Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/31/2012
06:32 PM
50%
50%

Companies See Business In 'Doxing' The Adversary

It's not a malware problem -- it's an adversary problem: More security firms are focusing on the people behind the keyboards in order to stymie attacks

While advanced persistent threats (APTs) have been relegated to buzzword status, the adversaries that make up the core of such threats are still around. And now, companies are focusing on selling services to analyze and identify the attackers so companies can determine the level of risk they represent.

Security firm CrowdStrike, which launched earlier this year, has made adversary assessment a core part of its services. The goal is to give defenders a better idea of what threats they need to worry about, says George Kurtz, president and CEO of security start-up CrowdStrike. With information on the adversaries and their intent, not just the programs used to attack, defenders with limited resources can deploy their defenses in much more effective ways, he says.

"Adversary assessment is not about finding some guy in China," Kurtz says. "It is linking all the [threat] information together with the end goal of being able to marshal the limited resources that you have to face the adversary coming at you, rather than sitting in the center of your castle, putting up a bigger wall, and not knowing what side the attackers are going to come from."

While perhaps 70 or 80 percent of attackers are cybercriminals, espionage is a greater worry for many companies. For those firms, finding out more about the motivations and capabilities of the groups attacking their networks and systems is important. Stopping any individual attack is meaningless because the attackers will keep trying, says Greg Hoglund, chief technology officer for ManTech CSI, a forensics and incident response firm.

"They never go away because they are the 'P' in APT," he says. "There are technical things that you can do to block them today that won't work tomorrow. The more you know about them, the more you can do to prevent their next attacks."

[ As security researchers dig deeper into the Flame targeted attack, they find that off-the-shelf techniques helped it evade detection and defenses. See How Flame Hid In Plain Sight For Years. ]

Attackers seem to have the run of companies in certain industries. When Mandiant does a threat assessment in a company, it always find that an attacker has taken control of one or more systems.

"We may go in and the company thinks they have a Chinese problem, and they don't," says Richard Bejtlich, chief security officer for Mandiant. "But we always find something."

Different firms have different ways of measuring the groups that are targeting corporate intellectual property: Mandiant, for example, divides its known groups into 20 different profiles, while ManTech CSI identifies 18 different groups. Each group has different techniques, methods of operation, or industry targets. In both cases, the threats tracked by the companies overwhelmingly appear to be Chinese.

Yet adversary assessment is not about identifying the people behind attacks, but their motivations and their capabilities, ManTech CSI's Hoglund says.

"We have pictures of the attackers hanging on our wall; we know their names. We know were they live, and they are in China," he says. "We have a picture of the guy and there is nothing anyone can do to go get him. ... Does it really add anything to your defense? Not really."

Once a group is identified, companies can respond in different ways. The most important goal is to make the cost of attacking your company more expensive, says Dmitri Alperovitch, co-founder and chief technology officer with CrowdStrike. Companies can take legal action, pursue takedowns of the attackers' infrastructure, approach the government in the attacker's country, and -- if the adversary is working for a competitor in another country -- report the incident to the World Trade Organization.

"Once you identify the threat, then you can think about how do I raise the cost to the adversary and bring pain to the adversary," Alperovitch says.

Knowing the adversary can inform technical defenses as well, ManTech CSI's Hoglund says. The best information to have is how they are infiltrating your network, what the best intrusion-detection signatures are to detect them next time, and how to prevent them from succeeding, he says.

"You cannot think of the threat as an MD5 checksum," Hoglund says. "[CIOs] have to stop thinking of the threat as an object that they can swat away. The threat is the person making those objects."

In the end, security firms that know the rogues gallery of adversaries will be best-situated to help defend the customers, CrowdStrike's Kurtz says.

"I believe that adversary assessment is going to be the next vulnerability assessment or penetration test," he says. "People today say, 'Of course I need a pen test.' Yeah, it's fine to know all your vulnerabilities, but what you really want to know is who's in your network, what are they doing, and how do I get them out?"

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LucasZa
50%
50%
LucasZa,
User Rank: Moderator
6/14/2012 | 4:59:10 PM
re: Companies See Business In 'Doxing' The Adversary
It's great to see increased adoption of the bigger picture. Greg is absolutely right when he says, "The best information to have is how they are infiltrating your network, what the best intrusion-detection signatures are to detect them next time, and how to prevent them from succeeding."

It's not really about doxing. As human beings, the attackers display patterns.The value is in cataloging the methodologies, habits, and tools each attacker (or group) uses so you can hunt for Indicators of Compromise. Identify a breach in progress early on and kick them out before they achieve their goals.
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/9/2012 | 11:45:28 PM
re: Companies See Business In 'Doxing' The Adversary
Very interesting. Having this kind of intelligence on attackers could be useful in particular for critical infrastructure companies.-
Brian Prince, InformationWeek/Dark Reading Comment Moderator-
MFMSTR
50%
50%
MFMSTR,
User Rank: Apprentice
6/1/2012 | 6:42:16 AM
re: Companies See Business In 'Doxing' The Adversary
Good article about an emerging space. I don't know much about crowdstrike because they are new, but HBGary and Mandiant have been in the game for years. BTW, Hoglund was HBGary - I noticed you kept calling it Mantech CSI but I assume that is because of the recent merger. Crowdstrike has some big names, but TBH I don't know what they are actually doing or selling yet :-/ I'm sure all three companies are good at this. Mandiant has the widest IR coverage - something that helps them track APT groups using statistics from their services work. HBGary is probably the most hardcore - hacking the CNC servers and dropping rootkits on Chinese hackers. God knows what kind of information they have. It's good that security companies are willing to fight back. It's about time that hackers don't get a free lunch and walk over our networks here in the U.S. G we all know the US Government won't fix it so I say yeah for private enterprise. Screw the hackers, they donGt get to own the Internet anymore.--
-MFM
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.