Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives //

Carbon Black

6/13/2016
10:32 AM
Ben Johnson
Ben Johnson
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Patterns Of Attack Offer Exponentially More Insight Than ‘Indicators’

In the cyberworld, patterns of attack provide investigators with context and the precise sequence of events as a cybercrime unfolds.

When investigating a crime in the physical world, successful detectives are able to put together individual pieces of evidence to unveil a criminal’s pattern of behavior. A single footprint is interesting; it gives you the size of the bad guy’s foot and what type of shoes he wore. The bad guy can change his shoes between crimes, of course, but he probably won’t come up with a new technique for breaking into individual houses. An understanding of a criminal’s behavior – his patterns, if you will -- can give investigators a level of insight that will help them catch that criminal the next time he attempts to do something bad, new shoes or not.

This way of approaching the problem can also tie together multiple incidents that were previously thought unrelated, perhaps because the weapons or descriptions of the individuals performing the crimes weren’t exactly the same.

In the cybersecurity world, we call these behavior patterns “patterns of attack,” and they are revolutionizing the way breach detection and incident response is being conducted around the world.

You’ve no doubt heard the term “indicators of compromise.” IOCs are -- in the way the security community typically thinks about them -- atomic pieces of information or singular attributes. Examples of IOCs are IP addresses, domain names, URLs, file hashes, and similar metadata around tools or actions that occurred during an attack. But context matters -- a lot -- and it’s hard to know context when all you have is an IP address or file hash.

Context Is Critical

Solving cybercrimes (or any crime, really) requires context, and to get context you have to look at relationships. Relationships between IOCs and other events are often patterns of behavior, and that’s why the shift beyond IOCs is occurring.

When your company’s intellectual property and reputation are on the line, the CEO wants to hear something a lot more confident than: “We have an indication of how we might have been attacked.” Instead, she wants to hear: “We have a precise record of what this attacker tried to do. We know exactly what they actually did. We’ve closed the gap. They cannot attack us this same way again.”

Patterns of attack provide investigators with the precise sequence of events as a cybercrime unfolds. There is clear cause-and-effect insight into where an attacker gained access, what he tried to do, how he attempted exfiltration, and ultimately what the exact root cause of the attack was. If an investigator does not understand the root cause of the attack, he’s provided no additional insight into how an organization can be better protected in the future.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re just looking for one item in the sequence of events, that’s when issues such as too many tips -- or in the cyberworld, false positives -- start becoming a bigger issue than the malicious behavior itself. After all, if you cannot respond to a tip or an alert, it’s just noise. 

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Abandun
50%
50%
Abandun,
User Rank: Apprentice
6/14/2016 | 10:41:34 AM
Are we attempting to change terms now?
I liked this article better the first time when "patterns of attack" were called TTPs. thanks for the new information?>
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-5271
PUBLISHED: 2019-11-12
Pacemaker before 1.1.6 configure script creates temporary files insecurely
CVE-2014-3599
PUBLISHED: 2019-11-12
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
CVE-2014-7143
PUBLISHED: 2019-11-12
Python Twisted 14.0 trustRoot is not respected in HTTP client
CVE-2018-18819
PUBLISHED: 2019-11-12
A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creat...
CVE-2019-18658
PUBLISHED: 2019-11-12
In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlin...