Over 95 per cent of chief information security officers (CISOs) say it is at least “moderately likely” that their company will face what they call an “advanced” attack in the next 12 months and, worse, nearly three-quarters of CISOs think their function won’t deal with it properly.
Advanced threats are substantially different to traditional threats faced by CISOs and their teams. They differ because they are harder to detect and prevent, and are perpetrated by hackers that are more skilful and have more resources.
CISOs consistently rank advanced threats as the most severe and uncontrollable they face. Examples include social engineering and/or phishing, hacktivism, state-sponsored attacks, and information-related organised crime and fraud.
One big problem is that many CISOs only focus on how an attack is conducted (i.e., on the techniques used), and assume that figuring out who is behind an attack is for IT vendors, law enforcement, or only the most advanced information security (IS) functions. This is short-sighted and means teams will miss valuable information that is not overly onerous to collect and can help combat many different types of threat.
With all the internal and external threat intelligence that IS teams now collect, hunters (one of the more exciting corporate titles) or other IS staff who sift through this information can search for indicators or techniques associated with a particular attacker or group, identifying new threats and pre-empting advanced attackers.
In particular, IS teams should work on two processes: attribution, or determining the identity of an individual or group who launches an attack; and attacker profiling, or compiling attacker characteristics, location, and techniques.
Some CISOs may not feel their advanced threat processes are sophisticated enough for attribution and profiling, but there are some basic methods that work well.
- Analyse suspicious e-mail headers: E-mail headers provide valuable information about the source of a message. For instance, the character set attribute can provide information about the attacker’s keyboard layout, and indicate the attacker’s location.
- Examine suspicious e-mail text: Within the text of an e-mail, embedded fonts and language mistakes can provide clues about the attacker’s native language or origin.
- Look for clues in malware: Malware source code can provide further evidence of the attacker’s language or location. Malware configuration options are also often unique to an attacker and can help identify multiple attacks by the same attacker.
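As an added example (not code from the original post), the following Python pulls the header-level attribution clues described above out of a raw message: every character set the sender's client declared, the earliest visible Received hop, and the mail client string. The message, addresses and IP ranges are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header

# Constructed sample message for illustration only: synthetic addresses,
# RFC 5737 documentation IPs and a made-up X-Mailer string.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
 by mx.corp.example (Postfix) with ESMTPS id ABC123
Received: from [192.0.2.55] (unknown [192.0.2.55])
 by mail.example.net with ESMTPA
From: accounts@example.net
To: finance@corp.example
Subject: =?koi8-r?B?9MXT1A==?=
X-Mailer: ExampleMailer 4.0
Content-Type: text/plain; charset="koi8-r"

Please see the attached invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def header_charsets(msg):
    """Collect each charset the sending client declared: the body
    Content-Type charset plus any RFC 2047 encoded-word headers."""
    found = set()
    body_cs = msg.get_content_charset()
    if body_cs:
        found.add(body_cs.lower())
    for name in ("Subject", "From", "To"):
        value = msg.get(name)
        if value:
            for _, cs in decode_header(value):
                if cs:
                    found.add(cs.lower())
    return found

def originating_ip(msg):
    """Received headers are prepended hop by hop, so the last one listed
    is the earliest hop visible. Only hops added by your own MTAs are
    trustworthy; earlier ones can be forged by the sender."""
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None

def profile_message(raw):
    """Return the attribution clues for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    return {"charsets": sorted(header_charsets(msg)),
            "origin_ip": originating_ip(msg),
            "mailer": msg.get("X-Mailer")}
```

Run `profile_message(SAMPLE_EMAIL)` to see the extracted clues; storing the result per incident lets the same charset, client and origin be matched across later attacks.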
Information like this can help organisations get an idea of who the attacker is and categorise the adversary; IS teams should use at least the following basic categories:
- Unsophisticated attacker
- Organised crime
- State-sponsored attacker
By categorising attackers, organisations can develop more targeted responses and anticipate future attacks.
For instance, because organised crime, competitor, and state-sponsored attackers are more likely to launch multiple attacks, recording information about these intruders can help organisations recognise them again in the future.
Jeremy Bergsman is Practice Manager at CEB.