Threat profiles are detailed descriptions of previous attacker activity that help security teams track and mitigate threats. The more intelligence teams gather about their threats, the better prepared they are to detect warning signs and prevent security incidents, especially when dealing with nation-state attacks.
Unlike traditional attacks that target a large network of victims, advanced state-sponsored attackers – who often have unrestricted access to resources – can spend months or more scouting, infiltrating and surveilling their targets.
“When you’re dealing with an advanced attack, there’s usually humans behind it that have an objective — and humans create patterns,” said Jon DiMaggio, author of The Art of Cyberwarfare, published by No Starch Press.
Many organizations may wonder if they even need threat profiles, as well as what are the chances of a nation-state targeting them.
In his book, DiMaggio explained why every organization should prioritize nation-state threats and detailed real-world attacks sponsored by China, Russia, Iran, North Korea, and the United States. He also offered technical advice on how organizations can protect themselves against advanced nation-state attacks.
Here, DiMaggio explains the importance of threat profiles, including who should create them and what they should include. He also discusses the importance of preparing for a nation-state attack, the main signs of such an attack and more.
Editor’s note: This text has been edited for length and clarity.
Who will benefit the most from reading your book?
Jon DiMaggio: The book is aimed at security professionals and those aspiring to join the industry. I wrote the first half of the book for anyone interested in nation-state attacks or organized government crime. The hope is that by discussing the history of nation-state attacks, readers will then turn to the second half of the book, which teaches how to find, track, and identify advanced threats.
I wanted to give readers the “why” upfront so there were no questions about how important this topic is. Seasoned security analysts see hundreds of thousands, if not millions, of reported threats every year, 90% of which are automated daily threats that arrive via email, bad websites, etc. The remaining 10% comes from advanced threats: attackers with targeted motives. I give concrete examples in my book to explain why we need to deal with and defend against these threats differently.
Have more organizations started prioritizing nation-state threats in recent months?
DiMaggio: Organizations are starting to treat these threats differently. However, all the headlines around ransomware have drowned out some of the attention on nation-state attacks – it’s like the tree falling in the woods no one hears. However, that has started to change recently with news from Ukraine and Russia.
As ransomware continues to make headlines, news of nation-state attacks continues to circulate. Some ransomware groups have started to copy the techniques of nation-state attacks. So, yes, people are starting to listen. The problem, however, is that there are still so many daily threat activities that distract from advanced threats. Organizations are starting to change their mindset, but there’s still a long way to go.
Are all organizations potential targets of a nation-state attack?
DiMaggio: Yes, absolutely. Nation states don’t just target big business. Imagine Company A is a technology supplier doing research and development for a defense contractor and sourcing a jet engine for a device it manufactures for the government. Company A sources the engine from Company B – which has nothing to do with defense contracts. Company B is three miles away from the actual target, but nation-state attackers are still breaking into its system in order to get closer to their primary target (the government).
Small organizations are easy targets because they don’t have the same funding and budgets for security as large enterprises. Attackers can take six months to a year to jump from company to company until they get to where they want to go. So, small, family-owned shops should take note.
What are the main signs that an organization has been attacked by a nation-state actor?
DiMaggio: First of all, nation-state attackers take time to profile their victims. Let’s say it’s a spear phishing email, for example. It would be tailored to the victim. This would be different from normal daily threats, where threat actors send out mass phishing messages hoping for a few clicks on the link.
Second, one aspect of the attack vector often involves someone related or affiliated with the victim. Threat actors can use LinkedIn, for example, to find a known ex-employee of the target so it appears as a legitimate interaction to the victim.
Third, the level of malware used by a nation-state is usually much more advanced than traditional cybercrimes, as nation-state attacks often have sufficient resources.
How can threat profiling help detect nation-state threats?
DiMaggio: Humans have preferences about tools and processes that security analysts can track over time, like nuances of code or malware or infrastructure they use. You can put all of this information into a one-page threat profile for your analysts, so when they say, “This doesn’t look like a normal attack; this sounds familiar,” analysts can compare the current attack to threat profile information. It’s a way to identify future attacks and it helps track bad actors you know nothing about over time.
Within an organization, who is responsible for establishing a threat profile?
DiMaggio: At a minimum, organizations should have someone who specifically focuses on advanced threats. Someone who won’t be distracted by the noise of daily security alerts. The individual must follow and familiarize themselves with the patterns in order to be able to detect future attacks.
What are the most important details to include in a threat profile?
DiMaggio: First of all, every bad actor will take on a persona — the identity an attacker claims to be. For example, Russian attackers created the Guccifer 2.0 persona when they hacked into the Democratic National Convention during the 2018 US presidential election. Attackers can change personas for different attacks, but often have different themes, similar backgrounds, languages or time zones. It’s good to track personas because even when threat actors change them, there’s usually a familiarity or common theme between them.
Also include the type of infrastructure used by the attacker in the threat profile. Tracking registration information used to be useful, but with all the privacy laws and protections, you don’t see much of that data. But you can still see what kind of infrastructure an adversary is using. There is often a theme, whether they sign up with the same provider or they use a common theme to name them. I saw new domains and immediately knew or had a good guess about who was behind the attack because the theme matched a group I had been following.
It is also important to identify and track custom malware. Nation-state attackers typically use custom malware; therefore, there is nothing else like it in the world. There will be unique aspects of malware that repeat themselves. It could take a year, or attackers could come up with a whole new version of the malware, but one aspect of its functionality will remain the same. We are lazy as people. We don’t want to start all over again. For example, I can use malware for a year and then modify it by 80% the following year. But I’m still going to reuse some components of it because I don’t want to write all the new code.
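The one-page threat profile DiMaggio describes (persona theme, infrastructure habits, reused malware components, working time zone) can be turned into something an analyst can actually compare a new incident against. The following is an added example, not code from the book or the interview; the profile fields, weights, group names, domains and malware strings are all constructed sample data, and the weighting scheme is an assumption.

```python
"""Score a new incident against one-page threat profiles (added example).
All profiles, indicators and the incident below are constructed sample data."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class ThreatProfile:
    name: str
    persona_themes: frozenset   # recurring words/handles in the personas they adopt
    providers: frozenset        # hosting providers they keep returning to (lowercase)
    domain_theme: str           # regex capturing their domain-naming habit
    malware_markers: frozenset  # strings/mutexes/exports that survive rewrites
    timezone: str               # working-hours time zone inferred from activity

@dataclass(frozen=True)
class Incident:
    persona: str
    provider: str
    domains: tuple
    malware_strings: frozenset
    timezone: str

# Assumed weights: reused malware components and infrastructure habits are the
# strongest signals; persona and time zone corroborate rather than decide.
WEIGHTS = {"persona": 0.15, "infra": 0.35, "malware": 0.40, "timezone": 0.10}

def score(profile: ThreatProfile, incident: Incident) -> dict:
    persona = incident.persona.lower()
    persona_hit = 1.0 if any(t in persona for t in profile.persona_themes) else 0.0
    theme = re.compile(profile.domain_theme, re.IGNORECASE)
    themed = sum(1 for d in incident.domains if theme.search(d)) / max(len(incident.domains), 1)
    infra = 0.5 * (incident.provider.lower() in profile.providers) + 0.5 * themed
    # Fraction of the profile's known markers that reappear: the components an
    # actor reuses even after rewriting most of the code.
    reused = len(profile.malware_markers & incident.malware_strings) / max(len(profile.malware_markers), 1)
    tz = 1.0 if incident.timezone == profile.timezone else 0.0
    parts = {"persona": persona_hit, "infra": infra, "malware": reused, "timezone": tz}
    parts["total"] = round(sum(WEIGHTS[k] * parts[k] for k in WEIGHTS), 3)
    return parts

def best_match(profiles, incident: Incident, threshold: float = 0.5):
    """Return (profile name, total) for the best-scoring profile, or (None, total)
    when nothing clears the threshold and the activity should be tracked as new."""
    ranked = sorted(((score(p, incident)["total"], p.name) for p in profiles), reverse=True)
    total, name = ranked[0]
    return (name, total) if total >= threshold else (None, total)

PROFILES = (  # constructed sample profiles
    ThreatProfile("SAMPLE-GROUP-A", frozenset({"bear", "guardian"}), frozenset({"hoster-x"}),
                  r"(secure|update)-?(mail|cloud)\d*", frozenset({"mutex_qz19", "RunTask", "x0r_loop"}), "UTC+3"),
    ThreatProfile("SAMPLE-GROUP-B", frozenset({"lion"}), frozenset({"hoster-y"}),
                  r"^cdn-", frozenset({"DllRegister2", "cfg_blob"}), "UTC+8"),
)
INCIDENT = Incident("GuardianBear2", "Hoster-X",  # constructed new incident
                    ("update-cloud7.example", "login.example", "securemail3.example"),
                    frozenset({"mutex_qz19", "x0r_loop", "newstage"}), "UTC+3")
```

Here the incident reuses two of three known malware markers and two of three domains fit the naming theme, so SAMPLE-GROUP-A scores 0.808 while SAMPLE-GROUP-B scores 0; an incident that clears no threshold is returned as unattributed so it can start its own profile.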