By Robert J. Shaker II, CISSP, CCSK, CGEIT, CRISC
Since the dawn of man there has been intelligence. Hunter-gatherers would venture out and learn from the world around them what each sound, smell and taste meant. The growl of a large predator warned them to prepare a defense or change paths, the smell of smoke meant other humans were nearby, and a bitter taste meant something wasn't edible. As time marched forward, learning about the other packs of humans around them became more important. Whether the packs competed or cooperated for resources, either required getting to know the other pack, and sometimes the best way to do that was to spy on them: to gather human intel about the way they behaved, the way they interacted with each other, and how strong or weak they were.
Regardless of the point in history, this has proven true, and we can see it as we progress through our modern era. In fact, intelligence became so important that commercial intelligence companies began forming. The Age of Exploration saw a boom in this industry as the colonial armies grew. Their need for intelligence required outside parties, whether to help with the sheer volume of work, to cover geographic dispersion or to give plausible deniability. Is it so different now?
Today, we are up against countless adversaries. They're nameless, faceless and shrouded behind false information. The ships on the horizon, the spies in our midst and the fortress we protect are all in the digital domain. The virtual skies are foggy and visibility is low; today's environment is much more difficult to navigate. The one commonality between these two vastly different times is the importance of human intel, and I'd argue that today it's more important than ever. A couple of scenarios below will illustrate just how important it is for our innately human talents to remain a vital part of cyber security.
Symantec is a large organization providing security solutions on a global scale, and we also provide security services to many of those customers. The Security Strategy & Advisory team is made up of former C-level security executives and expert security assessment professionals. It focuses on direct interactions with Symantec customers' CISOs to understand real-world IT security challenges and works closely with them to provide cyber security strategy, assessments and penetration testing.
The team also acts as a trusted adviser to security executives, business leaders, and IT executives and management. For example, when a customer is faced with a cyber-attack, we work closely with them to get through the incident and get back up and running. For the purposes of this article, it seems appropriate to highlight a couple of brief, real-world incidents where the data alone wasn't enough to solve the problem. It wasn't until the unique abilities of the human mind were added to the mix that a breakthrough happened.
Scenario #1: Testing the Media
A large media outlet was under attack, and they didn't know it. Symantec observed malicious traffic directed against the victim's Content Management System (CMS), using application-layer attacks to maximize the disruptive impact on the victim's servers above and beyond the normal traffic load. The application-layer tactics included repeated queries against the CMS's search system as well as repeated requests for bandwidth- and processor-intensive video objects served by the news site. Both kinds of request are cheap for a client to send and expensive for the server to answer, which is what makes them effective against a site built to absorb high volumes of ordinary traffic. Based on experience with such characteristics through our Global Intelligence Network, the observed targeting was quickly identified as consistent with a more sophisticated operator. It was also likely that this operator knew the target was a large media company that normally serves large amounts of content, and thus anticipated the need to defeat the robust web servers commonly used in a media organization's content delivery infrastructure.
Based on human experience, Symantec was able to correlate the attack with a known cyber-criminal group. The strange thing is that this group was not known to target media outlets; in the past, they had specialized in attacks on financial services. By applying human intelligence it was determined that the media outlet was being used to test a new attack variant and to see how a defender might react. When contacted, the media outlet's response was typical: “What attack? We're experiencing a network outage. We've got our team working with the service provider to rectify the problem.” Once the media outlet understood the full context, they were able to redirect their efforts and properly defend against the attack.
By understanding the perspective and motivations of the attack actors, human intelligence not only rescued the media outlet but also gave financial organizations a head start on preparing for techniques that could be used against them next. Human intelligence, the original tool we all relied on, has been somewhat lost in recent years as automation and machine learning became the buzzwords of security defense. As the threat landscape and attack actors have evolved to new heights of sophistication, human intelligence is proving its worth once again. Speaking of financial organizations…
Scenario #2: Always Know What the Other Hand is Doing
Symantec observed a financial services company under a distributed denial of service (DDoS) attack. A DDoS can affect an organization in many different ways; in this case it could prevent money from coming into the company. Using the incoming telemetry and human intelligence, we were quickly able to determine that the bad guys were conducting a multi-flanked attack: the DDoS was just a diversionary tactic. While the organization put all its effort into combating the DDoS, a small targeted attack was under way against its treasury and mobile banking systems. Even their internal intelligence team didn't notice the stealthy second flank. By bringing the full picture into the light, they changed their defensive posture and were able to see and prevent the actual attack.
By studying attack actors, we gain insight into patterns and aberrations that clue us in to what's really going on. We need opportunities to do more than just imagine what attackers think; we need to put ourselves in their shoes and get into their frame of mind. A computer can't get into a person's mind (at least not yet). For the foreseeable future, this still requires humans. Without the benefit of experience and human intelligence, this type of attack has a much greater chance of success.
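The two scenarios above, as an added example that is not code from this article or from Symantec: flag the application-layer pattern of Scenario #1 (one client repeatedly hitting the CMS search page and repeatedly fetching large video objects) in web access logs, then use the resulting flood window to look at a second system's audit trail for the quiet flank of Scenario #2. Everything in it is constructed: the log format, the URL patterns, the thresholds, the treasury-API events and the IP addresses are assumptions for illustration, not data from the incidents.

```python
"""Added example (not code from the original article or from Symantec):
flag an application-layer flood in web access logs, then check a second
system's audit trail for quiet activity during the flood window. All log
lines, events, paths and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: client_ip [ISO timestamp] "METHOD path" status bytes
ACCESS_LOG = """\
203.0.113.7 [2014-05-01T10:00:01] "GET /search?q=breaking" 200 5120
203.0.113.7 [2014-05-01T10:00:02] "GET /search?q=election" 200 5120
203.0.113.7 [2014-05-01T10:00:03] "GET /video/clip-9.mp4" 200 48000000
203.0.113.7 [2014-05-01T10:00:04] "GET /search?q=weather" 200 5120
203.0.113.7 [2014-05-01T10:00:05] "GET /video/clip-9.mp4" 200 48000000
203.0.113.7 [2014-05-01T10:00:06] "GET /search?q=sports" 200 5120
198.51.100.2 [2014-05-01T10:00:07] "GET /index.html" 200 20480
198.51.100.2 [2014-05-01T10:00:09] "GET /article/123" 200 30720
203.0.113.7 [2014-05-01T10:00:10] "GET /video/clip-9.mp4" 200 48000000
203.0.113.7 [2014-05-01T10:00:11] "GET /search?q=markets" 200 5120
198.51.100.2 [2014-05-01T10:00:12] "GET /search?q=markets" 200 5120
malformed line on purpose: the parser must skip it, not crash
"""
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3}) (\d+)$')
# Cheap for the client, expensive for the server (assumed CMS search and video URLs).
EXPENSIVE = {"search": re.compile(r"^/search\b"), "video": re.compile(r"\.mp4$")}

def parse_access_log(text):
    """Return (ip, timestamp, path) per well-formed line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, _method, path, _status, _nbytes = m.groups()
            rows.append((ip, datetime.fromisoformat(ts), path))
    return rows

def max_in_window(times, window):
    """Largest number of timestamps inside any span of length `window` (two pointers)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def find_app_layer_floods(rows, window_s=60, thresholds=None):
    """Per client IP, count expensive requests in a sliding window and report IPs
    over any threshold, with the first/last time that IP was seen."""
    thresholds = thresholds or {"search": 5, "video": 3}  # assumed, tune to baseline
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, ts, path in rows:
        for kind, rx in EXPENSIVE.items():
            if rx.search(path):
                per_ip[ip][kind].append(ts)
    floods = {}
    for ip, kinds in per_ip.items():
        counts = {k: max_in_window(v, window) for k, v in kinds.items()}
        if any(counts.get(k, 0) >= n for k, n in thresholds.items()):
            seen = [t for v in kinds.values() for t in v]
            floods[ip] = {"counts": counts, "start": min(seen), "end": max(seen)}
    return floods

# Constructed audit events from an unrelated system (say a treasury API):
# (ISO timestamp, system, action, source IP). The layout is an assumption.
OTHER_EVENTS = [
    ("2014-05-01T09:30:00", "treasury-api", "login_ok", "198.51.100.9"),
    ("2014-05-01T10:00:04", "treasury-api", "login_failed", "192.0.2.55"),
    ("2014-05-01T10:00:08", "treasury-api", "wire_template_changed", "192.0.2.55"),
    ("2014-05-01T10:45:00", "treasury-api", "login_ok", "198.51.100.9"),
]
SUSPICIOUS = {"login_failed", "wire_template_changed"}

def events_masked_by_flood(floods, events, slack_s=300):
    """Suspicious events on other systems inside (or within slack_s seconds of) a
    detected flood window: the quiet second flank a team busy with the flood misses."""
    slack = timedelta(seconds=slack_s)
    flagged = []
    for ts, system, action, src in events:
        t = datetime.fromisoformat(ts)
        for ip, f in floods.items():
            if action in SUSPICIOUS and f["start"] - slack <= t <= f["end"] + slack:
                flagged.append({"ts": ts, "system": system, "action": action,
                                "src": src, "during_flood_from": ip})
                break
    return flagged

if __name__ == "__main__":
    floods = find_app_layer_floods(parse_access_log(ACCESS_LOG))
    for ip, f in floods.items():
        print(f"flood from {ip}: {f['counts']} between {f['start']} and {f['end']}")
    for e in events_masked_by_flood(floods, OTHER_EVENTS):
        print("masked by flood:", e)
```

The thresholds and window length are placeholders that a real deployment would tune to the site's baseline. The design point is the hand-off: the flood detector's output (a source and a time window) becomes the input to a query against systems that have nothing to do with the web tier, which is exactly the step the diverted team in Scenario #2 never took.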
Where Do We Go From Here?
The attack actors are no longer lone gunmen. Not only has each group matured in its methods and execution, they have created an entire ecosystem of players. These players, some underground and others not so much, have different roles to play in a successful attack. They can be separate ‘business units’ within a criminal organization or ‘independent contractors’ hired for their expertise in individual fields such as reconnaissance, incursion or exfiltration. If you have a target, it is relatively easy to find the different pieces needed to pull off a successful attack. The division of labor also has the added benefit of protecting the attackers from being discovered, which makes them quite difficult to stop and virtually (pun intended) impossible to capture.
We need live-fire tests and exercises that let us become the attackers and see what creative ways we can come up with to circumvent our own defenses. We need to learn our history and use that knowledge to gain insight into the future of organized cyber-criminal enterprises. Understanding their ecosystem and strategies requires human intelligence: people performing correlation of system-generated data, with real-world knowledge of the past and present and the experience to bring it all together into an effective plan of action.
There is light at the end of the tunnel. Many executives are starting to recognize the effectiveness of training on the offensive side of the ball in addition to constructing a great defense. Organizations in all sectors, including media, finance, government, education and everything in between, are starting to recognize the value of ethical hacking skills. Although training with this mindset is a positive step, gaining the practical experience is another beast entirely. To avoid the catch-22 of needing experience to be hired and a job to gain experience, there are thankfully now numerous ways to play without pay. From Symantec's own free CTF competitions, known as the Cyber Readiness Challenge, and the numerous free Linux distributions dedicated to ethical hacking such as Kali Linux, to wonderful online magazines and communities such as The Ethical Hacker Network (EH-Net), gaining practical experience in offensive techniques is becoming more and more attainable. And that, my friends, is a wonderful thing.
So for goodness sake, go learn to be a little bad… but never forget that you’re human!
Bob Shaker is the Chief Technology Officer for the Symantec Security and Advisory Team. As Security CTO, he leads a team of security thought leaders focused on direct interactions with Symantec customer CISOs. Bob works closely with Security Business Unit executives, sales organizations and customers and is responsible for providing security strategy and direction, governance and compliance, industry security trends and threat landscape evolution, and best practices, and acts as a trusted advisor to security executives, business leaders, and IT executives and management.
Prior to joining Symantec, Bob worked for Wellington Management Company, LLP for 9 years, where he was Vice President, Director, Information Security and Internal Controls. He was responsible for the strategic direction of information security for the firm, including policy, architecture, engineering and the internal controls program. Managing and working directly with a team of security professionals, he provided security solutions, and evolved them over time, to meet the growing needs of the firm, including global ITGRC, firewalls, IPS, IDP, two-factor authentication, encryption, DLP and several other leading-edge technologies. He was also the central resource for information services for all client, regulatory and internal due diligence and audit requests, including SAS 70, OCC, SEC, etc. Bob was also elected and served as the Information Security Officer for Wellington Trust Bank, NA.
Prior to joining Wellington Management in 2003, Bob was Director of Information Services/Security Solutions Director for Primix/Burnstand Inc. (2000 – 2003), responsible for the global IS resources. He developed, sold and executed security solutions with a team of security professionals. Before that, he held senior security positions at several consulting firms (1993 – 2000).