Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/30/2020
10:00 AM
Todd Graham
Todd Graham
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Using the Attack Cycle to Up Your Security Game

Like the universe, the attack surface is always expanding. Here's how to keep up and even get ahead.

Most criminal activity is designed to elicit a payoff for the perpetrator, and crime on the Internet is no different. As new surfaces emerge, previous attacks are reconstituted and applied. Cybersecurity tends to follow a cycle, once you know when and what to look for. To (poorly) paraphrase Bob Dylan: You don't need a weatherman to know which way the wind blows. You just need the experience of being around for a few of these cycles.

The New-New Thing
When we think about cybersecurity threats and associated mitigations, there are three key factors to consider:

  • Attack Surface: The thing that an attacker attempts to compromise, such as a laptop, smartphone, or cloud compute instance.
  • Attack Sophistication: The methods and attack types, including persistence, zero-days, phishing, and spear phishing.
  • Threat Actors: Who the attackers are and their implied motivations, like nation-states seeking intellectual property or organized crime engaged in ransomware.

The attack surface is like the universe: in a perpetual state of expansion. While your laptop is (hopefully) running a recent operating system version with (kind of) timely patches, there's a good chance that your bank's ATMs are running Windows XP. But after Microsoft retired XP support in 2014, 95% of ATMs were still running the operating system. That number hadn't improved much four years later and hackers were gleefully demonstrating these machines spewing cash. This means an IT security team must live in the past and the future.

A solution to a modern problem can introduce a new set of challenges: a new console to learn and new alerts to integrate. However, this presents an excellent, and often necessary, opportunity to repurpose existing budgeted spending. Examples of this include the erosion of traditional antivirus by endpoint detection and response (ERD) and the move from physical Web application firewalls (WAF) to software-based NG-WAFs.

Attack sophistication is directly proportional to the goals of the attackers and the defensive posture of the target. A ransomware ring will target the least-well-defended and the most likely to pay (ironically, cyber insurance can create a perverse incentive in some situations.) because there is an opportunity cost and return on investment calculation for every attack. A nation-state actor seeking breakthrough biotech intellectual property will be patient and well-capitalized, developing new zero-day exploits as they launch a concerted effort to penetrate a network's secrets. 

One of the most famous of these attacks, Stuxnet, exploited vulnerabilities in SCADA systems to cripple Iran's nuclear program. The attack was thought to have penetrated the air gap network via infected USB thumb drives. As awareness of these complex, multi-stage attacks has risen, startups have increased innovation - such as the behavior analytics space where complex machine-learning algorithms determine "normal" behaviors and look for that one bad actor.

Threat actors are the individuals and organizations engaged in the actual attack. In the broadest sense of the term, they are not always malicious. I have seen companies hobbled by an adverse audit finding or a compliance lapse. When I was early in the data loss prevention (DLP) market, solutions were sold to detect insider threats stealing intellectual property. This was (and still is) a hard use case to sell against, and it wasn't until regulations and legislation emerged that required companies to notify if they'd been breached and lost personally identifiable information that the DLP market became a must-have security solution.

It is possible for solutions to advance independently of new threats, actors, or surfaces, frequently when there is a breakthrough in underlying computational capabilities. Examples of this include the use of machine learning to identify file content in order to prevent data loss without rigid rulesets or machine vision to read text from an image-based spear-phishing attack. 

It's All Been Done
In my experience, a new market for cybersecurity solutions is triggered by an expansion of the attack surface. This could be something as seismic as AWS or the iPhone, or as localized as a code framework like Struts or React. With a new attack surface comes new management requirements and new attackers, exploiting vulnerabilities and flaws in human interactions. The ensuing data, financial, and reputational losses cause new cybersecurity solutions to emerge.

Typically these solutions will also improve on previous generations, whose limitations become obvious when deployed on a new attack surface. Examples are plentiful. IT system compliance and vulnerability management was confined to inside the enterprise, scanning with agents and crawlers (Qualys, Tenable). With the emergence of public cloud, startups (such as Evident.io and Lacework) appeared to scan for vulnerabilities through native APIs provided by cloud environments.

For its part, antivirus started as relatively simple signature-based protection; if an agent detects a specific executable or behavior, prevent it. But as the attack sophistication increased, next-generation endpoint protection emerged with specialization for file-less attacks, in-memory exploits, etc.

Data loss prevention began with simple detection of structured content (Social Security numbers, credit card numbers) in email, Web posts, and end-user devices. There is now a new breed of vendors focused on data leakage from cloud-based services (outside the enterprise datacenter) such as Slack, Box, and Github, offerings that didn't exist when the previous generation of solutions came to market.

The Next Thing
Security practitioners must consider the cybersecurity requirements when new surfaces are deployed or business models change. They should ask four questions to help clarify risks:

  • Has your business changed in a way that increases the likelihood that you will be attacked and/or the attacker sophistication will change?
  • What baseline data have you historically collected, and how will you get the same information from this new surface?
  • What of value is contained with, or generated by, this new surface?
  • How could this new surface be exploited and defended, and does it impact existing surfaces?

The initial question should be asked on a routine basis. COVID-19 changed attacker interest for many small biotech companies in a way their security posture did not anticipate, resulting in an uptick in attacks by nation states seeking an edge in new treatments and a potential vaccine. The second question is often the one that solution providers initially race to address because it is the most obvious. If there's an enterprise compliance policy requiring potential vulnerabilities to be remediated, security organizations still must identify those vulnerabilities regardless of where the underlying system is running. 

The third question is often the one that gets forgotten. Many data breaches have occurred because a new surface is deployed and it gives attackers an expanded attack surface that allows for access to an existing, previously "secured" platform. The Target breach is the most well-known example of this, but countless other breaches have happened because of something as trivial as a mis-configured network setting on an Amazon Web Service's Virtual Private Cloud.

The recent, near-universal move to remote work will no doubt result in new attacks against home networking infrastructure. It's important to remember that attackers are not interested in doing more work than is necessary (the ROI calculation), the attack surface will shift the "weakest link" to exploit. Asking these questions and anticipating possible vulnerabilities is critical to getting ahead of the next ransomware attack or zero day-driven intellectual property robbery.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Todd Graham is an investor at Venrock, focused on enterprise infrastructure and cybersecurity. His main areas of interest include digital transformation, human-based threats, disruptive go-to-market, and the consumerization of the user experience. Previously he led Corporate ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.