Want to strengthen cyber defences? Think like an attacker

Sourcefire mirrors the mindset of the cyber threat

By Anthony Perridge, channel director EMEA, Sourcefire. Published June 3, 2013

The recent increase in the number and severity of cyber attacks around the world demonstrates that we're squarely in an era referred to as the "industrialisation of hacking", which has created a faster, more effective and more efficient sector profiting from attacks on our IT infrastructure.

Driven by the desire for economic or political gain, or for attention to their cause, hackers are executing more sophisticated and damaging attacks that are at the same time becoming easier to launch with widely available tools.

To understand today's array of threats and effectively defend against them, IT security professionals need to start thinking like attackers. With a deeper understanding of the methodical approach that attackers use to execute their mission, as demonstrated by the "attack chain", you can identify ways to strengthen defences. The attack chain, a simplified version of the "cyber kill chain", describes the events that lead to and through the phases of an attack. Let's take a look.


Attackers first enter your infrastructure and deploy surveillance malware to look at the full picture of your environment, regardless of where it exists (network, endpoint, mobile and virtual), to understand what attack vectors are available, what security tools are deployed and what accounts they may be able to capture and use for elevated permissions. This malware uses common channels to communicate and goes unnoticed as it conducts reconnaissance.


Knowing what they're up against, attackers then create targeted, context-aware malware. Examples we've seen include malware that detects whether it is in a sandbox and behaves differently than it would on a user's system; malware that checks for language pack installation (as in the case of Flame) before executing; and malware that takes different actions depending on whether it is on a corporate or a home network.

Attackers will extend surveillance activities to capture important details about where the assets are and how to get to them. They target your specific organisation, applications, users, partners, processes and procedures.


Then they make sure the malware works. The malware writers have deep pockets and well-developed information-sharing networks. They recreate your environment and test the malware against your technology and security tools to make sure it gets through defences undetected, in effect following software development processes like QA testing or bench testing. This approach is so reliable that malware writers are now offering guarantees that their malware will go undetected for six or even nine months. This is true industrialisation of hacking.


Remember that we're not talking about the old days where attackers were in it for the publicity. The financial incentives for secrecy are far greater than the glory. Attackers navigate through the extended network, environmentally aware, evading detection and moving laterally until reaching the target.

Vinod Mehra

When you park your car, you switch off the engine and lock the car. Beyond that you entrust public authorities and insurance to cover you for the loss. I believe digital security is such an area whereby businesses can install security measures for internal and external customers. And beyond that you need a common force that is local and global to protect businesses from attackers. You can never succeed thinking like an attacker because you are expected to defend and not attack.
