Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives //

Carbon Black

6/13/2016
10:32 AM
Ben Johnson
Ben Johnson
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Patterns Of Attack Offer Exponentially More Insight Than ‘Indicators’

In the cyberworld, patterns of attack provide investigators with context and the precise sequence of events as a cybercrime unfolds.

When investigating a crime in the physical world, successful detectives are able to put together individual pieces of evidence to unveil a criminal’s pattern of behavior. A single footprint is interesting; it gives you the size of the bad guy’s foot and what type of shoes he wore. The bad guy can change his shoes between crimes, of course, but he probably won’t come up with a new technique for breaking into individual houses. An understanding of a criminal’s behavior – his patterns, if you will -- can give investigators a level of insight that will help them catch that criminal the next time he attempts to do something bad, new shoes or not.

This way of approaching the problem can also tie together multiple incidents that were previously thought unrelated, perhaps because the weapons or descriptions of the individuals performing the crimes weren’t exactly the same.

In the cybersecurity world, we call these behavior patterns “patterns of attack,” and they are revolutionizing the way breach detection and incident response is being conducted around the world.

You’ve no doubt heard the term “indicators of compromise.” IOCs are -- in the way the security community typically thinks about them -- atomic pieces of information or singular attributes. Examples of IOCs are IP addresses, domain names, URLs, file hashes, and similar metadata around tools or actions that occurred during an attack. But context matters -- a lot -- and it’s hard to know context when all you have is an IP address or file hash.

Context Is Critical

Solving cybercrimes (or any crime, really) requires context, and to get context you have to look at relationships. Relationships between IOCs and other events are often patterns of behavior, and that’s why the shift beyond IOCs is occurring.

When your company’s intellectual property and reputation are on the line, the CEO wants to hear something a lot more confident than: “We have an indication of how we might have been attacked.” Instead, she wants to hear: “We have a precise record of what this attacker tried to do. We know exactly what they actually did. We’ve closed the gap. They cannot attack us this same way again.”

Patterns of attack provide investigators with the precise sequence of events as a cybercrime unfolds. There is clear cause-and-effect insight into where an attacker gained access, what he tried to do, how he attempted exfiltration, and ultimately what the exact root cause of the attack was. If an investigator does not understand the root cause of the attack, he’s provided no additional insight into how an organization can be better protected in the future.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re just looking for one item in the sequence of events, that’s when issues such as too many tips -- or in the cyberworld, false positives -- start becoming a bigger issue than the malicious behavior itself. After all, if you cannot respond to a tip or an alert, it’s just noise. 

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Abandun
50%
50%
Abandun,
User Rank: Apprentice
6/14/2016 | 10:41:34 AM
Are we attempting to change terms now?
I liked this article better the first time when "patterns of attack" were called TTPs. thanks for the new information?>
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29144
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or e...
CVE-2020-29145
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing t...
CVE-2020-29136
PUBLISHED: 2020-11-27
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
CVE-2020-29137
PUBLISHED: 2020-11-27
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
CVE-2020-29135
PUBLISHED: 2020-11-27
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).