When the company that's protecting you could also be the adversary

The rise of nation-state actors hiring private companies, some of which appear to develop cyber-security products, to carry out hacking operations is akin to a firefighter who is also an arsonist.

“If you found your fireman out back lighting a fire, you might get a little upset and that’s what we’re seeing,” Cybereason Chief Product Officer Sam Curry told CSO Online on the sidelines of last week’s RSA Conference. Curry was discussing a report from the Cybereason Threat Intel Team that looked at this new breed of cyber privateer.

BoyuSec, a Chinese cyber-security company that’s been accused of secretly carrying out espionage operations for that country’s Ministry of State Security intelligence service, exemplifies this trend of governments outsourcing cyber operations to private companies, Curry said.

“The company ostensibly sells penetration testing tools and hacking tools and services but behind the scenes they’re still doing the hacking and maleficence. The great irony, of course, is that an ostensibly Communist country is seeing the benefits of privatization,” he said.

This approach gives the government that initiated the attack plausible deniability against any accusation the victim may make.

The attacks carried out by these hackers for hire share a few common traits, said Curry. First, the attackers attempt to throw off threat intelligence teams by spreading disinformation. This creates strange patterns that defenders respond to poorly, skewing both machine learning models and the way people broadly perceive a threat. Second, adversaries are moving further down the stack and attacking firmware.

Finally, “nobody uses malware anymore. It’s not just hackneyed. It is the exception when they use it,” Curry said. Instead, attackers rely on fileless techniques, code injection and tools that are already present in the environment they are compromising, which lowers the chance that traditional security tools will detect them.

Combating this threat requires rethinking the traditional approach of detecting malware on individual machines, since ultimately these programs are created by people who behave in particular, recognizable ways, Curry said.

“We’re not, as an industry, trying to stop malware. We’re trying to stop bad people, organized bad people who have QA labs,” he said.

IT departments exist so that legitimate users, on the right machines and the right networks, can interact with data, a point not lost on attackers, who try to emulate that legitimate behavior in order to evade detection.

This is where behavioral detection comes into play, a point Curry stressed. His broader message was that some form of behavior, whether endpoint behavior, user behavior or network behavior, needs to be monitored if security teams want to detect attacks.

Building a better mousetrap is not the best approach to the challenges posed by hackers hired by nation states, he said, advocating a less myopic, broader perspective.

“It’s how we’re looking across the enterprise or many companies and saying, ‘Alright, what can we tell in the aggregate about human behavior?’” Curry said.

Lital Asher-Dotan
About the Author

Lital is a marketing team leader, storyteller and technology marketing expert. She joined Cybereason as its first marketing hire and built a full marketing department. She specializes in brand building, product marketing, communication and content, and is passionate about building ROI-driven marketing teams.