In this week’s bulletin, Charlie discusses the questions organisations should be asking when responding to a cyber-attack, including how the attacker got into the system and what their motives could be.
When organisations are the subject of a cyber-attack, many of the plans I have seen do not include a set of questions or a checklist to remind the crisis team to get information from those managing the technical recovery, and information about the attacker. This could be done as part of the technical response team’s recovery actions, but it may not be given the importance and urgency it requires. I also think it is important that crisis teams are aware of cyber threat intelligence: what it is, and how understanding the attacker and their motives can help the team shape its response. It must be noted that not all the answers will be available immediately, but crisis teams should press for information as soon as it is available; even small indicators will help guide the response.
So, what are the questions they should be asking?
1. What was the attack?
There are many different types of attack, and the type may indicate who carried it out and what they are trying to achieve. The malware used may point to a particular attacker. This is especially true of ransomware, where the malware family, the file extension it appends and the format of the ransom note often carry the fingerprint of a particular gang. One caveat: many ransomware operations are run as ransomware-as-a-service, so the family identifies the operation whose software was used, not necessarily the affiliate who actually broke in.
2. Who has carried out the attack?
Understanding the threat actor helps you understand their motive, and therefore what they are likely trying to achieve by the attack.
Possible ‘whos’ are:
- Cybercriminals – this could be a known criminal gang or an unknown entity who has not been seen before.
- Nation-states or state-sponsored groups
- Hacktivists
- Terrorist groups
- Insider threats
3. Do we know what the attacker’s motive is or appears to be?
I have not set out this list of motives as a table, because the individuals and groups carrying out attacks do not always follow hard and fast rules. Although you might assume cybercriminals are always after money, this is not always the case: they may be carrying out a revenge attack, or acting on behalf of a nation-state.
Possible motives could be as follows.
- Money / profit
- Punishment or revenge
- Spreading disinformation and conspiracies
- Sowing / stirring up discontent
- Cyber warfare / conflict
- Sowing fear
- Disruption of infrastructure
- Because they can or to show off to others
- Promotion / drawing attention to a cause
- Making a point e.g., your organisation’s security is poor, and it should be improved.
Note: if you receive a ransom note, the attacker’s motive and identity may be fairly obvious, though what the note claims should still be checked against other evidence (see question 9).
4. What was targeted?
Again, what was targeted may indicate what the attacker was trying to achieve. A defacement of your website may be the work of a hacktivist, while an attack that intercepts and alters payment instructions is likely to be aimed at stealing money. If data has been stolen, this could be to extort you with the threat of publishing it, or it could be espionage by a nation-state.
5. Is this attack aimed at us or are we collateral damage in a wider attack?
NotPetya, widely described as the most costly cyber-attack to date, was not aimed at the organisations it damaged most, such as Maersk or DLA Piper. It was spread through a compromised update of Ukrainian accounting software, and the UK and US governments attributed it to the Russian military as an attack on Ukraine. The organisations affected outside Ukraine were mainly collateral damage. If only your organisation is affected by the attack, then question 3, the motives of the attackers and what they were trying to achieve, becomes very important.
6. How did they get into our system?
If the attack exploited a known vulnerability or an unpatched system, the organisation may well be seen as responsible, and it is harder to defend its reputation. Nation-states often have very skilled cyber personnel and the money, patience and skills to penetrate most systems, so being attacked by a nation-state is easier to defend reputationally. Note, though, that the two are not exclusive: nation-state actors routinely exploit known, unpatched vulnerabilities, so a nation-state attribution does not remove the question of why the patch was missing.
7. What is the attacker’s modus operandi?
If the attacker is one of the known cybercriminal gangs, there is a lot of public information available about them: what their motives are, whether they keep their word, and whether they have a standard way of conducting their attacks. If you report the attack to law enforcement, they may be able to give you additional confidential information that is not in the public domain. This could include: whether decryption keys are available (publicly released keys are collected by the No More Ransom project), whether ransoms have been paid in the past, who they are linked to, and whether there is any chance of law enforcement apprehending them.
8. How long might they have been in your system?
The longer they have been in your system, the more likely it is that data has been exfiltrated, and the more you may have to explain why your systems did not detect them. Dwell time also determines how far back you have to go to find backups you can trust: any backup taken after the initial intrusion may already contain the attacker’s tools or persistence mechanisms.
9. What else could be happening and are our initial impressions right?
Cyber-attacks are not always what they seem. The attacker and their motives may appear obvious, but there are many cases of attackers deliberately making an incident look like a different type of attack, or like the work of a different threat actor, as a smokescreen for achieving something else. In series 2 of the BBC’s The Lazarus Heist, the Lazarus Group tried to use the code and coding quirks of a Chinese hacking organisation to mask their own involvement in a cyber-attack.
I think educating senior managers and members of the crisis team on the importance of threat intelligence is vital. They may not be aware of how much information is available on cyber-attacks and who is carrying them out. The more they know about who the attacker is, how they work and what they are trying to achieve, the better they can use that information to frame their response. So, in your next exercise or training session, include something on threat intelligence.