Modern cyberattacks and APTs (advanced persistent threats) have quickly become a top priority for both security practitioners and C-level executives, and for good reason.
Attackers, whether motivated by national interests, cyberespionage or cybercrime (including organized crime), have turned to patient, long-term attacks as the default method for compromising an organization and stealing sensitive information. Unfortunately, in many circles the concept of controlling APTs has become synonymous with detecting new or otherwise unknown malware. This is a potentially harmful oversimplification: it focuses our security on a single attack technique while ignoring the more resilient attack strategy behind it.
To say that modern attacks are multi-faceted and coordinated is an understatement. They employ a variety of vectors, malicious payloads, hacking tools, evasion tools and an ever-expanding set of techniques to secretly communicate both internally and externally. But again, the attack strategy is more than the sum of the tools. An attack will go through multiple stages, with each stage providing an opportunity for the attacker to further investigate the target and adapt to the environment. The iterative and adaptive nature of these attacks is actually far more important than any one particular technique.
Once an attacker establishes a beachhead in the target network, they will often footprint the local network looking for ways to spread within the network or ways to escalate their privileges. They will enumerate users and services to know what additional exploits can be applied to the environment. The attacker will install proxies, encrypted tunnels, peer-to-peer clients, remote desktop, or use customized protocols to ensure they can communicate and persist in the network without detection. The cyberattack includes all of these components, and security teams need to be able to identify and block an attack in all phases.
Asymmetric Attacks Require Us To Break Traditional Silos
It’s important we remember that IT security is essentially an asymmetric struggle. Networks and their users present a massive attack surface of potential exposures and vulnerabilities that attackers can target. IT security teams can secure 99.9% of their attack surface and repel thousands of attacks, but an attacker needs to succeed only once. This is what we refer to as asymmetry in the attack model, and it is something we see regularly in the physical world as well as in IT security.
In the physical world, terrorist organizations are a prime example of an asymmetric threat. Terrorists have a virtually unlimited number of potential targets, and any successful attack represents a failure of security. To respond to these sorts of threats, law enforcement needed to re-evaluate its strategies. Correlation and context between previously separate law enforcement agencies and perspectives have become standard practice. The focus has expanded beyond simply understanding bullets and bombs to also understanding how a terrorist organization is coordinated, how it communicates and how it operates.
Many of these lessons will apply to IT security as well. Just as a terrorist attack is about more than the bullets and bombs, a modern cyberattack is about more than the exploits and malware. We need to establish context that spans the entire lifecycle of an attack. Infection vectors, exploits, malware, persistence tools, evasion tools, reconnaissance tools, malicious domains, and a near infinite supply of applications and protocols used for command and control are all critical components of the attack.
Our security must be able to understand all of these facets natively and correlate them in order to identify and stop a real attack. Furthermore, we need to understand that any of those components can be, and regularly are, customized to avoid pre-existing patterns and signatures. The challenge of stopping the unknown isn’t limited to malware, and we need to think broadly about how we proactively identify, test and respond to unknowns throughout the lifecycle of an attack. An unknown file, a new domain and a strange customized protocol on your network all demand attention. The risk may be different for each, but any or all of them can be the sign of a coordinated attack, and security teams need to be prepared to deal with them.
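To make the correlation argument concrete, here is a small kill-chain correlator as an added example (it is not code from the original post or from any product). It serves both the post-beachhead paragraph above (footprinting, user enumeration, tunnels and remote desktop) and the point just made about an unknown file, a new domain and a strange protocol: each event on its own is weak evidence, but several distinct attack phases on the same host inside a time window are what a coordinated attack looks like. The event types, phase names, log format and all log lines are constructed for the example.

```python
"""Kill-chain correlation over per-host events (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical event types (as a sensor might emit them) mapped to the attack
# phase each one evidences. A real deployment would populate this from its
# own detection catalogue; these names are assumptions for the example.
PHASE_OF = {
    "unknown_file": "delivery",                  # executable with a never-seen hash
    "new_domain": "command_and_control",         # lookup of a very recently registered domain
    "unknown_protocol": "command_and_control",   # unclassified traffic on a well-known port
    "tunnel": "command_and_control",             # encrypted tunnel to an external host
    "user_enum": "reconnaissance",               # bulk user/service enumeration
    "lateral_rdp": "lateral_movement",           # RDP to a host never contacted before
}

# Constructed sample log, one event per line:
#   <ISO-8601 UTC timestamp> host=<name> type=<event_type> detail=<free text>
SAMPLE_LOG = """\
2024-03-01T09:00:12Z host=ws-17 type=unknown_file detail=invoice_q1.pdf.exe sha256 never seen
2024-03-01T09:05:40Z host=ws-17 type=new_domain detail=cdn-update-check.xyz registered 3 days ago
2024-03-01T10:00:03Z host=ws-04 type=new_domain detail=assets.newvendor.example first lookup
2024-03-01T11:30:55Z host=ws-17 type=user_enum detail=1900 LDAP user object reads in 40s
2024-03-01T14:02:17Z host=ws-17 type=lateral_rdp detail=RDP to srv-fs-02, no prior connection
2024-03-01T03:15:00Z host=srv-db type=unknown_protocol detail=non-TLS traffic on tcp/443 to 203.0.113.8
2024-03-04T08:10:00Z host=srv-db type=user_enum detail=SMB session enumeration against 12 hosts
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) type=(\S+) detail=(.*)$")


def parse_events(log):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m.group(2), "type": m.group(3), "detail": m.group(4)})
    return events


def correlate(events, window=timedelta(hours=24), min_phases=2):
    """Alert on hosts showing >= min_phases distinct attack phases within `window`.

    Returns one alert per host: the window with the most distinct phases.
    A host with a single phase (e.g. one new-domain lookup) never alerts.
    """
    by_host = defaultdict(list)
    for e in events:
        phase = PHASE_OF.get(e["type"])
        if phase is None:
            continue  # unmapped event type: not evidence for any phase
        by_host[e["host"]].append((e["ts"], phase, e["type"]))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological; timestamps are unique per host in the sample
        best = None
        for i, (start_ts, _, _) in enumerate(evs):
            # Sliding window anchored at each event; later events fall in or out by time.
            in_window = [ev for ev in evs[i:] if ev[0] - start_ts <= window]
            phases = {ev[1] for ev in in_window}
            if len(phases) >= min_phases and (best is None or len(phases) > len(best["phases"])):
                best = {
                    "host": host,
                    "phases": phases,
                    "first": in_window[0][0],
                    "last": in_window[-1][0],
                    "evidence": [ev[2] for ev in in_window],
                }
        if best is not None:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(f"{alert['host']}: {sorted(alert['phases'])} "
              f"({alert['first']:%Y-%m-%d %H:%M} .. {alert['last']:%H:%M}) via {alert['evidence']}")
```

With the default 24-hour window only ws-17 alerts: it shows delivery, command and control, reconnaissance and lateral movement on the same day. ws-04 never alerts on one new-domain lookup, and srv-db stays quiet because its two events are three days apart. Widening the window to a week (`correlate(events, window=timedelta(days=7))`) catches the slower srv-db pattern at the cost of more noise, which is the trade-off a patient attacker forces on the defender.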
These are the changes that I think we will need to make in order to respond to the realities of modern attacks. It’s always easier to focus on quick fixes than to change our ingrained habits and assumptions. But while it may be uncomfortable, these sorts of re-evaluations are necessary for our success, and ultimately our survival. If we don’t adapt, we simply play into the hands of those who want to attack us.