that provides the security professional a better understanding of the state of threats, adversaries, and intrusions.
To be proactive, you employ tools and tactics within your operational boundaries that increase your ability to detect, identify, track, and counter PTs and APTs. There are tools and methods available both commercially and publicly (which does not necessarily mean free) that, combined, can assist a security professional in establishing a definitive list of observable traits of a threat. The following is a chart that we use when working with customers to define the value added to a security program by our recommended tools and tactics.
As you can see, there is a significant difference between the postmortem and proactive breakdowns in the two pie charts shown here. These charts are based on solved cases where attribution via intrusions was successful and led either to the identification or apprehension of the individual or group behind the threat. Although charges may not have been brought against the perpetrators, intelligence dossiers have been built and are being maintained by intelligence and law enforcement agencies around the world.
Now, when looking at the analysis breakdown after each example of the overall approach to adversary analysis, you should see that we are drilling down on more than one observable that most professionals are generally unable to quantify when operating in a postmortem or reactive model. Please understand that even when you are being proactive and actively countering your threats and adversaries, you will eventually get hit by something or someone out of the blue and end up in postmortem mode. However, by reading this book thoroughly, when these moments do occur, you, your team, and your staff will be more prepared and empowered with the tools and tactics to counter advanced and persistent threats.
Examples of Advanced and Persistent Threats
In order to convey the severity of advanced and persistent threats, we’ll take a look at some of the more prominent ones that have made it into the public eye over the past several years. We will walk through each one, and introduce some concepts and principles that are core to identifying what type or level of threat you are up against. As you read earlier, you can generally relate an APT to a highly funded and backed organization, which is just as likely to be found in a PT. It is simply a matter of attributing the who, what, when, where, and why behind each intrusion.
Sometimes, the only way to understand a threat is to have it placed right in front of you for all the world to see. The lengths, depths, and brass balls of some of these examples—from not only an advanced perspective but also a highly persistent perspective—may not blow your mind, but will certainly raise your blood pressure.
As we revisit and briefly examine some of the more frequently mentioned APTs that have been publicly disclosed, we will not get into the politics of it all, point fingers, or divulge any information that is not publicly available or has not been previously mentioned in public forums. We will simply look at the publicly disclosed information about these events in order to introduce, illustrate, and convey why it is important to identify advanced and persistent threats as soon as possible. We will also show the nine observable points mentioned earlier in this chapter for each threat.
Note that in many of these examples, the activity had been ongoing for more than a few years, and there had been little to no success by the defenders in publicly attributing any associated individuals or groups with the series of events, because the attackers did not need to follow any rules or laws.
NOTE
Some of you may sit back and freak out that we’re mentioning this information, but trust in knowing everything is either publicly available or has been properly reviewed prior to publication. Some of you may coyly smile, knowing you were behind one or more