Defending a network is not purely a technical exercise. An organisation can gain a tactical advantage from knowing who its adversaries are likely to be and the types of attack it is likely to face; this helps focus mitigation measures and monitoring activities. Ideally, threat assessments should be conducted before a problem is identified, giving the organisation an opportunity to counter the threat before an incident occurs. For the most part, however, Context investigates threats post-incident. Being able to attribute attacks to specific threat actors is important to the organisation. Understanding why the organisation may be a target, determining where the demand for the specific data being stolen originates, and understanding the technical methodology of the attack can all help with an investigation and aid future protection.
Organisations will always be interested in the attribution of an attack or Advanced Persistent Threat (APT), in particular when that attack is targeted at a certain user, a certain job function or the organisation in general. Moreover, when an organisation comes under sustained attack, knowing who the attacker is may help it plan how to protect certain types of data, how to adapt its strategy for dealing with a certain country, or how to conduct a certain project. In extreme cases it may influence a company's expansion into a particular market.
Context will take a wide view of the attack. Some of the clues will be found in the malware: Where was the malware written, and by whom? Where is the command and control infrastructure located? Have we seen samples of the malware elsewhere, on targets where the attacker is already known? But these are clues to attribution, not proof: malware, once public, can be used by anyone, and infrastructure is generally located in countries other than the attacker's own.
Context will also look at the organisation being targeted, to better understand the type of business and activities in which it is engaged, where sensitive business is taking place and what it concerns, who the organisation's competitors are and where they are located, and which individuals have been targeted. More often than not, if the attacker is a nation state, it will be fairly obvious at the end of this process who is responsible and what they want from the target organisation.
In the case of state-sponsored attacks, our extensive experience and intelligence-led approach may allow us to identify the group carrying out the attack, rather than simply the country of origin. Chinese state-sponsored hackers, for example, do not all use the same tools and techniques; there are many different groups with different skillsets and motivations working for different parts of the state apparatus. By studying the actions of these groups, both at first hand and through the findings of other open and closed source reports, we are able to pass on a deeper understanding of their source and purpose.
Context consultants will never tell a client that they understand the ongoing attack against its organisation before they have seen and analysed it. Our consultants understand many different methodologies used by attackers and can often guess who may be responsible for an attack or APT, but we take the time to understand exactly what is going on in each case and collect evidence to support those theories.
We use the kill-chain concept to identify and categorise the different parts of an attack, and to tailor and adapt our Protect advice accordingly. Most attackers will have to carry out most of the steps in the chain in order to execute a successful attack.
Context will brief stakeholders on typical attacks and, once we are in a position to do so, will brief the client on how the attack is taking place on its network.