Partner Perspectives

Carbon Black

6/20/2016
01:30 PM
Ben Johnson

A Real World Analogy For Patterns of Attack

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could.

In last week’s post, we talked about the important differences between indicators of compromise (IOCs) and patterns of attack (POAs). To better understand why patterns of attack are exponentially better, consider this physical-world analogy.

Convenience Store Robbery

Investigating Using IOCs: Investigators come to find that during this robbery, the criminal used a crowbar to break the glass on the front door; wore a blue shirt; had short, light-colored hair; and used a hiking backpack to stash the cash from the register.

What exactly have the investigators learned, if anything? 

  • Crowbars are sometimes used in smash-and-grab robberies. 

“Ok, let’s make sure to look out for anyone carrying a crowbar in plain sight.”

  • Sometimes, people wearing blue shirts with short, light-colored hair may commit crimes. 

“Ok, let’s look out for anyone wearing a blue shirt who has light-colored hair.”

  • Hiking backpacks are sometimes a tool used during burglaries.

“Ok, let’s try to monitor hiking backpack sales in this area moving forward.”

That’s not a lot of substance to go on for this investigation. We have an incomplete picture.

Investigating the Same Crime Using POAs: Investigators come to find that for the past two weeks, someone has been parked in the store parking lot at night, noting what time the clerk locks up for the night and what time the rent-a-cop security detail passes by the store. The burglar drives to the store at precisely the right time of night to break in. He knows there’s an archaic alarm system on the door, so he cuts power to the building before entering in order to deactivate the alarm. Once inside, he approaches the register, opens the register drawer, takes the cash and exits the store.

What patterns has the burglar exhibited here?

  • In order to get to the store, the burglar needs to drive to (or close to) the store’s location.
  • He has to deactivate the alarm.
  • He has to enter the building before getting access to the real goal, the cash register.
  • He has to open the register drawer.
  • He needs to leave the premises with the cash in hand.

Individually, these single indicators of an attack paint an incomplete picture. Driving to, or near, a store doesn’t reveal a whole lot to investigators. Thousands of people do that every single day. What about entering the store? Same idea. Thousands of people. And while deactivating an alarm or opening a register drawer appear to be a lot closer to “burglary-type” activity, there are numerous instances where both are done on a regular basis. These are simply indications that a crime might be committed.

It’s only when this sequence, or pattern, of attack behaviors shows up that we really start to see what is happening from an investigation standpoint.

When someone drives near the store late at night THEN attempts to enter the building THEN attempts to deactivate the alarm THEN opens the register drawer, we almost CERTAINLY have an attempted burglary on our hands.
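To make the contrast concrete, here is an added example (not from the original post or from any Carbon Black product) that scores a constructed event stream two ways: single-indicator matching, and ordered-pattern matching within a time window. The actors, action names and timeline are assumptions made up for the illustration; the chain itself is the one the paragraph above describes.

```python
from collections import defaultdict

def t(day, hour, minute=0):
    """Minutes since midnight of day 0 on the constructed sample timeline."""
    return day * 1440 + hour * 60 + minute

# Constructed telemetry for the store analogy: (minute, actor, action). Not real data.
EVENTS = [
    (t(0, 23, 10), "burglar", "drive_near"),        # scouting only, night 0
    (t(2, 8, 0), "clerk", "drive_near"),            # clerk opens up as usual
    (t(2, 8, 5), "clerk", "enter_building"),
    (t(2, 8, 6), "clerk", "deactivate_alarm"),
    (t(2, 9, 0), "clerk", "open_register"),
    (t(2, 14, 0), "alarm_tech", "enter_building"),  # scheduled maintenance
    (t(2, 14, 2), "alarm_tech", "deactivate_alarm"),
    (t(3, 2, 0), "burglar", "drive_near"),          # the burglary itself
    (t(3, 2, 4), "burglar", "enter_building"),
    (t(3, 2, 6), "burglar", "deactivate_alarm"),
    (t(3, 2, 9), "burglar", "open_register"),
]

def at_night(minute):
    return not 5 <= (minute // 60) % 24 < 22

# The chain from the post: drive near late at night THEN enter THEN deactivate THEN open register.
PATTERN = [
    lambda m, a: a == "drive_near" and at_night(m),
    lambda m, a: a == "enter_building",
    lambda m, a: a == "deactivate_alarm",
    lambda m, a: a == "open_register",
]
WINDOW = 60  # every later step must follow the first within one hour

def indicator_hits(events, action):
    """IOC-style matching: every actor who ever performed this one action."""
    return sorted({actor for _, actor, act in events if act == action})

def pattern_hits(events, pattern=PATTERN, window=WINDOW):
    """POA-style matching: actors whose own events satisfy every step, in order, within window."""
    by_actor = defaultdict(list)
    for minute, actor, action in sorted(events):
        by_actor[actor].append((minute, action))
    return sorted(a for a, evs in by_actor.items() if _in_order(evs, pattern, window))

def _in_order(evs, pattern, window):
    step, start = 0, None
    for minute, action in evs:
        if start is not None and minute - start > window:
            step, start = 0, None  # partial chain went stale; start over
        if pattern[step](minute, action):
            if step == 0:
                start = minute
            step += 1
            if step == len(pattern):
                return True
    return False
```

The single indicator "deactivate_alarm" flags the clerk and the alarm technician alongside the burglar, while the ordered pattern with its late-night context flags only the burglar; shrinking the window to a few minutes shows that timing is part of the pattern too.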

Also notice that none of the steps in this pattern can be skipped: failure to do any one of them will result in a failed mission for the robber. It’s ripe for disruption-in-depth, but we’ll leave that for another day.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re just looking for one item in the sequence of events, that’s when issues like too many tips (or, in the cyber world, false positives) start becoming a bigger issue than the malicious behavior itself. After all, if you cannot respond to a tip or an alert, it’s just noise.

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ...