
Table 1 Classes of information, derived from artifacts from various sources and an estimation of the trustworthiness of this information for attribution

From: Under false flag: using technical artifacts for cyber attack attribution

| Type of information for attribution | Sources of artifacts | Trustworthiness |
|---|---|---|
| (T1) General TTPs (typical modus operandi) in a step-wise attack. This includes pattern-of-life, focus on certain services/applications, usage of zero-day exploits, etc. For instance, one group may be proficient in developing browser exploits and deploying them in watering-hole attacks; another may focus more on social engineering attacks. | API monitoring, application logs, authentication logs, DLL monitoring, DNS records, e-mail gateway, file monitoring, HIDS, kernel driver, netflows, network device logs, NIDS, packet captures, PowerShell logs, process command line parameters, process monitoring, SSL/TLS inspection, Web logs, Windows registry. | 4.2 (0.7) |
| (T2) Software tools frequently used (related to TTPs). Note that this is a highly controversial topic. On the one hand, attacker groups tend to reuse tools they know well, so the set of tools used and their combination may characterize attackers. On the other hand, tools are also picked depending on the target infrastructure in order to reach a specific goal and thus may look different for the same group across different targets. | API monitoring, application logs, binary file metadata, disk forensics, file monitoring, HIDS, kernel driver, process monitoring, Web logs, Windows registry. | 3.1 (0.5) |
| (T3) Phishing attempts in the form of e-mails, social networking, messengers, and therein certain spellings, word usage, grammar mistakes, writing styles, etc. | E-mail gateway, social networking sites/crawlers, Web proxy, malware analysis. | 2.1 (0.9) |
| (T4) Identities, pseudonyms and personas, potentially re-used from previous attacks. | E-mail gateway, social networking sites, Web proxy, numerous messenger services, payment/billing information from providers. | 3.2 (1.8) |
| (T5) Cloud services and C2 infrastructure used, including re-use of domains and usage of certain botnets. | Authentication logs, DNS records, server logs, payment information from cloud provider. | 4.6 (0.4) |
| (T6) DNS patterns, such as registration information and parked domains (A records) that are quickly changed during an attack; passive DNS data (Bilge et al. 2011). | DNS records, payment information from cloud provider, passive DNS service. | 4.4 (0.5) |
| (T7) Local malware and its properties, such as compiler language, programming language, compile time, libraries used, keyboard layout, etc. | Malware reverse engineering. | 2.3 (1.3) |
| (T8) Traces in the darknet consistent with technical artifacts, e.g., attempts in forums to acquire zero-day exploits, hire a hacker or rent a service in the planning phase, or even the attempt to sell confidential information after a successful breach. Typical traces: usernames, bitcoin wallets, etc. | Forum/board entries gathered through "spiders" and mining (Nunes et al. 2016). | 1.2 (2.1) |
| (T9) Encounters in the real world, e.g., blackmailing of employees, political statements, verbal threats, baiting, physical security breaches, etc. | Monitoring of news feeds and analysis for keywords. | 3.3 (1.2) |
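Row T6 lists passive DNS data as a source for spotting A records that are changed quickly during an attack. As an added illustration (not code from the paper or its authors), the following script shows how a defender could turn a passive DNS feed into such an artifact: it groups observations by domain, counts A-record changes, and flags domains whose records churn more than a threshold number of times inside a sliding window. The passive DNS records, the one-hour window and the threshold of three changes are all constructed assumptions for this example, not values from the paper.

```python
"""
Added example (not from the paper): flag domains whose A records churn
rapidly, as described in row T6 of the table. The input records are
constructed passive-DNS-style observations (timestamp, domain, A record);
the window and threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: one domain changes its A record every few
# minutes, one is stable, and one changes slowly over weeks.
PASSIVE_DNS = [
    ("2024-03-01T10:00:00", "login-portal.example", "198.51.100.10"),
    ("2024-03-01T10:07:00", "login-portal.example", "198.51.100.23"),
    ("2024-03-01T10:15:00", "login-portal.example", "203.0.113.5"),
    ("2024-03-01T10:21:00", "login-portal.example", "203.0.113.77"),
    ("2024-03-01T10:30:00", "login-portal.example", "198.51.100.10"),
    ("2024-03-01T09:00:00", "www.example", "192.0.2.1"),
    ("2024-03-01T12:00:00", "www.example", "192.0.2.1"),
    ("2024-03-02T12:00:00", "www.example", "192.0.2.1"),
    ("2024-02-01T08:00:00", "cdn.example", "192.0.2.40"),
    ("2024-02-20T08:00:00", "cdn.example", "192.0.2.41"),
    ("2024-03-05T08:00:00", "cdn.example", "192.0.2.42"),
]


def record_changes(records):
    """Group observations by domain and list every A-record change.

    Returns {domain: [(time, old_rdata, new_rdata), ...]} in time order.
    Repeated observations of the same value are not counted as changes.
    """
    by_domain = defaultdict(list)
    for ts, name, rdata in records:
        by_domain[name].append((datetime.fromisoformat(ts), rdata))
    changes = {}
    for name, obs in by_domain.items():
        obs.sort()
        changes[name] = []
        prev = None
        for t, rdata in obs:
            if prev is not None and rdata != prev:
                changes[name].append((t, prev, rdata))
            prev = rdata
    return changes


def churn_score(records, window=timedelta(hours=1), min_changes=3):
    """Score each domain by the largest number of A-record changes that
    fall inside any window of the given length.

    Returns (scores, flagged) where scores is {domain: max changes per
    window} and flagged is the sorted list of domains at or above
    min_changes. The window and threshold are assumed tuning values.
    """
    scores = {}
    for name, changes in record_changes(records).items():
        times = [t for t, _, _ in changes]
        best = 0
        for i, start in enumerate(times):
            # Count changes that start at this change and stay within the window.
            n = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, n)
        scores[name] = best
    flagged = sorted(n for n, s in scores.items() if s >= min_changes)
    return scores, flagged


if __name__ == "__main__":
    scores, flagged = churn_score(PASSIVE_DNS)
    for name, score in sorted(scores.items()):
        print(f"{name:25s} max changes/hour = {score}")
    print("flagged:", flagged)
```

The stable and slowly rotating domains score 0 and 1 respectively, while the constructed portal domain, which changes four times within half an hour, is the only one flagged. In practice the window and threshold would be tuned against the baseline of legitimate round-robin or CDN behaviour seen in the organisation's own passive DNS data, and the flagged domains would then be cross-checked against registration and payment artifacts as the table suggests.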