Let’s arbitrarily divide the bad guys into two camps: opportunistic and targeted. The opportunistic guys are the ones who don’t really care what they break into, but the more computers they break into the more opportunities open up. The targeted guys care greatly about what computers they get into, because they’ve got a pretty specific intent.
The problem is, regardless of whether the technology you’re buying is designed to stop opportunistic or targeted attacks, it will eventually fail. In fact, the more blocking or prevention is built into the tech, the faster it will fail. Of course, security companies can certainly update or redesign their security solutions… but the larger the company the longer it takes for them to do so.
While security technology vendors adapt over the course of years or months, attackers adapt over the course of days or hours.
So, the need for smart people to adapt to the changing attacker is a forever need. To understand why, let’s look a bit more closely at these two camps.
Opportunistic Bad Guys
Let’s say I’m a bad guy. I’ve got certain nefarious objectives but I don’t really care that much how I achieve them.
Maybe I just need a boatload of systems for computing power. Because I’m going to use them all to generate email and spam the world. Even if 0.0001% of recipients fall prey, I’m making a lot of money.
Or, I know of an underground marketplace where folks need processing power. Some folks are trying to break through into encrypted data that the DOJ hasn’t mandated have a backdoor yet. As a bad guy, I can’t wait until they do… but I digress. There are other folks who are trying to guess passwords so they can get into a bank account. More computing resources would help them out. But whatever. I can build a botnet with my victim machines and sell time on portions of them. Again, moolah.
Actually, some of the guys I sell to are interested in just onesey-twosie machines. They don’t really care WHERE they are, as long as they’re pretty diverse. They’re going to use them as part of a series of jumps they’ll take before even attempting to attack their real target. It’ll make them much more difficult to trace back or to block. Their Command and Control (C&C or C2) infrastructure.
Whatever. The more machines I can get, the more moolah I can make.
So here’s my challenge. Computers out there are SUPER diverse. There are umpteen different versions of operating system software, application software, security software, etc. Nevermind the variety of security technologies out there, no-two-setups-alike. Well, I’m going to play a numbers game then. I’m going to write software that takes advantages of vulnerabilities (usually recent) in software that has a widespread install base. I’ll also use the machines I already have to send out spam with attachments and links for folks to click on.
Then I’ll iterate.
I’ll try out my software here & there, and when I see it’s getting dropped or blocked, I’ll make changes so that it gets through. Once I’ve got a good success rate I’ll blast it out. So that’s my plan. And it’ll work. Because it’s worked before.
Targeted Bad Guys
Let’s say I’m a bad guy. Still. I’ve got certain nefarious objectives and they’re quite specific.
For instance, I’m very interested right now in the lighting market. Incandescents and compact fluorescents are out the door. The more I can learn about effective and cheap LED fabrication techniques, the better off I’ll be when I sell what I’ve learned to my sponsors. Then they can skip all the R&D, do it with cheaper labor, and undercut the silly Americans & Europeans.
Or perhaps it’s a money pure play. I’m in the market for some bank routing numbers and associated checking account numbers. With that, I can start siphoning money out. Love me some ACH fraud. Granted, most of it goes to my sponsors, but I get my cut too.
I’ve got another job coming up next month. Turns out there are these bozos who are speaking out against my country’s infallible leadership. That really ticks me off. There are a few organizations out there that are trying to keep their personal information a secret. Well, I want it. And out of a sense of patriotic duty, I will turn that over to my government and be well rewarded.
Fortunately for me, the list of organizations that I want to break into in each of these cases is pretty small. And they all do a decent job at keeping their infrastructure homogeneous. Those financial guys are great too because it always takes them 9 months to patch anything. You know my favorite time of the year? Christmas. It’s when nothing changes in the environment (moratorium!), nobody’s around looking for me (vacations!), and I have free reign. It’s like, well… Christmas!
Those LED companies? They’re all small so they can’t even afford to keep me out. And if they get lucky I’m sure they filed all the interesting stuff through their lawyers so I can get the information there. Humanitarian companies are the same deal — small, understaffed, underfunded, delightful.
It’s a lot easier for me to build software that can get in because my targets are so well defined. I don’t have to account for ALL the different versions of security software out there… just the kind that my targets are using. I also don’t need to figure out how to evade ALL network security controls — just the ones they picked. Worst case I’ll test against other companies using the same security tech. Once I can get past their defenses I’ll attack my real target. Besides, I can always fall back to good ‘ol spearphishing.
Evading Tech Isn’t That Hard
As you can see, for opportunistic and targeted attackers, evading tech is just a little bit of work. It’s not hard. When an attacker can test your security and observe what you detect (because it got blocked), you’ve got a testable security surface. It might keep out some riff raff, but targeted attackers get around it easily. If you’re doing the same blocking everyone else is doing, the opportunistic attackers will take the time to work around it as well.
The better funded the attacker the more investments they can make into evading tech. Imagine an attacker with access to all the security suites out there. With all the network security gear installed in their lab. How convenient! Now they can go beyond what’s blocked into what’s detected and evade that too! Takes more work, but in certain cases is well worth the effort to avoid detection.
Though frankly, security teams are so overwhelmed by signal-to-noise-ratios that even detection by technology alone won’t necessarily keep the attacker out.
It’s Not Hopeless?
This doesn’t seem like a recipe for success. Attackers can adapt to technology pretty quickly and it’s hard for engineering teams to keep up. This puts on the onus on security practitioners who, as a rule, are either in short supply or overwhelmed.
To effectively combat both opportunistic and targeted attackers, companies need security practitioners with their eye on the ball. This means first and foremost being able to rapidly, and with high fidelity, detect attackers that have bypassed your deterrence measures. Second, streamlining these individuals’ time to investigate & respond. Only then will practitioners begin to consistently stop the attackers before they’re able to complete their mission.
With companies desperate to solve this problem, security technology vendors for years have promised they’ll “prevent breaches.” We’ve seen how that’s worked out. With a glut of technologies that all sound roughly the same, the industry has turned to intelligence and orchestration.
To their credit, these organizations don’t purport to stop anything. They do in fact aim to accelerate detection & response via context and automation. Given the talent gap, this leaves the question of insourcing and outsourcing open. Nevertheless, a mental step in the right direction.
Meanwhile it’s vital that security buyers understand that there remains no silver bullet for the information security challenges that we face today. Likewise, for security technology vendors, it does buyers and the information security community a disservice to purport that your tech stops the bad guys. Instead, let’s take a cue from the intel and orchestration companies. Build tech that enables practitioners rather than tech that gives customers the false sense that they don’t need them.
If you found this worth your time, consider following @reefhack on Twitter, RT, and recommend this article by clicking the heart below.
