From DDoS to bots and everything in between: Preparing for the new and improved attacker toolbox
A quick glance at global headlines shows a new breach, ransomware, DDoS, or bot attack on a near-daily basis. Orchestrating these attacks and selling hacking tools has become a lucrative business strategy for those on the dark side. Much of the increased success of attacks can be attributed to how threat actors and cybercriminals have industrialized their toolboxes to remain one step ahead of defenses and stay off radar.
As defenses improve, attackers have also found a way to always remain at least one step ahead of their targets. Much like sappers getting behind enemy lines to attack and destroy critical infrastructure, threat actors know how to avoid tripwires and stay below the threshold of detection while initiating an attack. Low and slow attacks are now the name of the game, and as a result, cybercriminals are more successful and productive than ever before.
To counter those efforts, organizations need to gain a better understanding of the new attacker toolbox and employ solutions that take a more holistic view of defense.
A blended attack approach is proving successful
A common thread is evident in modern attacks: attackers increasingly rely on a blended approach of tools and techniques that aren’t immediately – or easily – recognized by traditional and/or point perimeter defenses. A few examples of what these blended attacks could look like:
Militarized attack patterns
Companies or organizations within the same vertical (e.g., credit unions) are at risk of getting caught in the crosshairs of a single APT. In this instance, attackers will profile one credit union and use that knowledge to attack other credit unions with a similar tech stack. This is possible because so many organizations use the same software and are thus susceptible to the same vulnerabilities.
Low and slow
Attackers play the long game. They understand how much pressure a tripwire can sustain before it trips. Attackers often spend a significant amount of time (months or even more) poking around the edges of an organization to see what the thresholds are. As a second phase, they will meter their attack to come in under that threshold and go after high-profile assets.
This is becoming more common in DDoS attacks and ransomware attacks. Attackers occupy the attention of an organization’s security team with a DDoS attack, and then they interleave the “real” attack against other assets.
These blended, mixed mode attacks are difficult for organizations to get a handle on, which is one of the reasons these methods often succeed. Organizations are left feeling like they are playing a never-ending game of whack-a-mole while trying to proactively shore up their security.
Making matters more difficult is that many organizations rely on outdated defense strategies and point products that focus on blocking a single variant of an automated attack. These tools were developed to do one thing and aren’t cutting it anymore. It is time for organizations to take a new approach or suffer the consequences of outdated defense strategies.
A new era of threats requires a new era of solutions
To protect themselves, organizations need to take a step back to gain a wide-angle view of their defenses against cyberthreats. Defenses that only alert or stop one method will leave organizations exposed to others. Understanding the context behind attacks gives security teams the insight to monitor and block suspicious behavior and mount a more holistic defense.
Further, it is important to take an attacker-centric approach to defense. This mindset shift is more proactive than reactive and ensures attackers are both identified and tracked, even if their IP or identifying traits morph. This approach allows for adaptive enforcement and action in which attackers, both human and non-human, are systematically confronted to understand their intent. These actions could include blocking entities, interrogating, and mitigating, or tarpitting suspicious traffic.
The good news is that while the nature of cyberthreats has evolved over the years, so have cybersecurity defenses. It is imperative that organizations choose defense techniques that provide solutions for the modern problems they face. The best way to remain an easy target is to remain static by using outdated defense techniques.
How will you prepare for the new and improved attacker toolbox?