Hyas Blog | The Secret Ingredient to Preempt Cyberattacks: Digital Exhaust
- Understanding whether a given communication steam is normal, expected, or anomalous and adversarial is an essential part of cybersecurity efforts. Many solutions rely on lists and feeds of domains to block, but this strategy isn’t efficient enough to protect digital spaces in 2024.
- Why? Bad actors constantly update their command and control infrastructure, making it almost impossible to maintain up-to-date information. Organizations are only blocking what has happened in the past, not what is going to attack them in future.
- Deny lists are essentially a hope-based, reactive strategy. True business resiliency requires a proactive strategy — one that ensures that regardless of how the attack occurs, it can be identified, stopped, and dealt with before damage ensues.
Adversary Infrastructure: The Backbone of a Cyberattack
What is adversary infrastructure? Cybersecurity experts often call it command and control or C2 for short. Communication streams with adversary infrastructure are the telltale signs of an active breach, the digital exhaust that emanates from an attack.
Fundamentally, adversary infrastructure is the sub-rosa backbone bad actors set up when in advance prior to compromising a system — it’s used for instructions, to facilitate malware updates, for data exfiltration, and in general across all phases of the attack.
There are many kinds of cyber attacks: supply chain attacks, zero-day, BEC, insider-risk, and even abusing Google ads to phish and spread malware. Regardless of how or where the bad guys break in, however, they need to communicate with their adversary infrastructure to command, control and direct their attacks.
And the unfortunate reality of today is that everyone will be breached at some point — truly, no one is immune. It doesn’t matter if you are a large company or a small company, if you think you have sensitive data or not. And despite massive spending, most cybersecurity solutions on the market don’t really solve the problem. Ransomware attacks alone increased by 430% last year.
We need a different approach. Often solving a problem requires looking at it from a completely different angle. Rather than hoping you can prevent each and every new attack, why not understand how attacks work and make the organization able to detect the telltale signs and thus be resilient against them?
Regardless of the attack vector or technique, bad actors always leave “exhaustive” telltale trails in their wake - aka“digital exhaust.” By studying their moves, and realizing that their command-and-control must be created prior to their attack, a fundamental understanding of adversary infrastructure can not only make an organization resilient against digital risk but stop bad actors in their tracks.
Read on to learn how and why a proactive approach is the only way to protect and prevent cyberattacks.
If Security Is Compromised, Look for the Digital Exhaust
The first step of an attack is the breach – breaking into the organization. The bad actor might crack a password or steal someone’s credentials. Maybe they phished an employee. Regardless of how they broke in, they always send a signal out to confirm they’re in, get instructions, and continue the attack: Hey, I’m alive. I’m here. What do you want me to do?
Some of the most notorious, headline-grabbing cyberattacks in recent years use this tactic with a twist: The SolarWinds attackers, for example, penetrated thousands of organizations and installed Sunburst malware in their systems. But they didn’t immediately ask for instructions. The malware laid low for 15 days before it woke up and alerted the criminals that it was ready to wreak havoc. And it did, with privilege escalation, lateral motion and data exfiltration — all of which utilized instructions between the hackers outside the enterprise and the malware lurking within.
Those instructions are sent to adversary infrastructure, also known as attacker infrastructure.
Regardless of the attack vector or technique, bad actors always leave “exhaustive” telltale trails in their wake - aka“digital exhaust.” By studying their moves, and realizing that their command-and-control must be created prior to their attack, a fundamental understanding of adversary infrastructure can not only make an organization resilient against digital risk but stop bad actors in their tracks.
When the United States Office of Personnel Management was attacked, it took six months for its security team to discover the breach. In other cases hackers were inside the network for years, stealing data and silently watching. In all these cases, the malware is tuned to covertly phone-home – to the attacker’s adversary infrastructure.
Everyone has lists of external domains that shouldn’t be communicated with, are risky, or fraudulent in some way. There are quite a lot of lists — even the FBI publishes a regular feed of “bad” domains.
Relying solely on domain lists, though, is essentially a hope-based strategy. It’s hoping that the list covers all potential threats and that none slip through the cracks. It’s hoping that your organization updates your defenses with the latest list before the bad actors attempt a breach. However, bad actors continually update their command and control, so it’s almost impossible to maintain an up-to-date list. And given that many of these lists are generated by detonating malware, they are by definition always behind the curve, one step behind the criminals. While it sounds mean, essentially you are hoping that someone else gets attacked before you do, so that your list can be updated in time.
In the world of cybersecurity, hope is not a strategy. Domain lists represent a fundamentally reactive approach to cybersecurity — one that waits for threats to emerge before handling them. Being reactive is not enough. We must be proactive in our approaches to drive any sense of resiliency and confidence.
Think Like a Hacker To Find Breaches (and Learn From Them)
When we have visibility into the communication going out of an enterprise — and we understand what is and isn’t adversary infrastructure — we can spot the digital exhaust of a breach.
Once we stop that nefarious communication, we render the attack inert. What’s more, we can turn all that digital exhaust metadata into actionable intelligence. By building an Adversary Infrastructure Platform composed of all of this metadata, and putting the raw data into a graph database form, we can understand the fundamentals around verdicts, related infrastructure, and attribution or VRA.
We can understand what new infrastructure is going to be used for nefarious purposes. This lets us break out of the relentless cat-and-mouse game so many of us play and start to actually get proactive against that attack that is being formed, but hasn’t been launched yet.
Monitor DNS and Detect Anomalous Behavior
Think of it this way: If I told you that every Friday afternoon at 4:00 p.m., Jane makes a phone call to a known drug dealer — and those calls happen reliably — you will probably assume that Jane is buying drugs. You don’t need to know the content of their phone conversation.
We can do the exact same thing at a DNS level. More than 90% of malware and attacks use DNS to facilitate their communication with adversary infrastructure (instead of a static IP address). The answer lies in DNS. We don’t need to know exactly what the bad actors talk about at this stage. They can try to obfuscate their methods, but they can’t hide the fact that they’re using infrastructure on the open internet. That infrastructure has to be DNS-routable and therefore publicly visible.
That’s the fatal flaw in their plans. And that’s how we can keep our systems resilient against their onslaught of attacks.
Continuous Improvement and Optimization of Security Processes
The combination of an Adversary Infrastructure Platform and the knowledge of where communications are going on the internet enables us to get proactive, stay ahead of the curve, and automatically update the defenses before their next attack.
Perhaps best of all, a proactive approach fosters a culture of continuous improvement within cybersecurity teams, encouraging ongoing research and skill development. And if we want to be able to get any sleep at night, we want the ability to run our networks and organizations with confidence that we can protect all aspects of the business and address digital risk, then we need to take a proactive approach and ensure that the defenses remain on the cutting-edge. The bad actors hope that we continue to utilize yesterday’s hope-based strategies; resiliency approaches fundamentally change the game and level the playing field.
Make the smart move to HYAS solutionstoday and protect your organization with top-notch threat intelligence and proactive defense. Contact us to learn more about how HYAS can empower and elevate your cybersecurity strategy.