Reverse Deception: Organized Cyber Threat Counter-Exploitation (35 page)

These facets of information can convey a significant portion of intelligence about a threat. By understanding the lengths attackers have gone to infiltrate your network, you can infer their resources. Understanding your own enterprise and the levels of security implemented in the locations that were infiltrated and evaded by a threat is also an important factor.

This component can also be measured by level of education, which ties back to resources. Some threats snoop only because they can for ego purposes. Some threats have a very specific mission or target. Some threats are simply attempting to pump and dump as much as possible for resale on the underground digital black market (this is where most foreign intelligence services reside to procure data from organized criminal groups).

This is one of the most difficult observables to ascertain. Without having an understanding of what is actually going on within your enterprise, you will not be able to weigh all of the needed intelligence to make this assumption. Measuring the resources of the threat is highly difficult and can never be completely accurate without insider information into the threat itself (by infiltrating the circle of trust of the individual or group, for example). Due to these factors, there is no measurable list of possibilities. You’ll need to combine the frequency, timeliness, numbers involved in the attack, and skills and methods used to get a clearer picture and determine whether the threat is lower on the criminal food chain or right up there with a state-sponsored cyber threat (SSCT).

Keep in mind that another human is at the other end of the keyboard and needs to research the best tools, tactics, and methods to get into your enterprise. Attackers also must have the appropriate skills and education to carry out specific operations (for example, was this self-paid or more of a trained skill?) across your enterprise. Also consider the times of access. Does it look like the threat is doing this as a spare-time venture or for work-related purposes?

Knowledge Source

Many public sources can be used to track most threats. Fortunately, over the past few years, there has been an explosion of public forums and channels used for criminal activity. Most of these sites are located outside the United States; a few underground sites are hosted within the United States, but generally do not last long. The lion’s share of underground forums is hosted on servers across the Asian continent, specifically Eastern Europe and Southeast Asia. Some are hosted in the Middle East, but those are more radical and fundamentalist-driven sites sponsoring Jihad.

There are numerous forms of knowledge sources you can use to learn more about, attribute, and track a specific threat. These include public security sites, underground forums, public forums, hacker group private sites, and even social networking sites, where individuals and groups may post information about their interests, skills, support for other criminals (under the guise of research purposes), and their friends or crew.

The following sections describe a short list of sources that can be used to learn more about threats, both active and historic. For easier digestion, these are divided into the categories of public security data sources and forums, underground forums, and social networking sites. All of these sites can be used to learn more about threats, operators, actors, new threats in development, and the subtle nuances of the underground community.

Public Security Data Sources and Forums

There is a plethora of information out there to be collected, analyzed, and leveraged when attempting to better understand each threat as it moves throughout your enterprise. Some of the sites mentioned here are centered around specific areas or niches of security (malware, phishing, botnets, rootkits, and so on). When combined, these will help enable you to put all of the pieces together, analogous to a puzzle.

The following sections describe some of the sites you can use to your benefit when performing cyber counterintelligence against an active threat. For each data source, you’ll find a rating for its value from a tactical and operational level (in our humble opinion), as follows:

Fair
Good
Excellent

NOTE

None of these sources are useless in any way. Some simply provide more information into the who, what, and why portions of the cyber counterintelligence approach to help you understand where the bad guys are and where they’ve been. If we have left out your site (and we know there are dozens), let us know, and we’ll add you to our companion website as a public knowledge source. And no, we don’t use our own machines to analyze data sources (we know you bad guys love to send us malware and naughty links)
.

Shadowserver
   This data repository is a great resource that can be used to track specific botnets, criminal networks, and cyber-criminal campaigns. This group is based mostly in Europe, with contributors throughout the world working together to detect and track botnet and criminal networks. It’s located at
www.shadowserver.org
.

Excellent