Attackers are constantly evolving their tools and their game, but knowing their base instincts helps us defend against them.

Cyberthreats are evolving to evade antivirus and malware monitoring through the use of fileless and living-off-the-land attacks. According to the Verizon Data Breach Investigations Report (DBIR), 68% of attacks can go undetected for months or more, while only 28% of attacks in 2018 (51% in 2017) involved malware.

Attacks are also evolving to include lateral movement (70%) and island hopping (51%), according to Carbon Black’s 2019 Global Threat Report.

“The dark web has become an arms bazaar of attack tools which are being deployed by a multiplicity of actors, creating a virtual free-fire zone. Now that elite cyber weapons are available to all, CISOs need to be worried about the impact of this trick down economy,” said Rick McElroy, principal security strategist, Carbon Black.

Three phases of cognitive attack loop

Regardless of how cybercriminals evolve, their behavior by nature has to occur in a pattern. Know your enemy and your playing field, and the battle becomes more predictable and manageable. According to the experts, all cybercriminals invariably follow a three-phase attack loop:

1) Reconnaissance and infiltration: gathering intel to select a target, discovering a vulnerability through social engineering, exploits and other means, followed by infiltration and delivery of the payload.

2) Maintain and manipulate: Activating the payload and gaining elevated privileges and permissions on the network and maintaining persistent access across reboots or defense mechanisms. This phase also involves constant adaptation of behavior and code to evade detection and maintain communication channels with the attackers in order to facilitate introduction of more attack vectors.

3) Execute and exfiltrate: This is a looping point where the first two critical phases continue to execute and steal more data and send it back to the attacker — exfiltration. Where needed, data and other resources are destroyed to cover their tracks and thwart attempts to stop or recover the stolen information. 

Brush up on your poker tactics

With the emergence of artificial intelligence tools and machine-learning threat vectors, Tom Kellermann, chief cybersecurity officer of Carbon Black, strongly believes that the de facto Lockheed Martin Cyber Kill Chain model of cybercriminal behavior needs revisiting.

“To be effective at cybersecurity, we need to get inside the minds of cybercriminals and understand the motivations driving their behaviors. Attackers have “tells,” much like poker players. These “tells” often appear in the data. Defenders can exploit these tells and gain the advantage by understanding the data.”

Having identified the phases of the Cognitive Attack Loop, Carbon Black’s experts recommend the Cognitive Defence Loop where the defenders employ the same loop mechanism to counter each of the three phases of the attack loop. Just as a good poker player knows how to get into and remain in a strategic position to limit the way other players can maneuver or bluff their way, CISOs need to do the same when fortifying their infrastructure.

7-step path to a royal flush

Now that enemies’ evolving modus operandi were known better, some steps were listed to gain better visibility into cybercriminal behavior within systems using the mnemonic “DEFENCE”.

Determine the gaps in your tech stack in obtaining behavioral data, to enable automation and orchestration for customize watchlists and pattern recognitions. Create a plan to fill these gaps.

Employ frequent random penetration tests/compromise assessments from inside out to identify all viable attack paths for lateral movements.

Funds for executing preemptive strikes to fill security gaps are vital – utilize good cybersecurity research papers and use the poker analogy if necessary, to get buy-in from top leadership.

Extensive monitoring of behavioral threat patterns must be exploited to orchestrate and automate collaboration, remediation and other operational tasks across the entire security stack.

Narrow down incidence response time by setting up appropriate prevention controls, using data to get to root causes of entire classes of attacks, and zero in on incidents with all the information at your fingertips.

Continuous learning about new and trending criminal behaviors is critical. Proactively explore the data in your environment for vulnerability.

Empower your teams to constantly see both the attackers’ and defenders’ points of view in every situation, to gain a full perspective.

This application of sound poker tactics to cybersecurity may just be the way to even the score with cybercriminals. As a wise man once said, “Poker may be a branch of psychological warfare, an art form or indeed a way of life, but it is also merely a game in which money is simply the means of keeping score.”