Knowing the Enemy: Why You Need to Map Adversary Infrastructure

Cyberattacks are happening almost daily across the globe. Analysts report the cost of cybercrime to reach $16 trillion by 2029—from stolen funds to lost productivity. Cybercrime doesn‘t just affect a business’s reputation, but also poses a risk to critical civil infrastructure and employee data.

More than ever, organizations need to take a proactive approach to cybersecurity risk management. Data-driven cyber resilience protocols and policies support companies to pinpoint their most critical threats and implement appropriate security measures to protect digital assets from cyberattacks.

Data breaches, malware spread, and ransomware attacks have become everyday occurrences across sectors and geographies, increasing the need for risk mitigation that goes beyond the Internet of Things (IoT).

Let‘s uncover how understanding and mapping adversary infrastructure provides a strategic advantage and why it‘s important to implement a robust cybersecurity risk management plan.

Why map adversary infrastructure?

Cyber attacks can cause devastation to a company‘s privacy and intellectual property.

Threat actors can use ransomware, for example, to exfiltrate and decrypt sensitive data, including employee data and other business secrets, to sell on the dark web. Even after the ransom is paid, the cybercriminals may still keep the data for future resale.

During supply chain attacks, the trusted third-party vendor is exploited to target the vendors‘ end users. The attack on SolarWinds in 2019 sent malicious code to end users, resulting in 18,000 SolarWinds customers having their data harvested by threat actors.

Adversary mapping enables cybersecurity professionals to understand how attackers gain initial access, execute, and persist within IT systems.

Phishing attacks, for example, are widely used by cybercriminals and rely on unaware users interacting with malicious attachments. If professionals can map the attackers‘ movements from phishing emails to lateral movement, teams are better prepared for the evolving techniques used by threat actors.

Predicting the next attack

External Threat Intelligence (ETI) reveals vulnerabilities within IT systems, leading to enhanced mitigation of risks. Monitoring your endpoints is particularly useful to define the relationship between threat actor entry points and lateral movement.

ETI takes threat intelligence one step further—instead of reacting to an attack, it supports information security professionals to predict the next attack. By analysing threat groups and trends within cybersecurity, professionals gain a profound understanding of the tactics, techniques, and motives for an attack.

With a plan in place, professionals can support organizations to make better-informed decisions about their cybersecurity policies and predict exposure to current and future potential threats.

With adversary mapping and endpoint security, CISOs and their teams can:

• Disrupt the kill chain early: By identifying Command-and-Control (C2) servers, staged domains, and malware distribution points, security professionals can preemptively block access to adversarial domains before they cause damage.
• Accelerate incident response: Mapping your security infrastructure and adversarial pathways allows security professionals to respond quickly by correlating indicators across systems, better isolate affected assets, and contain threats with precision, limiting lateral movement.
• Strengthen threat attribution: Attributing shared IP ranges, reused domains, or compromised hosting providers helps prioritize defenses against threat groups specific to your vertical or industry.
• Inform strategic risk decisions: Understanding adversary infrastructure can help inform risk management strategies and remediation efforts. Knowing whether an attacker has targeted cloud assets or third-party services allows for informed security measures.
• Enhance collaboration and intelligence sharing: Mapped infrastructure can be shared throughout an organization, with peers in the industry, or with law enforcement to enable collective defense and support wider takedown campaigns.

To predict the next cyber attack, organizations need to consider the routes that cybercriminals take, the barriers that could delay them, and how quickly a potential threat can be detected and neutralized.

The evolving tactics of cybercriminals

Threat actors use a variety of techniques to execute cyber attacks. Knowing how each vector can cause a potential impact is crucial for proactive threat management.

Threat actors disguise their infrastructure with:

• Bulletproof hosting and fast-flux DNS rotate IP addresses and domains so threat actors can target multiple victims without being caught.
• Encryption and DNS tunneling allow cybercriminals to exfiltrate data or maintain command-and-control (C2) communications.
• Proxy chains and VPNs are used to mask the country of origin and obfuscate law enforcement.
• Frequent re-registration of domains and dynamic DNS services are used to evade blacklisting, avoid attribution, and stay one step ahead of takedowns.
  

Potential cybersecurity threats are often scattered across logs, threat feeds, and sandbox reports, making it increasingly time-consuming for teams to identify risks and act in real-time.

What’s more, threat actors often use shared malware loaders or C2 frameworks, making attribution increasingly difficult.

As malware campaigns evolve rapidly, staying on top of potential risks and maintaining a proper security posture is crucial.

Pivoting for complete adversary mapping

Pivoting is a tactic used by cybercriminals to move from one compromised system to another, gaining access to a larger network. Using pivoting to inform risk management plans is essential for managing your threat landscape.

Security teams can use pivoting against a hacker. By knowing the potential pivot points within an IT landscape, cybersecurity professionals can connect the dots between seemingly isolated indicators of compromise (IOCs).

Common pivot points include:

• Compromised credentials: Attackers can pivot from one account to the next by abusing legitimate credentials, gaining higher permission status.
• Active directory: Hackers can pivot to different users and groups within the IT infrastructure without raising the alarm.
• Remote Desktop Protocol (RDP): Adversaries jump between systems using poorly maintained protocols, making detection harder.
• Endpoints: Threat actors target vulnerable endpoints to spread malware, pivoting to other parts of the system.
• Cloud services: Attackers pivot from one cloud service to another, harvesting credentials or tokens to perpetrate attacks.

Understanding how attackers can pivot throughout your IT systems supports teams with mapping adversary infrastructure, connecting disparate incidents, attributing attacks to threat actors, and strengthening prevention and remediation.

Creating robust risk management frameworks

Security teams and stakeholders face challenges when implementing cybersecurity risk management frameworks. The mountains of data and limited time to respond to an attack call for thorough risk management plans to properly mitigate risk.

Cybersecurity frameworks and thorough risk assessments not only support organizations but the wider community as well.

The non-profit organization, MITRE, launched Project Homeland, an initiative to support analysts in mapping hidden connections using advanced GIS technology. Knowing the cascading vulnerabilities throughout the power infrastructure in the US supports analysts in determining the impact of a cyber incident across multiple states and industries, such as healthcare, water treatment plants, and digital networks that communities depend on.

To accurately mitigate risk, organizations must implement a response plan informed by risk analysis:

• NIST 2.0: The NIST cybersecurity framework (NIST CSF) supports risk mitigation by mapping various cybersecurity standards across industries and sectors worldwide.
• ISO/IEC 27001 & 27005: ISO methodology specifies requirements for managing risks that affect information security based on risk management.
• CIS Controls: Sets priorities and actionable tasks to implement cybersecurity best practices with a focus on high-impact security controls to reduce risk.
• MITRE ATT&CK Framework: While MITRE isn‘t a risk management framework, its ATT&CK framework is useful for identifying gaps in detection and response capabilities.

Cybersecurity risk management processes that meet regulatory compliance reduce data breaches and disruption by informing decision-making and business objectives.

Risks can never be eliminated entirely, but cyber risk management programs reduce the impact and likelihood of threats disrupting business operations.

Wrapping up

Determining your risk profile with a cybersecurity risk assessment is the first step to creating a more resilient IT infrastructure.

Companies across industries depend on information technology to carry out key business functions today, exposing them to more cyber risks than is commonly understood.

Enterprise Risk Management (ERM) integrates risk-based methodologies into the broader framework of organizational risk management. While data security is understood well within specialist teams, it‘s important that cybersecurity risk management policies are spread throughout the organization.

Gain a strategic advantage with CybelAngel’s External Threat Intelligence

Better understand the cyber threats and vulnerabilities lurking in your system with our Cyber Threat Intelligence platform.

Automate your risk management efforts with curated IOC feeds and deep-dive threat actor profiles to arm your security teams with actionable insights.

About the author

Orlaith Traynor

...

read all the articles