Martin Narciso, StoneTurn Consultant, is a co-author of this article.
In 2022, a plethora of factors disrupted the threat actor ecosystem, including war, economics, regulatory activity, and ever-evolving defensive best practices. These shifts have forced threat actors to change their strategies at the micro-level, finding new methods to bypass emerging controls or shifting old techniques to novel mediums. For those of us in the business of defending our institutions from a technical or legal perspective, these micro-level shifts may feel seismic. How can today’s organizations possibly remain a step ahead of attackers who always seem to have the advantage? Continuously assessing multiple sources of information, such as cyber threat, business, and geopolitical intelligence, can help move entities toward a more predictive posture.
The traditional hyper-focus on specific attacker means, such as the tools used or the vulnerabilities exploited, hinders our ability to see the consistent throughline in their objectives. Many threat actors are financially motivated and will work to obtain sensitive data for the purpose of extorting or manipulating their victims into surrendering to their demands. Thus, they seek first to gain access to networks and then to elevate their level of access. With their newfound privilege, they explore enterprise resources, identify the crown jewels, and steal or otherwise compromise them for leverage or resale.
Threat Actors are Crisis Generators
Threat actors evolve their malicious tactics, techniques, and procedures as quickly as defenders adapt and challenge them. There are several notable examples, such as the shift from attackers sending phishing emails containing weaponized documents to sending messages with password-protected attachments which, when clicked, behave as if the user had plugged in a removable hard drive containing trojan-horse files. This occurred in the wake of Microsoft blocking by default certain Office features heavily used by hackers. Regardless, the end goal remains the same for the attacker: compromise a system and gain initial access in order to elevate privileges, move laterally across the network, discover valuable information, and take it. Another good example is the rise in phishing by text message (short message service, or SMS), known as smishing. Many users have been through countless trainings on the perils of traditional phishing emails, and mail providers themselves have grown quite capable of filtering out would-be phishing messages. Consequently, attackers have shifted to SMS, where limited filtering capability exists and users are less likely to recognize or suspect a phishing attempt.
These new strategies will be effective for a time, until we can mount new defenses. To some extent, this is because threat actors still maintain the “attacker advantage.” The traditional view of attacker and defender dynamics requires the threat actor to take offensive action first before we can defend. In this model, their ingenuity drives the responses we need to develop. This forever relegates us to a position of significant disadvantage, in which attackers control crises. However, if we dismiss this traditional view in favor of more strategic thinking, we can get in front of attacker techniques, both new and old.
Moving From Reacting to Predicting
Focusing on the specific methods threat actors use may feel overwhelming because, on a whim, attackers can change their tactics and render that focus obsolete. There are two ways, however, to view the dynamics described above:
- As burgeoning attacker techniques we react to; or
- As pieces of a larger picture, which we can reasonably predict.
We cannot sensibly intuit what malware an attacker will use as a payload in a social engineering attack (e.g., phishing or smishing), but we can seek to be informed enough to predict which tactics would work in our respective environments. When we have sufficient intelligence regarding the objectives and tactics of the cyber threat actors who would benefit from exploiting our equities, natural questions should arise about our own posture:
- Are ransom/extortion groups currently using remote desktop software (RDP) and email as primary vectors for exploitation? Does our environment use RDP, and is its use adequately secured?
- Are our employees adequately trained to recognize a fake help desk call or a phishing email?
- Is our company in the news or exposed in some other way as going through a merger or acquisition?
In fact, many security practitioners did ask those exact questions in early 2022 as a result of what threat actors were doing at the time. Some learned that, taken together, the risk exposed by their answers meant the chances of experiencing an incident rose exponentially. Successful cybersecurity programs continually assess how attractive the company may be as a potential target, predict the likelihood of threat actor exploitation and success, and then drive action to reduce that probability.
Who Will Drive Your Next Crisis?
Moving towards a more predictive posture, leveraging multiple sources of information such as cyber threat, business, and geopolitical intelligence, allows organizations to gain a better handle on crises before they occur. By making strategic decisions, entities can reduce their attractiveness as a viable threat actor target. As in other aspects of business, preventing or discouraging a crisis is always preferable to responding to one. Taking steps today will pay dividends for organizations tomorrow.