Security Professionals Must Know the Categories of Threats an Enterprise Faces and How to Respond to Each
On an early spring morning, a consultant steps off a 5 a.m. flight and stumbles down the terminal into a waiting car. The short drive to the offices of a company 18 months post-breach is punctuated by the crisp air and bright sunshine. Walking across the lobby, he can’t help but notice the two security guards sitting behind their wall of monitors and the badge-enabled turnstiles that funnel employees into the building. One such employee gets to the turnstile and yells over to the guards that she forgot her badge and will get it over lunch, and, to no one’s surprise, the guards simply let her through, telling her to remember her badge next time. What looks like a hardened exterior perimeter at first glance is actually a faux security posture with more holes than Swiss cheese. Coincidentally, this is the perfect backdrop for this post.
On multiple occasions during the last three years I’ve been asked to talk with an organization about their security program, specifically focusing on high-level adversaries. The three-letter term “APT” comes up regularly, and those who ask want to know whether the things they’ve done with their security program have prepared them adequately against these emergent and advanced adversaries. If you’ve ever found yourself in that situation with a client or your own organization, you’ll likely nod along as I tell you that, in my experience, about three quarters of the groups who ask about advanced adversaries are asking the wrong questions. Painted with a broad brush, I think that adequately describes the state of enterprise security.
One thing that I think drives many of the security professionals I know crazy is the tendency by some to over-focus on the wrong type of threat. While any enterprise can face an advanced adversary such as a nation-state sponsored attacker, focusing on an advanced level of adversary at the expense of others is not the best use of resources. Yet, this happens every day.
It’s easy to get lost in the hype, with various media outlets reporting ever-more sensationalized stories about big scary hackers. State-sponsored attackers are real, but if that’s where you focus your security program—at the expense of protecting against other threats—you’re likely opening yourself up to bigger problems. In reality, organizations face three different types of threats: generic, targeted and invasive. In my research I’ve found that these three are being addressed disproportionately and, often, in the wrong order.
Generic threats are essentially non-targeted, non-persistent, opportunistic threat types. In fact, they shouldn’t even be called attackers, since much of the compromise is accidental. Think of all the drive-by credential thieves and hard-drive-encrypting malware. All of these are incidental and infect your employees and the other passers-by of some compromised website or application equally. They don’t particularly care who you are or what you do. They want your CPU cycles to join their DDoS botnet, or your $300 to decrypt your valuable files (which you’ve never backed up offline), or something else you may or may not have. They won’t be particularly stealthy and have little intention of staying long — you’re a target of opportunity.
Targeted threats are a little different in that they actually target your company, your department, or you directly. The malware may be generic, or it may be custom-written to bypass the defenses in that ancient Internet Explorer 7 browser your employees are forced to use to access their payroll and timecard applications. The point is that your organization has something someone wants. A database of clients, a top-secret blueprint, or the quarterly earnings a day ahead of release — these are all worthy attack targets to someone properly motivated. Targeted attacks are designed for your organization, your department or you individually, but they aren’t necessarily designed to be stealthy. We say they are targeted but non-persistent because they are the equivalent of the smash-and-grab. Running a truck through the front window, dashing in and taking as much as you can before the police show up is the name of the game. In the cyber realm it’s break in and exfiltrate as much of the targeted data as possible before the security team figures it out and stops you. Sadly, this stopping part happens much less often than we’d like to tell ourselves.
Invasive threats are the ones you really need to think carefully about. They are targeted at your organization, department or you individually, and they are meant to be stealthy and resident for some time. They make themselves resident inside your systems and can float around collecting and exfiltrating sensitive information for days, weeks, months or even years. Much of the time these attackers are well-funded, well-resourced, and have specific goals they need to achieve. Financial motivation can be strong, so when they are discovered they will likely try many different tricks to keep the attack going. Blocking one means of entry, such as a missing patch on a web server, may be a short-lived victory, as the attackers tend to find another way in quickly. If your strategy is to play eternal cat and mouse, you will lose.
Real threats, perceived threats, and why it matters
Many organizations simply choose to build their defenses against the scariest, most damaging type of threat. While this seems like a sound approach, it quickly fails to provide adequate defense as you find yourself focused on stopping Chinese APTs while your organization is overrun by opportunistic malware. Yes, the things that make the headlines are scary and often get the board-level attention; but they aren’t likely the first step in building intelligent defenses. As an organization you need to do two things that will help point the compass in the right direction. First, you need to perform a realistic threat assessment. Figure out your organization’s exposures and work hard to define the biggest risks to your business. What types of failures could damage your organization’s operational capability the most? Would it be the theft of credit card data, or the corruption of your retail database or ERP system? Think about this in terms of business continuity, and suddenly threat assessments take on a whole new meaning. The second thing, which goes hand-in-hand with the first, is an effective threat modeling exercise.
Start with an asset-centric approach. Identify the things that are business-mission-critical, and identify all the ways they are interconnected with everything else inside and outside your organization. Then work on identifying the different ways their various components can be attacked and abused. It’s shocking what you’ll find. For most organizations the next step is to take a software-centric approach and understand how the software that is the lifeblood of their organization is interconnected and can be attacked and exploited. One of the key lessons learned here is that you’ll quickly find all the legacy applications that no longer have source code, have no real owners, and have no chance of being modernized or updated to fix security bugs. These brittle systems litter the enterprise landscape even though security and IT professionals very often flag them as a risk. Lastly, for those organizations which have truly understood and addressed the other threat models, you can move on to attacker-centric. Starting with the most basic attackers and moving up the chain, we can determine how they will likely attack, their goals and methods, and likely outcomes.
All of these help sharpen our defensive capabilities and make security teams more aware of and focused on the real, and not just the front-page, threats. While your nearest competitor may have gotten hacked by China, your biggest threat may be from a third-party supplier who has direct and unfiltered VPN access into your core network to perform maintenance on those three networked shop-floor pieces of equipment.
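One way to make the asset-centric step concrete, as an added example that is not part of the original post: model each asset as a node with a business-impact score, model "has network or logon access to" relationships as directed edges, and compute which untrusted entry points can reach each mission-critical asset and over what path. The asset names, impact scores and connections below are constructed for illustration only, including a supplier maintenance VPN landing on a flat shop-floor network like the one mentioned above. Removing a single edge from the model shows how much a segmentation fix changes the exposure of the crown jewels.

```python
from collections import deque

# Constructed sample inventory (hypothetical asset names and impact scores,
# not taken from the post). impact is 1..10: how badly a compromise hurts the
# business's ability to operate. entry=True marks where untrusted access
# originates (the Internet, a supplier's maintenance VPN).
ASSETS = {
    "internet":              {"impact": 0,  "entry": True},
    "supplier_vpn":          {"impact": 0,  "entry": True},
    "web_server":            {"impact": 5,  "entry": False},
    "employee_workstations": {"impact": 3,  "entry": False},
    "payroll_app":           {"impact": 6,  "entry": False},  # legacy, no source code
    "shopfloor_plc":         {"impact": 8,  "entry": False},
    "retail_db":             {"impact": 9,  "entry": False},
    "erp_system":            {"impact": 10, "entry": False},
}

# Directed "A has network/logon access to B" edges, also constructed.
EDGES = [
    ("internet", "web_server"),
    ("internet", "employee_workstations"),       # mail and web browsing
    ("supplier_vpn", "shopfloor_plc"),           # unfiltered maintenance VPN
    ("shopfloor_plc", "erp_system"),             # flat shop-floor network
    ("employee_workstations", "payroll_app"),
    ("employee_workstations", "erp_system"),
    ("web_server", "retail_db"),
]


def adjacency(edges):
    """Build an adjacency list from the edge list."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def shortest_paths(start, edges):
    """BFS from one entry point; returns {asset: [start, ..., asset]}."""
    adj = adjacency(edges)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def exposure(assets, edges, critical_threshold=8):
    """For each mission-critical asset, record which entry points can reach it
    and the shortest path from each. score = impact x number of distinct entry
    points, so a crown jewel reachable from two untrusted origins ranks above
    one reachable from a single origin."""
    entries = [a for a, meta in assets.items() if meta["entry"]]
    report = {}
    for asset, meta in assets.items():
        if meta["impact"] < critical_threshold:
            continue
        routes = {}
        for entry in entries:
            paths = shortest_paths(entry, edges)
            if asset in paths:
                routes[entry] = paths[asset]
        report[asset] = {
            "impact": meta["impact"],
            "routes": routes,
            "score": meta["impact"] * len(routes),
        }
    return report


def ranked(report):
    """Critical assets ordered by exposure score, highest first."""
    return sorted(report, key=lambda a: (-report[a]["score"], -report[a]["impact"]))


def without_edge(edges, edge):
    """The same model with one connection removed, e.g. after the maintenance
    VPN is filtered so it reaches only the equipment it services."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    before = exposure(ASSETS, EDGES)
    for asset in ranked(before):
        routes = {k: " -> ".join(v) for k, v in before[asset]["routes"].items()}
        print(f"{asset:<14} score={before[asset]['score']:<3} {routes}")
    after = exposure(ASSETS, without_edge(EDGES, ("shopfloor_plc", "erp_system")))
    print("erp_system score after segmenting the shop floor:", after["erp_system"]["score"])
```

In the constructed data the ERP system tops the list because it is reachable both from the Internet through employee workstations and from the supplier VPN through the shop floor; cutting the shop-floor-to-ERP connection halves its score without buying any new tooling, which is exactly the kind of finding the asset-centric exercise is meant to surface.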
Why the difference matters
The reason security organizations must know their adversaries — the real and not just the perceived — is that resources, capital and tools are finite and limited. In general, more advanced adversaries require more advanced tools and technologies to address them, but this comes with a proportionally larger price tag. If an organization has a million dollars to spend on upgrading their defenses, and they spend $750,000 of that on advanced tools to catch APTs, they may run out of capital and implementation resources for the run-of-the-mill malware. But advanced security tools should be effective against less advanced attacks and attackers — right? While this is theoretically true, I think that when the focus is on the boogeyman, the less advanced threats tend to be left to someone else.
The reason you must know the difference is that security isn’t a game of securing everything, perfectly. Rather, it’s a game of providing the most adequate defenses against the most relevant threats in the most effective manner. Sometimes the answer is as scary as outsourcing management of your assets to a third party, and if and when those assets become compromised they are simply rebuilt and quickly placed back into service. Recovery counts for something. In fact, it counts for quite a lot.
As a security professional you must know the three categories of threats your organization faces, how to respond to each — and how to expend your resources. This is quite literally the difference between being breached and quickly identifying and recovering from it, and finding out about it six months later from a partner company. Know your business. Know your enemies. Act accordingly.
Good luck out there.