The CISO’s Guide to Advanced Attackers: Sizing up the Adversary [New Series]
By Mike Rothman
Every year there seems to be a new shiny object that works security marketeers into a frenzy. The Advanced Persistent Threat hype continues to run amok 3 years in, and doesn’t seem to be abating at all. Of course there is still a lot of confusion about what the APT is, and Rich’s post from early 2010 does a good job explaining our view.
That said, most security vendors are predictable animals and they adhere to the classic maxim “If all you have is a hammer, everything looks like an APT.” So it makes no difference what the security product or service does – they are all positioned as the answer to APT. Of course this isn’t useful to security professionals who actually need to protect important things. And it’s definitely not helpful to Chief Information Security Officers (CISOs) who have to communicate their organization’s security program and set realistic objectives, and manage expectations accordingly.
So, as usual, your friends at Securosis will help you focus on what’s important and enable you to wade through the hyperbole to understand what’s hype and what’s real, in our new series: The CISO’s Guide to Advanced Attackers. This series will provide a high-level view of these “advanced attacks”, designed to help a CISO-level audience understand what they need to know, and map out a clear 4-step process for dealing with advanced attackers and their techniques.
Before we get started I want to thank Dell SecureWorks for agreeing to potentially license the content at the end of the project. As with all our research, we will produce The CISO’s Guide to Advanced Attackers independently and objectively, and tell you what you need to know. Not what any vendor wants you to hear.
Defining Advanced Attacks
First let’s dismiss the common belief that advanced attackers always use “advanced attacks”. That’s just not the case. Of course there are innovative attacks like Stuxnet, stealing the RSA token seeds to attack US Defense sector organizations, and compromising Windows Update using stolen Certificate Authority signing keys. But those attacks are exceptions, not the rule. These attackers are very business-like in their operations. They don’t waste a fancy advanced attack unless they need to. They would just as soon get an unsuspecting office worker to click a phishing email and subsequently use a known Adobe Reader exploit to provide the attacker with a presence in your environment. There is no award for unique attacks.
This understanding necessarily changes the way you think about adversaries. The attacks you see will vary greatly depending on the attacker’s mission and their assessment of the most likely means to compromise your environment. A better way to get your arms around potential advanced attacks is to first understand the potential targets and missions. Then profile specific attackers, based on their likelihood of being interested in the target. This can give you a feel for the tactics you are likely to face, and enables you to evaluate controls that may be able to deter them – or at least slow them down.
The security industry would have you believe that implementing a magic malware detection box on your perimeter or locking down your endpoints will block advanced attackers. Of course you cannot afford to believe everything you hear at a security conference, so let’s break down exactly how to determine what kind of threat you are facing.
Evaluate the Mission
Having the senior security role in an organization (yes, Mr./Ms. CISO, we’re talking to you) means accepting that the job is less about doing stuff and more about defining the security program and evangelizing the need for security with senior management and peers. A key first part of this process is to learn what’s important in your environment, which would be an interesting target for an advanced attacker. Since you have neither unlimited resources nor the capabilities to protect against every attack, you need to prioritize your defenses.
Prioritize by focusing on protecting your valuables. The first order of business in dealing with advanced attackers is to understand what they are likely to look for. That is most likely to be your:
- Intellectual property
- Customer data (protected)
- Business operations (proposals, logistics, etc.)
- Everything else
It is unlikely that you can really understand what’s important to your organization by sitting in your office. So a big part of this learning requires talking to senior management and your peers to get a feel for what’s important to them. After a few of these conversations it should be pretty clear what’s really important (meaning people will get fired if it’s compromised) and what’s less important. Once you understand the likely targets of an advanced attacker (the important stuff), you can take a reasonably educated guess at the adversaries you’ll face.
Profile the Adversary
We know it seems a bit simplistic to make generic assumptions about the kinds of attackers you will face, depending on what you are trying to protect. And it is simplistic, but you need to start somewhere. So let’s quickly describe a very high-level view of the adversaries you could face. Keep in mind that many security researchers (and research organizations) have assembled dossiers on potential attackers, which we will discuss with threat intelligence in the next post.
- Unsophisticated: These folks tend toward smash-and-grab attacks, where they use a publicly available exploit (perhaps leveraging tools like Metasploit) or some kind of packaged attack kit. They are opportunistic and will take what they can get.
- Organized Crime: A clear step up the food chain is organized crime attackers. They invest in security research, test their exploits, and have a plan to exfiltrate and monetize what they find. They are still opportunistic, but can be quite sophisticated in attacking payment processors and large-scale retailers. They tend to be most interested in financial data, but have also been known to steal intellectual property if they can sell it and/or use brute force approaches like DDoS threats to extort victims.
- Competitor: At times competitors use unsavory means to gain advantages in product development, or when seeking information on competitive bids. These folks tend to be most interested in intellectual property and business operations.
- State-sponsored: Of course we are all hearing the most about alleged Chinese military attackers, but you can bet that every large nation-state has a team of attackers practicing offensive tactics. As Rich described, the Chinese are a bit different in that they use military resources for economic advantage, but all these folks are interested in pretty much everything. And some of them just don’t care much about concealing their presence.
Of course there are many other kinds of adversaries. The value of broader or deeper profiling depends entirely on your situation. But the process is the same, and the list above offers a decent start at the kinds of folks you will see trying to get into your stuff.
The Dangers of Assuming
You know the old saying about assuming anything, right? So we will go through the initial process to identify your most likely targets, and back into the kinds of adversaries you are likely to face. Then you need to plan to be wrong. In security it’s a fool’s errand to think you have the answers.
Once you have done what you can to protect yourself you need to ensure you have sufficient monitoring to detect something that isn’t part of your general battle plan. You cannot eliminate surprises in this business, but you can lessen the impact of an unexpected attack from a different adversary targeting a lower-value (in your thinking, anyway) target. We are focusing on advanced attackers in this series, but everything you do is also applicable to the unsophisticated.
The Process for Advanced Attacks
At Securosis we tend to be process-centric. So let’s establish a high-level process to deal with these kinds of attacks and attackers. Throughout the rest of this series we will dig into each of these steps with specifics about what you need to do.
- Threat Intelligence/Information Sharing: A key defensive capability for dealing with advanced attackers is knowing who they are, where they are coming from, and what attacks they are using. This entails leveraging external threat intelligence to learn from the misfortunes of others.
- Data Collection and Data Mining: The next step is to implement a comprehensive monitoring initiative instrumenting networks, systems, applications and data, with sensors to look for indications of imminent attack (as defined by threat intelligence).
- Verification: When you believe you are being targeted you will need to do an initial damage assessment and kick your incident response process into gear. This involves verifying, validating, and ultimately figuring out the root cause, the degree of compromise, and any damage resulting from the attack.
- Breaking the Kill Chain: Once the attack has been verified and the root cause has been identified, you need to decide how to “break the kill chain”, or remediate the issue. This is a non-trivial decision requiring feedback from senior management, legal counsel, and likely law enforcement and government.
Ultimately all these functions need to become systematic as part of your security program. We will wrap up by talking about how your program needs to handle these advanced attacks, while paying attention to other stuff (hygiene, everyday attacks, and compliance). So strap in – we will start up tomorrow by delving into the kinds of security threat intelligence you need to understand when and how you are likely to be attacked.