Partner Perspectives //

Carbon Black

6/13/2016
10:32 AM
Ben Johnson
Ben Johnson
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Patterns Of Attack Offer Exponentially More Insight Than Indicators

In the cyberworld, patterns of attack provide investigators with context and the precise sequence of events as a cybercrime unfolds.

When investigating a crime in the physical world, successful detectives are able to put together individual pieces of evidence to unveil a criminal’s pattern of behavior. A single footprint is interesting; it gives you the size of the bad guy’s foot and what type of shoes he wore. The bad guy can change his shoes between crimes, of course, but he probably won’t come up with a new technique for breaking into individual houses. An understanding of a criminal’s behavior – his patterns, if you will -- can give investigators a level of insight that will help them catch that criminal the next time he attempts to do something bad, new shoes or not.

This way of approaching the problem can also tie together multiple incidents that were previously thought unrelated, perhaps because the weapons or descriptions of the individuals performing the crimes weren’t exactly the same.

In the cybersecurity world, we call these behavior patterns “patterns of attack,” and they are revolutionizing the way breach detection and incident response is being conducted around the world.

You’ve no doubt heard the term “indicators of compromise.” IOCs are -- in the way the security community typically thinks about them -- atomic pieces of information or singular attributes. Examples of IOCs are IP addresses, domain names, URLs, file hashes, and similar metadata around tools or actions that occurred during an attack. But context matters -- a lot -- and it’s hard to know context when all you have is an IP address or file hash.

Context Is Critical

Solving cybercrimes (or any crime, really) requires context, and to get context you have to look at relationships. Relationships between IOCs and other events are often patterns of behavior, and that’s why the shift beyond IOCs is occurring.

When your company’s intellectual property and reputation are on the line, the CEO wants to hear something a lot more confident than: “We have an indication of how we might have been attacked.” Instead, she wants to hear: “We have a precise record of what this attacker tried to do. We know exactly what they actually did. We’ve closed the gap. They cannot attack us this same way again.”

Patterns of attack provide investigators with the precise sequence of events as a cybercrime unfolds. There is clear cause-and-effect insight into where an attacker gained access, what he tried to do, how he attempted exfiltration, and ultimately what the exact root cause of the attack was. If an investigator does not understand the root cause of the attack, he’s provided no additional insight into how an organization can be better protected in the future.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re just looking for one item in the sequence of events, that’s when issues such as too many tips -- or in the cyberworld, false positives -- start becoming a bigger issue than the malicious behavior itself. After all, if you cannot respond to a tip or an alert, it’s just noise. 

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Abandun
50%
50%
Abandun,
User Rank: Apprentice
6/14/2016 | 10:41:34 AM
Are we attempting to change terms now?
I liked this article better the first time when "patterns of attack" were called TTPs. thanks for the new information?>
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-2765
PUBLISHED: 2018-08-20
pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.
CVE-2018-15594
PUBLISHED: 2018-08-20
arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.
CVE-2018-15572
PUBLISHED: 2018-08-20
The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.
CVE-2018-15573
PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf...
CVE-2018-15574
PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability."