Hunting hackers: An ethical hacker explains how to track down the bad guys

The immediate response
Many times, the initial investigation centers on collecting, organizing and analyzing large amounts of network data. Computer networking equipment and servers keep records of who connects, where the connection comes from and what the user does on the system.

Depending on what that analysis shows, the administrator may be able to fix the problem right away, such as by preventing a particular user from logging in, or blocking all network traffic coming from a particular place. But a more complex issue could require calling a sophisticated incident response team.

Ideally, each company or organization should have its own internal team or rapid access to a team from outside. Most countries, including the U.S., have their own national response teams, often government employees supplemented by private contractors with particular expertise. These teams are groups of ethical hackers who are trained to investigate deeper or more challenging intrusions. In addition to any self-taught skills, these people often have additional experience from the military and higher education. Their most vital expertise is in what is called “just-in-time learning,” or figuring out how to apply their skills to new situations on the fly.

They conduct larger-scale digital forensic inquiries and analyze malicious software that may have been introduced during the attack. Typically, these teams work to stop the attack and prevent future attacks of that type. The teams can, at times, hunt down the attackers.

Attributing an attack
Determining the identity or location of a cyberattacker is incredibly difficult because there’s no physical evidence to collect or observe. Sophisticated hackers can cover their digital tracks. Although there are many different attribution techniques, the best approach takes advantage of more than one. These techniques often include looking very closely at any files or data left behind by the attackers, or stolen and released as part of the incursion.

Response teams can analyze the grammar used in comments that are commonly embedded in software code, as programmers leave notes to each other or for future developers. They can inspect files’ metadata to see whether text has been translated from one language to another.

For example, in the DNC hack, American cyber experts could look at the specific files published on Wikileaks. Those files’ metadata indicated that some of them contained text converted from the Cyrillic characters of the Russian alphabet to the Latin characters of English.
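One way to carry out the metadata inspection described above, as an added example that is not code from the article or its author: it reads the core-properties part of an Office Open XML (.docx) file, pulls out the author, last-editor and language fields, and flags any name written in Cyrillic script. The sample document and its field values are constructed here for illustration.

```python
# Added example: inspect .docx core metadata for attribution clues.
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in Office Open XML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

def build_sample_docx() -> bytes:
    """Build a minimal .docx-style zip in memory (constructed sample values)."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>user</dc:creator>'
        '<cp:lastModifiedBy>Редактор</cp:lastModifiedBy>'
        '<dc:language>ru-RU</dc:language>'
        '</cp:coreProperties>'
    ) % (NS["cp"], NS["dc"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()

def has_cyrillic(text: str) -> bool:
    """True if any character belongs to the Cyrillic block (by Unicode name)."""
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in text)

def inspect_docx_metadata(data: bytes) -> dict:
    """Return author/editor/language fields and whether a name is in Cyrillic."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    fields = {}
    for tag in ("dc:creator", "cp:lastModifiedBy", "dc:language"):
        el = root.find(tag, NS)
        fields[tag] = el.text if el is not None else None
    names = [fields["dc:creator"] or "", fields["cp:lastModifiedBy"] or ""]
    fields["cyrillic_in_names"] = any(has_cyrillic(n) for n in names)
    return fields

if __name__ == "__main__":
    for key, value in inspect_docx_metadata(build_sample_docx()).items():
        print(f"{key}: {value}")
```

On a real file, replace the constructed bytes with the contents of the .docx; the same two parts (`docProps/core.xml` and the namespaces above) are present in every Word-generated package.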

Investigators can even identify specific sociocultural references that can provide clues to who conducted the attack. The person or group who claimed responsibility for the DNC hack – using the name Guccifer 2.0 – claimed to be Romanian. But he had a hard time speaking Romanian fluently, suggesting he wasn’t actually a native. In addition, Guccifer 2.0 used a different smiley-face symbol than Americans. Instead of typing “:)” Guccifer 2.0 just typed “)” – leaving out the colon, implying that he was Eastern European.

Experienced cyber-investigators build an edge by tracking many significant threats over time. Just like with “cold cases” in regular police work, comparing the latest attack to previous ones can sometimes reveal links, adding pieces to the puzzle.

This is particularly true when dealing with what are called “advanced persistent threats.” These are attacks that progress gradually, with very sophisticated tactics unfolding over long periods of time. Often attackers custom-design these intrusions to exploit specific weaknesses in their targets’ computer systems. That customization can reveal clues, such as programming style – or even choice of programming language – that combine with other information to suggest who might be responsible.

The cyber-defense community has another advantage: While attackers typically work alone or in small groups and in secret, ethical hackers work together across the world. When a clue emerges in one investigation, it’s common for hackers to share that information – either publicly on a blog or in a scholarly paper, or just directly with other known and trusted investigators. In this way, we build a body of evidence and layers of experience in drawing conclusions.

Very often, a report from an attack investigation will yield clues or suggestions, perhaps that an attacker was Russian or was using a keyboard with Korean characters. Only when the conclusions are clear and irrefutable will investigators directly accuse specific attackers. When they do, though, they often share all the information they have. That bolsters the credibility of their conclusions, helps others identify weaknesses or failures of logic – and it shares all that knowledge with the rest of the community, making the next investigation that much easier.

The most skilled hackers can write self-erasing code, fake their web addresses, route their attacks through the devices of innocent victims and make it appear that they are in multiple countries at once. This makes arresting them very hard. In some attacks, we are able to identify the perpetrator, as happened to celebrity-email hacker Guccifer 1.0, who was arrested and imprisoned.

But when the attack is more advanced, coordinated across multiple media platforms and leveraging skillful social engineering over years, it’s likely a government-sponsored effort, making arrests unlikely. That’s what happened when Russia hacked the U.S. presidential election. Of course, diplomatic sanctions are an option. But pointing fingers between world superpowers is always a dangerous game.

Timothy Summers is Director of Innovation, Entrepreneurship, and Engagement, University of Maryland. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).