Skip to content

Collective Defense: How to achieve cyber-attack herd immunity

Collective Defense: How to achieve cyber-attack herd immunity


By Major General (Ret.) Brett Williams, Co-Founder and Cyber Strategist, IronNet Cybersecurity

Supply chain exploits with 1,000+ developers. Exploits of on-premise email servers involving four zero-days. The supply chain is an area that is often overlooked.  In the face of such aggressive adversaries, a renewed vigilance for securing the supply chain is critical to defending our networks.  

We have been concerned about advanced persistent threats (APTs) for many years , but recent activity has made this concern proximate and very real — a clear and present danger — to many more organizations and sectors, as well as to a much broader set of companies than in the past.

In a recent investigation into the abuse of vulnerable legitimate software, Bitdefender Labs uncovered an attack campaign conducted by the threat group NAIKON that ran from at least June 2019 to March 2021. NAIKON has been active for more than a decade and is known to pursue high-profile targets, such as government agencies and military organisations, specifically in the Asia Pacific (APAC) region.

In its most recent campaign, NAIKON abused legitimate software to side-load malicious payloads, namely the first-stage backdoor RainyDay and the second-stage malware Nebulae. NAIKON deployed the RainyDay backdoor (also known as FoundCore) to perform reconnaissance, upload reverse proxy tools, perform lateral movement, execute password dump tools, and establish persistence.

Staying ahead with a robust defence system

Detections are the table-stakes of cyber defence. After all, how can even the most astute analysts and vigilant hunters defend a network if threat activity is undetectable? Across all sectors, we’ve had a wake-up call that focusing on known indicators of compromise (IoCs) no longer is enough. Signature-based detection is inherently reactive, and, worse, is readily circumvented.

Behavioural detection, which can spot unknown anomalies on networks, gets us much closer to closing gaps in detection. It is true that network detection and response tools traditionally can alert on too many false positives when tuned to be sensitive to unknowns.  To avoid this and stay ahead of the next unknowns, we must increase the signal-to-noise ratio in our processing of detections spotted by behavioural analytics.

 Making use of alert correlation within a single enterprise is a principled method to reduce false positives while maintaining high recall. Truly novel attack vectors, however, require additional measures to create a fuller picture of the threat landscape at any given time. Enter: Collective Defense

Collective Defense is the key in a world of rapidly escalating unknowns  

Collective Defense means that enterprises that may be related targets of the same attacker, such as electrical companies or banks, agree to share anonymized data about the threats they are seeing, on an ongoing basis, on their networks. This flips the script on the attacker — a brilliant one-ups-man move against the adversaries given how hard it is for them to change their TTPs. Collective Defense uplevels the defensive capabilities of any one player; there is strength in numbers when analysts across sectors can share threat intelligence in real time.

Within a Collective Defense platform, IoCs that may get lost in the noise at an individual company can take on greater prominence and, hence, relevance and priority. One DNS Tunnel to an MSFT domain, for instance, when combined with multiple companies, now becomes a cluster of beacons if others are seeing the same anomaly, around the same time. If the companies have the opportunity to collaborate with this data, there becomes strength in numbers.

Of course, few companies like to share evidence of an attack or even lower-level eventing data on an ongoing basis. But this data can be anonymised relative to enterprise entities. In fact, data threats on networks can be detected without needing any corporate or personally identifiable information (PII); instead, we can focus on the attributes of the event, such as packet size and beacon timing, as well as external entities and the potential attacker infrastructure. 

This is Collective Defense, and this approach is the future of widespread cyber defence in a world of rapidly escalating unknowns. All of us working together to help each other identify attacker behaviour, and at the same time, better protect our own networks. To me, that’s how you build herd immunity against the adversaries who are running rampant in an attempt to unravel our global digital economy by stealing intellectual property or spying on both private enterprises and public entities.


About the author:

Major General (Retired) Brett T. Williams is a co-founder of IronNet Cybersecurity. IronNet delivers the power of collective cybersecurity to defend companies, sectors and Nations. He served nearly 33 years in the U.S. Air Force and his last assignment was Director of Operations, U.S. Cyber Command. In that position, he was responsible for the operations and defense of Department of Defense networks as well as the planning and execution of offensive actions in support of national security objectives. General Williams is a highly experienced fighter pilot with more than 100 combat missions in the F-15C. In addition, he held several large operational commands to include Commander of the Air Force’s largest combat wing located in Okinawa Japan.