Picture this: Your company's network is facing a DDoS attack, but you have no idea who is responsible or what their motivation might be. Without this knowledge, you can't tell if they want money in exchange for stopping the attack or if the attack is a diversion to occupy your security team while your network is being penetrated and commercial secrets are stolen.
In the aftermath of a network breach it can also be incredibly useful to know some information about the likely attackers. That's because knowing who they were — or just where they were from — can help you carry out a more accurate damage assessment exercise. This knowledge can guide you where to look for signs of data compromise, and what other specifics (such as exploit kits or Trojans that may have been left behind) to search for.
Knowing who you have been attacked by can also shed some light on why they may have attacked you, what they were after and what the likely consequences for your business may be. For example, a common cybercriminal may be after any data that they think they can resell (such as customer credit card details), while a foreign competitor or so-called "state-sponsored" hackers may be after specific technical information.
"If you can attribute an attack to a particular adversary you can understand their motivations, their capabilities and their infrastructure," says Kyle Ehmke, a threat intelligence analyst at Virginia-based security company ThreatConnect. "If you can understand the 'how' and the 'why' then that can be very valuable information."
Perhaps most importantly, knowing who has attacked you can help you formulate your future security plans and decide how best to allocate your security budget going forward. For example, if you believe that you were the victim of a targeted attack and the hackers did not succeed in exfiltrating everything that they were after, then you may decide to beef up your security specifically to protect those assets that you think they are most likely to come back for.
The ability to attribute an attack to a particular group becomes even more important when it comes to major security breaches. Attacks like the 2014 Sony breach — which the FBI attributed to hackers connected to the North Korean government — can be cause for national security concerns and can also have major political repercussions.
So how do security experts go about identifying hackers and where they are from?
Foraging in forums
The first thing to understand is that attribution is very hard. You can't just look at the apparent source of an attack, because it will almost certainly be passing thought at least one proxy, perhaps on a compromised server on the other side of the world from the attackers. Or, in the case of DDoS attacks, the traffic will come from thousands of compromised machines that may be part of a global botnet.
It's also difficult to attribute an attack to a group or country based on messages left on compromised servers or strings in a particular language found in exploit code. In part that's because hackers tend to share, buy, copy or steal other hackers' tools, so code with a string of Russian text could just as likely be used by Peruvian hackers or North Korean students. And for every hacker who inadvertently leaves some trace of his activity (like a string of text in Russian) there is probably another who will leave such information deliberately as a form of misdirection.
Another thing that's important is that hackers rarely meet each other face to face. Instead they often exchange information, tools and hacked data on hacker forums — either on the web, or the more obscure darknet.
[Also on CIO.com: 8 of the most unsettling things you'll find on the darknet]
These forums are vital sources of information for law enforcement agencies and security specialists, according to Christopher Ahlberg, CEO and founder of real-time threat intelligence provider Recorded Future. Speaking at the Black Hat Europe 2016 security conference in London, Ahlberg said that in many cases the ability to attribute an attack to a particular group or individual comes down to "sloppy handle usage" on hacker forums.
"We will see someone register a domain name, and use the same handle on hacker forums, on developer forums, on social networks and so on," he says. When handles (which may be part of an email address) are reused in this way it becomes relatively easy to work out who a forum member is, and forum posts often provide information that points to a specific individual (or group) as being responsible for a particular hack.
The problem for security experts like Ahlberg is that smart hackers know about operations security (opsec) and therefore know better than to reuse their handle in different environments. "They will do 'handle hopping,' changing their handles between forums, or indeed within a single forum," he says.
What can be done to overcome the practice of handle hopping? A possible solution is to apply a dose of mathematics and carry out a Pattern of Life analysis, which Wikipedia defines as "a method of surveillance specifically used for documenting or understanding a subject's (or many subjects') habits. This information can then be potentially used to predict future actions by the subject(s) being observed."
In fact, Pattern of Life analyses can be carried out on all kinds of data sets, ranging from crime statistics to Uber rides, to spot certain patterns of behavior, Ahlberg says. For example, it turns out that on Valentine's Day there are plenty of Uber rides that start at 1 a.m. and return at 5 a.m., but on the eve of Tax Day this type of ride behavior is very uncommon. Also interesting: the most popular time for burglars to strike in Chicago is 9 a.m., and narcotics dealers are most active at lunchtime and at night.
Similarly predictable behavior patterns can be found incyber-crime. Ahlberg's company ran an automated system that collected data on 750 criminal or hacker forums on the web and the darkweb that use seven different languages, including Chinese, Russian and Arabic. Data on 1.4 million handles was processed and indexed, with some interesting results.
They found that over 96 percent of forum handles were used only once, indicating that the vast hackers that frequent these forums are keenly aware of the need to take measures to hide their identities.
But that's not always the case, and the exceptions provided Ahlberg with the opportunity to find out more about those hackers and their activities. "If I can see two (handle) patterns moving in sync then it could be that it is the same person using two different handles, or it could be two guys who are working together," he says. "The trick is to find handles that display similar usage behavior. By identifying ‘hang-arounds,’ we can begin to identify a crew."
By looking at the language used in different forums, it was possible to extract other information from the captured data. It turns out that distinct groups of hackers work at very different times of the day or night. For example, Iranian hackers tend to work during the day (perhaps indicating that many of them are students), while Russian hackers tend to operate in the evening (which suggests that many have daytime jobs and carry out cybercrime as a second job to supplement their incomes).
And groups of hackers that operate on Russian language sites frequent these sites at different times, which suggests they may be in different time zones, perhaps one group in Vladivostok and another in Moscow.
And other patterns provide experts with even stronger indications of where hackers may be from. For example, Russian hacking activity falls away during New Year's Eve (for obvious reasons), while Arab hackers' activity ramps up during the month of Ramadan (when perhaps there is little else to do).
What's clear from all this is that while some level of attribution is possible, it is very much an inexact science: two years after the Sony hack it's not entirely obvious how the U.S. government can be sure that North Korean hackers were responsible.
But using techniques such as Pattern of Life analysis the security community is increasingly able to shed some light on the "who?" and "why?" of cyberattacks, and it is information that enterprises can take advantage of to minimize the damage when intrusions do occur and to help keep themselves safer in the future.