying the targets of attacks. At this point, it is also important to know whether the attack was random or targeted.

A structured approach helps identify attackers on IT systems

The increase of data stored on IT systems leads to a corresponding increase of sensitive data that companies need to protect from attacks. In the case of cyberattacks, this is not always easy and requires a structured approach. If you know your enemy, you can name them and be better prepared for similar attacks. Other companies and organizations can also better prepare for known attacks and known attackers if their identities and modus operandi are published and can be used for their own investigations.

States and large companies are becoming more active in hunting down attackers. To this end, they are also examining malware more closely to discover specific characteristics that can be used to draw conclusions about the attackers. Defending against an attack therefore begins with discovering it. This is followed by digital forensics, which should reveal where, how, and when the attacker used a vulnerability to deliver their malware or launch their attack. The target is also important at this point. This yields information that can be merged with other data to ultimately identify the attacker.

Metadata and characteristics of attacks form an important information base

The key data about an attack include various objects, such as timestamps, file paths used, authentications, and many other settings and properties. They can support conclusions about similar attacks. This also includes the country from which the attack was made. The native language used is also information that forensic experts need to know. This involves identifying information that an attacker wanted to disguise but failed to. Strings and the technical level of the attack are also an important basis for attributing an attack.

Many attackers use similar approaches. Other criminals often copy these attack patterns. This helps to identify whether a new piece of malware is very similar to an already known one, which is important information for identifying its origin. It makes it possible to group malware and attackers, and also to match previously unknown attackers and malware to known ones.

Attackers want to protect their malware. Criminals also want to hide other information. Identifying this data (for instance, specific encryption keys, similar passwords, certificates, and procedures used in the attack) can be enormously helpful. Encryption keys are a reliable way to detect similar malware. New malware can be quickly associated with known attackers using this information. With proper preparation, companies can better protect themselves from this type of attack in the future based on this knowledge.

Cyberattackers also use infrastructure

Most attacks on IT infrastructures are controlled by people. The attackers rely on their own infrastructure. Clues about these IT components can be extremely helpful in identifying attackers. The attack patterns of criminals are often similar; in the case of new malware, they allow conclusions to be drawn about the developers. Indicators of Compromise (IOCs) are important information at this point. They include hashes of malware files and virus signatures. These IOCs can be matched against code similarities and known tools or infrastructure of the detected threat actors.

Information such as IP addresses, domains used, server names, cloud providers, VPN information, and DNS data also plays a role here. Together, these can form an important information base. This also applies to proxy servers and anonymization services. This data allows conclusions to be drawn about the actual location of the attacker. If it is possible to trace the attack back to a specific device, it may also be possible to find out the identity of the attacker.
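The two preceding sections describe attribution as overlap between artifacts recovered from an incident (timestamps, file paths, strings, encryption keys, hashes, domains, IP addresses) and what is already known about threat actors. The following script is an added example, not code from the article or from any attribution product, showing one way to carry out that matching. All artifact values, actor names and weights in it are constructed for illustration; the weights are an assumption that reflects how costly each kind of clue is for an attacker to fake, so that an attribution resting only on cheap-to-plant clues (a language string, a compile-time timezone) is flagged rather than trusted.

```python
"""Attribution by weighted artifact overlap (added example, not from the article).

Everything below is constructed for illustration: the hashes, key IDs,
domains, paths and actor names are made up, and the weights are this
example's own assumption about how hard each clue type is to forge.
"""
from typing import Dict, List, Set, Tuple

Artifact = Tuple[str, str]  # (artifact type, value)

# Assumed weight per artifact type. Reused cryptographic material and
# identical binaries are hard to explain away; strings and timezones are
# trivial to plant, so they score low.
WEIGHTS: Dict[str, int] = {
    "sha256": 5,       # identical malware sample
    "rsa_pubkey": 5,   # same key embedded in the malware
    "tls_cert": 4,     # same certificate on the C2 server
    "c2_domain": 3,
    "c2_ip": 3,
    "file_path": 2,    # characteristic install path
    "string": 1,       # mutex names, typos, language hints
    "compile_tz": 1,   # timezone inferred from compile timestamps
}
WEAK_TYPES: Set[str] = {t for t, w in WEIGHTS.items() if w <= 1}

# Hypothetical actor profiles built from earlier, already attributed attacks.
KNOWN_ACTORS: Dict[str, Set[Artifact]] = {
    "ACTOR-A (hypothetical)": {
        ("sha256", "11aa-constructed-old-sample"),
        ("rsa_pubkey", "CONSTRUCTED-RSA-KEY-01"),
        ("tls_cert", "CONSTRUCTED-CERT-FP-01"),
        ("c2_domain", "update-cdn.example"),
        ("file_path", "C:\\ProgramData\\updsvc\\svc.exe"),
    },
    "ACTOR-B (hypothetical)": {
        ("sha256", "77bb-constructed-b-sample"),
        ("c2_ip", "198.51.100.7"),               # TEST-NET-2 address
        ("string", "mutex:Global\\svc_upd7"),
        ("compile_tz", "UTC+8"),
    },
}

# Artifacts recovered from the (constructed) current incident. The binary
# hash is new, but the key, domain and path overlap with ACTOR-A while two
# cheap clues point at ACTOR-B.
INCIDENT: Set[Artifact] = {
    ("sha256", "9f3c-constructed-new-sample"),
    ("rsa_pubkey", "CONSTRUCTED-RSA-KEY-01"),
    ("c2_domain", "update-cdn.example"),
    ("file_path", "C:\\ProgramData\\updsvc\\svc.exe"),
    ("string", "mutex:Global\\svc_upd7"),
    ("compile_tz", "UTC+8"),
}


def score_overlap(incident: Set[Artifact], profile: Set[Artifact]) -> dict:
    """Sum the weights of the artifacts shared by the incident and a profile."""
    matches: List[Artifact] = sorted(incident & profile)
    score = sum(WEIGHTS.get(kind, 1) for kind, _ in matches)
    return {"score": score, "matches": matches}


def rests_on_weak_clues(matches: List[Artifact]) -> bool:
    """True when every shared artifact is of a type that is cheap to plant."""
    return bool(matches) and all(kind in WEAK_TYPES for kind, _ in matches)


def rank_actors(incident: Set[Artifact], actors: Dict[str, Set[Artifact]]) -> List[dict]:
    """Rank candidate actors by weighted overlap, flagging weak-evidence matches."""
    ranked = []
    for name, profile in actors.items():
        result = score_overlap(incident, profile)
        result["name"] = name
        result["weak_only"] = rests_on_weak_clues(result["matches"])
        ranked.append(result)
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def report(incident: Set[Artifact] = INCIDENT,
           actors: Dict[str, Set[Artifact]] = KNOWN_ACTORS) -> None:
    """Print the ranking in a form an analyst can read."""
    for r in rank_actors(incident, actors):
        flag = "  <- only easily forged clues, treat as possible false flag" if r["weak_only"] else ""
        print(f"{r['name']}: score {r['score']}, {len(r['matches'])} shared artifact(s){flag}")
        for kind, value in r["matches"]:
            print(f"    {kind}: {value}")


if __name__ == "__main__":
    report()
```

Run as a script, the report ranks ACTOR-A first on the strength of the reused key, domain and path, and marks the ACTOR-B overlap as resting only on a mutex string and a timezone. The point of the weighting is the design choice the article argues for: a new sample is tied to a known actor through artifacts the attacker would have had to go out of their way to change, while clues that cost nothing to fake are recorded but never allowed to carry an attribution on their own.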

False flags pose a challenge

Of course, attackers often try to hide their identity and origin. They sometimes use false flags to mislead security researchers. If attackers know the procedures of forensic experts, their false-flag operations can be extensive and meticulous. Inexperienced attackers are often much more careless in this regard and can be quickly detected by experienced forensic experts.

Unexplained artifacts also play an important role in cyberattack investigations. If the investigation of an attack finds that much of the information cannot be explained logically or is contradictory, this can be an indication that other information is also incorrect. This is where the ‘Fourth Party Collection’ technique can play a key role. In this technique, attackers use data gathered by other attackers, for example by turning malware against the criminals themselves.

It is difficult to determine the identity of attackers. Often, attackers are discovered by establishing a connection between current and already known attacks. The more information is available, the higher the likelihood of identifying the origin of attackers while also discovering vulnerabilities in the internal network. Analysts need to work carefully at this point and reliably detect fake information (false flags).

This also means that analysts should constantly educate themselves on this topic. Companies under attack should rely on specialists in this area who can correctly recognize and classify data and artifacts from cyberattacks. Ideally, this will allow criminals to be identified quickly. In any case, this knowledge makes it possible to reliably prevent future attacks of the same kind. Knowing why you were attacked, what was attacked, and how attempts were made to compromise your defenses is invaluable to being prepared for tomorrow’s battles.

A deep understanding of the adversary enables organizations to plan for the protection of their information and systems well into the future. As Sun Tzu goes on to say: « If you know neither the enemy nor yourself, you will succumb in every battle. »
