Please imagine: A high-powered director of an enterprise, or a military commander, enters a conference room where a group of cyber threat analysts have crafted a brief meant to inform this leader about a malicious cyber actor known to have compromised the networks of other enterprises within the same competitive sector or military domain. The briefer proffers that the observed activities done by the malicious actor are a capability.
I disagree. What has been shown to the intelligence customer is a current inventory of what the malicious actor is known to possess and prefers to use, not a capability.
I would argue that actor’s – and every other cyber actor’s – actual capability is whatever weaponized script is being offered anywhere on the internet at that time, and which can be acquired by that malicious cyber actor for the asking price. To call a tool that an actor in the cyber domain uses a capability is tantamount to saying an assailant who was known to use a knife in prior crimes should be ascribed only the capability to slice victims, despite any opportunities they may have had since the last observed incident to acquire any other weapon within reach that can be bought or stolen.
In my experience, the two persons most susceptible to this view of defining the strict boundaries of what a (cyber) actor is capable of based mainly on prior observations of that actor’s behavior are (1) leaders who actually have the authority and means to conduct meaningful cybersecurity operations (as not all do), and (2) the cyber intelligence analysts who are fortunate to support these well-resourced leaders. The leader, under pressure to act/respond, squeezes their experts for an actionable intelligence assessment. Out of a conscientious desire to answer the request for information (RFI) in a timely manner, the cyber threat analyst provides a conservative assessment on the adversary’s confirmed assets. This assessment – almost invariably – places the adversary physically and logically in what I will call a “neat box” where nothing new (read unconfirmed) that could potentially be used against the previously victimized network was likely introduced. Unfortunately, some leaders are more inclined to accept a neat box to work with rather than a hard truth with some loose ends.
I have never seen a response to such an RFI where the analyst’s answer aligns with, “Sir/ma’am, this is what the adversary is known to have or do. However, once engaged or thwarted, it is possible the adversary’s known TTPs (tactics, techniques, and procedures) will likely evolve using whatever malicious code is available from anywhere around the world.” This is the hard answer that no commander/director/chief executive likes to hear. Yet, it is the right answer to provide, if that analyst is willing to speak truth to power, to prepare that leader for what could occur if “corners are not covered,” which is the main takeaway from this missive.
The need to cover corners, before taking action, is an acknowledgement that to defeat an adversary in the cyber domain, one must defeat what that adversary is potentially able to offer – outside of their neat box – to someone else who has dangerous knowledge or an unforeseen cyber capability that can still harm a (previously) targeted information network. In essence, to defeat an adversary in the cyber domain, I suggest that one must defeat an adversary’s ability to incentivize others outside of that adversary’s stated physical and logical borders, or limit the effectiveness of those outsourced cyber actors. Yes, it is much easier said than done; I sympathize. Further, this solution ostensibly prompts thoughts of a global financial transacting component within cyber response/defense planning. However, my use of the term “incentivize” is done purposely, as different “things” (i.e., not always money) can motivate different actors to perform harmful acts. Therefore, it is a cultural component within cyber response/defense planning that must be considered.
For those having trouble conceptualizing some possible incentives for committing a harmful cyber act on someone else’s behalf, but with very little money involved, allow me to instantiate:
- Terrorist groups’ less-involved, cyber-savvy supporters supporting a jihad by embarrassing targets through simple website defacement;[i]
- Politically-motivated cyber hackers performing a distributed denial of service attack against a commercial entity for the sake of causing reputational damage;[ii]
- Staunch, cyber-savvy supporters of “hot-button issues” aggregating personal information, including addresses and schedules, on opposition personnel for some later open disclosure for all potential aggressors to see and use (aka doxxing).[iii]
I have not conducted an exhaustive, relevant study on such incidents as those mentioned above. However, anecdotally, what I have observed in my time would lead me to believe it would not take very much – by way of resources and incentives – to be offered to such malicious cyber actors to commit these crimes if both groups (i.e., the original aggressor and the outsourced aggressor) were aligned philosophically in some way, and financially if needed. These outsourced aggressors represent the “capability” not being mentioned during “neat box” assessments.
The question now is, “When the entire Internet can potentially be leveraged against you, how do you defend your enterprise network(s)?”
A Low-Cost Suggestion Likely to Work
My answer to the question above: Do what is free, or at least what is much more cost-effective than trying to defend against the most complex hacks.
In a previous missive, I outlined how a number of cyber hygiene and patching practices could help alleviate what I would consider the overwhelming majority of vulnerabilities that are used as hacks against unsuspecting networks. The unfortunate reality is that what tends to make news are huge failures in network security from hacks that were already known (sometimes for years) and which should have been mitigated, but were not. It is NOT typically complex hacks that keep bringing information networks and their host enterprises down operationally, and damaging them reputationally. Moreover, by doing what everyone else should be doing at low cost – while others are not doing so – you have made your enterprise networks more secure relative to everyone else’s and, therefore, less attractive to malicious cyber actors who may now view those not keeping up with current cyber hygiene and patching practices as easier targets.
As the first step to solving any problem is properly (and honestly) defining it, understanding when you are seeing a (full breadth of) capability compared to an inventory of a cyber actor’s observed arsenal is critical. Once that inventory is defined, upkeep of cyber hygiene and patching practices will allow network owners to mitigate the simpler hacks (i.e. the potential capability) they have not seen yet against their native networks but which are likely to be leveraged by either an original aggressor or an outsourced aggressor. Consequently, cyber security leaders/planners may now focus on the “neat box” with much less apprehension concerning the impacts from likely reprisals (which have already been seen on others’ networks).
Please remember: The smart learn from their own mistakes. The wise learn from others’ mistakes.
[i] Tom Williams; Contextis.com; November 2, 2015; “The Cyber Threat and Terrorism”; https://www.contextis.com/blog/the-cyber-threat-and-terrorism; accessed 25 March 2018
[ii] Don Reisinger; Fortune (online); May 4, 2016; “Anonymous Launches Month-Long Hacking Campaign Against Banks”; http://fortune.com/2016/05/04/anonymous-hacking-banks/; accessed 25 May 2018
[iii] Nellie Bowles; The New York Times (online); August 30, 2017; “How ‘Doxxing’ Became a Mainstream Tool in the Culture Wars.”; https://www.nytimes.com/2017/08/30/technology/doxxing-protests.html; accessed 1 April 2018
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.