Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/13/2013
11:09 PM
Dark Reading
Dark Reading
Quick Hits
50%
50%

How Cybercriminals Choose Their Targets And Tactics

Targeted attacks are becoming pervasive. Here's a look at how those targets are chosen -- and how your organization might avoid being one of them

[Excerpted from "How Cybercriminals Choose Their Targets and Tactics," a new, free report posted this week on Dark Reading's Advanced Threats Tech Center.]

When police officers go undercover, they must successfully blend into an environment that few of us would ever willingly choose to live in. Good undercover officers know the tactics of traditional criminals because they live in the criminals' world. They study the criminals' tactics, tools and psyches, and can thus anticipate certain behaviors because they understand the end goals.

In some respects, staying a step ahead of cybercriminals is much more difficult than staying ahead of your average street criminal. You won't catch black-hat hackers with traditional surveillance, because they can inflict as much damage in their pajamas as they could if they got dressed and robbed a bank.

Cybercriminals often fit no specific profile. They can effectively hide their tracks through proxies and spoofing. They change their tactics often, and they are adept at hiding tools and other malicious code through obfuscation. Good cybercriminals understand the digital trails they leave, and how easy or hard it is for big-business security tools to detect those activities.

And unlike many security pros, good cybercriminals can code. Talented black hats enjoy decompiling a piece of commercial software for fun,or coding a new botnet with a feature set that is a security admin's worst nightmare.

So how do you defend yourself against an ever-evolving, nameless, faceless enemy that adapts to your defenses as quickly as you can deploy them? The unfortunate reality is that you can never fully defend yourself against a truly skilled cybercriminal, but you can certainly make your organization a more difficult target by deploying the right tools and implementing the right best practices.

A security pro's best defense is to act like an undercover cop, gaining intimate knowledge of how the bad guys operate. Attackers care about advanced cryptography, decompilers and reverse-engineering methods. They know about APIs and SQL. Indeed, as a security pro, you won't necessarily get the knowledge you need to protect your organization by studying for a CISSP all day long -- you need to spend time living in the world that cybercriminals inhabit.

Before motivated attackers can launch a strike, they need to target a victim. The choice of target depends largely on the motive for an attack, but it also depends on organizations' vulnerability to attack.

While some cybercriminals focus their efforts on spreading damage far and wide through malware development, others are content to troll the Internet for sites that are vulnerable to a more direct attack. A black hat who is trolling around for a victim generally uses a simple methodology to set up an attack, but step one of that process always requires the discovery of a target.

The most effective way to select a target is to use a vulnerability scanner. Every organization has exposed public-facing services that could be used as a conduit for attack, and vulnerability scanners and bots can make quick work of finding potential targets for attacks.

Some black hats prefer to exploit network-centric vulnerabilities, so they will unleash scanners on your externally facing IP block, looking to attack hosts listening for SSH, FTP, HTTP, Telnet and RDP (to name a few). Other attackers will use vulnerability scanners to look for externally facing sites that are vulnerable to SQL injection, cross-site scripting attacks or local or remote file include attacks. If an attacker is motivated to hit a specific application or database, then multiple vulnerabilities may be exploited to set up an attack.

To read more about cybercriminals' methods of choosing a target and an attack -- and what you can do to reduce your chances of being a victim -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
1/21/2013 | 11:23:32 PM
re: How Cybercriminals Choose Their Targets And Tactics




Great article and
very informative for anyone. -Think about
a bank robber and how long they stake out a target bank before actually committing
the robbery. The criminals gather everything from delivery times, to employees
break scheduling. Why wouldnGt a cybercriminal do the same thing with a target they
were planning on attacking? Information on these topics is the best defense to
avoid finding you a victim.

Paul Sprague

InformationWeek Contributor
-

MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
1/18/2013 | 2:26:40 PM
re: How Cybercriminals Choose Their Targets And Tactics
In my opinion, a Security Tester,
or hacker, has one of the most exciting and creative jobs in the industry. They
are asked to find as many critical security vulnerabilities in complex software
systems with limited resources - before the application is released or shipped.
They have the challenge of knowing more about the system in the first couple of
days than the developers who wrote the system. They have to find every
vulnerability in the system, while the attacker effectively has all the time
and resources in the world to find only one issue. ThatGs why, I truly believe
that to be effective, they have to get in the attackers mindset, think like the
enemy, if I may say. Also, we have to keep in mind that it takes dedication,
practice and a laser-like focus for years to become the best. Actually, hereGs
a great article on this matter: http://blog.securityinnovation....-
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11809
PUBLISHED: 2019-05-20
An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector.
CVE-2019-12198
PUBLISHED: 2019-05-20
In GoHttp through 2017-07-25, there is a stack-based buffer over-read via a long User-Agent header.
CVE-2019-12185
PUBLISHED: 2019-05-20
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web r...
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.