Defense strategies to counter escalating hybrid attacks
In this Help Net Security interview, Tomer Shloman, Sr. Security Researcher at Trellix, talks about attack attribution, outlines solutions for recognizing hybrid threats, and offers advice on how organizations can protect themselves against hybrid attacks.
What are the most promising technologies or methodologies for distinguishing between false flags and authentic attribution markers in cyberattacks? Can behavioral analysis contribute to identifying an attacker’s motives when both nation-states and cybercriminals use overlapping tactics?
Distinguishing false flags from authentic attribution markers requires a combination of advanced methodologies. Behavioral analysis is particularly effective in this context, as it focuses on the operational habits and strategic objectives of threat actors.
Nation-states, for example, often exhibit meticulous planning and long-term objectives, while cybercriminals tend to pursue immediate financial gains. This distinction becomes evident when analyzing their attack patterns, target selection, and infrastructure use.
Additionally, employing machine learning models trained on historical attack data can uncover subtle inconsistencies in TTPs.
Forensic analysis of artifacts, infrastructure correlation, and even geopolitical intelligence play a significant role in understanding the increasing sophistication of attackers deliberately blending tactics to obscure their origins.
What role do linguistic and cultural nuances in malware or attack behavior play in identifying the geographic origin of attackers? How reliable is this method? How can the challenges that arise when using shared infrastructure to trace the origins of an attack be overcome?
Linguistic and cultural nuances embedded in malware, such as language settings in code comments, time zones in metadata, or the specific use of regional idioms, can provide valuable clues about an attacker’s geographic origin.
However, these markers are increasingly exploited in false flag operations, making them less reliable in isolation. For example, using Cyrillic text or East Asian language settings might be a deliberate ploy to shift attribution.
When attackers use shared infrastructure, attribution becomes even more challenging.
Addressing this requires a holistic approach, including infrastructure clustering, historical use analysis, and identifying overlapping campaigns linked to known threat actors. Cross-referencing this data with geopolitical and contextual intelligence often provides a clearer picture, even when shared infrastructure clouds the trail.
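The infrastructure clustering and historical-use analysis mentioned above, as an added example that is not part of the interview: campaigns are linked only through discriminating indicators (not known shared hosting, and not seen in so many campaigns that co-occurrence is meaningless), and two campaigns join a cluster only when they share more than one such indicator. The campaign names, actor labels, indicators (documentation-range IPs, reserved .example domains, fake certificate fingerprints) and the shared-hosting list are all constructed for illustration.

```python
"""Infrastructure clustering across campaigns (added example, constructed data).

Campaigns are linked only through *discriminating* indicators: those that are
not known shared hosting and that appear in few campaigns.  A link needs at
least `min_shared` such indicators, so one coincidental overlap does not merge
two clusters.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

# Constructed sample data.  IPs are from documentation ranges and domains use the
# reserved .example TLD; campaign and actor names are hypothetical.
# Indicators carry a type prefix so an IP string and a domain string never collide.
CAMPAIGNS: Dict[str, Set[str]] = {
    "actorA-2022-espionage": {"ip:203.0.113.10", "domain:update-svc.example", "cert:1111aaaa"},
    "actorA-2023-espionage": {"ip:203.0.113.11", "domain:update-svc.example", "cert:1111aaaa", "cert:2222bbbb"},
    "actorB-2023-ransomware": {"ip:198.51.100.7", "domain:pay-portal.example", "cert:3333cccc"},
    "unknown-2024-hybrid": {"ip:203.0.113.11", "ip:198.51.100.7", "domain:files-sync.example", "cert:2222bbbb"},
    "unrelated-2024-phish": {"ip:198.51.100.7", "domain:login-alert.example"},
}

# Constructed: indicators known to be shared hosting / CDN / sinkhole space.
# Co-occurrence on these says nothing about a common operator.
SHARED_INFRA: Set[str] = {"ip:198.51.100.7"}


def discriminating_indicators(campaigns, shared_infra, max_campaigns=3):
    """Map each usable indicator to the campaigns it appears in.

    An indicator is dropped if it is known shared infrastructure or if it shows
    up in more than max_campaigns campaigns (historical-use check: something
    everyone touches is hosting noise, not an operator fingerprint).
    """
    seen = defaultdict(set)
    for name, iocs in campaigns.items():
        for ioc in iocs:
            seen[ioc].add(name)
    return {ioc: names for ioc, names in seen.items()
            if ioc not in shared_infra and len(names) <= max_campaigns}


def shared_discriminating(campaigns, shared_infra, a, b, max_campaigns=3):
    """Indicators that still tie campaign a to campaign b after filtering."""
    disc = discriminating_indicators(campaigns, shared_infra, max_campaigns)
    return {ioc for ioc, names in disc.items() if a in names and b in names}


def cluster_campaigns(campaigns, shared_infra, min_shared=2, max_campaigns=3) -> List[FrozenSet[str]]:
    """Union-find over campaigns; two campaigns join a cluster when they share
    at least min_shared discriminating indicators."""
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    pair_counts = defaultdict(int)
    for names in discriminating_indicators(campaigns, shared_infra, max_campaigns).values():
        ordered = sorted(names)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                pair_counts[(a, b)] += 1

    for (a, b), n in pair_counts.items():
        if n >= min_shared:
            ra, rb = find(a), find(b)
            if ra != rb:
                parent[rb] = ra

    clusters = defaultdict(set)
    for name in campaigns:
        clusters[find(name)].add(name)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(campaigns, shared_infra, name, min_shared=2, max_campaigns=3) -> Set[str]:
    """Return the cluster containing `name` (used to place an unattributed campaign)."""
    for c in cluster_campaigns(campaigns, shared_infra, min_shared, max_campaigns):
        if name in c:
            return set(c)
    return {name}


if __name__ == "__main__":
    target = "unknown-2024-hybrid"
    print("with shared-infra filtering:", sorted(cluster_of(CAMPAIGNS, SHARED_INFRA, target)))
    print("tied via:", sorted(shared_discriminating(CAMPAIGNS, SHARED_INFRA, target, "actorA-2023-espionage")))
    # Same data with no filter and single-indicator links: one undifferentiated blob.
    print("naive clustering:", sorted(cluster_of(CAMPAIGNS, set(), target, min_shared=1)))
```

With the filter on, the unattributed 2024 campaign lands in the actorA cluster (shared C2 IP and reused TLS certificate), while its use of the shared host 198.51.100.7 does not pull in the unrelated ransomware and phishing campaigns. Run naively (no shared-infra list, any single overlap links), the same data collapses into one cluster, which is exactly how shared infrastructure clouds the trail.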
Can you discuss the role of threat actor profiling in identifying hybrid operations that blend espionage and financial motives?
Threat actor profiling plays a pivotal role in uncovering hybrid operations by going beyond surface-level indicators and examining deeper contextual elements.
Profiling involves a thorough analysis of the actor’s history, their strategic objectives, and their operational behaviors across campaigns.
For example, understanding the geopolitical implications of a ransomware attack targeting a defense contractor can reveal espionage motives cloaked in financial crime.
Profiling allows researchers to differentiate between purely financial motivations and state-sponsored objectives masked as criminal operations.
Hybrid actors often leave “behavioral fingerprints” – unique combinations of techniques and infrastructure reuse – that, when analyzed within the context of their history, can expose their true intentions.
Do you know of instances where advanced forensics or machine learning successfully identified a threat actor, even when attribution appeared impossible at first?
Yes, there are several notable cases where advanced forensic techniques were crucial in identifying threat actors. For example, in the SolarWinds campaign, memory analysis and reverse engineering of the SUNBURST backdoor exposed unique code traits and deployment methods that ultimately connected the operation to a nation-state actor.
These forensic efforts revealed how the attackers avoided detection and exploited trusted software supply chains, demonstrating the value of deep technical investigation in attribution.
Machine learning could also be instrumental in ransomware investigations, linking seemingly unrelated campaigns to specific APT groups based on infrastructure overlaps and unique deployment methods.
While Trellix leverages AI extensively to support detection and correlation efforts, these cases highlight that human-driven forensic work remains a cornerstone of successful attribution, particularly in uncovering the nuanced links between actors and operations.
What lessons can we learn from high-profile attribution successes or failures in recent years?
The primary lesson is that attribution is a process, not a moment!
In 2024, the UK Electoral Commission experienced a significant data breach, compromising the personal information of approximately 40 million voters. Initially, the attack’s origin was unclear, with limited indicators pointing to potential perpetrators. Through meticulous forensic investigation, including analysis of malware signatures, network traffic, and infrastructure patterns, cybersecurity experts identified the involvement of a Chinese state-sponsored group, APT40. This attribution was later supported by coordinated sanctions from the UK and the United States against entities linked to the Chinese Ministry of State Security.
Conversely, premature or speculative attribution can harm credibility and hinder effective response. The key takeaway is that successful attribution requires patience, collaboration across the cybersecurity community, and an evidence-based approach that avoids over-reliance on any single data point.
With the increasing convergence between nation-state actors and organized cybercriminals, what strategies can organizations use to differentiate between these threats in real time?
Organizations need to focus on contextual awareness, and real-time behavioral analysis can provide critical insights.
For example, while nation-state actors often target critical infrastructure or sectors with geopolitical relevance, cybercriminals typically focus on maximizing financial gain with broader targeting.
Threat intelligence feeds enriched with historical data can help correlate real-time events with known threat actor profiles. Additionally, implementing deception techniques, such as industry-specific honeypots, can reveal operational objectives and distinguish between actors based on their response to decoys.
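One way to correlate an observed intrusion with known threat actor profiles, and to surface the "behavioral fingerprints" of a hybrid operation discussed earlier, as an added example that is not part of the interview: each profile is a motive plus the ATT&CK technique IDs the actor habitually uses, techniques are weighted so that near-universal ones (spearphishing, PowerShell) count for little, and an intrusion that clears the threshold for both an espionage profile and a financial profile is flagged as hybrid. The actors, their profiles, the two observed technique sets and the threshold are constructed for illustration; only the ATT&CK IDs are real. As the earlier answer on false flags notes, TTP overlap is one data point and is not attribution on its own.

```python
"""Behavioral fingerprint matching over ATT&CK technique sets (added example, constructed data)."""
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed actor profiles: hypothetical actors, real ATT&CK technique IDs.
# Each profile records the actor's motive and the techniques it habitually uses.
PROFILES: Dict[str, Tuple[str, Set[str]]] = {
    "ActorA": ("espionage", {"T1566.001", "T1059.001", "T1003.001", "T1005", "T1560", "T1567.002", "T1071.001"}),
    "ActorB": ("financial", {"T1566.001", "T1059.001", "T1021.002", "T1486", "T1490", "T1078"}),
    "ActorC": ("espionage", {"T1195.002", "T1071.001", "T1055", "T1005", "T1048"}),
}

# Constructed observations from two intrusions: one collects and exfiltrates
# data and then encrypts (a hybrid pattern); the other is plain ransomware.
OBSERVED_HYBRID: Set[str] = {"T1566.001", "T1059.001", "T1003.001", "T1005", "T1560", "T1567.002", "T1486", "T1490"}
OBSERVED_RANSOMWARE: Set[str] = {"T1566.001", "T1059.001", "T1021.002", "T1486", "T1490"}


def technique_weights(profiles) -> Dict[str, float]:
    """IDF-style weight: a technique used by many tracked actors says little
    about who is behind an intrusion; a technique used by one actor says a lot."""
    n = len(profiles)
    df = defaultdict(int)
    for _, techs in profiles.values():
        for t in techs:
            df[t] += 1
    return {t: math.log(1 + n / c) for t, c in df.items()}


def weighted_jaccard(observed, profile_techs, weights, unseen_weight) -> float:
    """Weighted overlap between what was observed and what the profile predicts."""
    w = lambda t: weights.get(t, unseen_weight)
    inter = sum(w(t) for t in observed & profile_techs)
    union = sum(w(t) for t in observed | profile_techs)
    return inter / union if union else 0.0


def score_profiles(observed, profiles) -> List[Tuple[str, str, float]]:
    """(actor, motive, score) for every profile, best match first."""
    weights = technique_weights(profiles)
    unseen = math.log(1 + len(profiles))  # treat a never-profiled technique as rare
    rows = [(actor, motive, weighted_jaccard(observed, techs, weights, unseen))
            for actor, (motive, techs) in profiles.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def classify(observed, profiles, threshold=0.3):
    """Best-matching actor per motive; 'hybrid' when more than one motive
    clears the threshold, the actor's single motive otherwise."""
    best: Dict[str, Tuple[str, float]] = {}
    for actor, motive, s in score_profiles(observed, profiles):
        if s > best.get(motive, ("", -1.0))[1]:
            best[motive] = (actor, s)
    motives = sorted(m for m, (_, s) in best.items() if s >= threshold)
    if len(motives) > 1:
        return "hybrid", best
    if len(motives) == 1:
        return motives[0], best
    return "unknown", best


if __name__ == "__main__":
    for label, obs in (("hybrid intrusion", OBSERVED_HYBRID), ("ransomware intrusion", OBSERVED_RANSOMWARE)):
        verdict, best = classify(obs, PROFILES)
        print(f"{label}: {verdict}")
        for motive, (actor, s) in sorted(best.items()):
            print(f"  {motive:<10} best={actor} score={s:.2f}")
```

For the hybrid observation the espionage profile ActorA scores about 0.65 and the financial profile ActorB about 0.37, so both motives clear the threshold and the verdict is "hybrid"; the plain ransomware set matches ActorB at about 0.81 and nothing else, so it is classed as "financial". The threshold and the IDF weighting are the tuning knobs: too low and every phishing-plus-PowerShell intrusion looks like everyone, too high and genuine blends are missed.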
How should organizations adjust their defense strategies to account for the escalation of hybrid attacks?
Organizations must adapt by adopting a defense-in-depth strategy that combines proactive threat hunting, continuous monitoring, and incident response preparedness.
Zero-trust architecture should be a foundational element of any defense strategy, ensuring strict verification of all access requests. Furthermore, investing in advanced detection capabilities, such as anomaly-based monitoring and AI-driven analytics, enables early detection of hybrid campaigns.
Lastly, organizations must focus on resilience. This includes robust backup strategies, tested recovery plans, and employee training to recognize social engineering tactics often employed in hybrid operations.