“In the moment when I truly understand my enemy, understand him well enough to defeat him, then in that very moment I also love him. I think it’s impossible to really understand somebody, what they want, what they believe, and not love them the way they love themselves. And then, in that very moment when I love them… I destroy them.”
- Orson Scott Card, Ender's Game
The cutting edge of cybersecurity is moving away from a reactive defense. Instead of analysts waiting for a threat to happen, they are proactively searching out attackers in their environment. Attackers are dynamic. They are always changing and improving their capabilities, which means that defenders need to lean in and adapt even faster to keep up. Proactive defense is about predicting, understanding, and preventing as many moves as possible that an attacker could make against you. You have to stay a step ahead of the enemy and lure them into a trap of your own.
In the cybersecurity space, this is why we red team. A group of red teamers takes on the characteristics of an adversary to challenge an organization to improve its defenses. They eat, sleep, and breathe adversary behavior... legally.
Red teaming is a well-regarded and crucial part of defense in cybersecurity. It has its place and it makes an impact, but it is solely targeted at improving defenses. What if we took this idea of understanding the enemy one step further, outside of defense?
Anonymous, WikiLeaks, and nation-state threat actors use open-source intelligence (OSINT) and espionage campaigns to drill down into the lives of targeted individuals. They use hacker techniques, tactics, and procedures to aggressively target individuals as a means of control. Once they have access to this information, they can do any number of bad things with it, from sabotage to assassination. But what if we took these adversary methods of OSINT and used them for the greater good? Must these techniques be used solely for evil?
As a society, we have gone from outright shunning of hacker culture, stereotyping hackers as hoodie-wearing teenagers in the basement, to the beginnings of acceptance and appreciation of hackers. We have started to recognize that many hackers are curious individuals who want to try something new. They are the puzzle solvers of the Internet age. Moreover, they are necessary for the cyber-resilience of the technology industry. Much like being a germaphobe puts you at more risk of becoming ill, not appreciating and adopting a hacker mindset results in weakly secured systems. As part of this growing acceptance of hackers, we should also take a fresh look at adversary techniques to see where we can apply them proactively today, not just for defense. What can we do today using OSINT and espionage techniques to better the lives of those around us?
We have seen cases where individual white-hat hackers help the victims of other hackers, as in the case of Fabian, a hacker world-renowned for dismantling ransomware. However, these instances are few and far between, and nowhere near as coordinated as adversary activity.
Groups are cropping up that use adversarial tactics, but for good. An example of this is Trace Labs, a non-profit group that liaises between the police and hackers to find actual missing persons. Instead of applying the OSINT techniques commonly associated with espionage for evil, this group takes experts in the field and puts their talents toward bringing missing children home to their parents and relatives back to their families. This is a use case for cyber that breaks out of the attack-defend mold that dominates the industry.
With a little innovation, the methods we have so long associated with crumbling privacy and the threat of attack can be used for proactive good to get ahead of the active, dynamic attackers and make us more resilient. This is not just about defending against bad guys or shoring up your defense. This is about taking part in safe, legal practices to make the world a better place in your own way.
If you're looking to leverage your existing talent and tools to iteratively improve your SecOps performance, read our recent whitepaper to start establishing a process.