The most important question we should ask is “Why do I care?”
You should care because the perspectives and technologies discussed in this article are intentionally designed to shift left on NIST CSF and MITRE ATT&CK, delivering early detections. They are intended to increase cost and risk to adversaries by rendering their investment in attack vectors meaningless to you.
Want a tagline? Here it is: We aspire to make adversaries irrelevant. This won’t happen today, but we believe it can happen by making adversaries over-invest in recognizable patterns, organizational structures, and the testing and validation of novel technologies and techniques.
At RockITek, we believe threat-informed strategies are pivotal to the effective prioritization of security controls that increase the cyber economic cost to adversaries. Simply said, at a minimum, you need threat data and continuous monitoring to minimize uncertainty.
Our goal is to find and enable preemptive emerging-technology companies that move the needle: for example, technologies that increase the cyber economic cost to attackers by forcing them to invest in new technologies and TTPs to achieve impact. So, how do threat-informed strategies help us protect against, detect, and respond to adversaries trying to traverse networks, using identity to get to our data?
It starts by understanding a fundamental truth. Adversaries are a business and have a mission, just like you. They have a business model – a plan to use resources that monetize their efforts – just like you. They pay attention, and pivot, based on conditions, just like you.
Don’t believe me? That’s OK; the data is out there for you to see for yourself. One data point from 2021 is the fact that DarkSide ransomware is funded by cybercriminal investors.
Yep, just like legitimate venture capital, adversary groups are supported by investments from older, more established operations, typically through bitcoin payments.
In the article “Why You Should Worry About the Booming Dark Web Economy,” the authors discuss how cybercrime groups are creating new profitability for everyone, from ransomware gangs to cybercrime-as-a-service gig workers. They identify that 90% of posts on popular dark web forums are from buyers looking to contract someone for hacking services.
Want to go back further? How about 2018? When I was at AWS, I presented on how agencies could become superheroes by using serverless technologies to increase resource effectiveness through automation. The session was called, “Serverless Cyber Ops for Government.”
In 2018 the global cybercrime market hit an estimated $600 billion and got its own “as a service” category. This was true in 2018. It is necessary to understand for 2021, and beyond.
Cybercrime is a business.
It doesn’t matter whether it’s attributed to nation-states or e-crime groups. Both have business decisions to make based on costs, resources, and risk. Their decision criteria may be different, but the process is like yours: is the reward worth the cost and the risk? This and similar questions have been asked for thousands of years. They are predictable, and their logical conclusions can be understood.
For example, when you want to create and deliver value, you need to invest in ideas and in physical or virtual infrastructure to deliver and monetize that value. For adversaries to initiate attacks like Colonial Pipeline or SolarWinds, it requires strategy, planning, and eventual execution. When adversaries prepare for the execution, they build. That means there are changes that can be observed.
Consider this: for an adversary to create and deliver malicious value for their investors, they use the openness of the Internet in America (as opposed to the closed national networks some countries are aspiring to build, which generate a different form of cyber asymmetry). That openness also allows innovative companies to create detection capabilities that use information from the companies, systems, and technologies that enable the open Internet. This data can be used to predict whether new Internet infrastructure (IPs and domains) is intended for malicious use.
Want to hear more about how they detected the Colonial Pipeline attack infrastructure 360 days before the attack was detected? Want to hear how they similarly detected the SolarWinds infrastructure well before the campaign started? Want to know how you can integrate this early detection capability with your protective controls to automate blocking of infrastructure that has a high probability of being malicious?
Let me know and I can tell you some stories…
About RockITek, LLC | RockITek is a value-added distributor providing white glove services to both up-and-coming and commercially established manufacturers with emerging technologies. Our Preemptive Cybersecurity and Image Intelligence portfolios consist entirely of transformational solutions that rapidly meet mission goals and address high priority issues. We specialize in building and managing purpose-built consortiums that accelerate adoption of next gen solutions with a focus on government space. We are a small business (NAICS 541519) with a GSA Federal Supply Schedule 47QTCA19D0085.