SecurityWeek

Want to Strengthen Defenses? Think like an Attacker.

The recent increase in the number and severity of cyber attacks around the world demonstrates that we’re squarely in an era referred to as the “industrialization of hacking,” which has created a faster, more effective and more efficient sector profiting from attacks on our IT infrastructure. Driven by the desire for economic or political gain or attention to their cause, hackers are executing more sophisticated and damaging attacks that at the same time are becoming easier to launch with widely available tools.

To understand today’s array of threats and effectively defend against them, IT security professionals need to start thinking like attackers. With a deeper understanding of the methodical approach that attackers use to execute their mission, as demonstrated by the “attack chain,” you can identify ways to strengthen defenses. The attack chain, a simplified version of the “cyber kill chain,” describes the events that lead to and through the phases of an attack. Let’s take a look:

Analyzing Tactics of Cyber Attacks

Survey. Attackers first enter your infrastructure and deploy surveillance malware to look at the full picture of your environment, regardless of where it exists – network, endpoint, mobile and virtual – to understand what attack vectors are available, what security tools are deployed and what accounts they may be able to capture and use for elevated permissions. This malware uses common channels to communicate and goes unnoticed as it conducts reconnaissance.

Write. Knowing what they’re up against, attackers then create targeted, context-aware malware. Examples we’ve seen include malware that detects if it is in a sandbox and acts differently than on a user system, malware that checks for language pack installation (as in the case of Flame) before execution, and malware that takes different actions if it is on a corporate versus a home network. Attackers will extend surveillance activities to capture important details about where the assets are and how to get to them. They target your specific organization, applications, users, partners, processes and procedures.

Test. Then they make sure the malware works. The malware writers have deep pockets and well-developed information-sharing networks. They recreate your environment and test the malware against your technology and security tools to make sure it gets through defenses undetected, in effect following software development processes like QA testing or bench testing. This approach is so foolproof that malware writers are now offering guarantees that their malware will go undetected for 6 or even 9 months. This is true industrialization of hacking.

Execute. Remember that we’re not talking about the old days where attackers were in it for the publicity. The financial incentives for secrecy are far greater than the glory. Attackers navigate through the extended network, environmentally aware, evading detection and moving laterally until reaching the target.

Accomplish the mission. Sometimes the end game is to gather data; in other cases it is simply to disrupt or destroy. Whatever it is, they have more information and a targeted plan of attack to maximize success of their mission. Once the mission is complete they will remove evidence but maintain a beachhead for future attacks.

Given the attack chain, what can defenders do to strengthen defenses? It’s pretty clear that attackers are taking advantage of three key capabilities to hone their missions. Defenders must use these very same capabilities to better protect against attacks, including:

1. Visibility: Attackers have full visibility of your IT environment, and so must you. To more effectively protect your organization you need a baseline of information across your extended network (which includes endpoints, mobile devices and virtual environments) with visibility into all assets, operating systems, applications, services, protocols, users and network behavior, as well as potential threats and vulnerabilities. Seek out technologies that not only provide visibility but also offer contextual awareness by correlating extensive amounts of data related to your specific environment to enable more informed security decisions.

2. Automation: You need to work smarter, not harder. Hackers are using automated methods to simplify and expedite attacks. Using manual processes to defend against such attacks is inadequate. You need to take advantage of technologies that combine contextual awareness with automation to optimize defenses and resolve security events more quickly. Policy and rules updates, enforcement and tuning are just a few examples of processes that can be intelligently automated to deliver real-time protection in dynamic threat and IT environments.

3. Intelligence: In an age when hackers are conducting extensive reconnaissance before launching attacks, security intelligence is critical to defeat attacks. Technologies that tap into the power of the cloud and big data analytics deliver the security intelligence you need, continuously tracking and storing information about unknown and suspicious files across a widespread community and applying big data analytics to identify, understand, and stop the latest threats. Not only can you apply this intelligence to retrospectively secure your environment, mitigating damage from threats that evade initial detection, but you can also update protections for more effective security.

In a world in which attackers seem to be gaining an advantage, defenders need to fight fire with fire. Security technologies that enable visibility, automation and intelligence can help break the attack chain and foil attacks.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
