A guide to Offender Profiling Malicious Actors
At a very high level, the way in which security operations centres (SOCs) work is quite simple. A customer runs an IDS on their network and subscribes to a SOC. When the IDS detects malicious traffic it forwards that data to the SOC, where security analysts review it and decide whether it represents a legitimate attack. This model works really well for getting quick remediation to customers. Its main weakness is that it does not take into account that attacks can be linked: not every attack is a singular entity. That being the case, it’s important to add a means of profiling and cross-referencing these attacks, which can be done by looking at the bigger picture and implementing a profiling framework.
Such offender profiling frameworks can sit alongside SOCs to build insightful information on malicious actors. This helps derive information such as the significance, likelihood, impact and risk of attacks. To understand how this could be used, we can look at an example.
Imagine a Norwegian hacker group that is targeting one of our customers with continuous DoS attacks. We can use offender profiling to analyse when our customer is being targeted the most. From this we might derive that our customer is being targeted between the hours of 1am and 6am on most days. Using this data we can tell our customer to put extra load balancers in place at that time. In turn we have used offender profiling to implement preemptive security for our customer: a little work and research now helps protect them in the long run.
There are a myriad of ways in which offender profiling can be performed, ranging from industry-recognised tools like the Cyber Kill Chain® and the Diamond Model to in-house tools. As well as these, there are a handful of frameworks out there for this very purpose.
Over the past year I have created one such framework. It is broken into seven modules that can be used one at a time or all together. The purpose of the framework is to create a bigger picture of an attack by allowing attacks to be cross-referenced and attack data to be accumulated.
As stated, there are seven modules in this framework that can be used in a variety of situations. Below I’ve taken one of these modules to describe in further detail. If you’re interested in the remaining modules you can download the framework with the link to the right.
Attack Significance Plotting
The first module in this framework looks at the significance of attacks, which is derived from longevity: the longer an attack goes on, the more significant it is. This is not always the case, but it is a good baseline. A time-frame is set, which can be months, weeks, days, hours, etc. If multiple events occur within a time-frame the significance increases; if no events occur in a time-frame the significance decreases. This produces peaks and troughs where attacks have occurred, as seen in the example below.
Taking this attack significance data, multiple attacks and malicious actors can be cross-examined (as seen above). This allows patterns to be derived from the data. In turn we can start looking at the bigger picture of this malicious actor and understand that most, if not all, of their attacks are linked in some manner.
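To make the significance-plotting module concrete, here is an added example that is not part of the author's framework or its download: it implements the rule described above (each event in a time-frame raises the score, an empty frame lowers it towards a floor), computes one series per actor, and then cross-references the actors by finding the frames in which more than one of them is active. The alert timestamps, actor labels, window and frame size are all constructed values chosen for illustration; the gain, decay and floor parameters are my own assumptions, since the article leaves the exact weighting to the analyst.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS alerts for two hypothetical actors: (timestamp, actor label).
# These are made-up values for illustration, not real attack data.
SAMPLE_ALERTS = [
    ("2023-03-01T01:10:00", "actor-A"),
    ("2023-03-01T02:45:00", "actor-A"),
    ("2023-03-02T01:30:00", "actor-A"),
    ("2023-03-04T03:00:00", "actor-A"),
    ("2023-03-01T14:00:00", "actor-B"),
    ("2023-03-05T15:20:00", "actor-B"),
]

# Analysis window and time-frame size (assumed; the article leaves these to the analyst).
START = datetime(2023, 3, 1)
END = datetime(2023, 3, 6)
FRAME = timedelta(days=1)


def significance_series(timestamps, start, end, frame, gain=1.0, decay=1.0, floor=0.0):
    """Return [(frame_start, score), ...] over fixed time-frames.

    Every event inside a frame adds `gain`; a frame with no events subtracts
    `decay`, never dropping below `floor`. Sustained activity therefore builds
    a peak and silence produces a trough, which is the behaviour the module describes.
    """
    counts = defaultdict(int)
    for ts in timestamps:
        if start <= ts < end:
            counts[(ts - start) // frame] += 1  # timedelta // timedelta gives the frame index
    n_frames = math.ceil((end - start) / frame)
    series, score = [], 0.0
    for i in range(n_frames):
        hits = counts.get(i, 0)
        score = score + gain * hits if hits else max(floor, score - decay)
        series.append((start + i * frame, score))
    return series


def profile_actors(alerts, start, end, frame):
    """Group alerts by actor and compute one significance series per actor."""
    per_actor = defaultdict(list)
    for raw_ts, actor in alerts:
        per_actor[actor].append(datetime.fromisoformat(raw_ts))
    return {actor: significance_series(ts, start, end, frame) for actor, ts in per_actor.items()}


def scores(series):
    """Strip the frame starts, leaving the bare score curve (what you would plot)."""
    return [score for _, score in series]


def peak_frames(series):
    """Frame starts whose score is strictly higher than both neighbours (edges compare to one side)."""
    vals = scores(series)
    peaks = []
    for i, v in enumerate(vals):
        left = vals[i - 1] if i > 0 else float("-inf")
        right = vals[i + 1] if i + 1 < len(vals) else float("-inf")
        if v > left and v > right:
            peaks.append(series[i][0])
    return peaks


def coactive_frames(profiles, threshold=0.0):
    """Frames in which more than one actor carries significance above `threshold`.

    This is the cross-referencing step: overlapping activity is where an analyst
    would start asking whether separate alerts belong to one linked campaign.
    """
    all_series = list(profiles.values())
    if not all_series:
        return []
    result = []
    for i in range(len(all_series[0])):
        active = sum(1 for s in all_series if s[i][1] > threshold)
        if active > 1:
            result.append(all_series[0][i][0])
    return result


def build_demo_profiles():
    """Run the pipeline on the constructed alerts with the constants above."""
    return profile_actors(SAMPLE_ALERTS, START, END, FRAME)


if __name__ == "__main__":
    profiles = build_demo_profiles()
    for actor, series in sorted(profiles.items()):
        peaks = [d.date().isoformat() for d in peak_frames(series)]
        print(actor, scores(series), "peaks:", peaks)
    print("co-active frames:", [d.date().isoformat() for d in coactive_frames(profiles)])
```

With daily frames, actor-A's curve rises on the two days it is active, dips on the quiet day between them and rises again, giving the peaks and troughs the module is designed to surface; actor-B only registers on the first and last day. The co-active frames are the two days on which both actors score above zero, which is the starting point for asking whether those alerts are related rather than treating each one as a singular event. Shrinking the frame to hours would turn the same data into a view of which hours of the day an actor favours, the kind of observation the load-balancer example above relies on.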