Are cyber attacks really as advanced as we think? [Q&A]
When organizations suffer a cyberattack, it's often described by them as 'advanced'. But just how good does an attack need to be to breach defenses?
We spoke to Matt Walmsley, head of EMEA marketing at threat detection and response platform Vectra, to find out about the attack landscape, how most attacks aren't actually all that advanced, and how companies can better defend themselves.
BN: Are businesses often overestimating the sophistication of breaches?
MW: When breaches are reported we often focus on the impact as opposed to how and why it occurred. Think about the most successful attacks: are they using state-of-the-art or previously unseen techniques, procedures and tactics?
The answer's no; most are well understood. They are actually being successful not because of the novelty of the methodology they use, but because of their research and their persistence. Persistence trumps novelty.
BN: But some are more sophisticated than others?
MW: If we wanted to rank offensive cyber capabilities then at the top are nation-state level actors like China and Russia. But when it comes to cybercriminals, they want the path of least resistance, the quickest, most effective way they can achieve their goal. Often this will be exploiting things like misconfigurations, small errors that leave systems vulnerable.
This isn't to say that nobody's using zero days and stuff, but that's generally used by the nation-state level in practice. I think below that the vast majority of attacks are opportunistic, just trying to get wherever these criminals are targeting. They're not necessarily using very novel techniques to do it; what they are using is very good intelligence research to identify ways in through social engineering and through vulnerabilities in security hygiene and misconfigurations.
BN: Is there a PR angle going on where people don't want to admit that they've fallen victim to something stupid like a misconfiguration, they'd like to think it's an advanced attack because it makes them look better?
MW: It comes back to perspective: if it's defeated my security capabilities then it's more advanced than they are. When we see breach notifications there's very little public communication around the 'how'; it's more about the impact of the attack.
If you think back to the Equifax breach, which was the subject of a US Senate investigation, forensic analysis of attacks can be a rich source of learning. There are repositories of knowledge like the MITRE ATT&CK framework where people can report details of how attacks have played out so that you can share those common details, and now those kinds of knowledge bases are important.
Organizations' security teams should be thinking about how attacks could play out and asking the question, "With these unknown techniques, how will we spot them today?" Use a tabletop exercise where you hypothesize how it might play out and then how you would have the ability to detect and respond.
BN: Is there a case then for better disclosures, for actually making companies reveal more details of a breach?
MW: There's definitely learning to be had on healthy best practice and helping the profession do it. Again, it's painful sometimes to actually stand there, to look at what happened, particularly if you've been the victim. But there is merit in finding ways to share the learning from that, so we can all improve practice. Because it's a tough job right now: the attackers only have to get it right once, but defenders are expected to be able to get it right every single time.
BN: Isn't this made more difficult by the shift to remote working?
MW: Yes, people are using different devices, they're using VPNs and Remote Desktop. If you're familiar with Shodan you can find that there are, for example, lots of exposed Remote Desktop hosts.
The very rapid pivot to remote working has also made it more difficult for security teams. I've heard of security team members who've actually been pulled out of database security jobs to go and support IT operations.
BN: What can organizations do to be better prepared?
MW: We've heard a lot in the last few years about threat hunting. This is actually an attempt by security teams to get on the front foot. In the past you put up defensive controls and then you attempted, to the best of your ability, to respond to things that bypassed them to get inside; you're reacting to somebody else.
Threat hunting is taking it to the next level, which is actually hypothesizing who may attack you and how they may launch that attack, and actually looking forward. This is not trying to take the attackers out, but it's trying to be proactive inside your own organization.
It's also useful to get information from organizations that do external research, and some you might hear from your industry peers. Combined with the things that you know about your organization, you bring all those things together to try to build up a hypothesis, and then use that to do your threat hunting. Most times you won't find anything. That's not a waste of time, because at least you can come away with a better understanding of your systems and networks.
We can learn from that. We can build capabilities that will stop and defend against these techniques. We can build capabilities to detect attackers as they carry out attacks and help security teams surface the things that really need their attention, give them the context and help them quickly come to a conclusion on whether something is malicious.