Using passive technology is not enough to defeat cyberattackers, according to the experts at root9B (R9B)—active adversary pursuit is required.
Military speak is no longer reserved for members of the world's armed forces—terms like attack surface and kill chain are now being promoted by commercial cybersecurity experts with good reason. Simply put, very little—with the possible exception of scale—differentiates a cyber conflict between nation states and one between businesses and cybercriminals.
Eric Hipkins, a security and intelligence professional with over 25 years of experience in the military and the National Security Agency, is one such expert. When asked why adversaries seem to be having their way, with over 1,700 major data breaches reported in 2017, Hipkins suggests current technology-based cyber defenses are unable to stave off attacks because:
- Cyberattack tools and techniques have evolved well beyond the capacity of existing cybersecurity platforms;
- Attackers can study and develop tools and methodology that evade passive defenses;
- Adversaries understand it is unlikely they will face an active human defender; and
- Once the network perimeter has been penetrated, the attackers will likely have uncontested movement within the victim's network.
"Unfortunately, static defenses will always lag behind an active attacker in processing situational information," explains Hipkins. "The only effective counter to a skilled, thinking, active attacker is an active, well-informed, thinking defender. That is, a defender who can compete with and surpass the attacker."
Interestingly, Hipkins' "active adversary pursuit" philosophy is gaining traction in the cybersecurity community. According to CSO Online, ORION 2.0—a cybersecurity platform created by developers at root9B (R9B), the company founded by Hipkins in 2011—was one of the hottest products at this year's RSA convention.
R9B's HUNT services
The ORION platform is a component of R9B's HUNT services (Figure A) and premised on the active human-led pursuit of adversaries.
"The model is focused on identifying adversaries and their tactics, understanding the client's business context to preemptively defend against cyber-attacks, and implementing pragmatic, cost-effective mitigation strategies," write Hipkins and co-authors John Harbaugh (R9B's COO), Michael Morris (R9B's CTO and chief architect of HUNT), and David Aucsmith (R9B's chief scientist) in the white paper HUNT: Securing the Commercial Sector since 2013.
Staying true to Hipkins' contention that the best defense is a well-informed, thinking, active cyber defender is one reason why R9B is located in Colorado Springs, CO, home to four military bases and the Air Force Academy. Thinking like an adversary rather than focusing solely on technology requires individuals with specific training, according to CTO Michael Morris, who adds, "Military personnel make the best cyber defenders simply because they have been steeped in fighting adversaries."
Besides training, cyber defenders need tools to pursue adversaries in real-time and mount an active defense. Developers at R9B, via HUNT services, provide defenders with advanced detection and proactive response tools that allow them to maneuver through the client's network and systems to identify indicators of a network attack and preemptively counter these threats.
"This new defender also needs accurate and relevant intelligence to hunt for the adversary who is actively targeting the network," says COO Harbaugh. "Since tactics, techniques, and procedures of the adversary—their tradecraft—are constantly evolving, it requires dedicated resources with sophisticated means to remain cognizant of the adversary."
When it comes to the company's offerings, R9B has two paths: Adversary Pursuit Center and adversary-pursuit training.
Adversary Pursuit Center: A manned information-security operations center providing clients 24/7/365 subscription-based remote defense and threat intelligence services, including:
- Adversary pursuit
- Perimeter- and host-based defense
- Network anomaly analysis
- Incident response
- Malware analysis and credential security
Adversary-pursuit training: If a client prefers to keep cybersecurity in-house, R9B—a credentialing authority for Department of Defense (DoD) cyber operators—offers cybersecurity training courses for its customers. The R9B training, tailored specifically for each client, provides curriculum in:
- Defensive cyber operations
- Adversary tactics and techniques
- System forensics
- Advanced programming methodology
- Mobile forensics and JTAG
- Wireless exploits and defenses
To give an idea of what is covered by the training, R9B's "Adversary tactics and techniques" course consists of a five-week class covering the methodology and technical details of how attackers reconnoiter, gain access to, pivot within, and remain hidden inside a target network. The course also provides instruction on locating artifacts left behind by attackers.
The people at R9B are dedicated to enhancing traditional cybersecurity approaches with advanced tactics, techniques, and procedures developed in the defense and intelligence communities. Even the company name—root9B—speaks to the resolve of Hipkins, Harbaugh, Morris, and the rest of the R9B team:
"Root refers to 'rooting' a system. When hackers root a system, they take complete control. '9B' is a hexadecimal number that, when converted to decimal form is 911, a reference to that infamous date in American history. Put together, root9B underscores the potential dangers and critical importance of cybersecurity in today's increasingly interconnected world."