In today’s cyber threat landscape, identifying your enemy is a crucial piece of any defense plan. Finding out who your attackers are, how they work, and what they want is critical to protecting your data and intellectual property. Fortunately, breached computer systems, like any crime scene, contain a trail of clues.
When it comes to advanced cyber-attacks, assailants may give themselves away through their malware code, their phishing emails, the command-and-control (CnC) servers they use, and even their behavior. Just as fingerprint, DNA, and fiber analysis have become invaluable in criminal forensics, connecting the dots of an advanced cyber-attack can help identify even the most sophisticated threat actors, if researchers know what to look for.
Drawing from a sample of nearly 1,500 campaigns tracked, FireEye, a leader in stopping today's new breed of cyber-attacks, published an interesting whitepaper, titled Digital Bread Crumbs: Seven Clues to Identifying who’s Behind Advanced Cyber Attacks, that describes the following facets of malware attacks and what they often reveal about the culprits:
- Keyboard Layout. Hidden in phishing attempts is information about the attacker’s choice of keyboard, which varies by language and region.
- Malware Metadata. Malware source code contains technical details that suggest the attacker’s language, location, and ties to other campaigns.
- Embedded Fonts. The fonts used in phishing emails point to the origin of the attack. This is true even when the fonts are not normally used in the attacker’s native language.
- DNS Registration. Domains used in attacks pinpoint the attacker’s location. Duplicate registration information can tie multiple domains to a common culprit.
- Language. Language artifacts embedded in malware often point to the attacker’s country of origin. And common language mistakes in phishing emails can sometimes be reverse-engineered to determine the writer’s native language.
- Remote Administration Tool Configuration. Popular malware-creation tools include a bevy of configuration options. These options are often unique to the attacker using the tool, allowing researchers to tie disparate attacks to a common threat actor.
- Behavior. Behavioral patterns, such as the techniques used and the targets chosen, reveal some of the attacker’s methods and motives.
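As an added illustration of how these clues are used in practice (not code from the whitepaper or from FireEye), the script below links campaigns that share a strong pivot, here assumed to be identical domain-registration data or an identical RAT configuration, and then tallies the weaker regional hints (email charset as a keyboard-layout proxy, PE resource language ID) across each resulting cluster. All campaign records are constructed sample data; the field names and the choice of which fields count as linking pivots are assumptions.

```python
from collections import Counter, defaultdict

# Windows resource LANGIDs (real values) used to read the language hint out of PE metadata.
LANGID_NAMES = {0x0409: "en-US", 0x0804: "zh-CN", 0x0419: "ru-RU", 0x0401: "ar-SA"}

# Assumption: shared registrant data or an identical RAT configuration links two
# campaigns to one actor; charset and language ID are only regional hints.
LINKING_FIELDS = ("registrant", "rat_config")

# Constructed sample artifacts, one record per campaign; none of this is real data.
CAMPAIGNS = {
    "camp-A": {"charset": "gb2312", "lang_id": 0x0804, "registrant": "reg1@example.invalid", "rat_config": "mutex=Ab12;port=443"},
    "camp-B": {"charset": "utf-8", "lang_id": 0x0409, "registrant": "reg1@example.invalid", "rat_config": "mutex=Zz99;port=8080"},
    "camp-C": {"charset": "koi8-r", "lang_id": 0x0419, "registrant": "reg2@example.invalid", "rat_config": "mutex=Ab12;port=443"},
    "camp-D": {"charset": "windows-1256", "lang_id": 0x0401, "registrant": "reg3@example.invalid", "rat_config": "mutex=Qq77;port=53"},
}

def cluster_campaigns(campaigns, linking_fields=LINKING_FIELDS):
    """Union-find over campaigns: two campaigns join one cluster when they share
    the same value in any linking field. Returns a sorted list of sorted name lists."""
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    seen = {}  # (field, value) -> first campaign that exhibited it
    for name, artifacts in campaigns.items():
        for field in linking_fields:
            value = artifacts.get(field)
            if value is None:
                continue
            key = (field, value)
            if key in seen:
                parent[find(name)] = find(seen[key])  # merge with the earlier campaign
            else:
                seen[key] = name
    groups = defaultdict(list)
    for name in campaigns:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())

def regional_hints(campaigns, cluster):
    """Tally the weak hints across a cluster so an analyst can see whether the
    linked campaigns point to one region or to a deliberately mixed picture."""
    langs = Counter(LANGID_NAMES.get(campaigns[n]["lang_id"], "unknown") for n in cluster)
    charsets = Counter(campaigns[n]["charset"] for n in cluster)
    return {"lang_id": dict(langs), "charset": dict(charsets)}

if __name__ == "__main__":
    for cluster in cluster_campaigns(CAMPAIGNS):
        print(cluster, regional_hints(CAMPAIGNS, cluster))
```

Campaigns A, B and C end up in one cluster (A and B share a registrant, A and C share a RAT configuration) even though their language hints disagree, which is exactly the situation where the strong pivots matter more than any single regional artifact.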
By examining these areas, security professionals can make great strides in identifying threat actors and better defend their organizations against future cyber assaults. Knowing the source of an attack is especially useful when combined with intelligence gleaned from previous attacks by the same threat actor elsewhere. Solutions such as the FireEye Dynamic Threat Intelligence cloud—which shares anonymized threat intelligence across the growing base of FireEye customers—provide information about the tactics, protocols, ports, and callback channels used by attackers.
In another recent report, titled World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks, FireEye describes the distinct international and local characteristics of cyber-attack campaigns waged by governments worldwide. Since this is a hot topic right now, we want to at least briefly raise it here.
“Cyber weapons are being used as an advantage in real-world conflict”, said Kenneth Geers, senior global threat analyst, FireEye. “Regions have their own set of cyber weapons, which they will use to their advantage when it comes to a conflict or to help their allies. The world is at cyber war with attacks in every direction and location. Cyber shots are fired in peacetime for immediate geopolitical ends, as well as to prepare for possible future kinetic attacks. Since attacks are localized and idiosyncratic—understanding the geopolitics of each region can aid in cyber defense”, he elaborated.
Cyber-attacks have already proven themselves as a low-cost, high-payoff way to defend national sovereignty and to project national power. The key characteristics for some of the regions include:
- Asia-Pacific. Home to large, bureaucratic hacker groups, such as the “Comment Crew”, which pursues targets in high-frequency, brute-force attacks.
- Russia/Eastern Europe. These cyber-attacks are more technically advanced and highly effective at evading detection.
- Middle East. These cybercriminals are dynamic, often using creativity, deception, and social engineering to trick users into compromising their own computers.
- United States. The most complex, targeted, and rigorously engineered cyber-attack campaigns to date.
In addition, the report speculates about factors that could change the world’s cyber security landscape in the near to medium term, including:
- Outage of national critical infrastructure that is devastating enough to force threat actors to rethink the power of cyber-attacks.
- A cyber arms treaty could stem the use of cyber-attacks.
- Privacy concerns over PRISM could restrain government-sponsored cyber-attacks in the U.S. and globally.
- New actors on the cyber stage, most notably Brazil, Poland, and Taiwan.
- Increased focus on developing evasion methods that bypass detection.
For more information and to find out more about how the FireEye threat-protection platform can help you better defend against cyber-attacks, please visit http://www.FireEye.com.