2 minute read

HOW FORENSICS CAN HELP TO IDENTIFY YOUR CYBER ADVERSARY

Next Article
What’s trending

What’s trending

Once an adversary has been spotted inside the organisation’s infrastructure, alert levels can be raised, shields-up declared, and intelligence can drive threat-hunting.

Adversary attribution enables security professionals to understand the who, how and why behind the cyberattacks targeting potentially their business. Knowing about espionage-motivated adversary provides guidance on where to place defensive shields-up measures and how you can best prepare. This could include decisions on where to implement new controls, new training needs or prepare with more targeted red and blue team exercises.

Once a known, sophisticated adversary has been spotted inside your organisation’s infrastructure, alert levels can be raised, shields-up declared, and the available intel on the adversary can drive the threat-hunting process to find and expel the adversary.

Without this knowledge, analysts waste time and resources, playing whack a mole in chasing every commodity attack or being blind to adversary activity that may be seen as normal activity without the context provided by threat intelligence.

Forensics gaps

When an attack or critical event is detected, analysts run forensics, gathering all artefacts during the attack, including network traffic, sources, assets, files touched, commands run, so that incident response teams can eradicate all threat activity. Chances are low that forensic evidence will be complete because the amount of data, and volatility within the data, can be too overwhelming to analyse.

Detection and hunting

Detection is an art and involves many moving parts. While standard security analytic tools like SIEM can execute simple IF-THEN rules, including if traffic originates from location X create an alert and even perform baselining or trending analysis, threat actors have learned how to bypass these standard detection rules by living off the land and hiding under legitimate activities. By knowing individual actor behaviours and attack techniques, security engineering teams can set up more targeted detection or better execute threat-hunting practices.

Vulnerability remediation

Vulnerability lists are always too long, and standard risk scoring, like the Common Vulnerability Scoring System is usually too static. By shortlisting actors that apply to your environment and understanding which vulnerabilities are leveraged, risk teams can better prioritise where to focus and concentrate their efforts. Having the latest information on which actors use which exploits can save vulnerability remediation teams a lot of time and pre-emptively reduce threat risks.

Security strategy

Attribution enables security teams to understand their true risk posture by defining who could come after them and how and pre-emptively adjust their security strategy. For instance, targeted attacks may be driven by cyber espionage, which indicates the threat will most likely be persistent and comprise multiple sophisticated attacks that can be expected to attempt to gain access to your sensitive company data.

Silos

Security organisations are often split into operational silos, with each silo focusing on specific detection or protective tools. This structure, with attention to tools in use and small-team objectives, is not always advantageous. Focusing instead at a higher level, knowing the adversaries that are trying to breach your defences, changes the dynamic, which benefits the individual security professional as well as the entire security organisation.

While attribution provides the information that helps security teams prepare, there is additional intrinsic value in taking an adversaryfocused approach to security. Attribution enables the entire security organisation, proactive and reactive defenders alike, to orient their actions toward specific actors that target their business and begin to communicate across all teams with a common language, including the adversary’s name, attack steps and point of view.

This approach helps security teams step away from tool- or processheavy tactics and build strategies to increase the effectiveness of their security efforts. ë

This article is from: