In the acclaimed military strategy book, The Art of War, Sun Tzu writes “[a]ll warfare is based on deception.” This tenet holds true for cyber warfare as many advanced attackers try to deceive their victims by using misdirection tactics such as launching Distributed Denial of Service (DDoS) attacks before, during, or right after a data breach to tie up IT resources and cover the real heist.
It is extremely important to understand the motives and the nature of the attackers to create a counter strategy. Just like great chess players calculate several moves in advance to achieve the prized checkmate, it is critical for the investigative teams to understand the big picture and create a sound strategy to thwart an intruder.
Lack of strategy often results in a “whack-a-mole” style investigation, which means that the response team investigates every alert from security appliances and conducts remediation without thinking ahead. These types of investigations create confusion and frustration for the victim organization. For example, as a first remediation step, investigators will often request a password change for each and every user account in the organization, only to find out a few days later that attackers were able to dump password hashes (which can be cracked to obtain real passwords) after the password change date of all users, necessitating yet another password reset. An investigation without a strategy can also result in losing track of active threat actors in the environment; if, for instance, investigators decommission a compromised Terminal Server actively used for lateral movement by attackers, they lose visibility of the attackers in the network. In chess, great players will often sacrifice a weaker piece as a disguise to capture their opponent’s stronger piece and achieve the ultimate goal of checkmate. Likewise, calculated risks may be taken by investigators in consultation with the client’s management team and legal counsel, if investigators believe these risks can result in greater visibility of the attack lifecycle and comprehensive remediation.
Related Blog Posts
One sound basis for an investigative strategy — the “OODA Loop”, or observe, orient, decide, and act, — refers to a cycle developed by military strategist and U.S. Air Force Colonel John Boyd. In cyber investigations, the “observe” phase addresses the gathering of logs, malware, and all relevant data about the attack. The “orient” phase is one of the most important as this is where critical analysis is done, incorporating threat intelligence and previous experiences. The “decide” phase is where the strategic chess moves come in, considering consequences of all possible actions and then choosing the best ones. The “act” phase is where decisions are carried out, and results are then fed to the “observe” phase to continue the loop.
Typical investigations account for the “observe” and “act” components of the OODA loop; however the addition of the “orient” and “decide” components can greatly enhance an investigation. In today’s cyber-attacks, malware is no longer the only persistent communication channel. Attackers are usually successful in acquiring legitimate VPN credentials to gain access to the network and collect critical information via Windows PowerShell, Windows Management Instrumentation Command-line (WMIC), Scheduled Tasks and other custom tools. As a result, “whack-a-mole” style investigations that involve decommissioning infected systems or remediating them without tracing the full attack lifecycle can be counterproductive because attackers can quickly reestablish access shortly after. A sound and thoughtful strategy that addresses a tactical order of remediation can play a decisive role in containing an incident and understanding the full scope of an attacker’s activities within the environment.