2024 Global Cyber Confidence Index

Arrow pointing right
ExtraHop Logo
  • Productschevron right
  • Solutionschevron right
  • Why ExtraHopchevron right
  • Blogchevron right
  • Resourceschevron right

Arrow pointing leftBlog

How to Respond to Incidents Quickly Despite Intentionally Confusing False Flags

Chase Snyder

September 4, 2020

Imagine this: You're investigating a security incident at your company when you come across a piece of information that helps you identify the perpetrator. Say, an IP address that comes from a specific country, a code snippet linked to a particular attack group, or a user agent that indicates the Russian Yandex web browser. That type of identifying information could be false flags—deliberately planted details meant to distract or mislead investigators about where the attack came from.

At the very least, false flag information can sow just enough doubt to cause organizations to be uncertain about attribution. That might be all that's needed from an attacker's perspective, says Jake Williams, Co-Founder of Rendition Infosec. He explained how attackers use false flags during reconnaissance, delivery, exploitation, command and control, and other stages of the Cyber Kill Chain in a Black Hat webinar, How Attackers Confuse Investigators with Cyber False Flag Attacks.

You can download a PDF summary of the presentation here.

During the webinar, ExtraHop Principal Security Engineer Vince Stross demonstrated how Reveal(x) can help investigators piece together a more full picture of attacker behavior during investigations. With more context about the attack, analysts can quickly assess the severity and measure the scope of an incident, even if the attribution is muddied by false-flags planted by the attackers.

Watch the webinar to see Jake Williams' presentation and also a demo of how Reveal(x) speeds investigative workflows. Watch the webinar now: How Attackers Confuse Investigators with Cyber False Flag Attacks

Also, if you haven't already, I recommend following Jake Williams' Twitter account (@MalwareJake) where he teaches cybersecurity concepts through internet memes. For each meme he posts, study the topic until you can laugh at the joke. You'll be a cybersecurity expert in no time!

Explore related articles

Experience RevealX NDR for Yourself

Schedule a demo