How to shift the economic balance of cyber attacks

By Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black

A harsh reality for the information security sector is that the businesses we are asked to protect are battling businesses that are built to attack.

We are rarely, if ever, up against the lone-wolf attacker wearing a hoodie. We are battling crime syndicates, nation-states and cyber thieves whose main concern is simple: earn money. According to a 2016 Ponemon Survey, more than half of attackers are motivated exclusively by economics.

To an attacker, staying in business means:

  • Being opportunistic in selecting targets. Making money means going after the softest targets first without wasting time on attacks that will not quickly yield information that can be monetised. Attackers almost always select the path of least resistance in launching attacks. During the reconnaissance phase of the cyber kill chain, attackers ask a simple question: “How difficult is it going to be for me to monetise this victim?”
  • Optimising attack time – the more time an attacker spends without success on a target, the less time he/she can be hitting softer targets. According to the Ponemon survey, even a technically proficient attacker will quit an attack and move to another target after about a week without success. An attacker will attempt to exploit the tried and true vulnerabilities and use successful attack methods from the past - the tactics, techniques and procedures in their toolbox (TTPs) - before inventing new ones.

Worldwide, businesses will continue to act in isolation. According to the Ponemon survey, the number-one factor in deterring an attack is threat intelligence shared between an organisation and its peers. Sharing the right kind of threat intelligence means that an attacker cannot simply use the same attack vector over and over again. He/she must reinvent tactics every time, which can be extremely expensive.

The bottom line is that our goal in playing defence is not necessarily to become the hero and dramatically unmask major crime syndicates. Our objective is to make the cost of conducting a cyber attack more expensive – so much so that a cyber criminal views attacking an organisation as a bad return on investment.

Shifting the Economic Balance

Patterns of attack (POA) are exponentially more revealing than individual indicators of compromise (IOC), and understanding the root cause of an attack can help a security team to close an original infection vector within minutes. Such indicators offer hope, and patterns deliver confidence.

For attackers, finding a unique vulnerability and effectively exploiting that root cause can take months of research costing more than $1 million. It is no surprise that attackers will use and reuse the same pattern of attack for months, if not years, on target after target until they are successful. According to the Verizon DBIR, the most exploited vulnerabilities are more than a year old.

Usually patterns of attack are not complicated. For example:

  • Outlook runs Word, which runs PowerShell
  • Notepad has a child process or makes a connection to the internet
  • Svchost is executed by a non-system user account
  • Internet Explorer runs Java, which then runs a command shell

For an attacker, changing an indicator of compromise is as easy as a physical-world criminal changing a shirt, or wearing a wig. It is a very simple, economically friendly task. While investigators are looking for a man with the blue shirt and short blonde hair, that same criminal is committing exactly the same crime wearing a red shirt and a shoulder-length black wig.

This is why cyber defence has often been referred to as a game of cat-and-mouse, or an arms race. ‘Shirts’ (IOCs) can be changed easily as they are cheap and simple. Too often we are trying to detect an outdated shirt.

But what if we didn’t care so much about shirt colour or hair length and instead focused on the way that same criminal walked, or something truly inherent to their natural behaviour while attempting an attack. Those patterns are far more expensive to change.

In the cyber world, it’s incredibly easy to spin up a new server, register a new domain or re-compile a payload to change its hash. But it’s very difficult (and expensive) to change your method of fooling the user with the spear-phishing attack, how you download second- and third-stage payloads, how you persist, and how you traverse the network. This is why patterns of attack are so valuable. The same techniques are used with different servers, different applications for exfiltrating data, etc. The overall ‘story’ stays the same.

As we consider the way patterns play into collective defence, and uniting the cyber-security community, think how difficult it would be for attackers to change tactics or techniques if we shared their inherent behaviours with every store or bank in the world.

That network effect would make it exponentially more difficult (and expensive) for the attacker to attempt making even the slightest change before being caught almost immediately. There are only so many entry vectors into an environment, and then only so many ways to traverse the environment to the crown jewels. The more we look for these, the better off we are.

Read more: SAP appoints ex-Yahoo security boss in new CSO role

Traditional security companies and their products tend to look at singular events only. They consider the IOCs with no link to understand the cause-and-effect relationships among the events, and complete blindness to migration patterns. The security industry has often accepted IOCs as the default currency for threat discovery.

In identifying an attacker’s patterns of attack, Carbon Black offers a significantly improved detection rate and, more importantly, the root cause of the attack. This level of insight prevents an attacker from using the same entry mechanism twice. When we share that pattern with our entire community, everyone becomes stronger and better protected.

In his book ‘Good to Great’, Jim Collins writes: “People are not your most important asset. - the right people are.” Threat intelligence is the same. It’s not about sharing: it’s about sharing the right information, and in doing so we can shift the economic balance of cyber attacks.

Join the CSO newsletter!

Error: Please check your email address.

Tags cyber attacksoutlookpowershellNotepadjavaPonemon InstitutePatterns of attackTTPsInternet Explorer

More about Carbon BlackIOCVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kane Lightowler

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place