Home / Blogs

How to Track Online Malevolent Identities in the Act

Jonathan Zhang

Want to be a cybersleuth and track down hackers?

It may sound ambitious considering that malevolent entities are extremely clever, and tracing them requires certain skills that may not be easy to build for the typical computer user.

But then again, the best defense is offense. And learning the basics of sniffing out cybercriminals may not only be necessary nowadays, it has become essential for survival on the Web. So where can you begin?

Place Honeypots

Hackers take great care to cover their tracks. So, it's important to catch them with their hand in the cookie jar. You can do so by setting up a bait — called a honeypot — to lure them out. It can take the form of a spammable domain or an easily hackable virtual machine which can appear as legitimate targets.

Once attacked, honeypots help you observe what intruders do to the system, know the tricks that they employ to infect devices, and subsequently find ways to counter them. Such forensic evidence enables law enforcers to track unsolicited access and then locate and catch perpetrators.

Reverse-Engineering Malware

Let's say that despite all the precautions, malware still succeeded in infiltrating your company's system. Instead of losing sleep, you can use the infection to understand how the malicious program operates and what it's been engineered to do, such as what vulnerabilities it's been designed to exploit.

This process is called reverse engineering. It involves disassembling the program to be able to analyze and retrieve valuable information on how it is used or when it was created. It is extremely helpful in finding substantial evidence such as encryption keys or other digital footprints that can lead investigators to the cybercriminals.

Leverage WHOIS Information

When a complaint is received over a dangerous website, the first step in the investigation is to identify the operator of the suspect domain.

This can be done by querying the domain name registry where the site has been registered. A whois database download service, for example, enables users to retrieve the WHOIS data that contains the name, location, and contact details of domain registrants. With this information in hand, security teams can report the matter to law enforcement agents who can then track down malicious operators and apprehend them on the spot.

Inspect Files' Metadata

Once in possession of files and devices from a suspicious entity, you can analyze the evidence that is saved in them and discover crucial details that can be followed back to the source.

Word, Excel, or PowerPoint files, for example, contain relevant information, called metadata, that can blow a hacker's cover. They include the name of the person that created the file, the organization, the computer, and the local hard drive or network server where the document was saved.

It is also important to analyze the grammar used in comments that are embedded in the software code. Socio-cultural references, nicknames, language, and even the use of emojis — all can reveal clues on the nationalities of the criminals or their geographical location.

Go On with Tracerouting

One of the best ways to catch perpetrators is by identifying their IP addresses. However, they usually hide these IPs by spoofing or by bouncing communications from different locations. Luckily, no matter how shrewd and clever these individuals may be, malicious addresses can still be identified through an approach called tracerouting.

The technique works by showing the hostnames of all the devices within the range of your computer and a target machine. More often than not, the last machine's hostname address belongs to the hacker's Internet Service Provider. With the ISP known, investigators can then pinpoint the geographical location and the areas where the culprit is probably situated.

* * *

Every time you venture online, you're exposed to malevolent entities that can harm your system and disrupt business operations. Knowing how to trace the source of an attack can stop it in its tracks and prevent the intervention from happening again.

By Jonathan Zhang, Founder and CEO of Threat Intelligence Platform
Follow CircleID on
Related topics: Cybersecurity, Malware, Spam, Whois
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

IP Addressing

Sponsored byAvenue4 LLC

New TLDs

Sponsored byAfilias

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign