Active Response

Always A Bad Day For Adversaries


State-Associated Hackers Target Me – Here’s What To Do When They Come After You

You were just told state-associated hackers attacked your account.  Congratulations!  You’ve joined a select club and your work has received recognition.  But, probably not of the variety for which you were hoping.  According to Google, less than 0.1% of accounts unlock this achievement.  But, what do you do now?!!!

I’ve attracted the same attention over my career studying and countering targeted threats, along with my work at the Global Emancipation Network disrupting human trafficking on the internet, which simultaneously pisses off international organized criminal groups.  I’ve also notified and counseled countless victims of state-associated activity.

I’ll tell you what I’ve done in this situation.  Hopefully you can apply some of the lessons in your own situation.  However, this isn’t going to work for everyone; each of you will need to take your own mission and specific situation into account.  Further, I will try to dispel some of the myths and FUD which surround the detection of state-associated attacks.

Don’t Panic

I can’t overstate this – DON’T PANIC.  You must get over your initial feelings of unease, disgust, anger, and possible fear.  Panic makes for bad decision-making, and that’s exactly what NOT to do in this situation.  Here is what you need to understand to help you make good decisions…

Myth 1: There is nothing you can do and you’re on a kill list

Reality: While there have been cases of activists targeted through their digital accounts which likely led to their death, this is extremely rare.  And, you will already know if this is a likelihood in your specific case.  Usually, they’re just interested in the following three elements:

  • Intelligence about you and your business dealings
  • Access to your contacts (to know them and further use your account to compromise them)
  • Access to your organization(s) (to use your access to compromise enterprises)

You are not without recourse and effective defense.  Those who claim that state-associated adversaries will always win are wrong.  Yes, they pose a difficult problem, but any hyperbole beyond that is incorrect.

Myth 2: If they wanted access to your account(s) and computers, they’d already have them.

Reality: Huh?  That makes no logical sense.  If they already had access, how did they get that access in the first place?  This is just defeatism and has no grounding in reality.  The truth is that adversaries attack not just once but MANY times.  It’s likely that if you’re a target you will remain a target.  Further, it’s likely that you are a target for more than one adversary.  Also, let’s say you were previously compromised.  The adversary may have lost their access (due to either action/inaction on their part or yours) and needs to regain access.  So, DON’T YOU DARE GIVE UP NOW.  You have been given a new opportunity to defend yourself.  TAKE IT.

Myth 3: You were specifically targeted

Reality: Yes – you made it onto a list.  But, you are probably one of THOUSANDS targeted in a single campaign.  Probably one of TENS of THOUSANDS targeted by that adversary this year.  It’s very likely that if the adversary doesn’t succeed you will remain on their target list for a long time and receive many attacks over time.  You will now need to remain constantly vigilant.  But, it remains that you were probably not singled out.

Myth 4: You should have already taken action

Reality: Yes, taking defensive action before an attack is worth much more than action taken afterwards.  However, that assumes a world that doesn’t exist.  None of us, not even the greatest security researcher in the world, takes perfect precautions.  And even assuming they were successful, it doesn’t mean we give up and cede the battlefield – we fight back!  We retake what is ours.

Myth 5: State hackers can’t be detected and never attack where they will be detected

Reality: Hackers are driven by the motivation to succeed in their mission.  If they don’t succeed they don’t get paid, don’t get promoted, maybe see a firing squad.  They will ultimately attack a victim via whatever method will work.  Effectiveness will almost always outweigh the risk of detection.  Now, I’ll caveat this by saying that each adversary and each operation carries a different risk model, so this won’t hold for EVERY operation, but it does for most.  So, yes, they will attack you via LinkedIn messages, Gmail, your organization’s email account, Facebook Messenger, etc.  They will sometimes be caught.  How do I know?  Because they’re caught all the time.

Assess the Situation

You alone will be able to assess the situation.  What is your business or role?  Will your life be in danger?  What information is possibly compromised?  Do you know if the adversary was successful or was it just an attempt?

Use all the intelligence you have about yourself and the adversary to understand the right actions to take.

Inform Your Community

Tell others!  Tell your community!  The adversary likely targeted not just you but many others within your community, enterprise/organization, or area of interest.  By informing others you empower them with situational awareness for them to learn from you and hopefully strengthen their own defense.

Note: Those who either victim-blame or otherwise talk down those who publicize their attacks are working against community defense and helping the adversary by stigmatizing attacks.  Our community should actively call this out and STOP IT.

Myth 6: Telling others informs the adversary you know

Reality: First, you need to understand that the adversary is not scared of you, and their hubris likely keeps them from recognizing you as a capable actor.  If they find out you know, they will discuss it while laughing over a beer.  But probably nothing else will happen.  You will need to make a personal intelligence gain/loss decision here based on your own assessment.

However, DON’T USE A COMPROMISED COMMUNICATIONS CHANNEL TO DISCUSS THE ADVERSARY!  Use another channel.  This will likely reduce any risk.

Get Help & Defend Yourself

  1. If you don’t know what to do, or even if you think you do, get some help and advice.  Some places to turn are ProPublica and Citizen Lab.
  2. Turn on two-factor authentication – ON EVERY ACCOUNT POSSIBLE.  Hardware-based two-factor (e.g., a YubiKey) is the best choice, but any is better than nothing.
  3. Reset passwords.  If possible, do it from a computer you don’t normally use.
  4. Set an alternative notification method.  If possible, set up an alert for whenever an account receives a successful or unsuccessful login attempt.
  5. Check email accounts for any forwarding rules.  Some adversaries create forwarding rules once they gain access to the account in order to persist their access.
  6. Check account logs.  Some providers allow you to examine account access logs.  Don’t just look at the location but also the time and method of access.  This can give you an indication of whether the compromise was successful.
  7. Rebuild the computers you use on a regular basis.  This includes phones.
  8. Increase your use of encrypted communications (PGP, Signal, etc.).
  9. Start encrypting your data at rest (when stored on a drive) to prevent value being extracted after exfiltration.

IMPORTANT: If you suspect successful compromise, don’t use the compromised machine.  Get help to investigate and remediate.  Unplug or turn off the machine.  Otherwise, just rebuild from a clean source.
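Steps 5 and 6 above (forwarding rules, and access logs read for time and method as well as location) are the ones most people skip, so here is a worked triage script for them.  It is an added example, not code from this post; the log and settings formats, the IP addresses, the forwarding target and the date of the notice are all constructed for the example, and a real provider’s export will use different field names that you would map onto these first.

```python
"""Triage an account-activity export and mailbox rules after a targeting notice.

Added example (not from the Active Response post).  The CSV log and the
settings dict below are constructed formats; map your provider's export onto
them before use.
"""
from datetime import datetime, timezone

# Constructed sample export.  Fields: timestamp (UTC), source IP, country,
# access method, result.  The last three lines are the suspicious ones.
SAMPLE_LOG = """\
2019-03-01T09:12:00Z,203.0.113.5,US,Browser,success
2019-03-01T13:40:00Z,203.0.113.5,US,Browser,success
2019-03-02T08:55:00Z,203.0.113.5,US,Browser,success
2019-03-02T18:20:00Z,203.0.113.7,US,Mobile,success
2019-03-03T03:14:00Z,198.51.100.23,XX,IMAP,failure
2019-03-03T03:15:00Z,198.51.100.23,XX,IMAP,failure
2019-03-03T03:16:00Z,198.51.100.23,XX,IMAP,success
"""

# Constructed sample of exported mailbox settings; the forwarding target is a
# placeholder for an address you do not recognise.
SAMPLE_SETTINGS = {
    "forwarding": ["collector@attacker.invalid"],
    "filters": [
        {"match": "from:bank",
         "actions": ["forward:collector@attacker.invalid", "delete"]},
        {"match": "subject:newsletter", "actions": ["label:news"]},
    ],
}

# Addresses you own and would legitimately forward to (constructed).
OWN_ADDRESSES = {"me@example.org", "me@example.com"}

# Day of the targeting notice (constructed); the baseline stops here.
NOTICE_DAY = datetime(2019, 3, 3, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the CSV-style export into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, country, method, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "ip": ip, "country": country,
                       "method": method, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def baseline(events, before):
    """Countries and access methods seen in your own successful logins before
    the cutoff, so the baseline reflects your habits and not the adversary's."""
    ok = [e for e in events if e["result"] == "success" and e["ts"] < before]
    return {"countries": {e["country"] for e in ok},
            "methods": {e["method"] for e in ok}}


def flag_events(events, base, usual_hours=(7, 22)):
    """(event, reasons) for every event that deviates from the baseline in
    location, access method or time of day."""
    findings = []
    for e in events:
        reasons = []
        if e["country"] not in base["countries"]:
            reasons.append("country %s never seen before" % e["country"])
        if e["method"] not in base["methods"]:
            reasons.append("access method %s never seen before" % e["method"])
        if not (usual_hours[0] <= e["ts"].hour < usual_hours[1]):
            reasons.append("outside usual hours (%02d:00 UTC)" % e["ts"].hour)
        if reasons:
            findings.append((e, reasons))
    return findings


def successes_after_failures(events):
    """Successful logins from an IP that had just failed: the clearest sign in
    a log that an attempt eventually worked."""
    hits, failed_ips = [], set()
    for e in events:
        if e["result"] == "failure":
            failed_ips.add(e["ip"])
        elif e["result"] == "success" and e["ip"] in failed_ips:
            hits.append(e)
            failed_ips.discard(e["ip"])
    return hits


def audit_forwarding(settings, own_addresses):
    """Every forwarding rule or filter that sends mail somewhere you don't control."""
    problems = []
    for target in settings.get("forwarding", []):
        if target not in own_addresses:
            problems.append("account-wide forwarding to %s" % target)
    for rule in settings.get("filters", []):
        for action in rule.get("actions", []):
            target = action[len("forward:"):]
            if action.startswith("forward:") and target not in own_addresses:
                problems.append("filter %r forwards to %s" % (rule["match"], target))
    return problems


def triage(log_text=SAMPLE_LOG, settings=SAMPLE_SETTINGS, own=OWN_ADDRESSES):
    """Run all three checks and return a report dict."""
    events = parse_log(log_text)
    return {"anomalous": flag_events(events, baseline(events, NOTICE_DAY)),
            "likely_compromise": successes_after_failures(events),
            "rogue_forwarding": audit_forwarding(settings, own)}


if __name__ == "__main__":
    report = triage()
    for e, reasons in report["anomalous"]:
        print(e["ts"].isoformat(), e["ip"], e["method"], e["result"], "->", "; ".join(reasons))
    for e in report["likely_compromise"]:
        print("SUCCESS AFTER FAILURES:", e["ts"].isoformat(), e["ip"])
    for p in report["rogue_forwarding"]:
        print("FORWARDING:", p)
```

On the constructed sample, the three IMAP events are flagged on all three criteria (new country, new method, 03:00 UTC), the final one is additionally reported as a success following failures from the same IP, and both the account-wide forwarder and the filter that forwards-then-deletes bank mail are listed.  The design point is the baseline cutoff: compute what “normal” looks like from logins before the notice, because anything the adversary did afterwards would otherwise teach the script that their country and method are yours.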

Remain Vigilant

Once targeted, the adversary will likely target you again in the future.  Periodically conduct the defensive steps above and remember those below:

  • Be careful of those who request access to your social network, such as LinkedIn connect requests
  • It’s okay to suspect items from colleagues or illustrious organizations and ask for verification via another channel
  • Keep your applications and OS up to date with patches
  • Browse sites wisely
  • Rebuild regularly both phones and computers
  • Don’t enable macros

Threat Intelligence Definition: What is Old is New Again

Michael Cloppert, whom I hold in great esteem and friendship, argues for a new and unconventional definition of “cyber threat intelligence.”  His post is excellent and well-done.  His argument is simple: that the existing definitions of intelligence and cyber threat intelligence are lacking based on his professional experience of the domain and fail to capture its unique elements.   He offers several definitions:

Cyber threat operations as actions taken in cyberspace to compromise and defend protected information and capabilities available in that domain

Cyber Threat Intelligence Analysis as the analysis of those actions and the actors, tools, and techniques behind them so as to support Operations

I define the Cyber Threat Intelligence domain as the union of Cyber Threat Intelligence Operations and Analysis.

Michael Cloppert, Defining Cyber Threat Intelligence (2016)

I agree with his assessment that existing cyber threat intelligence definitions lack accuracy.  But, Mike’s definitions are too constrained by operations and lack inclusion of the key element of intelligence in any discipline: that intelligence serves to inform decision-making (whether that decision-making is of the technical/tactical nature such as in firewalls, or strategic at the executive level).  Intelligence doesn’t serve operations, intelligence serves decision-making which in turn drives operations to achieve policy outcomes.

Mike references some key CIA thought-pieces on their definitions of intelligence, namely by Martin T. Bimfort in A Definition of Intelligence. Mike is correct that taken at face value, Bimfort’s definition is too constrained with concern about national security to be of much value to cyber threat intelligence.

Intelligence is the collecting and processing of that information about foreign countries and their agents which is needed by a government for its foreign policy and for national security, the conduct of non-attributable activities abroad to facilitate the implementation of foreign policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure.

Martin T. Bimfort’s definition of intelligence in A Definition of Intelligence

However, instead of taking Bimfort’s definition at face value, let’s instead look at its essence by removing the domain-specific (state-only) language.  By doing so, I arrive at the following revised definition:

Intelligence is the collecting and processing of that information about threats and their agents which is needed by an organization for its policy and for security, the conduct of non-attributable activities outside the organization’s boundaries to facilitate the implementation of policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure.

This definition fits well what we do in cyber threat intelligence: we uncover the hidden threats to an organization (be it a company or country) to protect them against threats both attributable and non-attributable to enable their policy (which for a private company is to return value to shareholders), protect their operations, and prevent disclosure of secrets.

I propose that cyber threat intelligence is nothing more than the application of intelligence principles and tradecraft to information security.  Its outcome is nothing different from traditional intelligence: to inform and empower decision-making at all levels with knowledge of threats.  We don’t require a radical new definition of cyber threat intelligence, because the traditional definitions of intelligence are applicable by simply broadening them outside of their state-only constraint.

EDIT: Robert M. Lee blogged in response – “Intelligence Defined and its Impact on Cyber Threat Intelligence”.  He came to the conclusion that the definition is, “the process and product resulting from the interpretation of raw data into information that meets a requirement as it relates to the adversaries that have the intent, opportunity and capability to do harm.”

How I Work To Music and 15 Songs I Work With

I love to work to music.  I almost don’t even care to what genre or song I’m listening.  Of course, music is a highly personal choice.

While sometimes I listen to Pandora or another Internet radio station for variety, I also have a selection of my favorite albums at hand which I pick out like tools depending on my mood and my current task.

Here are three of my most common tasks and 5 songs that I associate with that task.

Jack Johnson – I wrote almost my entire thesis to his early albums in a coffee shop.

Weezer – Their entire Blue and Green albums have led me through over 150,000 lines of code successfully.

[Honorable Mention]
