A Closer Look at the Strange Love-Hate Relationship We Have With Cyber Threat Actors

Threat Actor - A Love Story

March 14, 2019 | Andrew de Lange

The Breach

It’s 5am on a Saturday morning, and you’re soundly sleeping after a hectic week as CISO of a large organization. Suddenly the phone rings and wakes you. The voice on the line says one of the most dreaded phrases: “You need to get to the office right away. We’ve suffered a breach.” As you drive to the office you run through multiple scenarios of how this could have happened. In at least one of them, an Advanced Persistent Threat (APT) actor is responsible. You begin to think it must be a sophisticated APT, because your security controls are robust and you’ve taken every precaution. The board will want to know which APT is behind this. You get on the phone with your head of Threat Intelligence (TI) and instruct, “You need to find out who is behind this. Right now it’s the only thing that matters.”

The Love-Hate Relationship

When a cyber incident strikes, we often romanticize the cause of the situation, even while we hate that it’s happening. We can’t help but love the idea that it was some APT (insert number here) or Fancy/Angry (insert animal here), or another famous threat actor with nation-state abilities. But something that we hate even more than being targeted is the realization that our adversaries are not the ones we hear about in the news but rather someone we could have identified by doing our own internal research.

The Importance of Research

In most cases, the actors that target us, and eventually breach us, are not the well-researched APTs we read about in security vendor reports and blog posts. The research that goes into those publications is truly impressive, and it is done by some of the most skilled cyber threat analysts in the field. We leverage their work to get a view of the general threat landscape, usually filtered by the industry, vertical, or geographic location we find ourselves in. But we need to apply the same techniques when we analyze our own internal detections.

Our controls are constantly gathering signals for us, small pieces of the bigger puzzle we need to understand: the domains, IP addresses and hashes in a phishing e-mail or a beacon, which we can enrich with historical WHOIS records, TLS/SSL certificates, and more. These pieces of evidence are left behind by threat actors who are just as human and error-prone as we are, and they reuse infrastructure more often than they should. Every detection by our security controls tells a story, from the noisy “big bad internet” activity like perimeter scans and brute-force attempts all the way down to malware on endpoints beaconing out of our networks. For an intelligence analyst, these are the needles in the stack of needles we use to track our adversaries.
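To make the “stack of needles” concrete, here is an added example (not code from the original post or from Anomali) of the pivoting an analyst does by hand: detections from different controls are linked into one actor profile whenever they share an infrastructure artifact such as a WHOIS registrant e-mail, a TLS certificate fingerprint or a hosting IP. The detections, domains, IPs and hashes are constructed for the example and the pivot fields are an assumption; a real program would also pivot on things like registrar, name server or sender address.

```python
"""Cluster internal detections into actor profiles by pivoting on shared
infrastructure artifacts. Added example; not from the original post."""
from dataclasses import dataclass
from datetime import date

# Indicator fields treated as pivots (an assumption for this example):
# two detections sharing any value in one of these fields are linked.
PIVOT_KEYS = ("whois_email", "cert_sha256", "ip")


@dataclass
class Detection:
    event_id: str
    seen: date
    source: str          # the control that raised the detection
    indicators: dict     # e.g. {"domain": ..., "whois_email": ..., "ip": ...}


def build_profiles(detections):
    """Return actor profiles: connected components of detections that are
    linked (directly or transitively) by a shared pivot indicator."""
    parent = {d.event_id: d.event_id for d in detections}

    def find(x):
        # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_owner = {}  # (field, value) -> event_id that first carried it
    for d in detections:
        for key in PIVOT_KEYS:
            value = d.indicators.get(key)
            if value is None:
                continue
            if (key, value) in first_owner:
                union(first_owner[(key, value)], d.event_id)
            else:
                first_owner[(key, value)] = d.event_id

    groups = {}
    for d in detections:
        groups.setdefault(find(d.event_id), []).append(d)

    profiles = []
    for members in groups.values():
        members.sort(key=lambda m: m.seen)
        profiles.append({
            "events": [m.event_id for m in members],
            "first_seen": members[0].seen,
            "last_seen": members[-1].seen,
            "sources": sorted({m.source for m in members}),
            # every distinct value per pivot field that the profile has used
            "pivots": {
                key: sorted({m.indicators[key] for m in members if key in m.indicators})
                for key in PIVOT_KEYS
            },
        })
    profiles.sort(key=lambda p: p["first_seen"])
    return profiles


# Constructed sample detections (hypothetical domains, IPs and hashes).
# E1 and E2 are phishing domains registered with the same e-mail address;
# E3 is an endpoint beacon whose C2 reuses E2's TLS certificate; E4 is an
# unrelated perimeter scan that should stay unlinked.
SAMPLE = [
    Detection("E1", date(2018, 7, 3), "mail-gateway",
              {"domain": "invoice-portal.example",
               "whois_email": "reg@example.test", "ip": "192.0.2.10"}),
    Detection("E2", date(2018, 9, 18), "mail-gateway",
              {"domain": "payroll-update.example",
               "whois_email": "reg@example.test", "cert_sha256": "a1" * 32}),
    Detection("E3", date(2019, 2, 27), "edr",
              {"domain": "cdn-sync.example", "cert_sha256": "a1" * 32,
               "ip": "198.51.100.7"}),
    Detection("E4", date(2019, 3, 1), "firewall",
              {"ip": "203.0.113.99"}),
]


def main():
    for p in build_profiles(SAMPLE):
        label = "profile" if len(p["events"]) > 1 else "unlinked"
        pivots = {k: v for k, v in p["pivots"].items() if v}
        print(f"{label}: {p['events']} {p['first_seen']}..{p['last_seen']} "
              f"sources={p['sources']} pivots={pivots}")


if __name__ == "__main__":
    main()
```

Run on the sample, the mail-gateway phishing events and the EDR beacon collapse into a single profile first seen in July 2018, while the firewall scan stays on its own. The link between E1 and E3 is transitive (they share nothing directly), which is exactly the kind of connection that gets missed when each detection is triaged in isolation.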

With a full-fledged threat intelligence program, the CISO’s post-breach conversation with the security team might go something like this:

  • “Incident Response and Forensics team, do we know what happened?”
  • “We’ve provided all the Indicators of Compromise (IOCs) to the TI team.”
  • “Which APT is behind this?”
  • “Well, none. The actor behind this breach is a profile we have been tracking for a while. We created a profile for this actor when we first saw a phishing campaign eight months ago. Subsequently, this actor targeted us with nine more campaigns and managed to drop keystroke logger malware onto a user’s machine. The bad news is that the actor was successful in breaching us, the good news is, we know exactly who they are.”

The Conclusion

Actor profiling and attribution are not always an exact science, but each security team can make the art more of a science by collecting IOCs, those little pieces of the overall puzzle. Cyber threat intelligence programs are critical for gathering and analyzing this evidence to determine who our real adversaries are. By practicing adversary profiling on internal detections we sharpen our skills as analysts, grow our catalog of known bad actors, and help prevent those frantic 5am phone calls.

Find out how cyber threat intelligence is evolving: get the SANS 2019 Cyber Threat Intelligence (CTI) Survey Results.

About the Author

Andrew de Lange

Andrew de Lange is a solutions consultant for Anomali. Andrew has over 15 years of experience in cyber security, with the bulk of that time spent in Financial Services and Banking. He is an evangelist for Cyber Threat Intelligence collaboration initiatives and community-driven defence.
