Security / October 24, 2018

Money, Power and a 401k: Even Bad Guys Get Performance Reviews

What do you think when you hear the term “hacker?” Is it a shady character in a black hoodie, typing furiously on a keyboard, or a teenager in a basement cackling wildly because they just bought 500 pairs of Nikes with your credit card? It could be some miscreant in a foreign country locking your computer with ransomware and extorting you out of your grocery money. All of them motivated by greed, malice or all-around evil.  

Note that I hesitate to use the terms “bad” or “good,” but I’m going to stick with these words for ease of narrative. What this blog will show is it’s a matter of macro, diplomacy between two superpowers, and micro, looking at it from the position of the individual.

With that said, our industry tends to discuss adversaries in abstracts and archetypes. The ever ominous, ephemeral “bad guy,” for example. It could be a hoard of remote-controlled botnet computers coming to steal your information. From director Michael Bay, Computers Everywhere Coming to Get You! coming Spring of 2019.

The reality is, artificial intelligence isn’t a thing. Your toaster isn’t sentient and the blockchain isn’t hacking you, at least not that we know of. Actually, nobody really understands blockchain; it very well could be out to get you. I hope blockchain doesn’t read this blog.  

Understanding the Human Is Necessary to Win

If we can push aside all this fear, uncertainty and doubt (FUD), the reality is that the face of the modern adversary is far from these tropes and stereotypes. These bad guys are no different than you or I. We talk a lot about kill chains and life cycles, but in reality, we are all humans defending against other humans.

Knowing tactics, techniques and procedures is not enough. Dumping a list of IP addresses and filenames into a database and then searching for them is not enough. We need to understand the human. What do they need? Why do they need it? How are they going to get it?  

One of my favorite illustrations of the human vs. human ideal comes from a DerbyCon 2017 talk by Ryan Nolette entitled, “How to Hunt for Lateral Movement on Your Network.” The recording of his talk is worth every minute of your time.

For now, I’ll expand on Ryan’s “Attacker Personal Lifecycle,” which is discussed in the talk. There is a poor sysadmin who hates their job. They realize they can make money doing bad stuff for hire. They get other like-minded people together and soon we have a hacking group. Get enough people in that group, it becomes a business like any other. Deadlines, quotas, logistics, miscommunications. These businesses also have their own departments. Department x is good at web application injection attacks, department y specializes in malware development and department z is adept at phishing.  

Now think about your own company. Is everyone there an A player? Probably not. Just like Bob in sales routinely misses filing his client invoices and Alice keeps stealing your lunch from the fridge, these humans make mistakes too. It’s our job to figure out where they could have gone wrong and adding ghost peppers to your sandwich to teach Alice a lesson.

Hacking for the Motherland: Just Another 9 to 5 Job?

Next, we move from Adversary, Inc. to a fun illustration of things going wrong within a nation-state. Jack Rhysider has a remarkable podcast entitled DarkNet Diaries, and episode 10 “Misadventures of a Nation-State Actor” should be required listening for anyone in the information-security community. 

In the episode Jack interviews a person who worked for a nation-state hacking team. They detail their operations, motivations and even their failures, such as deploying an exploit that routinely crashed the targets’ computers, which almost blew the whole operation. I list this as an example to illustrate that adversaries are humans, adversaries make mistakes and, just like you and I, they have bills to pay and bosses to please. Even bad guys get performance reviews.

Viewing Things from Another Perspective

Next, consider a more culturally based discussion on what defending against an adversary really means. There’s been a lot of discussion within the information security community on the recent U.S. indictments against Chinese nationals.  Our first reaction might be that they are absolutely guilty, bring them to justice. Criminals, every one of them; but let’s think about it another way.  

These people are exceptionally adept at their craft and live in a nation that thrives on technology. It’s a decent living and they don’t even see these acts as illegal or wrong. They’re helping their country and making their family proud. It’s a job like any other.

Another less wholesome take is that they are compelled to do these hacks by their own government. “No” isn’t an option for them. For more analysis on nation-state tactics and an analysis on good vs. bad guys, I highly recommend the blog post “I Have the High Ground” by Mitch Edwards, intelligence analyst and authority on Chinese cybercrime and Advanced Persistent Threat (APT) activity.

Understanding Your Foes Can Inform Your Defense

So, what do we do with all this information? Blogs like this are useless without some actionable advice at the end, something to sink your teeth into and affect some real change in your organization. Since the NSA is the only entity with mind control technology, we can’t possibly see inside the hearts and minds of every adversary that means to cause havoc on your bottom line. We can come close, though.  

We can start by getting our intelligence feeds in order. This includes things like knowing your own environment. What assets do you have that, if compromised, would devastate your balance sheets? Once you know that, become aware of who would want that information. What would they do with it? How would they go after it? I’ll save you the obligatory Sun Tzu quote, but if you don’t know yourself, you’ll never truly know your adversary.

From there we can move towards adversary emulation. I’m not talking about your run of the mill vulnerability scan or penetration test with a scope so narrow it couldn’t pass a SOC1 audit, but something immersive and scary enough to worry Liem Neeson from the movie Taken. I’m talking about actual red team engagements.

Additionally, no matter your experience level in information security, I recommend getting in the habit of reading whitepapers and reports on threat groups. The FireEye Advanced Persistent Threat reports and the Verizon 2018 Data Breach Investigations Report are both excellent starting points.  

In conclusion, it’s important to begin our conversations not with the latest and greatest in blinky boxes and buzzwords, but with an understanding of who we are defending against. It’s not an easy task, but a necessary and impactful one. These are conversations that begin as they end, with the hands on the keyboards. Happy hunting! 



Back to top