Partner Perspectives // Carbon Black

6/27/2016 10:00 AM
Ben Johnson

Shifting The Economic Balance Of Cyberattacks

Our goal should be to simply make the cost of conducting a cyberattack so expensive that cybercriminals view attacking our organization as a bad return on investment.

A harsh reality for those of us working in information security is that the businesses we’ve been asked to protect are battling businesses that are built to attack. That is to say we are rarely, if ever, up against the lone-wolf attacker wearing a hoodie in a basement. We are battling crime syndicates, nation states, and cyberthieves whose main concern is simple: to earn money.

To an attacker, staying “in business” means a few things:

Being opportunistic when selecting targets: Making money means going after the softest targets first without wasting time on attacks that will not quickly result in information that can be monetized. Attackers will almost always select the path of least resistance when it comes to launching attacks.

Optimizing “attack” time: The more time attackers spend without success on a target, the less time they have to hit softer targets. Attackers will attempt to exploit the “tried and true” vulnerabilities and use successful attack methods from the past -- the TTPs (tactics, techniques, and procedures) in their toolbox -- before inventing new ones.

“Good guy” businesses will continue to act in isolation: Research suggests that the No. 1 factor in deterring an attack is whether an organization shares threat intelligence with its peers. That’s because sharing the right kind of threat intelligence means attackers can’t simply use the same attack vector over and over again. They must reinvent their tactics each and every time. That can be VERY expensive.

The bottom line is that our goal in playing defense is not necessarily to become the hero and dramatically unmask major crime syndicates like a foiled Scooby Doo plot. Our goal is to simply make the cost of conducting a cyberattack more expensive -- so much so that cybercriminals view attacking our organization as a bad return on investment. 

We recently discussed how patterns of attack are exponentially more revealing than individual indicators of compromise and how understanding the root cause of an attack can help a security team close an original infection vector within minutes.

For attackers, finding a unique vulnerability (and effectively exploiting that root cause) can take months of research, costing them more than $1 million. It is no surprise then that attackers will use and reuse the same pattern of attack for months (if not years) on target after target after target until it is successful.

Patterns don’t necessarily have to be complicated, either. For example:

  • Outlook runs Word, which runs PowerShell
  • Notepad has a child process or makes a connection to the internet
  • Svchost is executed by a non-system user account
  • Internet Explorer runs Java, which then runs a command shell

For an attacker, changing an indicator of compromise is as simple as a physical-world criminal changing his shirt or wearing a wig. It’s a simple, economical task. It’s incredibly easy to spin up a new server, register a new domain, or recompile a payload to change its hash. But it’s very hard (read: expensive) to change how you go about fooling the user with the spear phishing attack; how you download second- and third-stage payloads; how you persist; and how you traverse the network. This is why patterns of attack are so valuable. The same techniques are used with different servers, different applications for exfiltrating data, etc. The overall “story” stays the same.
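To make the contrast concrete, here is an added example (not code from the article or from Carbon Black) that matches the four process-chain patterns listed above against constructed endpoint telemetry; the Event fields, account names and sample records are assumptions for illustration, and no hash, domain or server address is consulted at all.

```python
# Added example, not from the article: matching the "patterns of attack" listed
# above against constructed process telemetry. Event fields are assumptions.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image user net")  # net: made a connection

# Constructed sample telemetry: benign processes plus one instance of each pattern.
EVENTS = [
    Event(100, 1, "outlook.exe", "alice", False),
    Event(101, 100, "winword.exe", "alice", False),
    Event(102, 101, "powershell.exe", "alice", True),
    Event(200, 1, "notepad.exe", "bob", True),
    Event(301, 1, "svchost.exe", "carol", False),
    Event(400, 1, "iexplore.exe", "dave", False),
    Event(401, 400, "java.exe", "dave", False),
    Event(402, 401, "cmd.exe", "dave", False),
    Event(500, 1, "svchost.exe", "SYSTEM", False),
]

SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Parent-to-child chains; the indicator (hash, domain) is irrelevant to the match.
CHAIN_PATTERNS = {
    "outlook->word->powershell": ["outlook.exe", "winword.exe", "powershell.exe"],
    "ie->java->cmd": ["iexplore.exe", "java.exe", "cmd.exe"],
}

def lineage(event, by_pid):
    """Image names from the root ancestor down to this process."""
    chain, cur = [], event
    while cur is not None:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain[::-1]

def detect(events):
    """Return (pid, pattern) pairs for every process matching a pattern of attack."""
    by_pid = {e.pid: e for e in events}
    has_child = {e.ppid for e in events}
    hits = []
    for e in events:
        line = lineage(e, by_pid)
        for name, chain in CHAIN_PATTERNS.items():
            if line[-len(chain):] == chain:  # chain must end at this process
                hits.append((e.pid, name))
        if e.image == "svchost.exe" and e.user not in SYSTEM_ACCOUNTS:
            hits.append((e.pid, "svchost by non-system user"))
        if e.image == "notepad.exe" and (e.net or e.pid in has_child):
            hits.append((e.pid, "notepad child process or network"))
    return sorted(hits)
```

Swapping the payload hash or the download server in this telemetry changes nothing in the result, which is the point of the paragraph above.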

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ...

Comments

ronbo142, User Rank: Apprentice
6/30/2016 | 9:01:48 AM
Risk to Reward Ratio
This article has great value in helping Cyber Security Professionals understand how we might better protect and defend our treasures (i.e. the information). One of my thoughts is establishing a ratio that will help management understand the financial impact and the needed investment to increase the protection to a point where the "hackers" decide to look for that softer target. The variables for the hackers are personal risk (will I get caught), punishment (what will I be charged with), outcome of that charge (how much time will I do) and finally capital investment (how much do I need to spend in time and money) to obtain a return.

The ratio PR+P+O+I < R

Making the left side so painful that the right side is undesirable is the strategy outlined in the article.

Thoughts?
