US armed forces must root out unknown threats to win cyberwar, says ex-serviceman
With the US military facing calls to up its game on cyberwarfare, the pressure is on to resist attacks by threat actors employed by enemy states. But in an ever-evolving environment, what exactly does best practice constitute?
Former US Navy sailor Chris Haller, who now works for a defense contractor and cybersecurity specialist Centripetal, believes the military is equal to the task of keeping them out but must adapt its strategy to cope with the ever-expanding array of attackers.
With millions or even billions of threat alerts bombarding defense organizations every day, Haller believes that the industry should be more proactive in its approach – using designated hit lists to block known bad actors from the web and free up time and energy to go after as yet unidentified threats.
He also thinks that ‘lone wolf’ hackers like P4X – who recently took down North Korea’s internet in a revenge attack – would better serve American interests by cooperating with the defense industry rather than going at it alone.
CyberNews sat down with Haller to speak further about the issues facing the US military and defense contractors in 2022.
Are there particular forms of equipment that you think are vulnerable to targeting, which if I was a hacker employed by an enemy state would be my go-to point of access?
Yeah, that's a tough one. Really anything connected to the internet directly is a big threat – one of the biggest things that will show up is a target on the reconnaissance [an attack launched by threat actors ahead of another attack to glean as much information as possible about a potential victim]. So being able to remove that attack surface or reconnaissance stops everything else further down that kill chain.
A cybersecurity professional I interviewed recently said the human factor – by way of phishing and social engineering – posed a greater danger to the US military than attacks on field equipment. What do you think about that?
That's a really interesting question. I definitely feel like that is a big factor, but not necessarily the biggest threat to the US military. One of the biggest things that causes issues is the large attack surface. There are so many assets available on the internet that it's constantly being barraged by attacks.
Phishing is one of the bigger attack surfaces in any organization, but with the military, there are so many specific layers of defense: when the email gets delivered, it gets checked and scanned, and then if the user opens the email, they [also] have to open the attachment and run the stuff inside it. Then that stuff gets flagged as well, and usually, it’s some kind of staging malware, which has to reach out and download something else, a whole other [client-to-network] C2N point, or something along those lines.
So I feel the constant attacks coming across all of the endpoints on the internet definitely represent more of a threat. How do we get all of these known bad things? Anybody can look and say, “these are bad,” but where the rubber really hits the road is finding the very sophisticated and detailed attacks coming in, which just get blended in with all the noise.
One of the biggest things is moving from a reactive to a proactive approach. There are billions of alerts that come through every day, so the millions from known bad infrastructure should be blocked. Using an active Cyber Threat Intelligence (CTI) solution like Centripetal's takes all of these known bad events off the network, allowing defenders the time and flexibility to investigate potential unknown bad actors.
Then we can focus on the really interesting things that aren't on cyber threat intelligence, which should be investigated more because they are doing something that seems out of place or odd. But without a solution in place to block the known bad events, it will be almost impossible to sift through the noise.
Talk me through that a little more. How would you separate the wheat from the chaff and determine which threat alerts are a priority?
The most effective tool for that is CTI [where] somebody has already done analysis and shown a [software program] is clearly bad and should not be connecting to any other network. Traditionally CTI is used in a forensic capacity, so if somebody gets hacked, they look through all the information security evaluations to find out who was attacked by whom. But what we do at Centripetal is flip that paradigm. We have a list of known bad actors – why not just stop them from getting into the network in the first place?
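As an added illustration of the triage Haller describes in the two answers above (this is example code, not the interview's or Centripetal's own), the script below checks each alert's destination against a CTI block list of networks and domains: hits are set aside as "blocked on the wire", and only the remainder reaches an analyst queue. Every indicator and alert in it is constructed for the example.

```python
"""Partition constructed alerts into CTI-blocked and analyst-queue sets."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed indicators standing in for a CTI feed (documentation ranges, not real IoCs).
CTI_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
CTI_DOMAINS = {"c2.example", "staging-drop.example"}

# Constructed alerts: (source_ip, destination_ip, destination_domain, description).
ALERTS = [
    ("10.0.0.5", "198.51.100.23", "", "outbound TLS to listed range"),
    ("10.0.0.9", "192.0.2.44", "update.c2.example", "DNS lookup then HTTP GET"),
    ("10.0.0.12", "192.0.2.80", "files.internal.example", "large upload at 03:10"),
    ("10.0.0.5", "203.0.113.7", "", "SSH attempt to listed host"),
    ("10.0.0.7", "192.0.2.90", "", "office document spawning a shell"),
]

def matches_domain(domain: str) -> Optional[str]:
    """Return the CTI domain that `domain` equals or is a subdomain of, else None."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # walk up: a.b.c -> b.c -> c
        if candidate in CTI_DOMAINS:
            return candidate
    return None

def matches_network(ip: str) -> Optional[str]:
    """Return the CTI network containing `ip` (as a string), else None."""
    addr = ipaddress.ip_address(ip)
    for net in CTI_NETWORKS:
        if addr in net:
            return str(net)
    return None

def triage(alerts) -> Tuple[List[tuple], List[tuple]]:
    """Split alerts into CTI hits (each tagged with the indicator that matched)
    and the residue that needs human investigation."""
    blocked, investigate = [], []
    for src, dst, domain, desc in alerts:
        hit = matches_network(dst) or (matches_domain(domain) if domain else None)
        if hit:
            blocked.append((src, dst, domain, desc, hit))
        else:
            investigate.append((src, dst, domain, desc))
    return blocked, investigate

if __name__ == "__main__":
    blocked, investigate = triage(ALERTS)
    print(f"{len(blocked)} alerts matched CTI; {len(investigate)} left for analysts")
    for alert in investigate:
        print("investigate:", alert)
```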
So how would you identify bad actors? The FBI has a Most Wanted List, do you have a version of that – a list of groups like REvil who are considered top priority?
Absolutely. We source our CTI from about 80 providers, so we have a huge library of information that we're constantly looking through and that is always being updated. Through our proprietary tools we're able to take that information and apply it on the wire. There's no network latency [i.e., time lag] either.
The Government Accountability Office’s findings on US military cybersecurity, which were updated last year, seem quite damning. And just last week, a GAO spokesperson said the US military had made little progress on addressing gaps in its cybersecurity. That suggests to me that it isn’t taking the issue seriously. What are your views on that?
I've spent a lot of time with the Navy – eight years on active duty, four of those with Cyber Defense Operations Command. The military definitely takes cybersecurity seriously – it is just difficult because it is so widespread and such a new sector of warfare that the books are still being written on how to do it. The military is on the right track, but there are still a lot more places to go.
So do you think that the GAO is being unhelpful with its comments?
The GAO is looking at it from a regulatory compliance [perspective], whereas my experience comes from the more defensive aspect. I can say that I do feel very confident in the Department of Defense (DOD) and the direction it is moving in.
I want to talk briefly about Zerodium. On its website, it claims to source clients responsibly, but it seems to be potentially a bad actor because of the high prices it is selling on at – a really obvious buyer would be a rogue nation that could afford that kind of fee. And the company is based in Washington DC – is it just a matter of time before the US Congress decides to take action?
That's definitely very interesting. Who knows what really goes on inside the black box, who they sell it to, and who they don't? As for regulation, I don't have any specific opinions about that.
Next, I wanted to touch on the concept of the cyber vigilante, in particular P4X, who hacked North Korea’s internet in a revenge attack recently. Some think this actor is doing more harm than good, because he's putting up red flags for North Korea, which now knows it got hacked and needs to improve its digital defenses. As a former military professional who works in cybersecurity, do you think these lone wolves are a liability?
Yes, those were my initial thoughts as well. Like you said, it definitely does show those regimes their weak points and things that they could fix. Beyond that, it could cause retaliation much further past the original hacker P4X, and even get to nation-state-level targeting.
So we're talking escalation here?
Then do you think there needs to be a move to bring actors like P4X into the fold? To say to them: ‘Come and work for us, so you can do what you want to do – but as a part of a team effort.’
One hundred percent. I believe that if we take all of our known good hackers and researchers – as you were saying, these vigilantes – we can use them in a coordinated effort to help protect the country and level up our cybersecurity and offensive capabilities. Vigilantes have the correct kind of perspective, [though] they don’t necessarily want to defend their country so much as remove capabilities from bad ones.