Cyber crime has always been in a state of flux. The tactics, tools, and procedures (TTPs) of attackers are continually shifting as threat actors discover new vulnerabilities, develop workarounds for security solutions, and exploit advances in technology.
But as individual threats are changing, the very ecosystem of cyber crime is also evolving. We now have an increasingly complex, service-based shadow economy that freely trades in TTPs. The result is more sophisticated attacks that are likely to outfox traditional threat profiling. So how can organizations defend against these unpredictable attacks?
Everything’s for sale
The cyber criminal underworld has increasingly come to resemble the legitimate business world, with a service-based approach trading in all manner of malicious assets. New malware, vulnerabilities, attack tactics, and even ready-made system access can all be purchased on the dark web, often with an as-a-service model.
A recent study by WithSecure analyzing attacks across 2023 found that this trend has steadily altered how attacks are conducted.
In previous years, the entirety of an attack was likely to be the work of a single threat actor. They would undertake the initial access, conduct reconnaissance and discovery, and proceed with escalation and lateral movement. Depending on their goals, the same attacker would also be the one to execute malware, exfiltrate data, achieve persistence, and any number of other endgame actions.
Now, though, we increasingly see attacks involving multiple parties. One group may achieve initial access to the network but sell this at a very lucrative rate to another gang to conduct the actual attack. The new group may carry out their recon using TTPs purchased from another specialist and achieve lateral movement with a toolset from yet another.
Senior Security Researcher at WithSecure.
The danger of advanced toolsets in the wild
This collaborative approach makes it easier for bad actors to conduct more sophisticated attacks. In one incident we investigated this year, an attacker deployed nine separate tools for various phases of their attack. ToggleDefender was used to disable and alter certain security tools, before Advanced Port Scanner was used to conduct recon and Rubeus for privilege escalation. Each tool was carefully chosen for its job, and the combined arsenal made for a formidable threat.
In another case, an attacker deployed a fairly standard toolset throughout the incident and attempted to launch multiple payloads such as ransomware and exfiltration tools at the end of the attack. When each of these was blocked in turn, they deployed a previously unseen custom tool as a last resort.
Unpredictable tactics like these make it harder to anticipate and defend against attacks – especially for organizations relying on traditional threat profiling.
Why these new toolsets are hard to predict
Having a single actor conducting the entire attack makes it more predictable. Threat profiling can be used to accurately predict an attacker’s motives and goals and the other toolsets they are likely to use to achieve them. A particular set of TTPs at the breach and recon stage would likely lead to another set at the escalation phase, and so on. This allows the defenders to get ahead of the attacker and block or mitigate the attack.
Now though, traditional profiling techniques are falling behind in effectiveness due to their static nature. Whilst they have been designed to predict attacks based on historical data, they struggle to adapt to modern cyber attacks. Not only are attackers able to access new TTPs more easily, but they can combine them in unexpected ways that don’t match historic data.
Traditional methods may catch one or two elements of an attack but miss out on the entire chain of events that unfold in real time. This creates blind spots in security postures, leaving organisations vulnerable to undetected threats. In addition, it makes it harder to identify the threat group, denying the chance to anticipate their next moves and motives.
Defending against these shifting attacks requires a more dynamic approach that accounts for the interconnected nature of modern tactics and toolsets.
A comprehensive approach to predictive analysis
As attacks become more sophisticated and harder to predict, organizations need to move away from static profiling techniques and towards dynamic predictive models.
This approach involves finding correlations between observed TTPs and the attack matrices established in the MITRE ATT&CK frameworks. This makes it easier to understand which tactics are most often grouped together, and provides a basis for predicting the threat actor’s next moves. Real-time threat intelligence also plays a crucial role in shaping effective predictive models by providing actionable data on emerging threats and attack vectors.
Gathered data can also be used to train machine learning algorithms to aid in identifying and predicting attacks. ML-powered analytics can also be useful in proactively finding vulnerabilities, for example highlighting legitimate toolsets that are often exploited in attack TTPs. Predictive modelling also provides actionable data to help organizations invest in the right defensive tools and capabilities.
This multifaceted approach enables quicker responses to emerging threats and a more robust understanding of complex attack sequences.
The road ahead: predictive, adaptive, proactive
While traditional threat profiling will still be effective against standard TTPs, a growing number of threat actors are accessing and deploying new and varied toolsets. Static profiling methods are at risk of becoming obsolete against this fluid threat, so organizations relying on them are becoming increasingly vulnerable.
To navigate this complex threat landscape, organizations need to embrace a predictive, adaptive, and proactive approach to cybersecurity. By integrating tool pattern analysis, MITRE frameworks, and real-time threat intelligence along with machine learning analytics, organizations can build a more resilient defense mechanism against the most common and dangerous cyber threats.
