There’s a significant movement in cybersecurity right now that is seeing organizations approach the problem of cyber defense through the eyes of an attacker. This is very different to the check-box approach often associated with standard security or compliance frameworks – and it requires specialist expertise. However, when properly applied, the attacker mindset helps to lift theoretical security off the clipboard and into the real world. It’s an old cyber truism that hackers don’t care about the compliance accreditations of their targets, so adopting the attacker mindset is crucial in actually understanding what your attacker does care about. Rule #1 – know your enemy.
The first question to answer when applying the attacker mindset is ‘what are our critical assets and who is motivated to attack us?’ Script kiddies, hacktivists, criminals and nation-state actors have differing ranges of both skill and persistence – and also carry different motivations to attack. Understanding this allows us to choose an appropriate lens through which to view cyber defense.
Attack motivation
For example, most large organizations, or those in specific sectors, hold assets that carry value to a nation state. In some cases, this is obvious – IP, financial and economic data, High Net Worth investments or cross-border M&A, to name some examples. Then there are those organizations that present attractive geopolitical targets – such as power, utilities, government and media – where a disruptive cyberattack from a nation state would serve to undermine, sow uncertainty and potentially do actual harm.
So, let’s say we are a bank and we need to defend against a nation state level actor. Taking our attacker mindset to the next level, we would understand the threat to be three-fold. The attacker wants to:
- Steal information (either mass data harvesting or specific economic or corporate transaction data)
- Steal money (in the case of nation-states this has mainly been limited to North Korea; however, some state-aligned cyber groups also moonlight for personal gain)
- Cripple the financial ecosystem within its target country
These three scenarios all involve different objectives, critical assets, and attack paths to these assets that an attacker would have to follow. Viewing this process through the eyes of an attacker can help us to understand where our defenses are strong, where they are weaker – and what we need to do in order to secure ourselves against each scenario.
In order to address our environment through the eyes of a state-level threat actor, we need to ensure we have these same skills and experience – either in house (tough because of the scarcity of ex-nation-state attacker resource) or through a specialist security supplier (again tough because you never really know what, or who, you are buying in until it is too late).
Defining a nation-state level attacker
• First up – pragmatism. This may seem the opposite of what the media would have us believe (state-level cyber attacks are not all about lasers and zero-days) – but a pragmatic approach to breaching an organization is crucial. As a cyber-operative in a state cyber program, you’ve been given an objective, and it is your job to execute that objective with the resources available. Normally this means starting with the cheapest attacks to execute, and working up through complexity and value until an expensive zero-day attack is applied if the target warrants it. This is important to understand on the defensive side, as we can assess how much and how far we need to frustrate the attacker until they potentially move on elsewhere. If we feel our threat model doesn’t warrant an attacker burning through such an expensive resource, then we can set our defenses at a correspondingly lower level. On the other hand, if our critical assets warrant an attacker using a zero-day to get in, then we have to think about defense-in-depth and multiple layers of detection and response in order to catch the threat actor before they reach their final objective.
• Secondly – persistence. Nation-state level threats are often referred to as ‘Advanced Persistent Threats’, or APT – and often it is the ‘Persistent’ that sets them apart from the rest. This has important ramifications from a cyber-defense perspective. We live in an age where cybersecurity – and pentesting in particular – is becoming commoditized, with small-scope, one-off exercises lasting a few days deemed enough to tick the compliance box. Nothing could be further from how a persistent attacker actually operates. The attacker doesn’t care that only 10 days were in scope for your annual pentest when it might take them 12 days to get in. The attacker certainly doesn’t care which systems couldn’t be assessed because they are in a sensitive production environment. Adopting the attacker mindset means turning this on its head – answering the question ‘how far is the attacker willing to go to achieve their objective?’
• Thirdly – deep-level technical expertise and creativity. The more technically capable you are, and the more creative you can be as an attacker – the wider the attack surface you have to work with and the higher your chance of success in a shorter time. As defenders, we need to have a clear understanding of where these technical vulnerabilities are in order to know where an attacker might strike. If our grasp of these vulnerabilities and their potential is more limited than that of an attacker, then we are always going to be on the back foot.
• Lastly, and perhaps most importantly – big-picture, holistic thinking. This goes back to the pragmatism point, in that the attacker will leverage whatever they can in order to achieve an objective, in ways that someone without an attacker background might not consider. An attacker will assess the entire organization – how its business units interact with each other, the employees, the supply chain – even the senior executives and VIPs (and their families) in order to find a weakness to exploit. This suddenly seems a far cry from an annual pentest – but these are critical to address if we are to take the attacker’s viewpoint. Just this week, it was reported that a Tesla employee was approached by a Russian criminal gang and offered $1 million to install malware at the Nevada factory. Last year, over 50 percent of cyber breaches occurred through the supply chain. Social engineering at the highest level of business remains endemic. While defending against all of these might seem an impossible task, understanding the threat is the first step, and lifting defensive maturity by even a little can be enough to deter or frustrate an attacker.
Adopting the attacker mindset is one of the most effective tools we have in modern cyber-defense, and it applies to organizations of all sizes facing every kind of threat. Anyone can be subject to a cyberattack – and it’s imperative to fully understand the level of risk faced by the business. And the only way to really view this is through the eyes of an attacker.