Dark Reading is part of the Informa Tech Division of Informa PLC

Perimeter

5/31/2012
06:32 PM

Companies See Business In 'Doxing' The Adversary

It's not a malware problem -- it's an adversary problem: More security firms are focusing on the people behind the keyboards in order to stymie attacks

While "advanced persistent threat" (APT) has been worn down to a buzzword, the adversaries at the core of such threats are still around. Security companies are now selling services that analyze and identify those attackers, so that their customers can judge how much risk a given adversary represents.

Security firm CrowdStrike, which launched earlier this year, has made adversary assessment a core part of its services. The goal is to give defenders a better idea of which threats they need to worry about, says George Kurtz, the company's president and CEO. With information on the adversaries and their intent, not just on the programs used to attack, defenders with limited resources can deploy their defenses far more effectively, he says.

"Adversary assessment is not about finding some guy in China," Kurtz says. "It is linking all the [threat] information together with the end goal of being able to marshal the limited resources that you have to face the adversary coming at you, rather than sitting in the center of your castle, putting up a bigger wall, and not knowing what side the attackers are going to come from."

While perhaps 70 to 80 percent of attackers are cybercriminals, espionage is the greater worry for many companies. For those firms, learning more about the motivations and capabilities of the groups attacking their networks and systems matters. Stopping any individual attack is meaningless on its own, because the attackers will keep trying, says Greg Hoglund, chief technology officer of ManTech CSI, a forensics and incident response firm.

"They never go away because they are the 'P' in APT," he says. "There are technical things that you can do to block them today that won't work tomorrow. The more you know about them, the more you can do to prevent their next attacks."


Attackers seem to have the run of companies in certain industries. When Mandiant does a threat assessment at a company, it always finds that an attacker has taken control of one or more systems.

"We may go in and the company thinks they have a Chinese problem, and they don't," says Richard Bejtlich, chief security officer for Mandiant. "But we always find something."

Different firms have different ways of measuring the groups that are targeting corporate intellectual property: Mandiant, for example, divides its known groups into 20 different profiles, while ManTech CSI identifies 18 different groups. Each group has different techniques, methods of operation, or industry targets. In both cases, the threats tracked by the companies overwhelmingly appear to be Chinese.

Yet adversary assessment is not about identifying the individuals behind attacks but about understanding their motivations and capabilities, ManTech CSI's Hoglund says.

"We have pictures of the attackers hanging on our wall; we know their names. We know where they live, and they are in China," he says. "We have a picture of the guy and there is nothing anyone can do to go get him. ... Does it really add anything to your defense? Not really."

Once a group is identified, companies can respond in different ways. The most important goal is to raise the cost of attacking your company, says Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike. Companies can take legal action, pursue takedowns of the attackers' infrastructure, approach the government in the attacker's country and, if the adversary is working for a competitor in another country, report the incident to the World Trade Organization.

"Once you identify the threat, then you can think about how do I raise the cost to the adversary and bring pain to the adversary," Alperovitch says.

Knowing the adversary informs technical defenses as well, ManTech CSI's Hoglund says. The most useful information is how they are getting into your network, which intrusion-detection signatures will catch them next time, and how to stop them from succeeding, he says.

"You cannot think of the threat as an MD5 checksum," Hoglund says. "[CIOs] have to stop thinking of the threat as an object that they can swat away. The threat is the person making those objects."
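The distinction Hoglund draws, an indicator tied to one object versus one tied to the adversary's habits, is easiest to see as detection logic run over logs. What follows is an added example, not code from this article or from ManTech CSI, CrowdStrike or Mandiant. The endpoint telemetry, host names, domains, command lines, dropper bytes and the behaviour rule are all constructed for illustration; MD5 appears only as a file-identity indicator, as in the quote above.

```python
"""Hash indicators versus behaviour (TTP) indicators over constructed endpoint logs.

Added example, not code from the article or from any firm it quotes. Every
host name, command line, domain, byte string and rule below is constructed for
illustration; MD5 is used only as a file-identity indicator, as in the article.
"""
import hashlib
import re
from collections import defaultdict


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a file's bytes, the kind of indicator extracted after an intrusion."""
    return hashlib.md5(data).hexdigest()


# Constructed dropper bytes: the group rebuilt its tool between the two intrusions,
# so the second sample has a different hash even though the behaviour is identical.
DROPPER_V1 = b"constructed dropper build 2012-04"
DROPPER_V2 = b"constructed dropper build 2012-05 (rebuilt)"

# What incident response extracted from the first intrusion: one file hash.
KNOWN_BAD_MD5 = {md5_hex(DROPPER_V1)}

# Constructed endpoint telemetry. 'proc' events carry the image hash and command
# line, 'dns' events carry the queried name.
INTRUSION_1 = [
    {"host": "ws-017", "type": "proc", "md5": md5_hex(DROPPER_V1),
     "cmdline": "C:\\Windows\\Temp\\svchost.exe"},
    {"host": "ws-017", "type": "proc", "md5": "a" * 32,
     "cmdline": "rar.exe a -hps3cret C:\\Windows\\Temp\\2012-04-12.rar C:\\Users\\jdoe\\Documents"},
    {"host": "ws-017", "type": "dns", "query": "news.update-cdn.net"},
]
INTRUSION_2 = [  # same group a month later: new hash, new host, new C2 name
    {"host": "ws-042", "type": "proc", "md5": md5_hex(DROPPER_V2),
     "cmdline": "C:\\Windows\\Temp\\wuauclt.exe"},
    {"host": "ws-042", "type": "proc", "md5": "a" * 32,
     "cmdline": "rar.exe a -hpWinter12 C:\\Windows\\Temp\\2012-05-20.rar C:\\Users\\asmith\\Documents"},
    {"host": "ws-042", "type": "dns", "query": "img.static-cdn.net"},
]
BENIGN = [  # an administrator archiving a home directory; must not fire
    {"host": "ws-100", "type": "proc", "md5": "a" * 32,
     "cmdline": "rar.exe a C:\\Users\\bob\\backup.rar C:\\Users\\bob\\Documents"},
    {"host": "ws-100", "type": "dns", "query": "www.example.com"},
]
ALL_EVENTS = INTRUSION_1 + INTRUSION_2 + BENIGN


def match_hash_iocs(events):
    """Object-level detection: flag process events whose image hash is on the list."""
    return [e for e in events if e["type"] == "proc" and e["md5"] in KNOWN_BAD_MD5]


# Behaviour-level rule built from the group's habits rather than its binaries:
# a password-protected RAR staged under C:\Windows\Temp, plus a lookup of a
# C2 name following the group's <word>.<word>-cdn.net naming pattern.
RAR_STAGING = re.compile(r"\brar(\.exe)?\s+a\s+-hp\S*\s+C:\\Windows\\Temp\\", re.I)
C2_NAME = re.compile(r"^[a-z]+\.[a-z]+-cdn\.net$")


def match_ttp(events):
    """Return hosts (sorted) showing both halves of the behaviour, whatever the hash."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        staged = any(e["type"] == "proc" and RAR_STAGING.search(e["cmdline"]) for e in evs)
        beaconed = any(e["type"] == "dns" and C2_NAME.match(e["query"]) for e in evs)
        if staged and beaconed:
            hits.append(host)
    return sorted(hits)


def summarize(events=ALL_EVENTS):
    """Hosts caught by each indicator type; the hash list misses the rebuilt tool."""
    return {
        "hash_iocs": sorted({e["host"] for e in match_hash_iocs(events)}),
        "ttp_rule": match_ttp(events),
    }


if __name__ == "__main__":
    print(summarize())  # {'hash_iocs': ['ws-017'], 'ttp_rule': ['ws-017', 'ws-042']}
```

The hash list catches only the first intrusion, because the second dropper was recompiled. The behaviour rule catches both, since the staging directory, the password-protected archive and the C2 naming pattern survived the rebuild, and it stays quiet on the administrator's backup job because it requires both habits on the same host. In practice such a rule is written from a group's documented tradecraft and tuned against the environment's own baseline, which is exactly the knowledge adversary assessment is meant to supply.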

In the end, the security firms that know the rogues' gallery of adversaries will be best placed to help defend their customers, CrowdStrike's Kurtz says.

"I believe that adversary assessment is going to be the next vulnerability assessment or penetration test," he says. "People today say, 'Of course I need a pen test.' Yeah, it's fine to know all your vulnerabilities, but what you really want to know is who's in your network, what are they doing, and how do I get them out?"

Comments
MFMSTR (User Rank: Apprentice), 6/1/2012 | 6:42:16 AM
re: Companies See Business In 'Doxing' The Adversary
Good article about an emerging space. I don't know much about CrowdStrike because they are new, but HBGary and Mandiant have been in the game for years. BTW, Hoglund was HBGary; I noticed you kept calling it ManTech CSI, but I assume that is because of the recent merger. CrowdStrike has some big names, but TBH I don't know what they are actually doing or selling yet :-/ I'm sure all three companies are good at this. Mandiant has the widest IR coverage, something that helps them track APT groups using statistics from their services work. HBGary is probably the most hardcore: hacking the CNC servers and dropping rootkits on Chinese hackers. God knows what kind of information they have. It's good that security companies are willing to fight back. It's about time that hackers don't get a free lunch and walk over our networks here in the U.S. We all know the US Government won't fix it, so I say yeah for private enterprise. Screw the hackers, they don't get to own the Internet anymore.
-MFM
Bprince (User Rank: Ninja), 6/9/2012 | 11:45:28 PM
re: Companies See Business In 'Doxing' The Adversary
Very interesting. Having this kind of intelligence on attackers could be useful in particular for critical infrastructure companies.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
LucasZa (User Rank: Moderator), 6/14/2012 | 4:59:10 PM
re: Companies See Business In 'Doxing' The Adversary
It's great to see increased adoption of the bigger picture. Greg is absolutely right when he says, "The best information to have is how they are infiltrating your network, what the best intrusion-detection signatures are to detect them next time, and how to prevent them from succeeding."

It's not really about doxing. As human beings, the attackers display patterns. The value is in cataloging the methodologies, habits, and tools each attacker (or group) uses so you can hunt for Indicators of Compromise. Identify a breach in progress early on and kick them out before they achieve their goals.