
Partner Perspectives // Carbon Black
6/27/2016 10:00 AM
Ben Johnson

Shifting The Economic Balance Of Cyberattacks

Our goal should be to simply make the cost of conducting a cyberattack so expensive that cybercriminals view attacking our organization as a bad return on investment.

A harsh reality for those of us working in information security is that the businesses we’ve been asked to protect are battling businesses that are built to attack. That is to say we are rarely, if ever, up against the lone-wolf attacker wearing a hoodie in a basement. We are battling crime syndicates, nation states, and cyberthieves whose main concern is simple: to earn money.

To an attacker, staying “in business” means a few things:

Being opportunistic when selecting targets: Making money means going after the softest targets first without wasting time on attacks that will not quickly result in information that can be monetized. Attackers will almost always select the path of least resistance when it comes to launching attacks.

Optimizing “attack” time: Every hour spent without success on a hardened target is an hour not spent on a softer one. Attackers will reach for the “tried and true” vulnerabilities and the attack methods that have worked before -- the TTPs (tactics, techniques, and procedures) already in their toolbox -- before inventing new ones.

Counting on “good guy” businesses to keep acting in isolation: Research suggests that the single biggest factor in deterring an attack is whether an organization shares threat intelligence with its peers. Sharing the right kind of threat intelligence means attackers can no longer reuse the same attack vector against target after target; they must reinvent their tactics each time, and that is very expensive.

The bottom line is that our goal in playing defense is not necessarily to become the hero and dramatically unmask major crime syndicates like a foiled Scooby Doo plot. Our goal is to simply make the cost of conducting a cyberattack more expensive -- so much so that cybercriminals view attacking our organization as a bad return on investment. 

We recently discussed how patterns of attack are far more revealing than individual indicators of compromise, and how understanding the root cause of an attack lets a security team close the original infection vector within minutes.

For attackers, finding a new vulnerability and building a reliable exploit for it can take months of research and cost well over $1 million. It is no surprise, then, that attackers use and reuse the same pattern of attack for months (if not years), on target after target after target, for as long as it keeps working.

Patterns don’t necessarily have to be complicated, either. For example:

  • Outlook spawns Word, which spawns PowerShell
  • Notepad spawns a child process or makes a connection to the internet
  • Svchost is launched under a non-system user account
  • Internet Explorer spawns Java, which then spawns a command shell

For an attacker, changing an indicator of compromise is as simple as a physical-world criminal changing his shirt or putting on a wig. It is a simple, cheap task: spinning up a new server, registering a new domain, or recompiling a payload to change its hash takes minutes. But it is very hard (read: expensive) to change how you fool the user with the spear phishing lure, how you download second- and third-stage payloads, how you persist, and how you traverse the network. This is why patterns of attack are so valuable. The same techniques are reused with different servers, different tools for exfiltrating data, and so on; the overall “story” stays the same.
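The four patterns listed above, and the point that a recompiled payload does not change them, as an added example that is not part of the original article or of Carbon Black's product: the process events below are constructed for illustration, and the field names (pid, ppid, image, user, net, sha256) are assumptions about what an endpoint sensor records. The rules key on process ancestry and behaviour only, so re-hashing every binary leaves the detections unchanged.

```python
"""Match patterns of attack (parent/child process chains and out-of-place
behaviour) against endpoint process telemetry.

Added example, not Carbon Black's code. The events below are constructed for
illustration; the field names (pid, ppid, image, user, net, sha256) are
assumptions about what an endpoint sensor records."""
from dataclasses import dataclass, replace

# Accounts under which svchost.exe is normally launched (assumption: Windows defaults).
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Ancestry patterns from the article, written child-first so they can be
# compared against the front of an ancestry chain.
CHAIN_RULES = {
    "outlook->word->powershell": ["powershell.exe", "winword.exe", "outlook.exe"],
    "ie->java->cmd": ["cmd.exe", "java.exe", "iexplore.exe"],
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str            # executable name, lower-cased
    user: str
    net: bool = False     # made an outbound network connection
    sha256: str = ""      # an indicator the attacker can change at will


def ancestry(by_pid, pid):
    """Return [image, parent image, grandparent image, ...] for pid,
    stopping at the first parent the telemetry does not contain."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect(procs):
    """Return [(rule name, pid), ...] in telemetry order.
    No rule looks at sha256, a domain or an IP: only at behaviour."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)

    hits = []
    for p in procs:
        chain = ancestry(by_pid, p.pid)
        for name, pattern in CHAIN_RULES.items():
            if chain[: len(pattern)] == pattern:
                hits.append((name, p.pid))
        # Notepad has no business spawning anything or talking to the network.
        if p.image == "notepad.exe" and (p.net or children.get(p.pid)):
            hits.append(("notepad child/network", p.pid))
        # svchost.exe launched under an interactive user account.
        if p.image == "svchost.exe" and p.user not in SYSTEM_ACCOUNTS:
            hits.append(("svchost non-system user", p.pid))
    return hits


def recompiled(procs, new_hash="ffff"):
    """Simulate the attacker recompiling every payload: same tree, new hashes."""
    return [replace(p, sha256=new_hash) for p in procs]


# Constructed telemetry (not from a real host). pid 1 is the unrecorded root.
SAMPLE = [
    Proc(100, 1, "explorer.exe", "CORP\\alice"),
    Proc(200, 100, "outlook.exe", "CORP\\alice"),
    Proc(300, 200, "winword.exe", "CORP\\alice"),
    Proc(400, 300, "powershell.exe", "CORP\\alice", net=True, sha256="aaaa"),
    Proc(500, 100, "notepad.exe", "CORP\\alice", net=True),
    Proc(600, 100, "svchost.exe", "CORP\\alice"),
    Proc(700, 1, "svchost.exe", "NT AUTHORITY\\SYSTEM"),      # benign
    Proc(800, 100, "iexplore.exe", "CORP\\alice"),
    Proc(900, 800, "java.exe", "CORP\\alice"),
    Proc(1000, 900, "cmd.exe", "CORP\\alice", sha256="bbbb"),
    Proc(1100, 100, "notepad.exe", "CORP\\alice"),
    Proc(1200, 1100, "cmd.exe", "CORP\\alice"),
    Proc(1300, 100, "chrome.exe", "CORP\\alice", net=True),   # benign
]

if __name__ == "__main__":
    before = detect(SAMPLE)
    after = detect(recompiled(SAMPLE))
    for name, pid in before:
        print(f"{name:28s} pid={pid}")
    print("same hits after recompiling payloads:", before == after)
```

The chain rules compare the front of the ancestry list, so an extra ancestor above Outlook (explorer.exe here) does not break the match; a production rule set would also want to handle cases such as Word launched directly from Explorer, which this list deliberately leaves benign because the article's pattern starts at Outlook.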

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comments

ronbo142,
User Rank: Apprentice
6/30/2016 | 9:01:48 AM
Risk to Reward Ratio
This article has great value in helping cyber security professionals understand how we might better protect and defend our treasures (i.e., the information). One of my thoughts is establishing a ratio that will help management understand the financial impact and the investment needed to increase protection to the point where the "hackers" decide to look for that softer target. The variables for the hackers are personal risk (will I get caught), punishment (what will I be charged with), outcome of that charge (how much time will I do) and finally capital investment (how much do I need to spend in time and money) to obtain a return.

The ratio PR+P+O+I < R

Making the left side so painful that the right side is undesirable is the strategy outlined in the article.

Thoughts?


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9982
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
CVE-2020-3855
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.
CVE-2020-3863
PUBLISHED: 2020-10-27
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. An application may be able to execute arbitrary code with system privileges.
CVE-2020-3864
PUBLISHED: 2020-10-27
A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin.
CVE-2020-3880
PUBLISHED: 2020-10-27
An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 6.1.2, iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. Processing a maliciously crafted image may lead to arbit...