Just like in combat operations, cyber operations are changing on a second-to-second basis. To effectively combat an insurgency, organisations must drive to an intelligence-driven operations centre. In this ever-changing battlefield, internal and external threat intel are now crucially important to combating attackers.
Even as a steady drumbeat of headlines keeps the world’s attention focused on cybercrimes, such as ransomware and cryptojacking, in the dark corners of the internet, attackers are busy refining their craft. Cyber attackers are honing their ability to remain undetected inside the enterprises they’ve breached, and evolving their attacks to counter defenders’ response efforts.
Business leaders can no longer get by thinking an attack won’t happen to them. Attacks that were once reserved for sophisticated campaigns have become an everyday reality. Most organisations remain woefully unprepared to combat such attacks, with the majority yet to create and implement proactive incident response plans, continuing instead to lean heavily on outdated legacy antivirus and firewall tools for protection.
IT leaders need to understand the ever-shifting landscape of their environment. In a tactical sense, this can be best facilitated in an automated fashion by collecting and using the proper telemetry and intelligence. A strategic understanding of your environment will be key to driving a winning strategy, starting with these fundamental factors:
- Time – How much time does your staff have? What is delta on dwell time of the last adversary?
- Money – What is your security budget?
- Equipment – What tools do you have? Are they integrated?
- Culture – What’s the culture of your organisation?
- Attackers – How are they attacking you and for what aim?
The war for our systems is now upon us and it’s time we adopt new ways of thinking about and addressing the problem. We need to think less like law enforcement and soldiers and more like an insurgent.
Counterinsurgency in cyberspace manifests shared risk. We must discreetly observe the adversary and suppress their activity as we force them to become resource constrained.
According to our Quarterly Incident Response Threat Report (QIRTR) counterinsurgency is playing out in a number of ways:
Nearly half (46%) of incident response professionals say they’ve experienced instances of counter incident response, another concerning sign that attackers have become increasingly sophisticated and are initiating longer-term campaigns — as well as a clear signal that incident response must get stealthier.
Nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation. They’re getting in, moving around and seeking more targets as they go. Of note, 100% of respondents say they’ve seen PowerShell used for attempted lateral movement.
A growing number of hackers won’t stop at a single network — they’re after your clients’ partner and customer infrastructure as well. A full 36% of our respondents say they see attacks where the victim was primarily used for island hopping.
Intrusion suppression is a viable architectural model whose core tenant lies in can you detect, deceive, divert, contain, and hunt an adversary, unbeknown to the adversary. We must dig at the roots of the insurgencies footprint on our networks and begin the hunt.
As military strategist Sun Tzu advised, “Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent’s fate.”
The commercial cyber equivalent of that would be: identities, data, systems, applications and communications. Ask yourself, “Is my list of identities accurate, how do I ensure no unauthorised identities have been added or privileges have been escalated?” For example, is your list of data updated manually or automatically and how do you know a change has been made?
For too long, we have relied on Lockheed Martin’s Kill Chain to understand and predict attacker behaviour. This framework does not account for the psychology of the adversary, nor does it truly dig into the tactical phenomenon associated with the phases of attack. We would suggest embracing a new, predictive model, one which takes into account the intent and cognition of a cybercriminal – a framework that studies the threat behaviours a.k.a.- modus operandi of elite hacker crews and allows you, as the defender, to anticipate and suppress the contemporary phases of a cyberattack.
