Understanding the difference between the attacker's motivations and tactics
One of the reasons I've found so many organizations lack focus and competency around the cybersecurity fundamentals is the way big data breaches have been reported in the news over the last decade. Stories that claim an attack was the "most advanced attack seen to date" or the work of "a nation state" seem to be common. But when you take a closer look at these attacks, the victim organization was always initially compromised by attackers using one or more of the five ways I outlined in this chapter.
There are attackers that operate in the open because they don't believe there are consequences for their illicit activities, based on their location and legal jurisdiction. But this is the exception to the rule that they will obfuscate their true personal identities. Claims that an attack was the work of a nation state or an APT group are typically based on circumstantial evidence. Rapidly changing networks of social media accounts and news outlets spreading false information exacerbate the challenge of attribution.
Attributing an attack to an individual or group can be extremely hard. This is because the internet is based on a suite of protocols that was developed over 35 years ago.
The engineers that developed these immensely scalable and sophisticated protocols never envisioned a future world where an entire multi-billion-dollar-a-year industry would be based on the discoveries of new security vulnerabilities, malware research, social engineering protection, and nation state actors. TCP/IP version 4, the basis of the internet, was never designed to help investigators perform attribution for attacks that leverage vast networks of compromised distributed systems around the world. Comparing code fragments from two malware samples to determine if the same attackers developed both is not a reliable way to perform attribution, especially when the attackers know this is a common technique. Finding "patient zero," where the compromise started, in large environments that have been compromised for months or years, using data from compromised systems, can't be done with complete confidence.
But still, many cybersecurity professionals use this type of data to surmise the attackers' motivations and identities. Attacker motivations include:
- Notoriety: The attacker wants to prove they are smarter than the big high-tech companies and their victims.
- Profit: As I'll discuss in Chapter 3, The Evolution of the Threat Landscape – Malware, after the successful worm attacks in 2003, malware began to evolve to support a profit motive that continues to the present day.
- Economic espionage: For example, alleged activities by groups in China to steal valuable intellectual property from western nations to give their own industries a competitive and economic advantage.
- Military espionage: A motivation as old as governments themselves, where governments want to understand the military capabilities of their adversaries.
- Hacktivism: Attacks against organizations and institutions based on disagreements on political or philosophical issues.
- Influencing elections: Using cultural manipulation and information warfare to help nations achieve foreign policy objectives.
- Many others: Watch any James Bond movie where the Special Executive for Counterintelligence, Terrorism, Revenge, and Extortion (SPECTRE) is part of the plot.
If most organizations can't really know who is attacking them, then they can't really understand what the attacker's motivation is. If CISOs don't know what's motivating the attacker, how do they know what a proportional response is? Who should help the victim organization with the response to the attack – local authorities, the military, an international coalition?
Still, I have talked to organizations whose cybersecurity strategies rely heavily on attribution. After performing hundreds of incident response investigations for Microsoft's customers, I find the assumption that timely attribution can be done with any confidence to be overly optimistic. For most organizations, relying on accurate attribution to inform their cybersecurity strategy or to help make incident response decisions is pure fantasy. But I believe you can, with 99.9% certainty, predict the tactics the attackers will use when they try to initially compromise an IT environment. This is what organizations should invest in – the cybersecurity fundamentals.
Having a cybersecurity strategy is a great step in the right direction. But by itself, it represents good intentions, not a commitment by the organization. In the next section, we'll take a look at what else needs to be done in order to successfully implement an effective cybersecurity strategy.