The Best Defense is a Good Offense

Key to Winning: When I was a kid, I used to play football. When our defensive team was on the field most of the game, we usually lost. However, almost every time our offense had the ball longer and was scoring, we won the game. In the cyber world, we are always playing defense.

A Change in the Game: With the current administration, the national strategy for dealing with “advanced persistent threats” and organized cyber-crime has been turned upside down. According to a recent Washington Post article, the commander of U.S. Cyber Command and the NSA, Gen. Paul Nakasone, refers to the new way of handling hackers as “persistent engagement.” The idea is to impose a cumulative cost on the adversary by keeping them constantly engaged. With this shift in paradigm, we go from responding wherever we are attacked to proactively searching for attackers and disrupting their operations.

Trickbot: Gen. Nakasone did this recently by disrupting the operation of the Trickbot botnet, which is run by a Russian-speaking cyber-crime organization. The Trickbot botnet has an army of at least 1 million hijacked computers from around the world. Trickbot is malware that can steal financial data and drop other malicious software onto infected systems. The hijacked computers send out beacons to the command and control centers, which provide instructions for the controlled bots. These bots send out malware to other computers to infect them and steal financial data or hold them hostage with ransomware.

Last month the Trickbot botnet attacked Universal Health Services, locking their systems with the Ryuk ransomware. This caused over 400 facilities to revert to manual and paper records. The attack caused some facilities to turn patients away. However, on September 22nd, the tables were turned on Trickbot and there was a disruption of their command and control servers. Someone hacked the hackers’ servers, severing the connections between the bots and the command and control servers. The hackers recovered and restarted operations in a day. A similar attack occurred on October 1st, where it took two to three days for the hackers to recover.

Not Exactly New: The attack on Trickbot is not the first of its type. According to an article in Wired magazine, the same organization helped take down the digital arm of ISIS in 2016. One by one, Cyber Command took out the ISIS accounts controlling their media. One analyst noted that “they were lazy just like most internet users” and ran their entire operation on just 10 accounts. This made it relatively easy to dismantle their network.

Don’t Be Vigilantes: Now, I am not advocating that we take it upon ourselves to become cyber vigilantes. At this time, only the NSA and Cyber Command are legally allowed to take offensive actions like those discussed above. What corporate America can do is what is called proactive cyber defense. We can perform threat hunting. Threat hunting proactively searches out malware on your network by looking for clues that hackers leave behind. We’ll talk more about that next week. Endpoint detection agents that continuously monitor can also help with being more proactive.

The Way Ahead: What Gen. Nakasone and the U.S. Cyber Command are doing is a step in the right direction for our national security. They have the skills that it takes to be effective, and their mission is to disrupt the enemy. If the hackers are busy fixing their networks, they won’t have time to disrupt ours. In the cyber world, governments are starting to understand that the best defense is a good offense.