Tomer Bar, a cybersecurity expert with 20 years of experience, says attackers sometimes make critical mistakes, letting defenders take a peek into their operations.
At DEFCON, one of the world's largest hacker conventions in Las Vegas, Bar talked about his latest breakthroughs from years-long research of the advanced persistent threat (APT) operational security.
Bar, who now leads the team at SafeBreach Labs as the director of security research, began his journey by researching state-sponsored surveillance-targeted and large-scale financially motivated attacks from the Middle East to the Far East, including the Palestinian Authority, Turkey, Iran, Russia, China, and North Korea.
He found a "multitude of unbelievable critical mistakes" threat actors make. This opened a window to understanding the tactics, techniques, and procedures criminals use to target victims. In many cases, the researcher could join internal communication channels and observe criminals' chats, emails, bank accounts, and crypto wallets.
"Based on this access, it was possible to understand their business models and the scale of sensitive data sharing taking place, including entire citizen databases, passports, and social security numbers. In some cases, it was even possible to take down the entire campaign," Bar's blog reads.
He said he played a seven-year mind-game against a sophisticated Infy threat actor with links to Iran. After years of looking at the attackers' operational security, Bar has concluded that, first of all, attackers are humans just as prone to mistakes as anyone else.
“Although they are experts in developing malware and launching sophisticated attacks, they are not necessarily experts in operations security. The most advanced threat actors are prone to mistakes,” he said.
“Complete digital forensics and incident response (DFIR) investigations should include an analysis of the attacker's infrastructure in legit checks allowed by law. Mistakes made by the adversary may help measure the attack timeline and scope, provide damage control estimation, and assist in the remediation of infected machines and required actions such as credentials replacements,” Bar added.
In an interview with Cybernews, principal researcher at Sophos, Chester Wisniewski, said that some cybercriminals are simply dumb. He acknowledged that researchers come across much more information than they disclose in their blog posts simply because they don't want to tip off criminals.
"It's important to remember that these criminals are not perfect. They do make mistakes. We do stumble across stuff regularly where the criminals have disclosed their IP addresses," he said.
More from Cybernews:
Subscribe to our newsletter