How to make Russian Hacker Attribution useful to Active Defense

The recent DOJ indictment of four Russian criminals who broke into Yahoo!’s customer data and stole over a half billion sensitive records was significant for many reasons ( see U.S. Charges Russian FSB Officers and Criminal Conspirators ). The point that stood out to me the MOST was that the arrests proved the same hackers engaged in nation state cyberwarfare between Russia and the U.S., are also engaged in petty cybercrime  including theft of gift/credit cards, and spam campaigns to sell illicit erectile dysfunction drugs. (See Cascading Effect: One Attack Led to Another at Yahoo ).

Here’s a chart I’ve had for at least four years that shows attackers and attack methods are often the same while attack motivations differ. The only time there appears to be a significant difference in attack methods is when they involve DDoS campaigns.

Attack Methods Differ; Attackers and Methods are often the Same

I’ve been tweaking this chart for years.  At first, I believed that Nation States must be engaged in incredibly stealthy never-before-seen attack methods but when I presented this chart to intelligence officers a few years ago, they told me that most times, nation states use the exact same methods as the cybercriminals.

The second tweak I made was when I recently learned in early 2017 that the ATTACKERS – and not just the ATTACKS – are the same as well.  This finding has been confirmed by the DOJ arrests and other news reports including another one published recently in the NYTimes. See Russian Espionage Piggybacks on a Cybercriminal’s Hacking .

What does Attribution mean for Enterprise Security?

How does attacker attribution help a CISO and an enterprise?  Most organizations don’t care, nor should they care, who the attacker is. They just want to stave off the attack.

Well, by creating ‘indicators of attacker compromise’ (IOAC) – the attribution of one attack gang to multiple types of attacks now becomes very useful.  For example, if one attack group is behind both banking Trojans and cyberespionage against employee email accounts, identifying the methods used by those same attackers can benefit BOTH the banks and the employee organizations and any other organization type the gang will target in the future. Hence, instead of just relying on multiple somewhat-redundant IOCs across attack target types, you can also benefit significantly from a single IOAC that is the parent of the multiple IOCs, which should be predictive of future unseen attacks.

One threat intelligence firm, Diskin Advanced Technologies — headed by former Shin Bet chief Yuval Diskin and staffed with former senior Israeli intelligence operatives — discovered (somewhat accidentally) that an IOC they derived to identify a gang responsible for some nasty banking Trojan attacks was the exact IOC the FBI released to identify Grizzly Steppe, the Russian gang that hacked the DNC during the 2016 U.S. election.

Central Campaign Infrastructure used by different Hacker Groups

In fact, while profiling the group activity DAT discovered this very same criminal gang rents parts of its elaborate campaign infrastructure to other threat actors from both criminal and state level arenas. Doing so, the group generated an internal dynamic profile that was evident across different hacker groups, and at the same time generated a unique behavioural signature that was identical to Grizzly Steppe`s C2 IOCs as published by U.S. Cert. (See HomeLand Security Enhanced Analysis of GRIZZLY STEPPE Activity ).

Predictive Models and IOACs

DAT’s predictive model came up with this IOAC (my term) to identify the common hackers involved in both nation state (DNC Hacking) AND cybercriminal (bank Trojan) campaigns.

Knowing that the same guys (I haven’t seen any women yet) who are undermining democracies across the world on a political level are also stealing money out of the pockets of innocent consumers and institutions in cybercrime and Trojan campaigns just makes us all angrier.   But attribution and anger alone won’t do much to help.  Indicators of Attacker Compromise will, if we can only get our hands on enough of them and spread them around continuously and rapidly to potential targets across the globe.

Attack footprints can change quickly, malware can and does mutate any number of ways, but attackers represent a finite number of people who can only operate in so many ways, whilst leaving behind relatively unique digital fingerprints that identify them. Indicators of Attacker Compromise can and should be very useful in fending off attacks in the future.