
Partner Perspectives // Carbon Black

6/27/2016 10:00 AM

Ben Johnson

Shifting The Economic Balance Of Cyberattacks

Our goal should be to simply make the cost of conducting a cyberattack so expensive that cybercriminals view attacking our organization as a bad return on investment.

A harsh reality for those of us working in information security is that the businesses we’ve been asked to protect are battling businesses that are built to attack. That is to say we are rarely, if ever, up against the lone-wolf attacker wearing a hoodie in a basement. We are battling crime syndicates, nation states, and cyberthieves whose main concern is simple: to earn money.

To an attacker, staying “in business” means a few things:

  • Being opportunistic when selecting targets: Making money means going after the softest targets first, without wasting time on attacks that will not quickly yield information that can be monetized. Attackers will almost always select the path of least resistance when launching attacks.

  • Optimizing “attack” time: The more time attackers spend without success on a target, the less time they have to hit softer targets. Attackers will attempt to exploit the “tried and true” vulnerabilities and reuse attack methods that worked in the past -- the TTPs (tactics, techniques, and procedures) in their toolbox -- before inventing new ones.

  • “Good guy” businesses will continue to act in isolation: Research suggests that the No. 1 factor in deterring an attack is whether an organization shares threat intelligence with its peers. That’s because sharing the right kind of threat intelligence means attackers can’t simply use the same attack vector over and over again. They must reinvent their tactics each and every time. That can be VERY expensive.

The bottom line is that our goal in playing defense is not necessarily to become the hero and dramatically unmask major crime syndicates like a foiled Scooby Doo plot. Our goal is to simply make the cost of conducting a cyberattack more expensive -- so much so that cybercriminals view attacking our organization as a bad return on investment. 

We recently discussed how patterns of attack are exponentially more revealing than individual indicators of compromise and how understanding the root cause of an attack can help a security team close an original infection vector within minutes.

For attackers, finding a unique vulnerability (and effectively exploiting that root cause) can take months of research, costing them more than $1 million. It is no surprise then that attackers will use and reuse the same pattern of attack for months (if not years) on target after target after target until it is successful.

Patterns don’t necessarily have to be complicated, either. For example:

  • Outlook runs Word, which runs PowerShell
  • Notepad has a child process or makes a connection to the internet
  • Svchost is executed by a non-system user account
  • Internet Explorer runs Java, which then runs a command shell

For an attacker, changing an indicator of compromise is as simple as a physical-world criminal changing his shirt or wearing a wig. It’s a simple, inexpensive task. It’s incredibly easy to spin up a new server, register a new domain, or recompile a payload to change its hash. But it’s very hard (read: expensive) to change how you go about fooling the user with the spear-phishing attack; how you download second- and third-stage payloads; how you persist; and how you traverse the network. This is why patterns of attack are so valuable. The same techniques are used with different servers, different applications for exfiltrating data, etc. The overall “story” stays the same.
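To make the four patterns listed above concrete, here is an added example (not Carbon Black's product logic or the author's code) that walks a constructed process-event log and flags each process whose parent chain, user account or behaviour fits one of them. The process names, account names and the `Proc` record layout are assumptions for the sample.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str          # executable name, lower-case
    user: str
    net: bool = False   # made an outbound connection
# Constructed sample telemetry; not from the article or any real host.
SAMPLE = [
    Proc(900, 0, "svchost.exe", "NT AUTHORITY\\SYSTEM"),          # benign
    Proc(1200, 0, "explorer.exe", "CORP\\alice"),
    Proc(1300, 1200, "outlook.exe", "CORP\\alice"),
    Proc(1400, 1300, "winword.exe", "CORP\\alice"),
    Proc(1500, 1400, "powershell.exe", "CORP\\alice", net=True),
    Proc(1600, 1200, "notepad.exe", "CORP\\alice", net=True),
    Proc(1700, 1200, "svchost.exe", "CORP\\alice"),
    Proc(1800, 1200, "iexplore.exe", "CORP\\alice"),
    Proc(1900, 1800, "java.exe", "CORP\\alice"),
    Proc(2000, 1900, "cmd.exe", "CORP\\alice"),
    Proc(2100, 1200, "winword.exe", "CORP\\alice"),                # benign
]
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}
# Parent chains, child first. Adding a pattern is one more table entry.
CHAINS = {"outlook>word>powershell": ("powershell.exe", "winword.exe", "outlook.exe"),
          "ie>java>cmd": ("cmd.exe", "java.exe", "iexplore.exe")}

def ancestry(procs, pid):
    """Return [image, parent image, grandparent image, ...] for pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def detect(procs):
    """Return (pid, rule) for every process matching one of the four patterns."""
    has_child = {p.ppid for p in procs}
    hits = []
    for p in procs:
        chain = ancestry(procs, p.pid)
        for rule, pattern in CHAINS.items():
            if tuple(chain[:len(pattern)]) == pattern:   # prefix of the chain
                hits.append((p.pid, rule))
        if p.image == "notepad.exe" and (p.net or p.pid in has_child):
            hits.append((p.pid, "notepad child/network"))
        if p.image == "svchost.exe" and p.user.lower() not in SYSTEM_ACCOUNTS:
            hits.append((p.pid, "svchost non-system user"))
    return hits
```

Note that none of the rules looks at a hash, domain or IP, so swapping those indicators leaves every detection in place; only changing the sequence itself evades it.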

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ...

Comments
ronbo142, User Rank: Apprentice
6/30/2016 | 9:01:48 AM
Risk to Reward Ratio
This article has great value in helping Cyber Security Professionals understand how we might better protect and defend our treasures (i.e. the information). One of my thoughts is establishing a ratio that will help management understand the financial impact and the needed investment to increase the protection to a point where the "hackers" decide to look for that softer target. The variables for the hackers are personal risk (will I get caught), punishment (what will I be charged with), outcome of that charge (how much time will I do) and finally capital investment (how much do I need to spend in time and money) to obtain a return.

The ratio PR+P+O+I < R

Making the left side so painful that the right side is undesirable is the strategy outlined in the article.

Thoughts?
