Hands-on fieldwork in cyber

Adrian-Liviu Arsene, Director of Threat Research and Reporting at the cloud security and threat intelligence product company CrowdStrike, writes of the continued importance of hands-on fieldwork in cybersecurity.

Effective, modern cybersecurity practice is a partnership between man and machine. Advanced technology is an entirely essential ingredient in the cybersecurity mix because computers are very good in areas where humans are less capable. Their ability to collect, analyse and catalogue many billions of endpoint and network events across the globe, for example, would be entirely beyond any human team of defenders, no matter how large.

Humans, on the other hand, are not adept at juggling billions of data points to draw conclusions. More than three is a challenge for many of us. Where we continue to excel, however, is in creativity, making tangential connections and deductions, seeing beyond the visible data, and constantly improving the efficacy and performance of machine learning capabilities. Under certain circumstances, human intelligence can do much better than the most advanced AI, even one backed by unlimited compute and storage. Proper protection must therefore draw on both technology and human intelligence to be effective.

This is becoming more true than ever today, as both the scale and the sophistication of cyber attacks reach new heights. The profile of these attacks has changed in recent years, as the arms race between cybercriminals and cybersecurity providers continues to accelerate.

Historically, a key concern has been computer viruses or malware, delivered through infected files, email attachments and purpose-built web pages. That remains true today, and such malware is still virulent and potentially devastating, but technology has become very capable at detecting and neutralizing it. Cyber criminals have adapted their tactics accordingly, seeking to achieve intrusions in ways that evade the attention of traditional cybersecurity products.

Although time-consuming, hands-on, targeted "big-game hunting" attacks against businesses are very lucrative. Ransomware demands in 2021 averaged an eye-watering $1.1m (USD). Colonial Pipeline paid $4.4m (USD) to recover control of its systems in May 2021. So the extra time and effort put into these manual, hands-on-keyboard attacks is not much of a deterrent when it makes those attacks far more likely to succeed.

As the latest CrowdStrike Overwatch report details, cyber attacks in 2021 are very likely to be interactive, which is to say, there are real people – hackers – sitting at keyboards to work their way into systems, obtain control and gain access to sensitive data. This type of attack has increased in volume by 60pc over the last year. (Note: all of the statistics in this article are from the Overwatch report, unless stated otherwise).

Indeed, cyber criminals have largely moved beyond malware. More than two-thirds (68pc) of detected intrusion attempts recorded in the summer of 2021 were malware-free. These attacks are typically conducted using legitimate credentials, obtained through phishing campaigns, as the fruits of other breaches, or from access brokers. Escalation and privileged access are then achieved using standard operating system components, such as PowerShell, and very commonly installed network management tools. In addition, attackers are keen to exploit any unpatched operating system, application or supply chain vulnerability to extend their control without raising alarms.

What is fieldwork?

It’s this evolution of tradecraft by adversaries that brings the value of human fieldwork, working in combination with technology, to the forefront of cybersecurity. Just as adversaries have adopted hands-on-keyboard approaches, so must defenders.

For example, adversaries that take advantage of system resources and tools, such as the ordinarily benign activity of taking screenshots, can fly below the radar of technology-based controls. Abusing legitimate, built-in screen-capture tools becomes a powerful weapon in the hands of threat actors, who can collect sensitive information such as passwords, banking details, the contents of emails and instant-messaging conversations directly from the victim's desktop. Likewise, the use of legitimate file compression and archiving utilities, or even images written to disk, looks benign unless human-led threat hunting teams dig into those actions and the surrounding behaviour to assess, and disrupt, potential abuse before it impacts the organization. This fieldwork typically happens in three ways.

First, machine intelligence is very capable of detecting outliers in network and endpoint activity, that is, activities that are very uncommon or anomalous, at enormous speed and scale. But the machines may not always be able to interpret whether a rare and seemingly benign activity, such as taking a screenshot, is legitimate or not. Global analyst teams are therefore informed of these outliers in real time and work around the clock, conducting live investigations to discover whether the activity is merely uncommon or actually malicious.
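The hunting described above, as an added illustration that is not code from the article or from CrowdStrike: a small rarity-scoring pass over endpoint process-start telemetry that surfaces living-off-the-land activity (PowerShell, screenshot and archiving tools) for a human to triage, rather than blocking it outright. The telemetry schema, the host names, the command lines, the tool list and the rarity threshold are all assumptions constructed for this example; the point it shows is that the same screenshot tool is left alone when launched by Explorer on several hosts, and flagged when spawned by PowerShell on a single host.

```python
"""Rarity-based triage of endpoint process events for living-off-the-land
activity.  Added example, not the article's or CrowdStrike's code; the
schema, sample data, tool list and threshold below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str      # endpoint the process started on
    parent: str    # parent process image name
    child: str     # started process image name
    cmdline: str   # command line of the started process


# Built-in or commonly installed tools the article describes adversaries
# abusing: PowerShell, screen capture, compression/archiving (assumed list).
LOTL_TOOLS = {"powershell.exe", "snippingtool.exe", "7z.exe", "rar.exe", "tar.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "tar.exe"}

# Constructed sample telemetry (assumed schema): five hosts, normal office
# activity on all of them, plus one hands-on-keyboard sequence on ws05.
SAMPLE_EVENTS = [Event(*row) for row in [
    ("ws01", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws01", "explorer.exe", "snippingtool.exe", "snippingtool.exe"),  # user screenshot
    ("ws02", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "snippingtool.exe", "snippingtool.exe"),  # user screenshot
    ("ws03", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "winword.exe", "winword.exe"),
    ("ws04", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws04", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws05", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws05", "winword.exe", "powershell.exe", "powershell.exe -enc SQBFAFgA"),
    ("ws05", "powershell.exe", "snippingtool.exe", "snippingtool.exe"),
    ("ws05", "powershell.exe", "7z.exe", "7z.exe a -phunter2 C:\\Users\\Public\\o.7z *.png"),
]]


@dataclass
class Finding:
    event: Event
    reasons: list


def pair_rarity(events):
    """Fraction of hosts on which each (parent, child) pair was observed.
    A low fraction means the lineage is unusual across this fleet."""
    hosts = {e.host for e in events}
    seen = defaultdict(set)
    for e in events:
        seen[(e.parent, e.child)].add(e.host)
    return {pair: len(h) / len(hosts) for pair, h in seen.items()}


def cmdline_indicators(e):
    """Command-line traits worth a second look (assumed indicator set)."""
    toks = e.cmdline.lower().split()
    out = []
    if e.child == "powershell.exe" and any(t in ("-enc", "-encodedcommand", "-e") for t in toks):
        out.append("encoded PowerShell command line")
    if e.child in ARCHIVERS and any(t.startswith("-p") for t in toks):
        out.append("password-protected archive created")
    return out


def hunt(events, rare_fraction=0.25):
    """Return events a human should review: a LOTL tool in a lineage seen on
    fewer than rare_fraction of hosts, or a suspicious command line."""
    rarity = pair_rarity(events)
    findings = []
    for e in events:
        reasons = []
        frac = rarity[(e.parent, e.child)]
        if frac < rare_fraction and (e.child in LOTL_TOOLS or e.parent in LOTL_TOOLS):
            reasons.append(f"rare lineage {e.parent} -> {e.child} ({frac:.0%} of hosts)")
        reasons += cmdline_indicators(e)
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.event.host, f.event.parent, "->", f.event.child, "|", "; ".join(f.reasons))
```

Run on the sample, the Explorer-launched screenshots on ws01 and ws02 produce no finding, while the three ws05 events (Word spawning encoded PowerShell, PowerShell spawning the screenshot tool, PowerShell creating a password-protected archive of PNG files) are queued for an analyst. The rarity threshold deliberately does not decide guilt; it only decides what a human looks at.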

The second avenue of fieldwork comes from human intuition and from sifting through intelligence reports. Analysts form hypotheses about potentially successful attack vectors, draw on intelligence about how cybercriminal groups operate, including from the Dark Web, and test their theories continually, often working with customers in penetration tests and red team versus blue team exercises.

The third approach comes from forensic investigations. Analysts unpick these new attacks step by step, working to understand and replicate the exact sequence of actions the adversary took. New kill-switch conditions, detections that stop that sequence when it is seen again, can then be created to prevent the attack recurring.

Man and machine

For each of these fieldwork approaches, the crucial final step is to close the loop with the technology side of cybersecurity. The artificial intelligences behind modern cybersecurity products, which analyze data at scale, are prized for their ability to generalize from the examples they are taught. Once trained that a particular approach or sequence of actions is an indicator of attack or compromise, they can almost instantaneously protect every system under their watch against unknown yet similar attacks.

Thus the value of fieldwork is not necessarily in the individual investigation: these are resource-heavy, and not every cybersecurity provider is willing to invest significantly in the area. The value comes when the results of those investigations, performed by man and machine together, prevent new attacks on every other system under the provider's protection.

This partnership between man and machine thus creates a virtuous circle, with the artificial intelligences continually improved through every human investigation.
