How to Identify the Behavior of Cyber Adversaries?
Risk And Compliance - April 08, 2022
Early identification of security breaches and accurate forecasting of how an attack will
progress are critical to an effective and timely response. The progression of an attack is
determined by the attacker's next moves, objectives, and motivation, i.e., the "profile" that
characterizes the adversary's behavior in the system. Typically, an "attacker profile" is a
collection of an attacker's characteristics, both internal, such as motivations and abilities,
and external, such as funding and the tools employed. Building the attacker's profile helps
determine the type of adversary and the complexity of the response required, and can ease
attribution during security incident investigations. This blog aims to identify the behavior of
cyber adversaries by understanding the motivation behind an attack through the attacker profile,
and by exploring the different stages of a cyber-attack. We then look at some of the available
tools and techniques that can help identify the perpetrators and discuss the challenges
associated with identifying malicious actors.
Understanding the Attacker: The Attacker Profile
Attackers, or cyber threat actors, can be classified according to their objectives,
motivations, and capabilities. This gives a better understanding of who they are and why they
attack, and helps in drawing up suitable defense plans. The main types of cyber attackers are:
1. Cybercriminals
The substantial surge in ransomware attacks over the last five years is often linked to
cyber-criminal groups that also engage in other forms of crime for profit. They are also behind
much of the growth of bots and botnets, in which infected endpoints are controlled collectively
from a command-and-control (C&C) server.
2. State-Affiliated Organizations
High-profile attacks on infrastructure, governments, voting systems and big enterprises are
frequently perpetrated by state-sponsored groups. These nation-state-sponsored attackers are
motivated by political considerations and are frequently organized to influence or destabilize
confidence in a social, political, or economic system.
3. Hacktivists
Hacktivist groups stage high-profile attacks in order to bring attention to their political or
social causes. They frequently seek public recognition or notoriety to draw attention to their
particular cause.
4. Cyber Terrorists
Cyber-terrorist acts are frequently linked to states. Cyber-terrorists frequently target power
grids and other critical infrastructure; the shutdown of part of the Ukrainian power grid by
Russian attackers in December 2015 is a commonly cited example.
5. Script Kiddies
The term "script kiddie" refers to inexperienced attackers who make use of publicly available
attack tools without fully comprehending the consequences of their actions.
6. Insider Threat
An insider threat is a threat to an organization's security or data that originates from inside
the organization. These threats most frequently come from current or former employees, but they
can also come from third parties with legitimate access, such as contractors, temporary workers,
or customers.
Understanding Cyber Attack Stages
Cyberattack stages can help us understand the mediums utilized by the cyber adversaries to lure
and attack their victims. This helps us throw light on the attacker’s motivation by exploring
the mediums and stages of operation.
Generally, cyberattacks fall into two categories: targeted and untargeted. In a targeted attack
an organization is singled out because the attacker has a particular interest in it or its
industry, or has been paid to attack it. The approach may involve sending emails to specific
people that contain malicious attachments. In an untargeted attack, attackers go after as many
devices, services, or users as possible, indiscriminately. They are unconcerned with the identity
of the victim, since there will always be a large number of vulnerable devices or services.
Examples include sending emails to a huge number of people requesting sensitive information
(such as bank account details) or enticing them to visit a bogus website.
Regardless of whether an attack is targeted or untargeted, and whether the attacker uses
commodity or bespoke tools, cyberattacks follow a similar path. An attack, especially one
launched by a determined adversary, may repeat stages: the attacker is effectively probing the
organization's defenses for vulnerabilities that, if exploited, bring them closer to their
objective. Understanding these stages helps you defend against them.
In most cyber-attacks, there are four distinct stages:
Survey - During the survey stage, attackers use every available means to identify
technological, policy, or physical weaknesses they may exploit. They rely on open sources such
as LinkedIn, Facebook and other social media, domain name registration records and search
engines, and they collect and analyze information about the organization's systems, security
controls, and staff using commodity toolkits and conventional network scanning tools.
Delivery - During the delivery stage, the attacker attempts to get into a position to exploit
a vulnerability they have found or believe may exist, for example by sending a phishing email
with a malicious attachment or by luring the target to a website that serves malware.
Breach - During the breach stage, the attacker exploits the vulnerability (or vulnerabilities)
to gain some form of unauthorized access.
Affect - During this stage, the attacker explores your systems, obtains additional access, and
establishes a persistent presence (a process referred to as consolidation). Taking over a
legitimate user's account is a common way to secure that persistence. With administrative
access to just one system, they can install automated scanning tools to map the network and
take control of additional systems.
Tools and Techniques to Identify Cyberattacks
Cybercrime investigators can do cyber attribution (processes that help us track and identify the
cyber attacker) using a variety of diverse, specialized approaches. However, decisive and
precise cyber attribution is not always attainable.
To gather essential information regarding assaults, investigators employ analytic tools,
scripts, and algorithms. Cybercrime investigators frequently unearth information regarding the
programming language and associated data, such as the info about compilers, the compilation
time, the libraries utilized, and the sequence in which actions connected to a cyberattack were
executed. For instance, if investigators find that a piece of malware was built using a Chinese,
Russian, or another language keyboard layout, this information might aid in narrowing down cyber
Cyber attribution investigators also examine any metadata associated with the attack. Metadata
such as source IP addresses, email headers, hosting platforms, domain names, and domain
registration data from third-party sources may help establish attribution, because attack
infrastructure usually has to communicate with systems outside the victim's network and those
external touchpoints leave traces. However, these data points can also be fabricated, or belong
to an intermediate victim rather than the attacker.
Additionally, investigators may correlate metadata gathered from several attacks against
different organizations. Indicators that recur across incidents, including fabricated details an
attacker reuses out of habit, allow specialists to cluster activity and draw conclusions from
it. For instance, security experts may be able to
track down an anonymous email address used in an attack and attribute it to the attacker based
on domain names used in the assault that was previously recognized as being used by a particular
Investigators might also examine the tactics, techniques, and procedures (TTPs) used in an
attack, as cyber-attackers frequently have distinct styles. Investigators are occasionally able
to identify culprits from attack patterns such as social engineering methods (tactics where
attackers exploit natural human inclinations rather than the software; it is much easier to fool
someone into handing over their password than to crack it) or the reuse of malware from previous
operations (the majority of new malware reuses large portions of earlier malware's source code
with minor modifications and additions).
Some of the more specific cyber attribution techniques are:
1. Prediction of Attacker Behavior Using Attack Graphs
The building and implementation of attack graphs to predict and forecast attacks is an
extensively utilized technique. In general, an attack graph is a collection of connected nodes
that reflect the assailant's objectives and actions. Typically, the attack graph is constructed
by analysis and examination of the network's topology, vulnerability assessment, and software
and hardware configuration assessment. As a result, it demonstrates the relationship between
vulnerabilities and the system's overall security status. In most circumstances, the model of
the attacker is characterized by two critical characteristics: capabilities and location.
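As an added illustration (example code written for this article, not a tool from the original post), the following Python builds a small attack graph over a constructed five-host network and a set of hypothetical exploits; the host names, the firewall reachability table and the exploit labels are assumptions, not real vulnerabilities. Attacker states are (host, privilege) pairs, so the graph captures exactly the two characteristics named above, location and capability. A breadth-first search returns the shortest exploit chain to domain admin, and a second pass finds the exploits whose removal alone cuts every path, which is the defender's prioritisation question.

```python
from collections import deque

# Constructed environment (assumption): which hosts may open connections to which,
# per an assumed firewall policy. A host always "reaches" itself, which is what a
# local privilege escalation needs.
REACHABLE = {
    "internet": {"web"},
    "web": {"web", "app", "db"},
    "app": {"app", "db", "dc"},
    "db": {"db"},
    "dc": {"dc"},
}

# Privilege levels the attacker can hold on a host, ordered low to high.
RANK = {"none": 0, "user": 1, "root": 2, "admin": 2}

# Hypothetical exploits (illustrative labels, not real CVEs). Each entry is
# (name, target host, privilege gained there,
#  minimum privilege needed on the host the attacker acts from, local-only?).
EXPLOITS = [
    ("web-rce",        "web", "user",  "none", False),
    ("web-privesc",    "web", "root",  "user", True),
    ("app-ssrf",       "app", "user",  "user", False),
    ("app-cred-reuse", "app", "user",  "root", False),
    ("db-weak-pass",   "db",  "user",  "user", False),
    ("dc-unpatched",   "dc",  "admin", "user", False),
]


def successors(state, exploits):
    """Attacker states reachable in one step from state = (host, privilege)."""
    host, priv = state
    for name, target, gain, required, local in exploits:
        if local and host != target:
            continue                      # local exploits run on the host itself
        if target not in REACHABLE[host]:
            continue                      # no network path from here
        if RANK[priv] < RANK[required]:
            continue                      # not enough privilege to use it
        yield name, (target, gain)


def shortest_attack_path(start=("internet", "none"), goal=("dc", "admin"),
                         exploits=EXPLOITS):
    """Breadth-first search over attacker states. Returns the exploit names of a
    shortest path from start to goal, or None if the goal is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == goal:
            path = []
            while parent[state] is not None:
                name, state = parent[state]
                path.append(name)
            return path[::-1]
        for name, nxt in successors(state, exploits):
            if nxt not in parent:
                parent[nxt] = (name, state)
                queue.append(nxt)
    return None


def single_point_fixes(exploits=EXPLOITS, goal=("dc", "admin")):
    """Exploits whose removal alone cuts every path to the goal: patch these first.
    Removing any other exploit still leaves the attacker an alternative route."""
    fixes = []
    for name, *_ in exploits:
        remaining = [e for e in exploits if e[0] != name]
        if shortest_attack_path(goal=goal, exploits=remaining) is None:
            fixes.append(name)
    return fixes


if __name__ == "__main__":
    print("shortest path to domain admin:", shortest_attack_path())
    print("single-point fixes:", single_point_fixes())
```

On this constructed network the shortest chain is the web RCE, the SSRF into the application tier, and the unpatched domain controller; the local privilege escalation and the credential reuse form a longer alternative, so only the first and last links are single-point fixes. Real attack-graph tools derive the exploit table from a vulnerability scanner and the reachability table from firewall and routing configuration; the search is the same.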
2. Prediction of Attacker Behavior Using a Hidden Markov Model
Markov-based approaches are similar to attack tree models. They are formed from system states
and the transitions between them that occur as a result of events. Each transition has a
probability that depends only on the two states involved: the state of the process at the next
point in time is determined solely by its current state, not by the earlier history (the Markov
property). In a hidden Markov model the attack stage itself is not directly observable; it is
inferred from the observable events it produces, such as alerts and log entries, each of which
has a probability of being emitted in a given stage.
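The following added example (not from the original post) shows what such a model looks like in practice: the four attack stages described earlier are the hidden states, alert categories from a SIEM are the observations, and Viterbi decoding recovers the most likely stage sequence behind a run of alerts. The start, transition and emission probabilities and the alert categories are illustrative assumptions, not values learned from real incidents; a real deployment would estimate them from labelled cases.

```python
import math

# Hidden states: the four attack stages used in this post.
STATES = ["survey", "delivery", "breach", "affect"]

# Alert categories a SIEM might emit (constructed for the example).
ALERTS = ["port_scan", "phishing_email", "exploit_signature", "new_admin_account", "benign"]

# All probabilities below are illustrative assumptions chosen for the example,
# not values learned from real incident data. Each row sums to 1.
START = {"survey": 0.70, "delivery": 0.20, "breach": 0.05, "affect": 0.05}

TRANS = {  # P(next stage | current stage)
    "survey":   {"survey": 0.60, "delivery": 0.30, "breach": 0.08, "affect": 0.02},
    "delivery": {"survey": 0.10, "delivery": 0.50, "breach": 0.35, "affect": 0.05},
    "breach":   {"survey": 0.05, "delivery": 0.10, "breach": 0.45, "affect": 0.40},
    "affect":   {"survey": 0.02, "delivery": 0.03, "breach": 0.15, "affect": 0.80},
}

EMIT = {  # P(alert | stage)
    "survey":   {"port_scan": 0.50, "phishing_email": 0.05, "exploit_signature": 0.05, "new_admin_account": 0.01, "benign": 0.39},
    "delivery": {"port_scan": 0.10, "phishing_email": 0.50, "exploit_signature": 0.10, "new_admin_account": 0.01, "benign": 0.29},
    "breach":   {"port_scan": 0.05, "phishing_email": 0.10, "exploit_signature": 0.50, "new_admin_account": 0.10, "benign": 0.25},
    "affect":   {"port_scan": 0.10, "phishing_email": 0.02, "exploit_signature": 0.10, "new_admin_account": 0.50, "benign": 0.28},
}

# Constructed alert sequence for one host, oldest first.
SAMPLE_ALERTS = ["port_scan", "port_scan", "phishing_email",
                 "exploit_signature", "new_admin_account"]


def viterbi(observations, start=START, trans=TRANS, emit=EMIT):
    """Most likely sequence of hidden stages for the observed alerts (Viterbi
    decoding). Works in log space so long sequences do not underflow.
    Returns (stage list, log-probability of that path)."""
    unknown = [o for o in observations if o not in ALERTS]
    if unknown:
        raise ValueError(f"unknown alert types: {unknown}")
    if not observations:
        return [], 0.0
    # score[t][s]: best log-probability of any stage path ending in s at step t
    score = [{s: math.log(start[s]) + math.log(emit[s][observations[0]]) for s in STATES}]
    back = [{}]  # back[t][s]: predecessor stage on that best path
    for t in range(1, len(observations)):
        score.append({})
        back.append({})
        for s in STATES:
            prev, best = max(
                ((p, score[t - 1][p] + math.log(trans[p][s])) for p in STATES),
                key=lambda item: item[1],
            )
            score[t][s] = best + math.log(emit[s][observations[t]])
            back[t][s] = prev
    last = max(STATES, key=lambda s: score[-1][s])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return path[::-1], score[-1][last]


def next_stage_distribution(observations, trans=TRANS):
    """Forecast: probability of each stage at the next step, given the decoded
    current stage. This is what a responder wants when deciding where to look next."""
    path, _ = viterbi(observations, trans=trans)
    if not path:
        return dict(START)
    return dict(trans[path[-1]])


if __name__ == "__main__":
    stages, logp = viterbi(SAMPLE_ALERTS)
    for alert, stage in zip(SAMPLE_ALERTS, stages):
        print(f"{alert:20s} -> {stage}")
    print("log P(best path) =", round(logp, 3))
    print("next stage forecast:", next_stage_distribution(SAMPLE_ALERTS))
```

Note that the decoder never sees the "port_scan" alert as proof of the survey stage on its own; it weighs it against the cost of the transitions, which is why a single odd alert in an otherwise quiet sequence does not flip the decoded stage.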
3. Pattern Recognition of Attacker Behavior Using Fuzzy Inference
The advantage of fuzzy logic techniques is their capacity to work in the face of ambiguity. In
many instances, fuzzy logic is employed to generate an approximate description of the
characteristics that represent either benign or malicious behavior. For instance, in the
fuzzification process, the metrics characterizing the TCP service channel between two IP
endpoints, such as connection count, uniqueness, and variance, are mapped to degrees of
membership in linguistic sets such as "low" and "high", and a rule base then combines them.
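An added example (example code, not part of the original post) of the fuzzification and rule evaluation just described, applied to the three channel metrics named above. The connection records, the membership thresholds and the rule base are all constructed assumptions; the point is that a scanner and a beacon reach the same "suspicious" verdict through different rules, while a borderline channel lands in the middle instead of being forced to one side.

```python
import statistics

# Constructed connection records (assumption, not real traffic):
# (timestamp in seconds, source IP, destination IP, destination port)
SCAN_RECORDS = [(0.1 * i, "10.0.0.9", "10.0.0.20", 1000 + i) for i in range(100)]
BEACON_RECORDS = [(60.0 * i, "10.0.0.5", "203.0.113.7", 443) for i in range(60)]
NORMAL_RECORDS = [(0.0, "10.0.0.3", "10.0.0.20", 443),
                  (45.0, "10.0.0.3", "10.0.0.20", 443),
                  (300.0, "10.0.0.3", "10.0.0.20", 80)]


def channel_metrics(records):
    """Metrics for one source->destination channel: connection count, uniqueness
    (distinct destination ports per connection) and variance (coefficient of
    variation of the inter-arrival times; 0 means perfectly regular)."""
    if not records:
        return 0, 0.0, 0.0
    times = sorted(r[0] for r in records)
    count = len(records)
    uniqueness = len({r[3] for r in records}) / count
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        variance = 0.0
    else:
        variance = statistics.pstdev(gaps) / statistics.mean(gaps)
    return count, uniqueness, variance


def ramp_up(x, lo, hi):
    """Degree to which x is 'high': 0 at or below lo, 1 at or above hi."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def ramp_down(x, lo, hi):
    """Degree to which x is 'low': the complement of ramp_up."""
    return 1.0 - ramp_up(x, lo, hi)


def fuzzify(count, uniqueness, variance):
    """Map crisp metrics to memberships. Thresholds are assumptions for the example;
    in practice they are tuned per network."""
    return {
        "count_high": ramp_up(count, 5, 50), "count_low": ramp_down(count, 5, 50),
        "uniq_high": ramp_up(uniqueness, 0.1, 0.6), "uniq_low": ramp_down(uniqueness, 0.1, 0.6),
        "var_high": ramp_up(variance, 0.1, 1.0), "var_low": ramp_down(variance, 0.1, 1.0),
    }


# Rule base: antecedents are combined with AND (minimum); each rule votes for an
# output label, and the labels are defuzzified with fixed centroids.
CENTROID = {"suspicious": 0.9, "review": 0.5, "benign": 0.1}
RULES = [
    (("count_high", "uniq_high"), "suspicious"),            # many connections, many ports: scan
    (("count_high", "uniq_low", "var_low"), "suspicious"),  # regular, same port: beaconing
    (("count_high", "uniq_low", "var_high"), "review"),     # busy but irregular: chatty app?
    (("count_low",), "benign"),                             # too little traffic to judge
]


def fuzzy_score(count, uniqueness, variance):
    """Weighted-average defuzzification. Returns (score in [0, 1], label)."""
    m = fuzzify(count, uniqueness, variance)
    fired = [(min(m[a] for a in antecedent), label) for antecedent, label in RULES]
    total = sum(w for w, _ in fired)
    if total == 0:
        return 0.5, "review"
    score = sum(w * CENTROID[label] for w, label in fired) / total
    label = "suspicious" if score >= 0.7 else "benign" if score <= 0.3 else "review"
    return score, label


if __name__ == "__main__":
    for name, recs in [("scan", SCAN_RECORDS), ("beacon", BEACON_RECORDS), ("normal", NORMAL_RECORDS)]:
        metrics = channel_metrics(recs)
        print(name, [round(v, 3) for v in metrics], fuzzy_score(*metrics))
    print("borderline", fuzzy_score(20, 0.35, 0.5))
```

The borderline call (20 connections, moderate port spread, moderate timing jitter) partially fires every rule and averages out to 0.5, which is the behaviour the text attributes to fuzzy methods: ambiguity is carried through to the output rather than resolved by a hard threshold on each metric.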
4. Assigning Responsibility for Cyber Attacks
Attack attribution means determining the originator of an attack based on behavioral clues.
Combinations of behaviors and other signs of harmful conduct are referred to as behavioral
indicators. These indicators may be atomic or computed. Atomic indicators are isolated bits of
data that cannot be broken down further without sacrificing their forensic
IP addresses, email addresses, domain names, and short amounts of text are all examples of
atomic indicators. Computed indicators are essentially discrete units of data, but they have a
A hash is an example: a fixed-length digest computed from input data such as a file. If the
hashes of programs running on the machines in an organization's network match those of known
malicious programs, that match is a computed indicator of compromise.
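An added example (not the original post's tooling) that ties the compile-time metadata discussed under Tools and Techniques to the computed-indicator idea above: it reads the TimeDateStamp that the linker writes into a Windows PE header, checks whether the value is plausible, and matches the file's SHA-256 against a set of known-bad hashes. The sample executable is a constructed header built inline, not real malware; the indicator set, the reference "now" and the 1995 floor are assumptions.

```python
import hashlib
from datetime import datetime, timezone


def file_hash(data: bytes) -> str:
    """Computed indicator: SHA-256 digest of the whole file."""
    return hashlib.sha256(data).hexdigest()


def pe_compile_timestamp(data: bytes) -> int:
    """Read the COFF header TimeDateStamp (seconds since 1970-01-01 UTC) that the
    linker writes into every PE (EXE/DLL) file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")   # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return int.from_bytes(data[e_lfanew + 8:e_lfanew + 12], "little")


def assess_timestamp(ts: int, now_ts: int) -> str:
    """Plausibility of a build timestamp. It is a plain field the author can set to
    anything, so it is a hint for profiling, never proof."""
    if ts == 0:
        return "zeroed"            # deliberately cleared or stripped
    if ts > now_ts:
        return "future"            # cannot be genuine: forged
    if ts < 788_918_400:           # 1995-01-01 UTC, an assumed heuristic floor
        return "implausibly-old"
    return "plausible"


def triage(data: bytes, indicators, now_ts=None) -> dict:
    """Hash match against known-bad indicators plus the compile-time hint that
    investigators use to cluster samples by the author's working hours."""
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    ts = pe_compile_timestamp(data)
    digest = file_hash(data)
    built = datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None
    return {
        "sha256": digest,
        "known_bad": digest in indicators,
        "compile_time_utc": built.isoformat() if built else None,
        "compile_hour_utc": built.hour if built else None,
        "timestamp_assessment": assess_timestamp(ts, now_ts),
    }


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header for the example. It is not a runnable
    executable, only enough structure for the parser above."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (64).to_bytes(4, "little")      # PE header right after the DOS header
    coff = (b"PE\0\0"
            + (0x14C).to_bytes(2, "little")           # Machine: IMAGE_FILE_MACHINE_I386
            + (1).to_bytes(2, "little")               # NumberOfSections
            + timestamp.to_bytes(4, "little")         # TimeDateStamp
            + bytes(12))                              # remainder of the COFF header
    return bytes(dos) + coff


if __name__ == "__main__":
    sample = build_sample_pe(1_600_000_000)          # 2020-09-13T12:26:40Z
    known_bad = {file_hash(sample)}                  # constructed indicator set
    for ts in (1_600_000_000, 0, 2_000_000_000):
        print(triage(build_sample_pe(ts), known_bad, now_ts=1_649_376_000))
```

Two caveats a practitioner should keep in mind. A hash only matches the exact bytes, so a one-byte repack defeats it, which is why hashes are the weakest tier of indicators. And some toolchains fill the timestamp field with a value derived from the build's content rather than the clock (reproducible builds, including many recent Microsoft binaries), so an "implausible" timestamp may simply mean a deterministic build rather than a forgery.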
Incorporating Cyber Attribution Skills in the Incident Response Plan
It is highly recommended to incorporate cyber attribution skills into the organisation's
incident response plan (IRP). Broadly, the larger the organization, the more significant
attribution becomes. For government agencies and groups working in extremely sensitive areas,
such as national security, knowing who is behind an attack can be essential. The 2017 NotPetya
attack, which the US and UK governments publicly attributed to the Russian military in 2018
after a lengthy investigation, is an example. There is always something to be learned from every
incident.
The significance of attribution is determined by the organization involved and its capacity to
carry out an inquiry. As the dust settles and the questions "who" and "why" are raised,
attribution may be the only way to bring the investigation to a conclusion.
Challenges in Identifying Malicious Actors
Businesses generally lack the resources or expertise necessary to trace cybercriminals, and they
typically contract with external information security professionals. However, even for
professionals, cyber attribution can prove difficult.
To identify the person or actors responsible for a cyberattack, specialists frequently perform
thorough forensic investigations, which include evaluating digital forensic evidence and
historical data and establishing intent or motive.
However, one of the difficulties of cyber attribution is that attackers rarely operate directly
from their own homes or workplaces; they route their activity through computers and devices
belonging to other victims they have already compromised, so the observed source of an attack is
often just another victim.
Identifying an attacker is made more difficult by the fact that attackers can spoof source
addresses in connectionless traffic and, more commonly, chain proxies, VPNs, Tor and compromised
hosts across several countries, so that the address seen by the victim is several hops away from
the attacker and attribution attempts are misled.
Additionally, jurisdictional constraints might obstruct attribution in cross-border cybercrime
investigations. Each time a law enforcement agency needs to conduct a cross-border
investigation, it must request assistance through official channels. This can obstruct the
process of acquiring evidence, which must be done expeditiously.
Cyber attribution attempts are harmed further in some circumstances when jurisdictional concerns
might potentially jeopardize the evidence's integrity and chain of custody.
Understanding the attacker's motivations can assist in cyber attribution, as it is not always
about money. Investigators would also want to determine if cybercriminals are simply loitering
or have been watching for an extended period. Additionally, they attempt to determine whether
hackers are seeking specific data during their assaults and how they intend to utilize what they
Although cyber attribution is not an exact science, the strategies explained in the blog can
assist cybercrime investigators in identifying the perpetrators.
Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in the
Banking, Biotech, Medical, and Education sectors. Surya has played various roles across security
domains including CISO, Security Partner/SME for Information and Cyber Security, DevSecOps, Risk
Management, Data Privacy, Enterprise Security Data Architecture, Technology Risk, and Portfolio
Management, after graduating with an MS in Risk Management from the Stern School of Business,
New York University, U.S., and an M.B.A. from Leeds University Business School, U.K.