What makes the threat actors tick?

World Health Organization Director-General Tedros Adhanom Ghebreyesus speaks during a daily press briefing on the COVID-19 virus at the WHO headquarters in Geneva. The WHO has been a consistent target of attackers looking to gain sensitive health information during COVID-19. Today’s columnist, Tom Kellermann of VMware Carbon Black, writes that security teams can only stop these attacks when they understand what motivates cybercriminals. (Photo by FABRICE COFFRINI/AFP via Getty Images)

While organizations spend enormous amounts of their cyber budget on preparing for a data breach and determining how a breach occurred, there’s an important element they need to take into account – understanding the actual minds and motivations of the attackers.

A clear understanding of attacker motivation lets organizations better anticipate, prepare for and build a proactive advantage against threats. VMware Carbon Black's recent 2020 Cybersecurity Outlook Report found that attacker behavior continues to become more evasive, and organizations must respond accordingly. Offense should inform defense, and it’s important to uncover ground truth. Once organizations have the full picture, they can effectively shift thinking, people, processes and technologies to account for new attacker behaviors. Let’s consider the security practices that can help better understand the motivations of these attackers.

The cognitive attack loop

There are three phases of cybercriminal behavior:

  • Recon and infiltrate. In this initial stage of cybercriminal behavior, the attacker prepares the operation. This can include selection of the target, determining the best means to gain access to the target and actually gaining that access.
  • Maintain and manipulate. When attackers have accessed your network, they work to maintain a foothold in this environment while continuing to improve their position to move forward with their goals. Often, to achieve whatever ends the attacker has in mind, they need additional access levels or to circumvent existing controls.
  • Execute and exfiltrate. Entering this final stage means the attackers now have the ability to execute on their end goals, which could include lateral movement (island hopping), and therefore compromising the integrity, confidentiality or availability of information.

Studying this attack loop and using it to build a cognitive defense approach allows for greater precision in remediation steps and drives consistent and positive security changes. Really understanding these behaviors offers unique insight into the motivations behind an attack, helping to guide the prevention and detection of a breach and the appropriate response.

Proper cyber testing and threat hunting teams

Organizations need to go beyond traditional penetration testing. They should not limit testing to outside-in; rather, it should expand to inside-out to better understand attack paths. Island hopping and lateral movement have exploded, creating a greater need to understand the escalation of adversaries when they choose to commandeer digital transformation efforts. For example, recent research among incident response professionals found that island hopping was a feature in 41 percent of the breach attempts they encountered.

Red team exercises offer a human element as well as an understanding of the nexus between facility security and cybersecurity. It’s imperative to get a baseline understanding of where vulnerabilities lie. A baseline red team audit (using third-party plus in-house security experts) and/or cyber hunt exercise can help expose where systems are vulnerable and where the organization needs to increase controls. Fielding an in-house threat hunting team helps organizations identify behavioral anomalies, which present a harbinger of criminality.

Intrinsic and continuous threat intelligence

Security teams require threat intelligence to build a strong security posture – better outlining a cyber attacker’s motivation. It helps organizations discover new threats and proactively put up barriers to defend against them. Without threat intelligence, organizations become reactive. Threat intelligence feeds must get integrated into endpoint detection and response (EDR) and made relevant to the specific threats facing an organization's industry.

Consider threat intelligence an intrinsic part of a continuous cyber strategy that includes weekly threat hunting. The security team must also standardize on a best-of-breed EDR. In today’s mass shift to a remote workforce, threat hunting needs to go beyond traditional intelligence and include process injection, the misuse of Windows Management Instrumentation and exploitation of non-persistent virtual desktop infrastructures. Given that cybercriminals fight back by leveraging counter-incident response and destructive attacks, organizations must stay vigilant to escalation when hunting and focus on the following:

  • Identify what new threats have arisen.
  • Test systems for vulnerabilities to these new threats.
  • Take steps to defend against these potential attacks.

Improve internal communications, combat re-entry

Organizations must stand up a secondary line of secure communications because it’s vital to discuss the ongoing incident. Assume that hackers can intercept as well as view, modify and otherwise compromise all internal communications. These communications should allow for talk, text and file transfer. Security teams should also assume that the adversary has multiple means of gaining access into the environment. Shutting off one entry point may not actually remove attackers from an organization's network. This will very likely have the opposite effect by notifying the attackers that you’re on to them.

Next, organizations need to watch and wait. Do not immediately start blocking malware activity and shutting off access or terminating the C2. To understand all avenues of re-entry, organizations must monitor the situation to fully grasp the scope of the intrusion to effectively develop a means of successfully removing the adversary from the environment. Another action to consider includes deploying agents (if necessary) in monitor-only mode. If organizations begin blocking or otherwise impeding their activities, attackers will catch on and change tactics, potentially leaving an organization blind to additional means of re-entry. Finally, organizations can deploy honey tokens or deception grids – especially on attack paths that are difficult to harden.

Taking action to really understand a cyber attacker and why they act the way they do will make the organization better prepared for a data breach. Only when their methods are understood through practices such as cyber testing, the use of threat intelligence and secure communication can an organization fully prepare for the next impending cyber threat.

Tom Kellermann, head of cybersecurity strategy, VMware Carbon Black
