Reverse Deception: Organized Cyber Threat Counter-Exploitation (122 page)

This is a highly common pattern involved in reportedly Chinese-backed attacks. Whoever it was didn’t go through much trouble to hide what they were targeting (and after this book is published, they may change their pattern, but it will only be a matter of time until that new pattern is deciphered as well).

The most important note when validating your engagement is to understand what type of threat you are engaging and if that is the right threat to engage. We are not stating that every targeted attack will actually implement a network infrastructure that will leverage the name of the victim. There are many targeted attacks that use raw IP addresses versus domain names.

Consider the GhostNet incident discussed in
Chapter 1
, where there was an IP address that resolved back to a Chinese PLA signals intelligence base on the east coast of China. Now, by law, an IP address does not relate to a person. However, having data sent and accepted by a remote destination (an IP address) is highly suspicious, and the burden of proof resides with the Chinese for the activity of that IP address, since it was on their network, under their control, and data was being accepted by the remote system. If data had been dropped or rejected by the remote destination IP address hard-coded into GhostNet, we would have seen it bounce back after connection attempts, although they were fully established sessions transmitting data.

It’s critical to watch what goes in and out of your network. You can almost never completely trust what your host-based tools tell you. When you validate an engagement, you need to ensure the right avenues of your network and protocols your focus is using match up with what you have observed and continue to monitor.

If you are leveraging a real deception network deployment or honeynets, you will be able to maintain control of your engagement and validate what is occurring in that sanitized environment. You will be able to leverage that observable intelligence across your enterprise and identify other infected hosts across your network, and increase your mitigation and removal of the threat’s campaign. You will need to leave a trail of digital bread crumbs across your network over time during the operation to ensure your focus will head into that portion of the network. You can do this in many ways, such as by redirection of flows and sessions. Also, numerous network devices can be used to redirect enterprise traffic to specific predefined destinations.

Putting This Book to Use with Aid from Professionals

If you have read this book in its entirety, by now you should understand that there are numerous types and levels of threats, ranging from simple to sophisticated. Your job is to understand which threats are within your network and which threats deserve more of your resources to engage or deter them from continuing to further penetrate your network. You also need to understand you are not the only one dealing with these threats. There are communities, forums, teams, and working groups that can help augment your capabilities. There are also security researchers out there like Steven K Xylitol and Abram E N@rrat0r, who both do a lot of research into the blackhat community and the latest and greatest happenings in the cyber criminal underground.

To extend a hand out to those facing threats, a very niche community of professionals have volunteered to be listed here. These professionals work diligently and are subject matter experts in the field. They have a deep understanding of the latest in cyber criminal trends, tools, and tactics, and how to counter the activities surrounding the cyber criminal underground.

No one organization can do this alone in today’s world of modern computing and threat landscape. Many firms specialize in helping with the latest threat intelligence and attribution of threats. These companies also sell products and services like those offered by many other firms who are in IT security. They offer services similar to those covered in this book as professional services or incorporated into their product offerings.

The professionals and firms listed here will help if and where possible. However, we have left a lot of firms out of the list, so we highly recommend that you do your own research on which firms or solutions fit your organization.

How to Evaluate Success

This is the question on the lips of almost every executive or manager: Were we successful in mitigating the threat? How to evaluate success is always a management metric used to justify funding and expenses for a specific effort or program.

As we’ve said before, there are no silver bullets when it comes to security. The bad guys will always get in. The best thing you can do is be prepared and understand the options (tools, tactics, and procedures) available to your organization when dealing with targeted or advanced threats.

The best metric to use is whether your team is capable of identifying each specific campaign and movements of each threat traveling across your enterprise. Based on the identification of the different campaigns of a threat, you will have a foundation for beginning attribution.

You also want to understand exactly what a specific threat was doing while within your network. Here’s a short list of questions to ask about a specific event:

Did the threat target specific employees?

Did the threat target specific information?

Did the threat simply gain access and sublease that access?

Did the threat attempt to gain further access to your network systems?