Know Your Enemy, Know Yourself: Examining the Mind of a Cyber Attacker
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
Sun Tzu’s simple concept can be applied to virtually any type of confrontation: know yourself and know your enemy. The degree of knowledge on both fronts predicts the outcome regardless of the type of confrontation. Forensic psychology investigates the motives and minds of criminals and can predict what would otherwise be unknown about criminal behavior. Interestingly, cybersecurity can follow a similar path to defend forward in any organization but often doesn’t.
Know yourself. The best cybersecurity teams go through painstaking measures to know themselves. They implement attack surface discovery, asset inventory, data classification, vulnerability scanning – the list goes on and on – and many security teams have a good sense of themselves. Defensive decisions are made based on risk in relation to business impact and investments are made accordingly.
Know your enemy. While knowing yourself is challenging, knowing your enemy is nearly impossible in cybersecurity. In a perfect world, you would be able to interrogate cybercriminals who are caught to better understand how they choose targets and select techniques. We invest in the science of forensic psychology for a reason – communicating with criminals teaches us what led to the reasons behind committing crimes.
In the absence of these insights, cybersecurity teams have traditionally turned to the past to predict the future. Studies such as the Verizon DBIR Report and Ponemon’s Cost of a Data Breach aggregate thousands of data points relevant to past and often dangerous encounters with adversaries. These reports emphasize the urgency around important metrics like an end-to-end attacks taking less than a day. Even more alarming, the top “delivery method” for more than half of breaches is “actor disclosure” essentially meaning ransomware notes, or posts offering evidence and/or data for sale in criminal forums are the mechanisms for alerting security teams to a breach. The bottom line is that security teams are still struggling mightily with detection and response.
It’s no secret that attackers are evolving faster than defenses can keep up. By the time detection measures are in place, attackers have a new way to circumvent them. It’s a game of cat and mouse that attackers are poised to win. But what if we could shift the knowledge in our favor? What if we could know our enemy better than ever before?
While it’s not realistic to interview our attackers (or at least nearly impossible) … What if we can get insights from the next best thing?
It dawned on us that there are thousands of ethical hackers out there in our community that emulate our enemy. They are armed with the same tools, tactics, techniques, and procedures; however, they simply operate within ethical boundaries. So, we set out on a mission to understand the way an attacker thinks – a concept built around the idea of “exploring the mind of a modern-day adversary.”
Partnering with the SANS Institute, we outlined our objectives and carefully constructed our survey to ensure our results not only represent the attacker community, but illuminate targets, tendencies, and preferences based on the respondent’s specialty, experience, and other factors. In contrast to other surveys that take a defender’s point of view and provide more theoretical models of potential threat, attacks, and compromise, our report aimed to explore how adversaries view specific environments and show where they find the most success.
We surveyed more than 300 ethical hackers around the world – and believe me when I say that the results are not only fascinating but terrifying. Here are some teasers.
Nearly 64% of surveyed ethical hackers reported being able to collect and potentially exfiltrate data in five hours or less, with an astounding 41% in two hours or less.
Close to 75% of survey respondents indicated that only a few or some organizations have adequate detection and response capabilities to effectively stop an attack.
These results are just the tip of the iceberg. Favorite types of targets, the speed at which attackers are learning, differences in techniques by specialty and experience, most impactful defenses – all of these data points together gave us a treasure trove of information we want to share with defenders. And that’s why we’re happy to release this first inaugural report in partnership with SANS.
Readers will find details on the ethical hackers we surveyed including experience, industry specialty, role, and more. This demographic information is key to cross-tabbing responses that ultimately help you more accurately predict what the attackers you face will do vs. what they have done.
It’s our hope that this study and subsequent studies will fulfill Sun Tzu’s equation “If you know the enemy and know yourself, you need not fear the result of a hundred battles”.
Read the report and check out our related resources to learn more about the groundbreaking survey data that explores the minds and methodologies of modern cyber adversaries.
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.