In the previous articles, we introduced the LACS approach and explained why it is important for navigating the complex world of cyber defence. If you have not read them, feel free to check out LACS Volume 1 and LACS Volume 2. You can also listen to my interview with Sascha Schumann, where we cover topics closely related to cyber risk assessment and LACS.
The best defence is a good offence
Governments, intelligence agencies, law enforcement and private companies are evaluating the possibility of adopting offensive approaches to defend their assets from cyber attacks.
While in private industry the concept of an offensive approach to cybersecurity is relatively new, the idea has been extensively evaluated and long debated in government and military settings. Countries have gone to great lengths to develop systems that can respond when an attack is detected.
In this article, we will go over the first two phases in the offensive approach. You can find a brief overview of these below.
- Planning – Counter defence, battle planning, attack options, risk assessment
- Reconnaissance – Advantage reconnaissance, espionage, situational awareness
An offensive approach is considered highly effective if you are protected legally and have a green light from the authorities. Remember that it is a highly aggressive method of defence and is regulated by law across industries in developed countries. So I would not advise you to try it at home unless you have strong reasons to do so.
Planning is a crucial phase for institutions. Having a good action plan for every kind of incident, including a cyber breach, is a good starting point, but it is not enough.
Businesses need to approach cybersecurity with the assumption that being attacked is inevitable at some point. Attacks are on the rise, and companies of all types and sizes are at risk. The right questions should be raised at the right time. Plans should be kept up to date and flexible enough to be adjusted on demand. If an organisation decides to go offensive, it has to be prepared to fight a war game with hackers and competitors, and, as you know, no single plan works in every case. Instead, you should have short-term plans ready to respond to specific situations.
“Invincibility lies in the defence; the possibility of victory in the attack.”
― Sun Tzu, The Art of War
During the planning of your offence, you should consider the following points:
- The main points of contact in your organisation that hold the decision-making power
- Elements of the infrastructure that are most likely to be attacked
- Departments that have previously been attacked or affected by social engineering
- Departments with the largest number of freshly hired employees
- Contracts signed with vendors or partners, and the corresponding public announcements
- Vendor and partner infrastructure protection
- Vendor and partner employee education
- Software and hardware assets that control financial transactions or hold points of access
- Parts of your network that are constantly under DDoS attack
- Vendor software that is used to store your source code
- Vendor servers that provide your infrastructure and domains
- Third-party applications or frameworks used in your business
- Vendor software that supports your day-to-day operations
The reconnaissance phase gathers crucial information about your potential attackers, your employees and your competitors. It can be summarised in a reasonably simple list:
- Regular checks and education of employees
- Risk assessment of partner and vendor infrastructure
- Monitoring of company infrastructure and network
- Ethical hacking of local and external infrastructure
- Automated bots checking source code and engineering teams
- Monitoring of public breaches for competing companies
- Hack attempts with limited impact
- Constant monitoring of publicly available information regarding latest cyber breaches
- Monitoring of public posts and announcements where the company name is mentioned
- Constant monitoring of external and internal communication for the signs of social engineering
- Tracking of the most notorious hackers and their activities
- Using smart plan adjustments based on public data for breaches and attacks
- Constant spying and social engineering attacks against possible attackers
- Constant testing and probing of possible attackers' networks without actual breaches
- Identification of badly protected access points of a possible enemy
- Espionage on personal data of a possible enemy
- Collaboration with law enforcement structures, sharing information gained from ethical hacking or espionage
- Decryption attempts for passwords or keys stored in publicly shared resources
- Phishing attacks from well-covered sources
- Hidden cells in enemy organisations with high readiness to perform a data leak
- Dormant viruses planted in enemy organisations
- Meetings with decision makers in enemy organisations and groups
- Collaboration with other hackers who have the same target as your organisation, so that attack response and collective computing power are ready in case a response is needed
This list could go on endlessly; however, my aim is not to teach you how to hack your enemies but to explain how dangerous this approach can become if you get deep into the game.
Remember: the more data you have, the better prepared you are. Most importantly, do not be dogmatic; be ready to adjust the defence plans based on the data received from reconnaissance. War is a complicated and exhausting process, so be prepared to act fast.
In the next articles I am going to cover in detail the last two action points in the offensive approach, which are:
- Proactive defence
To be honest, I try to avoid this particular approach, but sometimes it can be highly efficient if you are ready to face risks and get into a long-lasting war with cybercriminals or competing groups. But the choice depends on how well you are covered legally and financially to be able to win this fight.