The threats against enterprise networks continue to multiply. So if IT is going to effectively reduce the risks to its most valuable assets, it needs to learn to prioritize. Otherwise it is never going to keep up with the threat actors.
"You can’t really try to protect everything against everyone," says Dmitri Alperovitch, CTO of CrowdStrike. "That’s just not sustainable. No one has the resources or capabilities to do that."
This week Alperovitch is taking his message to Interop, where he'll lead the talk "Understand Your Attackers." A long-time security veteran and proponent of leveraging actionable threat intelligence, Alperovitch regularly advocates for CIOs, CSOs and other IT leaders to do a better job of understanding the motivations and standard techniques of the attackers most likely to target their organizations, in order to tailor their defenses to these likely suspects.
"If you don’t understand the attackers who may be coming after you, if you don’t know their tradecraft, you really have very little chance of tailoring your defenses to the threat that’s out there that you’re going to need to meet," he explains.
As organizations begin to understand the motivations and working conditions of attackers, they'll also start to get a better grasp of how persistent the adversary will be, even after having been thwarted from their first incursion into the network.
"People tend to think of breaches as a discrete event. A company gets hacked, they clean up, they announce to the world that everything is great again and the CEO writes a heartfelt apology to the customer," he says. "The reality is the adversaries don't give up when they've been detected and kicked out. They're launching long-term campaigns against us. Because if it's a nation-state operation, you've got a soldier or an intelligence officer who has a job to do and he's got a general knocking on his door saying 'Where's my data from this company?' and you don't just give up because you got kicked out."
When his firm deals with customers, he sees adversaries literally coming back within an hour of being discovered and booted from the network, trying again with a new line of attack. As he explains, being attacked is a continuum rather than a discrete event.
"If they don't come back, you should worry because it means they've already taken everything," he warns.
He explains one success that his team recently had, in which they discovered a Chinese attacker going after one of its customers. After the initial clean-up, the attacker tried multiple avenues over the course of four months, breaking in and failing to get traction, breaking in and failing again, rinse and repeat.
"So they brought in the 'A' team that brought a Windows kernel zero-day, which we detected and reported to Microsoft, effectively burning that zero-day," he says, explaining that the continuous work is what eventually got the attacker to give up because "we were able to raise the costs high enough where they decided those victims weren't worth it."