Reverse Deception: Organized Cyber Threat Counter-Exploitation

Authors: Sean Bodmer



BOOK: Reverse Deception: Organized Cyber Threat Counter-Exploitation
4.1Mb size Format: txt, pdf, ePub
Knowledge of the operating system
Grasp of commands, options, and arguments
Whether the attack is organized or disorganized, which helps build a clearer picture of the intent and motive
Whether or not the attack is scripted


Your security team can measure and observe these pieces of information by analyzing how the threat utilized each compromised system. How much access was used, and how narrowly, tells you a lot about the threat's intent and focus. The following patterns run from broad searching to a single, precisely targeted access:


1. Multiple systems were accessed for long periods of time (threat was searching)
2. Multiple systems were accessed for long periods of time in specific locations
3. Multiple systems were accessed for long periods of time surrounding specific applications
4. A few systems were accessed for long periods of time, and specific information was grabbed
5. A few systems were accessed on a regular basis, targeting specific file types
6. A few systems were accessed on a regular basis (occurring only within a specific team)
7. A few systems were accessed a few times (occurring only within a specific team)
8. A single system was accessed briefly on a regular basis (involving a specific member of a team)
9. A single system was accessed a few times and briefly targeted (involving a specific member of a team)
10. A single system was accessed directly and briefly (involving only a specific individual)
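The ten patterns above can be derived from ordinary access records. The following Python is an added example written for this page, not code from the book or its authors: it parses a constructed session log, reduces it to the features the scale is built on (how many systems, how long, how regularly, and how narrow the scope is), and picks the closest pattern. The record layout, the host inventory (site and application role per host), the thresholds for "multiple", "long" and "regular", and the branch order that maps features to a pattern are all assumptions made for the illustration.

```python
"""Profile how a threat used compromised systems, from session records.

Added example, not code from the book. The record format, the host inventory
and every threshold below are assumptions chosen for this illustration.
"""
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed inventory (assumption): host -> (site, application role).
INVENTORY = {
    "fs01": ("london", "fileshare"), "fs02": ("london", "fileshare"),
    "ws-rnd-07": ("london", "workstation"), "ws-rnd-12": ("london", "workstation"),
    "erp01": ("frankfurt", "erp"), "erp02": ("frankfurt", "erp"),
    "db03": ("frankfurt", "database"),
}

# Assumed thresholds for "multiple systems", "long periods" and "a regular basis".
MANY_HOSTS = 5
LONG_SESSION = timedelta(hours=2)
REGULAR_DAYS = 3

# Constructed session logs: start|end|host|account|team|comma-separated files taken.
SEARCHING = [  # broad, long sessions across sites and applications -> pattern 1
    "2024-03-04T01:10:00|2024-03-04T05:40:00|fs01|svc_backup|it|",
    "2024-03-04T06:00:00|2024-03-04T09:30:00|fs02|svc_backup|it|",
    "2024-03-05T01:00:00|2024-03-05T04:15:00|ws-rnd-07|jdoe|rnd|",
    "2024-03-05T04:20:00|2024-03-05T08:00:00|ws-rnd-12|jdoe|rnd|",
    "2024-03-06T02:00:00|2024-03-06T06:30:00|erp01|svc_backup|finance|",
    "2024-03-06T07:00:00|2024-03-06T10:00:00|erp02|svc_backup|finance|",
    "2024-03-07T01:30:00|2024-03-07T05:00:00|db03|dba1|it|",
]
FILE_TYPE_HUNT = [  # two file servers, four nights, only CAD drawings -> pattern 5
    "2024-03-04T02:00:00|2024-03-04T02:20:00|fs01|jdoe|rnd|proj/turbine.dwg,proj/blade.dwg",
    "2024-03-06T02:05:00|2024-03-06T02:25:00|fs02|jdoe|rnd|proj/rotor.dwg",
    "2024-03-08T02:00:00|2024-03-08T02:30:00|fs01|jdoe|rnd|proj/hub.DWG",
    "2024-03-11T02:10:00|2024-03-11T02:20:00|fs02|jdoe|rnd|proj/mount.dwg",
]
SINGLE_HIT = [  # one host, one account, one short visit -> pattern 10
    "2024-03-09T14:02:00|2024-03-09T14:11:00|db03|cfo_assist|finance|reports/q1_forecast.xlsx",
]


def parse_sessions(lines):
    """Parse the constructed 'start|end|host|account|team|files' records."""
    sessions = []
    for line in lines:
        start, end, host, account, team, files = line.strip().split("|")
        sessions.append({
            "start": datetime.fromisoformat(start), "end": datetime.fromisoformat(end),
            "host": host, "account": account, "team": team,
            "files": [f for f in files.split(",") if f],
        })
    return sessions


def profile(sessions):
    """Reduce sessions to the breadth, dwell, regularity and scope features."""
    if not sessions:
        raise ValueError("no sessions to profile")
    hosts = {s["host"] for s in sessions}
    durations = sorted(s["end"] - s["start"] for s in sessions)
    exts = {PurePosixPath(f).suffix.lower() for s in sessions for f in s["files"]}
    return {
        "systems": len(hosts),
        "long_dwell": durations[len(durations) // 2] >= LONG_SESSION,  # median session
        "regular": len({s["start"].date() for s in sessions}) >= REGULAR_DAYS,
        "visits": len(sessions),
        "one_site": len({INVENTORY[h][0] for h in hosts}) == 1,
        "one_app": len({INVENTORY[h][1] for h in hosts}) == 1,
        "teams": len({s["team"] for s in sessions}),
        "accounts": len({s["account"] for s in sessions}),
        "took_data": bool(exts),
        "one_file_type": len(exts) == 1,
    }


def utilization_pattern(p):
    """Map a profile onto the ten patterns (1 = broad searching, 10 = one precise hit).

    The branch order approximates the list above: breadth first, then
    regularity/dwell, then how narrow the scope is. It is not a rule from the book.
    """
    if p["systems"] >= MANY_HOSTS:
        return 3 if p["one_app"] else 2 if p["one_site"] else 1
    if p["systems"] > 1:
        if p["regular"] and p["one_file_type"]:
            return 5
        if p["long_dwell"] and p["took_data"]:
            return 4
        if p["teams"] == 1:
            return 6 if p["regular"] else 7
        return 4  # closest remaining bucket for a few systems with mixed scope
    if p["regular"]:
        return 8
    return 9 if p["visits"] > 1 else 10


if __name__ == "__main__":
    for name, log in (("searching", SEARCHING), ("file-type hunt", FILE_TYPE_HUNT),
                      ("single hit", SINGLE_HIT)):
        p = profile(parse_sessions(log))
        print(f"{name}: {p['systems']} system(s), {p['visits']} visit(s) -> pattern {utilization_pattern(p)}")
```

The point of separating `profile` from `utilization_pattern` is that the features (breadth, dwell, regularity, scope) are what the host and network telemetry actually yield; the pattern number is an interpretation layered on top, and the thresholds behind it should be tuned to your own environment rather than taken from this example.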


Skills and Methods

When observing attackers' skills and methods, you are also weighing the victimology and attack origination in combination. Why weigh them together? The answer is straightforward: the injection and propagation techniques a threat uses tie its skill level to where it came from and whom it went after.

The skills of each attacker will vary, and the more skill shown, the more attention you should pay. If a single threat displays a wide range of skills and techniques, that implies more than one individual is behind the observed events.

The ability to observe the skills and methods of each threat is critical. It requires a blend of traditional host-based and enterprise-wide security tooling that shows not only what occurred on the host but also what crossed the network: how the threat got into your network, how it got data out, and how it maintained persistence.

The following information needs to be weighed when evaluating a threat’s skills and methods:

Attack (the exploitation and remote control of your enterprise systems)
The vulnerability/exploit and its disclosure history (was this a known exploit?)
The methodology, signature, content, and patterns (is this a known threat that has attempted to exploit or exploited your enterprise before, or is there a specific pattern surrounding the attack that would help attribute the threat to a specific individual or group?)
Tools used
Utilization of access (how did the threat use each system?)
Data transfer technique
Logging alteration or deletion technique