Analytics // Threat Intelligence
1/13/2014
09:42 AM
Connect Directly
RSS
E-Mail
50%
50%

Knowing Your Cyber Enemy: New Services Open Up Possibilities, But Experts Differ On Techniques, Value

As commercial capabilities for identifying online attackers improve, experts, service providers debate methods, costs

How much would you pay to know who your organization's online attackers are? And what would you want to know about them?

These two questions are at the heart of a burgeoning market for sophisticated threat intelligence services that promise to improve enterprise cyberdefenses by identifying attackers -- and helping customers to develop a tailored defense against them. Such services, sometimes called "attribution services" or "active defense," promise to change the face of IT security by re-focusing defensive strategies on protecting data against human adversaries, rather than just the malware they create.

"Today's defense-in-depth strategies are not working well, because to build a defense against malware, you have to be right 100% of the time, but the attacker only has to be right once," says Dmitri Alperovitch, CTO of CrowdStrike, the company that coined the term active defense and a leading voice behind "offensive security," which advocates hunting for attackers as well as passively building walls against them. "But if you focus on attribution -- on defending against the adversary -- then the reverse is true: The attacker has to be good all of the time, and you only have to find one instance where they make a mistake and give themselves away."

The idea of identifying the organization's attackers and building a tailored defense against them is enticing -- perhaps game-changing -- in a market full of arms-race-weary IT organizations, which for decades have been buying new technologies and developing new defense strategies -- only to watch the bad guys develop newer, better exploits that often elude currently-available technology designed to stop known attacks.

"There's a saying in security that if you're trying to stop everything, you're probably stopping nothing," says Ned Moran, a senior malware researcher at next-generation security tool vendor FireEye. "But if you know the source of your attacks, you understand better what they are trying to acquire, and that may change your defense. You can pinpoint your defensive measures in a way that creates lower costs and a better payoff."

But Moran and other experts point out that there are a variety of methods of attribution -- and some of them may be prohibitively expensive and resource-intensive for some enterprises.

"You can pursue the direction of identifying the actual people who are writing the code -- their names and where they are sitting, and who's launching the attacks that they write," Moran says. "Or you can focus on a defense around 'indicators of compromise,' which means you're not so worried about the attacker's personal identity, but you want to identify their tools and techniques and develop a 'fingerprint' that will help you create a defense against them. Identifying the attacker personally is possible, but the cost is very high -- in general, focusing on indicators of compromise gives you better bang for the buck."

While analyzing a malware developer's "fingerprint" can be accomplished through deep data analysis, connecting the malware to a specific attacker requires data and threat intelligence that goes well beyond most enterprises' internal resources, experts say. Gaining that level of knowledge may require full-time, skilled staffing and/or outside services that may cost tens of thousands of dollars, or even more.

Stuart McClure, CEO, president and co-founder of advanced threat detection vendor Cylance, questions the value of identifying the attacker, particularly at the seat level. "As humans, we all want to know why we're being attacked -- why do they hate me? But on a security level, there isn't much value in identifying the butt in that seat, because there isn't much you can do about it unless you're going to try to disrupt them personally -- which is difficult, and sometimes illegal. And at a business level, that sort of attribution requires a ton of resources, and there's not much payoff."

The debate over attribution's value is fundamental to the broader debate over the growth of digital forensics and threat intelligence services and technologies, which have become the darling of the IT security industry. Over the past two years, the proliferation of sophisticated attacks has created a cottage industry for technology and skilled enterprise staffers capable of analyzing the earmarks and components of an advanced cybercampaign -- and stop it before it can infiltrate enterprise defenses. But such technology and skills come at a high cost, leaving some enterprises wondering how deeply to invest in them.

CrowdStrike, which monitors and tracks the techniques and behaviors of some 50 groups of threat actors worldwide, believes that its threat intelligence -- combined with big data analysis that enables enterprises to determine if they are under attack by a specific adversary -- is driving a sea change in digital defense. Knowledge of the attacker can not only pave the way for a more efficient defensive strategy, Alperovitch argues, but it also opens up the possibility of disrupting or frustrating a specific attacker, a capability that CrowdStrike offers.

"In the end, the adversary is human, and their objectives tend to be very specific," Alperovitch says. "If you understand who they are and what they want, you have a much better chance of stopping them."

While few vendors so far offer the ability to identify -- much less disrupt -- a specific attacker, experts say that enterprises' increased focus on detection and analysis of threats and attacks is having a calculable effect on enterprise defenses.

"In our 2012 trends report, we found that only about 6% of our clients had discovered their security breaches using their own means of detection -- most of them found out about their breaches through law enforcement or a third party," says Charles Carmakal, director of the services department at Mandiant, one of the security industry's best known digital forensics and incident response service providers, which is often called in by clients to investigate the cause of a major breach. "But in our 2013 report, we found that 37% of organizations had detected their own compromises. What that says is that organizations are getting better at doing their own detection and analysis."

But McClure argues that enterprises' improved success centers around better detection of attackers' methods, not their identities. Cylance, for example, has built technology that features mathematical algorithms which help users quarantine potentially malicious code based on its characteristics and behavior.

"There is a lot of new malware out there, but there really aren't many new methods -- attackers basically are using the same techniques that they've used for years," McClure says. "Historically, enterprises have bought products and trusted the vendors to tell them what's bad. Now, enterprises are being told to do their own analysis and forensics, and trust themselves to determine what's bad. What we're saying is trust the math to isolate potential problems and do your own analysis from there."

While the value of discovering the attacker's identity remains a matter of some debate, most experts agree that understanding an adversary's motivation may be helpful in developing an effective defense.

"Most of our customers are not too worried about identifying the specific attacker, because most of them are not interested in attacking back," says Dean De Beer, co-founder and CTO at ThreatGRID, which does deep malware analysis to detect and remediate malicious code. "What they want to know are the motivations of the attacker -- what were they after? That's the type of data they can use to escalate or de-escalate a potential threat, and to assign criticality to it."

Mandiant's Carmakal agrees. "The one thing about the more sophisticated attackers is that they are very determined," he says. "Even if you succeed in kicking them out the first time, they often come back, so it's good to know a little bit about them and what indicators there might be that you are dealing with the same threat actors."

Analyzing an attacker's "indicators of compromise" may enable enterprises to recognize a persistent threat actor -- not by name, but by the tools, techniques, and procedures they use, notes FireEye's Moran. "The code and techniques used by some [malware] developers are often re-used by other attackers, so if you understand the developer, you can sometimes knock out a whole swath of attacks that come downstream."

CrowdStrike takes this idea a step further by identifying and naming groups of malware developers and tracking their habits and targets on an ongoing basis. "We've identified about 30 different groups in China alone," Alperovitch says. "There's one group, which we call Anchor Panda, which primarily targets maritime transportation. There are others which focus on the oil and gas industry, or on financial systems, or on government. What we're doing is focusing on understanding what those groups are doing, so that we're not dealing with a piece of malware, but with a real adversary."

Most of today's malware -- such as worms and viruses -- is still automated, attacking computers randomly according to their configurations and vulnerabilities, experts agree. But while such broad-based attacks can typically be handled by off-the-shelf tools, a sophisticated, targeted attack may require more knowledge about who's attacking, or at least what their motivations and methods are.

"What we see is that the enterprise may not be so interested in identifying their specific attacker, but there's a lot more demand for context -- they want to know not only the domain that the attacker is coming from, but what are the characteristics of that domain," says ThreatGRID's De Beer. Just learning the source IP address is not enough anymore -- they want to know more about the specifics."

Alperovitch agrees. "There are two types of organizations: those that know they've been attacked, and those that don't," he says. "Giving them an IP address is not attribution. They need to know who the threat actors are, and what's the likelihood that they will attack again."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-0965
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

CVE-2014-3022
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.