The recent increase in the number and severity of cyber attacks around the world demonstrates that we’re squarely in an era referred to as the “industrialization of hacking,” which has created a faster, more effective and more efficient sector profiting from attacks on our IT infrastructure. Driven by the desire for economic or political gain or attention to their cause, hackers are executing more sophisticated and damaging attacks that, at the same time, are becoming easier to launch with widely available tools.
To understand today’s array of threats and effectively defend against them, IT security professionals need to start thinking like attackers. With a deeper understanding of the methodical approach that attackers use to execute their mission, as demonstrated by the “attack chain,” you can identify ways to strengthen defenses. The attack chain, a simplified version of the “cyber kill chain,” describes the events that lead to and through the phases of an attack. Let’s take a look:
Survey. Attackers first enter your infrastructure and deploy surveillance malware to look at the full picture of your environment, regardless of where it exists (network, endpoint, mobile and virtual), to understand what attack vectors are available, what security tools are deployed and what accounts they may be able to capture and use for elevated permissions. This malware uses common channels to communicate and goes unnoticed as it conducts reconnaissance.
Write. Knowing what they’re up against, attackers then create targeted, context-aware malware. Examples we’ve seen include malware that detects whether it is in a sandbox and behaves differently than on a user system, malware that checks for language pack installation (as in the case of Flame) before execution, and malware that takes different actions depending on whether it is on a corporate or a home network. Attackers will extend surveillance activities to capture important details about where the assets are and how to get to them. They target your specific organization, applications, users, partners, processes and procedures.
Test. Then they make sure the malware works. The malware writers have deep pockets and well-developed information-sharing networks. They recreate your environment and test the malware against your technology and security tools to make sure it gets through defenses undetected, in effect following software development processes like QA testing or bench testing. This approach is so foolproof that malware writers are now offering guarantees that their malware will go undetected for 6 or even 9 months. This is true industrialization of hacking.
Execute. Remember that we’re not talking about the old days when attackers were in it for the publicity. The financial incentives for secrecy are far greater than the glory. Attackers navigate through the extended network, environmentally aware, evading detection and moving laterally until they reach the target.
Accomplish the mission. Sometimes the end game is to gather data; in other cases it is simply to disrupt or destroy. Whatever it is, they have more information and a targeted plan of attack to maximize success of their mission. Once the mission is complete they will remove evidence but maintain a beachhead for future attacks.
Given the attack chain, what can defenders do to strengthen defenses? It’s pretty clear that attackers are taking advantage of three key capabilities to hone their missions. Defenders must use these very same capabilities to better protect against attacks, including:
1. Visibility: Attackers have full visibility of your IT environment, and so must you. To protect your organization more effectively you need a baseline of information across your extended network (which includes endpoints, mobile devices and virtual environments), with visibility into all assets, operating systems, applications, services, protocols, users and network behavior, as well as potential threats and vulnerabilities. Seek out technologies that not only provide visibility but also offer contextual awareness by correlating extensive amounts of data related to your specific environment to enable more informed security decisions.
2. Automation: You need to work smarter, not harder. Hackers are using automated methods to simplify and expedite attacks, and manual processes are inadequate to defend against them. You need to take advantage of technologies that combine contextual awareness with automation to optimize defenses and resolve security events more quickly. Policy and rule updates, enforcement and tuning are just a few examples of processes that can be intelligently automated to deliver real-time protection in dynamic threat and IT environments.
3. Intelligence: In an age when hackers are conducting extensive reconnaissance before launching attacks, security intelligence is critical to defeat attacks. Technologies that tap into the power of the cloud and big data analytics deliver the security intelligence you need, continuously tracking and storing information about unknown and suspicious files across a widespread community and applying big data analytics to identify, understand, and stop the latest threats. Not only can you apply this intelligence to retrospectively secure your environment, mitigating damage from threats that evade initial detection, but you can also update protections for more effective security.
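The retrospective security idea in the Intelligence point is easy to see in code: keep a record of every file sighting even while the file's reputation is unknown, and when intelligence later changes a hash's verdict, replay that history to find every host that already saw the file. The following is an added example, not code from the original post or from any vendor's product; the hosts, paths and hashes are constructed sample values and the store is an in-memory stand-in for a real sighting database.

```python
"""
Minimal retrospective-security store (added example, not from the original post).

Every file sighting (host, path, SHA-256, time) is recorded even when the file's
reputation is unknown at the time it is seen. When a later intelligence update
marks that hash malicious, the store replays its history and raises an alert for
every earlier sighting, so a threat that evaded initial detection can still be
found and mitigated. All hashes, hosts and paths are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample hashes (not real file hashes).
SAMPLE_HASH_A = "deadbeef" * 8
SAMPLE_HASH_B = "cafef00d" * 8


@dataclass(frozen=True)
class Sighting:
    host: str
    path: str
    sha256: str
    seen_at: datetime


class RetrospectiveStore:
    def __init__(self):
        self._by_hash = defaultdict(list)  # sha256 -> [Sighting], oldest first
        self._verdicts = {}                # sha256 -> "clean" | "malicious"
        self.alerts = []                   # (sha256, Sighting) pairs raised so far

    def record(self, sighting):
        """Store a sighting; alert immediately only if the hash is already known bad."""
        self._by_hash[sighting.sha256].append(sighting)
        if self._verdicts.get(sighting.sha256) == "malicious":
            self.alerts.append((sighting.sha256, sighting))

    def update_verdict(self, sha256, verdict):
        """Apply a new intelligence verdict.

        A transition to "malicious" replays every stored sighting of the hash
        (the retrospective step) and returns the sightings that were alerted on.
        """
        previous = self._verdicts.get(sha256, "unknown")
        self._verdicts[sha256] = verdict
        replayed = []
        if verdict == "malicious" and previous != "malicious":
            for s in sorted(self._by_hash.get(sha256, []), key=lambda x: x.seen_at):
                self.alerts.append((sha256, s))
                replayed.append(s)
        return replayed

    def affected_hosts(self, sha256):
        """Hosts that have ever seen this hash, for scoping containment."""
        return sorted({s.host for s in self._by_hash.get(sha256, [])})


def run_sample():
    """Walk through a constructed timeline and return the populated store."""
    store = RetrospectiveStore()
    store.update_verdict(SAMPLE_HASH_B, "clean")
    # Two hosts see an unknown file before any verdict exists: nothing fires yet.
    store.record(Sighting("ws-01", r"C:\Users\a\Downloads\invoice.exe", SAMPLE_HASH_A, datetime(2013, 4, 1, 9, 0)))
    store.record(Sighting("ws-02", r"C:\Users\b\Downloads\invoice.exe", SAMPLE_HASH_A, datetime(2013, 4, 1, 9, 5)))
    store.record(Sighting("ws-02", r"C:\Windows\notepad.exe", SAMPLE_HASH_B, datetime(2013, 4, 1, 9, 6)))
    # Intelligence catches up days later: replay history, two retrospective alerts.
    store.update_verdict(SAMPLE_HASH_A, "malicious")
    # A new sighting of the now-known-bad hash alerts in real time.
    store.record(Sighting("ws-03", r"D:\share\invoice.exe", SAMPLE_HASH_A, datetime(2013, 4, 4, 11, 0)))
    return store


if __name__ == "__main__":
    s = run_sample()
    for h, sighting in s.alerts:
        print(f"ALERT {h[:12]}... host={sighting.host} path={sighting.path} seen={sighting.seen_at}")
    print("affected hosts:", s.affected_hosts(SAMPLE_HASH_A))
```

The useful property is the split between `record` and `update_verdict`: the store never discards an "unknown" sighting, so a verdict change days later still produces a complete list of affected hosts for containment rather than only catching the next execution.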
In a world in which attackers seem to be gaining an advantage, defenders need to fight fire with fire. Security technologies that enable visibility, automation and intelligence can help break the attack chain and foil attacks.