For the past ten years, my teams and I have been engaged in an epic war against cyber attackers. We know who they are, where they fight, and the weapons they use. We do not wear flak jackets and we do not carry M4s, but our fight is very real. Armed with home-grown tools and closely guarded methods, my very experienced cyber warriors fight 60 to 80 hours each week to 1) learn the battlefield, 2) understand points of infiltration, 3) outline methods of attacker movement and covertness, 4) pinpoint methods of exfiltration, and ultimately 5) kill the attacker’s foothold in a network. The military uses words like “fight” and “deployment.” We use words like “work” and “travel.” The words are different, but many of the strategic methodologies of traditional warfare and cyber response are the same.
Only recently have I come to understand that we are not engaged in a series of disparate events from random attackers. Each of the sixteen very large cyber breach cases I have worked on over the past decade has painted a picture of the advancement and maturity of a set of attackers. These attackers can be divided by their location and their goal in their attacks. There is the financial attacker group that focuses on stealing money or stealing property that can be sold for money (e.g., PII). Then there is the information (or intellectual property) attacker group that focuses on information for governmental, military, or business purposes. Both of these groups leverage tactics from the same criminal underground industry supplied by disorganized and hobby “hackers.” However, over the past five years, these two large and well-funded attacker groups have been outgrowing their “borrowed” tools in favor of more advanced, internally developed weapons. Ultimately, their attacks are proving to be long-term and methodically growing in sophistication.
In each case that my teams and I engage on, we see a steady progression from the previous one. We engage the attackers with a rapid and holistic response methodology that provides the highest fidelity and the lowest risk of future re-attacks. We do this by fixing known vulnerabilities, augmenting security postures, securing perimeters, and putting comprehensive visibility and monitoring in place. We provide the target organizations with the weapons they can use to defend their property against future aggression. The attackers learn the defensive mechanisms we employ and evolve their next target to outmaneuver those defenses. I know this because when we move to the next battle, the attacker tools have grown slightly in sophistication and their methods have become more complex (and covert). During this next case, my teams adapt their methods of fighting the attackers, gain proper intelligence to thwart future attacks based on the new weapons, and track this progression for the next battle.
Laptops, hard drives, mice, and whiteboard markers: these are the tools we use in our battle against attackers that are becoming increasingly advanced and persistent. Today we are able to match their methods on the battlefield – and that is exactly where we work every day. Each cyber breach response is a battle in a long war where it seems that we are falling victim to “death by a thousand cuts.” The world may not see the impact to our way of life, but the effects are very real. Organizations in both the private and public sectors are spending billions of dollars on security infrastructures to thwart a war led by a cabal of attackers.
Today, we have the skills and weapons to fight toe-to-toe against aggressors stealing money and information from virtually any network connected to the Internet. My teams’ advancements in responding to attacks and defending networks are keeping up with the steady advancements in the weapons and methods used by the adversaries. History has proven that sustaining a long-term war between arguably equally matched forces is untenable. Luckily for the good guys, my teams are developing new methodologies that thwart significant advancements by the bad guys.