The takedown of the Hive ransomware-as-a-service group has been in the news over the past week, and it’s good news indeed. Beyond the obvious benefit of disrupting this criminal enterprise, there are several distinct takeaways that are worth noting.
- Cross-jurisdictional cooperation and coordination can be done, and done effectively. Any of us who have served on committees know the observation that accompanies Parkinson’s Law: the bigger the group, the longer it takes to accomplish the same goal, even without a change in scope. The fact that this global law enforcement effort was a success is all the more impressive when no fewer than thirteen different jurisdictions, with different cultures, different languages and different legal systems, came together so effectively to protect not just American businesses, but businesses large and small around the world. It’s great to see what can be accomplished when the common language is the pursuit of justice and public safety.
- When to pull the plug on an adversary. A SOC team working an attack in progress may reach a decision point where the adversary has been located inside the environment but has not yet completed its mission. XDR technologies, especially those built on network visibility, can show you not only where an adversary has been, but where they are right now. Why not quash the adversary at that point? Because tracking their movements across the network can reveal a different target than the one you originally assumed, and lying low to watch them can bring unexpected payoffs. That is a judgment call, of course: every hour you watch is an hour in which the adversary may reach its objective, so the decision belongs with incident leadership and should come with clear tripwires for when to evict. Sometimes the payoffs are literal, as they were here, where the embedded good guys found decryption keys and delivered them to would-be victims around the world, apparently without the adversary’s knowledge.
- Criminals have their own business models and ecosystems. Special kudos to the DOJ for their language in stating that this international effort ‘busted [Hive’s] business model.’ This is absolutely the right characterization to take to the public. Cybercriminals are running a business, following a business model, just like the victims they seek to exploit. The sooner we all realize that these criminal entities are businesses, the sooner we’ll be able to combat them more effectively. Supply chains matter to all businesses, and in this case it was the identification of the adversary’s supporting business functions and infrastructure which ultimately made this takedown possible.
- Total eradication of a threat actor’s infrastructure isn’t necessary to make a material impact. Every business process has at least one bottleneck: a step that the other steps feed into or out of, and whose capacity limits the whole flow. Even when that step isn’t slowing anything down, it still introduces risk as a single point of failure. Smart process owners try to design around this risk, but circumstances (and budget!) frequently dictate accepting it. The good guys located that Achilles’ heel – almost certainly one of many, by the way – and took effective action against the targeted servers. Given how concentrated the ransomware-as-a-service ecosystem is today, there’s extra bang for the buck in knocking down one critical piece of the puzzle, since it may affect more than one adversary group relying on that common infrastructure.
- These battles are not futile. The pessimists will see this merely as the latest chapter in an ongoing game of whack-a-mole, or characterize it as simply a speed bump for the bad guys. And yes, it’s virtually assured that individuals from the Hive collective will show up again in the future. But the optimists realize that the game we are all playing here is actually chess. It’s a long-term game, and each side is playing with pieces whose capabilities may not be fully known, or even defined, today. There is considerable benefit in the good guys demonstrating their capabilities, which serve as a deterrent. Don’t overlook that there was an offensive component to how the good guys responded here – covert access to the adversary’s own infrastructure for months before the seizure. That is very unusual in publicized takedowns of this kind, and a signal of a new front the bad guys must now reckon with.
Let’s be sure to look at this takedown while wearing our “glass-half-full” shades. Good guys consistently and publicly demonstrating that we can see, plan, coordinate and act jointly against threat actors is how we will all ultimately prevail.