Have you ever wondered who the attackers in cyber espionage actually are, i.e. which entities cause the security incident and who is responsible for the data theft? Attackers are generally divided into internal and external. External attackers come, as the name suggests, from outside the organization itself. Internal attackers come from within the company and should not be ignored: they enjoy a degree of trust and privilege that comes with their role. Partner attackers, or associates, are third parties that share a business relationship with the organization and, unlike external attackers, also enjoy certain privileges and the trust of the company.
Why companies are mostly unaware of espionage
Interestingly, the companies and organizations that fell victim to cyber espionage were generally not even aware of the attack. Most often it is external parties that reveal it, and that trend held throughout the period covered by the Verizon report on cyber espionage. What makes this type of attack distinctive is that it lets attackers gather a great deal of information while remaining unnoticed for a long time. The questions, then, are how organizations around the world can shorten the time it takes to detect spies, that is, how to learn of an attack quickly enough that as little information as possible leaks to the attackers; how to stop relying on outside parties to detect an attack; and whether an attack can be detected as it begins, if not before. These are the issues our team of private investigators in the cyber espionage sector has been working on for years.
A few tips for better attack detection
Asking these questions has led to some innovation in detection technology, but the detection problem itself remains. The reason it persists in the age of modern technology is that new detection techniques still require the company to have some security basics in place: a baseline of normal network activity, a defined tolerable level of security incidents, and a specification of when, and under which conditions, the system raises an alert. Let's be honest: many companies still do not have these today. Before investing in new technology, an organization must identify and verify that the very foundations of its cyber security are solid and in place. One way to do this is to adopt a Capability Maturity Model (CMM) approach, originally created to improve software development processes, which relies on measuring, controlling and regularly updating documentation and processes so that unknowns are eliminated. During investigations of hacker attacks, key data (above all complete logs) is unfortunately often unavailable. In the end it boils down to the same thing: the lack of information not only hinders the investigation itself but gives attackers easy opportunities to find and access sensitive information.
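As an added illustration (not code from the original article), the following Python script builds the first two of those basics for one kind of data: a per-host baseline of outbound network volume and known destinations, learned over a week of constructed flow summaries, and an explicit, written-down alert rule applied to the next day. The hosts, destinations and byte counts are constructed sample data, and the threshold (mean plus three standard deviations, with a minimum absolute volume) is an assumption chosen for the example; a real deployment would learn from NetFlow, IPFIX or proxy logs and tune the threshold per network segment.

```python
"""Added example (not from the original article): a minimal network-activity
baseline with an explicit alert threshold, the two "security basics" the
text says must exist before detection technology can help.

Inputs are constructed flow summaries (one record per day, internal host and
external destination); a real deployment would feed NetFlow/IPFIX or proxy
logs instead.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (day, internal host, external destination, bytes out).
# Days 1-7 are the learning period; day 8 is the day under review.
FLOWS = [
    (d, "ws-017", "cdn.example-updates.net", 40_000 + 5_000 * (d % 3)) for d in range(1, 8)
] + [
    (d, "ws-017", "mail.example.com", 20_000 + 1_000 * (d % 2)) for d in range(1, 8)
] + [
    (d, "srv-db-02", "backup.example.com", 900_000 + 50_000 * (d % 4)) for d in range(1, 8)
] + [
    # Day 8: a workstation suddenly pushes 50 MB to a never-seen host (exfiltration pattern).
    (8, "ws-017", "cdn.example-updates.net", 42_000),
    (8, "ws-017", "203.0.113.77", 50_000_000),
    # Day 8: the backup server behaves as usual.
    (8, "srv-db-02", "backup.example.com", 950_000),
]


def build_baseline(flows, learn_days):
    """Per-host baseline: mean/stdev of daily bytes out and the set of known destinations."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes out
    dests = defaultdict(set)                         # host -> destinations seen
    for day, host, dst, nbytes in flows:
        if day in learn_days:
            daily[host][day] += nbytes
            dests[host].add(dst)
    baseline = {}
    for host, per_day in daily.items():
        # Days with no traffic count as zero so a quiet host keeps a low baseline.
        values = [per_day.get(d, 0) for d in learn_days]
        baseline[host] = {"mean": mean(values), "stdev": pstdev(values), "dests": dests[host]}
    return baseline


def detect(flows, baseline, day, k=3.0, min_abs_bytes=1_000_000):
    """The alert policy, written down explicitly (assumed values for the example):
    alert when a host sends more than mean + k*stdev of its baseline (and at least
    min_abs_bytes, so chatty-but-tiny hosts do not page anyone), or when it talks
    to a destination never seen during the learning period."""
    alerts = []
    today = defaultdict(int)
    for d, host, dst, nbytes in flows:
        if d != day:
            continue
        today[host] += nbytes
        known = baseline.get(host, {}).get("dests", set())
        if dst not in known:
            alerts.append((host, "new-destination", dst))
    for host, total in today.items():
        b = baseline.get(host)
        if b is None:
            alerts.append((host, "unbaselined-host", total))
            continue
        threshold = b["mean"] + k * b["stdev"]
        if total > threshold and total >= min_abs_bytes:
            alerts.append((host, "volume", total))
    return alerts


if __name__ == "__main__":
    base = build_baseline(FLOWS, learn_days=range(1, 8))
    for alert in detect(FLOWS, base, day=8):
        print(alert)
```

Run as is, the script raises two alerts for ws-017 (a new destination and a volume spike) and none for the backup server, whose day-8 volume sits inside its learned range. The point is less the arithmetic than the fact that the baseline and the alert condition exist as explicit, reviewable artifacts rather than living in an analyst's head.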
How to avoid cyber attacks
One way to address this problem is to strengthen detection capabilities while using the latest techniques to avoid attacks. What security experts advise organizations to do in such cases is to urgently work on defenses against cyber espionage, such as deception techniques (decoy systems and decoy data) designed to mislead potential spies. Although the situation is still far from perfect when it comes to detecting cyber spies in the business world, some progress has been made in the last few years in the detection and prevention of possible attacks. It is important to remember, however, that even the latest technologies will not help much if you do not have established security practices and enough qualified staff to manage them. This means that before investing in technology, invest first in people and their training. It is also necessary to ensure the availability of key data by reducing the incidents that lead to lost logs and poor data availability, for example by collecting logs centrally rather than leaving them only on the systems an attacker may wipe. It is advisable to move to more sophisticated protection systems and methods based on automation, artificial intelligence and machine learning, but not before hiring experienced professionals who know how to manage such technology.
What methods to use?
When it comes to methods of detecting cyber spy attacks, the most effective is the detection and analysis of suspicious network traffic, which successfully detected attacks in 48 percent of cases. Interestingly, the second most effective method of detecting cyber espionage is antivirus tooling, which detected attacks in 23 percent of cases. These are, of course, more advanced antivirus platforms, somewhat more sensitive to potential malware than the tools intended for ordinary users, but it is still an impressive statistical result.
What are the motives of the cyber attacker?
Identifying an attacker is a process with many challenges, since attackers put tremendous effort into masking their activities and remaining anonymous, most often by spoofing IP addresses and email addresses. When it comes to cyber spy attacks, the vast majority (85 percent) of attackers work for various states. In second place, with a 4 percent share of cyber espionage, are attackers linked to organized crime, while former employees are responsible in only 2 percent of cases. This is somewhat surprising given how often we read about protection from corporate espionage involving former employees. But it brings us to one of the biggest problems in handling cyber spy incidents: the identification of attackers is complicated and can often be wrong. A digital forensic investigation should primarily focus on answering six questions: who, what, where, when, how and why? The problem is that some of these questions are sometimes impossible to answer, because actors in the field of cyber espionage are very good and experienced at hiding their traces and identities. Cyber security reports that attribute an attack on the basis of technical data such as IP addresses alone may therefore be inaccurate and mislead security experts.
False clues
The increasingly advanced malware used by attackers, which can imitate the activities and forge the technical traces of parties that have nothing to do with the attackers, also contributes to this. Private investigators in the field of cyber investigation do not rely on such reports, especially today, when there are significant tensions between different political blocs and states. To make it more interesting, there are also so-called false flag cyber spy attacks, in which the attackers want to create the impression that a particular state or organization is responsible. Laws and regulations in individual countries can also contribute to the misidentification of attackers: inadequate rules on corporate cyber security, and on the protection of the information systems of public institutions and organizations, make it easier for attackers to mask their activities. The same is true of regulations on the use of cryptocurrencies. There is also the Tor network for anonymous browsing and for reaching content on the dark web, which, alongside a number of positive uses, gives the attacker an extra layer of identity hiding. And finally, even when cyber spies are properly identified, there are difficulties in prosecuting them, as in most cases they are protected by certain states.
How to defend yourself from cyber espionage?
Advanced hackers in the field of cyber espionage sometimes use fileless attack methods, in which the malicious code runs only in memory and never touches the disk, which, combined with previously unknown (zero-day) vulnerabilities in the network, makes such campaigns very dangerous and difficult to defend against. Defenses against cyber espionage include network segmentation: placing the Internet-facing infrastructure, server farms, internal user networks and administrative networks in separate VLANs with filtering between them, so that a potential attacker who gets into one segment finds it difficult or impossible to explore the rest of the network. Multifactor authentication should be required for all administrator access, and systems should be configured to alert the security team each time someone logs in to an emergency-access (break-glass) account, since such accounts are used rarely and any use of them deserves a second look.
The knowledge of our cyber investigators is crucial in investigations
Investigating a cyber spy campaign differs from investigating a standard cyber security incident. The motive for the detected attack is mostly the theft of intellectual property. Before the investigation proper, our experts first collect network topology data and talk to network and system administrators to identify possible attack channels. They then collect logs from various sources to analyze the activity of employees and applications, something that should in any case be done from time to time, regardless of whether the organization suspects it is under attack. One of the key objectives of any investigation is to identify the attacker's initial entry points into the infrastructure, whether that was an Internet-facing application, stolen credentials used to log in to a specific account, or phishing emails. Of these, the most common starting point for cyber spy campaigns was phishing email, which is far more carefully crafted than that seen in ordinary hacker attacks. By identifying the attacker's targets, capabilities and methods, security teams can build attack models and better prepare their defenses. A major problem for security professionals is that cyber spy campaigns often use valid credentials and legitimate tools already present in the target company, such as those for network mapping and remote access, so that the activity blends in with ordinary administration. Our team therefore uses advanced platforms to analyze and detect any irregularities within the organization's systems and infrastructure.
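The break-glass login alert recommended under "How to defend yourself from cyber espionage" and the detection of legitimate tools driven by valid credentials described just above can both be implemented as simple rules over authentication and process-execution logs. The following Python script is an added example, not the investigators' own tooling: the log format, account names, administrative network range and tool list are assumptions made for the example, and the log lines are constructed.

```python
"""Added example (not part of the original article): two detections the text
recommends, implemented as rules over constructed log lines.

1. Every login to an emergency-access (break-glass) account raises an alert,
   whether or not the authentication succeeded.
2. Execution of a legitimate network-mapping or remote-access tool by a user
   who is not an approved administrator, or from a host outside the admin
   network, raises an alert. Valid credentials plus "living off the land"
   tooling is exactly the pattern the text says blends into normal activity.

The log format, account names, network range and tool list are assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed inventory. In practice this comes from IAM and the CMDB, not from code.
BREAK_GLASS_ACCOUNTS = {"svc-emergency-admin", "breakglass-root"}
APPROVED_ADMINS = {"j.keller", "m.rossi"}
ADMIN_NETWORK = ip_network("10.10.50.0/24")
DUAL_USE_TOOLS = {"nmap", "masscan", "psexec", "anydesk", "teamviewer", "mstsc", "plink"}

# Constructed sample log in an assumed "timestamp kind key=value ..." format.
SAMPLE_LOG = r"""
2024-03-04T01:58:12Z auth host=jump-01 user=j.keller src=10.10.50.12 result=success
2024-03-04T02:03:40Z proc host=jump-01 user=j.keller src=10.10.50.12 exe=nmap args="-sn 10.10.60.0/24"
2024-03-04T02:13:07Z auth host=jump-01 user=svc-emergency-admin src=10.10.80.33 result=success
2024-03-04T02:20:41Z proc host=ws-017 user=a.meier src=10.10.80.33 exe=PsExec.exe args="\\srv-db-02 cmd"
2024-03-04T02:21:05Z proc host=ws-017 user=a.meier src=10.10.80.33 exe=winword.exe args="report.docx"
2024-03-04T02:25:19Z auth host=vpn-01 user=breakglass-root src=198.51.100.7 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>auth|proc)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in an unknown format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["ts"] = m.group("ts")
    fields["kind"] = m.group("kind")
    return fields


def check_break_glass(ev):
    """Rule 1: any login attempt to a break-glass account is reportable, success or not."""
    if ev["kind"] == "auth" and ev.get("user") in BREAK_GLASS_ACCOUNTS:
        return (f"break-glass login ({ev.get('result')}) by {ev['user']} "
                f"on {ev.get('host')} from {ev.get('src')}")
    return None


def check_dual_use_tool(ev):
    """Rule 2: dual-use admin tooling run outside the approved admin users or admin network."""
    if ev["kind"] != "proc":
        return None
    exe = ev.get("exe", "").lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe not in DUAL_USE_TOOLS:
        return None
    reasons = []
    if ev.get("user") not in APPROVED_ADMINS:
        reasons.append("non-admin user")
    try:
        if ip_address(ev.get("src", "")) not in ADMIN_NETWORK:
            reasons.append("outside admin network")
    except ValueError:
        reasons.append("unparseable source address")
    if reasons:
        return (f"{exe} run by {ev.get('user')} on {ev.get('host')} "
                f"from {ev.get('src')}: {', '.join(reasons)}")
    return None


def run_detections(lines):
    """Apply both rules to every parseable line; returns (timestamp, rule name, message)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in (check_break_glass, check_dual_use_tool):
            msg = rule(ev)
            if msg:
                alerts.append((ev["ts"], rule.__name__, msg))
    return alerts


if __name__ == "__main__":
    for ts, rule, msg in run_detections(SAMPLE_LOG.splitlines()):
        print(ts, rule, msg)
```

On the sample log the approved administrator running nmap from the admin network produces nothing, while the two break-glass logins and the PsExec run by an ordinary user from a user workstation are each reported. The second rule is deliberately about context (who, from where) rather than about the tool itself, because the tool is legitimate by definition; that is what makes this class of activity invisible to signature-based controls.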
Tips for responding to an attack
Once an attack becomes known, the first and most important step is to establish how it was actually discovered. Next, determine how the attacker gained access to the organization's network infrastructure, looking for common vectors such as targeted phishing emails that aim to entice the recipient to run malicious software. The last, but no less crucial, step is to identify the measures the company will have on hand when a similar attack occurs, so that it can get back on its feet and recover as quickly as possible.
Private Investigator Switzerland
Schaffhauserstrasse 550., Postfach,
CH-8050 Zürich
Switzerland