|The traditional graphic to show effort to replace pieces of hacker kit although obviously at the top is "people". :)|
Part of the expense is that hackers are constantly rebuilding their tool chains. Burning their rootkits or trojans or exploits or C2s or targets has two effects: They switch to their backups or spend a few months doing a rewrite and then move on. Of course, when they rewrite their tools, they are going to do a BETTER job than before, and this means your tracking effort is going to get harder over time.
Indictments, a crucial part of the US defend forward and national pressure effort, seeks to be even more longterm, by blowing an actual individual or group's cover. One obvious thing this has done (since it has not resulting in convictions or the cessation of Chinese hacking efforts) is lock the people we indict into their government system, instead of allowing them to migrate into defensive jobs in industry, which is probably not in our best interest. Alisa Esage, while not indicted, was sanctioned as part of a US effort and cannot give speeches in Europe because of this. Did this help us? Of course the smart thing for us to do is include our HUMINT sources in our indictments to provide cover for them. Apparently this has already happened, and I am late on the update as always.
A more extreme example of defend forward in cyber is, of course, the Israeli campaign in Iran, assassinating people involved in their cyber efforts.
Layers of Vulnerability in Cyber Campaigns
I'm going to rank these from easiest to hardest, but it is also walking backwards on the kill chain, if that's your thing.
There are of course multiple ways to skin the onion that is a cyber campaign. You can hack the targets of that campaign, and from those steal the toolkit used. This is a non-inconsequential purpose of some pieces of kit we already know about (sigs.py).
You can also hack (or collect) the C2 and launch servers used by hacker groups, as appears to have been done against many of the Chinese crews, some of which decided to use Facebook and other social networks from their exploitation boxes, blowing their attribution instantly.
You can also hit the analysis arms of various APT groups (i.e. with trojaned Office documents or directly if you can figure out who they are via HUMINT/SIGINT). This is the most long-term effect you can have against your adversaries.
You can also hack the hackers themselves, which is where historically things have happened amongst hacker groups. There's a rich history here that no cyber strategist should be unfamiliar with because it's the most important analogy to what Defend Forward is trying to do. Let's list some examples:
- Mitnick Era - You can read about these exciting stories in all sorts of books, but they predate modern life so I don't recommend using them for basing cyber strategy on.
- EL8/PHC/ZF0/#ANTISEC - I'm not trying to imply these are all the same, but they are a modern history everyone in cyber policy should know.
- Lulzsec - The public story is that they were eventually rounded up by law enforcement. The private rumors is that they were a victim of an OCO.
- HackingTeam/GammaGroup - Phineous Fisher is still an unknown hacktivist force wandering around making offers for people to release databases. Lots of people drunkenly claim at conference parties to be him/her though, which is traditional in the hacker world.
- Dutch vs Russians - A classic example of modern defend forward from a partner state
- Israel vs Kaspersky/GRU - I only believe about 10% of the NYT reporting on cyber, since it's usually super off-base but it's worth a read.
- ShadowBrokers - We don't know the details of how this was done, but that was an opdisk, not stolen from C2 so belongs here as the primary example of how to do denial of national-grade capabilities correctly.
Even with this limited set of examples, it is possible to start putting together some context for how the defend forward strategy matches our capabilities and investment. Much of the public discussion of defend forward talks about escalatory ladders, but I'd like to frame a few questions here that I find more useful for analysis.
- Are we deterring adversary action, or simply shaping it to be more covert and have greater long-term impact?
- Is our activity cost effective and low on side-effects?
One thing I think people don't recognize about some of the efforts on the above list is they involve a different type of hacking team than most military or government organizations use today. In particular, 90's hacker groups (c.f. Phineous Fisher) often wrote bespoke tool chains, exploits, implants, C2, and everything, for each target. It was, in modern parlance, a vertically integrated supply chain. It epitomizes the opposite of scale and was highly targeted.
The USG has the opposite issue - a thousand potential adversaries, but with the advantages of existing HUMINT and SIGINT infrastructure. The other major difference, of course, being the goal of many of these attacks. Once most attacks happened in the list above, the result was a mailspool drop, and in many cases, along with a full chain of the attack, which adds valuable credibility, and is a tool the USG has not yet used.
The "Forward" part of "Defend Forward" is hard enough. The other major issue is finding a way to cause an impact on your adversaries longer than a hummingbird's cough. The easiest metric for whether or not your cyber security strategy is a good one is does it give my adversary more difficult equity issues than I have. The downside of releasing what you know about a target's malware is that they can trace their OPSEC compromises, potentially finding YOUR malware. The upside is that larger corporations, American and otherwise, who have automated threat feeds that include your IoC information may detect and remove the adversary's access.
On the other hand, they may not.