Reverse Deception: Organized Cyber Threat Counter-Exploitation (13 page)

The advancement of threats and vulnerabilities developed by your adversary stems from motivations and objectives. You might ask yourself, “How do I know if I have any adversaries?” Well, anyone connected to the Internet is a desired target, either for direct exploitation and use as a pivot point (being a beginning point of infiltration that leads to deeper infection of your enterprise) or as a part of an end goal. The overall issue with modern computing is the ease in which criminal activity can grow from a single infection to a full-blown advanced persistent threat. The generally used method is client-side-exploitation or social engineering, the latter being the most effective, especially with well-funded and highly skilled adversaries.

We mentioned that all adversaries are human. Well, humans have emotional routines and behaviors that translate to programming functions and procedures similar to computers, and they can exert their human nature in their methods and techniques. Humans develop tools, tactics, and techniques that are easily repeatable for their own successful motivations and objectives. So why wouldn’t we be able to observe patterns in physical or cyber-related effects and behaviors of an adversary? This is not a trivial process in any sense of the task, but can be attained through thorough analysis and due diligence of the security team or end users.

In a world of enterprise networks like little galaxies across our Internet universe, common and unique events occur across billions of galaxies every second. These events range in severity and uniqueness between galaxies. Some of these events occur daily, and some happen rarely. Now when we get down to it, the events we are concerned with are generated by humans, and they have patterns, techniques, and observable details that can be used to your advantage. That’s how you can approach incidents and intrusions without feeling overwhelmed. Each of these events is unique in some way, and can be made discernable and attributable to a returning adversary or an event that has nothing to do with a critical threat that has occurred in the past, present, or future. As a defender, you can never tell which individual incident or event is associated with one another, or can you?

Throughout the book, we will refer to our
adversaries
. This will be used as a common vernacular to describe any form of individual or group posing a threat against your enterprise network. We will discuss various categories of adversaries and attribution that will empower you to better identify which threat is related to which adversary. This will be important as we go through the subject matter of this book and inform you of what information you can collect against your adversaries in order to manipulate them into performing actions that improve your security posture. Another topic of the book is the ability to discern which incidents or intrusions are associated with specific adversaries.

This book crosses and blends the lines of age-old techniques and cyber-related tools and techniques that have been in use by professionals throughout several fields of study. In this book, these defenses will be applied together for various aspects and roles of information systems security engineering and cyber counterintelligence. Some of the TTPs may be familiar, and some may not. You’ll learn about the methods and techniques suggested as best practices for combating cyber criminal activity, ranging from just a curious cyber criminal to advanced persistent threats that you need to understand to actively detect and combat.

Advanced persistent threats and simple persistent threats are posed through the use of physical control of your network, deception, disinformation, behavioral analysis, legal perspectives, political analysis, and counterintelligence. Having physical control of your enterprise is the focal point most single security professionals and executives regularly forget about. If you can control the boundaries of a fight or battle, why can’t you win? This is the most basic principle, but when dealing with giant enterprise networks that span the globe, things can get trickier (by using traditional deception and counterdeception techniques). However, that is what security teams and security policies were created for: providing a safe, operationally viable network that has high confidentiality, integrity, and availability. When dealing with enterprise networks, you can easily get lost in policies and laws, and may feel unable to be understood by your leadership.

For the purpose of this book, we are going to put all of the politics aside and concentrate on the possible and effective. You need to absorb these concepts and best practices, and begin working out how you can integrate these TTP into your daily workflow, team roles, and budget.

If you read this book thoroughly, you will walk away with the knowledge only a few of us exercise daily. However, you do need a good understanding of all the pieces and players. We all face threats working in our modern world overloaded with technology, and only a few of these technologies actually help us detect and thwart adversaries attempting to access and operate within our networks for personal or professional gains.

All
host-based antivirus platforms and threat-prevention systems provide a level of security geared toward the average threats and are
always playing catch-up
. An antivirus firm needs a sample of malware prior to generating a signature to detect that variant or family of malware, and that could take days to weeks. By that time, your threat or adversary has already come, gone, and installed a new backdoor.
Almost every traditional
network security appliance can be bypassed by advanced and persistent threats. Only a
handful
of network security platforms have attempted to actually integrate persistent threat detection and early warning into an actionable model. We will introduce methods and procedures for integrating specific systems and tools in a fashion that can be used to turn our practices into repeatable processes. Our goal is also to demonstrate how to update and educate stakeholders of enterprise networks in order to better defend themselves with a little passive aggression.

What This Book Covers

Do you fret over the integrity of your network? Read this book if you are interested in not only defense, but also engagement and counter exploitation of active threats in your network. Those seeking knowledge and wisdom surrounding the domains of network security, cyber law, threat mitigation, and proactive security, and most important, those working in or a part of the cyber world, should read this book. It has been written to cater to all audiences, ranging from managers to technicians.

Our book is meant to inform, advise, and provide a train of thought to follow when your network is under threat and is assumed under the control of a remote entity. This book will walk you through the ecosystem of targeted and opportunistic criminals, where they commune, and how to engage them from inside the legal boundary of your own network. You’ll learn which tools and techniques are available to interact or game them using the principles of counterintelligence and operational deception. We also provide you with several accepted techniques for analyzing and characterizing (profiling) cyber threats operating against your network. And we cover one of the most ignored aspects of countering cyber threats: operationally vetted legal guidance from a cyber lawyer.

This book is meant to be a tome of best practices and wisdom of tools, tactics, and techniques that have and are being used to actively counter opportunistic and targeted cyber threats. Please treat this book as if one of us were in the room discussing with you the options available when you are faced with an intrusion.

This comprehensive guide is designed for the IT security professional, but the information is communicated in clear language so that laymen can understand the examples presented. The book will enable you to identify, detect, diagnose, and react with appropriate prioritized actions. It explains how IT security professionals can identify these new, “invisible” threats, categorize them according to risk level, and prioritize their actions accordingly by applying expert, field-tested, private-sector and government-sector methods. Some of the tactics will include deception, counterdeception, behavioral profiling, and popular security concepts within the realm of security that focus on countering advanced and persistent threats.

The intent is to provide readers with a fresh, new perspective on understanding and countering current persistent threats, as well as advanced threats likely to emerge in the near future. You can read the book in its entirety or focus on specific areas that most interest you or your fields of study. This book is useful to everyone who
works in
or
whose work is influenced by
the world of information technology and cyber security.

Please remember that our primary goal here is to empower you with experience and knowledge of multiple professionals who combined have more than 100 years of experience encompassing every section of this guide, ranging from information operations managers, counterintelligence specialists, behavioral analysts, intelligence analysts, and reformed hackers of the 1990s. With the subject matter experts gathered, we are in a position to publish a book to help increase the understanding of cyber counterintelligence.

First, we will cover concepts and methods for applying traditional military deception and counterintelligence techniques into the shadow of cyberspace. The goal of this book is to illustrate why the use of deception and counterintelligence is imperative and important across every organization that relies on an IT infrastructure and explains why your information will be attacked through that IT infrastructure. This will help you to learn the motives and intent of the attackers. You will gain a better understanding of the causes of and motivations for malicious online behavior so that you may better understand the nature of the threat.

The book will also include strategies and techniques to entice and lure your adversary out into the open and play “cat and mouse” with them. Techniques can include ways to counter adversaries who are actively attacking or already within your network into revealing their presence, motives, and intent. You will learn the characteristics of advanced persistent threats. We’ll describe some of the ways these organizations attain access, maintain access, and regain access, which ensures they can control computers and even whole networks. We will then link the military community doctrine to the cyber domain with the intelligence benefit and operational techniques of the advanced persistent threat. The ability to penetrate and maintain stealthy access and collect information on a target is advanced persistence access, and is the bread-and-butter of premier intelligence agencies around the world.

This book focuses on intelligence analysis, cyber counterintelligence, and operational implementations of how to objectively analyze the details of an intrusion in order to generate highly accurate assessments (profiles) of your adversaries, which can help IT security professionals and/or authorities with attribution and/or apprehension of the criminal. The book includes information about the current legal and ethical ramifications of implementing deception techniques against cyber criminals. Legal components include an overview of the rule of law, preservation of evidence, and chain of custody, which could assist law enforcement officials in a criminal case. However, this coverage is not a replacement for legal representation.

We believe that after reading our book, you will understand the concept of utilizing deception and maximizing attribution, and will be equipped with tools you can implement to better protect networks and make life exponentially harder for the bad guys (black hats and state-sponsored hackers) who are hacking private and commercial assets for political, economical, and personal leverage.

The book has three parts. Part I introduces some basic concepts:

The history of deception and how it applies in the cyber realm

The age of modern cyber warfare and counterintelligence, and how it affects every enterprise, company, organization, university, and government