
Partner Perspectives // Carbon Black
6/20/2016 01:30 PM
Ben Johnson

A Real World Analogy For Patterns of Attack

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could.

In last week's post, we talked about the important differences between indicators of compromise (IOCs) and patterns of attack (POAs). To better understand why patterns of attack are so much more useful, consider this physical-world analogy.

Convenience Store Robbery

Investigating Using IOCs: Investigators come to find that during this robbery, the criminal used a crowbar to break the glass on the front door; wore a blue shirt; had short, light-colored hair; and used a hiking backpack to stash the cash from the register.

What exactly have the investigators learned, if anything? 

  • Crowbars are sometimes used in smash-and-grab robberies. 

“Ok, let’s make sure to look out for anyone carrying a crowbar in plain sight.”

  • Sometimes, people wearing blue shirts with short, light-colored hair may commit crimes. 

“Ok, let’s look out for anyone with short, light-colored hair who is wearing a blue shirt.”

  • Hiking backpacks are sometimes a tool used during burglaries.

“Ok, let’s try to monitor hiking backpack sales in this area moving forward.”

That’s not a lot of substance to go on for this investigation. We have an incomplete picture.

Investigating the Same Crime Using POAs: Investigators come to find that for the past two weeks, someone has been parked in the store parking lot at night, noting what time the clerk locks up and what time the rent-a-cop security detail passes by the store. The burglar drives to the store at precisely the right time of night to break in. He knows there’s an archaic alarm system on the door, so he cuts power to the building to deactivate the alarm before entering. Once inside, he approaches the register, opens the register drawer, takes the cash and exits the store.

What patterns has the burglar exhibited here?

  • In order to get to the store, the burglar needs to drive to (or close to) the store’s location.
  • He has to deactivate the alarm.
  • He has to enter the building before getting access to the real goal, the cash register.
  • He has to open the register drawer.
  • He needs to leave the premises with the cash in hand.

Individually, these single indicators of an attack paint an incomplete picture. Driving to, or near, a store doesn’t reveal a whole lot to investigators; thousands of people do that every single day. What about entering the store? Same idea. Thousands of people. And while deactivating an alarm or opening a register drawer look a lot closer to “burglary-type” activity, both happen legitimately many times a day. On their own, these are merely indications that a crime might be committed.

It’s only when this sequence, or pattern, of attack behaviors shows up that we really start to see what is happening from an investigation standpoint.

When someone drives near the store late at night THEN attempts to enter the building THEN attempts to deactivate the alarm THEN opens the register drawer, we almost CERTAINLY have an attempted burglary on our hands.

Also notice that the burglar cannot change or skip any of these steps: failing at any one of them means a failed mission. That makes the chain ripe for disruption-in-depth, but we’ll leave that for another day.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re only looking for one item in the sequence of events, that’s when issues like too many tips, or in the cyber world false positives, become a bigger problem than the malicious behavior itself. After all, if you cannot respond to a tip or an alert, it’s just noise.
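To make the false-positive argument concrete, here is an added example (not from the original post and not Carbon Black code) in Python. It runs two detectors over a constructed event log modelled on the store story: an IOC-style rule set that alerts on every occurrence of each step, and a POA-style rule that alerts only when one actor performs the whole chain in order, starting late at night, inside a time window. The event names, actors, timestamps, the one-hour window and the 22:00 to 05:00 "late at night" cut-off are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log for the store analogy: (timestamp, actor, event).
# These records are made up to exercise the two detectors; they are not real
# telemetry. In the cyber mapping, actor is a host or user and events are
# endpoint telemetry such as process starts or registry changes.
EVENTS = [
    ("2016-06-13 09:55", "clerk",   "approach"),
    ("2016-06-13 09:58", "clerk",   "enter"),
    ("2016-06-13 09:59", "clerk",   "alarm_off"),      # normal opening routine
    ("2016-06-13 10:02", "clerk",   "register_open"),
    ("2016-06-13 10:40", "cust-1",  "approach"),
    ("2016-06-13 10:41", "cust-1",  "enter"),
    ("2016-06-13 13:10", "cust-2",  "approach"),
    ("2016-06-13 13:12", "cust-2",  "enter"),
    ("2016-06-13 22:00", "clerk",   "register_open"),  # counting the till at close
    ("2016-06-13 22:10", "cust-3",  "approach"),       # late, but only parks
    ("2016-06-14 02:05", "burglar", "approach"),
    ("2016-06-14 02:09", "burglar", "alarm_off"),      # cuts power before entering
    ("2016-06-14 02:11", "burglar", "enter"),
    ("2016-06-14 02:13", "burglar", "register_open"),
    ("2016-06-14 02:15", "burglar", "exit"),
]

# The ordered chain from the text: drive near the store, deactivate the alarm,
# enter, open the register. The order follows the story (power is cut before
# entry). Window and night hours are assumptions for the example.
PATTERN = ["approach", "alarm_off", "enter", "register_open"]
WINDOW = timedelta(minutes=60)   # every step must land within this span
NIGHT_START, NIGHT_END = 22, 5   # "late at night" is 22:00 through 04:59


def parse(events):
    """Turn the string log into time-sorted (datetime, actor, event) tuples."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), actor, ev)
            for ts, actor, ev in events]
    return sorted(rows, key=lambda r: r[0])


def is_late_night(ts):
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def single_indicator_alerts(events):
    """IOC-style detection: each step of the chain is its own rule, so every
    occurrence of any step raises an alert. Returns alert counts per step."""
    counts = defaultdict(int)
    for _, _, ev in parse(events):
        if ev in PATTERN:
            counts[ev] += 1
    return dict(counts)


def match_sequence(seq, pattern, window, start_ok):
    """Find the first in-order occurrence of `pattern` in `seq`, a time-sorted
    list of (ts, event) for one actor. The first step must satisfy `start_ok`
    and the last step must fall within `window` of it. Unrelated events may be
    interleaved; only the relative order of the pattern steps matters.
    Returns (first_ts, last_ts) or None."""
    for i, (start, ev) in enumerate(seq):
        if ev != pattern[0] or not start_ok(start):
            continue
        step = 1
        for ts, later in seq[i + 1:]:
            if ts - start > window:
                break                       # chain took too long; try a later start
            if later == pattern[step]:
                step += 1
                if step == len(pattern):
                    return start, ts
    return None


def pattern_alerts(events, pattern=PATTERN, window=WINDOW):
    """POA-style detection: alert only when a single actor performs the whole
    chain, in order, starting late at night, inside the time window.
    Returns {actor: (first_ts, last_ts)} for each actor that matched."""
    per_actor = defaultdict(list)
    for ts, actor, ev in parse(events):
        per_actor[actor].append((ts, ev))
    hits = {}
    for actor, seq in per_actor.items():
        found = match_sequence(seq, pattern, window, is_late_night)
        if found:
            hits[actor] = found
    return hits


if __name__ == "__main__":
    singles = single_indicator_alerts(EVENTS)
    print("single-indicator alerts:", singles, "total:", sum(singles.values()))
    print("pattern alerts:", pattern_alerts(EVENTS))
```

On this log the single-indicator rules raise fourteen alerts, thirteen of them for the clerk and customers going about their day; the sequence rule raises one, for the actor who chained all four steps within eight minutes at two in the morning. The clerk's morning routine contains the same four events but fails the start-time filter, and the clerk's late-night till count fails because no approach precedes it inside the window. The night filter here is deliberately crude; in practice the "unusual time" condition would come from a per-actor baseline, and it is the ordering and window constraints that do most of the work in cutting noise.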

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ...