Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives //

Carbon Black

6/20/2016
01:30 PM
Ben Johnson
Ben Johnson
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

A Real World Analogy For Patterns of Attack

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could.

In last week’s post, we talked about the important differences between indicators of compromise (IOCs) and patterns of attack (POAs).  To better understand why patterns of attack are exponentially better, consider this physical-world analogy.

Convenience Store Robbery

Investigating Using IOCs: Investigators come to find that during this robbery, the criminal used a crowbar to break the glass on the front door; wore a blue shirt; had short, light-colored hair; and used a hiking backpack to stash the cash from the register.

What exactly have the investigators learned, if anything? 

  • Crowbars are sometimes used in smash-and-grab robberies. 

“Ok, let’s make sure to look out for anyone carrying a crowbar in plain sight.”

  • Sometimes, people wearing blue shirts with short, light-colored hair may commit crimes. 

“Ok, let’s look out for anyone wearing a blue shirt that has light-colored hair.”

  • Hiking backpacks are sometimes a tool used during burglaries.

“Ok, let’s try to monitor hiking backpack sales in this area moving forward.”

That’s not a lot of substance to go on for this investigation. We have an incomplete picture.

Investigating the Same Crime Using POAs: Investigators come to find that for the past two weeks, someone has been parked in the store parking lot at night noting what time the clerk locks up for the night and what time the rent-a-cop security detail passes by the store. The burglar drives to the store at precisely the right time of night to break in. He knows there’s an archaic alarm system on the door so he successfully cuts power to the building prior to entering to deactivate the alarm. Once inside, he approaches the register, opens the register drawer, takes the cash and exits the store.

What patterns has the burglar exhibited here?

  • In order to get to the store, the burglar needs to drive to (or close to) the store’s location.
  • He has to deactivate the alarm.
  • He has to enter the building before getting access to the real goal, the cash register.
  • He has to open the register drawer.
  • He needs to leave the premises with the cash in hand.

Individually, these single indicators of an attack tell an incomplete picture. Driving to, or near, a store doesn’t reveal a whole lot to investigators. Thousands of people do that every single day. What about entering the store? Same idea. Thousands of people. And while deactivating an alarm or opening a register drawer appear to be a lot closer to “burglary-type” activity, there are numerous instances where both are done on a regular basis. These are simply indications that a crime might be committed.

It’s only when this sequence, or pattern, of attack behaviors shows up do we really start to see what is happening from an investigation standpoint.

When someone drives near the store late at night THEN attempts to enter the building THEN attempts to deactivate the alarm THEN opens the register drawer, we almost CERTAINLY have an attempted burglary on our hands.

Also notice how none of the behavior patterns exhibited can be changed. Failure to do any one of the steps will result in a failed mission for the robber. It’s ripe for disruption-in-depth, but we’ll leave that for another day.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re just looking for one item in the sequence of events, that’s when issues like too many tips or -- in the cyberworld -- false positives start becoming a bigger issue than the malicious behavior itself.  After all, if you cannot respond to a tip or an alert, it’s just noise.  

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20828
PUBLISHED: 2021-09-17
Cross-site scripting vulnerability in Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions allows a remote attacker to inject an arbitrary script via unspecified vectors.
CVE-2021-20790
PUBLISHED: 2021-09-17
Improper control of program execution vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to execute an arbitrary command or code via unspecified vectors.
CVE-2021-20791
PUBLISHED: 2021-09-17
Improper access control vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to bypass access restriction and to exchange unauthorized files between the local environment and the isolated environment or settings of the web browser via unspecified vectors.
CVE-2021-20825
PUBLISHED: 2021-09-17
Cross-site scripting vulnerability in List (order management) item change plug-in (for EC-CUBE 3.0 series) Ver.1.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.
CVE-2020-21602
PUBLISHED: 2021-09-16
libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file.