Attacker attribution is hard, but sometimes easier than you think

Attribution of an attacker, and uncovering his or her true identity, remains a vexing problem for incident response teams. But in certain cases, it can be solved. Advanced telemetry and geofencing technologies offer the potential to track sensitive data and stop data loss and are useful investigative tools in incident response.

The recent controversy over Hack Back, not to be confused with Back-Hack, was largely fueled by proposed but failed legislation in the State of Georgia. The spate of articles and opinion pieces arguing against the emotionally satisfying but dangerous strategy largely rested their case on the impossibility of getting “attribution right.”

It’s true that attackers are very good at hiding their tracks and stepping over stones, making it near impossible to trace them back to their actual source location. But there are methods and technologies that can help reveal these adversaries more accurately. I’ve personally been involved in determining attribution and holding hackers accountable, based on decades of my own research.

A ransomware case that went badly for the attacker

A large telecom company experienced a ransomware attack that seemingly utilized portions of the NSA-leaked malware. There was no guessing that an incident had occurred; the attacker demanded a ransom. In this all too familiar scenario that continues to plague large enterprises, incident response teams well understand what comes next: Management must decide whether or not to pay the ransom, but they must also identify the means and method of entry that allowed the attackers to execute the ransomware, in order to prevent future attacks.

The CISO was surely unhappy about how the perpetrator entered the telecom company’s well-defended network. Fortunately, the attack had not targeted business-critical data, thanks to the company’s well-managed backup systems. Post-attack forensics determined that the adversary had penetrated the organization through a vulnerable set-top box.

Nonetheless, the CISO was not amused by the attempt to hold his company’s data hostage, and those deep emotions convinced him to identify and pursue the perpetrator. In other words, he was pissed.

Tor and VPNs can be pierced

In order to receive the ransom, in bitcoin of course, communication between attacker and target was conducted over the typical Tor chat protocol. The attacker was clearly feeling quite protected and proceeded to conduct his business without fear of being caught.

The typical conversation ensued, with the perpetrator demanding his bitcoin and the victim offering to pay. However, while the targeted company claimed that it had paid the bitcoin ransom, in actuality it didn’t. Instead, the clever CISO used advanced deception technology and composed a bogus bitcoin payment page to give the attacker evidence that payment had been made. The attacker received the confirmation page over Tor and proceeded to open and review the document on his phone. The phony document, which was embedded with a sensor that conveys geofencing and telemetry details when the document is opened, quietly signaled, and the attacker’s identity was readily revealed through his phone service provider. Bingo. Tor had been pierced. The attacker’s identity had been uncovered.

Attribution via geofencing and telemetry

Incident response should be a well-planned activity of security staff within modern enterprises. It is hard to know exactly when an incident has occurred and who the perpetrator is, however. Suspicions are aroused by various monitored indicators of network and host activities, but in other cases, such as the real ransomware attack described above, external indicators provide clear-cut evidence that something is amiss. The attacker told the victim.

Another example of a threat I personally helped to resolve was a stock tampering case that demonstrated a financial fraud attack. In this scenario, the indicator was sensed from public sources, arousing suspicions that led an institution to investigate whether it had a rogue insider illegally benefiting from inside knowledge of an impending acquisition. It was clear that the insider was leaking and manipulating news about the target company to affect its market valuation. Deceptive documents with sensors, containing information about the target company, were strategically placed in various file shares. The documents were later opened externally at the home of the alleged inside attacker, surfacing his identity and providing proof for law enforcement. The FBI did its duty.

Whenever incident response teams need to delve deep into data to identify a perpetrator, the data at hand often isn’t sufficient; only the attacker’s tools and methods are revealed. A great deal of experience and inference is necessary to accurately resolve the incident, but rarely is attribution settled with hard evidence. That’s when sensor technology can be a game changer. Strategically placed deceptive documents with embedded sensors that entice an attacker can easily lead to the perpetrator. Better yet, the telemetry provided by the signals can not only resolve “who done it,” with evidentiary material appropriate for legal consequences, but can also isolate the source of the offense in cases where the attacker has left behind malware that would grant access again later.
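As an added example (not the article’s or any vendor’s tooling), this is the defender’s side of the sensor approach described in both cases above: each decoy copy is minted with its own token, and the beacon host’s access log is triaged back to the exact placement and to whether the open came from outside the corporate network. The corporate address ranges, the beacon host name and the log line format are assumptions; the sample input in the test is constructed.

```python
"""Beacon-callback triage for decoy documents (added example, not the article's tooling)."""
import ipaddress
import re
import secrets
from datetime import datetime

# Assumed corporate address space: an open from outside it means the decoy left the network.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed access-log format of the beacon host: <iso-time> <src-ip> "GET /b/<token>.gif" "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) "GET /b/([0-9a-f]{16})\.gif" "([^"]*)"$')


def register_decoy(registry, placement):
    """Mint a unique token for one decoy copy and record where that copy was placed."""
    token = secrets.token_hex(8)          # 16 hex chars, one token per placed copy
    registry[token] = placement
    return token


def beacon_url(token, host="beacon.example.com"):
    """URL embedded in the decoy (e.g. as a remote image); a fetch of it means the document was opened."""
    return f"https://{host}/b/{token}.gif"


def triage(registry, log_lines):
    """Turn beacon hits into alerts: which decoy, opened from where, and whether it left the network."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                         # not a beacon fetch at all
        ts, src, token, ua = m.groups()
        placement = registry.get(token)
        if placement is None:
            continue                         # unknown token: scanner noise, not one of our decoys
        ip = ipaddress.ip_address(src)
        external = not any(ip in net for net in CORPORATE_NETS)
        alerts.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "placement": placement,
            "src_ip": src,
            "user_agent": ua,
            "severity": "high" if external else "medium",  # external open: the file was exfiltrated
        })
    return alerts
```

The token, not the file name, ties a hit back to the share or mailbox the copy was planted in, so identical-looking decoys in different locations remain distinguishable.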

Deception used as active defense is a new tool in the cat and mouse game between attacker and defender. Attackers beware: concealing your identity is no longer guaranteed.

This article is published as part of the IDG Contributor Network.