July 15, 2022 By Mike Elgan 4 min read

After decades of playing defense, the United States government went on the offense in the past few years against global state-sponsored cyber attackers. U.S. Cyber Command conducted “hunt forward” operations recently in 16 countries, including in Ukraine, as part of a policy set in 2018.

This policy involves partnering with foreign countries on finding cyber threats against them. The idea is that, instead of the U.S. and its smaller allies each facing common adversaries alone, they do so together. The U.S. provides more resources and its allies provide access to their critical networks. What can cybersecurity teams working with other organizations learn from their tactics?

U.S. Cyber Command in Ukraine

Cyber Command chief General Paul Nakasone said hunt forward operations enable the U.S. to put ‘sensors’ on partner networks that provide better intelligence about cyber threats abroad. He said they’re mostly about information sharing. As a matter of national security, the specific actions taken under the ‘hunt forward’ label are not public. Nakasone has said in interviews that the agency conducts a full spectrum of activities, which presumably includes offensive ones.

Nakasone testified before the Senate that U.S. Cyber Command “supported” the Ukrainian side before the hot war even began. And this conflict represents the first internet-based cyber proxy war between two nuclear powers.

Russian cyber attackers reportedly deployed at least six malware instances during the Ukraine conflict against Ukrainian targets designed to wipe data. As part of hunt forward projects, the U.S. started a policy of persistent engagement and ‘continual action.’ This is constant engagement with rivals in the cyber realm.

The Russian Ministry of Foreign Affairs on June 6 accused Ukraine and the United States of working together to carry out “cyberattacks on the critical infrastructure of the Russian Federation,” and threatened retaliation.

So while the purpose of this plan is defensive, the techniques used mirror those used by offensive cyber attackers. Whether internationally accepted conventions of armed conflict find this legal is controversial and unsettled. We don’t know exactly what has occurred during these operations.

Living in the legal gray areas

What lessons can we learn in the civilian realm from the government’s hunt forward operations? Conducting attacks on the networks of another organization is legally and ethically problematic. But it happens all the time. A great many ‘freelance’ so-called “hackers” conduct cyberattacks that are technically illegal, but considered by many to be ethical because they’re driven by the desire to learn about, find and report vulnerabilities.

The general cause of cybersecurity tends to rely on probably illegal and possibly unethical attacks by unpaid lone actors. In part, this comes about because people are squeamish about offensive projects in both business and academia.

Universities tend to be reluctant to train students in offensive security practices, fearing they’ll be “accused of teaching evil hackers,” according to IBM X-Force Red Global Strategy Lead, Cris Thomas (aka Space Rogue). As a result of this reluctance, the skills gap is even greater in the offensive security domain of pen testers, who are legitimate, legal and ethical offensive hackers.

White hat codes of ethics

To be clear, pen testing performed by certified ethical hackers is very different from freelance, self-motivated ethical attackers who have not been granted permission. Certified ethical hackers follow an accepted code of ethics. Organizations hire them to breach their networks — with explicit advance permission granted for the so-called “attack”. This is very different from many of the practices undertaken currently by U.S. Cyber Command in their hunt forward plans.

Neither has permission to enter the systems they seek to penetrate. However, the self-motivated ethical hacker wants to help the target, while the hunt forward operators with the U.S. Cyber Command intend to damage the target.

A private organization actively breaking into the networks or systems of assumed cyber attackers without permission with the intention of disrupting their operations is illegal. That part of hunt forward tactics is off the table, legally.

The world of ethical offensive hacking

However, other aspects of hunt forward plans are fair game. The concepts of persistent engagement and proactive cybersecurity can be both legal and ethical.

The proactive part includes ethical hacking, pen testing, automated intelligence, running and nurturing a zero trust approach and artificial intelligence that hunts for indicators of behavior. Persistent engagement is possible, but only on one’s own networks, on the networks of partners and others who have granted permission, and on systems one is otherwise legally authorized to access. It also helps to pursue services that are informed by teams of offensive hacking experts.

Many of the tactics that inform criminal cyberattacks are, in fact, legal. One of these is to explore black hat message boards, dark web marketplaces and the published content of cyber criminals. This is a kind of know-your-enemy approach. Not enough people appreciate this approach, but it can be highly valuable.

Compare other real-world examples

And, finally, it’s important that white hats constantly educate themselves about real-world cyber attacks — malicious, illegal, military and otherwise. While this seems obvious, the actual craft of using this information to inform the work is a particular discipline.

It’s important to review the published details of actual malicious attacks. Make sure to look at the details published by the researchers who discovered them. These often have the best and most detailed insights. They’re a helpful way to think about the parts of these attacks categorically.

For example, in studying the SolarWinds cyberattack, it’s important to understand that it’s not about SolarWinds. Instead, look at how attackers can smuggle malicious code in through authorized software. In that case, the victims themselves brought in the malware by simply updating a tool called Orion. How can this categorical scenario be pen tested? How can you test the malicious behavior of such malware before a problem starts? Every serious student in this field should ask questions about how one’s own organization may be at risk of similar attacks.

Learning from offensive actors

For non-military needs, offensive attacks on systems without permission are off the table. Still, cybersecurity specialists are adjacent to offensive attackers. They practice the dark arts of offensive hacking in red team exercises, learning from those who do it both legally and illegally, using many of the same approaches to hunt forward as legally and ethically as possible.
