July 15, 2013
The lazy attacker
The lazy attacker
Most cyber attackers are likely to use the easiest route in. They're lazy and no different from your run-of-the-mill hijacker who will gladly steal the car of someone who leaves the keys in it.
In the case of the cyber criminal, he will of course test the 'lowest common denominator' method against the widest range of IP addresses from the same source set of IP addresses.
Even advanced attackers will use a 'recycled attack platform' upon identifying and inspecting a target. Inevitably, this results in attackers using the same type of attack against a wide surface area, the same toolsets and the same set of source IPs or command-and-control (CnC) servers.
This is a cyber criminal's 'bread and butter' and as long as it remains effective and lucrative, attackers will continue this languid approach. The sad truth is that the cost to attack and exploit a system is dramatically less than the cost to defend it.
Take, for instance, advanced persistent threats (APTs). These get most of the attention from the cyber security community because, as defenders, we want to be vigilant against the most sinister techniques. Also, it is far more interesting to analyse and discuss sophisticated attack tools, techniques and profiles, but this unilateral mindset ignores a much wider reality: Cyber criminals are just as lazy as criminals in the real world.
Let's first consider the costs of broad-based (lazy) attacks: Setting aside the incremental costs of exploit kits and the potential legal risk, there are no significant costs to launching an attack.
With easy-to-use and readily available exploit kits, an attacker can use a single machine to attack thousands of targets searching for one with susceptible defences. The cost of acquiring a new target is merely the cost of generating a new random number.
On the reverse side, each new attack vector requires additional effort on the part of the defender. They must deploy and maintain numerous security controls while also keeping all of their systems updated with the latest security patches. This is a substantial cost that is all too familiar to anyone in the industry.
So, the advantage is completely with the attacker. While each defender must incur substantial cost to protect their organisations, the attackers can easily find targets that have not paid that price.
The question becomes: How can we increase the cost that an attacker must pay for each target? Clearly, the risk of criminal prosecution is a cost risk the attacker incurs. However, the technical difficulty of attributing attacks and the ease of crossing geo-political boundaries complicate prosecution efforts; and as a result, this risk is negligible.
Even those attackers who are deploying more targeted, advanced attacks against a specific industry or organisation will reuse the same techniques and exploit code in targeted attacks against similar organisations in the same industry. Good examples include ‘Sykipot' and ‘Red October' – both of which primarily targeted defence agencies and governmental organisations. In each of these cases, the original exploit code was developed years ago and over the years, the code has ‘evolved' as it has been reused and repurposed against new victims.
The way they do this is that cyber criminals are highly adept at sharing information with each other. On hacker forums and other underground communities, attack tools and techniques are widely shared, discussed, vetted and promoted. This sharing gives attackers additional resources to be more effective in their efforts and adds plenty of weaponry to their arsenals.
Clearly, the same collaborative approach is needed for defenders. Remember that recycled attack platform used by attackers. Why wouldn't defenders likewise collaborate on the source, tools and techniques used for these attacks and reap the tremendous benefits of threat sharing? Not to mention that such collaboration among defenders can also increase the costs associated with executing these attacks.
Once an attacker has targeted any member of a collaborative platform, such as AlienVault's Open Threat Exchange, command-and-control servers are easily identified by their IP addresses throughout the network. This means that attackers can no longer benefit from the isolation of their targets; they must use a new IP for each attack that they launch.
Instead of being able to launch thousands of attacks from a single IP, they have to pay the cost of acquiring a number of IPs that is proportional to the number of attacks they wish to mount. Additionally, an attacker's tools and tactics become much less effective when defenders collaborate to protect themselves from the attacker. A ‘neighbourhood watch' for the internet makes sense from an economic perspective as well as from an operational one.
So, next time you get focused on the ‘shiny object' of APTs, remember there are cyber criminals out there still using easily defendable broad-based threats to compromise your systems. Sharing information about attack methods with others - especially those in the information security industry - is an essential first step to combating the widest amount of threats.
Jaime Blasco is director of research at AlienVault Labs