Cyber-attacks and terror attacks have one major thing in common - both are among the top security concerns in the world today. A closer look reveals many similarities in the challenges they pose for investigators. So, can time-proven terror attack investigation methods help crack cyber-attack cases?
Lesson One: Understand the Motive...Understand the Attack
Whether you’re investigating a terror attack or a cyber incident, the first step in identifying the attacker is to establish a motive. Terrorists seek to use violence as a means to create terror or fear to achieve a political, religious or ideological aim.
Cyber-attacks, on the other hand, seek to either achieve financial gain or accomplish social or political agendas. According to Richard Clarke, former Special Advisor for cybersecurity during the George W. Bush administration, cyber attackers carry out attacks to:
- Financially harm the target by disrupting its operations and damaging its reputation (cybercrime)
- Use the target for a politically or socially motivated purpose (hacktivism)
- Obtain secrets and data stored in digital format without the consent of the information holder (cyber-espionage)
- Disrupt the activities of a state or organization, by attacking its information systems (cyberwar)
In both terror and cyber-attacks, the more you know the motives, the better you'll understand the attack and the faster you will get to its source. This knowledge gives you a greater chance at preventing future attacks and improving long-term readiness in handling threats.
Lesson Two: Use Intelligence to See the Big Picture
Investigators of both types of attack must discover whether attackers are part of a carefully planned operation or are already known to the party under attack: they need to establish connections and patterns or identify the attacker as a lone wolf.
In the "olden days," you could afford to investigate a cyber incident as a single event - with very little investment into prior attacks, updated threat intelligence, or structured attempts to see a bigger, wider picture of the attack. Times have changed. You can no longer afford to think in a one-dimensional, linear manner.
Cyber investigators must adapt, investigating and analyzing incidents as part of a much larger picture to detect incidents earlier, before the attack is executed. Thankfully, more and more organizations today are transforming their security spending strategy - moving from a prevention-only focus to detection-and-response approaches complemented by investments in threat intelligence and research.
Lesson Three: Implement Investigation Best Practices and Guidelines
A breach in the network is discovered. Do you know who does what, when, and how? Who notifies who? How the event is communicated to customers? In other words, is there an approved post-breach protocol to be followed?
In many cases, the national cyber entity, which usually gathers information from external sources delivers notification on the attack. Initial activities include internal and external communication of the event (including to existing customers), identifying and registering all the known details of the attack, and getting the SOC team up to date and prepared.
In parallel, the team begins to mitigate and contain the attack, launching the investigation that will connect the incident to other dots based on ongoing investigation processes. Best practices and guidelines on what needs to be done once an organizational breach is discovered are readily available. Find them and use them.
Lesson Four: Model Your Cyber Kill Chain Framework After the Terror Attack Chain
The announcement: “There’s been an attack” is the starting point from which investigators and other security team members widen their investigation timeline - to go into the past and the future.
But before we go over the attack timeline of both terror and cyberattacks, notice the similarities and take them into account when conducting your investigation. For example, both terror and cyber-attacks:
- Consist of more than a single incident - A series of events occur prior to the attack eventuate in its execution. In many cases, we discover these events only in retrospect.
- Occur even with security measures in place that keep you secure most, but not ALL, of the time. Sophisticated, dedicated attackers will find ways to overcome multiple security hurdles - in the form of law enforcement, checkpoints, and fences as well as firewalls, antivirus tools and IDS solutions
- Take place because of explicit motives - This leads to the use of one attack method over another. In the majority of cases, these attacks are aimed at a specific target and have pre-defined goals.
- Are carefully organized - Attacks are, more often than not, planned months in advance and are executed as well-coordinated campaigns, relying on both cooperation and effective communication among several actors working together.
Expertise, analytics processes and, of course, intelligence enable investigators to go back on the attack timeline during the investigation process. While modern intelligence tactics have been in existence since the late 19th century, terror investigations became truly intelligence-driven following the 9/11 attacks with the founding of governing bodies such as the Director of National Intelligence in the United States for example.
By adopting an intelligence-driven approach, cyber investigations can now enter the 21st-century investigative world. As we witness the decline in the number of terror attacks (thanks in large part to intelligence), we can now look forward to similar results in the cyber world.
Lesson Five: Redefine Your Cyber Investigation Strategy
The time is ripe for cyber investigations to implement the procedures and processes inherent in successful intelligence-driven counter-terrorism efforts. Wider threat intelligence will help SOC analysts:
- Connect the dots that will take them from the incident for which they received an alert to the full-blown attack that needs to be contained. They can then chase the alert and collect pieces of data that will enable them to scope the attack and afterwards continue with the investigation and response activities.
- Carry out a recovery plan, once the cyber-attack is contained and the incident is resolved, after which they can return to distinguishing between the false positives and the real incidents that all appear as red dots on their screens.
- Enrich the incident’s data and forensic information or enable the incident to be marked as solved.
- Give the SOC team - even if it’s able to connect the dots of an entire attack - a bigger picture, e.g., more information on the attacker(s), the attack method and its origin, and how other enterprises dealt with similar scenarios.
How can you most effectively use intelligence? Make sure that intelligence is ongoing and proactive, by continuously gathering and analyzing data to enable better decision making. Enrich intelligence with security tools that enable investigators to analyze suspicious files and detect various types of malware - providing intelligence and data that was not available before and can now greatly shorten time to detection.
Invest in methods and services that continuously search the internet (including the Dark Web) and make it easier for investigators to track and target potential attackers and dramatically increase the chances of outsmarting them.
Last, but not least, look beyond your organization. Find great sources for current cyber intelligence in the Dark and Open Web, in social media and open and closed forums. They all thrive with activity and provide valuable data, including information on planned or ongoing cybercrime or hacktivism campaigns, discussion and commerce around the latest vulnerabilities and exploits, and indicators of systems breaches and data leaks.
You can gather all this critical cyber threat intelligence using a combination of web intelligence technologies and expert monitoring services.
From the Hunted to the Hunter
Moving the focus to intelligence and adopting new intelligence-gathering technology is great, but it is not complete. Successful cyber investigation also requires a shift in how the SOC analyst works: instead of the SOC analysts relying on a “lean backwards” approach that requires them to sit and stare at the screen looking for red dots, they need to move to “lean forward” mentality.
Analysts need to become more proactive, track and monitor attackers' communications tools and know when a new exploit is being tested and a new campaign is being planned.
Just like intelligence-based counter-terrorism monitors communications and movements of potential terrorists, intelligence-driven cyber investigators should be where the attackers are, monitoring their communications and movements. This turns the security team and the enterprise from being the hunted to being the hunters.