By Salvatore Stolfo on Oct 23, 2018 11:07:05 AM
Attribution of attackers and uncovering their true identities remains a challenge for incident response teams. But in a growing number of cases, attribution is becoming achievable. What’s changed?
We often hear that attribution can be tricky because it's possible for hackers to manipulate digital records. Cybercriminals are very good at covering their tracks. But that doesn’t mean it’s impossible. Though attribution forensics are still evolving, commercial technology developed through government-funded research is helping the private sector improve its accuracy.
Naming and shaming
Security practitioners are also considering attribution (the act of investigating and identifying a hacker or leaker) as a potential deterrent. Even the U.S. government has increasingly used the tactic of publicly naming cybercriminals (“name and shame”), built on technologies that aid attribution. Historically, governments have been reluctant to issue public accusations against other countries regarding cyber attacks. But improved methods and technologies are helping to reveal these adversaries more accurately. I’ve personally been involved in determining attribution and holding hackers accountable based on decades of my own research.
An insider caught in the act
A large enterprise experienced a stock tampering case that amounted to a financial fraud attack. In this scenario, indicators observed in public sources aroused suspicions that led the enterprise to investigate whether it had a rogue insider illegally benefiting from inside knowledge of an impending acquisition. It was clear that the insider was leaking and manipulating news about the target company to affect its market valuation. Allure Decoy Documents with compelling information about the target company were strategically placed in file shares. One of the documents was later opened externally, at the home of the alleged inside attacker, triggering an alert, surfacing his identity and providing proof for law enforcement. The FBI then did its duty.
A bold hacker and a “pissed off” CISO
A large telecom company experienced a ransomware attack that seemingly utilized portions of the leaked NSA malware. Post-attack forensics determined that the adversary had penetrated the organization through a vulnerable set-top box, which then allowed the attacker to rifle through the organization’s folders and directories and exfiltrate data.
Identifying this attacker, thwarting the attack in its final stages and not paying the ransom became a top priority. Allure stepped in to help. In order to receive the ransom, in bitcoin of course, communication between attacker and target was conducted via the typical Tor chat protocol. The attacker was clearly feeling quite protected and proceeded to conduct his business without fear of being caught.
However, while the telecom company claimed that it had paid the bitcoin ransom, in actuality it had not. Instead, the company’s CISO used an Allure Decoy Document, disguised as a bitcoin payment confirmation page. The attacker received the confirmation page over Tor and proceeded to open and review the document on his phone. The beacon triggered an alert upon opening, and conveyed geofencing and telemetry insights that allowed the security team to reveal the attacker via his phone service provider. This person is now well known to Interpol.
Attribution via geofencing and telemetry
Incident response should be a well-planned activity by security staff within modern enterprises. It can be hard to know exactly when an incident has occurred and even more difficult to identify the perpetrator. Suspicions are aroused by various monitored indicators of network and host activities, but in other cases, such as the real ransomware attack described above, external indicators provide clear-cut evidence that something is amiss. The attacker told the victim.
Whenever incident response teams need to delve deep into data to identify a perpetrator, the data at hand often isn’t sufficient. A great deal of experience and inference is necessary to accurately resolve the incident, but rarely is attribution settled with evidence. That’s when beacon technology can be a game changer. Strategically placed Allure Decoy Documents with embedded beacons can pierce the tools often used by hackers and leakers to provide valuable attribution data. Better yet, the telemetry provided by the signals not only resolves “who done it,” with evidentiary material appropriate for legal consequences, but can also isolate the source of the offense, in case the attacker has left behind malware that would grant access again later.
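To make the beacon workflow described above concrete (both the planted file-share decoy of the insider case and the fake payment confirmation of the ransomware case), here is an added, simplified illustration in Python. It is not Allure's code and makes its own assumptions: each decoy carries a unique random beacon token in a phone-home URL, the beacon host is an ordinary web server writing Combined Log Format lines, and "geofencing" is approximated by checking whether the opening address falls inside the organization's own address ranges. The log lines are constructed sample data embedded in the script, not real telemetry.

```python
"""Correlate decoy-document beacon callbacks back to where each decoy was planted.

Added illustration, not the product's implementation. Assumptions (not from the
article): a beacon URL of the form https://<host>/b/<token>.png is embedded in
each decoy; opening the document fetches it; the beacon host logs the request.
"""
import ipaddress
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Decoy:
    token: str
    placement: str   # where the decoy was planted (file share path, chat channel, ...)
    created: str


class DecoyRegistry:
    """Maps beacon tokens to the decoy placement they were issued for."""

    def __init__(self):
        self._by_token = {}

    def register(self, placement):
        token = secrets.token_urlsafe(16)          # unguessable per-decoy identifier
        self._by_token[token] = Decoy(token, placement,
                                      datetime.now(timezone.utc).isoformat())
        return token

    def beacon_url(self, token, host="https://beacon.example.invalid"):
        return f"{host}/b/{token}.png"             # hypothetical beacon host

    def lookup(self, token):
        return self._by_token.get(token)


# Combined Log Format line for a beacon fetch; only /b/<token>.png requests match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "GET /b/(?P<token>[A-Za-z0-9_-]+)\.png '
    r'HTTP/1\.[01]" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')

# Assumed organization address space: opens from outside it are the ones that
# point at an external viewer (the insider's home, the attacker's phone).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_ip(ip):
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"


def correlate(registry, log_lines):
    """Turn raw beacon-host log lines into attribution alerts."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoy = registry.lookup(m["token"])
        if decoy is None:
            continue                                # unknown token, e.g. a scanner probing the host
        scope = classify_ip(m["ip"])
        alerts.append({
            "placement": decoy.placement,
            "source_ip": m["ip"],
            "scope": scope,
            "severity": "high" if scope == "external" else "medium",
            "user_agent": m["ua"],
            "opened_at": m["ts"],
        })
    return alerts


def demo():
    """Register two decoys and run constructed log lines through the correlator."""
    reg = DecoyRegistry()
    t_share = reg.register(r"\\fileshare\M&A\Project_Falcon_valuation.docx")
    t_ransom = reg.register("ransom chat: decoy BTC payment confirmation")
    # Constructed sample log lines (documentation address ranges), not real data.
    lines = [
        f'10.20.30.40 - - [23/Oct/2018:10:05:12 +0000] "GET /b/{t_share}.png HTTP/1.1" '
        f'200 68 "-" "Mozilla/5.0 (Windows NT 10.0) Word/16.0"',
        f'203.0.113.77 - - [23/Oct/2018:22:41:03 +0000] "GET /b/{t_share}.png HTTP/1.1" '
        f'200 68 "-" "Mozilla/5.0 (Windows NT 10.0) Word/16.0"',
        f'198.51.100.9 - - [24/Oct/2018:03:17:45 +0000] "GET /b/{t_ransom}.png HTTP/1.1" '
        f'200 68 "-" "Mozilla/5.0 (Linux; Android 8.0) Mobile"',
        f'198.51.100.200 - - [24/Oct/2018:03:18:00 +0000] "GET /b/not-a-token.png HTTP/1.1" '
        f'404 0 "-" "curl/7.58"',
    ]
    return correlate(reg, lines)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The registry is the piece that turns a bare callback into attribution: the token tells the responder which planted document was opened, the source address and user agent say from where and with what, and the external/internal split flags the opens that matter. A real deployment would also store the token-to-placement mapping somewhere the attacker cannot reach and preserve the raw log lines, since those are the evidentiary material the article refers to.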
Allure Decoy Documents used as active defense are a new tool in the cat-and-mouse game between attacker and defender.