Insights Into Attack Strategies, Planning and Execution
High pay, low labour and no patience: these are the characteristics of most attack campaigns, as the options for cyber-criminals to monetize attacks become broader, less complex and less risky than ever. Cyber-criminals know the value of simply capturing critical data and holding it for ransom; techniques for tricking the finance department have been honed, and the anonymity of Tor and Bitcoin makes getting paid simpler and far less exposed.
Assuming that a business has nothing an attacker would want is the wrong attitude. Even the business with the lowest profile has money in the bank that could be stolen and essential assets that could be captured, ransomed, stolen or sold.
This is why IT needs to know the attackers’ rulebook for success – reuse, recycle and reinfect.
Key attacker strategies
- Reuse – Malware that reuses the zero-day exploits Stuxnet introduced is still in common use six years after it was developed, and attacks that should by now be trivial to stop still work. The vast majority of malware is automatically generated, and it is rare for an entirely new piece of malware to be built from scratch: most malware reuses code and functions, and often infrastructure that has already been built, and campaigns frequently return to long-compromised systems. Phishing, ransomware and DDoS attacks remain sure bets for attackers.
- Recycle – In the age of cloud storage, the keys attackers need to infiltrate a network may already be sitting somewhere on the internet, indexed by Google. Recycling AWS and SSH keys that naïve administrators have posted online gives attackers a way into the network before defenders even have a chance to detect them.
- Reinfect – Attackers are only as stealthy as they need to be and usually follow the path of least resistance. Studies of large, well-known breaches show that attackers are not only noisy but are often detected by security tools; the problem is alert fatigue. Security systems raise so many false positives that simple attacks are buried too deep in the noise to be acted on, so the same attack can succeed, and be repeated, against the same victim.
Defensive tools must shift their focus to the tactics, techniques and procedures (TTPs) attackers rely on, in order to stop them in their path. A small number of TTPs resurface again and again, and many of them can be addressed through simple configuration changes that cost the defender nothing. So how can organisations thwart an attack?
Beating attackers at their own game
A defensive strategy should start with Open Source Intelligence (OSINT) searches that look for the same mistakes attackers look for: private keys and cloud credentials in GitHub or other public code repositories. This is low-hanging fruit for attackers, so the sooner a leaked key is found, revoked and replaced (deleting the commit alone does not help once the key has been indexed), the better.
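As an added example (not code from the article or from the 451 Research paper), here is a minimal scanner in Python for the OSINT check just described; it also covers the Recycle case above, since it looks for the same AWS and SSH private keys that attackers harvest from public repositories. The regexes, the entropy threshold and the sample files are this example's own constructed choices; the AWS values in the sample are the placeholder credentials from AWS's documentation, not live keys.

```python
"""Added example: a minimal leaked-credential scanner of the kind an OSINT
pass over your own public repositories should run. Not from the original
article; regexes, thresholds and sample files are this example's own choices.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # redacted, so the report itself does not leak the secret


# AWS access key IDs are 20 chars: a documented prefix (AKIA long-term, ASIA
# temporary) followed by 16 upper-case alphanumerics. Private keys are PEM
# blocks with a well-known BEGIN header line.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
}

# Generic case: a credential-looking variable assigned a quoted literal. The
# value is then judged by entropy so placeholder passwords are not reported.
KEYWORD_ASSIGN = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key|access[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per char; example choice, tune on your own corpus


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64-style secrets score well above 3.5;
    dictionary words and placeholders such as 'changeme' score far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Keep just enough to triage; never copy whole secrets into tickets or logs."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
        for m in KEYWORD_ASSIGN.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_secret", redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its contents, e.g. read from a repository checkout."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents. The AWS values are the placeholder
# credentials from AWS's own documentation, not live keys.
SAMPLE_FILES = {
    "config/prod.env": "\n".join([
        "# constructed sample file",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        'AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"',
        'DB_PASSWORD="changeme"',
    ]),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n<base64 body omitted>\n-----END RSA PRIVATE KEY-----",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.excerpt}")
```

Run over the sample it reports the access key ID, the 40-character secret (by entropy) and the private key header, but not the `changeme` placeholder, which is the false-positive reduction that keeps such a scan from becoming more alert-fatigue noise. In practice point it at every public repository and its full git history, not just the current tree, since a key removed in a later commit is still retrievable.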
Secondly, organisations should improve visibility in their blind spots, whether at the endpoint, in the data or in the cloud. An effective defence usually does not deter an attacker; it forces them down a different path. Better awareness of the business's own vulnerabilities lets an organisation predict an attacker's next move before it happens. Businesses should also use this process to identify the five to ten software products responsible for the vast majority of infections and disable them or mitigate the threat they pose; this alone cuts the risk of an attack massively.
Finally, employee education is key to prevention. The perimeter is the most critical point for an attacker to evade, and with the majority of budgets focused on protecting the internal corporate network from the public internet, attackers target employees to get through it. Emails with malicious attachments and links still get through and still work. Organisations must therefore educate employees, from board level down, so that everyone is aware of the different types of threat and knows what to do if they spot something malicious in the network.
The only way organisations can protect themselves is by beating the attackers at their own game: being smart, identifying the weak links and educating staff appropriately.
To learn more about attacker innovation and defensive strategies, industry analyst firm 451 Research interviewed several white hats experienced in dealing with the black-hat side of things. Between them, these individuals have over 100 years of security experience, have investigated hundreds of incidents and have given hundreds of talks on the subject.
The result is a provocative new paper titled Tech Industry Doppelgangers: Campaign Innovation in the World of Cybercrime.