June 18, 2019, updated 18 Jul 2019 8:18am

Victimology: In the shoes of a cybersecurity analyst

By Steve Rivers

A recent report from the UK government found that 32% of businesses identified a cybersecurity attack in the previous 12 months, and one of the most common attack types is spear-phishing: targeted, convincing e-mails crafted to deceive specific recipients.

When a threat arises, the security team's role is to investigate, confirm whether an attack is real and gauge its severity. That investigation makes it possible to plan a response to the current attack and, more generally, to strengthen defences against that class of attack.

One way to investigate a situation like this is victimology: studying who was targeted. It lets the security team quickly determine whether it is facing an attack aimed specifically at the business or ordinary, untargeted phishing.

To explore this type of investigation, we will take the example of an e-mail protection system whose alerts show that it blocked six spear-phishing e-mails from the same sender over a period of 45 days.

Victimology: identifying the motives and target of the attack

The first step is to understand who these e-mails were targeted at.

As the person leading the investigation does not necessarily know all of the company's employees, their identities (title, position, manager's name, geographical location, and so on) should be imported into a Threat Intelligence Platform (TIP). There are several ways to build this list, ranging from a simple export from Active Directory to a script that pushes the data into the TIP through its Application Programming Interface (API), sourcing the fields from the HR system (PeopleSoft, for example). This is personal data: restrict who can query it in the TIP and import only the fields the investigation needs.

With this data set, similarities between the recipients of the spear-phishing campaign become easier to spot; for example, they may all work in the finance department. An attack tailored to employees of that department suggests the attacker's motivation is financial.
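As an added example (not code from the original article), here is how the first step can be scripted: a Python snippet that joins the alert recipients to a directory export and reports which attributes the targets share. The alert rows, the directory rows and their column names are constructed sample data and assumptions, not a real gateway or HR format.

```python
import csv
import io
from collections import Counter

# Constructed sample data: six gateway alerts from one sender over 45 days
# and a small directory/HR export. Addresses and names are illustrative.
ALERTS_CSV = """alert_id,timestamp,sender,recipient
1,2019-03-04T08:57:00,invoices@acme-billing.example,j.doe@example.org
2,2019-03-11T08:56:00,invoices@acme-billing.example,a.khan@example.org
3,2019-03-18T08:58:00,invoices@acme-billing.example,m.rossi@example.org
4,2019-03-25T08:57:00,invoices@acme-billing.example,j.doe@example.org
5,2019-04-08T08:55:00,invoices@acme-billing.example,l.chen@example.org
6,2019-04-17T08:57:00,invoices@acme-billing.example,a.khan@example.org
"""

DIRECTORY_CSV = """email,title,department,manager,location
j.doe@example.org,Accounts Payable Clerk,Finance,p.smith@example.org,London
a.khan@example.org,Finance Analyst,Finance,p.smith@example.org,London
m.rossi@example.org,Treasury Officer,Finance,p.smith@example.org,Milan
l.chen@example.org,Payroll Specialist,Finance,r.ng@example.org,London
r.ng@example.org,Payroll Manager,Finance,c.white@example.org,London
s.berg@example.org,Sales Engineer,Sales,k.lee@example.org,Berlin
"""


def load_csv(text):
    """Parse an in-memory CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def victimology(alerts, directory, fields=("department", "manager", "location", "title")):
    """Join the distinct alert recipients to the directory and, for each
    attribute, report the dominant value and the share of targets holding it."""
    people = {row["email"].lower(): row for row in directory}
    targets = sorted({a["recipient"].lower() for a in alerts})
    # Recipients missing from the directory (contractors, stale aliases) are
    # reported rather than silently dropped, since they skew the shares.
    unknown = [t for t in targets if t not in people]
    profile = {}
    for field in fields:
        counts = Counter(people[t][field] for t in targets if t in people)
        if counts:
            value, n = counts.most_common(1)[0]
            profile[field] = {"value": value, "share": n / len(targets), "distinct": len(counts)}
    return {"targets": targets, "unknown": unknown, "profile": profile}


def summarize(result, threshold=0.75):
    """One-line findings for attributes shared by at least `threshold` of targets."""
    lines = []
    for field, info in result["profile"].items():
        if info["share"] >= threshold:
            lines.append(
                f"{info['share']:.0%} of {len(result['targets'])} targets share "
                f"{field}={info['value']!r}"
            )
    return lines


if __name__ == "__main__":
    res = victimology(load_csv(ALERTS_CSV), load_csv(DIRECTORY_CSV))
    for line in summarize(res):
        print(line)
    if res["unknown"]:
        print("not in directory:", ", ".join(res["unknown"]))
```

On the sample data the script reports that all four targets are in Finance and that three of the four share a manager and a location; a title, by contrast, is not shared, which is what distinguishes "a department was targeted" from "a role was targeted".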

Conduct a technical analysis to know which countermeasures to deploy

The second step is to complete a technical analysis of the attack.

The timestamp of each event is sometimes a hint. If the e-mails are all sent at the same time of day (compare them in a single time zone before concluding anything), it suggests a scheduled script run by an attacker operating at scale, which would mean the company is only one target among many in a larger campaign. If not, the company may have the attacker's full attention, and an attacker that focused is less likely to give up.

A detailed analysis of the recipients can also reveal interesting points. For example, one of the targeted employees may appear only several days after the attacks began and, according to HR, may not have been part of the finance team before that. This would suggest the adversary keeps its list of targets up to date.

Scanning the e-mails shows whether radically different content is used in each wave, including the attachments, the vulnerabilities they exploit and/or the malicious code they embed. If the content evolves, the attacker is changing techniques to test the company's defences and will probably continue to do so. It is difficult to tell whether the attacker is a single person with a large arsenal or several actors each with a specialty, but it is a safe bet that the attacks are coordinated.
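An added example (not from the original article) of the three checks above in Python: the spread of send times across the day, recipients whose first e-mail postdates their move into the targeted team, and how the lure changes from one wave to the next. The alert records, the HR start dates and their field names are constructed sample data and assumptions.

```python
from datetime import date, datetime
from statistics import pstdev

# Constructed sample data: the six blocked e-mails, enriched by the gateway
# with subject, attachment hash and the lure type the sandbox reported.
ALERTS = [
    {"id": 1, "ts": "2019-03-04T08:57:00", "to": "j.doe@example.org",
     "subject": "Invoice 4471 overdue", "attachment_sha256": "a1" * 32, "lure": "macro-doc"},
    {"id": 2, "ts": "2019-03-11T08:56:00", "to": "a.khan@example.org",
     "subject": "Invoice 4482 overdue", "attachment_sha256": "a1" * 32, "lure": "macro-doc"},
    {"id": 3, "ts": "2019-03-18T08:58:00", "to": "m.rossi@example.org",
     "subject": "Payment remittance", "attachment_sha256": "b2" * 32, "lure": "iso-lnk"},
    {"id": 4, "ts": "2019-03-25T08:57:00", "to": "j.doe@example.org",
     "subject": "Payment remittance", "attachment_sha256": "b2" * 32, "lure": "iso-lnk"},
    {"id": 5, "ts": "2019-04-08T08:55:00", "to": "l.chen@example.org",
     "subject": "Updated bank details", "attachment_sha256": None, "lure": "credential-link"},
    {"id": 6, "ts": "2019-04-17T08:57:00", "to": "a.khan@example.org",
     "subject": "Updated bank details", "attachment_sha256": None, "lure": "credential-link"},
]

# Constructed HR feed: the date each target joined the Finance department.
FINANCE_START = {
    "j.doe@example.org": date(2017, 5, 1),
    "a.khan@example.org": date(2018, 9, 3),
    "m.rossi@example.org": date(2016, 1, 11),
    "l.chen@example.org": date(2019, 4, 1),  # moved to Finance after the campaign began
}


def parse(ts):
    return datetime.fromisoformat(ts)


def send_time_regularity(alerts, max_spread_minutes=15):
    """Population std-dev (minutes) of the time of day each mail was sent.
    A tight spread suggests scheduled delivery by tooling. All timestamps are
    assumed to be in one time zone; sends straddling midnight would need
    circular statistics, which this simple version does not do."""
    minutes = [parse(a["ts"]).hour * 60 + parse(a["ts"]).minute for a in alerts]
    spread = pstdev(minutes)
    return {"spread_minutes": round(spread, 1), "scheduled": spread <= max_spread_minutes}


def late_joiners(alerts, role_start):
    """Targets whose first e-mail arrived only after they joined the targeted
    team, i.e. the attacker's list was refreshed against current staff."""
    campaign_start = min(parse(a["ts"]) for a in alerts).date()
    first_seen = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        first_seen.setdefault(a["to"], parse(a["ts"]).date())
    return sorted(
        t for t, seen in first_seen.items()
        if t in role_start and campaign_start < role_start[t] <= seen
    )


def content_evolution(alerts):
    """Group consecutive mails by (lure type, attachment hash). Several waves
    means the attacker rotates technique instead of replaying one payload."""
    waves = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["lure"], a["attachment_sha256"])
        if not waves or waves[-1]["key"] != key:
            waves.append({"key": key, "first": a["ts"][:10], "count": 1, "subjects": {a["subject"]}})
        else:
            waves[-1]["count"] += 1
            waves[-1]["subjects"].add(a["subject"])
    return waves


if __name__ == "__main__":
    print("send times:", send_time_regularity(ALERTS))
    print("added to target list after campaign start:", late_joiners(ALERTS, FINANCE_START))
    for w in content_evolution(ALERTS):
        print(f"wave from {w['first']}: lure={w['key'][0]} mails={w['count']} subjects={sorted(w['subjects'])}")
```

On the sample data the six mails all land within a couple of minutes of 08:57, one recipient was added to the list only after joining Finance, and the lure changed three times (macro document, ISO/LNK, credential link), which is exactly the profile of an attacker probing the defences.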

This technical analysis lets the company prepare while the attack is under way: it knows how to brief its teams, how to clean affected workstations, which technical countermeasures to deploy and how to prioritise the vulnerabilities the attacker is exploiting.

The perspectives brought by the investigation

The investigation does not stop there. Since the attack is clearly targeted, the next spear-phishing attempt will have to be compared with those studied here to determine whether the attacker is still targeting the company and whether the techniques used are the same.

In this example, future spear-phishing e-mails will be integrated into the TIP, where correlations with the earlier ones are likely to emerge.
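One way to do that comparison, as an added example rather than the article's own tooling: score each newly blocked e-mail against the indicators recorded for the known campaign and report which ones matched. The campaign profile, the indicator weights and the three new alerts are constructed sample data; a real TIP would expose its own fields.

```python
from datetime import datetime

# Constructed profile of the campaign already stored in the TIP.
CAMPAIGN = {
    "name": "finance-lure-2019Q1",
    "sender_domains": {"acme-billing.example", "acme-bi11ing.example"},  # original + look-alike
    "attachment_sha256": {"a1" * 32, "b2" * 32},
    "subject_terms": {"invoice", "remittance", "bank details"},
    "target_department": "Finance",
    "send_window": (8, 10),  # hours (same time zone as the alerts) in which known mails arrived
}

# Assumed weights: a reused attachment is strong evidence, a send time is weak.
WEIGHTS = {"attachment": 5, "sender_domain": 4, "subject": 2, "department": 2, "send_window": 1}

# Constructed new alerts, already enriched with the recipient's department.
NEW_ALERTS = [
    {"id": 7, "ts": "2019-05-06T09:12:00", "sender": "billing@vendor-portal.example",
     "subject": "Invoice 4499 overdue", "attachment_sha256": "a1" * 32, "department": "Finance"},
    {"id": 8, "ts": "2019-05-06T14:02:00", "sender": "finance@acme-bi11ing.example",
     "subject": "Meeting agenda", "attachment_sha256": "c3" * 32, "department": "Sales"},
    {"id": 9, "ts": "2019-05-07T19:40:00", "sender": "noreply@parcel-track.example",
     "subject": "Your package is waiting", "attachment_sha256": None, "department": "Sales"},
]


def correlate(alert, campaign, weights=WEIGHTS):
    """Score one alert against a stored campaign and return the matched
    indicators, so the analyst can see why it correlated, not just a number."""
    matched = []
    domain = alert["sender"].rsplit("@", 1)[-1].lower()
    if domain in campaign["sender_domains"]:
        matched.append("sender_domain")
    if alert.get("attachment_sha256") in campaign["attachment_sha256"]:
        matched.append("attachment")
    subject = alert["subject"].lower()
    if any(term in subject for term in campaign["subject_terms"]):
        matched.append("subject")
    if alert.get("department") == campaign["target_department"]:
        matched.append("department")
    lo, hi = campaign["send_window"]
    if lo <= datetime.fromisoformat(alert["ts"]).hour < hi:
        matched.append("send_window")
    score = sum(weights[m] for m in matched)
    return {"score": score, "max": sum(weights.values()), "matched": matched}


def verdict(result, strong=8, weak=4):
    """Triage label from the score; thresholds are assumptions to tune per environment."""
    if result["score"] >= strong:
        return "same campaign"
    if result["score"] >= weak:
        return "possibly related"
    return "unrelated"


if __name__ == "__main__":
    for alert in NEW_ALERTS:
        r = correlate(alert, CAMPAIGN)
        print(f"alert {alert['id']}: {verdict(r)} ({r['score']}/{r['max']}, matched {r['matched']})")
```

The score is a triage aid: a high value says the mail shares indicators with the stored campaign, not that the same operator sent it. Note that the first new alert comes from a never-seen domain yet still correlates strongly because it reuses an attachment and targets the same department, which is why matching on more than the sender matters.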

Ultimately, this investigation has revealed that the company has an adversary and needs to adjust its defensive strategy accordingly. Such an investigation provides tangible elements to report to senior management and thus raise awareness throughout the company.