Victimology:  in the shoes of a cybersecurity analyst

Steve Rivers, International Technical Director, ThreatQuotient
Steve Rivers, International Technical Director, ThreatQuotient
5 years ago

A recent report from the government showed that 32% of businesses identified a cyber security attack in the last 12 months, and one of the most common attacks is spear-phishing – which involves sending targeted sophisticated emails to fool the victims. When a threat arises, the security team role is to investigate and determine the reality of an attack and its severity. This investigation makes it possible to set up a plan to defeat the offensive and, generally, better protect against certain type of attacks.

One of the ways to investigate when a situation such as this happens is called victimology. This process allows security teams to quickly determine if they are dealing with a targeted offensive against businesses or traditional phishing.

To explore this type of investigation, we’ll take the example of a protection system indicating in its alerts that it has blocked six spear-phishing attacks from the same sender, over a period of 45 days.

Victimology: identifying the motives and target of the attack 

The first step is to understand who these e-mails were targeted at. As the head of the investigation does not necessarily know all the company’s employees, their identities – including their title, position, manager’s name, geographical location, etc – should be imported in a Threat Intelligence Platform (TIP).  There are several ways to build this list; they range from simple export from Active Directory to script that automatically inject data into the TIP via an Application Programming Interface (API), using standard software fields like PeopleSoft.

With this set of data, it becomes easier to spot the similarities between the recipients of this spear-phishing campaign. An example would be they all work in the financial department. Therefore, a custom-designed attack against employees of that enterprise means the attackers motivation would be financial.

Conduct a technical analysis to know which countermeasures to deploy 

The second step is a technical analysis of the attack. The timestamp of each event is sometimes a hint: if e-mails are sent at the same time of day, we can deduce that a script was programmed by an assailant who attacks on a substantial scale, which would mean that said company is only one target amongst a larger campaign. If this is not the case, it means that the company occupies all the attention of the attacker and that they are all the less likely to throw in the towel.

The detailed analysis of the recipients can also reveal interesting points. For example, it may be that one of them only appears several days after the attacks began and that, according to HR, he was not part of the financial team before that. Here, the opponent keeps up to date on the employees.

E-mail scanning allows you to know if radically different content is being used for each dispatch, including attached items, vulnerabilities they address, and/or malicious code they embed. If this content evolves, it means that the attacker changes techniques to test the defences of the company and it is likely that he will continue to do so. Note that it is difficult to say if the attacker is only one person with a large arsenal of offensives or several pirates each with a specialty, but it is a safe bet that attacks are co-ordinated.

This technical analysis enables to make arrangements when facing an attack. The company is in fact able to know how to make the teams aware, how to clean the posts, what technical countermeasures to put in place and better prioritise its vulnerabilities.

The perspectives brought by the investigation 

The investigation does not stop there. As the attack is obviously targeted, it will be necessary to compare the next spear-phishing attempt to those studied here and determine whether the attacker is still targeting the company and if the techniques used are the same.

As part of this example, the next spear-phishing e-mails will be integrated into a Threat intelligence platform and it is likely that future correlations are discovered, if for example we could see that the assailant began targeting the HR team.

Ultimately, this investigation has revealed that the company had an opponent and had to redirect its strategy to defend against them. Such investigation gives tangible elements to reassemble information at the highest level and thus raise awareness throughout the company.