Combating attacks with collaborative threat intelligence
Advanced Persistent Threats (APTs) get most of the attention from the cyber security community because, as defenders, we want to be vigilant against the most insidious techniques. And let’s face it, it’s far more interesting to analyze and discuss sophisticated attack tools, techniques, and profiles. However, this narrow focus ignores a much broader reality. Generally, cyber criminals are as lazy as criminals in the “real world.”
What do I mean by lazy? Attackers will often use the “lowest common denominator” method, launching the same attack against the widest possible range of target IP addresses from the same set of source IP addresses. Even advanced attackers will use a “recycled attack platform” when doing initial reconnaissance against a target or set of targets. This approach results in attackers using:
- The same type of attacks against a wide surface area
- The same toolset (exploits and malware)
- The same set of command-and-control servers (source IPs)
And as long as this approach remains effective and profitable, attackers will continue to be lazy. Unfortunately, the cost to attack and exploit a system is dramatically less than the cost to defend.
The economics of broad-based attacks
Putting aside the incremental costs of exploit kits and the potential legal risk, there is no significant cost to launching an attack. With easy-to-use and readily available exploit kits, an attacker can use a single machine to attack thousands of targets searching for one with susceptible defenses. The cost of acquiring a new target is merely the cost of generating a new random number.
On the other side, each new attack vector requires additional effort on the part of the defender. They must deploy and maintain numerous security controls while also keeping all of their systems updated with the latest security patches. This is a substantial cost that is all too familiar to anyone in the industry.
At this point in time, the advantage is completely on the side of the attacker. While each defender must incur substantial cost to defend their organizations, the attackers can easily find targets that have not paid that price. The question becomes how can we increase the cost that an attacker must pay for each target that they attack? Clearly, the risk of criminal prosecution is a “cost” the attacker incurs. However, the technical difficulty of attribution and the ease of crossing geo-political boundaries complicate prosecution efforts and as a result, this risk remains in the abstract.
Even those attackers who are deploying more targeted, advanced attacks against a specific industry or organization will reuse the same techniques and exploit code in targeted attacks against similar organizations in the same industry. Good examples include “Sykipot” and “Red October” – both of which primarily target defense agencies and governmental organizations. In each of these cases, the original exploit code was developed years ago. And over the years, the code has “evolved” as it’s been reused and repurposed against new victims.
The need for collaborative threat intelligence
Another tool in the attacker’s arsenal is that they are highly adept at sharing information with each other. On hacker forums and other “underground” communities, attack tools and techniques are widely shared, discussed, vetted and promoted. As with any community, there are active rivalries and controversies. However, ultimately, this sharing gives attackers additional resources to be more effective in their efforts.
Clearly, the same collaborative approach is needed for defenders. Remember that “recycled attack platform” used by attackers? Why wouldn’t defenders likewise collaborate on the source, tools and techniques used for these attacks and reap the tremendous benefits of threat sharing? Not to mention that such collaboration among defenders can also increase the costs associated with executing these attacks.
Once an attacker has targeted any member of a collaborative platform, command-and-control servers are easily identified by their IP addresses throughout the network. This means that attackers can no longer benefit from the isolation of their targets; they must use a new IP for each attack that they launch. Instead of being able to launch thousands of attacks from a single IP, they have to pay the cost of acquiring a number of IPs that is proportional to the number of attacks they wish to mount.
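The effect described above, as an added example that is not part of the original article: a constructed replay of attacker traffic against four hypothetical member organizations, first with each member relying only on what it has seen itself, then with a shared pool of reported source IPs. The member names, IP addresses and log format are all constructed for the illustration.

```python
# Constructed simulation of the "Neighborhood Watch" effect; not code from the original article.
# Each record is constructed: "<member> <source_ip> <outcome>". "exploit-attempt" means the
# member's own sensors recognised the attack; "connect" is traffic the member cannot classify alone.
SAMPLE_LOG = """\
org-a 203.0.113.7 exploit-attempt
org-b 203.0.113.7 connect
org-c 203.0.113.7 connect
org-c 198.51.100.9 exploit-attempt
org-a 198.51.100.9 connect
org-d 192.0.2.44 connect""".splitlines()


class SharedIntel:
    """One pool of attacker source IPs that every member contributes to and reads from."""

    def __init__(self):
        self.reported = {}  # source IP -> set of members that reported it

    def report(self, member, ip):
        self.reported.setdefault(ip, set()).add(member)

    def is_known(self, ip):
        return ip in self.reported


def replay(lines, sharing=True):
    """Replay the records in order; return (tally, reported-IP map).

    sharing=False: a member knows only the IPs that have already attacked it directly.
    sharing=True: one member's report makes the IP known to every member at once.
    """
    pool = SharedIntel()
    local = {}  # member -> IPs that member has itself caught attacking it
    tally = {"detected": 0, "blocked": 0, "passed": 0}
    for line in lines:
        member, ip, outcome = line.split()
        known = pool.is_known(ip) if sharing else ip in local.get(member, set())
        if known:
            tally["blocked"] += 1       # stopped on sight; nobody had to detect it again
        elif outcome == "exploit-attempt":
            tally["detected"] += 1      # caught by the member's own controls ...
            local.setdefault(member, set()).add(ip)
            pool.report(member, ip)     # ... and shared so the same IP is burned for everyone
        else:
            tally["passed"] += 1        # attacker traffic that no one recognised
    return tally, pool.reported


if __name__ == "__main__":
    print("isolated:", replay(SAMPLE_LOG, sharing=False)[0])
    print("sharing: ", replay(SAMPLE_LOG, sharing=True)[0])
```

With sharing, the one IP that attacked org-a is blocked at org-b and org-c on first contact, so the attacker has spent an IP to reach a single member, which is the cost increase the article argues for.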
Additionally, an attacker’s tools and tactics become much less effective when defenders collaborate to protect themselves from the attacker. A “Neighborhood Watch” for the Internet makes sense from an economic perspective as well as from an operational one.