Methods of Delivery and Intrusion

@boblord
3 min read · Nov 25, 2024


To effectively defend against attacks, it is crucial for defenders to distinguish between the method of delivery and the method of intrusion. Understanding these concepts helps in creating layered and targeted defense strategies.

Definitions

  • Method of Delivery: The mechanism used by an attacker to present a lure to the victim. This involves the initial contact and the transmission of malicious content or requests. Examples include phishing emails, text messages, social media direct messages, or malicious links embedded in websites. The focus here is on how the attacker places the lure in front of the victim.
  • Method of Intrusion: The technique used by the attacker to gain unauthorized access to a system or resource after the victim interacts with the lure. This includes actions like exploiting software vulnerabilities, leveraging stolen passwords obtained via phishing, installing malware, or abusing legitimate remote access tools.

Discussion

Distinguishing between these two stages is critical for designing effective defenses. Let’s separate them.

Focusing on the Method of Delivery

By targeting the delivery stage, defenders can intercept and block malicious content before it reaches potential victims. This includes:

  • Spam filters
  • URL scanning tools
  • User training programs to identify suspicious messages

However, attackers can exploit a wide variety of delivery methods. While email is the most common, there are countless other channels, such as text, voice, and video communication apps, many of which may fall outside an organization’s control. With so many delivery mechanisms in play, it is impractical to rely solely on detection and prevention at this stage.

Focusing on the Method of Intrusion

Targeting the intrusion stage involves strengthening systemic defenses, regardless of how the attacker reaches their target. Key measures include:

  • Patching software vulnerabilities
  • Enforcing multi-factor authentication (MFA)
  • Monitoring for suspicious activity

By neutralizing intrusion methods, defenders can often thwart attacks even when delivery mechanisms succeed.

Examples

  • Password Phishing Attack: A delivery-focused approach might prioritize email filters or user training, but attackers can easily switch to alternative channels like messaging apps or SMS. Instead, implementing phishing-resistant MFA, such as FIDO passkeys, directly prevents unauthorized access even if the victim complies with the attacker’s instructions.
  • Business Email Compromise (BEC) Financial Scam: A delivery-focused approach might suggest, in an extreme case, tapping phone calls or using AI to analyze conversations for scams. However, a more effective and cost-efficient strategy would involve hardening the wire transfer process, ensuring no single point of failure could result in significant loss. (Human error is never the conclusion of an investigation, but only the start of an investigation!)

Key Insights

Separating delivery and intrusion allows defenders to analyze the attack chain more effectively and allocate resources to mitigate risks at each stage. While delivery defenses can be somewhat effective, they often place the burden on end-users to be infinitely vigilant. Focusing on intrusion methods, however, shifts the responsibility to IT teams and software manufacturers, enabling more resilient defenses that protect users regardless of how the attack is delivered.

By addressing both stages with tailored strategies, defenders can disrupt the attacker’s chain of success while reducing reliance on end-user vigilance.


Written by @boblord

Interested in cybersecurity, especially hacklore. Blue Sky: @boblord.bsky.social Mastodon: https://infosec.exchange/@boblord
