UMERCS BLOG

Matt Hosburgh

Cyber Deterrence and the New Era of Active Defense

The cyber world is not the same as the physical world. I think we all mostly agree with that (unless you feel like you’re in the real-life Matrix). But there are kinetic, or physical, implications should an attacker manipulate a system that controls some sort of industrial process. Further, attackers who wish to do harm to critical infrastructure can, in some cases, cause damage or impact safety. Two immediate examples come to mind. If you haven’t watched the video of the Aurora Generator test conducted by Idaho National Laboratory, it provides a proof of concept of this reality. Secondly, the recent discovery of the TRISIS malware reveals that the Safety Instrumented Systems (SIS) of certain Industrial Control Systems (ICS) are at risk. What would the results be if such an attack were to succeed? The long game is yet to be seen; however, it is a very real possibility that a cyber attack could be leveraged in conjunction with a physical attack to maximize the effectiveness of both.

Active Defense and Why Offense is Necessary

Active Defense (AD) is hotly contested and often brings mixed emotions. Part of this debate stems from an inconsistent definition. The DoD defines AD as “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” The Tallinn Manual on the International Law Applicable to Cyber Warfare defines Active Cyber Defense as: “A proactive measure for detecting or obtaining information as to a cyber intrusion, cyber attack, or impending cyber operation, or for determining the origin of an operation that involves launching a pre-emptive, preventive, or cyber-counter operation against the source.” Others still maintain that attacking back cannot be a part of AD, or of traditional defense at all.

Why not?

What is meant by attacking?

What if we called it interacting?

A few years back, Christopher Hoff gave his keynote on the topic. In his talk, he made a reference to Jiu Jitsu and mixed martial arts. The example looked at two practitioners grappling. From an innocent bystander’s perspective, it was difficult to see who was actually on offense and who was defending, but one was attacking and the other was actively defending. In Jeet Kune Do (JKD), the martial art heavily influenced by Bruce Lee, there are concepts that help to guide action. For example, the stop hit is a method of preemptively striking before the attacker strikes you, but not before knowing they are going to strike you.

In terms of the digital realm, AD is an incredible concept that can help to perform the digital stop hit.

TO BE CLEAR: attacking doesn’t necessarily mean flinging exploits at a loosely formed target.

The book Offensive Countermeasures: The Art of Active Defense spells out the varying degrees of interaction with an attacker. Dubbed AAA, the continuum is Annoyance, Attribution, and Attack. Within these As are techniques that can be leveraged to preemptively defend against an adversary. Truly, it’s a mindset, and one we should shift our thinking towards. As a threat hunter, one of the most beneficial stages in which to look for adversaries is the Lateral Movement stage. This has become a normal and accepted practice. But why? Why are we okay with an active adversary moving around our networks? What if we could actively deploy defenses that helped to alert earlier and more granularly, and that provided means to interact, dare I say, attack back? In military defense, or even in some Somali pirate cases, a unit or ship in the defense would take some form of action should an enemy enter into particular proximity. In some cases, if the enemy fired their weapons, authorization was granted to fire back. Fighting fire with fire isn’t the goal and doesn’t always translate well in the cyber realm, but the point that defense CAN and often does include forms of attacking back is valid.

Physical vs Cyber Deterrence

In a recent blog post on Schneier on Security, Bruce calls out an example surrounding the 2016 presidential election where cyber deterrence was taken into consideration. The US was cautious to retaliate in the cyber realm due to the estimated or perceived cyber capability of Russia.

It brings to mind physical deterrence. A house guarded with a security system, fences, and perhaps dogs might look less appealing to rob than one without. The problem, as seen from the attacker’s perspective, is one of detection. More specifically, if the attacker thinks they will be caught (or harmed in the action), they are less likely to launch the attack. They may look to a more appealing target or another avenue.

Deterrence and Active Defense (Annoyance)

Enter the first A of Active Defense: Annoyance. Picture an attacker in the early reconnaissance phase of an attack. MITRE has the whole PRE-ATT&CK matrix (soon to be consolidated into one ATT&CK Matrix) that looks at the varying attacker techniques BEFORE they get into an organization. This is the space that, if proactively engaged with, can help to fend off an attack before it is even launched (remember the stop hit analogy?). What if, during the OSINT gathering step, the attacker discovered a URI for the organization that looked “legit”? They then, perhaps, start to spider this URI for further directories or files of interest. Unbeknownst to the attacker, one directory is actually a trap for the spider. The directory is only ever discovered by an attacker, and on access the page generates random data to frustrate the crawler. Left unmonitored, the spider would run until manually stopped. From a detection standpoint, any interaction with this particular resource would generate a high-fidelity alert. Done at scale, AD becomes more than just a way to detect, but a way to deter an adversary before they are able to get a foothold.
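The spider trap described above, written out as an added example (this is not code from the original post or from the uMercs platform). The decoy directory `/private-archive/`, the JSON alert fields, and the listening port are assumptions. The trap is advertised only through a robots.txt Disallow entry and is never linked from real pages, so honest crawlers skip it and any request for it comes from a client that ignores robots.txt or is mining it for “hidden” paths; that is what makes every hit a high-fidelity alert with no allow-listing required. Each trap page is random filler plus fresh links deeper into the trap, so an unattended crawler keeps going until someone stops it.

```python
"""Spider-trap directory for the Annoyance stage of Active Defense.

Hypothetical example. The decoy path, alert format and port below are
assumptions, not something taken from the original post.
"""
import json
import secrets
import string
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

TRAP_PREFIX = "/private-archive/"   # assumed decoy directory; linked from nowhere


def robots_txt() -> str:
    """Advertise the trap only as a Disallow entry: well-behaved crawlers
    skip it, so whoever requests it has ignored (or mined) robots.txt."""
    return f"User-agent: *\nDisallow: {TRAP_PREFIX}\n"


def is_trap_request(path: str) -> bool:
    """True when the request path (query string ignored) is inside the decoy."""
    return urlsplit(path).path.startswith(TRAP_PREFIX)


def trap_depth(path: str) -> int:
    """How far into the trap the crawler has wandered (0 for the entry page)."""
    rest = urlsplit(path).path[len(TRAP_PREFIX):]
    first = rest.split("/", 1)[0]
    return int(first) if first.isdigit() else 0


def trap_page(depth: int, size: int = 2048) -> str:
    """Random filler plus five never-repeating links one level deeper.
    A crawler that follows links never runs out of pages, which is the
    'runs until manually stopped' behaviour the post describes."""
    alphabet = string.ascii_letters + string.digits
    filler = "".join(secrets.choice(alphabet) for _ in range(size))
    links = "".join(
        f'<a href="{TRAP_PREFIX}{depth + 1}/{secrets.token_hex(8)}">more</a>\n'
        for _ in range(5)
    )
    return f"<html><body><p>{filler}</p>{links}</body></html>"


def build_alert(client_ip: str, path: str, user_agent: str,
                ts: Optional[float] = None) -> dict:
    """Structured alert record for a SIEM (field names are assumptions).
    Every hit is high fidelity: no legitimate user can reach this path."""
    return {
        "ts": ts if ts is not None else time.time(),
        "rule": "spider_trap_hit",
        "severity": "high",
        "src_ip": client_ip,
        "path": path,
        "user_agent": user_agent,
        "depth": trap_depth(path),
    }


class TrapHandler(BaseHTTPRequestHandler):
    """Minimal stdlib HTTP handler: robots.txt, the trap, 404 for the rest."""

    def do_GET(self) -> None:
        if self.path == "/robots.txt":
            self._send(200, "text/plain", robots_txt())
        elif is_trap_request(self.path):
            alert = build_alert(self.client_address[0], self.path,
                                self.headers.get("User-Agent", ""))
            print(json.dumps(alert), flush=True)   # ship to your SIEM instead of stdout
            self._send(200, "text/html", trap_page(trap_depth(self.path)))
        else:
            self._send(404, "text/plain", "not found\n")

    def _send(self, code: int, ctype: str, body: str) -> None:
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args) -> None:
        pass   # keep stdout for the JSON alerts only


def main() -> None:
    HTTPServer(("127.0.0.1", 8080), TrapHandler).serve_forever()   # assumed port


if __name__ == "__main__":
    main()
```

Run it and fetch /robots.txt, then /private-archive/: the second request prints a JSON alert with depth 0, and each page it serves links to depth 1, 2, and so on. In production the print becomes a syslog or webhook call to the SIEM, and the decoy path should be something that reads like a real directory for this organization rather than a generic name.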

Conclusion

Inconsistent definitions create confusion and mixed emotions. Peeling back the red tape or emotions can reveal what we’re all after: better security. The point here is not to determine if attacking back is a viable security technique. Rather, the point is that we have been tirelessly fighting a losing battle in security. The mindset must change for this to change. This will take work. It won’t be easy, but I believe, if done right, we can engage our adversaries in a more neutral space, rather than from within our organizations. The focal point can no longer be on just your organization’s defenses. Maybe Bruce Lee said it best: “Don't think. FEEL. It's like a finger pointing at the moon. Do not concentrate on the finger, or you will miss all of the heavenly glory.”

Matt Hosburgh

We Have a Problem (and Solution)

We Have a Problem

If you’ve read any headlines recently, you know that breaches are an unfortunate, yet common occurrence. You’re either numb to these notifications, or you’ve been asking: why and how does this keep happening?! Although there isn’t necessarily just one common reason, the overall problem is that of deterrence and discernment. Attackers select targets, e.g. your data, because they know their chances of getting caught are low. If they are caught, they know the cost to them (jail time, fines, reputation, etc.) is not very high. Finally, understanding how your adversary views your assets (data, systems, and even reputation) is a missing key component in prioritizing your defenses. Our goal is to change that.

Our Solution: An Operationalized Active Defense

I am pleased to announce the formation of Traced. Traced is an answer to our adversary problem. This platform will empower individuals and organizations alike with the methodology and tool set to proactively annoy, attribute and interact with their adversaries. Put another way, we want to make you a hard target that causes your attacker to move on. As your adversaries adapt, so too will this platform. It will provide a means to identify adversaries early on, while providing enough attribution to take the appropriate action. Security is no longer a wait-and-see mentality. It needs to be proactive: an Active Defense.

Our Newest Member

Today I am also very excited to announce the platform’s Chief Technology Officer (CTO) and Chief Software Architect (CSA), Ryan McGeary!

Traced CTO & CSA
Welcome Ryan!

Ryan is a serial entrepreneur, software consultant, international speaker, and amateur triathlete. Ryan has 20 years of experience developing both business and consumer software products and is a global speaker on emerging web development technologies and processes. Ryan co-founded other companies such as BusyConf, ChargeStack, LMGTFY, FitFreak, SplashWireless and McGeary Consulting Group. He is a graduate of the University of Virginia with a degree in Computer Science and an emphasis in Economics.

Ryan brings a wealth of coding experience to the table and I will be eager to show off his talents via this platform!

In Case You Missed It

uMercs was recently featured as a guest writer on AlienVault’s blog. Head on over and check it out!

Matt Hosburgh

How Are Your Adversaries Motivated?

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

The Mentor, “The Conscience of a Hacker,” Phrack Magazine, 1986

According to this infamous manifesto, all hackers are alike and not unique millennial snowflakes. They are people with curiosity, convictions, apathy, anger, greed, hope, and honor. Just like people, hackers or groups of hackers may fall on a spectrum of good and evil. Where they fall may be dependent on the day or mood of that individual, or even the convictions of the larger collective. For example, the collective Anonymous was a way for anyone, and I mean anyone, to be involved in hacking for an ideal if you so desired. Hate oil and gas? There was an operation for that. How about the stock market? There was Occupy Wall Street for that. What about nation states or organized crime? They might be hackers under the hood, but their motives might be considered malformed by some. On the flip side, hackers work to bring job training and technology to areas of the world that are so impoverished that they would not be able to do so on their own.

Defining Your Adversary

So maybe that’s the problem: labeling hackers as bad or good. Maybe it’s more specific than that. If you’re reading this, you’re probably wondering what the motives are behind the “bad” hackers of the world. The media does a great job classifying all hackers as bad and their motives as evil. Truly, what makes a hacker “bad” is subjective. To understand a bad hacker’s motives, it is more important to understand who your adversaries are. This is an important differentiator for two reasons:

  1. An adversary implies that there is someone who has a problem with you or your organization specifically.
  2. An adversary helps you to understand a motive and the targets they are after.

Forming this background is one method of understanding an adversary’s motives and even their endgame.

A Motive Breeds the Target

Law enforcement commonly asks one question: what was the motive? This is typically to point the investigators to the why, which can help to uncover more information or evidence to support the case and explain why the victims were targeted. Similarly, finding the why, or motive, behind your adversary’s actions can help you better understand what they are after and how to protect those assets from an attack. Take the following motives as an example:

  1. Financial: Can the adversary make money directly (via an attack) or indirectly (by selling malware or ransomware as a service)? Are there competitors who may want to destabilize your company?
  2. Ideological: Your adversary may want to harm your reputation, deny services to your customers, or sabotage your systems in order to further their propaganda or eliminate perceived threats to the environment, for example. This could also include frustrated ex-employees.
  3. Political: Can the adversary benefit from knowing your next move or most intimate secrets as an organization? Do you claim that you have impenetrable defenses? If so, you might be motivating an attacker to find a way in.
  4. Prestige and Curiosity: Does the adversary want to say they compromised your organization just because? Is your technological footprint so interesting that it entices an attacker on its own?

These common motives will help you and your organization realize what could be a target and focus your budget and resources on the most vulnerable areas.

All Motives Not Equal

Financial motives are among the largest reasons for targeting an organization or individual. According to estimates by Juniper Networks, the cost of data breaches will soar to $2.1 trillion by 2019. This staggering statistic signals that there is money to be made. An investigative tool called Hunchly offers a service that searches the dark web and reports its findings on a daily basis.

Crime is a commodity because it pays. Furthermore, an organization that may not be a target for one adversary will be one for another. Simply put, if you do not make yourself a hard target, it is only a matter of time before your organization is caught in the crosshairs.

What is the Target?

If your adversary is financially motivated, they will more than likely be after data that can be bought and sold. In the case of ransomware, they might be after the data that you need to run your business knowing you will pay anything to get it back. A recent malware outbreak, dubbed “Bad Rabbit”, is one example where the authors were after a ransom. The target: Russian media outlets and other large corporate networks. These targets were presumably chosen because of the propensity to pay the ransom. If attackers have ideological goals, they might be looking to deny services or deface an organization’s publicly facing systems. Not knowing who your adversary is and what is motivating them is like trying to plan for a trip without knowing what the weather will be like when you get there. That translates into needing to prepare for every occasion, which is time consuming, expensive, and nearly impossible. 

Conclusion

Do you know who is targeting you and why? What are they after? These questions should be at the forefront of your mind and your cybersecurity planning. Not only will this view help you look at what you’re trying to protect from the adversary’s perspective, it will also help align your strategy to meaningful priorities. When in doubt, follow the money. When you’re informed, prioritize your defenses based on the motives of your adversaries.
