Skip to content

An Insider’s Guide to the Active Adversary

Feb 27, 2023

Blog Security


Who are they? What do they want? How do you even know they’re there?

Cyber criminals, hackers, phishers, malicious actors…a rose by any other name and all that… We have lots of different ways we talk about “the bad guys” in the world of IT security. Active Adversary though is a term you might not have heard used a lot. What is it that they do differently and how? Read on to find out more and how to deal with possible your most challenging cyber adversary in 2023.

What is an Active Adversary?

Ransomware-as-a-Service, Phishing-as-a-Service and have been a “thing” in the cyber underworld for a while now, meaning that your entry level cybercriminal doesn’t need a whole lot of skill to wreak havoc. They can simply purchase a “campaign” on the dark web and even pay someone else to run it for them! In most of these “set and forget” style attacks, the attacker is just looking for credentials or fast access to data with minimal effort. An Active Adversary, however, is a much more highly skilled cyber criminal, possibly with sophisticated software and networking skills, who will gain entry to your systems, possibly lay dormant for a period of time, and wait for opportunities to target code or execute scripts that prevent themselves from being detected while they look for and exfiltrate higher value data and assets.

What makes them so hard to find and contain? It’s that fighting an Active Adversary requires less whack-a-mole, and more grand chess master.

The Active Adversary assumes you can play a great game of Whack-a-Mole…

The conventional approach to cybersecurity refers to an array of “defence” tools including firewalls, encryption, endpoint protection, anti-virus tools, MFA…great at defending the perimeter to keep attackers out of your systems, but largely ineffective in “capturing and detaining” an active attackers that has managed to gain access somehow and are now on the run inside your fortress.

However, if an active adversary is smart enough to have evaded your perimeter defences, then they’re not likely to walk blindly into any “traps” you set for them behind the gates. Once they’re in, they’ll head for the shadows, spend some time…active time…covering their tracks, watching and learning how your people behave and communicate, poke and prod your systems to see where there’s give…and bide their time until they get the perfect opportunity to strike. And when they do, all that IT can do is to REACT by launching a whack-a-mole style attack to try and halt their run!

But what the Active Adversary is not prepared for…

The one thing Active Adversaries are not prepared for and cannot preempt is another ACTIVE, thinking, human defender who has their eyes on the screen and their hands on the keyboard, effectively tracking, monitoring, countering and preempting the Active Adversary’s activity…live! Let’s call these cyber security specialists our Active Defenders, and the thing about Active Defenders is that whack-a-mole is not their jam. Instead, they deal in intelligence and forensics – digital breadcrumbs, and using signs, signals and calling cards left by the Active Adversary before and during their attack phase to fight fire with fire by preempting, targeting, neutralising and ultimately ejecting them from your kingdom.

What kinds of signs and signals would be seen as “suspicious”?

Leading global vendor and Maxsum security partner Sophos provides the latest info on changing attacker behaviours in their recently released Active Adversary Playbook 2022.

Here are a few key snippets of intel the Sophos Ops Team has picked up in the last year:

  • 73% of incidents Sophos responded to in the year prior involved ransomware. Of those attacks, 50% plus showed early evidence of data exfiltration BEFORE the final stage release of the ransomware, and on average there was about a 4-day window where there were signals of data exfiltration prior to the release of the ransomware.
  • Combinations of common unsuspicious PowerShell scripts and malicious non-PowerShell scripts were seen being used together in up to 64% of cases – showing that certain combinations of various tools running may provide a powerful warning signal of intruder activity.
  • The median dwell time for organisations hit by ransomware was 11 days, and much longer for smaller organisations and sectors with fewer IT resources. That means that the Active Adversary has hiding in the shadows for 11 days or so before they tool any action.

But doesn’t our IT support team make sure we’re all protected?

Knowing the signs and knowing how to use that intel to fight fire with fire are two very different things. The skills, stamina and expertise required to proactively hunt and recognise both known and new signals and translate that evidence are vastly different to the skills your organisation relies on to provide day-to-day IT support. The key to addressing this obvious and growing skills gap, is to partner with a Managed IT Security service provider that can inject this proactive expertise into your arsenal with 24/7/365 cyber threat hunting, detection and response.

What is within your full control and power as an organisation though, is to maintain that secure perimeter as best you can to remain strong against the onslaught of ever-more persistent threats. This means addressing existing baseline gaps in your IT security protections, working with your Managed IT Services Provider to strategically identify best-practice security approaches to suit your needs and to make sure your board and management are highly cyber aware and promoting cyber awareness across all levels of the organisation.

If you’d like more information on how Managed IT Security provides the threat hunting, detection and response skill set you’re lacking, and how to raise cyber awareness across all levels of your organisation, reach out to Maxsum here or give us a call on 1300 629 786.

[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_empty_space][vc_single_image image=”2861″ img_size=”full” alignment=”center” onclick=”custom_link” img_link_target=”_blank” link=””][vc_empty_space][/vc_column][/vc_row]