Want to cripple your attackers' R&D arm? Look for them on your network

In a previous post, I discussed hacking back. Hacking back can constitute a crime, and it rarely does significant damage to the attacker, because the assets typically targeted and exposed during a hack-back operation are disposable and tactical.

The way to inflict damage on a cyber-attack organization is to target the non-scalable, strategic assets of the group's R&D arm. To do that, organizations don't need to go after the attacker: the attacker exposes its R&D assets to its victims as part of the attack. To expose the attacker's set of capabilities and mode of operation (Tools, Techniques and Procedures), organizations must develop deep, focused visibility into their own compromised environment.

In my experience, the thing hacking organizations are most sensitive to is exposure of their toolset and techniques. That is because these tools are developed in cycles, just like any other software product, and cycles take time. A new tool, such as a local privilege escalation tool, requires research, prototyping, prototype testing, development, QA and so on. It can take weeks or months for each tool in the attacker's tool belt, which creates an operational limitation common to every cyber attacker, even the larger, more sophisticated ones. There is always a limited supply of attack tools, and permanent exposure of a tool can cost the attacker a strategic asset. A small number of repeated exposures can wear down an attacker's toolset to the point where they may have to discontinue the operations that rely on the exposed tools, forcing them to stand down and take a few weeks or months to reorganize before they come back.

Make no mistake: in many targeted threat actor cases, the attacker will come back eventually. The value of the target usually outweighs the value of the lost toolsets and operations, but the above approach may buy the targeted organization significant breathing time between attacks, to improve and better prepare. In some cases, repeated exposures may set the threat actor so far back in their operational capabilities that they go out of business, losing their edge over other hacking groups that compete in the same market niche.

Once a threat actor's generic Tools, Techniques and Procedures (TTPs) have been accurately and comprehensively detected and analyzed, based on the tools and operational procedures it used in the compromised network (i.e. the set of techniques the attacker used to escalate privileges, to persist, to move laterally, etc.), the most damaging response from the attacker's perspective is for the victim to expose those TTPs, either publicly or to a private consortium of relevant target organizations. This will not only set back the hacking operation in your organization: if you share that TTP information, the threat actor will have little choice but to discontinue the exposed line of products.

Traditionally, organizations were concerned about exposing the information they had about threat actors, mostly out of concern that an attacker who becomes aware of an exposed indicator of compromise (IoC) will quickly change its IoCs, leading organizations to lose track of it. That is the case, however, for “Static IoCs”, i.e. attacker IP addresses, domain names, file hashes, registry key names, etc. The concern with sharing these is justified, since they are generated by the operations arm of the attacker and can easily be changed while the attacker continues to use the same essential attack tools and techniques. Exposing a more general TTP, however, is a very different story. A TTP describes a broader, more generic technique or mode of operation, and changing it requires the threat actor's R&D to come up with a new attack tool or a new type of exploit, which takes significant time. Hence, the overall damage an exposure will inflict on the threat actor really outweighs the risk of losing sight of the attacker's operation.

Doing this right will require specialized technology and for the security team to adopt a new mindset. The security community has coined the phrase ‘threat hunting' to describe this process. Conceptually, threat hunting harkens back to the military, certainly in Israel and the US. It's an activity based on the premise that it is impossible to prevent a skilled and tenacious attacker from penetrating their target network. Therefore, any enterprise looking to improve its cyber defense posture and its ability to deter attackers needs to consider adopting ‘threat hunting' capabilities. These require security analysts to look for abnormal behavioral patterns, or behavioral IoCs. Behavioral IoCs stem from things such as rare privilege escalation patterns, abnormal lateral movement or software persistence techniques. In many cases, where there's smoke, there's fire.

Let's take privilege escalation as an example. Regardless of how it's done, what a threat hunter can look for is a process execution tree that starts with a low-privilege user and ends with a high-privilege user. When dealing with anomalies on your own network, you have more visibility and control over the situation and more options for how to handle it.
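As an added illustration of that behavioral IoC (example code, not from the original post or any vendor product), the sketch below walks process-creation events and reports lineages where a low-privilege parent has a high-privilege child that is not a sanctioned elevation tool. The event tuples, the `PRIVILEGED` accounts and the `BROKERS` allow-list are constructed assumptions.

```python
# Constructed process-creation events (pid, ppid, user, image); not real telemetry.
EVENTS = [
    (100, 1,   "root",     "/usr/sbin/sshd"),
    (200, 100, "alice",    "/bin/bash"),
    (210, 200, "root",     "/usr/bin/sudo"),    # expected elevation via a broker
    (211, 210, "root",     "/usr/bin/apt"),
    (300, 1,   "root",     "/usr/sbin/nginx"),
    (301, 300, "www-data", "/usr/sbin/nginx"),
    (310, 301, "www-data", "/bin/sh"),
    (320, 310, "www-data", "/tmp/.cache/upd"),
    (330, 320, "root",     "/bin/sh"),          # low -> high with no broker
    (331, 330, "root",     "/usr/bin/id"),
]
PRIVILEGED = {"root", "SYSTEM"}                 # assumption: high-privilege accounts
BROKERS = {"/usr/bin/sudo", "/usr/bin/su"}      # assumption: sanctioned elevation paths


def find_escalations(events, privileged=PRIVILEGED, brokers=BROKERS):
    """Return lineages, oldest low-privilege ancestor first, that end at a
    process whose user became privileged without a sanctioned broker."""
    procs = {pid: (ppid, user, image) for pid, ppid, user, image in events}
    findings = []
    for pid, (ppid, user, image) in procs.items():
        parent = procs.get(ppid)
        if parent is None or user not in privileged:
            continue
        if parent[1] in privileged or image in brokers:
            continue  # no boundary crossed, or crossed through a broker
        # Walk up while ancestors stay low-privilege to find where the tree starts.
        chain, cur, seen = [(pid, user, image)], ppid, {pid}
        while cur in procs and cur not in seen and procs[cur][1] not in privileged:
            seen.add(cur)
            chain.append((cur, procs[cur][1], procs[cur][2]))
            cur = procs[cur][0]
        findings.append(list(reversed(chain)))
    return findings


if __name__ == "__main__":
    for lineage in find_escalations(EVENTS):
        print(" -> ".join(f"{image}({user})" for _, user, image in lineage))
```

Real telemetry reuses PIDs, so a production version would key processes on PID plus start time, and the broker allow-list would be tuned to the environment being hunted.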

To raise the security bar, we must shift the culture to accept the fact that breaches are a fact of life, not an operational failure. Learn how to spot them and shut them down. Modern attackers are bringing their R&D intellectual property to your doorstep. If you want to send your attacker a message, don’t “hack back”; keep the fight on your network.

This post was originally published in SC Magazine.

Lital Asher-Dotan