Profiling and Cyber Threat Intelligence — 2

Robindimyan
Dec 23, 2021


Let’s continue where we left off.

The incident has already happened, and you did not have this information at the time, so you could not warn your customer. Does that actually matter? Contrary to popular belief, most of the time it does not. If your intelligence strategy rests on catching “I LOVE CA$H KA-CHING!!” themed posts made by criminals on Facebook, the problem existed from the very beginning.

Strategy is nothing like that

But even after the incident there are things you can do to produce predictive intelligence. In fact, the most important steps happen precisely at this stage: the information obtained from post-mortem analysis is what forms the basis of predictive intelligence.

So you have found out that there was an incident; what is the first step? First, the details of the incident must be investigated and descriptive intelligence produced. In this step, answers are generally sought to six questions: what happened, what was targeted, who did it, when it happened, how it was done and why it was done. That is the 5W1H. The what, how and why questions are the most important ones, and it is necessary to gather as much detail as possible on the how in particular.

Answering the who question may not be possible in every situation. But “who” does not necessarily mean the identity of a real person. It could be a nickname, a classification, or even just a tag you assigned yourself. I will describe how that is used in another article.

A comprehensive descriptive intelligence report should contain at least the following information:

  • Answers to the 5W1H questions
  • Detailed steps of the attack (kill chain, TTPs, etc.)
  • Events before and after the incident

A report prepared in this way will provide a good basis for predictive intelligence.

In the second step, this incident should be associated with other similar incidents. How a similarity relationship is established depends on what you are investigating. An association can be made over the characteristics of the victim (country, industry, company). If the perpetrator of the attack is known, a relationship can be established through the perpetrator. Relationships can also be established through the type of attack and other similarities in its anatomy (TTPs, IOCs, etc.).

As an example, the figure below shows a set of interrelated cases.

source: https://twitter.com/issuemakerslab/status/1303284096622239752

Continuing with our own example, an association study can be carried out using the following parameters:

  • Other attacks by the same perpetrator (regardless of method and target)
  • Other attacks targeting cryptocurrency users (regardless of perpetrator and method)
  • Other attacks using SIM card cloning method (regardless of perpetrator and target)

Depending on which parameter you pivot on, the information you get will also differ. At this stage it is useful to get an opinion from an analyst who specializes in the actor, region or sector you are investigating. For example, an analyst specializing in the Emotet gang, the APAC region, or the banking industry can contribute information and insights on that subject that you may not get from open sources.
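To make the point concrete that the pivot parameter changes what comes back, here is a small association step in Python. This is an added example, not code from the original post; the five cases, their tags and actor labels are constructed for illustration and do not describe real incidents. The case labelled c1 plays the role of the SIM-cloning incident from the text, and the three pivots (actor, target, method) mirror the three parameters listed above. A TTP-overlap score (Jaccard similarity over free-form tags) is added as a fourth, fuzzier pivot, since real cases rarely share an exact method string.

```python
"""Pivoting a set of descriptive-intelligence records on one attribute at a time.

Added example, not from the original article. All case data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    case_id: str
    actor: str        # "who": a nickname, cluster label, or a tag you assigned yourself
    target: str       # "what was targeted"
    method: str       # "how", at the coarse level used for association
    ttps: frozenset   # finer-grained "how": free-form technique tags (constructed here)
    when: str         # "when", kept as a year-month string for brevity


# Constructed cases; c1 stands in for the SIM-cloning incident discussed in the text.
CASES = [
    Case("c1", "actor-A", "crypto-exchange users", "sim-clone",
         frozenset({"sim-clone", "account-takeover", "leaked-pii"}), "2021-09"),
    Case("c2", "actor-A", "online-banking users", "phishing",
         frozenset({"credential-phish", "account-takeover"}), "2021-06"),
    Case("c3", "actor-B", "crypto-exchange users", "phishing-site",
         frozenset({"credential-phish", "fake-exchange-site", "wallet-drain"}), "2021-08"),
    Case("c4", "actor-C", "bank-account holders", "sim-clone",
         frozenset({"sim-clone", "account-takeover", "2fa-bypass"}), "2021-07"),
    Case("c5", "actor-D", "crypto-exchange users", "malware",
         frozenset({"infostealer", "wallet-drain"}), "2021-05"),
]


def associate(cases, anchor, key):
    """Return the other cases that share `anchor`'s value for attribute `key`.

    `key` is one of the exact-match pivots: "actor", "target" or "method".
    """
    value = getattr(anchor, key)
    return [c for c in cases if c is not anchor and getattr(c, key) == value]


def pivot_all(cases, anchor, keys=("actor", "target", "method")):
    """Run every exact-match pivot and return {pivot: [case ids]}.

    Seeing all three side by side is the point: each pivot yields a different
    cluster, so the choice of pivot decides which "similar" cases you will study.
    """
    return {k: [c.case_id for c in associate(cases, anchor, k)] for k in keys}


def ttp_similarity(a, b):
    """Jaccard overlap of two cases' TTP tag sets, in [0, 1]."""
    union = a.ttps | b.ttps
    return len(a.ttps & b.ttps) / len(union) if union else 0.0


def rank_by_ttp(cases, anchor, threshold=0.0):
    """Rank the other cases by TTP overlap with `anchor`, dropping those at or below `threshold`.

    Returns [(score, case_id), ...] sorted from most to least similar.
    """
    scored = [(round(ttp_similarity(anchor, c), 2), c.case_id) for c in cases if c is not anchor]
    return sorted((s for s in scored if s[0] > threshold), key=lambda t: -t[0])


if __name__ == "__main__":
    anchor = CASES[0]
    for pivot, ids in pivot_all(CASES, anchor).items():
        print(f"pivot on {pivot:7s}: {ids}")
    print("ranked by TTP overlap:", rank_by_ttp(CASES, anchor))
```

Pivoting c1 on the actor returns only c2 (a phishing campaign against a different sector), on the target returns c3 and c5 (other attacks on exchange users by different actors), and on the method returns c4 (SIM cloning against bank customers). The TTP ranking puts c4 first and c2 second, which is the kind of "same anatomy, different victim" link the text is after; the tags, thresholds and rounding are choices made for this example, not a standard.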

In the third step, this set of cases needs to be analyzed and generalized by induction. Hypothesis generation and analysis is a detailed topic that deserves its own article. But the most important thing to keep in mind is this: by the nature of the work, we can never perform a formal induction, only an informal one. Therefore our hypotheses always rest on assumptions. Every hypothesis contains at least one assumption, and making those assumptions explicit is an important part of the analysis.

In our example, after the description, association and analysis phases, suppose we arrive at the following information about the case:

  • The incident was the organized work of more than one person with different skills. Each of these individuals had previously carried out independent actions, but no evidence was found that they had operated together before. So for now, this is the only activity they are known to have carried out together.
  • Cryptocurrency users face many types of threats: phishing sites, malware, and more traditional phishing attacks, among others. Hijacking accounts through SIM card cloning is less common than the other attack methods.
  • In the investigated case, it was claimed that, in addition to SIM cloning, leaked data containing the name, phone number and balance of crypto exchange users was used. Given the number of users affected by the attack, this claim is likely to be true.
  • Apart from this case, SIM card cloning is a frequently used method for robbing bank accounts. Someone who holds the details of a bank account they want to rob can hand that information to someone offering a “2FA bypass” service and have the balance stolen in return for a commission.

In the third part, I will explain how we can produce predictive intelligence from this information, how we can determine indicators, and how to make predictions using them.

See you in the next chapter.
