VMware Head of Cybersecurity Strategy Tom Kellermann discusses the three phases of cybercriminal behaviour, and shares tips on how organisations can use these insights to proactively prevent future cyberattacks.
By Tom Kellermann
Organisations spend enormous amounts of their security budget preparing for data breaches. Yet, in 2019 alone, there were more than 9,400 reported cases of cybercrime in Singapore, an increase of more than 50 percent from 2018, according to the Cyber Security Agency of Singapore (CSA). This gap reveals that investing in cybersecurity solutions alone is not enough.
A critical aspect that is often overlooked is understanding the motives of attackers. It is time organisations started asking the right questions to determine how and why they have been breached.
A clear understanding of attacker motives allows security teams to better anticipate, prepare for and build an effective defense against threats. VMware Carbon Black’s 2020 Cybersecurity Outlook Report found that attacker behaviour is evolving to become more evasive, and it is high time organisations took a proactive stance and responded accordingly.
Offense should inform defense, and it is important to uncover ground truth. Only when organisations have a full view of their networks and threat landscape will they be able to effectively shift people, time and resources to account for new attack behaviours.
The cognitive attack loop
There are three phases of cybercriminal behaviour that organisations need to familiarise themselves with. The first phase is reconnaissance and infiltration. This initial stage occurs when an attacker prepares for an operation, which includes selecting targets and determining the means to gain access to the target.
Cyber attackers then move to the second phase – maintain and manipulate. This is when attackers have gained access to the target network and work to maintain a foothold in the organisation’s environment. This is a critical stage, as they will continue to improve their position to move forward with their goals, which often requires obtaining additional access levels or circumventing existing controls.
Last, we have the execution and exfiltration phase. Entering this final stage means that attackers are now able to act on their end goal, which could include lateral movement or island hopping. This ultimately compromises the confidentiality, integrity or availability of the target organisation’s information.
By studying this attack loop, organisations gain unique insights into the motivations behind an attack, which can then feed into the development of a cognitive defense approach. Understanding attack behaviour guides security teams in the prevention and detection of breaches, bringing about consistent and lasting improvements in security.
Offense informs defense
The traditional penetration test is no longer sufficient. Organisations should not be limiting testing to the outside-in. Rather, they need to look at security from the inside-out to better understand attack patterns. The inside-out approach focuses on setting strong prevention and intervention methods that are proactive rather than reactive.
Globally, island hopping and lateral movement attacks are escalating, creating an even greater need to understand how adversaries escalate once they commandeer an organisation’s digital transformation efforts. VMware Carbon Black’s research found that island hopping was prevalent in 12 percent of breaches in Singapore this year and is now the most commonly experienced attack among Singapore respondents.
One way to look inside-out is to execute a cyber-hunting exercise, which provides situational awareness as to behavioural anomalies that exist within your digital infrastructure. The name of the game is to understand if systems have been compromised before island hopping occurs. Increasing visibility on endpoints to discern behavioural anomalies provides you with a harbinger of criminality.
It is imperative to get a baseline understanding of where behavioural anomalies exist and where vulnerabilities lie. A cyber-hunt exercise (using third-party plus in-house security experts) can help expose where systems are vulnerable and where the organisation needs to increase controls.
Intrinsic and continuous threat intelligence
Threat intelligence should also be utilised to build a strong security posture. This helps outline an attacker’s motive and enables organisations to discover new threats and proactively put up barriers to defend against them. With threat intelligence, security teams become proactive. That said, intelligence feeds need to be integrated into endpoint detection and response (EDR) and made relevant to the specific threats facing an organisation’s industry.
Consider threat intelligence an intrinsic part of a continuous cyber strategy that includes weekly threat hunting. The security team should also standardise on a best-of-breed EDR. In remote workforces, threat hunting needs to go beyond traditional intelligence and detect process injection, the misuse of Windows Management Instrumentation and exploitation of non-persistent virtual desktop infrastructures.
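As an added example (not code from the article or from VMware Carbon Black), the following Python runs a small hunt over constructed process-creation telemetry for the two things described above: the baseline anomalies a cyber-hunt looks for, and WMI misuse on endpoints. It flags the WMI provider host (WmiPrvSE.exe) spawning a command interpreter, a commonly used hunting heuristic, separately surfaces parent-child pairs rarer than the fleet baseline, and tags each finding with the attack-loop phase it suggests. The events, host names and rarity threshold are assumptions made for the example.

```python
from collections import Counter

# Constructed sample process-creation telemetry (parent image -> child image).
# Hosts and events are invented for this example and come from no real system.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-01", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-01", "parent": "services.exe", "image": "WmiPrvSE.exe"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-02", "parent": "services.exe", "image": "WmiPrvSE.exe"},
    {"host": "ws-02", "parent": "WmiPrvSE.exe", "image": "powershell.exe"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "notepad.exe"},
    {"host": "ws-03", "parent": "WmiPrvSE.exe", "image": "cmd.exe"},
]

INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def pair_of(event):
    """Normalise an event to a case-insensitive (parent, child) pair."""
    return (event["parent"].lower(), event["image"].lower())


def is_wmi_spawned_shell(event):
    """Hunting heuristic: the WMI provider host should rarely parent a shell."""
    parent, child = pair_of(event)
    return parent == "wmiprvse.exe" and child in INTERPRETERS


def baseline(events):
    """Fleet-wide count of each parent->child pair: the 'normal' to compare against."""
    return Counter(pair_of(e) for e in events)


def hunt(events, rare_threshold=1):
    """Return findings, each tagged with the attack-loop phase it most plausibly indicates."""
    counts = baseline(events)
    findings = []
    for e in events:
        pair = pair_of(e)
        if is_wmi_spawned_shell(e):
            findings.append({"host": e["host"], "pair": pair, "reason": "wmi_spawned_shell",
                             "phase": "maintain and manipulate"})
        elif counts[pair] <= rare_threshold:  # seen at most rare_threshold times fleet-wide
            findings.append({"host": e["host"], "pair": pair, "reason": "rare_parent_child",
                             "phase": "unknown, review against baseline"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['pair'][0]} -> {f['pair'][1]} [{f['reason']}] phase={f['phase']}")
```

On real telemetry the baseline would be built from a longer, known-clean window rather than from the same events being hunted.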
Cybercriminals are now fighting back by leveraging counter incident response (IR) and destructive attacks. In response, organisations must stay vigilant when conducting threat hunting exercises and focus on identifying potentially new threats. It is also imperative that organisations regularly test their systems for vulnerabilities and take steps to defend against these new threats.
Prepare for the opportune moment
Organisations should set up a secondary line of secure communications that allows for secure talk, text and file transfer. Why? Because it is vital to be able to discuss an ongoing cyber incident. Always assume that hackers can intercept, view, modify and compromise all internal communications. Security teams also need to assume that the adversary has multiple means of gaining access into the network. Shutting off one entry point may not actually remove attackers from an organisation’s network; it will very likely have the opposite effect, alerting the attackers that they have been noticed.
Next, organisations need to watch and wait. To understand all avenues of re-entry, organisations should monitor the situation to fully grasp the scope of the intrusion. Do not immediately start blocking malware activity, shutting off access or terminating the command and control (C2) servers. This gives the team time to develop the means to successfully remove the intruder from the network.
Premature blocking attempts to impede their activities may cause hackers to change tactics, potentially leaving an organisation blind to additional means of re-entry. In addition, hackers will escalate by employing counter incident response and potentially destructive attacks.
Taking action to understand what motivates cyber attackers will better prepare organisations for a potential data breach. Only when attackers’ methods are understood, through practices such as cyber testing, threat intelligence and secure communication, can organisations fully prepare for the next impending cyber threat.