When the Hunted Becomes the Hunter: Turning the Tables on Cyber-Attackers
Phil Zimmermann once said: “Never trust an encryption algorithm designed by someone who had not ‘earned their bones’ by first spending a lot of time cracking codes.”[1]
Whether this is true or not is hard to verify outside the multiple ringed fences of Fort Meade, but it highlights something which is often forgotten in many areas of security: the dichotomy of attacker and defender is often a false one. A defender unfamiliar with the techniques used by an attacker is likely to do a poor job keeping an experienced attacker out. An attacker unfamiliar with his target’s defensive capabilities will soon be detected.
Good attackers know this well.
Since 2010-2011, information about how skilled attackers behave has become widely known. Lockheed Martin’s Cyber Kill Chain™ and other Computer Network Defence (CND) methodologies have highlighted the broad strokes of advanced cyber operations, often honed over years of experience defending government and Defence Industrial Base clients. This experience, and years of watching attackers in action, is now reaching the enterprise and commercial sectors, which are facing advanced attackers as well.
For this blog post, I will use the Lockheed Martin Cyber Kill Chain to describe attack phases. Just as mature organizations know to expect attacks, a good attacker will expect a good defence. This highlights the dual role: the attacker must also defend themselves. In the early reconnaissance phases of an attack, most will use both public and private information to understand the likely defensive capabilities they will face. Some fairly common examples:
- LinkedIn searches to understand who is currently employed in security architectural and operational roles
- The experience those staff have, and the tool sets they claim to use
- Vendor “win” information: Are vendors claiming this organization as a “win” or a reference site?
- Commercial databases compiled by marketing organizations, indicating the IT products purchased by specific organisations, based on phone surveys
- Searches on specific email addresses in security forums, revealing issues and advice from company employees to others on the forums
This list is not exhaustive, and represents a purely passive reconnaissance phase. Active reconnaissance, whereby direct contact may be made with the company via various anonymized channels, can be even more effective, although it carries a higher risk to the attacker. Highly mature organizations realize that their publicly accessible information can itself be a honeypot to detect an attack, and will mine their web logs and/or plant honeypots in social media to give them warning that an attacker is in the reconnaissance stage against them.
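One concrete way to use web logs as a reconnaissance tripwire, as an added example that is not part of the original post: publish a few pages that are linked from nowhere a legitimate visitor would follow (a fake security-team roster, a fake vendor reference document), then scan the access log for any request touching them. The log lines, honeytoken paths and IP addresses below are constructed for the example; the combined log format is the standard Apache/nginx one.

```python
import re
from collections import defaultdict

# Constructed sample web log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:09:12:03 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:09:12:09 +0000] "GET /internal/security-team-roster.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:09:13:30 +0000] "GET /vendor-reference-siem-deployment.pdf HTTP/1.1" 200 300 "-" "curl/7.38"
198.51.100.4 - - [10/Mar/2015:09:15:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:09:15:50 +0000] "GET /careers.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Constructed honeytoken paths: pages deliberately linked from nowhere a normal
# visitor would follow, so any request for them is a reconnaissance signal.
HONEYTOKEN_PATHS = {
    "/internal/security-team-roster.html",
    "/vendor-reference-siem-deployment.pdf",
}

# Combined log format: ip ident user [timestamp] "method path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_recon_hits(log_text, honeytokens=HONEYTOKEN_PATHS):
    """Group honeytoken requests by source IP.

    Returns {source_ip: [(timestamp, path, status, user_agent), ...]} containing only
    the requests that touched a honeytoken path. Any entry is worth an alert: the page
    is unreachable by normal navigation, so the visitor found it by enumeration or
    by following a planted breadcrumb.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line; skip rather than crash the scan
        if rec["path"] in honeytokens:
            hits[rec["ip"]].append((rec["ts"], rec["path"], int(rec["status"]), rec["ua"]))
    return dict(hits)


def summarise(hits):
    """One alert line per source IP, suitable for a SIEM or a daily report."""
    return [
        f"{ip}: {len(events)} honeytoken request(s), first at {events[0][0]}, paths={sorted({e[1] for e in events})}"
        for ip, events in hits.items()
    ]


if __name__ == "__main__":
    for line in summarise(find_recon_hits(SAMPLE_LOG)):
        print(line)
```

Running it on the sample flags only 203.0.113.7, which requested both honeytokens within a minute; the second visitor, who stayed on public pages, produces nothing. In production the same logic runs as a scheduled job over the rotated log, and the honeytoken paths should be excluded from the sitemap and robots.txt so that a well-behaved crawler never trips them.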
Once armed with an understanding of the sophistication of the target’s defence, the attack will proceed through the weaponization, delivery, exploitation and installation phases. Once the command and control channel is deployed, the attacker is inside. It is at this point that a good attacker will immediately become defensive. They are likely to do three things in quick succession:
1. Immediately baseline their environment, and start the process of mapping the lateral movement which will achieve their objectives
2. Start planning the establishment of a second ingress point, should their attack be detected and repelled
3. Attack authentication services, seeking credentials that allow them to assume the identity of a legitimate user or users, which further covers their activities.
So why baseline the environment? Simple: they are trying to detect whether they have been seen. Establishing a SPAN port, deploying tools on servers, and putting interfaces into promiscuous mode are all clues that tell the attacker they may have been spotted. Once they suspect this, they will go to ground, shut down C2 channels (with a timed restart in the future), and stop all operations. Finding them will then be exceedingly difficult.
When designing a CND architecture suitable for a modern, sophisticated enterprise, it is essential to enable as-needed visibility into the entirety of your network. The architecture must:
- Enable access to any CND tool at any time for any part of your network
- Require no changes to the existing infrastructure (hardware, software or configuration) when tactically deployed
- Be able to deploy relatively slow tools on very fast networks
- Be able to feed network traffic to as many tools as needed, in parallel
- Be totally invisible to an attacker
GigaSECURE®, the industry’s first Security Delivery Platform, meets all of these requirements. Functionally, a visibility fabric operates like a data diode: network data can only flow from network ports (attached to attacker-invisible TAPs) to tools. This unidirectional traffic flow means that no matter what tool you deploy, the attacker cannot see it. As a defender, you have complete visibility. Your attacker has no visibility of that defensive capability.
Indeed, GigaSECURE on a fibre network works fine with the transmit lights on the network ports completely unplugged, and the receive lights on the tool ports also unconnected. The tools can be deployed in a highly protected security zone. For maximum security these tools can be air gapped from the network entirely, with data transit only on physical media. Where this is impossible, tightly configured firewalls between the rest of the network and this zone are strongly recommended.
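The one-way property described above (network port to tool, never back) is something a defender can verify on the tool side rather than take on trust. As an added example, not Gigamon's code, here is a small audit over a Linux sensor's interface counters: any interface that is supposed to be a receive-only monitor port but shows transmitted packets is leaking frames (ARP, DHCP, IPv6 neighbour discovery) onto the tapped segment, which is exactly the kind of clue the baselining attacker in this post is looking for. The `/proc/net/dev` snapshot and the interface names `tap0` and `tap1` are constructed for the example; the column layout is the real kernel format.

```python
# Constructed /proc/net/dev snapshot from a hypothetical sensor host; not real counters.
# eth0 is the management interface, tap0 and tap1 are meant to be receive-only monitor ports.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 9876543   80000    0    0    0     0          0         0  4567890   60000    0    0    0     0       0          0
  tap0: 55555555 4000000    0   12    0     0          0         0        0       0    0    0    0     0       0          0
  tap1: 66666666 5000000    0    0    0     0          0         0     4200      42    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Parse /proc/net/dev text into {iface: {rx_bytes, rx_packets, tx_bytes, tx_packets}}.

    The first two lines are headers. Each data line is "<name>: <16 counters>", with
    receive counters in columns 0-7 and transmit counters in columns 8-15.
    """
    counters = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = rest.split()
        counters[name.strip()] = {
            "rx_bytes": int(fields[0]),
            "rx_packets": int(fields[1]),
            "tx_bytes": int(fields[8]),
            "tx_packets": int(fields[9]),
        }
    return counters


def audit_passive_ports(counters, monitor_ports):
    """Check that monitor ports behave like the receive side of a data diode.

    Returns {"transmitting": [...], "silent": [...], "missing": [...]}:
      transmitting - monitor ports that have sent packets, so the sensor is visible on the tapped segment
      silent       - monitor ports that have received nothing, so the tap feed is probably broken
      missing      - names not present in the counters at all (typo or interface down)
    """
    result = {"transmitting": [], "silent": [], "missing": []}
    for port in sorted(monitor_ports):
        c = counters.get(port)
        if c is None:
            result["missing"].append(port)
            continue
        if c["tx_packets"] > 0:
            result["transmitting"].append(port)
        if c["rx_packets"] == 0:
            result["silent"].append(port)
    return result


def read_live_counters(path="/proc/net/dev"):
    """Read the real counters on a Linux host (not used by the test; shown for deployment)."""
    with open(path) as f:
        return parse_proc_net_dev(f.read())


if __name__ == "__main__":
    findings = audit_passive_ports(parse_proc_net_dev(SAMPLE_PROC_NET_DEV), ["tap0", "tap1"])
    for kind, ports in findings.items():
        if ports:
            print(f"{kind}: {', '.join(ports)}")
```

On the sample, `tap0` passes (millions of packets in, none out) while `tap1` is reported as transmitting: 42 frames have left a port that should never speak. The usual causes on a Linux sensor are an address or IPv6 autoconfiguration left on the interface; `ip link set dev tap1 arp off` and `sysctl -w net.ipv6.conf.tap1.disable_ipv6=1` are the standard knobs, and re-running the audit after reconfiguration should show the TX counter frozen. With an optical tap whose transmit strands are physically unplugged, as the post describes, the counter can never move at all, which is the stronger guarantee.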
At Gigamon, one of the most common things we hear from security customers is “I wish we had more visibility for incident response.”
So let’s all stop thinking about just defence, and embrace the duality by thinking as an attacker as well. We’re not just the hunted; we need to think like the hunter at the same time. At Gigamon, we often say that you cannot defend against what you can’t see. If your attacker doesn’t see your tools, then the attacker can’t know your capabilities to defend, detect and repel. Let the attacker find out the hard way.