It Takes A Thief To Catch A Thief


The cost of cyber security breaches against British businesses amounts to billions of pounds. This cost has tripled over the past year as attacks on intellectual property and customer data appear unstoppable. According to a recent report by the Department for Business, Innovation and Skills, 87 per cent of small businesses and 93 per cent of large organisations experienced at least one kind of security breach in the past year.

This increase in the number and severity of cyber-attacks underlines that hackers have created a fast, effective and efficient sector profiting from attacks on our IT infrastructure. Today’s hackers are executing more sophisticated and damaging attacks than ever before, and at the same time those attacks are becoming easier to deploy with widely available tools.

To understand today’s array of threats and effectively defend against them, IT security professionals need to switch their thinking from a defensive position to an attack stance. With a deeper understanding of the way attackers think, you can identify your weaknesses and strengthen defences.

Here’s the chain of attack that an attacker would deploy. We call this the “cyber kill chain”. Let’s take a look at how this plays out:

1. Survey

Attackers first enter your infrastructure and deploy surveillance malware to look at the full picture of your environment – network, endpoint, mobile and virtual – to understand what attack vectors are available, what security tools are deployed and what accounts they may be able to capture and use for elevated permissions. This malware uses common channels to communicate and goes unnoticed as it conducts reconnaissance.

2. Write

Now that they know what they’re up against, attackers create targeted, context-aware malware. Examples we’ve seen include malware that detects if it is in a sandbox and acts differently than on a user system, malware that checks for language pack installation (as in the case of Flame) before execution, and malware that takes different actions if it is on a corporate versus a home network. Attackers will extend surveillance activities to capture important details about where the assets are and how to get to them. They target your specific organisation, applications, users, partners, processes and procedures.

3. Test

Then they make sure the malware works. Malware writers have deep pockets and well-developed information-sharing networks. They recreate your environment and test the malware against your technology and security tools to make sure it gets through defences undetected – in effect following software development processes like QA testing or bench testing. This approach is so foolproof that malware writers are now offering guarantees that their malware will go undetected for 6 or even 9 months.

4. Execute

Attackers navigate through the extended network, environmentally aware, evading detection and moving laterally until reaching the target.

5. Mission accomplished

Sometimes the end game is to gather data; in other cases it is simply to disrupt or destroy. Whatever it is, they have more information and a targeted plan of attack to maximise the success of their mission. Once the mission is complete they will remove evidence but maintain a beachhead for future attacks.

Strengthen your defences

Taking into account the attack chain, what can defenders do to strengthen their defences? It’s pretty clear that attackers are taking advantage of three key capabilities to hone their missions – visibility, automation and intelligence. Defenders must use these very same capabilities to better protect against attacks.

Attackers have full visibility of your IT environment; you must have it too. To protect your organisation more effectively you need a baseline of information across your extended network (which includes endpoints, mobile devices and virtual environments) with visibility into all assets, operating systems, applications, services, protocols, users and network behaviour, as well as potential threats and vulnerabilities. Seek out technologies that not only provide visibility but also offer contextual awareness by correlating extensive amounts of data related to your specific environment, enabling more informed security decisions.

You need to work smarter, not harder. Hackers are using automated methods to simplify and expedite attacks, and defending against them with manual processes is inadequate. You need to take advantage of technologies that combine contextual awareness with automation to optimise defences and resolve security events more quickly. Policy and rule updates, enforcement and tuning are just a few examples of processes that can be intelligently automated to deliver real-time protection in dynamic threat and IT environments.

In an age when hackers conduct extensive reconnaissance before launching attacks, security intelligence is critical to defeating them. Technologies that tap into the power of the cloud and big data analytics deliver the security intelligence you need: they continuously track and store information about unknown and suspicious files across a widespread community and apply big data analytics to identify, understand and stop the latest threats. Not only can you apply this intelligence retrospectively to secure your environment, mitigating damage from threats that evaded initial detection, but you can also update protections for more effective security.
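One way to build the retrospective capability described above, as an added example that is not code from the article or from Sourcefire: it assumes a hypothetical endpoint agent that reports each file's first sighting as (time, host, hash, path) and a threat-intelligence feed that later issues a verdict per hash, so that a file which was "unknown" when it arrived can be traced to every host it reached once it is judged malicious. The telemetry and verdicts below are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: first-seen file events reported by a
# hypothetical endpoint agent as (time, host, sha256, path).
OBSERVATIONS = [
    ("2013-05-01T09:12:00", "ws-017", "hash-a", r"C:\Users\jb\Downloads\invoice.exe"),
    ("2013-05-01T11:40:00", "ws-042", "hash-a", r"C:\Users\mk\Downloads\invoice.exe"),
    ("2013-05-02T08:05:00", "srv-db1", "hash-b", r"C:\Program Files\Vendor\updater.dll"),
    ("2013-05-02T10:30:00", "ws-017", "hash-c", r"C:\Windows\System32\notepad.exe"),
]

# Constructed intelligence updates: sha256 -> (verdict, time the verdict was issued).
# hash-a was unknown when first seen and judged malicious two days later;
# hash-c has no verdict yet, so it stays in the pool of tracked unknowns.
VERDICTS = {
    "hash-a": ("malicious", "2013-05-03T09:12:00"),
    "hash-b": ("clean", "2013-05-02T12:00:00"),
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def index_by_hash(observations):
    """Group retained observations by file hash so a later verdict can be replayed."""
    seen = defaultdict(list)
    for time, host, sha, path in observations:
        seen[sha].append((_ts(time), host, path))
    return seen

def retrospective_alerts(observations, verdicts):
    """Files judged malicious only after they had already been seen on a host,
    with the dwell time (hours the file sat there before intelligence caught up)."""
    alerts = []
    for sha, sightings in index_by_hash(observations).items():
        verdict = verdicts.get(sha)
        if verdict is None or verdict[0] != "malicious":
            continue
        judged = _ts(verdict[1])
        for first_seen, host, path in sightings:
            if first_seen < judged:  # seen before the verdict existed: missed at the time
                dwell = (judged - first_seen).total_seconds() / 3600
                alerts.append({"sha256": sha, "host": host, "path": path,
                               "first_seen": first_seen.isoformat(),
                               "dwell_hours": round(dwell, 2)})
    return sorted(alerts, key=lambda a: a["first_seen"])
```

Each alert is the starting point for containment on that host; the dwell figure is what the article calls mitigating damage from threats that evaded initial detection.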

In a world in which attackers seem to be gaining an advantage, defenders need to fight fire with fire. Security technologies that enable visibility, automation and intelligence can help break the attack chain and foil attacks.

Leon Ward

Leon is a field product manager for Sourcefire. Prior to joining Sourcefire, Leon was involved in the design and development of open source (OSS) Intrusion Prevention Systems. Leon applies his strong background in UNIX security and protocol analysis to overcome the challenges of network security monitoring in the enterprise, specifically in the areas of network intrusion detection, threat mitigation, event analysis and vulnerability assessment. In the little spare time Leon finds, he is the lead contributor to the open source network traffic forensics project OpenFPC (Open Full Packet Capture).