White hats share insights on modern attack campaign strategies

“They don't rely on malware, custom or commodity. They don't attack from the outside in. They work from the inside out. They use common IT tools to access and escalate through internal systems,” Scott Crawford, director for the Information Security Channel at 451 Research, said as he introduced new research into the hacker mentality.

451 Research interviewed white hats who are experienced with the black-hat side of things, drawn from roles including incident responders, malware researchers, penetration testers and all-around cyber-security veterans.

A typical campaign is put into effect long before a victim is targeted. Attackers will figure out how to monetise an attack based on the tools and resources available; by the time the victim is aware of the attack, the damage is done and the attackers have made off with the loot.

Criminals and other adversaries have seen the value in capturing and holding critical data or entire systems and data centres for ransom.

Attackers win and defenders fail for a number of reasons. As long as it works, attackers will use whatever is cheap, free or available. They are brutally practical and will quite happily move beyond hackneyed cons like identity fraud to strategies with less risk but more profit. They seek to get rid of complexity wherever possible and follow the path of least resistance.  

The experts have pointed out key defensive strategies. Defenders need to understand that an effective defence usually doesn't deter an attacker; it just forces them down a different path. Defenders should look for potential attacker TTPs (tactics, techniques and procedures), not only tools or threat indicators. Defenders must disable or mitigate the key software products responsible for most infections, thereby cutting off their attack channels.
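The contrast between hunting for indicators and hunting for TTPs, as an added illustration that is not part of the article or the 451 Research study: the constructed process-creation events below show an account using only built-in Windows administration tools, so a hash-based indicator match finds nothing, while behaviour rules (remote execution via built-in tooling, privileged-group changes, one account fanning out to several hosts in a short window) surface the activity. Event fields, rule names, host names, thresholds and the placeholder hashes are all assumptions chosen for the example.

```python
"""Indicator matching versus TTP detection over constructed process events.

Hypothetical example; the event format and rules are assumptions, not a
real product's schema or a published rule set.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since epoch (constructed)
    host: str
    user: str
    image: str     # executable name
    cmdline: str
    sha256: str    # constructed placeholder hash of the image


# Constructed sample: a helpdesk account is abused to move from a workstation
# to servers using only tools that ship with the operating system.
EVENTS = [
    ProcEvent(100, "ws-017", "CORP\\jdoe", "outlook.exe", "outlook.exe", "hash-outlook"),
    ProcEvent(160, "ws-017", "CORP\\helpdesk1", "net.exe",
              'net group "Domain Admins" /domain', "hash-net"),
    ProcEvent(200, "ws-017", "CORP\\helpdesk1", "wmic.exe",
              "wmic /node:srv-fs01 process call create cmd.exe", "hash-wmic"),
    ProcEvent(230, "srv-fs01", "CORP\\helpdesk1", "net.exe",
              "net localgroup administrators svc_backup /add", "hash-net"),
    ProcEvent(260, "ws-017", "CORP\\helpdesk1", "wmic.exe",
              "wmic /node:srv-db02 process call create cmd.exe", "hash-wmic"),
    ProcEvent(300, "ws-017", "CORP\\helpdesk1", "wmic.exe",
              "wmic /node:srv-hr03 process call create cmd.exe", "hash-wmic"),
    ProcEvent(400, "ws-042", "CORP\\asmith", "winword.exe", "winword.exe report.docx", "hash-word"),
]

# Constructed indicator list: hashes of commodity malware. Legitimate signed
# admin tools never appear here, which is exactly why this check stays silent.
KNOWN_BAD_HASHES = {"hash-commodity-rat"}


def ioc_hits(events):
    """Indicator matching: flag only images whose hash is on the bad list."""
    return [e for e in events if e.sha256 in KNOWN_BAD_HASHES]


# Behaviour rules keyed on what the command does, not on which binary ran.
TTP_RULES = [
    ("remote_exec_via_wmic", re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    ("local_admin_added", re.compile(r"net(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("privileged_group_recon", re.compile(r'net(\.exe)?\s+group\s+"?domain admins"?', re.I)),
]


def ttp_hits(events):
    """Return (rule, host, user) for every event matching a behaviour rule."""
    hits = []
    for e in events:
        for name, pattern in TTP_RULES:
            if pattern.search(e.cmdline):
                hits.append((name, e.host, e.user))
    return hits


def lateral_fanout(events, window=600, threshold=3):
    """Flag accounts that reach >= threshold distinct remote hosts within window seconds."""
    by_user = defaultdict(list)
    for e in events:
        m = re.search(r"/node:(\S+)", e.cmdline, re.I)
        if m:
            by_user[e.user].append((e.ts, m.group(1)))
    flagged = {}
    for user, touches in by_user.items():
        touches.sort()
        for t0, _ in touches:
            targets = {h for t, h in touches if t0 <= t < t0 + window}
            if len(targets) >= threshold:
                flagged[user] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    print("indicator hits:", ioc_hits(EVENTS))          # empty: no known-bad binaries ran
    for hit in ttp_hits(EVENTS):
        print("TTP hit:", hit)
    print("fan-out:", lateral_fanout(EVENTS))
```

The indicator check returns nothing because every binary involved is a legitimate operating-system tool; the behaviour rules fire five times and the fan-out check names the one account touching three servers, which is the kind of signal the experts quoted above are asking defenders to look for.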

Most businesses and some tools haven't even made it a priority to assess third-party software. Over 90 percent of the malware causing headaches targets fewer than 10 products: Microsoft Office (on Windows), Oracle Java (typically the browser plugin), Adobe Flash, Microsoft Silverlight, Microsoft Internet Explorer and Adobe Reader/Acrobat.

Attackers want the highest return for the smallest effort, which means campaigns are built for high payoff, low labour and little patience.

It is, for example, rare to see attacker campaigns start from scratch. Most malware reuses code and functions, and even infrastructure that was previously built.

Attackers are moving away from stealing payment and identity data as it has become almost worthless since the supply of stolen credit cards has far exceeded the black-market demand. The availability of Bitcoin allows attackers to go from campaign planning to money in the bank in days as opposed to weeks or months.

Attackers are more likely to see a broader landscape: the target chosen depends on the likelihood of success, whereas defenders tend to see potential targets as lists of corporate-owned assets.

“As an industry, we need to think more like the adversary with less emphasis on tools and more on attacker strategy,” Crawford concluded.