In 2021, some of the best cybersecurity advice comes from a 2500-year-old book. In The Art of War, Chinese military leader Sun Tzu said: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
It’s important to know your enemy, but today they are often online, hidden half a world away behind a virtual jungle of IP addresses and domain names. What can we learn about them? Here are some things that we’ve gleaned after years of tracking online adversaries at Nuspire.
Many people still envision lone teen misfits hacking targets from their parent’s basements. These script kiddie hackers still exist, but the professionals have long since evolved.
These days, online intruders are part of sophisticated enterprises stemming from organized crime or even allegedly state-backed groups such as Russia’s APT 29. They devote considerable resources and expertise to researching and infiltrating their targets, and frequently develop their own zero-day attacks.
These adversaries have different motives depending on their background. State-backed actors often have non-financial goals. Iran often seeks to disrupt critical national infrastructure, for example, while hackers working for China’s military often seek commercial and military secrets.
Conversely, organized crime groups are typically after money. They develop sophisticated business models that continually evolve. Early ransomware gangs evolved into ransomware-as-a-service (RaaS) operations featuring complex networks of affiliates and commission schemes. They have also expanded into ‘double dipping’ attacks that steal data before encrypting it. This gives attackers another extortion opportunity by threatening to publish sensitive files online.
This ruthless professionalism also makes attackers more reliable than they used to be because their livelihoods depend on it. RaaS operations wouldn’t last long if they didn’t make it easy for victims to pay up and then honor their decryption promises. Their support operations are slicker than many legitimate software companies, offering chat support, discounts for prompt payment, and in some cases online cryptocurrency-based e-commerce and decryption key download sites.
Online criminals are adaptive, frequently aligning their attacks with current events such as the pandemic. Interpol noted a marked rise in COVID-themed phishing scams, malware, and malicious domains during the first months of the crisis. Exploiting current events renders victims more susceptible to attacks because it exploits curiosity and fear.
Social engineering attacks like phishing are often part of a multi-layered attack chain that increases an adversary’s chance of success. For high-yield targets, they might break out zero-day attacks either developed in-house or purchased on dark markets. However, these gangs are also economical with their attacks. Where possible, they’ll use existing vulnerabilities that victims have failed to patch.
If there’s one thing we’ve learned about the enemy, it’s that they don’t respect breaks and holidays. An attacker doesn’t stop just because you’re off for the July 4 long weekend. In fact, that’s when they’re likely to launch an attack because they know that your guard will be down and your security operation will be running on a skeleton crew if it has one at all.
The REvil ransomware gang’s attack on hosting company Kaseya’s customer base was a case in point. It surfaced on July 2, the Friday before the long weekend, forcing the company to respond when many people would have been away.
The internet may have leveled global boundaries, but that doesn’t make it a level battlefield. It offers significant advantages to those who can exploit it properly, protecting them against retaliation.
Many attackers operate in countries that depend less on the public internet, making it difficult to retaliate against them. Their governments, in countries like Russia, China, Iran, and North Korea, are careful to wall off their internet infrastructures and are often slow to assist western law enforcement in shutting cybercriminals down. In some cases, authorities may even implicitly sanction their activities.
This creates an uneven battlefield for western victims who depend heavily on the public internet to do business and are therefore heavily exposed to attack. It exacerbates the concept of asymmetric warfare. While western cyber attack targets must be lucky every time to avoid compromise, their attackers need only be lucky once.
How can network defenders keep being lucky? A little help goes a long way on this uneven battlefield. Nuspire keeps track of what adversaries are up to using three techniques.
The first is open-source intelligence (OSINT). This scours the public domain for information about attacker activities and indicators of compromise. The second, threat intelligence, uses specialist data-gathering platforms that compile and disseminate information about emerging threats. Finally, analysts employ human intelligence (HUMINT), in which they track the enemy and watch their communications via platforms like the dark web to better understand their plans.
At Nuspire, we mine the information that we’ve learned from these sources along with our own internal customer network to identify new threats and techniques. We alert customers about these threats at a sector-specific level. We ensure that our customers don’t need luck to stay protected.
We treat the constant battle between attackers and defenders in cyberspace as a form of warfare. We must, because the sophisticated enemies we face certainly do, and they’re constantly improving their weaponry. With our help, you can harden your armor and retain the advantage.