How to Respond to Incidents Quickly Despite Intentionally Confusing False Flags

September 4, 2020


Imagine this: You're investigating a security incident at your company when you come across a piece of information that helps you identify the perpetrator. Say, an IP address that geolocates to a specific country, a code snippet linked to a particular attack group, or a user agent that indicates the Russian Yandex web browser. That type of identifying information could be a false flag: deliberately planted details meant to distract or mislead investigators about where the attack came from.

At the very least, false flag information can sow just enough doubt to cause organizations to be uncertain about attribution. That might be all that's needed from an attacker's perspective, says Jake Williams, Co-Founder of Rendition Infosec. He explained how attackers use false flags during reconnaissance, delivery, exploitation, command and control, and other stages of the Cyber Kill Chain in a Black Hat webinar, How Attackers Confuse Investigators with Cyber False Flag Attacks.

You can download a PDF summary of the presentation here.

During the webinar, ExtraHop Principal Security Engineer Vince Stross demonstrated how Reveal(x) can help investigators piece together a fuller picture of attacker behavior during investigations. With more context about the attack, analysts can quickly assess the severity and measure the scope of an incident, even if attribution is muddied by false flags planted by the attackers.

Watch the webinar to see Jake Williams' presentation along with a demo of how Reveal(x) speeds up investigative workflows: How Attackers Confuse Investigators with Cyber False Flag Attacks

Also, if you haven't already, I recommend following Jake Williams' Twitter account (@MalwareJake) where he teaches cybersecurity concepts through internet memes. For each meme he posts, study the topic until you can laugh at the joke. You'll be a cybersecurity expert in no time!

Chase Snyder

Security Product Marketing Manager

As a Sr. Product Marketing Manager at ExtraHop, Chase strives to extract the signal from the noise in the cybersecurity market, to provide security leaders and practitioners with information they can actually use to stay ahead of advanced persistent threats. Chase would never claim to be an expert at anything, but some topics he has above-average knowledge about include network detection and response, security operations, cryptography, and a grab bag of cybersecurity frameworks including NIST CSF, MITRE ATT&CK and D3FEND, and the CIS Top 20 controls.
