Partner Perspectives //

Carbon Black

6/27/2016
10:00 AM
Ben Johnson

Shifting The Economic Balance Of Cyberattacks

Our goal should be to simply make the cost of conducting a cyberattack so expensive that cybercriminals view attacking our organization as a bad return on investment.

A harsh reality for those of us working in information security is that the businesses we’ve been asked to protect are battling businesses that are built to attack. That is to say we are rarely, if ever, up against the lone-wolf attacker wearing a hoodie in a basement. We are battling crime syndicates, nation states, and cyberthieves whose main concern is simple: to earn money.

To an attacker, staying “in business” means a few things:

Being opportunistic when selecting targets: Making money means going after the softest targets first without wasting time on attacks that will not quickly result in information that can be monetized. Attackers will almost always select the path of least resistance when it comes to launching attacks.

Optimizing “attack” time: The more time attackers spend without success on a target is less time that they can be hitting softer targets. Attackers will attempt to exploit the “tried and true” vulnerabilities and use successful attack methods from the past -- the TTPs (tactics, techniques, and procedures) in their toolbox -- before inventing new ones.

“Good guy” businesses will continue to act in isolation: Research suggests that the No. 1 factor in deterring an attack is if an organization shares threat intelligence with its peers. That’s because sharing the right kind of threat intelligence means attackers can’t simply use the same attack vector over and over again. They must reinvent their tactics each and every time. That can be VERY expensive.  

The bottom line is that our goal in playing defense is not necessarily to become the hero and dramatically unmask major crime syndicates like a foiled Scooby Doo plot. Our goal is to simply make the cost of conducting a cyberattack more expensive -- so much so that cybercriminals view attacking our organization as a bad return on investment. 

We recently discussed how patterns of attack are exponentially more revealing than individual indicators of compromise and how understanding the root cause of an attack can help a security team close an original infection vector within minutes.

For attackers, finding a unique vulnerability (and effectively exploiting that root cause) can take months of research, costing them more than $1 million. It is no surprise then that attackers will use and reuse the same pattern of attack for months (if not years) on target after target after target until it is successful.

Patterns don’t necessarily have to be complicated, either. For example:

  • Outlook runs Word, which runs PowerShell
  • Notepad has a child process or makes a connection to the internet
  • Svchost is executed by a non-system user account
  • Internet Explorer runs Java, which then runs a command shell

For an attacker, changing an indicator of compromise is as simple as a physical-world criminal changing his shirt or wearing a wig. It’s a simple, economic-friendly task. It’s incredibly easy to spin up a new server, register a new domain, or recompile a payload to change its hash. But it’s very hard (read: expensive) to change how you go about fooling the user with the spear phishing attack; how you download second and third stage payloads; how you persist; and how you traverse the network. This is why patterns of attack are so valuable. The same techniques are used with different servers, different applications for exfiltrating data, etc. The overall “story” stays the same.
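The four patterns listed above, and the point that a recompiled payload or a fresh domain does not change the "story", can be turned directly into detection logic. What follows is an added example, not code from the article or from Carbon Black: a small Python detector that runs the four rules over process telemetry. The JSON event format, its field names (pid, ppid, image, user, net, sha256), the list of system accounts and the sample events are all constructed for this example. Parent/child chains are matched as ordered ancestry (intermediate processes are allowed), which is slightly more general than the bullet wording; that is what lets the second phishing run in the sample, which inserts cmd.exe and drops a payload with a different hash, fire the same rule as the first.

```python
# Added example: pattern-of-attack detection over process telemetry.
# Not code from the article or from Carbon Black; the event format, field
# names, account list and sample events are assumptions made for this example.
import json
from collections import defaultdict

# Accounts that are expected to run svchost.exe (assumption for the example).
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Parent->child chains from the article, as ordered sequences of process
# images that must appear in that order (not necessarily adjacent) in a
# process's ancestry.
CHAIN_PATTERNS = {
    "outlook-word-powershell": ["outlook.exe", "winword.exe", "powershell.exe"],
    "ie-java-shell": ["iexplore.exe", "java.exe", "cmd.exe"],
}

# Constructed sample telemetry: one JSON record per process-start event.
# The second phishing run (pids 300-330) changes the payload hash and adds an
# extra hop; the chain Outlook -> Word -> PowerShell is still there.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "explorer.exe",   "user": "CORP\\alice", "net": false, "sha256": "aaa"}
{"pid": 200, "ppid": 100, "image": "outlook.exe",    "user": "CORP\\alice", "net": true,  "sha256": "bbb"}
{"pid": 210, "ppid": 200, "image": "winword.exe",    "user": "CORP\\alice", "net": false, "sha256": "ccc"}
{"pid": 220, "ppid": 210, "image": "powershell.exe", "user": "CORP\\alice", "net": true,  "sha256": "ddd"}
{"pid": 300, "ppid": 100, "image": "outlook.exe",    "user": "CORP\\alice", "net": true,  "sha256": "bbb"}
{"pid": 310, "ppid": 300, "image": "winword.exe",    "user": "CORP\\alice", "net": false, "sha256": "ccc"}
{"pid": 320, "ppid": 310, "image": "cmd.exe",        "user": "CORP\\alice", "net": false, "sha256": "eee"}
{"pid": 330, "ppid": 320, "image": "powershell.exe", "user": "CORP\\alice", "net": true,  "sha256": "fff"}
{"pid": 400, "ppid": 100, "image": "notepad.exe",    "user": "CORP\\alice", "net": true,  "sha256": "ggg"}
{"pid": 410, "ppid": 400, "image": "cmd.exe",        "user": "CORP\\alice", "net": false, "sha256": "eee"}
{"pid": 500, "ppid": 100, "image": "svchost.exe",    "user": "CORP\\alice", "net": false, "sha256": "hhh"}
{"pid": 600, "ppid": 4,   "image": "svchost.exe",    "user": "NT AUTHORITY\\SYSTEM", "net": true, "sha256": "hhh"}
{"pid": 700, "ppid": 100, "image": "iexplore.exe",   "user": "CORP\\alice", "net": true,  "sha256": "iii"}
{"pid": 710, "ppid": 700, "image": "java.exe",       "user": "CORP\\alice", "net": true,  "sha256": "jjj"}
{"pid": 720, "ppid": 710, "image": "cmd.exe",        "user": "CORP\\alice", "net": false, "sha256": "eee"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(procs, pid):
    """Image names from the root ancestor down to pid (inclusive).

    Stops at a parent that is not in the telemetry and guards against
    pid reuse producing a cycle.
    """
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def contains_in_order(chain, pattern):
    """True if every image in pattern appears in chain, in order (gaps allowed)."""
    it = iter(chain)
    return all(any(img == want for img in it) for want in pattern)


def detect(events):
    """Return (rule_name, pid) alerts for every event that matches a pattern."""
    procs = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    alerts = []
    for e in events:
        image = e["image"].lower()
        chain = ancestry(procs, e["pid"])
        # Chain rules: evaluate at the last link so each chain fires once.
        for name, pattern in CHAIN_PATTERNS.items():
            if image == pattern[-1] and contains_in_order(chain, pattern):
                alerts.append((name, e["pid"]))
        # Notepad should neither spawn children nor talk to the network.
        if image == "notepad.exe" and (children[e["pid"]] or e["net"]):
            alerts.append(("notepad-child-or-network", e["pid"]))
        # svchost.exe started by an ordinary user account.
        if image == "svchost.exe" and e["user"] not in SYSTEM_ACCOUNTS:
            alerts.append(("svchost-non-system-user", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid {pid}")
```

Run as a script it prints five alerts: both PowerShell instances under Outlook/Word (pids 220 and 330, despite different payload hashes and the extra cmd.exe hop), Notepad with a child and a connection (400), svchost.exe under a user account (500), and the IE/Java/cmd chain (720). A hash-only indicator for payload "ddd" would have caught only the first run.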

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ...

Comments
ronbo142
6/30/2016 | 9:01:48 AM
Risk to Reward Ratio
This article has great value in helping cyber security professionals understand how we might better protect and defend our treasures (i.e. the information). One of my thoughts is establishing a ratio that will help management understand the financial impact and the needed investment to increase the protection to a point where the "hackers" decide to look for that softer target. The variables for the hackers are personal risk (will I get caught), punishment (what will I be charged with), outcome of that charge (how much time will I do) and finally capital investment (how much do I need to spend in time and money) to obtain a return.

The ratio PR+P+O+I < R

Making the left side so painful that the right side is undesirable is the strategy outlined in the article.

Thoughts?
