Know thy enemy: thinking like a hacker can boost cybersecurity strategy

As group leader for Cyber Adversary Engagement at MITRE Corp., Maretta Morovitz sees value in getting to know the enemy – she can use knowledge about cyber adversaries to distract, trick, and deflect them and develop strategies to help keep threat actors from getting whatever they’re after.

That could mean placing decoys and lures that exploit their expectations for what an attacker will find when they first hack into an environment, she says. Or it could mean deliberately disorienting them by creating scenarios that don’t match up to those expectations. “It’s about how to drive defenses by knowing how the adversaries actually behave,” says Morovitz, who is also group leader for MITRE Engage, a cyber adversary engagement framework.

The concept of understanding one’s adversary is not new. Sixth-century BCE warrior Sun Tzu promoted the idea “Know thy enemy” in his still-famous work The Art of War. Nor is its application in cybersecurity new. Ethical hacking, which dates back decades, is partially based on acting as the threat actors would to find weak spots within enterprise IT environments.

Similarly, enterprise security leaders have long worked to identify their likely adversaries and what they might be after. However, their ability to delve into the hacker mindset has been limited by both available resources and knowledge as well as conventional strategies which stressed first perimeter defenses and then graduated defenses that provide the highest protection to the most valuable assets.

Hacker thinking helps shape security strategy

Now security experts – MITRE and others – advocate for CISOs and their security teams to use threat intel, security frameworks, and red team skills to think like a hacker and – more importantly – use that insight to shape security strategies. This, they say, means considering motives and mentalities which in turn influence their levels of persistence, the pathways they may take, and what exactly they want – all of which could be different or broader than assumed. That insight should then shape the direction of a defense-in-depth security; it should be used to create a truly threat-driven security strategy.

“If you’re not thinking like a hacker, you’re not able to take the actions that are right for your environment. But the more you know about the threats, the more effective you can be in applying that technology,” says Jim Tiller, global CISO for Nash Squared and Harvey Nash USA.

The 2022 Ethical Hacking Survey, an inaugural survey on the topic from security training association SANS, speaks to those points, with report writers saying that they “aimed to understand the intricacies of how attackers think, the tools they use, their speed, their specialization, their favorite targets, etc.”

The report further notes that “these insights are critical to investment decisions across an increasingly complex attack surface that is becoming more difficult to protect. Oftentimes, we see organizations that invest in security technologies that mitigate a wide range of threats leave commonly attacked ports and protocols wide open. Adversaries will choose the path of least resistance or the one they are most familiar with – and far too often, these are the same. Overlooked or assumed safety presents too much of a risk.”

Benefiting from a hacker’s perspective

Like Morovitz, the SANS report calls out the value of having a “bird’s-eye view of an adversary – whether sanctioned or not,” noting that it “can be a guiding light for security analysts and decision makers alike.” Research, however, has found that many security teams don’t have that insight, nor do they seek it out.

“There is a misconception security teams have about how hackers target our networks,” says Alex Spivakovsky, who as vice-president of research at security software maker Pentera has studied this topic. “Today, many security teams hyperfocus on vulnerability management and rush to patch [common vulnerabilities and exposures] as quickly as possible because, ultimately, they believe that the hackers are specifically looking to exploit CVEs. In reality, it doesn’t actually reduce their risk significantly, because it doesn’t align with how hackers actually behave.”

Spivakovsky, an experienced penetration tester who served with the Israel Defense Forces units responsible for protecting critical state infrastructure, says hackers operate like a business, seeking to minimize resources and maximize returns. In other words, they generally want to put in as little effort as possible to achieve maximum benefit.

He says hackers typically follow a certain path of action: once they breach an IT environment and have an active connection, they collect such data as usernames, IP addresses, and email addresses. They use those to assess the maturity of the organization’s cybersecurity posture. Then they start doing deeper dives, looking for open ports, areas with poor protection such as end-of-life systems and resources that aren’t properly managed. “And now that hackers understand the operating systems running, they will start to understand if there’s something exploitable to launch a hacking campaign,” Spivakovsky says.

Hackers are adaptable in the search for poor security hygiene

“Hackers don’t generally approach organizations only looking to exploit CVEs, or any one tactic, for that matter. Instead, they are very adaptable to the different opportunities that present themselves while they are interacting with the organization,” he says. “As a process, hackers engage in a broad discovery and enumeration process, examining the organization for indicators of poor security hygiene. These could be factors like the lack of a web application firewall, the presence of too many anonymously accessible services, or any number of other indicators.”

“If there aren’t any attractive elements, the likelihood of breaking in decreases substantially. However, if something sparks their interest, they look to escalate the attack from there.”

That’s why, Spivakovsky says, organizations should evaluate their enterprise security not from their own perspectives but from that of a hacker.

“What attracts hackers today is how it looks externally,” he adds. “So CISOs [must ask]: am I making myself an easy target and how so?”

Understanding the hacker mindset and motivation

Others say it’s also important to understand why hackers want to target organizations – and why they might want to come after yours. “Are you just a target for ransomware? Or do you have the secret formula for Coke? And if I’m a criminal, how can I best take advantage of this to make the money I can or cause the most damage I can?” says Tiller, the CISO with Nash Squared.

This gets into motivations and mindsets, which security chiefs can also use to refine their security strategies.

The goal is to focus on identifying adversaries or adversarial groups and determining their intent, says Adam Goldstein, an associate professor at Champlain College and academic director at the Leahy Center for Digital Forensics & Cybersecurity. “Is it disruption? Is it financial gain, is it intellectual property theft? Achieving [access to] resources for other goals? And are they mission-focused so they’ll keep trying and trying and trying no matter how strong the defenses are? Or are they looking for opportunities? Having this big picture of understanding all the different adversaries and what their intents are can help you identify the different types of risk.”

Such inquiry matters, Goldstein says, as it often challenges faulty assumptions and sometimes reveals to enterprise leaders that they’re bigger targets than they realized. Such analysis could have helped universities breached nearly a decade ago by foreign adversaries who targeted faculty for their connections to US political figures and institutions.

“They used techniques to target and acquire communications – emails and documents – that were not of monetary value, were not research documents. It was really focused on gaining access to correspondence that could potentially be of value in an international political landscape with some espionage element as well. That really caught the higher ed community off guard.” It also eventually shifted security strategy within the higher education community, Goldstein adds.

Not taking the hacker viewpoint can leave security gaps

Despite such anecdotes, though, security experts say many enterprise security departments aren’t incorporating a hacker viewpoint into their strategies and defenses. “We’re still seeing attacks and breaches in areas [organizations] didn’t consider,” says Chris Thompson, global adversary services lead at IBM X-Force Red.

Thompson says he sees organizations that engage in penetration testing to comply with regulations but don’t assess the range of reasons for which they could be targeted in the first place. Take a telecommunications company, for example, he says. It may be targeted by hackers looking for a financial payoff through a ransomware attack, which typically means they’re looking for easy targets. But if that telco is also supporting police communications, it could also be targeted by more persistent threat actors who are seeking to cause disruption.

“That’s why we tell clients to really challenge assumptions. What assumptions have you made about what paths an attacker would take? Validate them by getting a red team in to challenge those assumptions,” he says, adding that CISOs and their teams must weigh the fact that hackers have “the same access to all the security blogs and training and tools out there” that they do.

Operationalizing and leveraging hackerthink

Not surprisingly, security teams face challenges in cultivating the capacity to think like a hacker and to use the insights garnered by the exercise. Security leaders must commit resources to the task, and those resources are typically people rather than tools and technologies that can be deployed and let to run, all of which is a tall order for resource-strapped security teams and security organizations struggling to find talent, Morovitz says.

Moreover, CISOs may find it challenging to get funding for such activities as it’s difficult to demonstrate the returns on them. “It’s hard for organizations to wrap their minds around something that doesn’t have a lot of alerts. And even though the alerts they do get will be high-fidelity alerts, it’s still hard to prove value,” Morovitz explains, adding that some of the tools that support these activities are relatively expensive.

Security teams may also find it challenging to shift their own skill sets from defense – for example, identifying and closing vulnerabilities – to offense. As Tiller says, “It’s a very difficult thing to do because it’s a criminal mindset. And people who are in defensive industry, the white hats, they may not always be thinking of the willingness [that hackers have] to be low and slow.”

Still, it’s worth training blue teams in some red team skills, experts say.

Organizations also now have access to a growing list of resources to help them make this shift. Those resources include NIST frameworks, MITRE Engage and MITRE ATT&CK. Additionally, there’s threat intelligence from vendors; Information Sharing and Analysis Center (ISACs); and academic, government and similar entities.

Furthermore, there’s an emerging class of technologies supporting red team-type work, Morovitz says.

Morovitz notes that organizations doing such work are tight-lipped about their activities, as they don’t want to give away any advantages their work may be generating, but she points to conference agenda items on the hacker mindset as evidence that more security teams are trying to think like hackers as a way to inform their strategies.

And there are indeed advantages, she and other experts say, in making this shift to a hacker mindset.

“Understanding the hackers’ approach,” Spivakovsky says, “would help reorient our security priorities to be more effective.”