Active Response

Always A Bad Day For Adversaries

Category: Education

State-Associated Hackers Target Me – Here’s What To Do When They Come After You

You were just told state-associated hackers attacked your account.  Congratulations!  You’ve joined a select club and your work has received recognition.  But, probably not of the variety for which you were hoping.  According to Google, less than 0.1% of accounts unlock this achievement.  But, what do you do now?!!!

I’ve attracted the same attention over my career studying and countering targeted threats, along with my work at the Global Emancipation Network disrupting human trafficking on the internet, simultaneously pissing off international organized criminal groups.  I’ve also notified and counseled countless victims of state-associated activity.

I’ll tell you what I’ve done in this situation.  Hopefully you can apply some of the lessons in your own situation.  However, this isn’t going to work for everyone; each person will need to take their own mission and specific situation into account.  Further, I will try to dispel some of the myths and FUD which surround detection of state-associated attacks.

Don’t Panic

I can’t overstate this – DON’T PANIC.  You must get over your initial feelings of unease, disgust, anger, and possible fear.  Panic makes for bad decision-making, and that’s exactly what NOT to do in this situation.  Here is what you need to understand to help you make good decisions…

Myth 1: There is nothing you can do and you’re on a kill list

Reality: While there have been cases of activists targeted through their digital accounts which likely led to their death, this is extremely rare.  And, you will already know if this is a likelihood in your specific case.  Usually, they’re just interested in the following three elements:

  • Intelligence about you and your business dealings
  • Access to your contacts (to know them and further use your account to compromise them)
  • Access to your organization(s) (to use your access to compromise enterprises)

You are not without recourse and effective defense.  Those who claim that state-associated adversaries will always win are wrong.  Yes, they pose a difficult problem, but any hyperbole beyond that is incorrect.

Myth 2: If they wanted access to your account(s) and computers, they’d already have them.

Reality: Huh?  That makes no logical sense.  If they already had access, how did they get it in the first place?  This is just defeatism and has no grounding in reality.  The truth is that adversaries attack not just once but MANY times.  It’s likely that if you’re a target you will remain a target.  Further, it’s likely that you are a target for more than one adversary.  Also, let’s say you were previously compromised.  The adversary may have lost their access (due to either action/inaction on their part or yours) and needs to regain it.  So, DON’T YOU DARE GIVE UP NOW.  You have been given a new opportunity to defend yourself.  TAKE IT.

Myth 3: You were specifically targeted

Reality: Yes – you made it on a list.  But, you are probably one of THOUSANDS targeted in a single campaign.  Probably one of TENS of THOUSANDS targeted by that adversary this year.  It’s very likely that if the adversary doesn’t succeed you will remain on their target list for a long time and receive many attacks over time.  You will now need to remain constantly vigilant.  But, it remains that you were probably not singled out.

Myth 4: You should have already taken action

Reality: Yes, taking defensive action before an attack is worth much more than action taken afterwards.  However, that assumes a world that doesn’t exist.  None of us, not even the greatest security researcher in the world, takes perfect precautions.  And even assuming the adversary was successful, it doesn’t mean we give up and cede the battlefield – we fight back!  We retake what is ours.

Myth 5: State hackers can’t be detected and never attack where they will be detected

Reality: Hackers are driven by motivation to succeed in their mission.  If they don’t succeed they don’t get paid, don’t get promoted, maybe see a firing squad.  They will ultimately attack a victim via whatever method will work.  Effectiveness will almost always outweigh potential detection.  Now, I’ll caveat this by saying that each adversary and each operation will have a different risk model, so this won’t hold for EVERY operation, but it does for most.  So, yes, they will attack you via LinkedIn messages, Gmail, your organization’s email account, Facebook Messenger, etc.  They will sometimes be caught.  How do I know?  Because they’re caught all the time.

Assess the Situation

You alone will be able to assess the situation.  What is your business or role?  Will your life be in danger?  What information is possibly compromised?  Do you know if the adversary was successful or was it just an attempt?

Use all the intelligence you have about yourself and the adversary to understand the right actions to take.

Inform Your Community

Tell others!  Tell your community!  The adversary likely targeted not just you but many others within your community, enterprise/organization, or area of interest.  By informing others you empower them with situational awareness for them to learn from you and hopefully strengthen their own defense.

Note: Those who either victim-blame or otherwise talk down about people publicizing their attacks are working against community defense and helping the adversary by stigmatizing attacks.  Our community should actively call this out and STOP IT.

Myth 6: Telling others informs the adversary you know

Reality: First, you need to understand that the adversary is not scared of you, and their hubris likely keeps them from recognizing you as a capable actor.  If they find out you know, they will discuss that while laughing over a beer.  But probably nothing else will happen.  You will need to make a personal intelligence gain/loss decision here based on your own assessment.

However, DON’T USE A COMPROMISED COMMUNICATIONS CHANNEL TO DISCUSS THE ADVERSARY!  Use another channel.  This will likely reduce any risk.

Get Help & Defend Yourself

  1. If you don’t know what to do, or even if you think you do, get some help and advice.  Some places to turn are ProPublica and CitizenLab.
  2. Turn on two-factor authentication – ON EVERY ACCOUNT POSSIBLE.  Hardware-based two-factor (e.g., a YubiKey) is the best choice, but any is better than nothing.
  3. Reset passwords.  If possible, do this from a computer you don’t normally use.
  4. Set up an alternative notification method.  If possible, set up an alert for when an account receives a successful or unsuccessful login attempt.
  5. Check email accounts for any forwarding rules.  Some adversaries create forwarding rules once they gain access to an account in order to persist their access to its mail.
  6. Check account logs.  Some providers allow you to examine account access logs.  Don’t just look at the location but also the time and method of access.  This can give you an indication of whether the compromise was successful.
  7. Rebuild computers you use on a regular basis.  This includes phones.
  8. Increase your use of encrypted communications (PGP, Signal, etc.).
  9. Start encrypting your data at rest (when stored on a drive) to prevent value being extracted after exfiltration.

IMPORTANT: If you suspect successful compromise, don’t use the compromised machine.  Get help to investigate and remediate.  Unplug or turn off the machine.  Otherwise, just rebuild from a clean source.
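The forwarding-rule and access-log checks from steps 5 and 6, as an added example that is not code from the original post: it parses a constructed log export, flags access that is unusual by method, country or hour rather than by location alone, and lists any rule that forwards mail off the owner’s domain. The log and rule formats, the method and country values and the baseline of “normal” access are all assumptions; adapt them to whatever export your provider offers.

```python
from datetime import datetime
# Constructed sample of an account access log export: timestamp, method, country.
SAMPLE_LOG = """\
2019-03-01T08:02:11Z web US
2019-03-01T21:45:03Z mobile US
2019-03-02T03:17:40Z imap RU
2019-03-02T09:00:12Z web US
2019-03-03T04:02:55Z pop3 CN
"""
# Assumed baseline of what "normal" looks like for this account owner.
KNOWN_METHODS = {"web", "mobile"}
KNOWN_COUNTRIES = {"US"}
WAKING_HOURS = range(6, 23)  # hours (UTC here) when the owner is normally active

def parse_log(text):  # -> list of (datetime, method, country)
    events = []
    for line in text.splitlines():
        stamp, method, country = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), method, country))
    return events

def suspicious_logins(events):
    """Flag access that is unusual by method, country or hour, not location alone."""
    flagged = []
    for when, method, country in events:
        reasons = []
        if method not in KNOWN_METHODS:
            reasons.append(f"unusual method {method}")
        if country not in KNOWN_COUNTRIES:
            reasons.append(f"unusual country {country}")
        if when.hour not in WAKING_HOURS:
            reasons.append(f"off-hours ({when.hour:02d}:00)")
        if reasons:
            flagged.append((when.isoformat(), ", ".join(reasons)))
    return flagged

# Constructed sample of a mailbox rule export: name;action;target per line.
SAMPLE_RULES = """\
Receipts;move;Folder:Receipts
Archive;forward;attacker-placeholder@example.net
"""
def external_forwards(text, own_domain="example.com"):
    """Return rules that forward mail to an address outside the owner's domain."""
    hits = []
    for line in text.splitlines():
        name, action, target = line.split(";")
        if action == "forward" and not target.endswith("@" + own_domain):
            hits.append((name, target))
    return hits
```

A legitimate login from a new country will also be flagged, which is the point: every flagged line is something the account owner should be able to explain.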

Remain Vigilant

Once targeted, you will likely be targeted again by the adversary in the future.  Periodically repeat the defensive steps above and remember those below:

  • Be careful of those who request access to your social network, such as LinkedIn connect requests
  • It’s okay to be suspicious of items from colleagues or illustrious organizations and to ask for verification via another channel
  • Keep your applications and OS up to date with patches
  • Browse sites wisely
  • Rebuild regularly both phones and computers
  • Don’t enable macros

15 Knowledge Areas and Skills for Cyber Analysts and Operators


Here are some knowledge areas which I consider necessary to conduct effective intrusion analysis and operations. In future articles I will go into further details on how to improve your skills in each of these areas (and link them from here). The knowledge areas are not listed in any particular order.

Every organization’s mission, focus, and needs are different and therefore I don’t pretend to define the ‘perfect’ analyst for any mission.

Critical Thinking and Logic

I will be forthright and say that I consider this skill the most important above all others.  It is a gateway skill which allows an analyst to become proficient in many others.  It is also the skill upon which I rely for analysts to temper their judgments and make the best decision as to how to approach a problem.  Logic is complementary to critical thinking and the two cannot be separated.  Without a proper foundation in logic critical thinking is ineffective.

Critical Reading and Writing

Critical reading is being able to dissect the text of a document to extract the most important information and apply critical thinking skills to that information.  Effective/critical writing and documentation refers to writing correctly, logically, concisely, and effectively for your audience (which likely includes yourself).  Most importantly, write in an organized manner to help others use their critical thinking skills.


As I have said previously: “Study History.  It provides perspective.”  Works like The Cuckoo’s Egg are a great start; but branch into other areas: military history, biographies of famous leaders, studies of famous events.  Learn how others have been able to assess strategic situations, derive tactics, and evolve their strategy to a quickly changing situation.  All of these skills are useful in intrusion analysis and incident response.  Be able to step back from a situation and apply the lessons learned from others to your own.

Research Methods

In the cyber security domain we face more unknowns than knowns.  My favorite saying is “no analyst is an island,” meaning that there is nobody who knows it all and we need to rely on others and the greater community to help solve problems.  Therefore, a significant skill is the ability to conduct effective research on hard problems to find existing solutions – preventing, as the saying goes, “recreating the wheel.”  This skill, more than any other, will increase your effectiveness and efficiency.

This skill can and should be mixed with the other skills described – critical reading to get through research material quicker, critical thinking to see through the B.S. and FUD, and effective writing to document your findings so you can use them again in the future.

Analytic Approaches and Methods

When facing any problem, being able to identify and evaluate the various approaches to solving it is invaluable – some would say critical.  Being knowledgeable in as many analytic approaches as possible is invaluable, and being able to create new approaches on the fly is even more so.

Learn analytic methods from others.  Look for their mixture of logic, research, tool use, and lines of critical thinking and apply them yourself.

Network Protocol Map

Network Protocol Analysis

Know your network protocols.  More importantly, be able to research, analyze, and identify new or previously unknown protocols.  Don’t be afraid of packets.  Use your research methods and critical reading skills to dissect protocol definitions and RFCs.



A basic knowledge of, and ability to write, computer programs is very useful: it exercises logic skills, helps one better dissect cyber security activity, and allows one to create and/or modify tools quickly as necessary.


An understanding of the fundamental theorems of psychology is useful when attempting to determine the intent, context, and motivations of an adversary.  For example, knowing and being able to apply the fundamentals of Maslow’s Hierarchy of Needs or Operant Conditioning will go towards influencing your adversary through operations to achieve a positive outcome and better protect your network.

See Also: A Hacker’s Hierarchy of Operational Needs based on Maslow’s Theory of Human Motivation

Hacker Tools and Methodology

Obviously, a working knowledge of hacker tools and methodologies is a must.

Binary Reverse Engineering

IDA Pro Binary Reverse Engineering

All hackers use capabilities and tools to achieve their desired effects.  Most of these are binaries that either live on command-and-control nodes or are delivered to the target for operations.  Having a working knowledge of, and the ability to, reverse engineer a binary is necessary for conducting effective analysis.  Even if your organization has dedicated reverse engineers, having this knowledge so you can communicate effectively and ask intelligent questions of those engineers is just as important.

Host-Based Log File and Forensic Analysis

Understanding the internal workings of a host and operating system helps not only in investigations where host data is available but also as a learning tool to understand the adversary’s target environment.  This will further inform the analyst by providing greater context to the choices an adversary makes given the host environment.

This knowledge should be coupled with that of hacker tools and methodologies and network and host configuration and administration for full effect.

Network and Host Configuration and Administration

As I’ve said in another post, 5 Intrusion Analysis Ideas in 10 Minutes, I believe that cyber security professionals should be just as proficient in understanding how networks and hosts are administered and configured as in how those systems are attacked.

Signature Writing and Detection Tools

Figure: Snort rule header and an example Snort rule

Finding malicious activity on your network is important; being able to track that activity and detect when it returns is an imperative.  Therefore, analysts and operators should be proficient in their organization’s particular signature and detection tools and learn how to author the best signatures.

It is just as important to understand not only how a detection tool works but also its biases and limitations – so you know when there are potential false positives and false negatives.  This is one of my 20 Questions for an Intrusion Analyst.
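An added example, not from the original post, of what “biases and limitations” means in practice: a minimal content-signature matcher in the spirit of a Snort content rule, scored against a small constructed, labelled corpus so that a narrow rule’s false negative and a broad rule’s false positive are visible side by side. The rule dialect, the request lines and the beacon path are assumptions made for the example.

```python
# Constructed HTTP request lines labelled malicious (True) or benign (False);
# the beacon path and User-Agent values are made up for this example.
CORPUS = [
    ("GET /beacon.php?id=1 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n", True),
    ("GET /BEACON.PHP?id=7 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n", True),
    ("GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n", False),
    ("GET /blog/beacon-php-tutorial HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n", False),
]

def match(signature, payload):
    """Every 'content' string must appear in the payload; nocase folds case,
    mirroring the semantics of Snort's content and nocase options."""
    fold = str.lower if signature.get("nocase") else (lambda s: s)
    return all(fold(c) in fold(payload) for c in signature["content"])

def evaluate(signature, corpus):
    """Score a signature against labelled samples; return the confusion counts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for payload, malicious in corpus:
        if match(signature, payload):
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    return counts

# Narrow rule: exact-case path, so it misses the upper-cased variant (false negative).
NARROW = {"content": ["/beacon.php"], "nocase": False}
# Broad rule: case-insensitive but too short, so it also fires on the benign blog URL.
BROAD = {"content": ["beacon"], "nocase": True}
# Balanced rule: case-insensitive and anchored on two artifacts that occur together.
BALANCED = {"content": ["/beacon.php", "Mozilla/4.0"], "nocase": True}

def report(corpus):
    """Confusion counts for all three rules, so each rule's bias is visible."""
    return {name: evaluate(sig, corpus)
            for name, sig in (("narrow", NARROW), ("broad", BROAD), ("balanced", BALANCED))}
```

The same harness applied to a real tool’s rule syntax and a larger labelled capture is how you learn where your own signatures are blind.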

Incident Response Methodology

Incident response methodology is obviously a requirement for anybody who is part of the incident response team in their organization.  However, incident response should be well-known by every intrusion analyst.  This is simply because they will likely be generating documentation and analysis for the incident response team.  The better they understand the methodology, the better they can tailor their documentation and feedback to the needs of response and mitigation.




I am fond of saying, “there is no one tool to rule them all,” meaning no single tool will do everything you need.  While I think that too much time is spent by cyber security professionals in becoming proficient in a specific tool-set, I cannot underestimate the criticality of these tools to our profession.  However, I believe that over-reliance on our tools breeds ignorance of the data the tool is processing, and analysts become unwilling to challenge the output and blindly trust it.

Therefore, it is important to know how to operate and understand the tools that are best for your mission, be it OllyDbg or Wireshark.

Lastly, with a strong or competent programming background, as described previously, you are empowered to write your own tools or improve existing tools for the benefit of the community.