Survey of Incident Responders Shows That Businesses Need to Re-architect Cybersecurity
The cyber kill chain employed by advanced adversaries is changing. Defenders need to evolve their defensive strategies to meet the new challenge; and they need to develop silent hunting skills.
A new study from Carbon Black queried 37 incident response firms that use its threat hunting tool to gain insight into what is happening after an attacker has breached the network. “The inspiration for this report,” Tom Kellermann, the author and chief cybersecurity officer at Carbon Black told SecurityWeek, “was, I was tired of seeing reports that are focused on just the vector of attack — how they got in versus how they stay in. There has been a dramatic shift in how cybercriminals operate — they have moved from burglary to home invasion, and we now need to be asking different questions. The adversaries are typically inside networks for months.”
Key statistics from the report picked out by Kellerman include the predominance of Russia and China as adversaries. Eighty-one percent of respondents highlighted Russia, and 76% highlighted China. Thirty-five percent say that the end goal is espionage.
Sixty percent of the attacks involve lateral movement, indicating that attacks are no longer smash and grab incidents — adversaries are now intending to stick around for the long game. This is confirmed by the appearance of incident response countermeasures. Nearly half of the respondents have seen instances of counter-incident response. Sixty-four percent have seen instances of secondary C2 being used on a sleep cycle during their IR engagements. Thirty-six percent of attackers use the victim for island hopping; that is, as a supply chain attack. And — perhaps worryingly — 10% have witnessed non-ransomware destruction.
“I think the destruction figure is quite worrying if it grows,” Kellermann told SecurityWeek; noting that there are already signs that it is doing so. He suggested three primary motivations: activism (possibly patriotic), revenge (for being discovered), and the destruction of forensic evidence. “There’s a fundamental lesson we need to take away from this,” he said: “we have to become more clandestine and more quiet when we hunt the adversary in our homes. We can no longer shout out, ‘I know you’re in my house; I’ve called the police’. That is exactly what Crowdstrike did when it was responsible for investigating the DNC breach, it was too loud in its incident response which is why the Russians dug and burrowed in deeper and deeper — and that was evidenced in the indictments.”
The biggest single takeaway that Kellermann has from this survey is that the way to counter the new long-term, advanced and evasive incursions is to develop silent hunting techniques. If hunting is too noisy, the adversary will simply burrow deeper, employ incident-response countermeasures, or simply destroy the network and leave.
“This evolution coincides with mounting geopolitical tensions,” suggests the report. “Nation-states such as Russia, China, Iran and North Korea are actively operationalizing and supporting technologically advanced cyber militias.”
Kellermann believes that this new level of attack sophistication is down to the increasing level of nation-state hacking — although the hacking itself may be done by a national militia rather than direct government employees. “We’re seeing cybercriminals act as cyber militias for nation states,” he explained.
Take Russia and the GRU units indicted by Deputy Attorney General Rosenstein as an example. “Those GRU units typically in the past didn’t have any real level of cyber-attack sophistication. The Silicon Valley of cyber-attack sophistication in Russia was St Petersburg — so they called upon great cybercriminals like Alexsey Belan and Evgeniy Bogachev to essentially arm them with the greatest zero-day attack code and exploit kits in addition to showing them how to morph and change their kill chain.”
The Chinese adversaries are also learning and adapting. “The Chinese,” he said, “having learned from the mistakes of their past, where they never practiced good operational security and they were typically too loud when they broke into networks… well, they’re becoming much more clandestine and much more elegant in the way they attack corporations. Particularly,” he added, “in using island hopping — as evidenced by the Cloud Hopper campaign where they targeted the SMPs of a dozen major corporations in the West. After compromising the MSPs they then leapfrogged into the corporate networks via their cloud infrastructure for the purposes of economic espionage.”
The coincidence of changing and more advanced attacks with the rise of nation state actors is compelling; but suggestions that it is primarily Russia and China is down to the accuracy of attribution.
“This attribution comes from the incident response responders to the survey,” says Kellermann. “These folks typically worked in British or US intelligence or law enforcement communities; and they understand the fingerprints, the TTPs associated with specific threat actor groups, and the modus operandi. Not only that, you can typically see the C&Cs and the secondary C&Cs leveraging back to infrastructure that is operated or controlled by specific entities.”
Kellermann believes there really is — effectively — a cyber axis of evil, primarily comprising Russia, China, North Korea, and to a lesser extent, Iran. The first three have an unwritten operational agreement not to target each other. “None of these three will hack the others, and at the same time they are benefitting from each other’s colonization of wide swathes of the West.”
Russia and North Korea are particularly close. “Both Russia and North Korea are counteracting economic sanctions imposed by the West with cybercrime against the financial sector,” he said. “North Korea itself has become much more adept and sophisticated with their cyber-attacks as they are mirroring the Russian kill chain, and they are using more and more exploits and more and more custom malware. Just as the North Korean missile systems are typically based on Russian missiles, so you have the same amount of tech transfer in cyber capabilities.”
He sees no reduction in cyber-attacks from any of these countries, and expects South Ch
ina Sea tensions and the potential for global trade wars to simply exacerbate the problem. “In fact,” he said, “the new group Hidden Cobra has been quite prolific — you just don’t hear much about them because the financial institution victims are trying to keep this conversation quiet. But Hidden Cobra is the greatest testament to the advancement of cyber capabilities in North Korea.”
Nor does he exclude Iran from this group, pointing out that as long ago as the Stuxnet issue, it was Russia that Iran turned to for, and received from, cyber assistance. There are even suggestions that Russian experts analyzed Stuxnet and returned it to Iran in the form of the original Shamoon malware used against Saudi Aramco.
But Kellermann doesn’t think an understanding of the source of the attacks is an important as an understanding of how they are being operated. “I really think that the indications of counter incident response are the powerful statistics; and that 36% of the attacks are not directed against the initial victim — basically, after they’ve done stealing from you they’re going to use your network to target people that trust you. That has to be something we are acutely aware of and cognizant of in how we structure business partnerships, and in how we secure our information supply chain going forward.”
He feels that the U.S. is currently suffering under an Administration that is not sufficiently focused on cyber security. “Not only does the US not even have a Cyber Czar, but this Administration has not taken cyber security seriously — as evidenced by the rapid retirement rate of professionals who would have been lifers under a different administration. I am incredibly concerned that we’re dealing with an adversary that has already colonized wide swathes of British and American infrastructure, and we’re really fighting someone from the inside out.”
He believes that the real message coming from this survey of incident responders is that business needs to re-architect its cybersecurity. “We need to change the architectural model away from a castle-like structure and more towards that of a prison, where we can force the adversary to be resourced constrained, where we inhibit their capacity to move laterally and we hunt them and monitor them without them knowing that we’re doing so. That’s the type of environment we need to migrate to — I call that environment ‘intrusion suppression’.”
To achieve this, he believes that business must move to silent hunting. “This could be done with iron boxing, modern whitelisting, next gen AV that includes endpoint detection and response, and deception technology. Hunt tools need to be more widely deployed. Memory augmentation should be employed, and adaptable authentication based on the level of risk can enforce 2 or 3 factor authentication with a biometric live challenge/response, all depending on the level of risk. Existing outward-facing network defenses are largely failing. The modern network has really evolved to cloud and mobility which makes the security of the endpoints paramount, and the capacity to record and monitor all activity on the endpoints is absolutely quintessential to success.”