As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— With hackers and state-sponsored attackers on the rise, Lior Zatlavi of Ermetic wants you to think like an attacker to improve your approach to cybersecurity.
Defending against cyber-attacks gets more complex every day. Cyber-criminals are nothing if not creative and constantly evolving their tactics. Most CISOs and CSOs want to be more proactive, but often maintain a cookie-cutter approach with a fixed set of technologies and tools while relying on security vendors to enhance their detection and prevention capabilities. Instead, defenders need to match the creativity and flexibility of their adversaries and think outside the software vendor box to manage risk and reduce their attack surface.
The best way to do that is to think like an attacker.
Widget not in any sidebars
Think Like an Attacker…
Recently, the CSO of a large enterprise that had experienced a series of breaches determined they were likely part of an attack campaign, so he hired an offensive security firm to study the incidents and hone in on the attacker’s objective. After studying logs of attacks carried out over two years, the investigators zeroed in on one management application in use that seemed to be the ultimate target for the hackers. With that insight, the organization set up a trap: a “hack-back” operation that opened a harmless back door to the network, “fingerprinted” the attacker and traced the activity back to its source, and with the help of law enforcement shut down the threat. Based on the intelligence gathered from the investigation, the organization also modified its configurations to prevent similar attacks in the future, and engaged penetration testing experts to gain more context on potential threats to its environment.
Organizations can no longer assume they are safe from hackers. Supply chain attacks have become common, with attackers breaching a vendor or partner company as a way to open a back door to a more valuable target. Assuming systems have or will be breached and minimizing the potential for damage– reducing the “blast radius”– is the way to manage this risk. Knowing who’s attacking your network and why can be an excellent first step to establishing a defensive posture that can stay in step with emerging threats. This insight can help build a more robust security plan and gain buy-in from stakeholders. The stereotype of a loner in a hoodie, hacking from his parent’s basement, is woefully out of date.
The Modern Day Attacker
Today, cyber attackers fall into two major categories that shape much of their activities: cyber-criminals and nation-states. State-sponsored hackers are usually spies, although sabotage is another strong motive. Remember the hack of emails from Sony in 2014 was retaliation for a movie critical of the North Korean leader. But nation-state hackers are mainly tactical; for example, federal authorities recently warned that Chinese state-sponsored hackers are breaking into U.S. telecommunications networks.
While most cyber-criminals are profit-motivated, such as DarkSide, the group that cashed in on the ransomware attack against Colonial Pipeline in 2021, some activist groups also carry out attacks like the hacker collective Anonymous that carried out a campaign against Russian targets in the wake of the invasion of Ukraine. Financially-motivated hackers have even evolved a new subset: cyber-attacks as a service, which offers all the tools and capabilities for an attack to a less-proficient criminal– for a price. These criminal networks often include ex-military personnel and sophisticated hackers, so they sometimes overlap with state-sponsored hacker networks.
Know Thy Enemy
Knowing which attacker to worry about is a good first step. The two groups have different motivations, and tend to favor different targets. So proactive protection against one can be different from another. A defense contractor may need to worry about both cyber-criminals and state-sponsored hackers. Whereas a company that doesn’t work in defense or national security should worry more about financially-motivated cyber-criminals staging ransomware or denial-of-service attacks, looking for a payoff.
Determining what to protect is equally important. Identifying the organization’s crown jewels- those sensitive, high-value assets a cyber-criminal may target- makes it easier to figure out where an attacker may strike and how. It narrows the search for weak spots and possible ways an attacker might exploit them. Finally, map all the potential attack vectors and segment the crown jewels from the rest of the network and public interfaces in use. This makes it much easier to reduce risk and implement the right security controls. Following the best practices outlined above can provide a starting point for moving to an attacker-mindset approach for defending the organization from threats. Starting small will enable the security team to gradually expand its repertoire of skills and capabilities in order to make offensive thinking a guiding principle of the organization’s security strategy.
Widget not in any sidebars
Lior Zatlavi
Lior Zatlavi is Senior Cloud Security Architect at Ermetic. He has more than 15 years of experience in cybersecurity, working for the Israeli government and with the elite cybersecurity unit of the Israel Defense Forces (IDF). Lior is a Certified Information Systems Security Professional (CISSP), has a Master of Science in Electrical Engineering from Tel Aviv University, and a Bachelor of Science in Applied Mathematics from Bar Ilan University.
