Unmasking a bad actor at an individual level will help organizations gain more context, figure out why the attack happened, and calculate future risk.
Threat actors are selling employee credentials and private access keys to critical business applications in increasing numbers. To stop these incidents from escalating into full-fledged breaches that damage the company's credibility, organizations must respond quickly and maintain visibility beyond their own perimeter. External threat hunting, forensics, and the unmasking of actors using open-source intelligence (OSINT) are the usual means of doing so. Identifying the actor goes a long way toward deciding whether the organization is a target of opportunity or the victim of a targeted attack.
Organizations should take the following three measures to preserve the confidentiality, integrity, and availability of their data and systems.
Three Strategies for Organizations
Internal and External Triage
Maintaining the confidentiality, integrity, and availability of data and systems should be the top priority, and the first step is identifying the source of the leaked credentials. If a third-party vendor or law enforcement made the initial contact, they will often have obtained the offered user credentials or private keys from their direct dealings with the threat actor; the security team should request that material so it can be matched against internal accounts.
The account names of the forum members trying to sell the credentials are usually already known to law enforcement. Once the security team has gathered this data, it can investigate the threat actors to determine their technical capabilities and how active they are in underground forums. The dark-web seller, for example, is often not the same person as the intruder who gained access to the environment, and may have far less technical capability.
The extent of the harm is always unclear at this point in the investigation, so the response proceeds along three lines: 1) removing the unauthorized access, 2) determining the extent of the damage, and 3) deciding whether the threat warrants unmasking the actors in order to learn more about the attack.
Unauthorized Access Must Be Removed
Once the leaked credentials have been validated, reset, and the affected account access revoked, security teams must assess the damage. This means determining whether data was accessed or exfiltrated and looking for evidence of unauthorized access, malicious tooling, lateral movement, and malware deployment. Combining two-factor authentication, thorough logging, a data acquisition strategy, endpoint and network monitoring, and patch management makes it far less likely that stolen credentials escalate into a full-blown breach.
It is critical to conduct external threat detection and, where appropriate, threat actor engagement in response to a particular attack, to decide whether the actors are attempting to manipulate or monetize the security incident. Revealing the attacker's identity may not be appropriate at this stage. If the assessment concludes that the attackers obtained access through passwords re-used from a third-party site, password spraying until a valid password was found, or a password re-used from a prior data breach, the actor is more likely an opportunist and further malicious activity within the environment is less likely, though this should be confirmed against the logs rather than assumed.
On the other hand, if the investigation leads the security team to believe that the attack was carried out by an insider or former employee, unmasking and identification provide crucial context, allowing the security team to prevent further compromise and potentially take legal action.
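The distinction drawn above between password spraying and a re-used password only holds if the authentication logs actually show the access pattern, so the assessment should be backed by the log evidence. The following is an added example, not code from the original article, that runs a simple spray heuristic over a constructed authentication log: it groups attempts by source address and flags sources that fail thinly across many accounts (a few attempts per user, many users) inside a short window, then reports any account that source did log into. The log format, field names, thresholds, and addresses are all assumptions made for the illustration. A credential-stuffing run from a prior breach dump produces a similar many-accounts, few-attempts pattern and is caught by the same logic; telling the two apart requires the password material itself, not just the log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data). The first source tries
# one password against many accounts and finally succeeds; the second source is
# a user mistyping their own password twice, which is not a spray.
SAMPLE_LOG = """\
2021-03-12T02:14:07Z src=203.0.113.7 user=alice result=FAIL
2021-03-12T02:14:09Z src=203.0.113.7 user=bob result=FAIL
2021-03-12T02:14:11Z src=203.0.113.7 user=carol result=FAIL
2021-03-12T02:14:13Z src=203.0.113.7 user=dave result=FAIL
2021-03-12T02:14:15Z src=203.0.113.7 user=erin result=FAIL
2021-03-12T02:14:17Z src=203.0.113.7 user=frank result=OK
2021-03-12T02:20:00Z src=198.51.100.4 user=alice result=FAIL
2021-03-12T02:20:05Z src=198.51.100.4 user=alice result=FAIL
2021-03-12T02:20:10Z src=198.51.100.4 user=alice result=OK
"""

# Assumed line format: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_password_sprays(events, min_users=5, max_fail_per_user=2, window_s=900):
    """Return {src: summary} for sources whose failures are spread thinly
    across at least min_users accounts within window_s seconds.

    Thresholds are illustrative assumptions; tune them to the real log volume.
    The window is a simple bound on the whole burst, not a sliding window, so a
    slow spray stretched over hours would need a larger window_s to be caught.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if span > window_s:
            continue

        # Count failures per account for this source.
        fails = defaultdict(int)
        for ev in evs:
            if ev["result"] == "FAIL":
                fails[ev["user"]] += 1

        # Spray signature: many distinct accounts, each hit only a few times.
        # A user retrying their own password fails on one account many times
        # and does not match.
        if len(fails) < min_users or max(fails.values()) > max_fail_per_user:
            continue

        # Any success from a spraying source is a compromised account to reset.
        compromised = sorted(ev["user"] for ev in evs if ev["result"] == "OK")
        findings[src] = {"users_tried": len(fails), "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, summary in find_password_sprays(parse(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {summary['users_tried']} accounts, "
              f"compromised={summary['compromised']}")
```

In the sample, 203.0.113.7 is reported with five accounts tried and `frank` compromised, while 198.51.100.4 is ignored because all its failures land on a single account. The compromised list is what feeds the "remove unauthorized access" step: those accounts are reset first, and their sessions and tokens revoked, before the wider damage assessment continues.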
Unmasking the attacker at an individual level helps the organization gain more insight, understand why the attack happened, and measure the potential danger if the company is the victim of a targeted attack rather than a target of opportunity. Reaching that decision does not have to be a time-consuming process.
Over the last decade, attribution has mostly been performed at the nation-state or group level, but depending on the attack context, individual attribution is becoming increasingly essential. Maintaining the network's confidentiality, integrity, and availability through perimeter and internal visibility remains important, but having the same visibility beyond the firewalls matters more and more.