Organized crime has grown more complex since the turn of the century. Coinciding with the rise of the digital world, cybercriminals have leveraged the proliferation of technology to broaden their reach with a more sophisticated network-structured model, effectively globalizing their operations in cyberspace and ultimately devastating companies and consumers alike.
The faster you act, the quicker you will be able to disrupt the adversary and prevent future attacks, directly yielding greater financial savings and identity protection. Part of taking action, however, requires knowing who the bad actor is in the first place – in other words, attributing and uncovering the identities of cyber adversaries.
In the past, organized crime groups utilized a “boots on the ground” approach to attack, involving the coordination of more traditional hierarchical structures and on-location activity. More recently, such an approach has fallen out in favor of smaller, nimbler, more loosely structured crime rings that use advanced technology to widen their capabilities.
Cybercriminals can hack into corporate databases and steal sensitive information from anywhere in the world. Taking out the “mob boss” to cripple their infrastructure and operations is a dated strategy—a modern approach to crime fighting must mirror the technological and organizational sophistication of our cybercriminal nemeses, and, as a result, security analysts are starting to shift their views on identity attribution.
Back in 2007, I was deployed to Iraq as a U.S. Air Force intelligence analyst, assigned to the Joint Special Operations Command (JSOC) Task Force with the objective of disrupting terrorist activities by targeting and capturing Al-Qaeda senior leadership. We were in constant pursuit of adversaries who endangered the very fabric of our democracy, seeking to discover and uncover the identities of enemy forces’ leadership, weapons smugglers, and financiers. To achieve the Task Force’s objectives, we used a myriad of sophisticated resources, including signals intelligence (SIGINT), human intelligence (HUMINT), and state-of-the-art drones.
The Task Force was successful in slowing down insurgent forces, due in large part to the accurate intelligence and positive identification (PID) of adversaries. In our governed rules of engagement, PID means that a hostile has been reasonably identified as a member of the target group or a confirmed imminent threat to our team. Drones, sky cameras, and many eyes and ears on the ground all worked together towards finding and finishing positively identified adversaries.
Adding a deeper layer of complexity to our mission was the necessity for confirming that a “precision strike” from a drone missile actually hit the intended mark. Occasionally, militant groups would falsely announce the death of their leaders or senior operatives in an attempt to throw us off track. Verifying a successful, targeted kill requires on-the-ground confirmation by U.S. personnel, generally through substantiating physical evidence or aerial photographs. Additionally, SIGINT and social media monitoring aided in confirmation efforts.
The same thinking can be applied to unmasking cybercriminals. While intelligence units at commercial organizations may not have access to the same sophisticated resources that were at the Task Force’s disposal, a growing number of private intel teams are now slowly transitioning to a more tactical approach by making intelligence more identity-driven. Although threat actors have become increasingly adept at obfuscating their identities and attack vectors, identity intelligence and attribution analysis experts are at the forefront of developing effective countermeasures and proactive defenses.
Uncertainty in attribution and plausible deniability have historically weighed in cybercriminals’ favor, but bad actors are people too and their personal histories present opportunities for intelligence specialists. Many cybercriminals leave their own historical breadcrumb trails, through data breaches or leaks and across the surface, social, deep, and dark web, ultimately leading security forces to their identities.
While this data is transient in underground communities, a few organizations have collected breached and leaked information from open sources to fuel cybercriminal investigations. New capabilities and tools leverage breached data, open source intelligence (OSINT), proprietary information, and other data sources, making identity attribution not only possible, but reliable and able to be validated in a timely, efficient, and effective manner.
From my personal experience working in a security operations center (SOC), many security operators and traditional threat intelligence analysts are taught to fix—in a pre-defined cycle of detect, respond, remediate, and repeat—what is five feet in front of them. On the one hand, SOCs have been useful because they consolidated and correlated security alerts from so many tools into a single system. Yet the constant influx of new tools and threat feeds tends to produce an unreasonable flood of security alerts every day.
Arduous tasks such as blocking indicators of compromise, flagging suspicious beaconing, and removing phishing emails from employees’ inboxes are necessary, but strictly reactive and time consuming. Mitigating one security incident can take hours, if not days; identifying activity that could indicate a security risk and ensuring that it is correctly handled—analyzed, defended, investigated, and reported—yields an end result that is unlikely to efficiently determine the identity of the attackers.
Yet, today, after a breach makes headlines in the news, the first question on everyone’s mind is: “who did it?” By taking advantage of breached data, quickly acting on available intelligence, performing active defense, and attributing the real identity of adversaries and understanding their attack methods, cybercrime intelligence teams can now effectively neutralize and disrupt offensive cyber operations (OCO) and their infrastructure.
The Capital One breach that was disclosed in late July was compelling not only because of how massive it was but also because the bad actor, Paige Thompson, was so careless in disguising her identity following the incident.
More often than not, as previously stated, cybercriminals will attempt to obfuscate their identities. Thompson, however, chose to draw attention to herself by boasting about the crime on social media, which I believe is not listed under “Best practices” in the cybercriminal rulebook. Thompson did not try to disguise her identity, to the bemusement of the cyber world, and was subsequently identified and arrested with the help of the FBI. However, most cybercriminals don’t present themselves on silver platters in quite the way Thompson did.
By uncovering the identity of cybercriminals attacking your organization, you can take a variety of actions identified in the following five-step approach to disrupt the adversary and prevent future attacks:
1. Make the data obsolete: Resetting the passwords of employee and customer accounts, to prevent takeovers, will reduce the value of exfiltrated data on the black market and make data buyers and traders lose confidence in the seller. The dark web economy relies (to a surprising degree) on trust.
2. Move quickly: The more swiftly you can take action on the discovered compromised data, the better. This will lead to less disruption and financial losses for your organization. Every minute counts when your organization’s data is exposed. Time to actionable intelligence is key.
3. Report it: Quickly file suspicious activity reports (SARs) and inform law enforcement. Call the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) or an established contact from the local FBI cyber unit. If you haven’t connected with one already, you should. If you have a high degree of confidence in your attribution investigation, law enforcement can help indict the person and disrupt their campaign, and possibly unveil and prosecute their entire fraud ring.
4. Identify threat vectors: Analyze when and where. At what point was the data compromised? Was it due to a risky merchant? Was it a poorly administered/configured database in the cloud? Was it a weak link in your supply chain? Patch up weaknesses and holes and be sure to vet your partners’ and vendors’ security postures, as they may represent possible avenues of attack as well.
5. Collaborate: Given the interconnected nature of our networks, collaboration has become a crucial tool in the arsenal of law-abiding organizations. If you come across leaked or exposed data from another company, be proactive and inform them so they can quickly notify customers, reset passwords, and perform necessary remediation. Collaborating will allow organizations to learn more about the adversarial network and how this group or person operates. For anti-phishing, contribute to the Anti-Phishing Working Group (APWG). For identity attribution support, invest in a credible identity intelligence monitoring service.
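Steps 1 and 2 above (make the data obsolete, and move quickly) can be turned into a repeatable response routine. The following is an added example, not code from the article or any product it mentions: it takes a constructed leaked-credential dump, matches it against a constructed user store, forces a reset and revokes sessions on every matching account, flags which leaked passwords are still valid (the accounts at immediate takeover risk), and separates out e-mail domains belonging to other organizations for hand-off under step 5. The PBKDF2 hashing and the `Account` structure are assumptions standing in for whatever a real identity store uses.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the real user store's password KDF (assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    sessions: set = field(default_factory=set)
    must_reset: bool = False

def make_account(email: str, password: str, sessions) -> Account:
    salt = hashlib.sha256(email.lower().encode()).digest()[:16]  # deterministic demo salt (constructed)
    return Account(email.lower(), salt, hash_password(password, salt), set(sessions))

# Constructed user store for the demo
USERS = {a.email: a for a in [
    make_account("Alice@Example.com", "Winter2019!", {"sess-1", "sess-2"}),
    make_account("bob@example.com", "correct horse", {"sess-3"}),
    make_account("carol@example.com", "hunter2", set()),
]}

# Constructed leak in the common "email:password" dump layout, with one junk line
LEAK = """\
alice@example.com:Winter2019!
BOB@example.com:oldpassword
dave@other.example:whatever
malformed line without separator
"""

def parse_leak(text: str):
    rows = []
    for line in text.splitlines():
        if ":" not in line:          # skip lines that do not fit the layout
            continue
        email, pw = line.split(":", 1)
        rows.append((email.strip().lower(), pw))
    return rows

def respond_to_leak(users: dict, leak_text: str, now=None) -> dict:
    now = now or datetime.now(timezone.utc)
    out = {"confirmed": [], "stale": [], "unmatched": [], "sessions_revoked": 0, "at": now.isoformat()}
    for email, pw in parse_leak(leak_text):
        acct = users.get(email)
        if acct is None:             # not our user: hand off to the owning org (step 5)
            out["unmatched"].append(email)
            continue
        # still-valid passwords are the immediate takeover risk; stale ones are reset anyway (step 1)
        still_valid = hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash)
        out["confirmed" if still_valid else "stale"].append(email)
        acct.must_reset = True
        out["sessions_revoked"] += len(acct.sessions)
        acct.sessions.clear()        # log out any active attacker session
    return out
```

The `at` timestamp is the "time to actionable intelligence" the text refers to; recording it per run lets a team measure how long exposure lasts between the dump surfacing and the reset.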
What does the impact of identity attribution and disruption look like? By consistently executing on these five elements, an organization can disrupt cybercriminal operations so effectively that when exfiltrated data becomes available on nefarious forums, the criminals already know that they won’t be able to take advantage of it. Your stolen information won’t sell because you’ve developed the reputation that your data will devalue as soon as it hits a dark web marketplace.
Not only is attribution for disruption applicable to military task forces, it can also benefit financial services, retailers, cryptocurrency markets, social media platforms, as well as intelligence and law enforcement units. For law enforcement, attribution is crucial for prosecution and building a case. For corporations, attribution means identifying bad actors in order to assess the risk that an individual or entity poses, allowing the corporation to construct a competitive counter strategy.
With a few keystrokes from a connected device anywhere in the world, cybercriminals can hack into databases and steal troves of sensitive information. Security operation leaders need to understand that there is always a real person behind an attack, so shifting to catch the culprit and their cohorts rather than playing the repetitive game of defensive whack-a-mole will be essential moving forward.