“The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”
– Ralph Waldo Emerson
Why and how do cyber adversaries – criminals, spies, competitors, activists – continue to find success in fraud, extortion, espionage and sabotage? Governments, corporations and research institutes have focused their resources on this issue, yet the problem remains.
After years of fruitless crusading to build the holy grail of cybersecurity technology, hope is beginning to fade. Instead, the data is telling us that technology is not the solution. The reason for this is that technology is not the problem. People are the problem, but people are also the solution.
Cyber adversaries’ relative information superiority grants them the upper hand. Relative information superiority means the adversary knows more about the target than the target knows about the adversary. Just as a bank robber who knows the bank layout, camera locations, guard rotations and so on can bypass those security measures, a cyber adversary who knows the target’s environment better than the target knows the adversary can bypass its defenses. Information superiority is essential to a cyber adversary’s advantage.
Cyber defenders are at a disadvantage in the information superiority battle. Technology developers must openly market and trade their products, solutions which a cyber adversary can obtain and reverse-engineer.
At the same time, targeted organizations must publicize their internet infrastructure for legitimate use, whereas a cyber adversary can develop tools and infrastructure in secret, launch attacks from an obfuscated location across the globe, and switch up infrastructure, tools and communications at will. Consequently, cyber defenders often cannot collect, analyze and disseminate threat intelligence fast enough to gain or maintain relative information superiority.
Defenders must understand offensive cyber tradecraft in order to anticipate and counter cyber adversaries. In 2011, the Cyber Kill Chain emerged as the first model of cyber adversary behavior on which defenders could focus security measures.
Today, the cyber adversary has evolved, and so a more sophisticated model of behavior is required. The Offensive Cyber Tradecraft Taxonomy (OCT2) offers such a model.
The OCT2 describes the tactics and techniques employed by a cyber adversary during an Advanced Persistent Threat (APT) operation – a manually driven, highly targeted operation that seeks to fulfill an enduring requirement. Using the OCT2, defenders can apply first-principles thinking to anticipate adversary behavior and design and implement countermeasures.
The most powerful technology in the cyber battle is the human mind. Cybersecurity technologies are essential to defensive cyber operations; however, the cybersecurity industry and society in general must take care not to rely too heavily on technology to solve the problem.
Cyber adversaries are people who can adapt to and master a changing environment – physical or digital. Defenders must therefore leverage this same ability to counter cyber adversaries by understanding and then outsmarting them. It’s a people problem, so it requires a people solution.
At BSides Canberra in mid-April, I will be explaining OCT2 in greater detail. The OCT2 forms the basis of a five-day training course on Cyber Adversary Tradecraft; I will endeavor to explain it in a 20-minute presentation. I encourage anyone involved in cyber operations who will be at BSides Canberra to please come and enjoy my talk: "Countering Cyber Adversary Tradecraft."
About the Author: Matt Wilcox is the Founder of Fifth Domain, a cybersecurity training start-up. He has almost a decade of experience in cybersecurity, working in Federal Government, top-tier consulting firms and academia.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock