A harsh reality for those of us working in information security is that the businesses we’ve been asked to protect are battling businesses that are built to attack. That is to say we are rarely, if ever, up against the lone-wolf attacker wearing a hoodie in a basement. We are battling crime syndicates, nation states, and cyberthieves whose main concern is simple: to earn money.
To an attacker, staying “in business” means a few things:
- Being opportunistic when selecting targets: Making money means going after the softest targets first, without wasting time on attacks that will not quickly yield information that can be monetized. Attackers will almost always take the path of least resistance when launching attacks.
- Optimizing “attack” time: Every hour spent on a target without success is an hour not spent hitting softer targets. Attackers will attempt to exploit the “tried and true” vulnerabilities and reuse attack methods that have worked in the past -- the TTPs (tactics, techniques, and procedures) in their toolbox -- before inventing new ones.
- “Good guy” businesses will continue to act in isolation: Research suggests that the No. 1 factor in deterring an attack is whether an organization shares threat intelligence with its peers. That’s because sharing the right kind of threat intelligence means attackers can’t simply use the same attack vector over and over again. They must reinvent their tactics each and every time. That can be VERY expensive.
The bottom line is that our goal in playing defense is not necessarily to become the hero and dramatically unmask major crime syndicates like a foiled Scooby Doo plot. Our goal is to simply make the cost of conducting a cyberattack more expensive -- so much so that cybercriminals view attacking our organization as a bad return on investment.
We recently discussed how patterns of attack are exponentially more revealing than individual indicators of compromise and how understanding the root cause of an attack can help a security team close an original infection vector within minutes.
For attackers, finding a unique vulnerability (and effectively exploiting that root cause) can take months of research, costing them more than $1 million. It is no surprise then that attackers will use and reuse the same pattern of attack for months (if not years) on target after target after target until it is successful.
Patterns don’t necessarily have to be complicated, either. For example:
- Outlook runs Word, which runs PowerShell
- Notepad has a child process or makes a connection to the internet
- Svchost is executed by a non-system user account
- Internet Explorer runs Java, which then runs a command shell
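The four patterns above, written as toy detection rules over constructed endpoint process events (an added example, not code from the original post; the event fields, account names, process images and rule names are assumptions):

```python
# Constructed sample telemetry (assumed sensor fields: pid, ppid, image,
# user, and net = the process made an outbound connection). Not real data.
EVENTS = [
    {"pid": 200, "ppid": 100, "image": "outlook.exe",    "user": "CORP\\alice", "net": True},
    {"pid": 210, "ppid": 200, "image": "winword.exe",    "user": "CORP\\alice", "net": False},
    {"pid": 220, "ppid": 210, "image": "powershell.exe", "user": "CORP\\alice", "net": True},
    {"pid": 300, "ppid": 100, "image": "notepad.exe",    "user": "CORP\\alice", "net": False},
    {"pid": 310, "ppid": 300, "image": "cmd.exe",        "user": "CORP\\alice", "net": False},
    {"pid": 410, "ppid": 400, "image": "svchost.exe",    "user": "NT AUTHORITY\\SYSTEM", "net": True},
    {"pid": 420, "ppid": 100, "image": "svchost.exe",    "user": "CORP\\alice", "net": False},
    {"pid": 500, "ppid": 100, "image": "iexplore.exe",   "user": "CORP\\alice", "net": True},
    {"pid": 510, "ppid": 500, "image": "java.exe",       "user": "CORP\\alice", "net": True},
    {"pid": 520, "ppid": 510, "image": "cmd.exe",        "user": "CORP\\alice", "net": False},
]

# Accounts under which svchost.exe is normally launched (assumed allow-list).
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}

# Ancestry rules, child first: the process, then its parent, then its grandparent.
CHAIN_RULES = {
    "outlook>word>powershell": ["powershell.exe", "winword.exe", "outlook.exe"],
    "ie>java>shell": ["cmd.exe", "java.exe", "iexplore.exe"],
}

def lineage(by_pid, pid):
    """Return image names from the process up through its known ancestors."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at unknown parent or cycle
        seen.add(pid)
        names.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return names

def detect(events):
    """Return (rule_name, pid) pairs for every event matching one of the patterns."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image, pid = e["image"].lower(), e["pid"]
        chain = lineage(by_pid, pid)
        for name, rule in CHAIN_RULES.items():
            if chain[:len(rule)] == rule:          # exact parent/grandparent match
                hits.append((name, pid))
        if image == "notepad.exe" and (e["net"] or any(c["ppid"] == pid for c in events)):
            hits.append(("notepad>child_or_net", pid))
        if image == "svchost.exe" and e["user"].lower() not in SYSTEM_ACCOUNTS:
            hits.append(("svchost>non_system_user", pid))
    return hits
```

Each rule keys on the parent/child relationship rather than on any hash, domain or IP, which is why recompiling a payload or moving servers does not evade it.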
For an attacker, changing an indicator of compromise is as simple as a physical-world criminal changing his shirt or wearing a wig. It’s a simple, cheap task. It’s incredibly easy to spin up a new server, register a new domain, or recompile a payload to change its hash. But it’s very hard (read: expensive) to change how you go about fooling the user with the spear-phishing attack; how you download second- and third-stage payloads; how you persist; and how you traverse the network. This is why patterns of attack are so valuable. The same techniques are used with different servers, different applications for exfiltrating data, etc. The overall “story” stays the same.