Q&A
Unmasking the Adversary
Cybersecurity expert Hasain Alshakarti reveals how deep-dive threat actor analysis -- not just log reviews -- can transform incident response and stop breaches before they escalate.
When it comes to incident response, understanding an adversary's complete footprint is vital. Yet, too often, organizations rely solely on logs and fragmented data. In an upcoming Cybersecurity & Ransomware Live! session titled "Tales from Incident Response: Unmasking the Threat Actor's Inner Sanctum," cybersecurity expert Hasain Alshakarti challenges that approach.
His advanced-level session shifts the focus from post-breach cleanup to comprehensive threat actor analysis. Drawing from more than two decades of experience, Alshakarti -- a Principal Cybersecurity Advisor at Truesec and one of Sweden's most respected security minds -- will share how to gain complete visibility into a threat actor's timeline, shedding light on the hidden stages of an attack.
Ahead of the event, Redmondmag spoke with Alshakarti about what attendees can expect and why this approach to incident response is game-changing.
Redmondmag: Your session promises a unique perspective -- rather than just analyzing logs, it focuses on observing a threat actor's entire timeline. Can you give us a glimpse into how this approach changes the game in incident response?
Alshakarti: Proper monitoring of the IT environment gives us the ability to revisit machines used by the threat actor to understand the full chain of activities performed. Sophisticated attacks might be difficult to discover but should be easy to uncover once anomalies are discovered.
Access brokers play a crucial role in the cybercrime ecosystem. Can you explain their operations and how organizations can detect and disrupt their activities?
Access brokers' goal is to establish steady access to an organization. This can be done using multiple attack vectors ranging from credential compromise to usage of zero-days to breach services. Access is then forwarded to other specialized groups to perform specific parts of an attack or carry out a complete scenario such as ransomware.
What are some of the most common mistakes organizations make when responding to a breach, and how can they be avoided?
Not performing a proper forensic investigation. No removal of TA tooling and persistence, and no reverting of changes performed by the TA. Focus on recovery leads to destruction of important forensic artifacts. The inability to restrict network traffic and access to and from breached systems and parts of the environment.
What proactive steps should organizations take to ensure they're not just reacting to threats, but anticipating them?
Understand what assets they have and map the dependencies. Make sure to properly monitor and perform protective measures. Establish emergency measures and mandate to perform these measures in case of urgent events. Establish monitoring, detection and response capabilities.
As AI and automation become more integrated into cybersecurity, how do you see them influencing incident response strategies in the coming years?
AI helps increase efficiency and bandwidth. AI should also help perform more dynamic analysis to discover anomalies based on specific behavior of systems and users rather than just relying on generic TTPs.
The cybersecurity skills gap is a growing concern. Based on your experience, what are the most critical skills for aspiring incident responders to develop?
Understand how complex systems work and how to perform investigations and response activities at scale. Follow and understand trends in attacks and keep good command of the different building blocks in complex attacks.
With attackers increasingly relying on access brokers and modular attack strategies, it's no longer enough to respond to threats after the fact. Alshakarti's session will equip attendees with the knowledge to detect and dismantle attacker infrastructure before it matures into a full-blown breach.
Make plans to attend Alshakarti's session during the upcoming virtual Cybersecurity & Ransomware Live! event, taking place May 13-15. Register by March 28 to save $300!