Characteristics of a Cyber Marauder
Traits of digital bad actors reveal clues as to their operations.
The persistence, frequency and destructiveness of cyber attackers in this day and age propels digital defenders to search the Internet to understand how attackers operate in order to thwart attacks or fix vulnerabilities. Amidst all of the nefarious activity, cyber defenders must discern between credible threat players and less dangerous actors. One company, New York-based Flashpoint, searches the deep web and the dark web to gain intelligence on malicious cyber activity, including where, when, why and how bad actors are operating. More and more, threat actors are selling stolen, sensitive or valuable information, or they are selling awareness of vulnerabilities of companies.
“There is a lot of information to gain from places you don’t expect, even from people who operate sort of silently, who post infrequently and are rarely online,” said Bryan Oliver, cybersecurity intelligence analyst at Flashpoint.
Oliver and two other colleagues from Flashpoint spoke at AFCEA Alamo’s recent webinar, Tracking Disinformation Campaigns in Illicit Online Communities.
The Flashpoint analysts examine patterns of life, analyzing behavior and online personas, as well as the digital forums bad actors frequent. “Analyzing behavior can help us know what’s real from what’s not,” Oliver said. “Even the kinds of forums or areas they tend to join can tell a lot about why they are operating and who they are.”
Digital forums are often geographically or topically or credibility specific, which can help point to information about an actor. Oliver added that actors’ online personas, especially ego-driven postings, reveal clues about their operations. The forums resemble an enclosed bubble to digital criminals, and they feel it is a safe space where they like to take credit for their actions. When actors engage as such, it tells the analysts who actors might be and what their aims are and sometimes for whom they are working, he stated.
“That helps us to not only identify criminals in certain situations, but also to separate fear, uncertainty and doubt, or FUD, what is basically spam, and how to tell if something is a real threat and something is not,” he said.
The analyst noted that many times activity is meant only to drive FUD. “We see open news forum reporting that is based on outdated information of massive hacks or data sharing, and all too often it turns out that the person is unreliable and there is no evidence that they have the [stolen] data or that data is just old,” Oliver explained. “So, I think that one of the most important things that we can learn from watching threat actors and their discussions is whether or not we can trust them.”
In addition, the Flashpoint analysts examine the language, context and lingo included in solicitation messages posted by cyber attackers in online forums to potential buyers. Flashpoint examines these postings, looking for clues from highly credible threat actors. For example, the overuse of emojis or capital letters may point to an actor that is not credible.
More commonly, Oliver said, credible actors will reveal as little data as possible about their opportunity for sale, sometimes only including type and cost. And credible bad actors will often have an in-depth use of language in regard to an opportunity that they are selling, demonstrating an understanding of banking terminology, for example, or other industry-specific lingo.
The analysts also identified the chat platforms most widely used by credible threat actors, to include Telegram, followed by Discord, Whatsapp, QQ and the other major social media platforms.