Tips for using a threat profile to prevent nation-state attacks

Is your organization concerned about state-sponsored attacks? Threat profiling can help prevent nation-state attacks. Get advice on how to create an effective threat profile.

Threat profiles are detailed descriptions of attackers' previous activities that help security teams track and mitigate threats. The more information teams collect about their threats, the better prepared they are to detect warning signs and prevent security incidents -- particularly when dealing with nation-state attacks.

Unlike traditional attacks that target a wide net of victims, advanced state-sponsored attackers -- which often have unlimited access to resources -- can spend months or longer scoping out, infiltrating and monitoring their targets.

"When you're dealing with an advanced attack, there are usually humans behind it who have an objective -- and humans create patterns," said Jon DiMaggio, author of The Art of Cyberwarfare, published by No Starch Press.

Many organizations may wonder if they even need threat profiles, as well as what the odds are that a nation-state will target them.

In his book, DiMaggio explained why every organization needs to prioritize nation-state threats and detailed real-world attacks sponsored by China, Russia, Iran, North Korea and the United States. He also offered technical advice on how organizations can protect themselves from advanced nation-state attacks.

Here, DiMaggio explains the importance of threat profiles, including who should make them and what they should include. He also discusses the importance of preparing for a nation-state attack, the top signs of such an attack and more.

Editor's note: This text has been edited for length and clarity.

Book cover of The Art of Cyberwarfare by Jon DiMaggioClick to learn more about
The Art of Cyberwarfare
by Jon DiMaggio.

Learn why it's difficult to attribute nation-state attacks in an excerpt from Chapter 2 of The Art of Cyberwarfare by Jon DiMaggio, published by No Starch Press.







Who will benefit most from reading your book?

Jon DiMaggioJon DiMaggio

Jon DiMaggio: The book is for security professionals and those aspiring to join the industry. I wrote the first half of the book for anyone with an interest in nation-state attacks or organized government crime. The hope is that, by discussing the history of nation-state attacks, readers will then be interested in the second half of the book, which teaches how to find, track and identify advanced threats.

I wanted to give readers the 'why' upfront so there are no questions around why this topic is important. Seasoned security analysts see hundreds of thousands, if not millions, of flagged threats a year, 90% of which are automated day-to-day threats that come in via email, bad websites, etc. The other 10% of threats are from advanced attackers with targeted motives. I give real-life examples in my book to explain why we need to treat and defend against these threats differently.

Have more organizations started to prioritize nation-state threats in recent months?

DiMaggio: Organizations are starting to treat these threats differently. However, all the headlines around ransomware have muffled some of the attention on nation-state attacks -- it's like the tree that falls in the woods that nobody hears. Although, it has started to change recently with the news of Ukraine and Russia.

While ransomware continues to make headlines, news about nation-state attacks is still getting out there. Some ransomware groups have started copying techniques from nation-state attacks. So, yes, people are starting to listen. The problem, however, is there's still so much day-to-day threat activity that takes away the focus from advanced threats. Organizations are starting to change their mindset, but there's still a ways to go.

Are all organizations potential targets of a nation-state attack?

DiMaggio: Yes, absolutely. Nation-states don't just target big companies. Imagine Company A is a technology vendor that does research and development for a defense contractor and is sourcing a jet engine for a device it is making for the government. Company A sources the jet engine from Company B -- who has nothing to do with defense contracting. Company B is three removed from the real target, but nation-state attackers still break into its system so they can get closer to their primary target (the government).

Smaller organizations are easy targets because they don't have the same funding and budgets for security as larger companies. Attackers can take six months to a year pivoting from one company to another until they get where they want to go. So, small mom-and-pop shops should take note.

What are the top signs an organization has been attacked by a nation-state actor?

DiMaggio: First, nation-state attackers take time to profile their victims. Let's say it's a spear phishing email, for example. It would be tailored to the victim. This would be different from normal day-to-day threats, where threat actors send out mass phishing messages in hopes a few click on the link.

Second, an aspect of the attack vector often involves someone who is related or has an affiliation with the victim. Threat actors may use LinkedIn, for example, to find a former employee who is known to the target so it appears like a legitimate interaction to the victim.

Third, the level of malware used by a nation-state is usually far more advanced than traditional cybercrimes because nation-state attacks are often well resourced.

How can threat profiling help detect nation-state threats?

DiMaggio: Humans have preferences on tools and processes that security analysts can track over time, such as nuances in code or the malware or infrastructure they use. You can put all that information in a one-page threat profile for your analysts, so when they say, 'This doesn't look like a normal attack; it looks familiar,' analysts can compare the current attack to the information in the threat profile. It's a way to identify future attacks, and it helps track bad actors who you don't know anything about over time.

In The Art of Cyberwarfare, DiMaggio included a list of questions to ask when creating a threat profile, including the following:

  • What is the timeline of the activity?
  • What type of malware does the group use? Is it publicly available or custom-developed malware?
  • Is a digital certificate used to sign the malware? Who is the signer?
  • Is there a pattern or relationship with the infrastructure used? This could be the IP address or domain the email originated from.
  • What industries are targeted?

Who within an organization is responsible for making a threat profile?

DiMaggio: At minimum, organizations should have one person who focuses specifically on advanced threats. Someone who won't be distracted by the noise of day-to-day security alerts. The individual should track and become familiar with patterns so they can detect future attacks.

What are the most important details to include in a threat profile?

DiMaggio: First, each bad actor will adopt a persona -- the voice an attacker pretends to be. For example, Russian attackers created the Guccifer 2.0 persona when they hacked the Democratic National Convention during the 2018 U.S. presidential election. Attackers might change their persona for different attacks, but they often have similar themes, backgrounds, languages or time zones. It's good to track personas because, even when threat actors change them, there's usually a familiarity or common theme among them.

Also, include the type of infrastructure the attacker uses in the threat profile. Tracking registration information used to be helpful, but with all the privacy laws and protections, you don't get to see much of that data. But you can still see the type of infrastructure an adversary is using. There's often a theme, whether it's that they register with the same provider or they use a common theme to name them. I've seen new domains and immediately known or had a good assumption about who was behind the attack because the theme fit with a group I'd tracked.

It's also important to identify and track custom malware. Nation-state attackers usually use homegrown malware; therefore, there's nothing else like it out there in the world. There's going to be unique aspects of the malware that are repeated. It might be a year down the road, or attackers might come up with a whole new version of the malware, but an aspect of its functionality will remain the same. We're lazy as people. We don't want to restart everything from scratch. For example, I might use a piece of malware for a year and then change it by 80% the next year. But I'm still going to reuse certain components of it because I don't want to write all new code.

Dig Deeper on Threat detection and response