5/31/2012
06:32 PM

Companies See Business In 'Doxing' The Adversary

It's not a malware problem -- it's an adversary problem: More security firms are focusing on the people behind the keyboards in order to stymie attacks

While advanced persistent threats (APTs) have been relegated to buzzword status, the adversaries that make up the core of such threats are still around. And now, companies are focusing on selling services to analyze and identify the attackers so companies can determine the level of risk they represent.

Security firm CrowdStrike, which launched earlier this year, has made adversary assessment a core part of its services. The goal is to give defenders a better idea of what threats they need to worry about, says George Kurtz, president and CEO of security start-up CrowdStrike. With information on the adversaries and their intent, not just the programs used to attack, defenders with limited resources can deploy their defenses in much more effective ways, he says.

"Adversary assessment is not about finding some guy in China," Kurtz says. "It is linking all the [threat] information together with the end goal of being able to marshal the limited resources that you have to face the adversary coming at you, rather than sitting in the center of your castle, putting up a bigger wall, and not knowing what side the attackers are going to come from."

While perhaps 70 or 80 percent of attackers are cybercriminals, espionage is a greater worry for many companies. For those firms, finding out more about the motivations and capabilities of the groups attacking their networks and systems is important. Stopping any individual attack is meaningless because the attackers will keep trying, says Greg Hoglund, chief technology officer for ManTech CSI, a forensics and incident response firm.

"They never go away because they are the 'P' in APT," he says. "There are technical things that you can do to block them today that won't work tomorrow. The more you know about them, the more you can do to prevent their next attacks."

[ As security researchers dig deeper into the Flame targeted attack, they find that off-the-shelf techniques helped it evade detection and defenses. See How Flame Hid In Plain Sight For Years. ]

Attackers seem to have the run of companies in certain industries. When Mandiant does a threat assessment in a company, it always finds that an attacker has taken control of one or more systems.

"We may go in and the company thinks they have a Chinese problem, and they don't," says Richard Bejtlich, chief security officer for Mandiant. "But we always find something."

Different firms have different ways of measuring the groups that are targeting corporate intellectual property: Mandiant, for example, divides its known groups into 20 different profiles, while ManTech CSI identifies 18 different groups. Each group has different techniques, methods of operation, or industry targets. In both cases, the threats tracked by the companies overwhelmingly appear to be Chinese.

Yet adversary assessment is not about identifying the people behind attacks, but their motivations and their capabilities, ManTech CSI's Hoglund says.

"We have pictures of the attackers hanging on our wall; we know their names. We know where they live, and they are in China," he says. "We have a picture of the guy and there is nothing anyone can do to go get him. ... Does it really add anything to your defense? Not really."

Once a group is identified, companies can respond in different ways. The most important goal is to make the cost of attacking your company more expensive, says Dmitri Alperovitch, co-founder and chief technology officer with CrowdStrike. Companies can take legal action, pursue takedowns of the attackers' infrastructure, approach the government in the attacker's country, and -- if the adversary is working for a competitor in another country -- report the incident to the World Trade Organization.

"Once you identify the threat, then you can think about how do I raise the cost to the adversary and bring pain to the adversary," Alperovitch says.

Knowing the adversary can inform technical defenses as well, ManTech CSI's Hoglund says. The best information to have is how they are infiltrating your network, what the best intrusion-detection signatures are to detect them next time, and how to prevent them from succeeding, he says.

"You cannot think of the threat as an MD5 checksum," Hoglund says. "[CIOs] have to stop thinking of the threat as an object that they can swat away. The threat is the person making those objects."
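The contrast Hoglund draws, between a threat tracked as a file hash and a threat tracked as a person with habits, is easy to show with a small matcher. The following is an added example, not code from the article or from any of the firms it quotes; the adversary profile, the hash values, the hostnames and the endpoint events are all constructed placeholders. It scores one profile against two intrusions by the same (constructed) actor: in the second, the tool has been rebuilt and the beacon host changed, so the atomic indicators go quiet while the behavioural ones still fire.

```python
"""Atomic vs behavioural indicators for an adversary profile.

Added example. The profile, hashes, hostnames and events below are
constructed for illustration and do not describe any real group or sample.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    """One tracked adversary: the objects they have used and the habits they show."""
    name: str
    file_hashes: set = field(default_factory=set)        # atomic: MD5 of a known sample
    command_patterns: list = field(default_factory=list)  # behavioural: how they operate
    beacon_hosts: set = field(default_factory=set)        # infrastructure: C2 hosts seen before


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed profile. The hash is of a made-up byte string, not a real file,
# and the hostname uses the reserved .invalid TLD.
GROUP_A = Profile(
    name="GROUP-A (constructed)",
    file_hashes={md5_hex(b"constructed-sample-v1")},
    command_patterns=[
        # staging data into a password-protected archive before exfiltration
        re.compile(r"\brar\.exe\s+a\s+-hp\S+", re.IGNORECASE),
        # persistence via a scheduled task
        re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.IGNORECASE),
    ],
    beacon_hosts={"update.example.invalid"},
)

# Constructed endpoint telemetry: (event_type, value)
EVENTS_FIRST_INTRUSION = [
    ("file_md5", md5_hex(b"constructed-sample-v1")),
    ("process", r"C:\Windows\Temp\rar.exe a -hpSecret123 C:\Windows\Temp\out.rar C:\Users\alice\Documents"),
    ("dns", "update.example.invalid"),
]

# Same actor returns with a rebuilt tool and a new beacon host; the habits are unchanged.
EVENTS_RETURN_VISIT = [
    ("file_md5", md5_hex(b"constructed-sample-v2")),
    ("process", r"C:\ProgramData\rar.exe a -hpSecret123 C:\ProgramData\docs.rar C:\Users\bob\Desktop"),
    ("process", r"schtasks /create /tn Updater /tr C:\ProgramData\svc.exe /sc hourly"),
    ("dns", "cdn.example.invalid"),
]


def match_profile(events, profile):
    """Return {indicator_kind: [evidence, ...]} for events that match the profile."""
    hits = {}
    for kind, value in events:
        if kind == "file_md5" and value in profile.file_hashes:
            hits.setdefault("hash", []).append(value)
        elif kind == "process" and any(p.search(value) for p in profile.command_patterns):
            hits.setdefault("behaviour", []).append(value)
        elif kind == "dns" and value in profile.beacon_hosts:
            hits.setdefault("infrastructure", []).append(value)
    return hits


def matched_kinds(events, profile):
    """Which classes of indicator fired; the set shrinks as atomic indicators rot."""
    return set(match_profile(events, profile))


if __name__ == "__main__":
    for label, events in [("first intrusion", EVENTS_FIRST_INTRUSION),
                          ("return visit", EVENTS_RETURN_VISIT)]:
        print(label, "->", sorted(matched_kinds(events, GROUP_A)))
```

The hash and hostname indicators are cheap to collect and cheap for the attacker to change; the command-line patterns describe how the group works and survive a recompiled tool, which is the layer an adversary profile adds to a plain blocklist.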

In the end, security firms that know the rogues' gallery of adversaries will be best situated to help defend their customers, CrowdStrike's Kurtz says.

"I believe that adversary assessment is going to be the next vulnerability assessment or penetration test," he says. "People today say, 'Of course I need a pen test.' Yeah, it's fine to know all your vulnerabilities, but what you really want to know is who's in your network, what are they doing, and how do I get them out?"

Comments
MFMSTR, User Rank: Apprentice, 6/1/2012 | 6:42:16 AM
re: Companies See Business In 'Doxing' The Adversary
Good article about an emerging space. I don't know much about crowdstrike because they are new, but HBGary and Mandiant have been in the game for years. BTW, Hoglund was HBGary - I noticed you kept calling it Mantech CSI but I assume that is because of the recent merger. Crowdstrike has some big names, but TBH I don't know what they are actually doing or selling yet :-/ I'm sure all three companies are good at this. Mandiant has the widest IR coverage - something that helps them track APT groups using statistics from their services work. HBGary is probably the most hardcore - hacking the CNC servers and dropping rootkits on Chinese hackers. God knows what kind of information they have. It's good that security companies are willing to fight back. It's about time that hackers don't get a free lunch and walk over our networks here in the U.S. - we all know the US Government won't fix it so I say yeah for private enterprise. Screw the hackers, they don't get to own the Internet anymore.
-MFM
Bprince, User Rank: Ninja, 6/9/2012 | 11:45:28 PM
re: Companies See Business In 'Doxing' The Adversary
Very interesting. Having this kind of intelligence on attackers could be useful in particular for critical infrastructure companies.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
LucasZa, User Rank: Moderator, 6/14/2012 | 4:59:10 PM
re: Companies See Business In 'Doxing' The Adversary
It's great to see increased adoption of the bigger picture. Greg is absolutely right when he says, "The best information to have is how they are infiltrating your network, what the best intrusion-detection signatures are to detect them next time, and how to prevent them from succeeding."

It's not really about doxing. As human beings, the attackers display patterns. The value is in cataloging the methodologies, habits, and tools each attacker (or group) uses so you can hunt for Indicators of Compromise. Identify a breach in progress early on and kick them out before they achieve their goals.