How to Catch a Cyber Culprit

Behind every investigation is a detective, tasked with combing through the trivial details at a crime scene to find the clues that count. Every good detective knows what evidence to look for first: fingerprints. Essential to identifying a culprit, fingerprints are the first step toward uncovering other important pieces of information—behaviors, intentions, motives, accomplices, related crimes—that can help crack a case.

This is true in threat hunting too, where understanding the adversary is critical. Gathering intelligence—such as what the attackers are most likely to do, who they are targeting and why, what they want to achieve, their go-to tactics and how they will react if detected—is the only realistic way to make smart decisions about how to defend our networks.

This starts with observing our enemies and their tactics, techniques and procedures (TTPs), even when they are attempting to cover their tracks. Leveraging network forensics, incident response processes and known facts from previous (or active) intrusions can provide a window into a threat actor’s activities and behaviors. With facts from controlled observations, teams can develop a hypothesis about how the adversary operates and the tools they use. Identifying patterns in activity and the typical targets of a specific adversary helps the team validate or refine the hypothesis. As adversaries evolve or change their TTPs and targets, the hypothesis should be refreshed.

Catching cyber culprits will always be a cat and mouse game. While attackers are becoming ever more sophisticated, it will continue to be difficult for them to completely hide their fingerprints. Defenders who are adept at web asset fingerprinting, and strategic about how they leverage the intelligence gathered from this approach, will have far more success in answering important questions about their adversary and blocking malicious infrastructure from their networks.
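The two ideas above, a hypothesis about an adversary's reusable infrastructure traits and web asset fingerprinting to test it against what we observe, can be shown in a small script. This is an added example written for this page, not iTM's tooling or any real case: the hypothesis values, hostnames, headers and favicon bytes are all constructed. A fingerprint is reduced to a few stable attributes (server banner, page title, favicon hash, header ordering) and each observed asset is scored by how many of the hypothesised attributes it shares, so a host whose title has changed still surfaces for review rather than being missed outright.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class WebAsset:
    """One observed HTTP endpoint (all values constructed for this example)."""
    host: str
    headers: Dict[str, str]   # response headers in the order the server emitted them
    html_title: str
    favicon: bytes


def fingerprint(asset: WebAsset) -> Dict[str, object]:
    """Reduce a response to the stable, comparable attributes defenders pivot on."""
    return {
        "server": asset.headers.get("Server", "").lower(),
        "title": asset.html_title.strip().lower(),
        # Hash the favicon so we compare a short stable value, not raw bytes.
        "favicon_sha256": hashlib.sha256(asset.favicon).hexdigest(),
        # Header order is a cheap tell for a particular server build or stack.
        "header_order": tuple(k.lower() for k in asset.headers),
    }


# Hypothesis built from a constructed earlier intrusion: the actor reuses one
# web-server build, one page title, one favicon and one header ordering.
KNOWN_FAVICON = b"constructed-favicon-bytes-from-prior-intrusion"
HYPOTHESIS: Dict[str, object] = {
    "server": "nginx/1.18.0",
    "title": "login",
    "favicon_sha256": hashlib.sha256(KNOWN_FAVICON).hexdigest(),
    "header_order": ("server", "content-type", "x-powered-by"),
}


def score(observed: Dict[str, object], hypothesis: Dict[str, object]) -> Tuple[float, List[str]]:
    """Fraction of hypothesised attributes the observed fingerprint shares, plus which ones."""
    matched = [k for k, v in hypothesis.items() if observed.get(k) == v]
    return len(matched) / len(hypothesis), matched


def triage(assets: List[WebAsset], hypothesis: Dict[str, object] = HYPOTHESIS,
           threshold: float = 0.75) -> List[Tuple[str, float, List[str]]]:
    """Return (host, score, matched attributes) for assets at or above threshold, best first."""
    results = []
    for asset in assets:
        s, matched = score(fingerprint(asset), hypothesis)
        if s >= threshold:
            results.append((asset.host, s, matched))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed observations: a full match, a partial match (title changed) and an unrelated host.
SAMPLE_ASSETS = [
    WebAsset("host-a.example",
             {"Server": "nginx/1.18.0", "Content-Type": "text/html", "X-Powered-By": "PHP/7.4"},
             "Login", KNOWN_FAVICON),
    WebAsset("host-b.example",
             {"Server": "nginx/1.18.0", "Content-Type": "text/html", "X-Powered-By": "PHP/7.4"},
             "Welcome", KNOWN_FAVICON),
    WebAsset("host-c.example",
             {"Server": "Apache", "Content-Type": "text/html"},
             "Home", b"unrelated-favicon"),
]

if __name__ == "__main__":
    for host, s, matched in triage(SAMPLE_ASSETS):
        print(f"{host}: score {s:.2f}, matched {matched}")
```

The threshold of 0.75 deliberately tolerates one attribute drifting, which is how the "refresh the hypothesis" step plays out in practice: a host that matches on server build, favicon and header order but carries a new title is a candidate for review, and if several such hosts appear, the hypothesis itself is updated rather than the host dismissed.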

iTM covers all aspects of cybersecurity, from home cyber security managed solutions to automated, managed threat intelligence, forensic investigations and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey.