Offense should inform defense. Knowing the threat landscape and TTPs can help guide organizations to toughen their cybersecurity posture.

Organizations spend enormous amounts of their security budget preparing for data breaches. Yet, 90% of security professionals across the globe had said that attacks have increased. Additionally, 94% of organizations worldwide surveyed had suffered a data breach as a result of a cyberattack in the past 12 months.

A critical aspect that is often overlooked is understanding the motives of attackers. It is time organizations start asking the right questions to help determine how and why they have been breached.

A clear understanding of attacker motives allows security teams to anticipate, prepare for and build an effective defense against threats better. VMware Carbon Black’s 2020 Cybersecurity Outlook Report found that attacker behavior is evolving to become more evasive, so organizations should take a proactive stance and respond accordingly.

Offense should inform defense, and it is important to uncover ground truth. Only when organizations have a full view of their networks and threat landscape will they be able to effectively shift people, time and resources to account for new attack behaviours.

The cognitive attack loop

There are three phases of cybercriminal behavior that organizations need to familiarize themselves with.

Phase 1: Reconnaissance and infiltration
This initial stage occurs when an attacker prepares for an operation, which includes selecting targets and determining the means to gain access to the target.

Phase 2: Maintaining of foothold/manipulation
This is when attackers have gained access to the target network and they work to maintain a foothold in the organization’s environment. This is a critical stage as they will continue to improve their position to move forward with their goals, which often requires additional access levels or to circumvent existing controls.

Phase 3: Execution and exfiltration
Entering this final stage means that attackers are now able to act on their end goal, which could include lateral movement or island hopping. This ultimately compromises the target organization’s information integrity, confidentiality, or availability.

By studying this attack loop, organizations will gain unique insights into the motivations behind an attack which can then feed into the development of a cognitive defense approach. Understanding attack behavior will guide security teams in the prevention and detection of breaches—bringing about overall consistent and positive security changes.

Offense informs defense

The traditional penetration test is no longer sufficient. Organizations should not be limiting testing to the outside-in. Rather, they need to look at security from the inside-out to better understand attack patterns.

The inside-out approach focuses on setting strong prevention and intervention methods that are proactive rather than reactive. Globally island hopping and lateral movement attacks are escalating, creating an even greater need to understand the escalation of adversaries when they commandeer digital transformation efforts.

One way to look inside-out is to execute a cyber-hunting exercise, which provides situational awareness of the behavioral anomalies that exist within your digital infrastructure.

The name of the game is to understand if systems have been compromised before island hopping occurs. Increasing visibility on endpoints to discern behavioral anomalies provides you with a harbinger of criminality.

It is imperative to get a baseline understanding of where behavioral anomalies exist and where vulnerabilities lie. A cyber-hunting exercise (using third party plus in-house security experts) can help expose where systems are vulnerable and where the organization needs to increase controls.

Intrinsic and continuous threat intelligence

Threat intelligence should also be utilized to build a strong security posture. This helps outline an attacker’s motive and enables organizations to discover new threats and proactively put up barriers to defend against them. With threat intelligence, security teams become proactive. That said, intelligence feeds need to be integrated into endpoint detection and response (EDR) and made relevant to the specific threats facing an organization’s industry.

Consider threat intelligence an intrinsic part of a continuous cyber strategy that includes weekly threat hunting. The security team should also standardize on a best-of-breed EDR. In today’s remote workforce, threat hunting needs to go beyond traditional intelligence and detect process injection, misuse of Windows Management Instrumentation; and exploitation of non-persistent virtual desktop infrastructures.

Cybercriminals are now fighting back by leveraging counter incident response (IR) and destructive attacks. In response, organizations must stay vigilant when conducting threat hunting exercises and focus on identifying potentially new threats. It is also imperative that organizations regularly test their systems for vulnerabilities and take steps to defend against new threats.

Prepare for the opportune moment

Organizations should set up a secondary line of secure communications that allows for secure talk, text and file transfer. Why? Because it is vital to discuss an ongoing cyber incident. Always assume that hackers can intercept, view, modify and compromise all internal communications.

Security teams need to assume that the adversary has multiple means of gaining access into the network. Shutting off one entry point may not actually remove attackers from an organization’s network. This will very likely have the opposite effect by alerting the attackers that they have been noticed.

Next, organizations need to watch and wait. To understand all avenues of re-entry, organizations should monitor the situation to fully grasp the scope of the intrusion.

Do not immediately start blocking malware activity, shutting off access or terminating the command and control servers (C2). This is to effectively develop the means to successfully remove an intruder from the network. Pre-mature blocking attempts to impede their activities may cause hackers to change tactics. This can potentially leave an organization blind to additional means of re-entry. In addition, hackers will escalate by employing counter incident response and potentially destructive attacks.

Taking action to understand what motivates cyber attackers will enhance organizations’ preparedness for a data breach and deploy cyber testing, threat intelligence and communications to prepare for the next impending cyber threat.