Use of Cyber Threat Intelligence to Guide Crisis Response: A Checklist for Crisis Teams
Charlie Maclean-Bristol discusses questions you should consider when responding to a cyber-attack, including how the attacker got into your system and their potential motives.
When organizations are the subject of a cyber-attack, many plans I have seen do not include questions or a checklist to remind the crisis team to get information from those managing the technical recovery, including information on the attacker. This could be carried out as part of the technical response team’s recovery actions, but it may not be given the importance and urgency that is required. I also think it is important that crisis teams are aware of cyber threat intelligence, what it is, and how understanding the attacker and their motives can help crisis teams develop their response. It must be noted that not all the answers may be available immediately, but I think crisis teams should press for information as soon as it is available, and even small indicators will help in guiding the response.
So, what are the questions you should be asking?
What was the attack?
There are lots of different types of attacks which may indicate who carried out the attack and what they are trying to achieve. The malware used in the attack may give an indication of the attacker, especially with ransomware, as the malware used may have a fingerprint of a certain gang.
Who has carried out the attack?
Understanding the threat actor can help you to understand the motive of the attacker and perhaps what they are trying to achieve by the attack.
Possible attackers are:
- Cybercriminals – this could be a known criminal gang or an unknown entity that has not been seen before.
- Terrorist groups
- Insider threats
Do we know what the attacker’s motive is or appears to be?
I have not done this list of motives as a table, as the individuals or groups carrying out the attack do not always follow a hard and fast rule. Although you might suggest that cybercriminals are always after money, this is not always the case, as they may be attacking out of revenge or on behalf of a nation-state.
Possible motives include:
- Punishment or revenge
- Spreading disinformation and conspiracies
- Sowing/stirring up discontent
- Cyber warfare/conflict
- Sowing fear
- Disruption of infrastructure
- Because they can, or to show off to others
- Promotion/drawing attention to a cause
- Making a point, e.g., your organization’s security is poor, and it should be improved.
Note: if you get a ransom note, it may be fairly obvious what the attackers’ motive is and who they are.
What was targeted?
Again, what was targeted may give an indication of what the attacker was trying to achieve. A defacement of your website may be the work of a hacktivist, while a ‘man in the middle’ attack is more likely to be an attempt to steal money. If data is stolen, this could be to ransom the data, or the attack could have been carried out by a nation-state.
Is this attack aimed at us or are we collateral damage in a wider attack?
NotPetya, the most damaging cyber-attack ever, was not aimed at the organizations it caused the most damage to, such as Maersk or DLA Piper, as it is alleged that it was a Russian attack on a Ukrainian business. The organizations that were affected by it were mainly collateral damage. If it is only your organization affected by the attack, then the third question – the attacker’s motive and what they were trying to achieve – becomes very important.
How did they get into our system?
If the attack was carried out using a known vulnerability or an unpatched system, then the organization may well be seen as responsible for the attack, and it is harder to defend the organization’s reputation. If the attacker is a nation-state, they often have very skilled cyber personnel and the money, patience, and skills to penetrate most systems. Being attacked by a nation-state is easier to defend reputationally.
What is the attacker’s modus operandi?
If the attacker is one of the known cybercriminal gangs, there is a lot of public information available on who they are: what their motives are, whether they keep their word, and whether they have a standard way of conducting their attacks. If you report your attack to law enforcement, they may be able to give additional confidential information which is not in the public domain. This could include: whether decryption keys are available, whether ransoms have been paid in the past, who they are linked to, and whether there is any chance of law enforcement apprehending them.
How long might they have been in your system?
The longer they have been there, the more likely that data may have been exfiltrated, and the more you may have to explain why your systems didn’t detect them.
What else could be happening and are our initial impressions right?
Cyber-attacks are not always what they seem. The attacker who did it and their motives may seem obvious, but there are many cases of attacking groups making an incident look like one type of attack, or the work of a particular threat actor, and using this as a smokescreen for achieving something else. In the BBC Lazarus Heist Series 2, the Lazarus Group tried to use the code and the coding quirks of a Chinese hacking organization to mask their own involvement in a cyber-attack.
I think educating senior managers and members of the crisis team on the importance of threat intelligence is vitally important. They may not always be aware of the amount of information that is available on cyber-attacks and who is carrying them out. The more they know about who the attacker is, their ways of working, and what they are trying to achieve, the more they can use this information to frame their response. So, in your next exercise or training session, include something on threat intelligence.
This article was originally published by BC Training Ltd.
Charlie Maclean-Bristol is the author of the book Business Continuity Exercises: Quick Exercises to Validate Your Plan.
“Charlie drives home the importance of continuing to identify lessons from real-life incidents and crises, but more importantly how to learn the lessons and bring them into our plans. Running an exercise, no matter how simple, is always an opportunity to learn.” – Deborah Higgins, Head of Cabinet Office, Emergency Planning College, United Kingdom