Cyberattackers need persistent access to your company’s network, systems, and users to steal from you. The good news is that persistence is something that can also be used against attackers, and engaging with them is a surefire way to improve your company’s response to both specific attacks and security in general.
From my work at Purdue University, The MITRE Corporation, and now at Strongarm, I’ve learned a thing or two about why trying to block a cyberattack with technology almost never favors the defender. Let me illustrate why, and express why “speaking to malware” is a more effective defense.
In 2004, while working at MITRE supporting incident response, we were given a tip that one of the systems we were in charge of was being accessed by an attacker. We investigated and put in place once of the only tools we had at the time—domain filtering. The attacker responded by finding a different domain that was on our list and could access the web app, used a proxy to get through, and turned himself/herself from malicious attacker into “one of the good guys.” It probably took about a month for him/her to re-gain access—it took us about 6 months to find the attacker again.
At that point we decided to get serious; we implemented user ID and password, a process that took roughly 1,000 man hours to design and implement. The attacker persisted, probably for a few weeks, finding a weakness in our password reset, and gaining access to our system once again with a new username and password. We thought we had really solved the password reset process, but the attacker simply upped his/her game and became a better social engineer.
By that juncture, we were three or four years into trying to defend against this attacker. We were finding that every technical countermeasure we put in place was being bested by the attacker and it took them far less time to perform their nefarious deeds than it took us to hunt them down and respond. It’s a cat and mouse game that continues to this day.
After the password reset attempt, we switched our focus to improving the response process following identification of a breach. We wanted to conduct some research and formalize our understanding of how an attacker works. We used the Cyber Kill Chain, a six-step manifesto on how attackers operate. Whether it’s to steal information or money, attackers have an objective. They perform reconnaissance (step 1) against your organization for people or systems that have access to that information. They might target a user’s email inbox with a phishing attack (weaponization is step 2). These first two phases can take anywhere from a few hours to months to complete. The following phases, delivery, exploitation, and installation (steps 4, 5, and 6) take only seconds—it’s the cyber boom that most of our security tools which live in this space don’t always get right the first time.
Our research paid close attention to the command and control (C2) channel (step 5) that an attacker uses to manipulate a victim’s system, and the fact that the attacker can park him/herself inside your company’s systems (“action on objective” is step 6) and surreptitiously steal information from you for years on end.
Once an attacker is inside, they have the ability to send commands to the victim. There’s a stream of communication back and forth between the victim and the attacker. Often this communication is encrypted so it’s difficult for firewalls and intrusion detection systems to see what’s being relayed. With only these tools in place, when you start to dig into cleaning up an attack and your executive asks, “What did the attacker get,” and “Whom did they steal from,” you can provide only very little context or few details about what the attacker was doing. Our hypothesis about how to handle this scenario became, “By controlling and observing attackers once we identify they are in, we can improve how we respond to compromise.” By putting ourselves in between the attacker and the victim we not only were able to observe the adversary but also apply control to the communication that allowed the victim to talk to the adversary in a safe way.
In my session, Speeding Up Triage and Incident Response by Speaking to Malware, at Cyber Security World, I’ll talk more about this research and what you can learn from our approach of hacking the malware, hacking the attackers, and even hacking our own people.