Partner Perspectives //

Carbon Black

6/20/2016
01:30 PM
Ben Johnson
Ben Johnson
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

A Real World Analogy For Patterns of Attack

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could.

In last week’s post, we talked about the important differences between indicators of compromise (IOCs) and patterns of attack (POAs).  To better understand why patterns of attack are exponentially better, consider this physical-world analogy.

Convenience Store Robbery

Investigating Using IOCs: Investigators come to find that during this robbery, the criminal used a crowbar to break the glass on the front door; wore a blue shirt; had short, light-colored hair; and used a hiking backpack to stash the cash from the register.

What exactly have the investigators learned, if anything? 

  • Crowbars are sometimes used in smash-and-grab robberies. 

“Ok, let’s make sure to look out for anyone carrying a crowbar in plain sight.”

  • Sometimes, people wearing blue shirts with short, light-colored hair may commit crimes. 

“Ok, let’s look out for anyone wearing a blue shirt that has light-colored hair.”

  • Hiking backpacks are sometimes a tool used during burglaries.

“Ok, let’s try to monitor hiking backpack sales in this area moving forward.”

That’s not a lot of substance to go on for this investigation. We have an incomplete picture.

Investigating the Same Crime Using POAs: Investigators come to find that for the past two weeks, someone has been parked in the store parking lot at night noting what time the clerk locks up for the night and what time the rent-a-cop security detail passes by the store. The burglar drives to the store at precisely the right time of night to break in. He knows there’s an archaic alarm system on the door so he successfully cuts power to the building prior to entering to deactivate the alarm. Once inside, he approaches the register, opens the register drawer, takes the cash and exits the store.

What patterns has the burglar exhibited here?

  • In order to get to the store, the burglar needs to drive to (or close to) the store’s location.
  • He has to deactivate the alarm.
  • He has to enter the building before getting access to the real goal, the cash register.
  • He has to open the register drawer.
  • He needs to leave the premises with the cash in hand.

Individually, these single indicators of an attack tell an incomplete picture. Driving to, or near, a store doesn’t reveal a whole lot to investigators. Thousands of people do that every single day. What about entering the store? Same idea. Thousands of people. And while deactivating an alarm or opening a register drawer appear to be a lot closer to “burglary-type” activity, there are numerous instances where both are done on a regular basis. These are simply indications that a crime might be committed.

It’s only when this sequence, or pattern, of attack behaviors shows up do we really start to see what is happening from an investigation standpoint.

When someone drives near the store late at night THEN attempts to enter the building THEN attempts to deactivate the alarm THEN opens the register drawer, we almost CERTAINLY have an attempted burglary on our hands.

Also notice how none of the behavior patterns exhibited can be changed. Failure to do any one of the steps will result in a failed mission for the robber. It’s ripe for disruption-in-depth, but we’ll leave that for another day.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re just looking for one item in the sequence of events, that’s when issues like too many tips or -- in the cyberworld -- false positives start becoming a bigger issue than the malicious behavior itself.  After all, if you cannot respond to a tip or an alert, it’s just noise.  

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-17305
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher R...
CVE-2017-17311
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2017-17312
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2018-12115
PUBLISHED: 2018-08-21
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second...
CVE-2018-7166
PUBLISHED: 2018-08-21
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misint...