Q&A: The Increasing Complexity of Network Attacks
Attacks are getting increasingly complicated -- not just in the technology they use but in the number of parties involved in a single attack.
As any security administrator knows, it's not just the volume of attacks that are frustrating. Detection is complicated, and attackers often use a series of service providers to carry out their attacks. What's an enterprise to do?
For answers we turned to Gunter Ollmann, vice president of research at Damballa. Damballa's network security solution automatically detects and terminates the command-and-control required for the criminals to operate the malware or bot agents on breached assets.
Enterprise Strategies: Why is the term "targeted attacks" often a misconception?
Gunter Ollmann: First of all, it's not personal -- it's business. The folks that are attacking your organization are increasingly professional and financially motivated. Your organization is just one line on a long list they've constructed, and that list probably wasn't even hand-selected. Your organization just happened to appear in the results from some Google search that the attackers ran.
What is the nature of today's cybercrime ecosystem that makes "targeted attacks" less likely to be the norm?
In today's federated cybercrime ecosystem, the "attacker" selects and manages relationships with multiple external entities that specialize in the delivery of specific components of an attack. Each specialization is independent of the attacker -- and will more than likely be servicing multiple "attackers" simultaneously. More importantly, most of the service providers are so removed from the actual attack (and attacker) that the "victim" is unimportant and irrelevant to their contribution.
What is the profile of an "attacker" today?
Depending upon the criminal service delivery components we choose to isolate and label as the "attacker," we'll end up with completely different definitions of what constitutes a targeted attack. Even if you shrink this down to just the entity that assembled and coordinated the first rung of building blocks, what's the process in which they selected your particular organization for the attack? You may feel that you were singled out as the victim for a targeted attack, but you may want to remember that to practically all the cybercrime service operators within this federated ecosystem, it's just business and that the specifics of who you are is meaningless in the context of the services they provision and to those who'll be paying them.
What are the biggest mistakes IT makes in trying to secure the enterprise from such attacks?
One of the biggest mistakes is making the assumption that the attacker is basically an individual or self-contained unit. Unfortunately, this hasn't really been the case for many years. The oversimplification of what constitutes an attacker continues to raise problems and drive confusion when it comes to countering threats and recovering from a successful breach.
What do organizations struggle to understand about the nature of these attacks?
Organizations tend to believe the simplistic view of the threat and that the entity conducting the attack contains, manages, and orchestrates all the components necessary to perform the attack and that the format, the delivery, malware, and fraud components are defined as being core components of the "attacker," when that couldn't be further from the truth.
How can an enterprise determine who or what is attacking their networks?
What you label an "attacker" is going to be heavily dependent upon which aspects of the federated operation you were capable of observing and the evidence you managed to collect. For example, the delivery of the original malware component may have been orchestrated through a pay-per-install (PPI) affiliate program that earned $17 per 1000 computers on which they managed to install the attacker's malware. Those running the program, in turn, sub-contracted the delivery of the malware that breached your organization to an operator that specializes in drive-by downloads to Mac platforms in North America.
Meanwhile, the actual theft of your organization's source code was conducted by a pay-per-hour SAP hacking specialist in Romania who used the installed malware as a beachhead into a critical server -- only after the "original" attackers had performed a reconnaissance of your organization (and the other 25 organizations that "they" breached that particular day), uncovered the SAP administrative access credentials, and thought there may be something saleable in there.
Without mentioning specific products, what best practices or technology solutions would you recommend to help enterprises defend their assets from these attacks?
The existing portfolio of protection technologies does a fair job at keeping the bulk of known threats being launched at the enterprise today at bay. Unfortunately, the stats are skewed in the attackers' favor given the sheer volume and diversity of attacks they can automatically throw at an organization.
Perimeter defenses such as Intrusion Prevention Systems help filter out the well-known and stoppable attacks, and content filtering technologies will aid against previously encountered malicious sites and content. However, the cybercriminals have continued to invest in increasingly dynamic and agile attack delivery platforms -- meaning that, despite best efforts, the attackers will always be able to breach corporate defenses.
The paradigm has changed. Organizations need to build out systems and response strategies that assume that breaches will continue to occur (and with increased regularity) and optimize their containment and remediation processes. It's no longer about if you're breached, it's about how quickly you realize you have been breached and how quickly you are able to contain the damage.