Understanding the MO of a Cyber Attacker
9 February 2020, in Cybercrime, Use Cases

This blog will be the first in a series around profiling the types of individual(s) and activities associated with cybercrime. As the other guys at Titan Labs would testify, the concept illustrated in the film Minority Report is a running theme for me… Being able to predict and prevent a crime before it happens is the holy grail!

Whilst we can’t claim to be there quite yet, understanding the type of person committing cybercrime goes a long way in being able to spot triggers, characteristics & activities early enough to stop them before they really take hold. Prevention being better than cure!

Whilst I appreciate that we at Titan Labs build software to monitor and protect against cyber-attacks, and this blog suggests that software like ours isn’t the only option, I truly believe in this approach. Having an insight into what criminals do is a big step in writing better software to protect against it! I’m basing this theory on how a police profiler would investigate a crime scene, interview the victims and review the physical evidence. These methods and practices are not dissimilar to the way intelligent content written for a monitoring solution picks through reams of data to get to the culprit!

How did the perpetrator gain access?

Cyber-Translation: This can be seen as a question around the entry and exit points to your network – are they monitored? Would you see any tell-tale signs of someone ‘trying the lock’ or, worse, successfully forcing entry?

Potential Use Case: Uninvited Entry – repeated logon failures from your boundary devices followed by a successful logon!
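The correlation logic behind this use case, as an added example that is not part of the original post or of TitanView: a sliding-window rule that fires when one source address racks up a run of failed logons and then succeeds. The log lines and the key=value format are constructed for illustration; a real boundary device will need its own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log from a boundary device (e.g. a VPN gateway); not real data.
SAMPLE_LOG = """\
2020-02-09T08:58:01Z src=203.0.113.7 user=jsmith result=FAIL
2020-02-09T08:58:05Z src=203.0.113.7 user=jsmith result=FAIL
2020-02-09T08:58:09Z src=203.0.113.7 user=jsmith result=FAIL
2020-02-09T08:58:14Z src=203.0.113.7 user=jsmith result=FAIL
2020-02-09T08:58:20Z src=203.0.113.7 user=jsmith result=FAIL
2020-02-09T08:58:31Z src=203.0.113.7 user=jsmith result=SUCCESS
2020-02-09T09:10:00Z src=198.51.100.4 user=adoe result=FAIL
2020-02-09T09:10:30Z src=198.51.100.4 user=adoe result=SUCCESS
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_uninvited_entry(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return an alert for each source that logs >= threshold failures within
    `window` and then a successful logon. One typo'd password (second source)
    stays below the threshold and does not alert."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, ts = rec["src"], rec["ts"]
        recent = failures[src]
        # age out failures that fell outside the sliding window
        while recent and ts - recent[0] > window:
            recent.popleft()
        if rec["result"] == "FAIL":
            recent.append(ts)
        elif rec["result"] == "SUCCESS":
            if len(recent) >= threshold:
                alerts.append({"src": src, "user": rec["user"],
                               "failures": len(recent), "at": ts})
            recent.clear()   # a success resets the counter for that source
    return alerts

if __name__ == "__main__":
    for alert in detect_uninvited_entry(SAMPLE_LOG):
        print("Uninvited Entry:", alert)
```

Tuning the threshold and window per device is the main work in practice; a wide window on a busy gateway will generate noise from legitimate users mistyping passwords.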

What did the perpetrator do & what was taken?

Cyber-Translation: Do you have visibility or an audit log showing what would happen during a breach? Do you monitor user activity and their associated files?

Potential Use Case: Unauthorised Data Exfiltration – triggers from your DLP solution would be the primary event source for this use case, but failing that a use case could be written around email tracking logs where a user has emailed an external non-corporate domain with a large attachment size, or where a large amount of data was sent to a known online file repository domain like dropbox.com. A SIEM like TitanView could track and alert on this through the use of lookups, bringing the disparate events into one place.

Were their tracks covered?

Cyber-Translation: Would you know if someone cleared an event log or deleted a bunch of files?

Potential Use Case: Audit Logs Cleared – this could be as simple as using a Windows event to alert when Windows logs are cleared, OR a file integrity monitoring (FIM) tool on your endpoints to alert when sensitive files change size.

What was it that attracted the perpetrator?

Cyber-Translation: Do you know how your organisation is perceived online? Do you follow social media to understand your company’s reputational data?

Potential Use Case: Increase in Negative Media Coverage – this could be achieved by monitoring common social media and news sites for certain terms. Given some data analysis, a rating of positive or negative coverage could be produced and snippets of the data could be presented to illustrate any trends forming, e.g. Company X is increasingly appearing in the news for profits declared from trading practices deemed controversial, or Company Y is seen to support a political group. This intel could be used to drive a heightened alert level or a campaign to address the media coverage.

What was the motivation behind the attack?

Cyber-Translation: Do you leverage external threat intelligence to increase awareness of the changing threat landscape?

Potential Use Case: Rising Chatter Amongst the Dark Web – this would monitor known ‘dark’ forums online for an increase in keywords, e.g. the company name and certain terms, to indicate an increasing amount of chat amongst nefarious communities. If this alert fires, it should trigger a heightened security posture: bringing forward patching cycles, antivirus updates/scans and verification of all boundary devices.

So, hopefully, you can see that the common steps that have formed the process of police investigations for years can easily be translated into “cyber speak”. Understanding how criminals think & work means you can be proactive and build a strategy to protect against them.

We at Titan Labs are only a call or email away to help put this strategy into action!
