
Counterintelligence for Cyber Defence

Intelligence analysis enables better defences against threat actors

In intelligence parlance the terms used are:

Capability
Intent
Opportunity

These are the foundational characteristics of a threat actor that a counterintelligence analyst considers when developing a defence. They are valid for cyber security threats of course, but where things get interesting is using the framework to model defence techniques. That is, how does a given defence technique impact the threat actor's fundamentals? For example, system hardening (such as ASLR) is essentially a "capability" defence, and those rapidly devolve into an arms race. An "air gap" is an "opportunity" based defence, which can be extremely robust due to the offence costs it imposes on the threat actor.

These fundamental aspects of threat actors provide paradigms through which cyber defence techniques can be assessed.

Conducting this type of intelligence analysis can reveal attacker weaknesses that defenders can, and should, exploit.

There are three potential vectors on which to battle an adversary in cyberspace: their capability, their opportunity, and their intent.

Countering the reason for the attack, the motivation driving the threat actor, is a powerful defence with a better chance of success than engaging in an expensive arms race against attackers' capabilities.

The intent of the threat actor is the primary factor which generates intrinsic vulnerabilities. Attackers are all attempting to achieve mission success (exfiltrating data, monetizing access, defacing a website etc.) without getting caught, and as quickly and quietly as possible. Mission success occurs as soon as the threat actor achieves their intent. Defeat their intent and they are denied the ability to achieve mission success.

When considering cybersecurity it is worth remembering a couple of important points: a) adversaries have resource constraints, and b) they have motives.

Cyber operations are conducted by threat actors. They are limited by their resources (e.g. nation state vs individual). They conduct operations which are enabled, and restricted, by their technical sophistication. The operation may be part of a wider campaign, or an isolated incident. Operations can have purpose or be aimless and opportunistic. Consequently, victims can be targeted or unlucky (opportunistic).

Operations all have an operational cycle (made up of a series of phases). Since cyberattacks are operations, they obviously have a sequence of stages the threat actor operators progress through. Here’s one division of operational stages for a cyberattack:

The threat actor selects a target and prepares their attack. This may be inverted ("I have a capability for SoftwareProduct v1.0 — v1.24, who's vulnerable?"). The planning and preparation are entirely dependent on the type of threat actor. If the execution of their attack was successful they will typically attempt to clean up traces and hide their activities. And they will attempt to exploit their success in some way, possibly exfiltrating data or monetising their access. This final stage, the exploitation of the access gained, is where the attacker's intent is most relevant.

It can be most beneficial to understand cyber operators in terms of the final stage of the operational cycle: exploitation. How the threat actor (or their superiors) expect to benefit from the operation reveals their intent. The goal of the operation is to effect that exploitation, which means the best defence strategies will mitigate that exploitability.

Properly implementing cybersecurity defences requires threat models that factor in opportunity, understand capabilities, but which minimise, neutralise, or counter the threat actor's intent. Battling threat actors' capabilities is an arms race. Defences based on reducing opportunity ("air gapped systems") require discipline to maintain and have limited utility. But remove the point of compromising the system at all, and that is winning before the battle begins.

Once threats have been modelled based on their capability, intent, and opportunity, the counterintelligence approach to developing a defence plan is to apply strategies of denial and deception. This also maps very well onto the cyber domain.

The majority of cybersecurity products on the market are focused on attacker capabilities ("stops 0days and malware!"). This is an arms race and it is one where the attacker has a distinct advantage because they have a reliable feedback loop: they know when something works.

This is a market for lemons and silver bullets. Vendors have an idea of the capability of their systems, but their customers don't. Defenders are trapped in a battle between vendors where they are unable to tell a good product from a bad one. Attackers know when an attack works, and they only have to "get lucky" once, while defenders are stuck in a market for lemons. Worse, they are battling attackers on the "capability" vector, which reduces to an arms race where the offence has the advantage (a working, instantaneous, unmistakable, accurate feedback loop).

Fundamentally for defenders, the truly effective techniques, the ones that work, are the same ones that have always worked (and still are so seldom implemented): network segmentation, patching, asset management, credential management, minimising trust relationships, least privilege, vigilant monitoring of long tail rare events, etc. etc.

Capability centric cybersecurity defences rapidly become arms races, and those are expensive. Worse for defenders, attackers have natural advantages (such as more rapid and accurate feedback loops). While the fundamentals are certainly necessary to raise attacker costs, capability centric cybersecurity approaches are heavily tilted in the attacker’s favour.

There is some security gained by engaging in a contest to limit a threat actor’s opportunity to attack — such as air gapped networks — however, that is not as reliable a solution as many hope.

Not only are perfect air gapped networks generally of limited utility, but they are also extremely expensive and hard to maintain over long periods of time. It gets worse when the size of the network and number of users is large, because then the security is not insurmountable, but merely a higher cost to adversary resources, primarily time. Creating an air gapped network is easy. Maintaining one, and preserving the integrity of the gap, is difficult.

Regardless, for most businesses it simply isn't a viable option. Without Internet connectivity they don't have a competitive business. Granted, this is not true for all parts of a company (for example, industrial control systems should not be on the Internet), however it is true for the functioning of many day to day business needs.

Although I include reducing attack surface in this category (i.e. an attacker can't compromise a system, or service, that doesn't exist), that methodology is also hard to implement. Finding unnecessary systems and removing them is hard and thankless, and not a great career move: not many people get promoted for decommissioning systems. There isn't a lot of management recognition for successfully not deploying a system. "Great job not growing your team's assets, roles, and responsibilities! Here's more budget and a raise."

The high cost of maintaining systems which effectively limit attacker opportunity means that few businesses even bother to try. Vendors are not about to jump into the space and make it easier for companies either, since much of what preserves an air gap is process, not technology. Threat actors have the opportunity to attack everything on the Internet, and they do.

The role of motivation and intent in driving threat actor actions is not a hot topic of analysis, not compared to the sexiness that is 😱day. As a defence it can be very simple to implement. For example, to reduce the attractiveness of a database for attack, simply don't store PII data. This risk reduction approach can be extremely effective in dissuading an attacker from even investing resources in the attack, as those resources are guaranteed to be wasted. Remove the ROI, and the attack is no longer worth the hassle.
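As an added illustration of "remove the ROI" (this is example code, not from the original post), consider a customer table that must still support lookups by e-mail but should be worthless as a dump. The usual half-measure, an unkeyed SHA-256 of the e-mail, is reversed by an attacker with a word list, so the dump keeps its value. A keyed pseudonym (HMAC-SHA-256 under a key that lives outside the database, e.g. in a KMS or HSM) gives the application the same lookup while the stolen table alone yields nothing. All records, the word list and the `DB_KEY` stand-in are constructed for the example.

```python
"""Added example: making a database dump worthless by never storing raw PII.

Compares an unkeyed hash (still recoverable from the dump) with a keyed
pseudonym whose key is held outside the database. Everything here is
constructed sample data, not a real schema or real customers.
"""
import hashlib
import hmac
import secrets

# Stand-in for a key fetched from a KMS/HSM at runtime. It is never written
# to the database, so a dump of the table does not include it.
DB_KEY = secrets.token_bytes(32)

# Constructed customer identifiers the application needs for login/lookup.
CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.net"]

# Constructed stand-in for a leaked e-mail corpus an attacker would try.
ATTACKER_WORDLIST = ["alice@example.com", "bob@example.com", "dave@example.org"]


def plain_hash(email: str) -> str:
    """Unkeyed hash: deterministic and keyless, so a dictionary reverses it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes = DB_KEY) -> str:
    """Keyed pseudonym: same deterministic lookup property, useless without key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def build_table(emails, pseudonymise) -> dict:
    """The only thing stored at rest: the pseudonym plus non-PII attributes."""
    return {pseudonymise(e): {"plan": "basic"} for e in emails}


def attacker_recovers(dumped_table: dict, wordlist) -> list:
    """What an attacker holding only the dump can recover: they can compute
    unkeyed hashes of guesses, but not HMACs, because DB_KEY is not in the dump."""
    return [w for w in wordlist if plain_hash(w) in dumped_table]


def lookup(table: dict, email: str, key: bytes = DB_KEY):
    """The application's legitimate lookup path: recompute and fetch."""
    return table.get(keyed_pseudonym(email, key))


if __name__ == "__main__":
    weak = build_table(CUSTOMERS, plain_hash)
    strong = build_table(CUSTOMERS, keyed_pseudonym)
    print("recovered from unkeyed dump:", attacker_recovers(weak, ATTACKER_WORDLIST))
    print("recovered from keyed dump:  ", attacker_recovers(strong, ATTACKER_WORDLIST))
    print("app lookup still works:     ", lookup(strong, "Alice@Example.com"))
```

The caveat a practitioner should keep in mind: this only removes the ROI if the key genuinely stays out of reach of whoever can reach the table (separate service, separate credentials, separate blast radius). If the key sits in the same environment as the database, the "keyed" table is just the unkeyed one with extra steps.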

Attackers that are motivated by financial gain, or information, can be disincentivized by not storing the data which attracts their interest. But pure denial based techniques aren’t the only approach for this cyber defence vector. There are even more interesting options, particularly around deception operations.

By understanding the intent of the threat actor, and knowing their motivation, it becomes possible to manipulate their actions in ways that increase their vulnerability to defenders. And make no mistake, attackers are very vulnerable; it's just that they are mostly operating in environments where their vulnerabilities are never exploited.
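One concrete deception operation that follows from knowing the attacker's intent, added here as an example and not taken from the original post: a data-theft actor will enumerate and dump the customer and credential tables, so seed those tables with decoy rows (honeytokens) that look valuable but that no legitimate code path ever selects. Any access to a decoy is then a near-certain indicator. The table names, decoy ids, log format and log lines below are all constructed for the example; a real deployment would use its own audit-log format and exclude decoys from legitimate bulk jobs such as backups, or those jobs would trip the alarm.

```python
"""Added example: honeytoken rows as an intent-driven deception control.

Decoy records are planted among real data and an access log is checked for
any read that touches them. Log format, ids and lines are constructed.
"""
import re
from dataclasses import dataclass

# Decoy rows planted in production tables. They look like exactly what a
# data-theft or credential-theft actor wants, but the application never
# references them, so a legitimate read of these ids should not happen.
DECOY_IDS = {
    "users": {"u-9001", "u-9002"},   # e.g. "svc_backup_admin", "finance_export"
    "api_keys": {"k-7001"},           # valid-looking key, revoked at issue time
}

# Constructed audit log: one line per read, with the row ids touched.
# The batch job (backup) deliberately never reads decoys; the last two lines
# are an attacker enumerating whole tables from a compromised web host.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z app=web src=10.0.1.5 table=users ids=u-1001
2024-03-01T10:00:07Z app=web src=10.0.1.5 table=users ids=u-1042
2024-03-01T10:03:15Z app=batch src=10.0.2.9 table=api_keys ids=k-1001,k-1002
this line is not in the expected format and must be skipped
2024-03-01T11:47:30Z app=web src=10.0.1.77 table=users ids=u-1001,u-1002,u-9001,u-9002
2024-03-01T11:47:31Z app=web src=10.0.1.77 table=api_keys ids=k-1001,k-7001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) src=(?P<src>\S+) table=(?P<table>\S+) ids=(?P<ids>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    app: str
    table: str
    decoys: frozenset


def parse_line(line: str):
    """Parse one audit line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ids"] = set(rec["ids"].split(","))
    return rec


def detect(log_text: str) -> list:
    """Emit one Alert per read that touched at least one decoy row.

    There is no threshold or tuning: a single hit is the signal, because the
    attacker had to avoid every decoy and the defender only needed one."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = rec["ids"] & DECOY_IDS.get(rec["table"], set())
        if hit:
            alerts.append(Alert(rec["ts"], rec["src"], rec["app"],
                                rec["table"], frozenset(hit)))
    return alerts


def attacker_sources(alerts) -> set:
    """Pivot point for response: which sources touched decoys."""
    return {a.src for a in alerts}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} DECOY READ src={a.src} app={a.app} table={a.table} ids={sorted(a.decoys)}")
    print("hosts to contain:", attacker_sources(found))
```

The design choice worth noting is that the control costs nothing on the capability vector: it does not need to recognise the tool or the exploit, only the attacker's goal. Its weak point is the same as any deception: decoys must be plausible enough to be swept up, and legitimate processes must be told to leave them alone.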

A popular truism is "defenders have to find and mitigate every security problem, but attackers only need to find one." This is only half true, because as soon as the attacker has breached the target, the tables turn. From then on, "attackers must never leave a trace of their activities, but defenders only need to find one."

Before the breach, any security flaw could be the entry point. After the breach, any action could be the one that alerts defenders. The more accurate aphorism is one that’s applicable to both sides:
