Malicious code is big business. There’s some disagreement on the exact figures, but IBM clocked the average ransomware attack as costing $4.24 million. The problem with this is simple, every time hackers extort money like this or sell personal information on the dark web, they have more resources to keep doing it.
The old way of dealing with hackers is not really effective anymore. With an endless array of variations and malicious software toolkits for sale (so even a lay person can commit cybercrimes!), we can’t afford to be chasing our tails. This lead to the novel innovation: what if we got hackers to do the heavy lifting for us.
I’m not talking about some White Collar (TV show) or Catch Me if You Can (film) situation wherein we bring in the hacker to show all the dirty tricks they have. We do that, of course, but that’s a discussion for another time. I’m talking about building massive frameworks that compile enough information to give us predictive capabilities to stop attacks in their tracks before they become a catastrophe. If this were a film, it’d be Minority Report.
In this case, let’s take a look at the MITRE ATT&CK framework. Older AV software did a lot of list cataloging, and we don’t have to throw the digital baby out with the cyber bathwater here. We just need better lists. So, we’re compiling lists of known threat actors, malware, scripts, droppers, and behaviors.
What do we get with all this information? We can classify types of attacks, learn what kinds of processes are common at the moment, and respond more quickly. Essentially, this is a way to build a behavioral profile that’s based on tactics, techniques and procedures (TTPS).
For example, when alleged (wink) Chinese state actors and hacker group HAFNIUM started operating in 2021, it made sense to build a dossier on their TTPS.
We learned that they gather network information online. Then, using American based-virtual private servers they exploit public facing servers to drop PowerShell scripts and gather local and domain accounts. Next, they try to escalate their privilege for info gathering and to get that information out.
Why does this matter? Well, a group like Hafnium is busy and sophisticated. They’ve target infectious disease researchers, universities, law firms, even defense contractors. Importantly, big threat actors like this make a lot of noise. That makes it easier for log events and learn from them, so everyone is less vulnerable next time.
What can you do with this?
Maybe the most important part is to realize that not all detection response platforms are created equal. Do your diligence in researching to make sure that you’re getting the telemetry you need. The most successful hackers have a lot of expertise, and it helps a lot to have people whose whole job is protection looking out for you. Cyber security should always be on your mind, but it makes sense to bring in folks to lessen the load for you. We help MSPs with that.
