A harsh reality for the information security sector is that the businesses we are asked to protect are battling businesses that are built to attack.
We are rarely, if ever, up against the lone-wolf attacker wearing a hoodie. We are battling crime syndicates, nation-states and cyber thieves whose main concern is simple: earn money. According to a 2016 Ponemon Survey, more than half of attackers are motivated exclusively by economics.
To an attacker, staying in business means:
- Being opportunistic in selecting targets. Making money means going after the softest targets first, without wasting time on attacks that will not quickly yield information that can be monetised. Attackers almost always take the path of least resistance. During the reconnaissance phase of the cyber kill chain, the attacker asks a simple question: “How difficult is it going to be for me to monetise this victim?”
- Optimising attack time. The more time an attacker spends without success on one target, the less time he/she can spend hitting softer targets. According to the Ponemon survey, even a technically proficient attacker will abandon an attack and move to another target after about a week without success. An attacker will first try the tried-and-true vulnerabilities and the attack methods that have worked in the past - the tactics, techniques and procedures (TTPs) in their toolbox - before inventing new ones.
Too often, businesses around the world act in isolation. Yet according to the Ponemon survey, the number-one factor in deterring an attack is threat intelligence shared between an organisation and its peers. Sharing the right kind of threat intelligence means that an attacker cannot simply use the same attack vector over and over again. He/she must reinvent tactics every time, which can be extremely expensive.
The bottom line is that our goal in playing defence is not necessarily to become the hero and dramatically unmask major crime syndicates. Our objective is to make the cost of conducting a cyber attack more expensive – so much so that a cyber criminal views attacking an organisation as a bad return on investment.
Shifting the Economic Balance
Patterns of attack (POA) are far more revealing than individual indicators of compromise (IOC), and understanding the root cause of an attack lets a security team close the original infection vector within minutes. Indicators offer hope; patterns deliver confidence.
For attackers, finding a unique vulnerability and effectively exploiting that root cause can take months of research costing more than $1 million. It is no surprise that attackers will use and reuse the same pattern of attack for months, if not years, on target after target until they are successful. According to the Verizon DBIR, the most exploited vulnerabilities are more than a year old.
Patterns of attack are usually not complicated. They are chains of cause and effect on the endpoint, for example:
- Outlook runs Word, which runs PowerShell
- Notepad has a child process or makes a connection to the internet
- Svchost is executed by a non-system user account
- Internet Explorer runs Java, which then runs a command shell
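To show how rules like the four above differ from hash matching, here is an added example (it is not code from the original article or from Carbon Black) that evaluates them over process-creation telemetry. The event schema (pid, parent pid, image name, user, hash, outbound-connection flag) and every sample event are constructed for the example; the hash strings are placeholders, not real file hashes.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (hypothetical schema, not a vendor format)."""
    pid: int
    ppid: int
    image: str              # executable name, lower-case
    user: str               # account the process runs as
    sha256: str             # placeholder hash string (constructed, not real)
    net_conn: bool = False  # True if the process made an outbound connection


# Accounts under which svchost.exe is expected to run; anything else is suspicious.
SYSTEM_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}

# Constructed sample telemetry: two phishing chains whose dropped payload was
# recompiled between runs, a Notepad that spawns a shell and talks to the
# network, a normal svchost and a copy of svchost run by an ordinary user.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "CORP\\alice",          "hash-explorer"),
    ProcEvent(200, 100, "outlook.exe",    "CORP\\alice",          "hash-outlook"),
    ProcEvent(210, 200, "winword.exe",    "CORP\\alice",          "hash-word"),
    ProcEvent(220, 210, "powershell.exe", "CORP\\alice",          "hash-powershell"),
    ProcEvent(230, 220, "update.exe",     "CORP\\alice",          "hash-payload-v1"),
    ProcEvent(300, 100, "notepad.exe",    "CORP\\alice",          "hash-notepad", net_conn=True),
    ProcEvent(310, 300, "cmd.exe",        "CORP\\alice",          "hash-cmd"),
    ProcEvent(400, 1,   "svchost.exe",    "NT AUTHORITY\\SYSTEM", "hash-svchost"),
    ProcEvent(410, 100, "svchost.exe",    "CORP\\alice",          "hash-svchost-copy"),
    ProcEvent(500, 100, "iexplore.exe",   "CORP\\alice",          "hash-ie"),
    ProcEvent(510, 500, "java.exe",       "CORP\\alice",          "hash-java"),
    ProcEvent(520, 510, "cmd.exe",        "CORP\\alice",          "hash-cmd"),
    # Same phishing pattern again; only the payload hash has changed.
    ProcEvent(600, 100, "outlook.exe",    "CORP\\alice",          "hash-outlook"),
    ProcEvent(610, 600, "winword.exe",    "CORP\\alice",          "hash-word"),
    ProcEvent(620, 610, "powershell.exe", "CORP\\alice",          "hash-powershell"),
    ProcEvent(630, 620, "update.exe",     "CORP\\alice",          "hash-payload-v2"),
]


def parent_chain(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 8) -> List[str]:
    """Image names from the process itself up through its ancestors (child first)."""
    chain: List[str] = []
    ev = by_pid.get(pid)
    while ev is not None and len(chain) < max_depth:
        chain.append(ev.image)
        ev = by_pid.get(ev.ppid)
    return chain


def has_lineage(by_pid: Dict[int, ProcEvent], ev: ProcEvent, lineage: Sequence[str]) -> bool:
    """True if ev and its nearest ancestors match `lineage` (given ancestor-first)."""
    want = list(reversed(lineage))
    return parent_chain(by_pid, ev.pid, len(want)) == want


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run the four behavioural rules over a batch of events; returns (rule, pid) hits."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if has_lineage(by_pid, ev, ("outlook.exe", "winword.exe", "powershell.exe")):
            hits.append(("outlook_word_powershell", ev.pid))
        if parent is not None and parent.image == "notepad.exe":
            hits.append(("notepad_child_process", ev.pid))
        if ev.image == "notepad.exe" and ev.net_conn:
            hits.append(("notepad_network", ev.pid))
        if ev.image == "svchost.exe" and ev.user.lower() not in SYSTEM_ACCOUNTS:
            hits.append(("svchost_non_system_user", ev.pid))
        if has_lineage(by_pid, ev, ("iexplore.exe", "java.exe", "cmd.exe")):
            hits.append(("ie_java_cmd", ev.pid))
    return hits


def ioc_hits(events: List[ProcEvent], bad_hashes: Set[str]) -> List[int]:
    """Hash-based IOC matching, for contrast: only exact known hashes fire."""
    return [e.pid for e in events if e.sha256 in bad_hashes]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:<26} pid={pid}")
    print("IOC hits for hash-payload-v1:", ioc_hits(SAMPLE_EVENTS, {"hash-payload-v1"}))
```

Run against the sample, the behavioural rules fire on both phishing chains (pids 220 and 620) even though the dropped payload's hash changed between them, while a hash IOC for the first payload catches only pid 230. The rules key on process lineage, the account a service runs as, and whether a text editor has children or network activity; none of those is altered by recompiling a payload or registering a new domain.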
For an attacker, changing an indicator of compromise is as easy as a physical-world criminal changing a shirt, or wearing a wig. It is a very simple, economically friendly task. While investigators are looking for a man with the blue shirt and short blonde hair, that same criminal is committing exactly the same crime wearing a red shirt and a shoulder-length black wig.
This is why cyber defence has often been referred to as a game of cat-and-mouse, or an arms race. 'Shirts' (IOCs) can be changed easily because they are cheap and simple. Too often we are trying to detect an outdated shirt.
But what if we didn't care so much about shirt colour or hair length, and instead focused on the way that same criminal walked, or on something truly inherent to their natural behaviour while attempting an attack? Those patterns are far more expensive to change.
In the cyber world, it's incredibly easy to spin up a new server, register a new domain or re-compile a payload to change its hash. But it's very difficult (and expensive) to change your method of fooling the user with the spear-phishing attack, how you download second- and third-stage payloads, how you persist, and how you traverse the network.
This is why patterns of attack are so valuable. The same techniques are used with different servers, different applications for exfiltrating data, etc. The overall 'story' stays the same.
As we consider the way patterns play into collective defence, and uniting the cyber-security community, think how difficult it would be for attackers to change tactics or techniques if we shared their inherent behaviours with every store or bank in the world.
That network effect would make it far more difficult (and expensive) for the attacker, who would be caught almost immediately unless every shared behaviour were changed. There are only so many entry vectors into an environment, and then only so many ways to traverse the environment to the crown jewels. The more we look for these, the better off we are.
Traditional security companies and their products tend to look at singular events only. They consider IOCs in isolation, with no link to the cause-and-effect relationships among the events and complete blindness to how an attacker moves through the environment. The security industry has too often accepted IOCs as the default currency for threat discovery.
By identifying an attacker's pattern of attack, Carbon Black offers a significantly improved detection rate and, more importantly, the root cause of the attack. This level of insight stops an attacker from using the same entry mechanism twice. When we share that pattern with our entire community, everyone becomes stronger and better protected.