The Cognitive Attack Loop of a Cybercriminal

By Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black

While organisations spend enormous amounts of their cybers budget on preparing for a data breach and determining how a breach occurred, there’s an important element they need to take into account – understanding the actual minds and motivations of the attackers.

A clear understanding of attacker motivation lets organisations better anticipate, prepare for and build a proactive advantage against threats. VMware Carbon Black’s recent 2020 Cybersecurity Outlook Report found that attacker behaviour continues to become more evasive, and organisations must respond accordingly. Offense should inform defence, and it is important to uncover ground truth. Once organisations have the full picture, they can effectively shift thinking, people, processes, and technologies to account for new attacker behaviours. Let us consider the security practices that can help better understand the motivations of these attackers.

The Cognitive Attack Loop

There are three phases of cybercriminal behaviour:

Recon and infiltrate. In this initial stage of cybercriminal behaviour, the attacker prepares the operation. This can include selection of the target, determining the best means to gain access to the target and actually gaining that access.

Maintain and manipulate. When attackers have accessed your network, they work to maintain a foothold in this environment while continuing to improve their position to move forward with their goals. Often, to achieve whatever ends the attacker has in mind, they need additional access levels or to circumvent existing controls.

Execute and exfiltrate. Entering this final stage means the attackers now can execute on their end goals, which could include lateral movement-island hopping, and therefore compromising the integrity, confidentiality, or availability of information.

Studying this attack loop and using it to build a cognitive defence approach allows for greater precision in remediation steps and drives consistent and positive security changes. Really understanding these behaviours offers unique insight into the motivations behind an attack, helping to guide the prevention and detection of a breach and the appropriate response.

Robust cyber testing and pro-active threat hunting

Organisations need to go beyond traditional penetration testing. They should not limit testing to outside-in, it should expand to inside-out to better understand attack paths. Island hopping and lateral movement has exploded, creating a greater need to understand the escalation of adversaries when they choose to commandeer digital transformation efforts. For example, recent research among incident response professionals found that island hopping was a feature in 41 percent of the breach attempts they encountered.

Red team exercises offer a human element as well as an understanding of the nexus between facility security and cybersecurity. It’s imperative to get a baseline understanding of where vulnerabilities lie. A baseline red team (using third party plus in-house security experts) audit and/or cyber hunt exercise can help expose where systems are vulnerable and where the organisation needs to increase controls. Fielding an in-house threat hunting team helps organisations identify behavioural anomalies, which present a harbinger of criminality.

Intrinsic and continuous threat intelligence 

Security teams require threat intelligence to build a strong security posture – better outlining a cyber attacker’s motivation. It helps organisations discover new threats and proactively put up barriers to defend against them. Without threat intelligence, organisations become reactive. Threat intelligence feeds must get integrated into endpoint detection and response (EDR) and made relevant to the specific threats facing an organisation’s industry.

Consider threat intelligence an intrinsic part of a continuous cyber strategy that includes weekly threat hunting. The security team must also standardise on a best-of-breed EDR. In today’s mass shift to a remote workforce, threat hunting needs to go beyond traditional intelligence and include process injection, the misuse of Windows Management Instrumentation and exploitation of non-persistent virtual desktop infrastructures. Given that cybercriminals fight back by leveraging counter-incident response and destructive attacks, organisations must stay vigilant to escalation when hunting and focus on the following:

  • Identify what new threats have arisen.
  • Test systems for vulnerabilities to these new threats.
  • Take steps to defend against these potential attacks.
  • Improve internal communications, combat re-entry

Take action

Organisations must stand up a secondary line of secure communications because it’s vital to discuss the ongoing incident. Assume that hackers can intercept as well as view, modify and otherwise compromise all internal communications. These communications should allow for talk, text, and file transfer. Security teams should also assume that the adversary has multiple means of gaining access into the environment. Shutting off one entry point may not actually remove attackers from an organisation’s network. This will likely have the opposite effect by notifying the attackers that you’re on to them.

Next, organisations need to watch and wait. Do not immediately start blocking malware activity and shutting off access or terminating the C2. To understand all avenues of re-entry, organisations must monitor the situation to fully grasp the scope of the intrusion to effectively develop a means of successfully removing the adversary from the environment. Another action to consider includes deploying agents (if necessary) in monitor-only mode. If organisations begin blocking or otherwise impeding their activities, attackers will catch on and change tactics, potentially leaving an organisation blind to added means of re-entry. Finally, organisations can deploy honey tokens or deception grids – especially on attack paths that are difficult to harden.

Take action to really understand a cyber attacker and why they act the way they do will make the organisation better prepared for a data breach. It’s only when their methods are understood through practices such as cyber testing, the use of threat intelligence and communication can an organisation fully prepare for the next impending cyber threat.