Partner Perspectives: The Target Strikes Back – Predicting the Persistent Attacker


Idan Bellayev is the head of security research for Empow Networks.

Predicting cyber-attacks has long been an elusive goal in the cyber-security industry. Methods such as Lockheed Martin’s Cyber Kill Chain evangelized the idea that staying one step ahead of your adversary is the way to defeat advanced, persistent threats. Key components of staying one step ahead include Indicators of Compromise (IOC) and Indicators of Attack (IOA), both valid methods that use the lessons learned from past encounters to protect against future ones. However, these indicators are not being fully utilized, which reduces their effectiveness against new attack methods. There is a better way to predict and prevent attacks. But before we reveal the “big surprise,” let’s dive into the current state of IOCs and IOAs …

Indicators of Compromise (IOCs)

IOCs are defined as “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command-and-control servers. IOCs, by nature, are reactive. We can think of them as still pictures, capturing specific points in time – representing pieces of evidence that provide clues to the narrative of what has occurred. They might even give us a glimpse into the players and techniques involved in the attack – but at the end of the day, they do not give us the whole story – they only give us clues.

Indicators of Attack (IOAs)

To get the whole story we turn to IOAs, which are defined as “a unique construction of unknown attributes, IOCs, and contextual information (including organizational intelligence and risk) into a dynamic, situational picture that guides response”. If IOCs are “still pictures,” then IOAs are movies. They take all the pictures and evidence we collect, contextualize it, and apply it to a timeline, providing a full cinematic experience of the attack.

Making Better Predictions

This movie should be a valuable tool for identifying and disrupting future attacks before they can cause damage. There is only one problem: attackers rarely play the same movie twice. We should not assume that attempted intrusions will look exactly the same every time, because they probably won’t. There may be some similarities, just like in a sequel to a movie – we may see some of the same actors and settings, but the movie will also include new scenes, new characters and new dialogues. In a similar way, intrusion attempts are usually a newer version of a previous attempt. The attackers might use some of the same tools from the last round, or re-use techniques they developed, or attack at the same time of day, but they will probably change some of their C2 servers. Attackers, just like the rest of us, are limited in time and resources and understand the value of re-use. Creating a new attack from scratch to target the same victim is pricey and time-consuming, so they often borrow pieces of previous attacks. Therefore, looking for patterns of attack from previous incidents might seem like a reasonable approach, but searching for the same patterns of attack makes no sense because they almost certainly will not be the same.

So how can we make better use of IOAs? By rearranging them into multiple variations, we are no longer looking for one movie. Instead, we are writing different scripts with different plots, without committing to one story line. By creating varied attack patterns that contain valid evidence of the adversary’s characteristics but do not force them into a specific pattern that most likely won’t happen again, we open the door to a new, much more efficient way of hitting back at our attackers.

This method gives us the opportunity to predict how attacks will occur long before they happen. We can proactively identify a persistent adversary, or other adversaries that share attacking characteristics. This method can even be used to identify and disrupt live attacks. Creating modular IOAs by collecting indicators during the early stages of an attack enables a proactive search for compromised assets, even before the organization realizes it is under attack. This kind of real-time hunting allows new IOCs to emerge alongside existing IOAs, creating new dynamic patterns that can be used not only during the attack itself, but also afterwards for proactive detection in different networks.
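To make the “modular IOA” idea concrete, here is an added example (not code from the post or from Empow or Carbon Black) that scores hosts against the indicator set of a previous incident. The prior-incident IOA, its component weights, the technique labels, the hashes, domains, host names and telemetry are all constructed placeholders. An exact-match IOA (“the same movie twice”) flags only a host that replays every component; the modular score treats any large enough subset of components as a match, weights a re-used tool or technique more heavily than a C2 domain the attacker can rotate for free, reports which “script variant” actually recurred, and harvests the new C2 value seen alongside the old components so it can extend the IOA.

```python
"""Constructed example: exact-match IOA versus modular IOA scoring.

Every hash, domain, host name and technique label below is made up for
illustration; the weights and threshold are assumptions, not a standard.
"""
from collections import defaultdict
from itertools import combinations

# Constructed IOA recorded from a prior incident. Each key is an IOC class.
PRIOR_IOA = {
    "tool_hash": {"0000000000000000000000000000aaaa"},  # placeholder dropper hash
    "technique": {"powershell-download-cradle"},         # assumed technique label
    "hour_utc": {2, 3},                                  # attacker's usual working window
    "c2_domain": {"cdn-update.example.net"},             # likely to be rotated next time
}

# Assumed weights: re-used tools and techniques are stronger evidence than a
# domain that costs the attacker nothing to replace.
WEIGHTS = {"tool_hash": 3, "technique": 3, "hour_utc": 1, "c2_domain": 1}

# Constructed telemetry as (host, kind, value) triples.
EVENTS = [
    ("ws-17", "tool_hash", "0000000000000000000000000000aaaa"),
    ("ws-17", "technique", "powershell-download-cradle"),
    ("ws-17", "hour_utc", 3),
    ("ws-17", "c2_domain", "metrics-sync.example.org"),  # new C2: the "sequel"
    ("ws-04", "hour_utc", 2),                            # benign overnight job
    ("ws-04", "technique", "scheduled-backup"),
    ("srv-02", "tool_hash", "0000000000000000000000000000aaaa"),
    ("srv-02", "technique", "powershell-download-cradle"),
    ("srv-02", "hour_utc", 2),
    ("srv-02", "c2_domain", "cdn-update.example.net"),   # exact replay
]


def by_host(events):
    """Group telemetry into {host: {kind: set(values)}}."""
    hosts = defaultdict(lambda: defaultdict(set))
    for host, kind, value in events:
        hosts[host][kind].add(value)
    return hosts


def components_present(host_obs, ioa):
    """IOA components whose known values were observed on this host."""
    return {k for k, vals in ioa.items() if host_obs.get(k, set()) & vals}


def exact_match(host_obs, ioa):
    """'Same movie twice': every component of the IOA must recur."""
    return components_present(host_obs, ioa) == set(ioa)


def modular_score(host_obs, ioa, weights):
    """Weighted fraction of the IOA that recurs, in [0, 1]."""
    hit = components_present(host_obs, ioa)
    return sum(weights[k] for k in hit) / sum(weights.values())


def best_variant(host_obs, ioa, min_size=2):
    """Largest subset of components (one 'script variant') fully present on the host."""
    present = components_present(host_obs, ioa)
    for size in range(len(ioa), min_size - 1, -1):
        for combo in combinations(sorted(ioa), size):
            if set(combo) <= present:
                return combo
    return None


def harvest_new_iocs(host_obs, ioa, kinds=("c2_domain",)):
    """Values of rotating kinds seen on the host that the IOA does not yet know."""
    new = {k: host_obs.get(k, set()) - ioa[k] for k in kinds}
    return {k: v for k, v in new.items() if v}


def triage(events, ioa=PRIOR_IOA, weights=WEIGHTS, threshold=0.6):
    """Score every host: {host: (exact_match, score, variant, new_iocs)}."""
    out = {}
    for host, obs in by_host(events).items():
        score = modular_score(obs, ioa, weights)
        new = harvest_new_iocs(obs, ioa) if score >= threshold else {}
        out[host] = (exact_match(obs, ioa), round(score, 3), best_variant(obs, ioa), new)
    return out


if __name__ == "__main__":
    for host, result in triage(EVENTS).items():
        print(host, result)
```

Run stand-alone, the script shows the point of the post: the exact-match IOA catches only `srv-02`, while `ws-17`, which re-uses the tool, technique and time window but has switched C2 servers, scores 0.875 and yields the new domain as a candidate IOC; the host with a single coincidental overlap stays below the threshold and produces no variant of at least two components.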

Think about all the movie sequels you’ve seen over the years. Chances are you could have taken the previous movie and come up with multiple variations for how the sequel might play out. The odds are very good that you’d come up with at least one variation that mapped pretty closely to the actual sequel. (We all could predict Luke Skywalker would come out of exile to save the galaxy in “The Last Jedi,” for example.) Attackers give us the same tools for predicting the sequel as movies do – we just have to start using them.

The post Partner Perspectives: The Target Strikes Back – Predicting the Persistent Attacker appeared first on Carbon Black.
