Sun Tzu wrote that mastery in the art of war is about subduing one’s enemy without having to fight. As the modern world contends with increasingly sophisticated cyberattacks from both criminal and political adversaries, this 2,500-year-old maxim remains central to enterprise security strategy.
Today, the “bad guys” of the Internet are both professional in their business tactics and entrepreneurial in how they leverage opportunity. They’re well-organized and use a mature supply chain. They’re operating cloud-based services offering bots, exploit kits, and more. Cybercrime as a Service (CaaS) shares many of the features of legitimate enterprises, and cyber warfare has become as much about business as it is about malfeasance.
The variety and frequency of attacks can make defending against cybercrime feel like a Sisyphean effort, but understanding the motivations and socio-economic model of modern cybercrime provides practical insight to protect, detect, and respond to likely attacks.
Know the adversary
There are many sorts of criminals who use the Internet for chaos and profit. The lone “haxx0r” trying his “leet skillz” against the establishment is still a relevant trope, but most of today’s cybercriminals operate in increasingly sophisticated teams.
- Non-professional hackers. Non-professional hackers tend to use cobbled-together kits and communicate in open forums. Success is often due to luck as much as skill, but it only takes one breach to cause hundreds of millions of dollars in damage to a vulnerable enterprise.
- Black hat hackers. These are the industrial-grade hackers who combine business expertise with technical prowess to create and sell CaaS services. Their customers are other black hats, non-professionals, and state-sponsored or rogue groups. Black hat hackers underpin a multibillion-dollar Dark Web economy that crosses borders and trades in compromised and stolen data.
Motives of malicious hackers can range from theft for barter and profit to professional fame or even a vendetta. Understanding these motives is to your advantage. If you can increase the level of effort required to breach your network and reduce or eliminate the attacker’s potential ROI, then you decrease interest in your system as a target for cybercrime.
Survey the battlefront
The Dark Web is both marketplace and delivery system for cybercrime activities, though to be clear, not everyone using the Dark Web is engaged in commercial/criminal hacking. The appeal of not being tracked lures many to anonymity networks (such as Tor) where activities include peer-to-peer file sharing, black market trafficking, political organizing, and so on. Anonymity and untraceability make the Dark Web the environment of choice to run botnets and buy and sell CaaS services.
Black hat hacking methods might vary based on a region or culture, but globalization is as much a factor in production, labor, and monetization patterns of CaaS as it is for legitimate multinational enterprises.
Recon enemy tactics
From exploit kits to ransomware, the products and services of CaaS are numerous and evolving. Cybercriminals use attack methods that are built to evade detection and tailored to the specific weaknesses of their target. For a deep dive on black hat methodology, read “Understanding Cybercrime,” a Microsoft white paper. Here are some common CaaS services:
- Exploit kits. Black hats buy and sell kits that target software vulnerabilities to infect PCs and devices with malware.
- Anti-AV. These are services that test or repackage malware against commercial anti-virus products so that cybercriminals can distribute it with little fear of detection.
- Breaching services. Black hats buy and sell tools and hacking services for breaching websites and company systems.
- Compromised account data. Black hats can sell any of the assets they steal, or trade in stolen data among 2nd- and 3rd-party cybercrime entities.
Craft a defensive strategy
Another warfare truism is that the attacker only needs to succeed once, while the defender must succeed every time. Therefore, the goal in cybersecurity is not about being able to fight attacks from all comers; instead, it’s about making your enterprise so difficult or costly to attack that cybercriminals prefer to look elsewhere.
- Examine your company’s business model and infrastructure from an adversary’s point of view. What do you have that might appear valuable to an attacker? Profile the type of person or organization who might have the motive, means, and opportunity to attack your interests.
- Think through what would happen in the event of a data breach. An “assume breach” strategy emphasizes breach detection, incident response, and effective recovery. “Wargame” potential scenarios to fine-tune your defenses, so you’re able to respond quickly to threats and minimize impact.
- Remember that people are both your greatest asset and your biggest potential liability. Social engineering (i.e., exploiting human nature) is one common way that black hats attack businesses and individuals. Identify points of vulnerability in regular human processes, such as when people switch between work and personal activities on devices. Train your teams to be smart and empowered defenders.
By the way, you might want to check out a test that Microsoft developed to help assess how well your security stack defends against attacks seen in the wild. Find out where your company’s gaps are and where you’re overdefended.
Last but not least, cultivate alliances
Business leaders sometimes worry that moving business processes to the cloud will increase vulnerability to cybercrime threats, but a reputable cloud provider typically brings more security expertise, telemetry, and threat intelligence to bear than a single enterprise can on its own. At the risk of stretching the military strategy analogy, businesses defending themselves against cybercrime are more effective when they share intelligence, work together to contain enemy resources, and coordinate countermeasures.
CISOs must consider pros and cons when it comes to outsourcing data defense strategy, but walling in the enterprise is seldom a viable solution. (Military history is full of examples showing how well walls work. Which is not very.) Stay on top of threat intelligence through information security groups such as the Information Sharing and Analysis Center (ISAC) specific to your industry.
And it’s good to have help. At Microsoft, our Trusted Cloud commitment to enterprise customers is founded in 30+ years of studying malicious hacking and developing technology to defend against it. We have end-to-end expertise deploying on-premises and cloud-based networking solutions, infrastructure, and formal processes.
The Microsoft Digital Crimes Unit (DCU), in partnership with international law enforcement and global cybersecurity experts, works to discern patterns across the cloud, across industries, and across borders for comprehensive threat modeling, which enables us to develop predictions about cybercriminal behavior. In addition to disrupting cybercrime, the DCU focuses on child protection and preserving intellectual property rights. Read how the Microsoft DCU fights cybercrime in “Digital Detectives.”
To paraphrase The Art of War, success in battle comes from knowing the enemy’s motivations, means, and methods as well as you know your own.