Reverse Deception: Organized Cyber Threat Counter-Exploitation (76 page)

Actions
Well rehearsed, ad hoc, random, controlled versus uncontrolled

Attack origination points
Outside, inside, single point, diverse points

Numbers involved in attack
Solo, small group, big group

Knowledge source
Chat groups, web, oral, insider knowledge, espionage

It is legal to develop behavioral indicators of specific malicious IP addresses versus individuals. With respect to the preceding points of personality, it is very possible to observe malicious IP addresses with a standard operating procedure, method of entry, and goals or objectives. This information, when analyzed across large enterprises such as government networks, can show which areas of the production network need to be protected in order to increase defensive posture and protection levels.

Analyst Workflow
   It is important for an analyst to adhere to a clearly documented workflow to completely cover every aspect of the operational, intelligence, and technical impact of an attack against a production network. The workflow looks like this:

Event triage

        
Validation/threat assessment
Confirmation of the event of threat

Case overview

        
Assessments

            
History/hotspots
Correlation of prior activity to this network segment

            
Nature of information targeted
The observable goal of the attacker

            
Victim system functionality
Evaluation of the system that was affected

Attack

        
Vulnerability/exploit
Evaluation of the injection vector used by the attacker