Waging a Counter-Cyberinsurgency via Collective Action

Tom Kellermann, VMware Carbon Black head cybersecurity strategist

The miscreants of the dark web have become emboldened. Gone are the days of simple cybercrime. Cybercriminals and spies are embracing exploiting the world’s most popular brands for economic gain.

While street crime (in general) is decreasing, ransomware and other more nefarious cybercrimes are up, thanks to “dark capitalism” and continuous technology advancements.

The good news is that the situation is far from hopeless—but only if we join forces.

Common Adversaries

Security products today should both boost your organization’s digital transformation efforts and help protect your brand. By that, I mean they should help you:

  • Stop intruders in the first place.
  • Stop a cybercriminal that’s breached the perimeter and refuses to leave.
  • Stop intruders from commandeering your digital transformation efforts.

The metaphor I like to use is the burglar who conducts a home invasion during Thanksgiving dinner. They know you’re home, and they want to stay longer than one meal. In fact, they want to commandeer your property and use that control to exploit your extended family. In the world of business, this threat is called island hopping. And it means your customers are at risk.

Island hopping can quickly become your worst-case scenario. It’s not about the destruction or selling of data. It’s about using your infrastructure to attack your constituencies—and ruin your brand.Consider the reverse business email compromise approach. Unbeknownst to you, attackers may attempt to compromise your mail server to resend sensitive files with fileless malware. Attackers are now so sophisticated that they’re using machine learning to identify who and what’s most important.

Another new threat avenue is access mining. That’s when a cybercriminal or team of cybercriminals allow other hackers to buy access to a brand’s systems. For example, paying cash on the darkweb for a backdoor way into a large financial institution.

  • Benefit to the hacker: A ransomware opportunity.
  • Benefit to the seller: Another penetration using common code for potential gain.

Remember Johnny Appleseed? It’s the same model: code dropped into your system, waiting to grow by providing an always-available foothold for attackers to communicate with your system from the inside out.

What this type of security breach does is introduce multiple command and control (C2) threats into your environment. It means you’re no longer defending against one attacker. Rather, you’re defending against both the hacker who bought the code and the criminal(s) who wrote the code. So while one is exploiting you now, the other is in a sleep cycle. They’re just waiting to take advantage of additional secret passageways to attack your system.

Cyberspace has become increasingly hostile. Your digital transformation efforts will be commandeered. Enterprises must look from the inside out when conducting incident response.

How Good Communities Win

Destructive attacks are rising. Most adversaries will destroy your infrastructure when they’re discovered.

No one entity can stop all attacks. That’s why if you haven’t already, your enterprise should join forces with one of the growing communities of defenders around the world. Not every organization uses the same commercial solution, but all leverage a common, open API as part of a user exchange focused on behavioral anomalies and intrusion suppression.

Why? Because no one entity can stop all attacks. But many working together and “watchlists” can manifest intrusion suppression through:

  • Detection.
  • Diversion.
  • Containment.
  • Hunting of adversaries in a collective fashion.

A community approach to fighting cybercrime enables you take advantage of hundreds of investigations in the wild each week without adding internal staff or resources.

 

Together, the incident response (IR) community and new safeguards (such as intrinsic security) can boost your brand protection. Enterprises with intrinsic security recognize the threat and prevent it from freely moving laterally. That’s because the threat has no construct of how to move through the infrastructure or communicate with the outside world—and potentially any other intruders already inside. Ultimately, this design principle helps with intrusion suppression.

My advice for enterprises dealing with bad actors and cyber adversaries is to join forces. Team up with a community. Practice better cyber hygiene. Start embracing the idea of intrinsic security, because your business can’t operate on an island when it’s fighting today’s unprecedented level of threats.