The motivation for this blog is a question that has been circling in my head for a long time, and I have asked this question to many security analysts: Have they played a game with an adversary? or in other words - Have they engaged with an adversary?
I got mixed responses. Many security analysts gave me an affirmative answer and shared their war stories when they have engaged with adversaries. Specifically, when they faced attacks from nation-wide APTs, and the adversaries kept coming back to the network even after blocking them.
On the other side, some security analysts ask me a question: Is it possible to play a game with an adversary? or watch the adversary continuously? To answer this question, we need first to understand what it means to play a game or watch an adversary?. Whenever we talk about a game, e.g., Chess, the players know about their actions, and strategies and they have complete visibility of each other’s actions. In the case of cybersecurity, the game is infinitely complex than Chess. The adversary’s actions are hidden, and the defender does not know about them. The defender does not even know if the adversary is present in the enterprise. The defender can play a game with an adversary only if he can detect him continuously and able to determine that he is the same “returning” adversary. The returning adversary is the same one who was blocked earlier and has come back now. It can be typically established based on the similarity between TTP of various incidents.
To monitor the adversary continuously while he is in the network, we need to have technology and infrastructure that can enable it. The adversary can pick up any of the exploits and launch an attack from any attack surface. Hence, to define a game or an engagement with the adversary, there is a need to define the adversaries activities in a framework. Mitre Attack matrix offers a framework to encapsulate the adversary tactics and techniques. Next, we need a way to detect the adversaries actions continuously. One can use a combination of high interaction deceptions, and AI techniques to provide a unique infrastructure to monitor the adversary activities continuously. The adversary could be diverted or lead to a high interaction decoy using credentials, shares and other types of breadcrumbs. The high interaction decoys could employ multiple cameras in the form of HIDs, Bro, and other tools that enable to continuously log the attacker's activities. These logs can be further analyzed using various AI techniques to filter, summarise the identify the notable events and track the adversary activities.
To summarise, watching/playing a game with an adversary has only been possible for a small percentage of defenders. However, a combination of deception and AI can lower the bar and enable more defenders to watch and engage with the adversaries.