

Ep. 8: Learning from the Adversary

BY eSentire

January 5, 2022 | 6 MINS READ





Cybersecurity is not an IT problem to solve—it's a business risk to manage. In the Managing Cyber Risk podcast series, Mark Sangster, Vice President and Industry Security Strategist at eSentire, and Cybercrime Magazine’s Hillarie McClure lead conversations with cybersecurity experts, using the dollars-and-cents language of the C-suite to expose the issues, challenges and pitfalls which are often obscured by ones and zeroes.

Want to listen to the full episode instead? Click here.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

It’s unlikely that Sun Tzu was writing about cybersecurity, but he might as well have been.

Today’s adversaries are well-organized, well-funded, and well-equipped, and they operate as structured enterprises—leading Mark Sangster, VP Industry Security Strategy at eSentire, to describe them as the “Misfortune 500.”

Knowing your adversary is an essential element of cyber warfare, which is why Mark and Cybercrime Magazine’s Hillarie McClure spoke to Col. (Ret.) Timothy Evans, SVP, Co-Founder and Chief of Strategy at Adlumin.

During the conversation, they touched on a wide range of topics, such as common misconceptions about cyberattacks, today’s adversaries and their goals, how cyberattacks are conducted, and spotting them before it’s too late.

What are some common misconceptions about cyberattacks?

Early in the conversation, Mark and Tim touch on three dangerous, and stubbornly persistent, misconceptions:

  1. “We’re not a target”: No matter how big, how small, how ‘boring’ or how well-defended your organization is, cybercriminals can and will target you.

  2. “Most cyberattacks are obvious, only a fool would fall for them”: We’re all accustomed to receiving obvious spam emails, and that can trick us into a state of overconfidence. But cyberattacks against corporations are very different. Phishing emails are often personalized, and they increasingly make use of public and private information to look legitimate. Assuming that cyber threats are obvious only increases the odds that an attack against your company will be successful.

  3. “Well, I guess there’s nothing we can do if a sophisticated cybercriminal targets us”: This one is closely related to the after-the-fact outcry of “there were no signs”. But the truth is that cyberattacks aren’t instantaneous and there are always signs. Your cybersecurity team just needs to know what to look for and, more importantly, they need to have the security operations capabilities to do so.

Who are today’s adversaries?

Businesses are finally understanding that today’s cyber threat actors aren’t rogue individuals, but run highly sophisticated operations with many of the same functions (e.g., recruitment, R&D, operations, and business development) as modern enterprises. What’s more, they operate in a mature ecosystem complete with specialty services, marketplaces, channel and affiliate programs, and so on.

Prosecution of ransomware gangs remains relatively rare, often due to the cross-border nature of the cybercrime. In fact, Tim also noted that he’s seen evidence of ransomware operators installing and maintaining backdoors for possible use in a wartime scenario.

Learning how today’s adversaries operate and their psyche can significantly help your team understand the best way to protect your organization and mitigate your cyber risk.

What are threat actors’ goals?

Cybercriminals are after money—the rewards of a successful cyberattack are high, especially when threat actors introduce multiple revenue streams by combining ransomware attacks with stealing and selling valuable information.

Although adversaries are also motivated by stealing a company’s intellectual property or proprietary data, disabling systems and services and making crucial information unavailable continues to generate impressive returns for ransomware operators. The average ransom across all industries reached $570,000 in the first half of 2021, an 83% increase over 2020.

Additionally, cybercriminals routinely use double- and triple-extortion tactics to compel the victim to pay to recover access to systems, prevent the publication of protected health information (PHI) and personally identifiable information (PII), and avoid the potential regulatory fines.

The fact remains that, whether the victim pays the ransom or not, ransomware groups may still sell stolen data in cybercrime marketplaces, given the specific benefits associated with different types of data.

How do threat actors conduct cyberattacks?

The broad stages of a cyberattack are standardized—initial access is gained, intrusion actions are performed, and then malware is detonated—but the specifics of execution differ.

While staying up to date with the latest tactics, techniques and procedures (TTPs) can be challenging since they’re always evolving, Mark suggests that the corrective action plans (CAPs) prepared by the Office for Civil Rights (OCR) in response to HIPAA violations are a good source. Although they don’t spell out the details, it’s usually straightforward to determine how an organization succumbed to a cyberattack.

How can you spot adversary activity before it’s too late?

Sophisticated threat actors will target your company sooner or later and they’re very adept at gaining access into your environment. But cyberattacks—particularly ransomware attacks—don’t happen instantaneously.

Once inside an environment, cybercriminals engage in ‘intrusion actions’ like domain reconnaissance, creating new accounts, finding backups, exfiltrating data, harvesting credentials, creating backdoors, and identifying the systems and services that should be targeted to inflict maximum pressure on the victim.

These activities take time, and they create Indicators of Compromise (IoCs) that are detectable with the right tools.

“You have to know every time an account is created, and you have to be able to verify that we created that account…which is really hard for large organizations,” Tim stressed.

To underscore the point, Mark shared an example of a recent breach of a healthcare delivery organization (HDO) in which an IT technician noticed some strange account creation and reached out to HR, who subsequently escalated the matter to the IT manager. Unfortunately, it was a long weekend, the IT manager was busy and decided to look at things on Monday—by which point ransomware had shut down the organization.

Similarly, user behavior analytics can recognize strange file transfers, lateral movement and other unusual activities, like a user suddenly running PowerShell for the first time.
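As an added illustration of the two signals Tim and Mark describe above (an account creation nobody can verify, and a user running PowerShell for the first time), the following Python is example detection logic written for this recap, not eSentire’s or Adlumin’s code; the event schema, field names, approved-account list, baseline and sample records are all constructed assumptions.

```python
import json

# Constructed sample events, one JSON record per line, in time order.
SAMPLE_LOGS = """
{"ts": "2021-11-05T09:12:00Z", "event": "account_created", "actor": "it.admin", "target": "svc_backup2"}
{"ts": "2021-11-05T09:15:00Z", "event": "process_start", "user": "alice", "image": "powershell.exe"}
{"ts": "2021-11-05T22:41:00Z", "event": "account_created", "actor": "j.smith", "target": "helpdesk-tmp"}
{"ts": "2021-11-06T01:03:00Z", "event": "process_start", "user": "j.smith", "image": "powershell.exe"}
{"ts": "2021-11-06T01:05:00Z", "event": "process_start", "user": "j.smith", "image": "powershell.exe"}
"""

# Assumed inputs: account names IT actually approved (e.g. from a change
# ticket) and users whose baseline already includes PowerShell use.
APPROVED_ACCOUNTS = {"svc_backup2"}
POWERSHELL_BASELINE = {"alice", "it.admin"}


def parse_logs(text):
    """Parse each non-empty line as one JSON event."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unverified_account_creations(events, approved):
    """Every account-creation event whose target was not pre-approved."""
    return [e for e in events
            if e["event"] == "account_created" and e["target"] not in approved]


def first_time_powershell(events, baseline):
    """First PowerShell start per user outside the baseline (alerts once per user)."""
    seen, alerts = set(baseline), []
    for e in events:
        if e["event"] != "process_start" or e["image"].lower() != "powershell.exe":
            continue
        if e["user"] not in seen:
            alerts.append(e)
            seen.add(e["user"])
    return alerts


def run_detections(text=SAMPLE_LOGS):
    """Return (unverified account names, first-time PowerShell users) for the log text."""
    events = parse_logs(text)
    accounts = [e["target"] for e in unverified_account_creations(events, APPROVED_ACCOUNTS)]
    shells = [e["user"] for e in first_time_powershell(events, POWERSHELL_BASELINE)]
    return accounts, shells
```

On the constructed sample, `run_detections()` returns `(['helpdesk-tmp'], ['j.smith'])`: the late-night account nobody approved and the user who never ran PowerShell before, with the second PowerShell start by that user not re-flagged.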

Fortunately, organizations don’t have to wait until they’re under attack to recognize and address their own vulnerabilities. At a minimum, Tim recommends looking for compromised accounts on the dark web and using tools like Shodan to understand what cybercriminals see when they look at your network.

You can also adopt a more proactive, risk-based approach to cybersecurity that leverages a comprehensive vulnerability management program, Phishing and Security Awareness Training (PSAT), a Managed Detection and Response (MDR) provider to identify and contain cyber threats that bypass existing defenses, and Incident Response (IR).

Moving forward

Doing the basics—strong passwords, multi-factor authentication, controlled and encrypted access, least privilege, and network segmentation—is essential and while these countermeasures might not stop cybercriminals outright, they can slow down adversaries and give you the opportunity to detect their presence.

In fact, Tim reiterates the importance of monitoring for the telltale signs of intrusion: “There are certain things that you absolutely need to monitor. If you’re an organization of CISOs, you have to put this at the top of your agenda. You need to know what you need to be monitoring.”

Learn more from your adversaries

Listen to the full Learning from the Adversary episode of the Managing Cyber Risk podcast series as Mark Sangster and Hillarie McClure interview Col. (Ret.) Timothy Evans about what we can learn from the adversary, the evolution of ransomware, and more.


eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.
