The evolution of cyber threat tactics [Q&A]

Data breaches and cyberattacks are seldom far from the news, and it's an area that seldom stands still for long.

We spoke to founder and CEO of White Knight Labs, Greg Hatcher, to discuss how threat tactics are evolving and what organizations can do to protect themselves.

BN: What are the latest attack trends and how much of a risk do they present?

GH: One of the latest attack trends that WKL has seen in the wild and is replicating in red team operations is using Azure device codes for bypassing MFA. A successful Azure device code phish results in access to the target organization's internal Azure AD environment where the attacker can enumerate and establish persistence.

Another attack trend that WKL is seeing since Microsoft has disabled Excel macros by default, attackers are getting desperate and resorting to other means. For instance, the trend right now is to use iso files that have executables embedded in them.

APT and criminal hacker groups are switching from using executables to dynamic link libraries (DLLs) due to endpoint protection solutions heavily scrutinizing executables. Endpoint protection products have notoriously poor detection for malicious DLLs, and threat actors know this.

We're also seeing several threat actors registering and using the new zip TLD that Google created. A cyber security researcher has already created a new 'File Archivers in the Browser' phishing kit that abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser to convince users to launch malicious files. That means that hackers are now able to register phishing domains like installer.zip and setup.zip. It remains to be seen why Google thought creating a zip TLD was a good idea.

BN: How big a threat do AI tools like ChatGPT present to cybersecurity?

GH: Before ChatGPT was connected to the internet, there was a company that created a polymorphic keylogger that can bypass top tier EDR products; and they used ChatGPT to make it, the researchers didn't code any of it. AI has significantly lowered the bar to creating custom software by eliminating the need to actually understand how programming works. Now that ChatGTP is connected to the internet, it is a very real threat to cybersecurity because it can scrape the entire web and use hyper current information that was previously inaccessible.

BN: Do governments need to take a more proactive role in cyberdefense?

GH: The answer to this question is always going to be yes. Governments need to be proactive in cyberdefense by creating initiatives that incentivize partnerships between the public and private sectors. Also, governments need to focus on offense just as much as defense. Governments need to shift their paradigm; it’s important to remember that cyber warfare is still warfare. Countries that don't invest in cyber defense and offense are going to be increasingly vulnerable to countries that are heavily invested in cyber and tech.

The Department of Homeland Security's cyber arm, CISA, is still in its infancy (created in 2018), but I believe that it could have a profound impact in leading the cyberdefense charge in America. As a former red team lead for CISA, the services that CISA offers at no-charge to government municipalities and critical infrastructure are exceptional. The head of CISA, Jen Easterly, has been doing an excellent job as director; she attends cyber events throughout the world and advocates strongly for recruiting more Americans into cyber.

BN: Will we see offensive cybersecurity strategies playing a greater role in future?

GH: Yes, China is the global leader when it comes to offensive cybersecurity strategy. China's APT groups attack with impunity, and have unlimited time and budget.

The Biden administration announced their national cybersecurity strategy in March that the United States will strategically employ all tools of national power to disrupt adversaries and engage the private sector in disruption activities through scalable mechanisms. This means that the United States is going to utilize private companies to conduct offensive cyber operations on behalf of the United States. I think this is an incredibly forward leaning initiative, how and when the US government executes this initiative remains to be seen.

We've also seen how cyber warfare has shaped the Russia/Ukraine war. The war has shown how far behind Russia is in offensive cyber operations than the west. Russia's offensive cyber troops have been trained almost solely for misinformation campaigns and spreading propaganda. Russia’s Information Operation Troops primarily consist of approximately 100 recent university graduates and novice programmers. This suggests, in addition to a high degree of competition among Russian agencies for a relatively small pool of technical talent, a relative lack of both service and operational experience.

BN: How important is it for government and industry to collaborate to pool security intelligence?

GH: It is extremely important for the government and private sector to pool cyber security intelligence. Just like the United States government learned the hard way after 9/11, a failure to increase the aggregation and access to critical intelligence can be devastating. Hopefully we don't have to experience a cyber 9/11 to learn this lesson.

Image credit: alexskopje/depositphotos.com