Hacker profiling: who is attacking me?

Sophisticated cyber attacks have evolved rapidly in the last year, crippling online networks and causing serious financial, operational and reputational damage on firms, regardless of industry or nationality.

Many executives rank a large-scale attack as the most important risk facing their firm. The biggest concern generally isn’t the financial cost, but the reputational impact, especially when it comes to consumer data or sensitive internal information. An organisation’s reputation is fragile – once tarnished, it can be difficult to get back.

The pressures on CISOs and their teams is clearly on the rise. Over 95% of CISOs say it is at least “moderately likely” that their company will face what they call an “advanced” attack in the next 12 months. Worse, nearly three-quarters of CISOs think their function won’t deal with it properly.

>See also: Why you are probably an accidental hacker

It should come as no surprise that if the team does not already have a detailed plan in place – a plan that has been rehearsed by the key players – the consequences of the breach will be much worse.

Advanced threats are substantially different to traditional threats faced by CISOs and their teams. They differ because they are harder to detect and prevent, and are perpetrated by hackers that are more skilful and have more resources. Examples include social engineering or phishing, hacktivism, state-sponsored attacks, and information-related organised crime and fraud.

One big problem is that many CISOs only focus on how an attack is conducted – or in other words, the techniques used and how they can mitigate the impact as quickly as possible.

They assume that working out who is behind an attack is for IT vendors, law enforcement, or only the most advanced information security (IS) functions.

This is short-sighted and means teams will miss valuable information that is not particularly difficult to collect and can help combat many different types of threat.

Being able to broadly categorise a company’s attackers – e.g. whether they are an organised crime group, competitor or an unsophisticated hacker – can make a real difference in helping companies develop more targeted responses and anticipate future attacks.

And with all the internal and external threat intelligence that IS teams now collect, hunters (one of the more exciting corporate titles) or other IS staff who sift through this information can search for indicators associated with a particular attacker, or group, that can identify new threats and pre-empt advanced attackers in the future.

In particular, IS teams should work on two processes: attribution (determining the identity of an individual or group who launches an attack) and attacker profiling (compiling attacker characteristics, location, and techniques).

Some CISOs may not feel their advanced threat processes are sophisticated enough for and profiling, but there are some basic methods that work well.

Analysing suspicious email headers can provide valuable information about the source of a message. For instance, the character set attribute can provide information about the attacker’s keyboard layout, and indicate the attacker’s location.

Examining the text of an email, embedded fonts and language mistakes can provide clues about the attacker’s native language or origin. This will also often be a sign of an unsophisticated attacker or ‘lone hacker’.

Malware source code can provide further evidence of the attacker’s language or location. Malware configuration options are also often unique to an attacker and can help identify multiple attacks by the same attacker.

Information like this can help companies get a better idea of who the attacker is and categorise the adversary. IS teams should use at least five basic categories: insider, unsophisticated attacker, organised crime, competitor and state-sponsored attacker.

By categorising attackers – looking the ‘who’ as well as the ‘how’ – organisations can develop much better responses for future attacks.

Compiling attacker characteristics, location and techniques allows firms to conduct more targeted and productive searches for threats over time.

>See also: Know your cyber-attacker: profiling a hacker

For instance, because organised crime, competitor and state-sponsored attackers are more likely to launch multiple attacks, recording information about these intruders will help companies recognise them again in the future.

Reporting all this information to the board of the company is also essential. Often board members don’t receive specific information on how the company is protecting against cyber risks, and therefore may not know what is at stake and the kinds of investments needed to counter them.

This kind of ‘hacker profiling’ is often a good way communicate to senior management the extent of the company’s exposure to future attacks and the need for continued support from the rest of the business.


Sourced from Jeremy Bergsman, practice leader, CEB

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics