10/2/2012
12:59 PM
Turning Tables: ID'ing The Hacker Behind The Keyboard

How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense

Second in an occasional series on knowing the attacker.

Even if you learn the name and get a photo of the Chinese hacker sitting behind the keyboard and siphoning your valuable intellectual property, it's unlikely to lead to his arrest. But there are ways to use that information to put the squeeze on the attacker and his sponsors.

After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself, attempting to profile the bad actors stealing your blueprints or customer credit card numbers, or leaking your usernames and passwords on Pastebin. Leading that charge is CrowdStrike, the startup that aims to aggressively profile, target, and, ultimately, help unmask sophisticated cyberattackers.

Trend Micro also has been drilling down on the characteristics of different types of attackers, recently profiling the East Asian cyberespionage attacker versus the Eastern European cybercrime attacker. This shift toward getting to know the enemy behind the malware is a new way to put up better defenses against these inevitable attacks.

"I feel like we are at a tipping point," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We're at a place in the industry where we are about to throw away 30 years of thinking on this issue ... Companies are willing to consider other strategies, and they are dissatisfied and really pissed off with the fact that they've spent millions of dollars in defense and defense-in-depth and best practices, and it's still not helping. We're making the adversary earn their medals, but they are still getting in. It may take two days now instead of one, but that's not really a win."

But since you can't really fly to China and arrest the hacker who's siphoning the intellectual property out of your servers, it's more important to know what he's after than who he is, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "You want to know what they are after. That's the end of it," Hoglund says. "If incident response has a picture to show the board that helps validate what they're doing ... at the end of the day, does it really matter? The guy who's after military technology, or your high-value IP on the commercial side -- that's the game. [He] might be interested in M&A activities or other work in another country to get a strategic advantage."

Hoglund says the best ways to beat the APT are incident response and least-privilege user controls. "If a company has an incident-response [program] in place and a good security policy with least privileges, they can put a serious dent in APT. That's a fact," Hoglund says. "It's also a fact that most companies don't do that."

So how can you use intelligence about the bad guy targeting you to better protect your organization?

Alperovitch says the key is finding out what company or organization is benefiting from the information that the attacker is stealing. "While we're interested in the guy behind it, it's also who's ultimately benefiting from the information. Maybe it's this guy in China [doing the hacking], but a state-owned oil and gas firm is getting to better compete in the marketplace" with the information he's grabbing for them, Alperovitch says.

Once you pinpoint the company sponsoring or getting the stolen intelligence, you have some legal options. "If you know the company, you can sue them. You can pick a jurisdiction because a lot of them are multinational in scope," he says.

Another weapon you can use: deception. If the utility firm is snooping on negotiation information, you can then plant phony data that derails their cyberespionage operation, he says.

Even having a photo of the culprit hacker and his identity can help disrupt a cyberespionage or cybercrime operation. "You can create pain for these guys by publicizing who they are and taking them out of business, if you will," Alperovitch says. "If their picture is flashed all over the news media, they are not going to work in that industry much longer, and it could cause concern with whoever's employing them ... The more you can expose cybercrime actors, [for example], the harder it is for them to do business with others."

It's all about making it painful and expensive for them to operate. Profiling your attacker can help you understand how they move within your network, for instance, says Tom Kellermann, vice president of cybersecurity at Trend Micro. "Most hackers have specific cyber kill-chains they like to employ. They don't deviate much, with the exception of delivery and exploit variables," he says. "Understanding how they move laterally within your system, for example, and what destination IPs and URLs they are using so the command-and-control is found ... Once you achieve that, it's how can you make discomfort for them? Make it more resource-intensive for them."
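The following Python script is an added example, not code from the article or from Trend Micro or CrowdStrike tooling. It shows one defensive way to act on Kellermann's point about finding the destination IPs and URLs an intruder uses: read outbound proxy log lines, and flag destinations that are contacted by very few internal hosts and at near-constant intervals, the "beaconing" pattern typical of a command-and-control channel. The log format, hostnames, IP addresses and the thresholds (minimum events, allowed jitter, maximum host count) are all constructed assumptions for this example; a real deployment would tune them against the organization's own traffic baseline.

```python
"""Flag candidate command-and-control destinations in outbound proxy logs.

Added example (not from the article or any vendor product). Two heuristics
are combined: rarity (few internal hosts reach the destination) and
regularity (low jitter between successive requests from one host).
Log format, sample lines and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <url_path>"
# 10.1.1.7 -> update-check.example.net: one host, ~300 s period (suspect)
# *        -> time.example.com: regular, but many hosts (legitimate infra)
# 10.1.1.5 -> cdn.example.org: one host, but irregular (ordinary browsing)
SAMPLE_LOG = """\
2012-10-02T09:00:00 10.1.1.7 update-check.example.net /ping
2012-10-02T09:00:10 10.1.1.5 www.example.com /index.html
2012-10-02T09:00:12 10.1.1.6 www.example.com /news
2012-10-02T09:01:00 10.1.1.5 cdn.example.org /a.js
2012-10-02T09:01:40 10.1.1.5 cdn.example.org /b.js
2012-10-02T09:02:00 10.1.1.5 time.example.com /sync
2012-10-02T09:02:00 10.1.1.6 time.example.com /sync
2012-10-02T09:02:00 10.1.1.8 time.example.com /sync
2012-10-02T09:05:01 10.1.1.7 update-check.example.net /ping
2012-10-02T09:07:10 10.1.1.5 cdn.example.org /c.js
2012-10-02T09:08:30 10.1.1.8 www.example.com /about
2012-10-02T09:10:00 10.1.1.7 update-check.example.net /ping
2012-10-02T09:12:00 10.1.1.5 time.example.com /sync
2012-10-02T09:12:00 10.1.1.6 time.example.com /sync
2012-10-02T09:12:00 10.1.1.8 time.example.com /sync
2012-10-02T09:14:59 10.1.1.7 update-check.example.net /ping
2012-10-02T09:20:00 10.1.1.7 update-check.example.net /ping
2012-10-02T09:22:00 10.1.1.5 time.example.com /sync
2012-10-02T09:22:00 10.1.1.6 time.example.com /sync
2012-10-02T09:22:00 10.1.1.8 time.example.com /sync
2012-10-02T09:25:01 10.1.1.7 update-check.example.net /ping
2012-10-02T09:30:00 10.1.1.5 cdn.example.org /d.js
2012-10-02T09:31:15 10.1.1.5 cdn.example.org /e.js
2012-10-02T09:32:00 10.1.1.5 time.example.com /sync
2012-10-02T09:32:00 10.1.1.6 time.example.com /sync
2012-10-02T09:32:00 10.1.1.8 time.example.com /sync
2012-10-02T09:40:00 10.1.1.9 www.example.com /contact
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, path))
    return records


def group_by_flow(records):
    """Return dst -> src -> sorted list of request timestamps."""
    flows = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, _path in records:
        flows[dst][src].append(ts)
    for srcs in flows.values():
        for times in srcs.values():
            times.sort()
    return flows


def find_beacons(records, min_events=4, max_cv=0.1, max_hosts=2):
    """Flag (src, dst) pairs that look like beaconing to a rarely used host.

    max_cv is the allowed coefficient of variation (stdev / mean) of the
    inter-request gaps; near-zero means a fixed sleep timer. Thresholds are
    assumptions for this example.
    """
    hits = []
    for dst, srcs in group_by_flow(records).items():
        if len(srcs) > max_hosts:
            continue  # reached by many hosts: treat as shared, legitimate infra
        for src, times in srcs.items():
            if len(times) < min_events:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            period = mean(gaps)
            if period <= 0:
                continue
            cv = pstdev(gaps) / period
            if cv <= max_cv:
                hits.append({"dst": dst, "src": src, "events": len(times),
                             "period": period, "cv": round(cv, 4)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"suspect C2: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['period']:.0f}s ({hit['events']} events, cv={hit['cv']})")
```

Only the single-host, fixed-period flow to update-check.example.net is reported; the regular but widely shared time sync host and the irregular single-host CDN traffic are not. In practice the flagged destinations feed a blocklist or proxy rule, which is the "make it more resource-intensive for them" step Kellermann describes: the intruder has to stand up and re-deliver new infrastructure.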

Still missing from the equation, he says, is applying pressure to the attackers' infrastructure suppliers, such as the hosting companies that house their servers and the alternative payment channels that breed money-laundering. "Those are the only ways to force them to stop hacking and do their own damage control," Kellermann says.


Knowing who your attacker is can help in some ways, but there are limitations, says Jeffrey Carr, CEO of Taia Global. "It helps when you're a large corporation with millions of nodes on your network and lots of files, and you have no idea what is strategically valuable and what isn't ... it does help you understand who wants what you have," Carr says.

It can also help drive home to your users the need to lock down data and devices while traveling overseas and doing business in countries like China or Russia, for example, he says. "They have to understand the insider threat. They have to make sure their executives [understand they can] be individually targeted when they travel," Carr says. "So if they are leaving the office with a laptop or cell and then come back and replug into the network, it doesn't matter if you are defending against spear-phishing [attacks]. You just got owned because of a senior executive" who got infected overseas, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
pmoriarty
User Rank: Apprentice
10/2/2012 | 10:22:48 PM
re: Turning Tables: ID'ing The Hacker Behind The Keyboard
It's a very large leap from identifying a hacker in China to connecting said hacker back to a multinational corporation in any way that will stand up in court. And if you fail to make your case, you may find yourself hacked and countersued. That's starting to get pretty far adrift from any company's core competencies.