Over the past year, many nation-state adversaries have shifted the end goal of their advanced persistent threat cyberattacks from stealing intellectual property to establishing footholds across critical infrastructures.
A cybersecurity advisory issued recently by the Cybersecurity and Infrastructure Security Agency, National Security Agency, and Federal Bureau of Investigation warned that state-sponsored cyber actors are seeking to pre-position themselves on IT networks for possible attacks against U.S. critical infrastructure in the event of a major crisis or conflict with the U.S.
With everything from national security to the American way of life at risk, defenders must rise to meet the ever-evolving challenges present in cyberspace. The good news is malicious threat actors, who are sometimes glorified as unstoppable, often leave a trail of mistakes that defenders can exploit to proactively prevent attacks before they occur.
Locating threat actor mistakes
Being on the offensive, many threat actors neglect to protect their own assets. Sloppy setups, including the use of outdated encryption methods, make attacker infrastructures vulnerable to defenders looking for countermeasures.
Threat actors have also forgotten to protect their own malware, which ends up on open servers, giving defenders an opportunity to pull it apart and build protections before it is ever used. Vulnerabilities have even been found in malware itself, allowing defenders to crash an attacker's implant with the right packet. Some threat actors have simply forgotten to log into their virtual private networks before logging into their infrastructures, revealing geolocation data that has enabled law enforcement to identify them.
Defenders can exploit these mistakes and beat adversaries at their own game by embracing an operational framework known as persistent engagement.
Understanding persistent engagement
Traditionally, defenders who perform adversary detection have treated it like counter-battery artillery fire. Similar to radar, when threat actors strike, defenders deploy tracking mechanisms to identify the point of origin and respond. Unfortunately, in a counter-battery-fire scenario, defenders are required to wait until the first strike to begin defending, meaning damage is unavoidable.
Through persistent engagement, defenders can be proactive rather than reactive and pursue points of origin well before threat actors strike. These origin points can now be located through pattern matching, comparing infrastructure commonalities to connect the dots. Activities such as repeating vendor purchases, reusing common components, and using the same common engines on the backend indicate the beginnings of larger infrastructures tied to specific nation-state threat actors or groups.
These tactics are the cyber equivalent of using unmanned autonomous vehicles on the battlefield to find weapons before the opposition even sets up, let alone opens fire. In other words, it takes the initiative away from adversaries and forces them to react.
Defenders can secure this first-mover advantage by leveraging artificial intelligence and machine learning capabilities to comb through tens of thousands of new domain registrations and millions of data points each day, identifying potential attacker infrastructure at speed and scale. Tracking these movements and finding threat infrastructure as it is stood up allows defenders to understand and reverse engineer a threat actor's processes. That collective intelligence can then inform a new era of persona-based detections and models, which accelerate detection of the same actors' future setups and so avoid the damage or loss they would otherwise cause.
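To make the infrastructure pattern matching described above concrete, here is an added example (not code from the article or from Booz Allen's DarkLabs) that clusters newly observed domain registrations by reused components. The record layout (registrar, name server, hosting ASN, TLS certificate fingerprint), the link weights, and every domain and value in the sample feed are constructed assumptions standing in for what a real registration and hosting feed would expose. It also shows the check a practitioner needs in practice: values shared by very many unrelated domains (a large provider's name servers or ASN) must be excluded from linking, or the whole feed collapses into one meaningless cluster.

```python
"""Cluster new domain registrations by shared infrastructure and pivot from known seeds.

Added illustration; not the article's or Booz Allen's code. All records, domains and
attribute names below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Registration:
    domain: str
    registrar: str
    name_server: str
    asn: str               # hosting autonomous system (constructed private-use ASNs)
    cert_fingerprint: str  # stands in for a SHA-256 TLS certificate fingerprint


# How much a shared attribute counts toward linking two registrations. Reusing a
# name server or a TLS certificate is a strong tie; a shared registrar or hosting
# ASN is common across unrelated domains and only a weak one. Weights are assumptions.
LINK_WEIGHTS: Dict[str, int] = {
    "name_server": 2, "cert_fingerprint": 2, "registrar": 1, "asn": 1,
}

# Constructed sample feed (reserved .example TLD). "known-c2" plays a seed domain
# already attributed to an actor; the rest are "new registrations" to be assessed.
SAMPLE_RECORDS: List[Registration] = [
    Registration("known-c2.example",   "RegistrarA", "ns1.cheapdns.example",   "AS64496", "cert-A"),
    Registration("new-portal.example", "RegistrarA", "ns1.cheapdns.example",   "AS64496", "cert-B"),
    Registration("new-login.example",  "RegistrarB", "ns9.otherdns.example",   "AS64497", "cert-B"),
    Registration("shop.example",       "RegistrarA", "ns.bigprovider.example", "AS64500", "cert-C"),
    Registration("blog.example",       "RegistrarC", "ns.bigprovider.example", "AS64500", "cert-D"),
]

# Values shared by huge numbers of unrelated domains (a large hosting provider here,
# constructed) carry no attribution signal and would merge everything together.
COMMON_INFRA = frozenset({"ns.bigprovider.example", "AS64500"})


class DisjointSet:
    """Union-find over domain names; groups grow as links are accepted."""

    def __init__(self, items: Iterable[str]):
        self.parent = {i: i for i in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_registrations(records: Iterable[Registration], threshold: int = 2,
                          ignore: frozenset = frozenset()) -> List[Set[str]]:
    """Group domains whose shared attributes score at least `threshold`."""
    records = list(records)
    # Inverted index (attribute, value) -> domains carrying it. Candidate pairs come
    # only from shared index entries, so unrelated pairs are never scored; this is
    # what keeps the approach workable on a large daily feed.
    index: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for r in records:
        for attr in LINK_WEIGHTS:
            value = getattr(r, attr)
            if value not in ignore:
                index[(attr, value)].append(r.domain)
    scores: Dict[Tuple[str, str], int] = defaultdict(int)
    for (attr, _value), domains in index.items():
        for a, b in combinations(sorted(domains), 2):
            scores[(a, b)] += LINK_WEIGHTS[attr]
    ds = DisjointSet(r.domain for r in records)
    for (a, b), score in scores.items():
        if score >= threshold:
            ds.union(a, b)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        groups[ds.find(r.domain)].add(r.domain)
    return list(groups.values())


def pivot_from_seeds(clusters: List[Set[str]], seeds: Iterable[str]) -> Set[str]:
    """Return not-yet-known domains that landed in a cluster with a known seed."""
    seed_set = set(seeds)
    hits: Set[str] = set()
    for c in clusters:
        if c & seed_set:
            hits |= c - seed_set
    return hits


def cluster_of(clusters: List[Set[str]], domain: str) -> Set[str]:
    """The cluster containing `domain`, or an empty set if it is absent."""
    return next((c for c in clusters if domain in c), set())


if __name__ == "__main__":
    clusters = cluster_registrations(SAMPLE_RECORDS, ignore=COMMON_INFRA)
    for c in clusters:
        print(sorted(c))
    print("pivoted from seed:", sorted(pivot_from_seeds(clusters, {"known-c2.example"})))
```

Two things in the output illustrate the point of the passage. `new-login.example` shares nothing with the seed directly, but it reuses the certificate of `new-portal.example`, which in turn reuses the seed's name server, so a chain of component reuse ties it to the actor before it has been used in an attack. And running without the `COMMON_INFRA` exclusion makes the two unrelated shop and blog domains cluster together purely because they sit on the same big provider, the kind of false linkage a production pipeline has to suppress.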
Imposing costs on adversaries
While the cyberattack detection and remediation cycle normally takes 162 hours, a persistent engagement strategy for tracking adversary infrastructure can deny a first attack altogether — eliminating the return on the adversary's investment in that infrastructure. Where threat actors normally use the gains from one venture to fund the next, persistent engagement can put a significant dent in the funds needed to execute further hacking attempts.
Mounting international tensions and rapid technological advancements have spawned increasingly sophisticated cyber threats. But proactively working to intercept and halt attacks, degrade adversary capabilities and networks, and strengthen the cybersecurity of U.S. infrastructure networks and systems is the key to flipping the script on nation-state adversaries.
Part of that proactivity for the operators of the nation’s most critical infrastructure is ensuring their security is up to date, and that they are leveraging the latest standards and guidance for their defenses. Investing in security models such as zero trust can improve an organization’s security posture and help defend against evolving threats.
The cat-and-mouse game between threat actors and defenders has been ongoing for quite some time and is poised to continue. However, proactive and persistent engagement allows defenders to stay one step ahead where it matters most, making industrial espionage and the disruption of U.S. critical infrastructure markedly more difficult — and costly — than adversaries expect.
Ian Tarasevitsch and Mike Saxton are members of Booz Allen’s DarkLabs team of security researchers. Tarasevitsch is a Chief Technologist at Booz Allen and a former U.S. Army Cyber Command officer who was responsible for network management and defense of a global network with over 1 million endpoints. Saxton is the Technical Director for Defensive Cyber Operations at Booz Allen.