Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives //

Carbon Black

6/13/2016
10:32 AM
Ben Johnson
Ben Johnson
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Patterns Of Attack Offer Exponentially More Insight Than ‘Indicators’

In the cyberworld, patterns of attack provide investigators with context and the precise sequence of events as a cybercrime unfolds.

When investigating a crime in the physical world, successful detectives are able to put together individual pieces of evidence to unveil a criminal’s pattern of behavior. A single footprint is interesting; it gives you the size of the bad guy’s foot and what type of shoes he wore. The bad guy can change his shoes between crimes, of course, but he probably won’t come up with a new technique for breaking into individual houses. An understanding of a criminal’s behavior – his patterns, if you will -- can give investigators a level of insight that will help them catch that criminal the next time he attempts to do something bad, new shoes or not.

This way of approaching the problem can also tie together multiple incidents that were previously thought unrelated, perhaps because the weapons or descriptions of the individuals performing the crimes weren’t exactly the same.

In the cybersecurity world, we call these behavior patterns “patterns of attack,” and they are revolutionizing the way breach detection and incident response is being conducted around the world.

You’ve no doubt heard the term “indicators of compromise.” IOCs are -- in the way the security community typically thinks about them -- atomic pieces of information or singular attributes. Examples of IOCs are IP addresses, domain names, URLs, file hashes, and similar metadata around tools or actions that occurred during an attack. But context matters -- a lot -- and it’s hard to know context when all you have is an IP address or file hash.

Context Is Critical

Solving cybercrimes (or any crime, really) requires context, and to get context you have to look at relationships. Relationships between IOCs and other events are often patterns of behavior, and that’s why the shift beyond IOCs is occurring.

When your company’s intellectual property and reputation are on the line, the CEO wants to hear something a lot more confident than: “We have an indication of how we might have been attacked.” Instead, she wants to hear: “We have a precise record of what this attacker tried to do. We know exactly what they actually did. We’ve closed the gap. They cannot attack us this same way again.”

Patterns of attack provide investigators with the precise sequence of events as a cybercrime unfolds. There is clear cause-and-effect insight into where an attacker gained access, what he tried to do, how he attempted exfiltration, and ultimately what the exact root cause of the attack was. If an investigator does not understand the root cause of the attack, he’s provided no additional insight into how an organization can be better protected in the future.

Patterns reveal exponentially more relevant information about attempted malfeasance than singular indicators of an attack ever could. Context, relationships, and the sequence of events all matter. If you’re just looking for one item in the sequence of events, that’s when issues such as too many tips -- or in the cyberworld, false positives -- start becoming a bigger issue than the malicious behavior itself. After all, if you cannot respond to a tip or an alert, it’s just noise. 

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Abandun
50%
50%
Abandun,
User Rank: Apprentice
6/14/2016 | 10:41:34 AM
Are we attempting to change terms now?
I liked this article better the first time when "patterns of attack" were called TTPs. thanks for the new information?>
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.