The cyber intent strategy is to seek out the reconnaissance traffic that precedes an attack and manipulate it so well that the attack never succeeds. Leveraging and countering malicious cyber intent as your earliest defense draws from information warfare. Investing a small misdirection here could pay dividends later.

The opportunity to harness and change the outcome of an attack based on perceiving malicious intent during the very first stage of an attack is often overlooked. When this type of traffic is simply blocked, the opportunity to do more with it is lost. In the best-case scenario, the successful application of a cyber intent strategy completely disrupts an imminent attack. In the worst-case scenario, cyber intent-powered defenses push an otherwise stealthy adversary onto the radar of traditional security defenses.

Why start here?

If you ask three cybersecurity subject matter experts to list the stages of a cyberattack you will get three different answers. But we don’t care because Reconnaissance leads all three:

Answer 1         Answer 2                  Answer 3
---------------  ------------------------  ------------------------
Reconnaissance   Initial Reconnaissance    Reconnaissance
Incursion        Initial Compromise        Weaponization
Discovery        Establish Foothold        Delivery
Capture          Escalate Privileges       Exploitation
Exfiltration     Internal Reconnaissance   Installation
                 Move Laterally            Command & Control (C2)
                 Maintain Presence         Actions on Objectives
                 Complete Mission


WordPress

WordPress is no longer just a humble blogging platform but now powers 38% of the internet according to w3techs.com. WordPress also supports large sites such as The White House, Fortune, Walt Disney, and even some eCommerce. WordPress is just today’s example, but the same lessons can be applied to the name brand products you are running within your enterprise and the attack strategies carry over.

A hacker’s usual approach to breaching WordPress sites includes using a legitimate security tool like WPScan to discover usernames as well as installed plugins and themes. The attacker then tries to brute force passwords for the previously discovered user accounts. At the same time, they check exploit databases for known vulnerabilities in any of the installed plugins and themes, and then try to hack in through those if account access cannot be obtained.

Why not block it

When this type of traffic is detected, the common approach is to simply block it. But the biggest drawback we care about with this is the incredibly short feedback loop for the adversary – they know immediately that they were blocked and exactly when their gathering of high-fidelity intelligence was cut off. To circumvent this, they might switch IP addresses, rate limit their requests, or just come back later. They build a bigger and bigger picture of your attack surface and security posture. They amass pieces slowly, but each of those pieces of intelligence is trustworthy.

Disrupt the intelligence gathering

So why not disrupt the information gathering step of the attack? It is entirely possible to disrupt the Tactics, Techniques, and Procedures (TTPs) such as username discovery and the enumeration of plugins and themes. So, when the attacker scans for usernames, return ones that don’t exist. When they scan for any of 88.5k+ known plugins that might be installed, respond indicating that they are all installed. The same goes for when they scan for 400+ themes.

In this scenario the attacker gathers an overwhelming amount of what they think is high quality intelligence. Usually their problem is too little intelligence. They’ll blindly launch attacks against accounts, plugins, and themes that don’t exist, so the exploits will never work.
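The disruption described above can sit in a reverse proxy or a site plugin in front of the real application. The following is an added example, written for this article and not code from the original or from WordPress: a small decoy responder that answers the reconnaissance patterns the text names (username discovery, plugin and theme enumeration) with believable but false results and passes everything else through. The request paths, the `Request`/`Response` types, the `DECOY_SEED` secret and the decoy username format are assumptions; the real site's routing and logging would replace them.

```python
"""Decoy responder for WordPress-style reconnaissance probes.

Added example illustrating the article's "return usernames that don't exist /
report every plugin and theme as installed" idea. Not code from the article
or from WordPress; paths, names and the seed are assumptions.
"""
import hashlib
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a per-deployment secret so decoy usernames are stable for the
# attacker (they look like real, unchanging accounts) but differ between sites.
DECOY_SEED = b"replace-with-a-per-site-secret"
DECOY_USER_COUNT = 5

# Probe patterns this responder answers (assumed; extend to match your site).
USER_LIST_RE = re.compile(r"^/wp-json/wp/v2/users/?$")
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([A-Za-z0-9_-]+)/readme\.txt$")
THEME_RE = re.compile(r"^/wp-content/themes/([A-Za-z0-9_-]+)/style\.css$")


@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    content_type: str = "text/html"
    decoy_kind: str = ""  # the "Document" part: record what was served and why


def decoy_username(index: int) -> str:
    """Deterministic, plausible-looking username that does not exist."""
    digest = hashlib.sha256(DECOY_SEED + b":" + str(index).encode()).hexdigest()
    return f"admin_{digest[:6]}"


def classify(req: Request) -> Optional[str]:
    """Name the reconnaissance pattern a request matches, or None."""
    if USER_LIST_RE.match(req.path) or "author" in req.query:
        return "user-enum"
    if PLUGIN_RE.match(req.path):
        return "plugin-enum"
    if THEME_RE.match(req.path):
        return "theme-enum"
    return None


def respond(req: Request) -> Optional[Response]:
    """Build a believable decoy response, or None to pass the request through.

    Every decoy served should also be logged with its kind and source, so a
    later login attempt using a planted name can be raised as a high-fidelity alert.
    """
    kind = classify(req)
    if kind == "user-enum":
        if "author" in req.query:
            # Per-author-id probe: always answer with the decoy name for that id.
            try:
                idx = int(req.query["author"])
            except ValueError:
                idx = 0
            name = decoy_username(idx)
            body = f"<html><head><title>{name}</title></head><body></body></html>"
            return Response(200, body, "text/html", kind)
        users = [{"id": i, "slug": decoy_username(i), "name": decoy_username(i)}
                 for i in range(1, DECOY_USER_COUNT + 1)]
        return Response(200, json.dumps(users), "application/json", kind)
    if kind == "plugin-enum":
        slug = PLUGIN_RE.match(req.path).group(1)
        # Claim every probed plugin is present, with a version that is not real.
        body = f"=== {slug} ===\nStable tag: 0.0.1\nTested up to: 0.0\n"
        return Response(200, body, "text/plain", kind)
    if kind == "theme-enum":
        slug = THEME_RE.match(req.path).group(1)
        body = f"/*\nTheme Name: {slug}\nVersion: 0.0.1\n*/\n"
        return Response(200, body, "text/css", kind)
    return None


if __name__ == "__main__":
    for probe in (Request("/wp-json/wp/v2/users"),
                  Request("/", {"author": "1"}),
                  Request("/wp-content/plugins/not-a-real-plugin/readme.txt"),
                  Request("/about")):
        r = respond(probe)
        print(probe.path, "->", "pass-through" if r is None else f"{r.status} {r.decoy_kind}")
```

The responder has to be consistent: a decoy username that changes between requests, or a plugin that is "installed" on one probe and missing on the next, is what gives the deception away. Deriving names from a per-site secret keeps them stable for one adversary while ensuring the same tool run against two sites sees different results.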

Turn up the heat

There are lasting benefits to misleading the adversary into thinking that they succeeded in gathering quality intelligence. They move on to step 2 of their attack without knowing they already failed in step 1.

Building upon our example, if they use the “discovered” usernames to attempt to gain access themselves they will hit a wall when the credentials don’t work no matter how many passwords they try. At this point they may think that there is a bug in their tools or maybe the administrator is onto them already. They wouldn’t think to question whether the discovered usernames even exist. That’s inconceivable, because it’s never been something they’d have questioned before.

This is a much longer, taxing feedback loop and the attackers don’t know where in the process things went wrong. They will become frustrated and start to make mistakes in their attempts to rectify this, becoming increasingly noisy, reckless, and easier to detect for traditional security defenses. This brings their stealthy efforts to the surface. Otherwise, this intelligence gathering activity could have gone under the radar and the attack executed with incredible precision.
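The reason the adversary surfaces is that the names they act on exist nowhere except in the decoy responses, so any login attempt using one needs no threshold to be conclusive. As an added example (not code from the article), the following detection rule runs over a constructed login log and groups decoy-username attempts by source address. The log format, the decoy names and the sample lines (using documentation IP ranges) are all constructed for the example.

```python
"""Detect use of planted decoy usernames in login logs.

Added example for the article's point that an attacker who acts on fake
reconnaissance becomes easy to detect; not code from the article. The log
format, the decoy names and the log lines are all constructed here.
"""
import re
from dataclasses import dataclass, field

# Constructed: names that exist only in our decoy responses. Nobody has an
# account with these names, so any login attempt using one is an attacker
# acting on planted intelligence.
DECOY_USERS = {"admin_3f9a21", "admin_77b0c4"}

# Constructed sample in an assumed login-log format (documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 POST /wp-login.php user=jsmith result=fail
2024-05-01T10:00:04Z 203.0.113.5 POST /wp-login.php user=admin_3f9a21 result=fail
2024-05-01T10:00:05Z 203.0.113.5 POST /wp-login.php user=admin_3f9a21 result=fail
2024-05-01T10:00:07Z 203.0.113.5 POST /wp-login.php user=admin_77b0c4 result=fail
2024-05-01T10:02:13Z 198.51.100.9 POST /wp-login.php user=jsmith result=ok
garbage line that does not parse
2024-05-01T10:05:40Z 192.0.2.77 POST /wp-login.php user=admin_3f9a21 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Alert:
    source: str
    attempts: int = 0
    usernames: list = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""
    severity: str = "high"  # decoy names have no benign use, so no threshold applies


def detect_decoy_logins(lines, decoys=DECOY_USERS):
    """Group login attempts that used a decoy username by source address.

    Returns {source_ip: Alert}. Lines that do not parse are skipped. A single
    hit is already conclusive; the count and the set of names just show how
    much of the planted intelligence the attacker is working through.
    """
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] not in decoys:
            continue
        alert = alerts.setdefault(m["src"], Alert(source=m["src"], first_seen=m["ts"]))
        alert.attempts += 1
        alert.last_seen = m["ts"]
        if m["user"] not in alert.usernames:
            alert.usernames.append(m["user"])
    for alert in alerts.values():
        alert.usernames.sort()
    return alerts


if __name__ == "__main__":
    for a in detect_decoy_logins(SAMPLE_LOG.splitlines()).values():
        print(f"[{a.severity}] {a.source}: {a.attempts} attempt(s) with decoy "
              f"user(s) {', '.join(a.usernames)} between {a.first_seen} and {a.last_seen}")
```

The ordinary failed login for `jsmith` from the first address is deliberately not part of the rule: it is the kind of low-fidelity event that traditional defenses already see and mostly ignore. The decoy-name hits from the same address are what turn that noise into a confident finding, which is the "surfacing" effect the text describes.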

Security through obscurity

At this point some readers are probably asking themselves “Isn’t this just security through obscurity?” No, there’s a subtle but important difference that can be distilled down to:

  • Security through obscurity is denying information to the adversary
  • Information warfare is supplying false, but believable information to the adversary

By leveraging cyber intent, we get them to make decisions against their own interest without being aware.

Tactics, Techniques, and Procedures (TTPs)

David J Bianco’s concept of the Pyramid of Pain is hyper relevant here. If we use his Pyramid as a guide, exploiting cyber intent for pre-attack protection allows us to defend at the most elite level: Tactics, Techniques, and Procedures (TTPs).

“When you detect and respond at this level, you are operating directly on adversary behaviors, not against their tools. From a pure effectiveness standpoint, this level is your ideal.... you force them to do the most time-consuming thing possible: learn new behaviors.” David writes on his site detect-respond.blogspot.com.

Eventually the repeated disruptions will make the adversary reinvent themselves or give up completely.

The cybercriminal economy

Let’s take a step back to see the big picture and how this could undermine the cybercriminal economy using just our credential discovery example. If the attacker is in the business of selling stolen credentials then there are potential long-term consequences to their reputation, and by extension, revenue. Like any business, reputation matters. When an esteemed underground seller starts selling degraded information, their customers will begin to desert them.

This presents two threats to their business overall. The first is obvious and immediate: lost revenue. The second is more insidious: cost. To win customer trust back, the seller needs to better validate the information they are trying to sell. They may never have had to do this before because the stolen credentials just worked. Now they need to figure out what to do to continue the profitable operations to which they are accustomed. If they have to go back and somehow recheck every stolen credential they are trying to sell, this consumes time and money. Eventually time or money is exhausted, it is no longer feasible to harvest and sell credentials, and their business collapses.

Disrupting the cybercriminal economy is the long game. But you can benefit immediately by building a cyber intent strategy. Start using cyber intent today to Deny, Disinform, and Document attacks right from their beginning.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.