The scene is a compound in the remote hills of Pakistan, cut off from phones and Internet, carefully designed to conceal its inhabitants not just from prying eyes, but from drones and spy satellites as well. The walls of the compound ensure not only privacy for the occupants but also self-sufficiency, with orchards, vegetable gardens, and even some livestock. And the occupants practiced operational security – or opsec – like one would practice a religion, devoutly.
The compound Osama Bin Laden used. Image courtesy of Rolling Stone
One would be forgiven for thinking this sounds like a dime store potboiler, or the latest espionage drama series. Instead, it was the reality for nine years for one of the world’s most infamous terrorists: Osama Bin Laden, as detailed in the book “The Rise and Fall of Osama Bin Laden.” The book is a fascinating read on the hunt that lasted over 10 years. But the book also has some interesting parallels to cyber security, and especially to true threat hunting.
How Osama Bin Laden’s OPSEC Defeated a Global Spy Network
Osama Bin Laden, along with his family and bodyguards, practiced rigid opsec to help conceal his location and activities. This left a lot of the high-tech spy gear intelligence agencies have come to rely on entirely ineffective. The inhabitants had no telephone or Internet connections; every part of the compound was surrounded by privacy walls; and the house was designed with as few windows as possible. This meant that the CIA – the agency that led the hunt – had to go back-to-basics, tracking pattern-of-life data. In other words, they had to start looking for suspicious behaviors. And it was these, often unconscious, behaviors that betrayed Osama Bin Laden and enabled the CIA to hunt him down.
This ability for an adversary to circumvent detection by practicing good opsec is true for cyber security as well: disciplined adversaries with well-practiced opsec are often able to evade even the most high-tech security tools. This opsec does not need to be complicated, either. In fact, much like with Bin Laden, the simpler it is – like constantly recompiling tools — the more effective it can be. It’s great when organizations detect a tool or malware payload through an IOC like a hash match, but with only a modicum of opsec, adversaries can bypass this security and remain undetected without the need for innovative tools and zero-day exploits.
In fact, in today’s terms, relying on IOCs for detection would be like the CIA relying on someone sending a birthday card addressed to Bin Laden directly. It would be very convenient, but not highly likely. Despite this, many of the most popular security tools and platforms are still relying on these indicators to detect malicious activity and protect their customers. And while these platforms may detect unsophisticated attacks, this leaves the door wide open for more disciplined actors. But there is another parallel to cyber security that I think is worth examining further: specifically, the efficacy of using behaviors, even in the absence of hard evidence like those IOCs, to detect adversaries.
Using Osama Bin Laden’s Behaviors Against Him
In the hunt for Osama Bin Laden, the CIA was able to take the behaviors of the adversary and his associates and use them against him. The book detailed a few of them that caused analysts to raise an eyebrow: the compound had no telephone wires or Internet access; despite the size of the compound, few people were seen coming or going; those that did always took the batteries out of their cellphones and relied on pay phones; the compound itself was surrounded with tall walls and barbed wire; and the visible clothesline had clothes for many more people than supposedly lived there. Each of these behaviors, on its own, was little more than a mildly curious fact. Had the CIA raided every home that displayed just one such behavior, they would have been raiding hundreds or thousands of homes across Pakistan and may have tipped off their real target in the process, driving him deeper underground. But those behaviors, in aggregate, allowed the CIA to assess that there was someone in there that did not want to be found.
The cyber security community needs to stand up and take note of this. True behavioral threat hunting cannot be done by looking for individual behaviors in a vacuum. This is why platforms and tools that claim to automate threat hunting and threat detection using behaviors only result in wasting analysts’ time and an organization’s resources as they launch investigations into hundreds or thousands of systems across an environment with nothing to show for it. Worse still, it may even alert the adversary to your capabilities and drive them even deeper. But by aggregating those suspicious and malicious behaviors into true behavioral threat hunting content, which can then be layered into the context of the environment, threat hunters can find adversaries and tools that do not want to be found. But the comparisons and lessons for the cyber security industry, from the hunt for Osama Bin Laden, do not end there. It is also worth exploring how the CIA gathered these behaviors.
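The contrast drawn above between hash IOCs, single-behavior alerting and aggregated behaviors can be shown over a small set of host events. This is an added example, not taken from the book or from any vendor's hunting content; the hosts, behavior names, hash labels and the threshold of three are all constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry (not real data): (host, behavior, file_hash).
# Behavior names, hosts and hash labels are hypothetical placeholders.
EVENTS = [
    ("ws-01", "encoded_powershell", "hash-a"),
    ("ws-02", "new_scheduled_task", "hash-b"),
    ("ws-03", "rare_outbound_domain", "hash-c"),
    ("ws-04", "office_spawns_shell", "hash-d"),
    ("adm-05", "encoded_powershell", "hash-e"),
    ("adm-05", "new_scheduled_task", "hash-e"),
    ("adm-05", "rare_outbound_domain", "hash-e"),
    ("ws-09", "office_spawns_shell", "hash-recompiled"),
    ("ws-09", "encoded_powershell", "hash-recompiled"),
    ("ws-09", "new_scheduled_task", "hash-recompiled"),
    ("ws-09", "rare_outbound_domain", "hash-recompiled"),
]
KNOWN_BAD_HASHES = {"hash-original"}  # IOC published before the tool was recompiled
# Environment context (assumed): behaviors that are routine on a given host.
EXPECTED = {"adm-05": {"encoded_powershell", "new_scheduled_task"}}


def ioc_hits(events, iocs):
    """Hosts where a file hash matches a known-bad indicator."""
    return {host for host, _, digest in events if digest in iocs}


def single_behavior_hits(events):
    """Hosts showing at least one watched behavior (alert-per-behavior)."""
    return {host for host, _, _ in events}


def aggregate_hits(events, expected, threshold=3):
    """Hosts with >= threshold distinct behaviors that are not routine there."""
    seen = defaultdict(set)
    for host, behavior, _ in events:
        if behavior not in expected.get(host, set()):
            seen[host].add(behavior)
    return {host for host, behaviors in seen.items() if len(behaviors) >= threshold}


if __name__ == "__main__":
    print("IOC match:      ", sorted(ioc_hits(EVENTS, KNOWN_BAD_HASHES)))
    print("Single behavior:", sorted(single_behavior_hits(EVENTS)))
    print("Aggregate:      ", sorted(aggregate_hits(EVENTS, EXPECTED)))
```

The hash lookup finds nothing, alerting on any single behavior opens six investigations, and the aggregate with environment context leaves one host to examine.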
Building a Digital Safe House
The hunt for Osama Bin Laden was successful because of intelligence, but it is also worth discussing how these key observations of behaviors were made by the CIA and how they apply to threat hunting content. In the book, it is revealed that the Agency set up a safe house near to the target of interest. The house was staffed with surveillance experts that recorded every observation, visitor, and change that occurred. Those observations were then piped back to Langley, where subject matter experts ripped apart and questioned every detail from the surveillance. No stone was left unturned, no observation went unchallenged. This serves as a parallel for how security teams can build that threat hunting content.
Now, it may be that setting up a digital equivalent of a “safe house” to track adversaries’ actions across the Internet is beyond the scope of most security teams. It does, however, highlight what is truly needed to build behavioral threat hunting content. That is, effective threat intelligence teams capable of seeing and identifying technical observables like changes in code and tactics, techniques, and procedures. It also requires subject matter experts and engineers that can take those observables and interrogate them to build threat hunting content that looks not at a single behavior, but at an aggregate of behaviors that can continuously detect these adversaries. It also means that relying heavily on glossy vendor reports, static blog articles, and code sharing sites is neither sufficient nor sustainable.
Wrapping it Up
The story of the hunt for Osama Bin Laden is one that can serve as a lesson for security operations as a whole. High tech security platforms are no match for a well-supplied and disciplined adversary. Relying on “hard evidence” like IOCs is no longer realistic. Hunting using individual behaviors results in needless effort and noise and may even drive the adversary deeper. And finally, building true behavioral threat hunting content requires dedicated teams of subject matter experts and analysts capable of gathering and interrogating technical observables and turning that into high fidelity and continuously updated content. It is this reality that inspired Cyborg Security to build our threat hunting content platform, HUNTER, to move the needle forward and show the industry and the broader community what true effective behavioral threat hunting content looks like. We can’t keep hoping to find a birthday card addressed to Osama Bin Laden.