Want to Strengthen Defences? Think Like an Attacker
- 08 July, 2013 16:18
The recent hike in the number and severity of cyber attacks around the world demonstrates that we are squarely in an era referred to as the “industrialisation of hacking”, which has created a faster, more effective and more efficient sector profiting from attacks on our IT infrastructure. Driven by the desire for economic or political gain or attention to their cause, hackers are executing more sophisticated and damaging attacks that at the same time are becoming easier to launch with widely available tools.
According to the ‘Efficacy of Emerging Network Security Technologies study’ from Ponemon Institute, organisations in Asia Pacific are witnessing a growing number of sophisticated cyber attacks and a changing threat landscape. Furthermore, 47 per cent of organisations agreed that emerging network security technologies are not effective in minimising attacks that aim to bring down web applications or block unwarranted Internet traffic.
Despite the rise of external attacks that call for more comprehensive and holistic security technology investments, the study shows that 55 per cent of the companies surveyed still continue to focus on the inside-out threat. These challenges are forcing companies to rethink their security defence strategies.
No technology is 100 per cent effective in blocking today’s sophisticated attacks at a single point-in-time. Outbreaks will happen and organisations need solutions that span the full attack continuum – before, during and after an attack.
Even the most security-diligent organisations are realising that breaches are no longer an ‘if’ but a ‘when’. Detection and blocking technologies only address part of the problem at a specific point in time and lack the decisive insight to find, analyse and remediate compromised systems on an ongoing basis.
To understand today’s array of threats and effectively defend against them, organisations need to start thinking like attackers. The task of going beyond point-in-time detection to confirm an infection, trace its path, analyse its behaviour, remediate its targets and report on its impact is much needed. With a deeper understanding of the methodical approach that attackers use to execute their mission, as demonstrated by the “attack chain,” IT professionals within organisations can identify ways to strengthen defences. The attack chain is a simplified version of the “cyber kill chain,” which describes the events that lead to, and occur during the various phases of a cyber attack.
The following outlines the methodology used by attackers during the cyber kill chain.
Cyber Kill Chain
Survey: Attackers first enter a company’s infrastructure and deploy surveillance malware to look at the full picture of its environment, regardless of where it exists – network, endpoint, mobile and virtual, to understand what attack vectors are available, what security tools are deployed and what accounts they may be able to capture and use for elevated permissions. This malware uses common channels to communicate and goes unnoticed as it conducts reconnaissance.
Write: Once these intruders have surveyed the organisation’s infrastructure, the attackers then create targeted, context-aware malware. Examples we have seen include malware that detects if it is in a sandbox and acts differently than on a user system, malware that checks for language pack installation (as in the case of Flame) before execution and malware that takes different actions if it is on a corporate versus a home network. Attackers will extend surveillance activities to capture important details about where the assets are and how to get to them. Specific organisations, applications, users, partners, processes and procedures are targeted.
Test: In this phase the malware is checked to confirm that it works as intended against the target. Malware writers have deep pockets and well-developed information-sharing networks. These skilful malware writers recreate an environment and test the malware against the organisation’s technology and security tools to make sure it gets through defences undetected, in effect following software development processes like QA testing or bench testing. This approach is so foolproof that malware writers are now offering guarantees that their malware will go undetected for six or even nine months. This is true industrialisation of hacking.
Execute: Remember that we are not talking about the old days where attackers were in it for the publicity. The financial incentives for secrecy are far greater than the glory. Attackers navigate through the extended network, environmentally aware, evading detection and moving laterally until reaching the target.
Accomplish the mission: Sometimes the end game is to gather data; in other cases it is simply to disrupt or destroy. Whatever it is, attackers have more information and a targeted plan of attack to maximise success of their mission. Once the mission is complete these skilled intruders will remove evidence but maintain a beachhead for future attacks.
When in Rome, do as the Romans – In this case, think like an attacker.
Given the attack chain, what can defenders do to strengthen defences? It’s pretty clear that attackers are taking advantage of three key capabilities to hone their missions. Defenders must use these very same capabilities to better protect against attacks, including:
1. Visibility: Attackers have full visibility of the IT environment, and so must organisations. To more effectively protect your organisation you need a baseline of information across your extended network (which includes endpoints, mobile devices and virtual environments) with visibility into all assets, operating systems, applications, services, protocols, users and network behaviour, as well as potential threats and vulnerabilities. Seek out technologies that not only provide visibility but also offer contextual awareness by correlating extensive amounts of data related to your specific environment to enable more informed security decisions.
2. Automation: Companies need to work smarter, not harder. Hackers are using automated methods to simplify and expedite attacks, and manual processes are inadequate for defending against them. Organisations should adopt technologies that combine contextual awareness with automation to optimise defences and resolve security events more quickly. Policy and rules updates, enforcement and tuning are just a few examples of processes that can be intelligently automated to deliver real-time protection in dynamic threat and IT environments.
3. Intelligence: In an age when hackers are conducting extensive reconnaissance before launching attacks, security intelligence is critical to defeat attacks. Technologies that tap into the power of the cloud and big data analytics deliver the security intelligence organisations need, continuously tracking and storing information about unknown and suspicious files across a widespread community and applying big data analytics to identify, understand and stop the latest threats. Not only can this intelligence be applied to retrospectively secure a company’s environment, mitigating damage from threats that evade initial detection, but it can also update protections for more effective security.
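The retrospective-security idea in the paragraph above (keep recording which files each endpoint has seen, so that when intelligence later marks a file as malicious you can immediately see where it already landed and for how long it went undetected) can be made concrete with a small file-sighting store. The following is an added illustration written for this article, not Sourcefire code or any product’s API; the hostnames, file paths and hashes are constructed sample values, and the hashes are digests of labels rather than real indicators.

```python
"""Retrospective detection over a file-sighting store (added example).

Point-in-time detection happens when a sighting is recorded; retrospective
detection happens when an intelligence update arrives later and every earlier
sighting of the same hash is re-evaluated. All data below is constructed.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Sighting:
    """One observation of a file on an endpoint."""
    host: str
    path: str
    sha256: str
    seen_at: datetime


class RetrospectiveStore:
    """Keeps every sighting per hash plus the latest verdict per hash."""

    def __init__(self):
        self._sightings = defaultdict(list)  # sha256 -> [Sighting, ...]
        self._verdicts = {}                  # sha256 -> "malicious" | "clean"

    def record(self, sighting):
        """Store a sighting and return the verdict known at that moment."""
        self._sightings[sighting.sha256].append(sighting)
        return self._verdicts.get(sighting.sha256, "unknown")

    def update_verdict(self, sha256, verdict):
        """Apply an intelligence update. Returns the earlier sightings that are
        newly implicated, i.e. the hash was not already marked malicious."""
        previous = self._verdicts.get(sha256, "unknown")
        self._verdicts[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return sorted(self._sightings.get(sha256, []), key=lambda s: s.seen_at)
        return []

    def affected_hosts(self, sha256):
        """Every host that has ever seen this hash, for scoping remediation."""
        return sorted({s.host for s in self._sightings.get(sha256, [])})

    def dwell_time_days(self, sha256, verdict_at):
        """Whole days between the earliest sighting and the verdict, i.e. how
        long the file sat inside the environment before it was identified."""
        sightings = self._sightings.get(sha256)
        if not sightings:
            return None
        first = min(s.seen_at for s in sightings)
        return (verdict_at - first).days


def _h(label):
    # Constructed hash: the digest of a label, not of any real file.
    return hashlib.sha256(label.encode()).hexdigest()


def _ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def run_demo():
    """Constructed scenario: a file is seen on two hosts before intelligence
    catches up, then on a third host afterwards."""
    store = RetrospectiveStore()
    bad, benign = _h("constructed-sample-A"), _h("constructed-sample-B")

    verdicts_at_record = [
        store.record(Sighting("ws-017", r"C:\Users\a\Downloads\invoice.exe", bad, _ts("2013-07-01T09:12:00"))),
        store.record(Sighting("ws-042", r"C:\Users\b\AppData\Local\Temp\upd.exe", bad, _ts("2013-07-02T14:03:00"))),
        store.record(Sighting("srv-db1", "/opt/app/bin/agent", benign, _ts("2013-07-03T08:00:00"))),
    ]
    store.update_verdict(benign, "clean")

    # Intelligence arrives four days after the first sighting: every earlier
    # sighting of the hash is flagged retrospectively.
    verdict_at = _ts("2013-07-05T10:00:00")
    retro = store.update_verdict(bad, "malicious")

    # A later sighting of the same hash is caught at point-in-time.
    later = store.record(Sighting("ws-099", "/tmp/upd", bad, _ts("2013-07-06T11:30:00")))

    return {
        "verdicts_at_record": verdicts_at_record,
        "retro_hosts": [s.host for s in retro],
        "affected_hosts": store.affected_hosts(bad),
        "dwell_days": store.dwell_time_days(bad, verdict_at),
        "later_verdict": later,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the split between `record` and `update_verdict` is that the first two sightings pass as unknown at the time, which is exactly the gap point-in-time detection leaves; the sighting history is what lets the later verdict be turned into a list of hosts to remediate and a dwell-time figure to report.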
In a world in which attackers seem to be gaining an advantage, defenders need to fight fire with fire. Security technologies that enable visibility, automation and intelligence can help break the attack chain and foil attacks.
Chris Wood is Regional Director, ANZ at Sourcefire