Turning Tables: ID'ing The Hacker Behind The Keyboard

How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense

Second in an occasional series on knowing the attacker.

Even if you learn the name and get a photo of the Chinese hacker sitting behind the keyboard and siphoning your valuable intellectual property, it's unlikely to lead to his arrest. But there are ways to use that information to put the squeeze on the attacker and his sponsors.

After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself, attempting to profile the bad actors stealing your blueprints or customer credit card numbers, or leaking your usernames and passwords on Pastebin. Leading that charge is CrowdStrike, the startup that aims to aggressively profile, target, and, ultimately, help unmask sophisticated cyberattackers.

Trend Micro also has been drilling down on the characteristics of different types of attackers, recently profiling the East Asian cyberespionage attacker versus the Eastern European cybercrime attacker. This shift toward getting to know the enemy behind the malware is a new way to put up better defenses against these inevitable attacks.

"I feel like we are at a tipping point," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We're at a place in the industry where we are about to throw away 30 years of thinking on this issue ... Companies are willing to consider other strategies, and they are dissatisfied and really pissed off with the fact that they've spent millions of dollars in defense and defense-in-depth and best practices, and it's still not helping. We're making the adversary earn their medals, but they are still getting in. It may take two days now instead of one, but that's not really a win."

But since you can't really fly to China and arrest the hacker who's siphoning the intellectual property out of your servers, it's more important to know what he's after rather than who he is, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "You want to know what they are after. That's the end of it," Hoglund says. "If incident response has a picture to show the board that helps validate what they're doing ... at the end of the day, does it really matter? The guy who's after military technology, or your high-value IP on the commercial side -- that's the game. [He] might be interested in M&A activities or other work in another country to get a strategic advantage."

Hoglund says the best way to beat the APT is incident response combined with least-privilege user controls. "If a company has an incident-response [program] in place and a good security policy with least privileges, they can put a serious dent in APT. That's a fact," Hoglund says. "It's also a fact that most companies don't do that."

So how can you use intelligence about the bad guy targeting you to better protect your organization?

Alperovitch says the key is finding out what company or organization is benefiting from the information that the attacker is stealing. "While we're interested in the guy behind it, it's also who's ultimately benefiting from the information. Maybe it's this guy in China [doing the hacking], but a state-owned oil and gas firm is getting to better compete in the marketplace" with the information he's grabbing for them, Alperovitch says.

Once you pinpoint the company sponsoring or getting the stolen intelligence, you have some legal options. "If you know the company, you can sue them. You can pick a jurisdiction because a lot of them are multinational in scope," he says.

Another weapon you can use: deception. If the utility firm is snooping on negotiation information, you can then plant phony data that derails their cyberespionage operation, he says.

Even having a photo of the culprit hacker and his identity can help disrupt a cyberespionage or cybercrime operation. "You can create pain for these guys by publicizing who they are and taking them out of business, if you will," Alperovitch says. "If their picture is flashed all over the news media, they are not going to work in that industry much longer, and it could cause concern with whoever's employing them ... The more you can expose cybercrime actors, [for example], the harder it is for them to do business with others."

It's all about making it painful and expensive for them to operate. Profiling your attacker can help you understand how they move within your network, for instance, says Tom Kellermann, vice president of cybersecurity at Trend Micro. "Most hackers have specific cyber kill-chains they like to employ. They don't deviate much, with the exception of delivery and exploit variables," he says. "Understanding how they move laterally within your system, for example, and what destination IPs and URLs they are using so the command-and-control is found ... Once you achieve that, it's how can you make discomfort for them? Make it more resource-intensive for them."

Still missing from the equation, he says, is applying pressure to the attackers' infrastructure suppliers, such as the hosting companies that house their servers and the alternative payment channels that breed money-laundering. "Those are the only ways to force them to stop hacking and do their own damage control," Kellermann says.


Knowing who your attacker is can help in some ways, but there are limitations, says Jeffrey Carr, CEO of Taia Global. "It helps when you're a large corporation with millions of nodes on your network and lots of files, and you have no idea what is strategically valuable and what isn't ... it does help you understand who wants what you have," Carr says.

It can also help drive home to your users the need to lock down data and devices while traveling overseas and doing business in countries like China or Russia, for example, he says. "They have to understand the insider threat. They have to make sure their executives [understand they can] be individually targeted when they travel," Carr says. "So if they are leaving the office with a laptop or cell and then come back and replug into the network, it doesn't matter if you are defending against spear-phishing [attacks]. You just got owned because of a senior executive" who got infected overseas, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

10/2/2012 | 10:22:48 PM
re: Turning Tables: ID'ing The Hacker Behind The Keyboard
It's a very large leap from identifying a hacker in China to connecting said hacker back to a multinational corporation in any way that will stand up in court. And if you fail to make your case, you may find yourself hacked and countersued. That's starting to get pretty far adrift from any company's core competencies.