Posted September 26, 2014
All of us who work in the risk, security, or compliance space would love a crystal ball to predict threats—to know who’s trying to attack us, what their motivations are, and what tactics they’ll use. In the absence of that, one of your best options to stay proactive and respond to threats quickly is by studying groups or individuals that pose a risk to your organization or industry using Open Source Intelligence (OSINT).
Security experts generally group threat actors into three broad categories: organized criminal groups targeting financial assets; state sponsors, including foreign governments, who pilfer data for defense or national interests; and terrorists or activists who are motivated by political and social beliefs to disrupt infrastructure or harm individuals.
Learning more about threat actors’ tactics and motivations can help you better prepare against them, saving you the cost and headaches that come with a breach or attack. But investigating threat actors can be difficult, particularly if you don’t have a large team of expert analysts at your disposal. With the right tools, however, there is a lot you can learn very quickly by combining individual data points with OSINT.
Are they affiliated with any groups?
In many instances, criminals and hacktivists are associated with threat actor groups. These associations may be found by looking at their associates on social media networks or underground forums. Uncovering this information can help you determine a few things about the threat actor. First, an association with a certain group can reveal the magnitude of an impending threat. If a threat actor is associated with a well-known global group, for example, the attack may be more severe than if he or she is part of an unknown crew with very few members.
Second, association with a particular group can help you determine the threat actor’s motivation. A threat actor associated with a government-sponsored group will have different motivations than someone from an environmental activist group. Knowing the threat actor’s motivation can help a security team determine which assets may be targeted, and in turn, if increased protection is required.
Where are they based?
If you have an IP address or an IP address block, you can use tools such as those in our Cyber Threat Center to find where a threat actor may be based, and whether there has been any illicit activity on that IP address in the past. The approximate location of a threat actor can help you determine whether they’re located near any physical assets or employees, and warn your physical security team.
A history of illicit activity can indicate whether the IP is being used for criminal purposes on a regular basis. Once you have that information, the address can be blocked, preventing your employees from visiting the bad URL. In a well-publicized case, the FBI used similar methods to bring down the Silk Road cyber-underworld site.
What is their real name?
Although threat actors often try to disguise themselves by using handles or profiles that are different from their real-life identities, they’ll often leave traces that can help you determine their real names or identities. Many threat actors maintain an online presence with their real identity even when they’re involved in illicit activity. So there will typically be at least some identifying details that can be traced back to the individual.
Do they have a history of attacks?
Using search tools such as those found in the Cyveillance Cyber Threat Center, you can determine whether an IP address has a history of bad activity, such as hosting malware or phishing attacks. If it does, you can search for the name of the attack or malware family to gauge the sophistication of the threat actor. This lets you separate lone, unsophisticated attackers from career criminals who have a finely-tuned arsenal of tactics and experience launching coordinated attacks, so you don’t waste time and energy pursuing the former.
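The two lookups described above (where an address or block appears to be based and whether it has a history of illicit activity, followed by a block decision) can be scripted against whatever reputation data you hold locally. The following is an added example and is not Cyveillance code or an interface to the Cyber Threat Center: the feed records, the regions, the office-presence set and the block thresholds are all constructed for illustration (the networks come from the RFC 5737 documentation ranges, so none of them are real indicators). A real deployment would replace SAMPLE_FEED with records pulled from the organisation's own intelligence sources.

```python
"""Triage an IP address or CIDR block against a local reputation feed.

Added example, not Cyveillance code. Everything below is constructed:
the feed, the regions, the office set and the thresholds are assumptions
chosen to make the logic visible, not values taken from any real source.
"""
import ipaddress
from datetime import date

# Constructed sample feed. Networks are drawn from the RFC 5737
# documentation ranges, so no entry is a real indicator of compromise.
SAMPLE_FEED = [
    {"network": "198.51.100.0/24", "category": "malware_hosting",
     "first_seen": "2014-03-02", "last_seen": "2014-09-10", "region": "EU-WEST"},
    {"network": "198.51.100.77/32", "category": "phishing",
     "first_seen": "2014-08-21", "last_seen": "2014-09-20", "region": "EU-WEST"},
    {"network": "203.0.113.0/24", "category": "scanning",
     "first_seen": "2013-11-15", "last_seen": "2013-11-16", "region": "APAC"},
    {"network": "192.0.2.10/32", "category": "phishing",
     "first_seen": "2014-01-05", "last_seen": "2014-01-05", "region": "US-EAST"},
]

# Constructed: regions where the organisation has offices or staff, used to
# decide whether the physical security team should be told.
PHYSICAL_PRESENCE = {"EU-WEST", "US-EAST"}

BLOCK_MIN_SIGHTINGS = 2   # assumed policy: repeat offenders are blocked
ACTIVE_WINDOW_DAYS = 30   # assumed policy: anything seen recently is blocked


def _parse(value):
    """Accept a single address or a CIDR block and return an ip_network."""
    return ipaddress.ip_network(value, strict=False)


def lookup(value, feed=SAMPLE_FEED):
    """Return every feed record whose network overlaps the queried address/block.

    Using overlaps() rather than equality means a single address matches a
    listed /24 and a queried block matches any listed address inside it.
    """
    query = _parse(value)
    return [r for r in feed if _parse(r["network"]).overlaps(query)]


def assess(value, today, feed=SAMPLE_FEED, presence=PHYSICAL_PRESENCE):
    """Summarise the history of an address/block and recommend an action.

    `today` is an ISO date string; the recency check is relative to it.
    Returns a dict with sightings, categories, regions, recency, the
    recommended action and whether physical security should be notified.
    """
    today = date.fromisoformat(today)
    hits = lookup(value, feed)
    categories = sorted({r["category"] for r in hits})
    regions = sorted({r["region"] for r in hits})
    last_seen = max((date.fromisoformat(r["last_seen"]) for r in hits), default=None)
    days_since = (today - last_seen).days if last_seen else None

    if not hits:
        action = "no_history"
    elif len(hits) >= BLOCK_MIN_SIGHTINGS or days_since <= ACTIVE_WINDOW_DAYS:
        action = "block"
    else:
        action = "watch"

    return {
        "query": str(_parse(value)),
        "sightings": len(hits),
        "categories": categories,
        "regions": regions,
        "days_since_last_seen": days_since,
        "action": action,
        # Constructed proximity check: a listed region that matches one of
        # our office regions is enough to warn the physical security team.
        "notify_physical_security": any(r in presence for r in regions),
    }


def blocklist(values, today, feed=SAMPLE_FEED):
    """Return, in input order, the queried networks whose action is 'block'."""
    return [assess(v, today, feed)["query"]
            for v in values if assess(v, today, feed)["action"] == "block"]


if __name__ == "__main__":
    for q in ["198.51.100.77", "203.0.113.5", "198.51.100.0/25", "10.0.0.1"]:
        print(assess(q, "2014-09-26"))
    print("block:", blocklist(["198.51.100.77", "203.0.113.5"], "2014-09-26"))
```

The recommendation is deliberately coarse: a single old sighting yields "watch" rather than "block", because a one-off scan from a block that has since been reassigned is a weak signal, whereas repeated or recent activity on the same address is the "regular basis" pattern the text describes and is worth blocking at the perimeter.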
Who – or what – are they after?
Armed with the information above, you can make an informed guess about what the threat actor is likely to go after – trade secrets, intellectual property, money, access to credit card information, and so forth. A government-sponsored threat actor will likely be more interested in trade secrets or national security, while a threat actor associated with a group that fights for environmental awareness could be interested in disrupting business activities at physical locations. Based upon your research, you can alert either your information security team or your physical security team, or in some instances, both.
Finding attributes of threat actors is faster and easier when using a cloud-based all-in-one tool, like the Cyveillance Cyber Threat Center. Our new cloud-based platform allows you to collect web and social media information from thousands of sources, sort and filter it, and then cross-correlate it with information from our proprietary databases. It has everything you need in one place, which allows your analysts to distill information about attacks and attackers instead of spending their time collecting masses of data from multiple sources and trying to sort through it to find what’s important. Learn more and request a free trial today.