How do intelligence analysts know <nation-state/threat-actor> is behind malicious activity?
The simple answer is that criminals are human. Humans are creatures of habit. Humans follow certain constructs of behavior native to their geographic regions. Humans make mistakes. In intelligence terms, these human foibles translate to "tools, techniques and procedures," or TTPs.
This isn't the most illuminating answer to anyone new to threat research and adversary hunting. So in this blog, I'll go over a very basic example. I won't show a bad guy, real or based on a real adversary, for a number of reasons. First and foremost, the minute an adversary's TTPs are made public they change them up. This can set active investigations and legal cases back months. Instead, for illustrative purposes, I'll use the country's (reportedly) new cyber security czar's already-public website, Giuliani Security and Safety.
Attributing activity is similar to reconnaissance, the first step in the cyber kill chain. The only difference is that the analyst is backing into the information using artifacts collected in the initial stages of investigation. The typical first couple of the artifacts researched are the source activity's IP addresses and domain names. Let's say we found giulianisecurity.com in our logs. First, we look for the IP addresses associated with the domain:
Let's move on to see what we can learn about the domain. One of the key factors is learning who registered the domain. There are multiple ways to do this. I'll use a graphical example:
There's a lot of information here. Interested folks can look up the RFC on DNS here. Meanwhile, let's focus our attention on the registrant details:
Who's Data Docket? Might be a website or IT company but it's best not to speculate. We let the data speak. As of this writing, the search term "Data Docket" fails to yield the domain name in the Registrant Email address in the first page of Google results. That means "datadocket.com" is buried in the nether regions of the results which means it's got low traffic numbers. Sounds oddly small potatoes for such a high profile customer.
Let's try the email address. The search results for that look more promising. Here's the top hit:
So who's David Haenel? All results, and I mean ALL, relate to a lawyer in Florida. Just to be sure, I tried searches on his name plus every keyword I could think of that could turn up a web designer or host ("web," "website," "developer," "web host,""technology," etc.). The only results that came up, time after time, were related to David Haenel, Esq. He has the corner on the Internet search results. So here he is:
Now we start to ask questions. Why is a lawyer registering the domain of a cyber security company? What's his relationship to the source domain? Sure, Rudy Giuliani was a lawyer but if you're going to outsource technology-based responsibilities, wouldn't a technology company be more appropriate? Which makes this deviation from the norm seem deliberate. Or does it? Let's see what LinkedIn has to say about Mr. Haenel.
That third entry is interesting. A simple search for "Scorch SEM" gives us the domain name scorchsem.com, no surprises there. A visit as of this writing showed a parked page (placeholder). Seems unusual for a 13-year-old company. So we take a look through the Wayback Machine and find this, circa 2013:
Note the contact email, "David@ScorchSEM.com." Interesting but inconclusive. David is a pretty common name. Until we turn our attention to the bottom of the page:
Copyright by Finebloom & Haenel. Where have we seen those names before? On the header of the pages for Finebloom Haenel & Higgins, as seen above. Seems like the same guy. Going back to the search results on the name "David Haenel" it's starting to make sense - Scorch and firstname.lastname@example.org both tout SEO, search engine optimization. Mr. Haenel is clearly good at SEO given that he's managed to corner the search market on his name.
By the way, there's a reason I chose a lookback at 2013. It's the year giulianisecurity.com went live. They secured the domain name in 2004, added the first IP host in 2009, and parked the domain until Feb 2013.
From here, we would look for intersections between the lives of Haenel and Giuliani to see what, or who, brought them together. We would build relationship maps based on those intersections, the infrastructures, and end up with the story of who's who and why.
This (extremely brief) exercise has been based in what's called "OSINT" or open source intelligence. In other words, putting pieces together using publicly available information. Had this been a real investigation, we would have had non-public information to help us uncover the facts, such as logs from systems touched and traversed. If malware was involved we would have samples and/or artifacts like configuration files, supporting scripts, command and control infrastructures, and such.
Similar to a physical crime scene, all bits of data in and around the scene of cyber crime are sifted for breadcrumbs of trails that can lead to identifying the true source of malicious activity. Even when the bad guys try to trip up investigators to throw them off track, the specific tactics they use for disinformation are also fingerprints once you know how and where to look.