It is easy to see why many CISOs and security professionals respond to threats with the same phrase: “I don’t care who is attacking me, I just want it to stop.” Wanting the attack to end at any cost is a natural reaction, but it is not always the most effective way to protect against malicious actors. Blocking the indicators you can see today only pushes the attacker onto new ones; to truly stop an attack, its infrastructure and flow of funds have to be disrupted. That disruption is usually carried out by U.S. law enforcement and intelligence agencies, together with the major commercial hosting providers whose platforms the attacker abuses.
Disrupting that infrastructure requires context that only the private sector holds: IP addresses, e-mail addresses, website hosting records, phone numbers, profile names, account names and similar identifiers. Service providers, victims and the wider security industry have to pool this data for a takedown to succeed. Attackers make mistakes, and identifying those mistakes is what makes it possible to prevent future attacks rather than just the current one.
Typical mistakes fall into three groups. Obfuscation errors: forgetting to enable private (proxy) domain registration, which leaves the registrant’s real name or e-mail address in WHOIS, or failing to properly encrypt their traffic, which leaves it open to inspection. Infrastructure re-use: attackers trying to save money by re-using the same IP addresses, domains, certificates or hosting accounts across campaigns, so that one exposed element links the rest. Ego: attackers who become too confident in their success and get careless. Threat intelligence and incident response teams need to investigate and triage these mistakes so that stakeholders get timely and relevant answers.
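The infrastructure re-use and obfuscation errors described above are found by pivoting: taking one attribute an attacker exposed (a registrant e-mail left unredacted in WHOIS, a hosting IP, a TLS certificate) and looking for every other domain that shares it. The script below is an added example, not code from the original article or from any vendor it mentions. It runs that pivot over a small set of constructed records (hypothetical `.example` domains, RFC 5737 documentation IP addresses and made-up certificate identifiers), ignores attribute values that are too common to mean anything (privacy-proxy placeholder strings, large public nameservers, both assumed for the example), and returns the linked clusters together with the evidence chain that joined them.

```python
"""Pivot on shared infrastructure attributes to link attacker domains.

Added example with constructed data; the domains, IPs and certificate ids are
invented for illustration and do not refer to any real case.
"""
from collections import defaultdict

# Attributes an analyst pivots on; a shared value on any of them links two domains.
PIVOT_KEYS = ("registrant_email", "hosting_ip", "cert_sha256", "nameserver")

# Values shared by so many legitimate domains that a match means nothing
# (privacy-proxy registrant strings, big public DNS providers). Assumed noise set.
NOISE = {
    "registrant_email": {"", "REDACTED FOR PRIVACY"},
    "hosting_ip": set(),
    "cert_sha256": set(),
    "nameserver": {"ns1.bigpublicdns.example", "ns2.bigpublicdns.example"},
}

# Constructed records: one domain leaked a real registrant e-mail (no private
# registration), one IP and one certificate are re-used, one domain is unrelated.
SAMPLE_RECORDS = [
    {"domain": "evil-login.example", "registrant_email": "ops-runner@mail.example",
     "hosting_ip": "203.0.113.10", "cert_sha256": "sha256:cert-a",
     "nameserver": "ns1.bigpublicdns.example"},
    {"domain": "secure-update.example", "registrant_email": "REDACTED FOR PRIVACY",
     "hosting_ip": "203.0.113.10", "cert_sha256": "sha256:cert-b",
     "nameserver": "ns1.bigpublicdns.example"},
    {"domain": "payroll-portal.example", "registrant_email": "ops-runner@mail.example",
     "hosting_ip": "198.51.100.7", "cert_sha256": "sha256:cert-c",
     "nameserver": "ns2.bigpublicdns.example"},
    {"domain": "docs-share.example", "registrant_email": "REDACTED FOR PRIVACY",
     "hosting_ip": "198.51.100.99", "cert_sha256": "sha256:cert-c",
     "nameserver": "ns2.bigpublicdns.example"},
    {"domain": "unrelated-shop.example", "registrant_email": "REDACTED FOR PRIVACY",
     "hosting_ip": "192.0.2.5", "cert_sha256": "sha256:cert-d",
     "nameserver": "ns1.bigpublicdns.example"},
]


def find_linked_infrastructure(records):
    """Group domains that share at least one non-noise pivot value.

    Returns (clusters, links). clusters is a sorted list of sorted domain lists
    with two or more members. links lists (attribute, value, domains) tuples so
    the analyst can report why each domain was tied in, not just that it was.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        # Union-find root lookup with path compression.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    index = defaultdict(set)  # (attribute, value) -> domains carrying that value
    for r in records:
        for key in PIVOT_KEYS:
            value = r.get(key, "")
            if value and value not in NOISE[key]:
                index[(key, value)].add(r["domain"])

    links = []
    for (key, value), domains in sorted(index.items()):
        if len(domains) < 2:
            continue  # value is unique, nothing to pivot to
        members = tuple(sorted(domains))
        links.append((key, value, members))
        root = find(members[0])
        for d in members[1:]:
            parent[find(d)] = root

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    clusters = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return clusters, links


if __name__ == "__main__":
    clusters, links = find_linked_infrastructure(SAMPLE_RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for key, value, members in links:
        print(f"  {key}={value} links {' <-> '.join(members)}")
```

On the sample data a single chain emerges: the leaked registrant e-mail ties `evil-login.example` to `payroll-portal.example`, the re-used IP ties `evil-login.example` to `secure-update.example`, and the re-used certificate ties `payroll-portal.example` to `docs-share.example`, while `unrelated-shop.example` stays out because the only value it shares is a noise nameserver. The noise list is the part that needs care in practice: without it, every domain parked behind the same privacy proxy or CDN collapses into one useless cluster.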
In conclusion, stopping an attack is more than deploying security tools and hoping the attacker goes elsewhere. A collaborative effort between service providers, victims, law enforcement and intelligence agencies is needed to supply the context and data required to disrupt the attacker’s infrastructure and prevent future attacks. Just as important is investigating and triaging the mistakes attackers make, because those mistakes are what turn a block list into a takedown.
- To truly stop an attack, it is necessary to disrupt the attacker’s infrastructure and flow of funds.
- Context must be provided by service providers, victims, and the cyber industry in order to disrupt the attacker’s infrastructure.
- Attackers make mistakes, such as obfuscation errors, infrastructure re-use, and ego-driven carelessness, that can be identified to prevent future attacks.
- Threat intelligence and incident response teams must investigate and triage mistakes in order to properly defend against them.