The term “advanced persistent threat” describes the highly evolved nature of today’s cyberattacks. Hackers have developed sophisticated techniques – in-memory exploits, living-off-the-land attacks, remote access trojans, and more – that allow them to evade detection and attack in obscurity. However, as much as these techniques have changed over time, the underlying goal, or “tactic” as MITRE calls it in its ATT&CK framework, remains the same: stealing something valuable.
The motives of your average hacker haven’t changed much in the past few decades. Although we now have to contend with nation-state hackers carrying out a geopolitical agenda, the reality is that the methods are largely the same as hackers seeking to profit or cause chaos. For as much as the cybersecurity landscape has grown larger and more malicious over the last 20 years, it’s been a circular process that perpetually returns to the same core strategies – the ones the cybersecurity industry as a whole is still struggling to solve.
The MITRE ATT&CK framework catalogs cyberattacks by breaking them down into advanced techniques and tactics. Techniques refer to the type of attack the hackers employ, such as sending a spearphishing link or compromising a hardware addition. Tactics refer to the outcome the hacker wanted to engineer, including escalating privileged access or exfiltrating data.
Notably, the list of techniques has added many new items over time as hackers have devised new methods, yet there’s only been one new tactic added in the entire history of the framework. Even with the addition of Impact, the argument can be made that it always existed but wasn’t included in the framework before. Here we see a clear example of how the threat landscape changes constantly from a technical perspective but not from a tactical one. Hackers devise new tricks in the service of what are ultimately the same goals.
This may seem obvious, but it’s a fact the cybersecurity industry often overlooks, as most defensive solutions focus on techniques. They’ll shut down specific types of attacks, such as a drive-by compromise or a UAC bypass, and potentially miss other attacks – especially zero days. It’s no wonder then that 80 percent of successful attacks are new or unknown zero days; defenders spend their time chasing something that’s constantly changing instead of protecting what doesn’t change. Cybersecurity prioritizes techniques over tactics when it should be just the opposite.
In a digital world, hacking is a geopolitical tool. That’s why Russia, Iran, North Korea, and even the US have all used cyberattacks to exert their influence in recent years, adding a new layer to the threat landscape. More importantly, it will likely lead to an overall increase in cyberattacks, many of which will be well funded. Even with the rise of state-sponsored groups, however, the fundamental tactics won’t change.
Now as always, hackers are mostly trying to turn exfiltrated data into something of value; no different from any organized crime syndicate trying to profit from theft. For most hackers, that means turning data into money, but value might look different to state-sponsored hackers. Regardless, all hackers will use similar tactics to achieve their desired end.
This is yet another example of cybersecurity changing without becoming fundamentally different. Worrisome as the rise of politically motivated hacking may be, it doesn’t change how companies should approach their defense: focused on advanced cyberthreat tactics above all.
Cybersecurity hasn’t changed much, but the dominant approach is long overdue for something new. The detection-centric strategy most organizations rely on can only protect against something already known – not the new techniques hackers are constantly creating or the advanced persistent threats that disguise their true nature. When cyber defenses face off against hackers on the front lines of the battlefield, the hackers have the advantage because, as the Department of Homeland Security wrote, the static nature of most computer systems makes them easy to attack and hard to defend. As a result, defenders have been perpetually reactive in their approach to cybersecurity with the idea that breaches are unstoppable and the only pathway forward is to mitigate the damage.
There is another way, though. Focusing on preventing the tactics, agnostic of the specific technique, can empower defenders to short-circuit an attacker’s end goal. For example, attack surface reduction rules (available in Windows 10) can be applied to Office applications to prevent them from launching child processes. This can of course have a limited impact on legitimate applications, but it delivers far greater value by dramatically reducing exposure to the “Execution” tactic.
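The Office child-process rule mentioned above, as an added example that is not from the original article: a PowerShell rollout that starts in audit mode, checks Defender's event log for what the rule would have blocked, and only then enforces it. It assumes Windows 10 with Microsoft Defender Antivirus real-time protection on and an elevated session; the rule GUID and event IDs are Microsoft's published values.

```powershell
# Added example (not from the original article): roll out the Defender ASR rule
# "Block all Office applications from creating child processes" in audit mode,
# review what it would have blocked, then switch to enforcement.
# Assumes Windows 10 with Microsoft Defender Antivirus and real-time protection on,
# run from an elevated PowerShell session. The GUID is Microsoft's published rule ID.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Step 1: audit mode logs would-be blocks without affecting users.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Step 2: confirm the rule is registered and in the expected state
# (action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -eq $OfficeChildProcRule) {
        "Rule $OfficeChildProcRule action = $($prefs.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# Step 3: after a trial period, list audited hits for this rule
# (Event ID 1122 = audit, 1121 = block) to find legitimate workflows,
# such as add-ins or macros, that spawn processes from Office.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $OfficeChildProcRule } |
    Select-Object TimeCreated, Id, Message -First 20

# Step 4: once the audit log shows only expected activity, enforce the rule.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Legitimate exceptions found in step 3 can be excluded per path with `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` rather than by disabling the rule.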
Hardening by removing administrative privileges from employees who should not have them is another proactive way of reducing exposure risk to the “privilege escalation” tactic. In many cases, removing privilege escalation as a possibility can halt an attacker from progressing toward their ultimate goal of data exfiltration.
Further, applying moving target defense in the form of morphing application memory reduces the risk of infiltration, defense evasion, and exfiltration. The reason is that moving target defense turns the static application memory into a dynamic target; it essentially makes it impossible for attackers to accurately identify the target, thus providing a strong defense and similarly halting the attack chain.
It’s worth noting that there is a risk of exposure involved in a tactic-centric approach. However, thinking like an attacker and working to guard against the high-level goal is overall more effective in the long-term versus trying to block every possible technique. To put things differently, neutralizing a technique doesn’t stop an attack from proceeding. Hackers can pull something else out of their arsenal or invent something unstoppable. But when you shut down the attack chain at the tactic level, you halt an attack in its tracks. As companies strive to make cybersecurity both easier and more effective, this proactive approach to cyber threat prevention is more critical than ever.
Not every aspect of cybersecurity needs to shift, however. On the contrary, the basis of IT hygiene should stay the same regardless of the focus on preventing advanced threat tactics. That means keeping routers and firewalls properly installed and configured, updating authorizations, installing patches/updates, enforcing password rules, and segmenting systems: all things necessary to keep techniques and tactics alike from ever being successful.
The future of cybersecurity looks a lot like the past. Hackers will still use either force or stealth to infiltrate systems and steal at will, except their attacks will be more sophisticated and arrive in higher volume. That makes for a bleak outlook until you remember that you already know the ultimate goal that attackers hope to achieve; that information allows you to take a more holistic viewpoint of security and evolve beyond technique-focused technologies that focus on detecting attacks after they have already occurred.