Free Reverse Deception: Organized Cyber Threat Counter-Exploitation by Sean Bodmer

grueling duties as “whack and tag a mole,” which is to detect and generate a signature for the active threat. Human counterintelligence teams look at threats and breaches as sourcing directly from adversaries to their organization as “whack, tag, and track a mole,” where detection, pattern recognition, and reuse come into play. This is how it should be across all organizations. Every threat or breach should be evaluated based on several weights, or criteria.
    The following is a list of the criteria that should be identified as quickly as possible in order to discern between a PT and an APT (well-funded threat):
Objectives The end goal of the threat, your adversary
Timeliness The time spent probing and accessing your system
Resources The level of knowledge and tools used in the event (skills and methods will weigh on this point)
Risk tolerance The extent the threat will go to remain undetected
Skills and methods The tools and techniques used throughout the event
Actions The precise actions of a threat or numerous threats
Attack origination points The number of points where the event originated
Numbers involved in the attack How many internal and external systems were involved in the event, and how many people’s systems have different influence/importance weights
Knowledge source The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive )
     
    Let’s talk about these nine primary points of observation, or observables , from a counterintelligence perspective. These observables can more often be discerned from each and every intrusion or threat that comes across the wire and enters a portion of the enterprise or systems you control. In a sense, they are a way of looking at all of the information you have at hand from a step-back approach that enables you to see things a little more clearly.
    Most organizations look at events after they have occurred, or “postmortem,” so the reactive mode repeatedly occurs after an intrusion has been detected by security professionals. Dealing with intrusions, whether advanced or persistent, can be highly difficult when simply focusing your operations on a reactive model. The following diagram breaks down what we have observed over the years. This diagram does not cover every organization, but it does illustrate the overall victim’s perceptions when handling a threat postmortem based on our professional experiences.

     
     
    As you can see, the most perceived observable is the objectives of the threat. What was stolen, taken, or modified is commonly perceived as the end goal. However, the totality of the breach needs to be measured in order to attempt to understand the end game of the adversary or attacker. By the time a security team responds to an attack after it occurs, the other pieces of the puzzle can become more convoluted and difficult to discern. Logs get lengthy, tools are disabled, and patterns are not recognized in time to understand the other observable details a threat can leave. These details are like a trail of bread crumbs. The observables can be combined into a concise report of the attacker’s overall motives and intent.
    All too often, stakeholders are concerned with simple remediation and cleanup after the fact, and then business goes back to usual. One of the major issues with this model is always being in reactive mode. You are not looking at what’s going on currently and what may be coming in the future. Always reacting to intrusions costs you nothing but headaches and money. Most organizations will simply rebuild a hard drive prior to examining the evidence on the host system.
    The waiting is the most painful part for most security professionals—waiting for the proverbial other shoe to drop. An intrusion is going to happen—it is just a matter of time. So let’s start talking about being proactive and establishing a model