My Thoughts on the Utility of Offensive Cyber
Offensive Cyber, utility of.
This is a fundamental misunderstanding of how offensive cyber works.
NEW by @CarlyPage_: The feds took down LockBit, now LockBit is back.
The UK's NCA says: “Their systems have now been destroyed by the NCA, and it is our assessment that LockBit remains completely compromised.”
So now what? https://t.co/vclYcHVWDh
— Lorenzo Franceschi-Bicchierai (@lorenzofb) February 26, 2024
Offensive cyber is powerful against systems that are vulnerable to cyber. Tautological, true, but let’s dissect that.
The systems I’m talking about are any group of interacting, interdependent elements that form a complex whole. The LockBit system is not their computer infrastructure, it is the business organisation — their people, processes, technology and culture.
The business entity that is LockBit is not vulnerable to attacks on their technological infrastructure.
The LockBit system is not vulnerable to offensive cyber against their technology. They’re resilient against that attack vector because they are very well funded and can afford to reconstruct everything from scratch.
An example: small online store
A small online store is vulnerable to prolonged DDoS because the store is a critical component of the system Online Store. Other components include the finances, owners, operators, hosting providers, and so on. The revenue from the store and the costs of hosting are pinch points of the system. They’re vulnerable to cyber. The store can be seriously disrupted or even destroyed by cyber.
A counter example: Ransomware Group
The ransomware group is a system for turning unpatched edge devices into Bitcoins; it’s a business. A very well funded business.
The technology of LockBit (their malware, infrastructure, etc.) is exposed to offensive cyber, but those are not vulnerable parts of the LockBit system. A ransomware group is an informal organisation that relies on people and personal social connections.
And so, offensive cyber actions against LockBit technology cannot be effective against LockBit. The ability to recover, reconstitute, and restore their technology — even from absolute zero — makes LockBit resilient to offensive cyber attacks via that vector.
Systems Vulnerabilities
LockBit is vulnerable to offensive cyber actions. The trick, as always, is knowing what parts of the system are vulnerabilities and how to reach them via cyber. The LockBit system, like all organisations, is built on people, processes, technology and culture. To achieve results attacking that system, I believe, requires targeting vulnerabilities in their social infrastructure.
The social infrastructure that LockBit is built upon is vulnerable to cyber because there are ways to exploit people with cyber means. But the technology infrastructure is not a load bearing element of the LockBit system.
Parting thoughts
Offensive cyber can be effective only when the system that is targeted is vulnerable to cyber.
The system that matters here is the people, processes, technology and culture that make up the LockBit system.