Attacks/Breaches
10/2/2012 12:59 PM

Turning Tables: ID'ing The Hacker Behind The Keyboard

How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense

Second in an occasional series on knowing the attacker.

Even if you learn the name and get a photo of the Chinese hacker sitting behind the keyboard and siphoning your valuable intellectual property, it's unlikely to lead to his arrest. But there are ways to use that information to put the squeeze on the attacker and his sponsors.

After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself, attempting to profile the bad actors stealing your blueprints or customer credit card numbers, or leaking your usernames and passwords on Pastebin. Leading that charge is CrowdStrike, the startup that aims to aggressively profile, target, and, ultimately, help unmask sophisticated cyberattackers.

Trend Micro also has been drilling down on the characteristics of different types of attackers, recently profiling the East Asian cyberespionage attacker versus the Eastern European cybercrime attacker. This shift toward getting to know the enemy behind the malware is a new way to put up better defenses against these inevitable attacks.

"I feel like we are at a tipping point," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We're at a place in the industry where we are about to throw away 30 years of thinking on this issue ... Companies are willing to consider other strategies, and they are dissatisfied and really pissed off with the fact that they've spent millions of dollars in defense and defense-in-depth and best practices, and it's still not helping. We're making the adversary earn their medals, but they are still getting in. It may take two days now instead of one, but that's not really a win."

But since you can't really fly to China and arrest the hacker who's siphoning the intellectual property out of your servers, it's more important to know what he's after than who he is, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "You want to know what they are after. That's the end of it," Hoglund says. "If incident response has a picture to show the board that helps validate what they're doing ... at the end of the day, does it really matter? The guy who's after military technology, or your high-value IP on the commercial side -- that's the game. [He] might be interested in M&A activities or other work in another country to get a strategic advantage."

Hoglund says the best way to beat the APT is incident-response and least-privilege user controls. "If a company has an incident-response [program] in place and a good security policy with least privileges, they can put a serious dent in APT. That's a fact," Hoglund says. "It's also a fact that most companies don't do that."

So how can you use intelligence about the bad guy targeting you to better protect your organization?

Alperovitch says the key is finding out what company or organization is benefiting from the information that the attacker is stealing. "While we're interested in the guy behind it, it's also who's ultimately benefiting from the information. Maybe it's this guy in China [doing the hacking], but a state-owned oil and gas firm is getting to better compete in the marketplace" with the information he's grabbing for them, Alperovitch says.

Once you pinpoint the company sponsoring or getting the stolen intelligence, you have some legal options. "If you know the company, you can sue them. You can pick a jurisdiction because a lot of them are multinational in scope," he says.

Another weapon you can use: deception. If the utility firm is snooping on negotiation information, you can then plant phony data that derails their cyberespionage operation, he says.
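Planted phony data is most useful when the decoy can also tell you it has been touched. The Python example below is added here and is not from the article, CrowdStrike or any vendor product; it shows one way to do that with honeytokens: each decoy document carries a token derived with HMAC from a server-side secret and a label, and a scanner looks for registered tokens in outbound proxy or DLP log lines. The secret key, decoy labels, file host and log lines are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Server-side secret used to derive tokens; constructed for this example only.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

TOKEN_HEX_LEN = 20
TOKEN_RE = re.compile(r"\b[0-9a-f]{%d}\b" % TOKEN_HEX_LEN)


def make_canary(secret_key: bytes, label: str) -> str:
    """Derive an unguessable token for a decoy from a secret and its label.

    Deriving tokens instead of storing random ones means a decoy can be
    regenerated and verified from its label without a token database.
    """
    digest = hmac.new(secret_key, label.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:TOKEN_HEX_LEN]


def build_registry(secret_key: bytes, labels) -> dict:
    """Map token -> decoy label so a hit can be traced to the decoy that leaked."""
    return {make_canary(secret_key, label): label for label in labels}


def make_decoy_document(label: str, token: str) -> str:
    """Embed the token where it will travel with the file if it is copied or uploaded."""
    return (
        f"CONFIDENTIAL - negotiation summary ({label})\n"
        f"Reference: {token}\n"
        "Proposed terms: [decoy content, constructed]\n"
    )


def scan_logs(lines, registry: dict) -> list:
    """Return one alert per log line that carries a registered canary token."""
    hits = []
    for line in lines:
        for token in TOKEN_RE.findall(line):
            if token in registry:
                hits.append({"label": registry[token], "token": token, "line": line})
    return hits


# Constructed decoy labels for the demonstration.
DECOY_LABELS = ["decoy_negotiation_terms_q3", "decoy_supplier_pricing"]
REGISTRY = build_registry(SECRET_KEY, DECOY_LABELS)


def demo() -> list:
    """Scan constructed outbound-proxy log lines; one of them leaks a decoy reference."""
    leaked = make_canary(SECRET_KEY, "decoy_negotiation_terms_q3")
    log_lines = [
        "2012-10-02T09:14:01 ws-17 GET http://intranet.example.local/index.html 200",
        f"2012-10-02T09:21:44 ws-17 POST http://files.example-invalid/upload?ref={leaked} 200",
        "2012-10-02T09:22:10 ws-03 GET http://intranet.example.local/news 200",
    ]
    return scan_logs(log_lines, REGISTRY)


if __name__ == "__main__":
    for hit in demo():
        print(f"ALERT decoy '{hit['label']}' seen in: {hit['line']}")
```

The registry lookup is exact, so a hit names which decoy left the building and therefore which negotiation or project the intruder was reading; that is the attribution-to-interest signal the article argues for, gathered from your own logs rather than from the attacker's identity.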

Even having a photo of the culprit hacker and his identity can help disrupt a cyberespionage or cybercrime operation. "You can create pain for these guys by publicizing who they are and taking them out of business, if you will," Alperovitch says. "If their picture is flashed all over the news media, they are not going to work in that industry much longer, and it could cause concern with whoever's employing them ... The more you can expose cybercrime actors, [for example], the harder it is for them to do business with others."

It's all about making it painful and expensive for them to operate. Profiling your attacker can help you understand how they move within your network, for instance, says Tom Kellermann, vice president of cybersecurity at Trend Micro. "Most hackers have specific cyber kill-chains they like to employ. They don't deviate much, with the exception of delivery and exploit variables," he says. "Understanding how they move laterally within your system, for example, and what destination IPs and URLs they are using so the command-and-control is found ... Once you achieve that, it's how can you make discomfort for them? Make it more resource-intensive for them."
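Kellermann's point about tracking destination IPs and URLs until the command-and-control channel is found can be turned into a concrete check. The Python example below is added here and is not from the article, Trend Micro or any named product. It runs a constructed attacker profile (the C2 hostname and URL pattern are placeholders) over constructed outbound connection records, and it also flags destinations contacted at suspiciously regular intervals, the beaconing behaviour a kill-chain profile predicts even when the indicator itself has changed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Conn:
    ts: int      # epoch seconds
    src: str     # internal host
    dst: str     # destination host or IP
    url: str     # requested path, or "-" for non-HTTP flows


# Constructed attacker profile: hostname and URL pattern are placeholders.
PROFILE = {
    "name": "constructed-profile-A",
    "c2_hosts": {"update-check.example-invalid"},
    "url_patterns": [re.compile(r"/gate\.php\?id=\d+")],
}


def parse_line(line: str) -> Conn:
    """Parse a constructed 'ts src dst url' record."""
    ts, src, dst, url = line.split()
    return Conn(int(ts), src, dst, url)


def find_c2(records, profile, min_beacons: int = 5, max_cv: float = 0.1) -> list:
    """Flag (src, dst) pairs that match profile indicators or beacon regularly.

    Beaconing: at least min_beacons connections whose inter-arrival gaps have a
    coefficient of variation (stddev / mean) no greater than max_cv.
    """
    findings = []
    by_pair = defaultdict(list)
    ioc_pairs = set()
    for r in records:
        by_pair[(r.src, r.dst)].append(r.ts)
        hit_host = r.dst in profile["c2_hosts"]
        hit_url = any(p.search(r.url) for p in profile["url_patterns"])
        if (hit_host or hit_url) and (r.src, r.dst) not in ioc_pairs:
            ioc_pairs.add((r.src, r.dst))
            findings.append({"kind": "ioc", "src": r.src, "dst": r.dst,
                             "detail": f"matches profile {profile['name']}"})
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"kind": "beacon", "src": src, "dst": dst,
                             "detail": f"{len(stamps)} connections every ~{avg:.0f}s (cv={cv:.2f})"})
    return findings


# Constructed connection log: ws-17 beacons every 300 s to an unknown IP and
# also browses normally; ws-03 hits a URL the profile already knows about.
LOG_LINES = [
    "1349165000 ws-17 203.0.113.10 /",
    "1349165300 ws-17 203.0.113.10 /",
    "1349165600 ws-17 203.0.113.10 /",
    "1349165900 ws-17 203.0.113.10 /",
    "1349166200 ws-17 203.0.113.10 /",
    "1349166500 ws-17 203.0.113.10 /",
    "1349165010 ws-17 www.example-invalid /news",
    "1349165100 ws-17 www.example-invalid /news/2",
    "1349165700 ws-17 www.example-invalid /about",
    "1349165200 ws-03 update-check.example-invalid /gate.php?id=7",
]


def demo() -> list:
    return find_c2([parse_line(l) for l in LOG_LINES], PROFILE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:6} {f['src']} -> {f['dst']}: {f['detail']}")
```

The two detections are complementary: the indicator match catches infrastructure the profile already names, while the regularity test catches the same actor after it rotates hosts, since the delivery and exploit variables change more often than the habit of checking in on a fixed timer. Thresholds such as `min_beacons` and `max_cv` need tuning against a baseline of legitimate periodic traffic (update checks, monitoring agents) before they are useful in production.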

Still missing from the equation, he says, is applying pressure to the attackers' infrastructure suppliers, such as the hosting companies that house their servers and the alternative payment channels that breed money-laundering. "Those are the only ways to force them to stop hacking and do their own damage control," Kellermann says.

[ As companies try to make sense of a greater amount of information on their networks, anomaly detection becomes more difficult but more important as well. See Security Intelligence Starts With Detecting The Weird. ]

Knowing who your attacker is can help in some ways, but there are limitations, says Jeffrey Carr, CEO of Taia Global. "It helps when you're a large corporation with millions of nodes on your network and lots of files, and you have no idea what is strategically valuable and what isn't ... it does help you understand who wants what you have," Carr says.

It can also help drive home to your users the need to lock down data and devices while traveling overseas and doing business in countries like China or Russia, for example, he says. "They have to understand the insider threat. They have to make sure their executives [understand they can] be individually targeted when they travel," Carr says. "So if they are leaving the office with a laptop or cell and then come back and replug into the network, it doesn't matter if you are defending against spear-phishing [attacks]. You just got owned because of a senior executive" who got infected overseas, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments

pmoriarty, User Rank: Apprentice
10/2/2012 | 10:22:48 PM
re: Turning Tables: ID'ing The Hacker Behind The Keyboard
It's a very large leap from identifying a hacker in China to connecting said hacker back to a multinational corporation in any way that will stand up in court. And if you fail to make your case, you may find yourself hacked and countersued. That's starting to get pretty far adrift from any company's core competencies.