After decades of playing defense, the United States government went on the offense in the past few years against global state-sponsored cyber attackers. U.S. Cyber Command conducted “hunt forward” operations recently in 16 countries, including in Ukraine, as part of a policy set in 2018.

This policy involves partnering with foreign countries to find cyber threats against them. The idea is that, instead of the U.S. and its smaller allies each facing common adversaries alone, they do so together. The U.S. provides more resources and its allies provide access to their critical networks. What can cybersecurity teams working with other organizations learn from these tactics?

U.S. Cyber Command in Ukraine

Cyber Command chief General Paul Nakasone said hunt forward operations enable the U.S. to put ‘sensors’ on partner networks that provide better intelligence about cyber threats abroad. He said they’re mostly about information sharing. As a matter of national security, the specific actions taken under the ‘hunt forward’ label are not public. Nakasone has said in interviews that the agency is conducting a full spectrum of activities, which presumably includes offensive ones.

Nakasone testified before the Senate that U.S. Cyber Command “supported” the Ukrainian side before the hot war even began. And this conflict represents the first internet-based cyber proxy war between two nuclear powers.

Russian cyber attackers reportedly deployed at least six data-wiping malware instances against Ukrainian targets during the Ukraine conflict. As part of hunt forward projects, the U.S. adopted a policy of persistent engagement and ‘continual action’: constant engagement with rivals in the cyber realm.

The Russian Ministry of Foreign Affairs on June 6 accused Ukraine and the United States of working together to carry out “cyberattacks on the critical infrastructure of the Russian Federation,” and threatened retaliation.

So while the purpose of this plan is defensive, the techniques used mirror those used by offensive cyber attackers. Whether internationally accepted conventions of armed conflict find this legal is controversial and unsettled. We don’t know exactly what has occurred during these operations.

Living in the legal gray areas

What lessons can we learn in the civilian realm from the government’s hunt forward operations? Conducting attacks on the networks of another organization is legally and ethically problematic. But it happens all the time. A great many ‘freelance’ so-called “hackers” conduct cyberattacks that are technically illegal but considered ethical by many, because they’re driven by the desire to learn about, find and report vulnerabilities.

The general cause of cybersecurity tends to rely on probably illegal and possibly unethical attacks by unpaid lone actors. In part, this comes about because people are squeamish about offensive projects in both business and academia.

Universities tend to be reluctant to train students in offensive security practices, fearing they’ll be “accused of teaching evil hackers,” according to IBM X-Force Red Global Strategy Lead, Cris Thomas (aka Space Rogue). As a result of this reluctance, the skills gap is even greater in the offensive security domain of pen testers, who are legitimate, legal and ethical offensive hackers.

White hat codes of ethics

To be clear, pen testing performed by certified ethical hackers is very different from the work of freelance, self-motivated ethical attackers who have not been granted permission. Certified ethical hackers follow an accepted code of ethics. Organizations hire them to breach their networks, granting explicit advance permission for the so-called “attack”. This is very different from many of the practices currently undertaken by U.S. Cyber Command in its hunt forward plans.

Neither the self-motivated ethical hacker nor the hunt forward operator has permission to enter the systems they seek to penetrate. However, the self-motivated ethical hacker wants to help the target, while the hunt forward operators with U.S. Cyber Command intend to damage the target.

A private organization actively breaking into the networks or systems of assumed cyber attackers without permission with the intention of disrupting their operations is illegal. That part of hunt forward tactics is off the table, legally.

The world of ethical offensive hacking

However, other aspects of hunt forward plans are fair game. The concepts of persistent engagement and proactive cybersecurity can be both legal and ethical.

The proactive part includes ethical hacking, pen testing, automated intelligence, running and nurturing a zero trust approach, and artificial intelligence that hunts for indicators of behavior. Persistent engagement is possible, but only on one’s own networks, the networks of partners and others who have granted permission, and other systems one is legally entitled to test. It also helps to use services that are informed by teams of offensive hacking experts.

Many of the tactics used to learn about criminal cyberattacks are, in fact, legal. One of these is to explore black hat message boards, dark web marketplaces and the published content of cyber criminals. This is a kind of know-your-enemy approach. Not enough people appreciate it, but it can be highly valuable.

Compare other real-world examples

And, finally, it’s important that white hats constantly educate themselves about real-world cyber attacks — malicious, illegal, military and otherwise. While this seems obvious, the actual craft of using this information to inform the work is a particular discipline.

It’s important to review the published details of actual malicious attacks. Make sure to look at the details published by the researchers who discovered them. These often have the best and most detailed insights. They’re a helpful way to think about the parts of these attacks categorically.

For example, in studying the SolarWinds cyberattack, it’s important to understand that it’s not about SolarWinds. Instead, look at how attackers can smuggle malicious code in through authorized software. In that case, the victims themselves brought in the malware simply by updating a tool called Orion. How can this categorical scenario be pen tested? How can you test for the malicious behavior of such malware before a problem starts? Every serious student in this field should ask how their own organization may be at risk of similar attacks.
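As an added example (not from the original post), here is one concrete answer to the question above: a defender-side gate that refuses to install a software update unless every file in the package matches a manifest of hashes pinned from an independently verified build, flagging altered and unexpected components. The release contents, file names and manifest are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" release: the contents of an approved build.
GOOD_RELEASE = {
    "bin/updater.exe": b"updater v2023.1 (constructed sample)",
    "lib/core.dll": b"core library (constructed sample)",
    "conf/agent.cfg": b"poll_interval=60\n",
}

# Pinned manifest: path -> expected digest. A defender obtains this out of band
# (reproducible build, second verified channel), never from the package itself.
PINNED_MANIFEST = {path: sha256_hex(data) for path, data in GOOD_RELEASE.items()}


def verify_update(package: dict, manifest: dict) -> list:
    """Return a list of findings; an empty list means the package matches the manifest."""
    findings = []
    for path, data in sorted(package.items()):
        expected = manifest.get(path)
        if expected is None:
            findings.append(f"unexpected file: {path}")      # component never approved
        elif sha256_hex(data) != expected:
            findings.append(f"hash mismatch: {path}")        # approved component altered
    for path in sorted(manifest):
        if path not in package:
            findings.append(f"missing file: {path}")         # approved component removed
    return findings


def is_safe_to_install(package: dict, manifest: dict) -> bool:
    """Install gate: only a package with no findings may proceed."""
    return not verify_update(package, manifest)


# Constructed tampered package: one approved library altered, one extra library added.
TAMPERED_RELEASE = dict(GOOD_RELEASE)
TAMPERED_RELEASE["lib/core.dll"] = b"core library (constructed sample) + injected code"
TAMPERED_RELEASE["lib/telemetry.dll"] = b"component absent from the approved manifest"

if __name__ == "__main__":
    for finding in verify_update(TAMPERED_RELEASE, PINNED_MANIFEST):
        print(finding)
    print("install allowed:", is_safe_to_install(TAMPERED_RELEASE, PINNED_MANIFEST))
```

A hash or manifest shipped alongside the update gives no protection when the build itself was compromised at the vendor, which is why the baseline must come from a source independent of the package, such as a reproducible build or a second verified channel.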

Learning from offensive actors

For non-military needs, offensive attacks on systems without permission are off the table. Still, cybersecurity specialists are adjacent to offensive attackers. They practice the dark arts of offensive hacking in red team exercises, learning from those who do it both legally and illegally, and using many of the same hunt forward approaches as legally and ethically as possible.
