
Perimeter

5/31/2012
06:32 PM

Companies See Business In 'Doxing' The Adversary

It's not a malware problem -- it's an adversary problem: More security firms are focusing on the people behind the keyboards in order to stymie attacks

While "advanced persistent threat" (APT) has been relegated to buzzword status, the adversaries at the core of such threats are still around. Security firms are now selling services that analyze and identify those attackers so that their customers can gauge the level of risk each adversary represents.

Security start-up CrowdStrike, which launched earlier this year, has made adversary assessment a core part of its services. The goal is to give defenders a better idea of which threats they need to worry about, says George Kurtz, the company's president and CEO. With information on the adversaries and their intent, not just the programs used in an attack, defenders with limited resources can deploy their defenses far more effectively, he says.

"Adversary assessment is not about finding some guy in China," Kurtz says. "It is linking all the [threat] information together with the end goal of being able to marshal the limited resources that you have to face the adversary coming at you, rather than sitting in the center of your castle, putting up a bigger wall, and not knowing what side the attackers are going to come from."

While perhaps 70 or 80 percent of attackers are cybercriminals, espionage is a greater worry for many companies. For those firms, finding out more about the motivations and capabilities of the groups attacking their networks and systems is important. Stopping any individual attack is meaningless because the attackers will keep trying, says Greg Hoglund, chief technology officer for ManTech CSI, a forensics and incident response firm.

"They never go away because they are the 'P' in APT," he says. "There are technical things that you can do to block them today that won't work tomorrow. The more you know about them, the more you can do to prevent their next attacks."


Attackers seem to have the run of companies in certain industries. When Mandiant performs a threat assessment at a company, it always finds that an attacker has taken control of one or more systems.

"We may go in and the company thinks they have a Chinese problem, and they don't," says Richard Bejtlich, chief security officer for Mandiant. "But we always find something."

Different firms have different ways of measuring the groups that are targeting corporate intellectual property: Mandiant, for example, divides its known groups into 20 different profiles, while ManTech CSI identifies 18 different groups. Each group has different techniques, methods of operation, or industry targets. In both cases, the threats tracked by the companies overwhelmingly appear to be Chinese.

Yet adversary assessment is not about identifying the people behind attacks, but their motivations and their capabilities, ManTech CSI's Hoglund says.

"We have pictures of the attackers hanging on our wall; we know their names. We know where they live, and they are in China," he says. "We have a picture of the guy and there is nothing anyone can do to go get him. ... Does it really add anything to your defense? Not really."

Once a group is identified, companies can respond in different ways. The most important goal is to make attacking your company more expensive, says Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike. Companies can take legal action, pursue takedowns of the attackers' infrastructure, approach the government in the attacker's country, and -- if the adversary is working for a competitor in another country -- report the incident to the World Trade Organization.

"Once you identify the threat, then you can think about how do I raise the cost to the adversary and bring pain to the adversary," Alperovitch says.

Knowing the adversary can inform technical defenses as well, ManTech CSI's Hoglund says. The best information to have is how they are infiltrating your network, what the best intrusion-detection signatures are to detect them next time, and how to prevent them from succeeding, he says.

"You cannot think of the threat as an MD5 checksum," Hoglund says. "[CIOs] have to stop thinking of the threat as an object that they can swat away. The threat is the person making those objects."
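The contrast Hoglund draws, between an indicator that describes one build of one tool and one that describes the adversary's tradecraft, is easy to show in code. The following script is an added example written for this page, not code from any of the firms quoted; the implant bytes, the host and network events, the field layout of those events and the rule names are all constructed for illustration. It hashes two builds of the same implant that differ by one byte, so an MD5 blocklist built from the first intrusion misses the second, and then runs three tradecraft rules (Office process spawning an executable from the user's Temp directory, a Run-key persistence entry pointing at that directory, and a fixed-interval beacon to a characteristic URI) that fire on both intrusions and stay quiet on benign activity.

```python
"""
Hash indicators versus tradecraft (TTP) indicators.

Everything below is constructed for illustration: the two "implant" byte
strings, the endpoint/network events and the rule set are not real samples
or real telemetry, and the event field layout (kind, then key=value pairs)
is an assumption of this example.
"""
import hashlib
import re

# Two builds of the same tool; the adversary changed a single byte.
SAMPLE_V1 = b"MZ\x90\x00" + b"fake-implant-body" + b"\x00build=1\x00"
SAMPLE_V2 = b"MZ\x90\x00" + b"fake-implant-body" + b"\x00build=2\x00"

# Blocklist populated from the first intrusion only.
HASH_BLOCKLIST = {hashlib.md5(SAMPLE_V1).hexdigest()}


def md5_match(sample: bytes) -> bool:
    """Hash-based detection: exact match against known-bad MD5s."""
    return hashlib.md5(sample).hexdigest() in HASH_BLOCKLIST


# Constructed events from two separate intrusions by the same group and
# from an unrelated, benign host. Paths contain no spaces on purpose so the
# simple key=value parser below stays correct.
INTRUSION_1 = [
    "proc parent=winword.exe image=C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe",
    "reg key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "value=svc data=C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe",
    "net image=svc.exe dst=203.0.113.10:443 uri=/update.php?id=AA11 interval=300",
]
INTRUSION_2 = [
    "proc parent=excel.exe image=C:\\Users\\b\\AppData\\Local\\Temp\\upd.exe",
    "reg key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "value=upd data=C:\\Users\\b\\AppData\\Local\\Temp\\upd.exe",
    "net image=upd.exe dst=198.51.100.7:443 uri=/update.php?id=BB22 interval=300",
]
BENIGN = [
    "proc parent=explorer.exe image=C:\\Vendor\\app.exe",
    "net image=app.exe dst=192.0.2.5:443 uri=/api/v1/ping interval=300",
]

TEMP_DIR = "\\appdata\\local\\temp\\"
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}


def parse(event: str) -> dict:
    """Split 'kind k1=v1 k2=v2 ...' into a dict; values contain no spaces."""
    kind, _, rest = event.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["kind"] = kind
    return fields


# Each rule describes how the group operates, not a specific file.
TTP_RULES = {
    "office-spawns-temp-exe": lambda e: e["kind"] == "proc"
        and e.get("parent", "").lower() in OFFICE
        and TEMP_DIR in e.get("image", "").lower(),
    "run-key-to-temp": lambda e: e["kind"] == "reg"
        and e.get("key", "").lower().endswith("\\currentversion\\run")
        and TEMP_DIR in e.get("data", "").lower(),
    "fixed-interval-beacon": lambda e: e["kind"] == "net"
        and e.get("uri", "").startswith("/update.php?id=")
        and int(e.get("interval", "0")) >= 60,
}


def ttp_match(events: list) -> set:
    """Return the names of every tradecraft rule that fires on the events."""
    hits = set()
    for ev in map(parse, events):
        for name, rule in TTP_RULES.items():
            if rule(ev):
                hits.add(name)
    return hits


def shared_ttps(events_a: list, events_b: list) -> set:
    """Tradecraft common to two intrusions; the basis for grouping activity
    into an adversary profile rather than matching on file artifacts."""
    return ttp_match(events_a) & ttp_match(events_b)


if __name__ == "__main__":
    print("MD5 catches build 1:", md5_match(SAMPLE_V1))   # True
    print("MD5 catches build 2:", md5_match(SAMPLE_V2))   # False
    print("TTPs, intrusion 1:", sorted(ttp_match(INTRUSION_1)))
    print("TTPs, intrusion 2:", sorted(ttp_match(INTRUSION_2)))
    print("TTPs, benign host:", sorted(ttp_match(BENIGN)))
    print("shared tradecraft:", sorted(shared_ttps(INTRUSION_1, INTRUSION_2)))
```

The point of the split into `md5_match` and `ttp_match` is that the hash list goes stale the moment the adversary rebuilds, while the rule set encodes the behaviour they would have to change to evade it. Real rules would of course be tuned against real telemetry; the benign list here only shows that the rules are specific to the behaviour and not to the presence of network traffic or process creation as such.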

In the end, the security firms that know the rogues' gallery of adversaries will be best placed to help defend their customers, CrowdStrike's Kurtz says.

"I believe that adversary assessment is going to be the next vulnerability assessment or penetration test," he says. "People today say, 'Of course I need a pen test.' Yeah, it's fine to know all your vulnerabilities, but what you really want to know is who's in your network, what are they doing, and how do I get them out?"

Comments
LucasZa (6/14/2012, 4:59:10 PM):
It's great to see increased adoption of the bigger picture. Greg is absolutely right when he says, "The best information to have is how they are infiltrating your network, what the best intrusion-detection signatures are to detect them next time, and how to prevent them from succeeding."

It's not really about doxing. As human beings, the attackers display patterns. The value is in cataloging the methodologies, habits, and tools each attacker (or group) uses so you can hunt for Indicators of Compromise. Identify a breach in progress early on and kick them out before they achieve their goals.
Bprince (6/9/2012, 11:45:28 PM):
Very interesting. Having this kind of intelligence on attackers could be useful in particular for critical infrastructure companies.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
MFMSTR (6/1/2012, 6:42:16 AM):
Good article about an emerging space. I don't know much about CrowdStrike because they are new, but HBGary and Mandiant have been in the game for years. BTW, Hoglund was HBGary; I noticed you kept calling it ManTech CSI, but I assume that is because of the recent merger. CrowdStrike has some big names, but TBH I don't know what they are actually doing or selling yet :-/ I'm sure all three companies are good at this. Mandiant has the widest IR coverage, something that helps them track APT groups using statistics from their services work. HBGary is probably the most hardcore: hacking the CNC servers and dropping rootkits on Chinese hackers. God knows what kind of information they have. It's good that security companies are willing to fight back. It's about time that hackers don't get a free lunch and walk over our networks here in the U.S. We all know the US Government won't fix it, so I say yeah for private enterprise. Screw the hackers, they don't get to own the Internet anymore.
-MFM