

Knowing Your Cyber Enemy: New Services Open Up Possibilities, But Experts Differ On Techniques, Value

As commercial capabilities for identifying online attackers improve, experts, service providers debate methods, costs

How much would you pay to know who your organization's online attackers are? And what would you want to know about them?

These two questions are at the heart of a burgeoning market for sophisticated threat intelligence services that promise to improve enterprise cyberdefenses by identifying attackers -- and helping customers to develop a tailored defense against them. Such services, sometimes called "attribution services" or "active defense," promise to change the face of IT security by re-focusing defensive strategies on protecting data against human adversaries, rather than just the malware they create.

"Today's defense-in-depth strategies are not working well, because to build a defense against malware, you have to be right 100% of the time, but the attacker only has to be right once," says Dmitri Alperovitch, CTO of CrowdStrike, the company that coined the term active defense and a leading voice behind "offensive security," which advocates hunting for attackers as well as passively building walls against them. "But if you focus on attribution -- on defending against the adversary -- then the reverse is true: The attacker has to be good all of the time, and you only have to find one instance where they make a mistake and give themselves away."

The idea of identifying the organization's attackers and building a tailored defense against them is enticing -- perhaps game-changing -- in a market full of arms-race-weary IT organizations, which for decades have been buying new technologies and developing new defense strategies -- only to watch the bad guys develop newer, better exploits that often elude currently-available technology designed to stop known attacks.

"There's a saying in security that if you're trying to stop everything, you're probably stopping nothing," says Ned Moran, a senior malware researcher at next-generation security tool vendor FireEye. "But if you know the source of your attacks, you understand better what they are trying to acquire, and that may change your defense. You can pinpoint your defensive measures in a way that creates lower costs and a better payoff."

But Moran and other experts point out that there are a variety of methods of attribution -- and some of them may be prohibitively expensive and resource-intensive for some enterprises.

"You can pursue the direction of identifying the actual people who are writing the code -- their names and where they are sitting, and who's launching the attacks that they write," Moran says. "Or you can focus on a defense around 'indicators of compromise,' which means you're not so worried about the attacker's personal identity, but you want to identify their tools and techniques and develop a 'fingerprint' that will help you create a defense against them. Identifying the attacker personally is possible, but the cost is very high -- in general, focusing on indicators of compromise gives you better bang for the buck."

While analyzing a malware developer's "fingerprint" can be accomplished through deep data analysis, connecting the malware to a specific attacker requires data and threat intelligence that goes well beyond most enterprises' internal resources, experts say. Gaining that level of knowledge may require full-time, skilled staffing and/or outside services that may cost tens of thousands of dollars, or even more.

Stuart McClure, CEO, president and co-founder of advanced threat detection vendor Cylance, questions the value of identifying the attacker, particularly at the seat level. "As humans, we all want to know why we're being attacked -- why do they hate me? But on a security level, there isn't much value in identifying the butt in that seat, because there isn't much you can do about it unless you're going to try to disrupt them personally -- which is difficult, and sometimes illegal. And at a business level, that sort of attribution requires a ton of resources, and there's not much payoff."

The debate over attribution's value is fundamental to the broader debate over the growth of digital forensics and threat intelligence services and technologies, which have become the darling of the IT security industry. Over the past two years, the proliferation of sophisticated attacks has created a cottage industry for technology and skilled enterprise staffers capable of analyzing the earmarks and components of an advanced cybercampaign -- and stopping it before it can infiltrate enterprise defenses. But such technology and skills come at a high cost, leaving some enterprises wondering how deeply to invest in them.

CrowdStrike, which monitors and tracks the techniques and behaviors of some 50 groups of threat actors worldwide, believes that its threat intelligence -- combined with big data analysis that enables enterprises to determine if they are under attack by a specific adversary -- is driving a sea change in digital defense. Knowledge of the attacker can not only pave the way for a more efficient defensive strategy, Alperovitch argues, but it also opens up the possibility of disrupting or frustrating a specific attacker, a capability that CrowdStrike offers.

"In the end, the adversary is human, and their objectives tend to be very specific," Alperovitch says. "If you understand who they are and what they want, you have a much better chance of stopping them."

While few vendors so far offer the ability to identify -- much less disrupt -- a specific attacker, experts say that enterprises' increased focus on detection and analysis of threats and attacks is having a calculable effect on enterprise defenses.

"In our 2012 trends report, we found that only about 6% of our clients had discovered their security breaches using their own means of detection -- most of them found out about their breaches through law enforcement or a third party," says Charles Carmakal, director of the services department at Mandiant, one of the security industry's best known digital forensics and incident response service providers, which is often called in by clients to investigate the cause of a major breach. "But in our 2013 report, we found that 37% of organizations had detected their own compromises. What that says is that organizations are getting better at doing their own detection and analysis."

But McClure argues that enterprises' improved success centers around better detection of attackers' methods, not their identities. Cylance, for example, has built technology that features mathematical algorithms which help users quarantine potentially malicious code based on its characteristics and behavior.

"There is a lot of new malware out there, but there really aren't many new methods -- attackers basically are using the same techniques that they've used for years," McClure says. "Historically, enterprises have bought products and trusted the vendors to tell them what's bad. Now, enterprises are being told to do their own analysis and forensics, and trust themselves to determine what's bad. What we're saying is trust the math to isolate potential problems and do your own analysis from there."

While the value of discovering the attacker's identity remains a matter of some debate, most experts agree that understanding an adversary's motivation may be helpful in developing an effective defense.

"Most of our customers are not too worried about identifying the specific attacker, because most of them are not interested in attacking back," says Dean De Beer, co-founder and CTO at ThreatGRID, which does deep malware analysis to detect and remediate malicious code. "What they want to know are the motivations of the attacker -- what were they after? That's the type of data they can use to escalate or de-escalate a potential threat, and to assign criticality to it."

Mandiant's Carmakal agrees. "The one thing about the more sophisticated attackers is that they are very determined," he says. "Even if you succeed in kicking them out the first time, they often come back, so it's good to know a little bit about them and what indicators there might be that you are dealing with the same threat actors."

Analyzing an attacker's "indicators of compromise" may enable enterprises to recognize a persistent threat actor -- not by name, but by the tools, techniques, and procedures they use, notes FireEye's Moran. "The code and techniques used by some [malware] developers are often re-used by other attackers, so if you understand the developer, you can sometimes knock out a whole swath of attacks that come downstream."
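Moran's two remarks above -- building a "fingerprint" from indicators of compromise rather than from a person's identity, and recognizing a returning actor by tools and techniques even when the code has been rebuilt -- can be shown in a few dozen lines. The example below is added here and is not code from the article, CrowdStrike, FireEye, or any other vendor named on the page. The actor profiles, the observed indicators, and the category weights (which assume a file hash is cheap for an adversary to change and a procedure such as scheduled-task persistence plus PsExec lateral movement is expensive) are all constructed for illustration.

```python
"""Match an intrusion's observed indicators against tracked adversary profiles.

The point: a rebuilt binary (new hash) still carries the operator's habits, so
weighting durable indicators over brittle ones lets a defender say "this looks
like the same crew that was here last quarter" without naming anyone.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed weights: how costly each indicator type is for the adversary to change.
# These numbers are an illustration, not a standard.
WEIGHTS = {"hash": 1.0, "domain": 2.0, "artifact": 3.0, "ttp": 4.0}


@dataclass(frozen=True)
class ActorProfile:
    name: str
    indicators: dict[str, frozenset[str]]  # category -> known values


# Constructed, fictional profiles standing in for a vendor's tracked clusters.
PROFILES = [
    ActorProfile("CLUSTER-A", {
        "hash": frozenset({"5d41402abc4b2a76b9719d911017c592"}),
        "domain": frozenset({"update-cdn.example.net", "mail-sync.example.org"}),
        "artifact": frozenset({"mutex:SvcHost_Sync_v2",
                               "ua:Mozilla/4.0 (compatible; MSIE 6.0)"}),
        "ttp": frozenset({"persistence:scheduled-task", "lateral:psexec",
                          "exfil:https-post"}),
    }),
    ActorProfile("CLUSTER-B", {
        "hash": frozenset({"d41d8cd98f00b204e9800998ecf8427e"}),
        "domain": frozenset({"static-assets.example.com"}),
        "artifact": frozenset({"mutex:WinUpdCheck"}),
        "ttp": frozenset({"persistence:run-key", "lateral:psexec"}),
    }),
]

# Constructed "what the IR team found" list: one line per indicator, category=value.
# Note the hash is new (recompiled dropper) but the C2 domain, mutex and
# procedures overlap with CLUSTER-A.
OBSERVED_LINES = """
hash=9e107d9d372bb6826bd81d3542a419d6
domain=mail-sync.example.org
artifact=mutex:SvcHost_Sync_v2
ttp=persistence:scheduled-task
ttp=lateral:psexec
"""


def parse_indicators(text: str) -> dict[str, set[str]]:
    """Turn category=value lines into {category: {values}}; blank lines ignored."""
    observed: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        category, value = line.split("=", 1)
        if category not in WEIGHTS:
            raise ValueError(f"unknown indicator category: {category}")
        observed.setdefault(category, set()).add(value)
    return observed


def score(observed: dict[str, set[str]],
          profile: ActorProfile) -> tuple[float, dict[str, set[str]]]:
    """Weighted overlap, normalised by the profile's total weight so that
    profiles with many indicators are not favoured just for being large.
    Returns (score in [0, 1], matched indicators per category)."""
    total = 0.0
    hit_weight = 0.0
    matches: dict[str, set[str]] = {}
    for category, known in profile.indicators.items():
        weight = WEIGHTS[category]
        total += weight * len(known)
        hits = known & observed.get(category, set())
        if hits:
            matches[category] = set(hits)
            hit_weight += weight * len(hits)
    return (hit_weight / total if total else 0.0), matches


def rank(observed: dict[str, set[str]], profiles: list[ActorProfile],
         threshold: float = 0.3) -> list[tuple[str, float, dict[str, set[str]]]]:
    """Profiles above the threshold, best match first. A single shared
    commodity technique (e.g. psexec) should not clear the bar on its own."""
    scored = [(p.name, *score(observed, p)) for p in profiles]
    scored.sort(key=lambda row: row[1], reverse=True)
    return [row for row in scored if row[1] >= threshold]


if __name__ == "__main__":
    obs = parse_indicators(OBSERVED_LINES)
    for name, s, matched in rank(obs, PROFILES):
        print(f"{name}: {s:.2f} via {matched}")
```

Run as written, the observation is attributed to CLUSTER-A with a score of about 0.57 despite the unknown hash, while CLUSTER-B (which shares only the PsExec technique) falls below the threshold. The weights are the part a team would tune from its own history; the structure is what lets an analyst say "same actor, new build" rather than "new malware".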

CrowdStrike takes this idea a step further by identifying and naming groups of malware developers and tracking their habits and targets on an ongoing basis. "We've identified about 30 different groups in China alone," Alperovitch says. "There's one group, which we call Anchor Panda, which primarily targets maritime transportation. There are others which focus on the oil and gas industry, or on financial systems, or on government. What we're doing is focusing on understanding what those groups are doing, so that we're not dealing with a piece of malware, but with a real adversary."

Most of today's malware -- such as worms and viruses -- is still automated, attacking whatever computers it reaches, indiscriminately, according to their configurations and vulnerabilities, experts agree. But while such broad-based attacks can typically be handled by off-the-shelf tools, a sophisticated, targeted attack may require more knowledge about who's attacking, or at least what their motivations and methods are.

"What we see is that the enterprise may not be so interested in identifying their specific attacker, but there's a lot more demand for context -- they want to know not only the domain that the attacker is coming from, but what are the characteristics of that domain," says ThreatGRID's De Beer. "Just learning the source IP address is not enough anymore -- they want to know more about the specifics."

Alperovitch agrees. "There are two types of organizations: those that know they've been attacked, and those that don't," he says. "Giving them an IP address is not attribution. They need to know who the threat actors are, and what's the likelihood that they will attack again."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.
