“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Sun Tzu, The Art of War
Security pros need to uncover hacker motivation in order to understand the tactics, techniques, and procedures (TTPs) likely in play in any given attack. Once security teams know the techniques a particular attacker uses, they can quickly rule out less likely attack categories. Understanding TTPs is also important for tracking attacker campaigns and mounting effective, proactive defenses. For example, once the team knows that an attacker favors a particular technique, it can pre-warn likely targets with actionable information that lets them protect themselves.
Take financially-motivated attackers. They are typically constrained by the cost of exploitation: why would a threat group spend $1 million on an exploit if they can only use it once and it will not yield the same in return? Financially-motivated hackers operate like businesses. Their ecosystem looks like an enterprise ecosystem, with suppliers providing different parts of the operational needs and steps taken to offset costs to maximize profits.
In all cases, understanding the TTP becomes critical in preparing adequate and cost-effective defenses that better align with business needs and ensure accurate forensic analysis of attacks that have already taken place. Here are four ways to better recognize hacker motivations:
- Don’t consider penetration testing a silver bullet.
Security pros need to run penetration tests, but they are neither a silver bullet nor a panacea. Leverage them as a last step in rounding off a well-defined information security strategy. Think of a pen test as kicking the tires on your vehicle before setting off on a long journey.
Start a pen test by having the team address the low-hanging fruit first. The company doesn’t want to pay tens or hundreds of thousands of dollars to a professional organization for them to report a collection of vulnerabilities that should have been taken care of by internal processes — such as those in the development lifecycle or organizational security hygiene policies. In the best-case scenario, the test will fail to find any obvious or simple flaws, and naturally, the harder the security team makes the job for penetration testers, the better its organizational security practices. Security teams should run penetration tests regularly — before each journey, or at a minimum, when circumstances substantially change.
- Practice red team exercises.
If performed properly, red team exercises push pen tests to the next level. Have the security team behave as much as possible like a real-world adversary, leveraging weaknesses inch-by-inch to achieve a specific goal.
A red team exercise lets the team see the overall health of its information security system enterprise-wide, from defenses to detection capabilities and response. Instead of looking to report as many vulnerabilities as possible, a red team looks for the weaknesses that get it where it wants to go. Good red teams mirror what real-world attackers do: look for weaknesses, test them, see how far they can go, and then pivot to find new vulnerabilities that let them go further.
- Lead with threat intelligence.
Threat intelligence should be the lifeblood of any effective information security program. Think of vulnerability management as the guards on a castle wall, and threat intelligence as the lookout. Security teams use threat intelligence to identify attacks that may have slipped under the radar by correlating internal events, intelligence from external sources, and research to paint as clear a picture of the threat landscape as possible. Attackers never sleep, and as the threat landscape evolves faster every year, an organization that isn't on top of changes to threats can easily be caught unaware.
Security teams may find choosing which external feeds to use both challenging and daunting. The best feeds are often extremely expensive, and the data inside an organization are often vast and unwieldy. The biggest mistakes typically happen when companies handle their own data and over-rely on external information. External feeds are another organization’s view of the world, and they are usually an extremely valuable perspective — but unless they are properly correlated with the data that the enterprise itself sees, they add limited value.
It’s important for the team to walk before it runs with threat intelligence and to build feed integration in a way that ensures the results are accurate. False positives waste resources and create alert exhaustion, while false negatives mask what's really going on. Both have killed, and continue to kill, threat intelligence programs. Take threat analysis performed by humans and then use threat intelligence tools to automate and scale those same actions. Anything a human can do a machine can do faster, with one caveat: tasks that human analysts can’t do are difficult to automate, and attempts to do so lead to noisy, often useless data.
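As an added illustration of the point above (not code from the article), the following correlates an external indicator feed against the enterprise's own proxy telemetry: indicators never seen internally are not raised at all, and sightings on known-benign infrastructure or below a confidence threshold are dropped as likely false positives. The feed, log lines and allowlist are constructed sample data.

```python
"""Correlate an external indicator feed with internal telemetry.

Added illustration, not from the article: the feed, log lines and
allowlist below are constructed sample data.
"""
from collections import defaultdict

# Constructed external feed: indicator -> (type, confidence 0-100, source)
EXTERNAL_FEED = {
    "203.0.113.7": ("ip", 90, "vendor-a"),
    "198.51.100.23": ("ip", 40, "vendor-b"),       # low confidence, never seen
    "cdn.example.net": ("domain", 30, "vendor-a"),  # shared infra, noisy
    "evil.example.org": ("domain", 85, "vendor-b"),
}

# Constructed internal allowlist: infrastructure the enterprise knows is benign
INTERNAL_ALLOWLIST = {"cdn.example.net"}

# Constructed internal proxy log lines: "<timestamp> <source host> <destination>"
PROXY_LOG = """\
2024-05-01T10:00:01Z ws-0142 cdn.example.net
2024-05-01T10:00:05Z ws-0142 evil.example.org
2024-05-01T10:01:12Z ws-0377 203.0.113.7
2024-05-01T10:02:40Z ws-0142 evil.example.org
2024-05-01T10:03:03Z ws-0901 203.0.113.7
"""


def correlate(feed, log_text, allowlist, min_confidence=50):
    """Return sightings only for feed indicators the enterprise actually saw.

    An indicator that never appears in internal telemetry gives the team
    nothing to act on; one on the allowlist or below min_confidence is a
    likely false positive and is dropped rather than raised as an alert.
    """
    sightings = defaultdict(list)
    for line in log_text.splitlines():
        timestamp, src_host, dest = line.split()
        if dest not in feed or dest in allowlist:
            continue
        _, confidence, source = feed[dest]
        if confidence < min_confidence:
            continue
        sightings[dest].append((timestamp, src_host, source))
    return dict(sightings)


def feed_coverage(feed, sightings):
    """Fraction of the feed that internal data corroborated."""
    return len(sightings) / len(feed) if feed else 0.0
```

Running `correlate(EXTERNAL_FEED, PROXY_LOG, INTERNAL_ALLOWLIST)` yields sightings for only two of the four feed entries, which is the measure of how much value that feed added to this enterprise.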
- Engage in threat hunting practices.
Every threat hunting organization should look to identify attacks, categorize them, correlate them, and to some degree, attribute them. Attribution does not need to be person x in country y; simply identifying a repeated signature or identifiable aspect in campaigns will help the team understand the type of attacker it’s facing, how often they are attacking, and how those attacks are evolving (if at all). Later on, this becomes critical for forensic analysis of breaches, and if detailed enough, the team can use it for proactive defensive measures targeted at specific campaigns.
The most important rules of threat hunting include:
- Always keep it ethical. It’s easy to cross lines in the heat of the moment.
- Know your limits and set defined goals for classification, tracking, and monitoring. Remember: It’s a big world out there, and it’s easy to get stuck in a rabbit hole.
- Keep an open mind and open eyes. Sometimes, it’s hard to see the forest for the trees, but that doesn’t mean everything is linked.
- Embrace automation. If team members find themselves doing something repeatedly, consider using automation to make the team more effective so it can scale.
- There are some great tools out there. Platforms like MISP and TheHive can help build a professional threat hunting operation on a shoestring budget.
- Be careful – there are dragons out there. While it’s not likely that enterprise threat hunters will run into nation-state actors, it’s possible. Keep OpSec in mind, and don’t take unnecessary risks.
To properly defend enterprise data, leaders need to know what they’re up against — and it’s fundamental to know attacker techniques and methods. We can only confront and combat against today’s evolving threat landscape by understanding what drives attackers, how they operate, and in sharing relevant information with one another.
Marc Rogers, vice president of cybersecurity strategy, Okta