Big-Game Cyber Hunting: [Exposed]

Big game cyber hunting is a type of cyberattack that usually leverages ransomware to target large, high-value organizations or high-profile entities. So the question is simple: how do they [the hackers] determine high value?

In the grand scheme of things, victims are selected based on their ability to pay a ransom, as well as the likelihood that they will do so in order to resume business operations or avoid public scrutiny. Common targets may include:

  • Aerospace & Defense
  • Enterprise Corporations
  • Banks / Other Financial Institutions
  • Utility Providers / Critical Infrastructure
  • Hospitals / Clinics / Healthcare Institutions
  • Federal, state, and municipal government agencies
  • High net worth individuals, such as celebrities and prominent business leaders
  • Any organization that holds intellectual property, trade secrets, private personal data or other sensitive data

Exploring today’s big game cyber hunting landscape

Over $100 million per quarter is being paid in ransom in the U.S. alone! From September 2021 right up to the present day, big game cyber hunting activity has returned to near peak levels, indicating that this trend is clearly on the rise, and so are the pay-outs!

Annually, a joint cybersecurity advisory is issued by CISA (Cybersecurity and Infrastructure Security Agency), the FBI, and other security groups. They indicate that there was a temporary drop in big game hunting beginning in the second half of 2021 when the pandemic occurred. Analysis by the agencies suggested that adversaries may have turned to other tactics, citing the increase in law enforcement monitoring, and possibly due to the diminishing returns following the May 2021 Colonial Pipeline Co. cyberattack, which was widely publicized and resulted in a partial ransom payment recovery by the FBI.

Who are big game cyber hunters?

Big game cyber hunters are nothing less than highly skilled, technically sophisticated adversaries, often working as part of an organized group to take down significant targets. In many cases, these groups operate as highly structured and organized networks, similar to any modern business. They are often state-sponsored and are suspected to have close ties to government agencies or prominent public figures.

According to the DHS, information about cyber hunting is widely available, and it tracks the behavior of major adversary groups around the world. The goal of the DHS Continuous Diagnostics and Mitigation (CDM) program is to provide its users with near real-time dashboards to view the threats they face, which devices are vulnerable, how they are vulnerable, who is behaving poorly (and much more), in an effort to deliver perspective, intelligence, forensics, and e-Discovery functionality. Worthy of note, Anamo is an advanced, commercial-grade CDM cybersecurity platform designed for the job of detecting vulnerabilities, identifying a technical adversary, eliminating the “dwell-time” of hackers, and providing essential support for the security of intellectual property.

How do big game cyber hunters attack?

Big game cyber hunters have always used a variety of techniques against diverse attack vectors to conduct their probing and attacks. In most instances, the payload method of choice is ransomware, which is a type of malware that encrypts a victim’s data so that the attackers can then demand a ransom payment to restore access.

To simplify the required effort, technical adversaries are also leveraging ransomware as a service (RaaS), which, as the name would indicate, is a rapidly growing business model that rents ransomware variants in the same way that legitimate software developers sell or lease other SaaS products such as Windows.

The table below outlines a few well-known examples of RaaS events:

RaaS: DarkSide
Technique: DarkSide operators traditionally focus on Windows machines and have recently expanded to Linux, targeting enterprise environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials. DarkSide RaaS is also believed to be the attack vehicle leveraged in the high-profile Colonial Pipeline attack.
Big game hunter: CARBON SPIDER

RaaS: REvil (also known as Sodinokibi)
Technique: REvil is a RaaS most commonly used by PINCHY SPIDER. In such attacks, victims usually receive a warning of an impending data leak if a ransom is not paid. REvil is credited with being the ransomware behind one of the largest ransom demands on record: $10 million USD.
Big game hunter: PINCHY SPIDER

RaaS: Dharma
Technique: Dharma ransomware attacks are mainly associated with remote desktop protocol (RDP) attacks. Dharma variants come from many sources and are nearly identical in nature, making it difficult to ascertain who is behind an attack.
Big game hunter: Linked to a financially motivated Iranian threat group; not centrally controlled

RaaS: LockBit
Technique: In development since 2019, LockBit attacks demand a ransom to avoid the publication of a stolen data set. The RaaS is confirmed to have been involved in at least nine attacks.
Big game hunter: Affiliated with Russian-speaking users or English speakers with a Russian-speaking guarantor

In addition to relying on ransomware and RaaS to conduct attacks, big game cyber hunters also leverage various other vulnerabilities to advance their operations. These include:

  • Vulnerability exploitation: The CrowdStrike 2022 Global Threat Report indicates that malicious actors tend to opportunistically exploit known remote code execution (RCE) vulnerabilities in server software, typically scanning for vulnerable servers. After initial access, actors may deploy a variety of tools to advance the attack path. Multiple adversaries, particularly big game cyber hunters, have leveraged such vulnerabilities to gain initial access to the system.
  • Zero-day attack: Threat actors release malware to exploit software vulnerabilities before the software developer has patched the flaw. The term “zero-day” is used because the software vendor was unaware of the vulnerability and has had “0” days to work on a security patch or an update to fix the issue. These types of attacks are extremely difficult to detect, making them a serious security risk.

Big-Game Cyber Hunting: [Solved]

How do you defend against cyber big game hunting?

To quickly identify threats and reduce the risk of big game cyber hunting, operators should aim to establish a robust cybersecurity strategy that defends their organization on multiple levels. Here are some helpful recommendations for setting up a comprehensive cybersecurity strategy:

  1. Train all employees on cybersecurity best practices: Establish policies and procedures based upon a standardized cybersecurity framework such as CMMC or NIST and implement them at your earliest opportunity. Your employees are on the front line of your security, so make sure they follow good cyber-hygiene practices such as using strong password protection, connecting only to secure Wi-Fi and never clicking on links from unsolicited emails.
  2. Keep your operating system and other software up to date and patched: Deploy CDM functionality (see ANAMO). Cybercriminals are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you will minimize your exposure to known vulnerabilities.
  3. Implement and enhance email security: US ProTech recommends implementing an email security solution that conducts URL filtering and attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them.
  4. Continuously monitor your environment for malicious activity, bad actors, and indicators of attack (IOAs): Deploy (ANAMO) CDM Endpoint Detection and Response (EDR), which acts like a surveillance camera across all endpoints, capturing raw data (events) for automatic detection of malicious end-user activity not identified by prevention methods.
  5. Integrate threat intelligence into your security strategy: Using CDM, monitor your systems in real time and keep up with the latest threat intelligence to detect an attack quickly, understand how best to respond, and prevent it from spreading. Tracking transactions, ports, users, groups, and permissions is essential and easily accomplished with Anamo CDM.
  6. Develop ransomware-proof offline backups: US ProTech suggests immutable and air-gapped backup systems. When developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment. For this reason, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies.
  7. Implement a robust identity protection program: Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Entra ID, and Anamo CDM). Ascertain gaps, analyze user/group behavior and related deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement and implement risk-based conditional access to detect and stop ransomware threats.
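Recommendations 4 and 5 call for continuous monitoring of endpoint events for indicators of attack. The block below is an added example, not code from this article or from Anamo: a toy IOA rule that flags the mass-rename burst typical of ransomware encryption, where one process renames many files in many directories to a single new extension within a short window. The event line format, the thresholds and the sample lines are constructed assumptions, not any product's real telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample EDR-style events (hypothetical, not real telemetry). Fields:
# timestamp host process action path [new_path, present only for rename events]
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 ws01 winword.exe modify C:\\Users\\a\\Documents\\q1.docx
2024-03-01T10:03:00 ws01 updater.exe rename C:\\Users\\a\\Documents\\q1.docx C:\\Users\\a\\Documents\\q1.docx.lockd
2024-03-01T10:03:01 ws01 updater.exe rename C:\\Users\\a\\Pictures\\p1.jpg C:\\Users\\a\\Pictures\\p1.jpg.lockd
2024-03-01T10:03:01 ws01 updater.exe rename C:\\Shares\\finance\\ledger.xlsx C:\\Shares\\finance\\ledger.xlsx.lockd
2024-03-01T10:03:02 ws01 updater.exe rename C:\\Users\\a\\Desktop\\notes.txt C:\\Users\\a\\Desktop\\notes.txt.lockd
2024-03-01T10:03:03 ws01 updater.exe rename C:\\Shares\\hr\\staff.csv C:\\Shares\\hr\\staff.csv.lockd
2024-03-01T10:09:00 ws02 explorer.exe rename C:\\Users\\b\\old.txt C:\\Users\\b\\new.txt
"""

WINDOW = timedelta(seconds=60)  # burst window
MIN_FILES = 5                   # renames to one new extension inside the window ...
MIN_DIRS = 3                    # ... spread over at least this many directories

def parse_events(text):
    """Parse space-separated event lines into dicts."""
    rows = [ln.split() for ln in text.splitlines() if len(ln.split()) >= 5]
    return [{"ts": datetime.fromisoformat(p[0]), "host": p[1], "process": p[2],
             "action": p[3], "path": p[4], "new_path": p[5] if len(p) > 5 else None}
            for p in rows]

def detect_mass_rename(events, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Flag a process that renames many files to one new extension across directories."""
    recent = defaultdict(deque)  # (host, process, new_ext) -> deque of (ts, directory)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "rename" or not ev["new_path"]:
            continue
        old, new = PureWindowsPath(ev["path"]), PureWindowsPath(ev["new_path"])
        if old.suffix.lower() == new.suffix.lower():  # extension kept: ordinary rename
            continue
        key = (ev["host"], ev["process"], new.suffix.lower())
        q = recent[key]
        q.append((ev["ts"], str(new.parent)))
        while ev["ts"] - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= min_files and len(dirs) >= min_dirs and key not in alerted:
            alerted.add(key)  # one alert per key; later bursts do not re-fire
            alerts.append({"host": key[0], "process": key[1], "extension": key[2],
                           "files": len(q), "directories": len(dirs), "at": ev["ts"].isoformat()})
    return alerts

ALERTS = detect_mass_rename(parse_events(SAMPLE_EVENTS))
```

On the sample, only updater.exe on ws01 trips the rule; the single explorer.exe rename keeps its extension and is ignored.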

Protecting the organization from big game cyber hunters and ransomware with Continuous Diagnostics and Mitigation (CDM)

For cyber protection teams that are struggling to respond to cybersecurity alerts and don’t have the time or expertise to get ahead of emerging threats, Anamo delivers the critical intelligence you need, while eliminating the resource-draining complexity of incident investigations. Anamo CDM is one example of the available solutions that truly integrate attack vector threat intelligence, endpoint protection, and Security Information and Event Management (SIEM) to automatically perform investigations, deliver a speedy response, and enable security teams to move from a reactive to a proactive, even predictive, state of awareness.

Key benefits:

  • Automates investigations into all threats that reach your endpoints
  • Delivers custom IOCs to proactively guard against evasive threats
  • Provides complete information on attacks to enable faster, better decisions
  • Empowers your team with analysis from Anamo SOC experts
  • Simplifies operations and delivers real-time dashboards to the entire team

Defend, detect, respond and recover with Anamo SOC

Anamo’s Next Generation Security Operations Center services and solutions, together with the Anamo® CDM cybersecurity platform, provide industry-leading protection and detection capabilities with cyber threat intelligence and 24/7 threat hunting to gain a significant advantage over ransomware threats. The solution offers joint customers immediate, real-time visibility into their organization’s environment, identifying and eliminating potential compromises and preventing silent failure. This powerful combination helps to contain active threats and assists in ejecting them from networks quickly, eliminating the threat of ransomware immediately and efficiently.

Special “Thanks” to our industry colleagues who helped provide background and statistics for this article:

  1. Beta News / https://betanews.com/2023/12/17/big-game-cyber-hunting-will-return-in-2024/
  2. Tech Target / https://www.techtarget.com/searchsecurity/news/252513216/Ransomware-groups-shift-from-big-game-hunting
  3. CISA / DHS / https://www.cisa.gov/continuous-diagnostics-and-mitigation-cdm
  4. CrowdStrike / https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/