Envisioning a Future of Prevention
By Megan Berkowitz
Though it was not disclosed for roughly a year, ride-share company Uber was the victim of a 2016 cyber-attack that led to the exposure of sensitive information of about 57 million users. The attack was orchestrated by accessing data stored by the company on a third-party cloud-based storage platform. The attackers then asked for a $100,000 ransom, which the leadership at Uber paid without reporting the attack or their payment to the relevant governmental authorities. The company reported later, once the details of the attack became public, that the attackers had provided proof that the data was destroyed in exchange for the money; cyber-security experts, however, discourage these kinds of payments.
Earlier, in 2013, the enormous online and brick-and-mortar retailer Target experienced a massive data breach. This hack was executed through the use of a HVAC company’s login credentials, which provided access to the company’s point of sale system thanks to poor separation of sensitive data like payment information from the rest of the company’s network. As a result of this hack, roughly 40 million customers across several different countries had their payment card information jeopardized.
The stories of the Uber and Target cyber-attacks are just some of many in the retail market. Retail companies are, of course, a primary target for cyber-attacks. Adversaries are looking to profit from their attacks, and so hacking organizations – like retail firms – with access to customers’ financial data is a common goal. Especially as increasing focus on Internet of Things (IoT) technology and innovative sales platforms takes hold in the retail sector, the vulnerability to attack is increasing. With increased vulnerability has come increased attempt at exploitation, and some successes that have been very expensive to their victims.
As a result, cyber-security has become an essential part of doing business in the retail industry. Across the industry firms are stepping up their game when it comes to cyber-security. These companies are deploying more and more resources towards cutting-edge technologies like machine learning, artificial intelligence, and orchestration.
An important question to consider, though, is to what strategic ends are these cutting-edge technologies being put. Are they simply bolstering traditional methods of cyber-security, or are they being used for methods of cyber-security that are new and innovative, instead of simply faster or more efficient versions of the same product?
The Incident Response Approach to Cybersecurity
Traditional cyber-security approaches are focused on reporting about intrusions after the fact, in what is known as an “incident response.” What this means is that an adversary – commonly referred to as a “hacker” – finds some way to gain access to a target and compromises it. The target can be accessed through vulnerabilities in web frameworks, internet browsers, or internet infrastructure such as routers and modems. Regardless of how they gain access, once an attacker is discovered, the forensics about the attack, including basic information known as Indicators of Compromise (IOCs) like IP addresses, domain names, or malware hashes, are shared across the cyber-security community. These IOCs are then used broadly to thwart future attacks.
The problems with this approach are twofold: like a canary in a coalmine, someone has to be a victim first so that IOCs can be derived and shared with others; additionally, blocking IOCs has a very short half-life. Most adversaries subscribe to the very feeds that companies subscribe to in order to quickly learn if they have been exposed. All an adversary has to do is come from a new IP address or recompile their malware so that it has a new hash value (both of which are extremely trivial) and their attacks will sail through defenses that depend on IOCs. This after-the-fact methodology consumes a lot of resources and generates a lot of seemingly valuable metrics, but it is ultimately flawed.
Cyber-security teams and adversaries are trapped in an endless loop where the adversary always has the advantage. As hackers repeatedly gain access to valuable systems and data using the same methods, cyber-security teams continue to chase after them to secure compromised systems. While a great deal of effort is put towards understanding as much as possible about the adversary and his methods, only a small amount of that understanding is used, and only to perform the very basic actions described above. Adversaries continue to play chess, strategizing about how to slip past cyber-security teams unnoticed, while those same teams act as though the game is more like tic-tac-toe. Very little cyber-security effort is put towards addressing the methods used by adversaries; instead, security teams are locked in a pattern of waiting for inevitable attacks, trying to minimize the damage they cause, ensuring that remediation occurs as quickly as possible, and blocking only exactly identical attacks.
Planning for the Future of Cybersecurity
As is readily apparent, these current, standard methods of cyber-security are fundamentally flawed. Incident response only helps prevent attacks that exactly replicate past ones. To stem the flow of cyber-attacks and to truly protect against them, the cyber-security industry needs to embrace a paradigm shift. Rather than rely solely on the incident response and recovery methods that have been used for many years, a more proactive, sophisticated approach is needed. It will need to be designed to successfully recognize adversary methodology (and all the manners in which an adversary attempts to obfuscate their methodology) before attacks occur and at a meaningful scale. This kind of approach, when paired with incident response tactics, could provide true security to vulnerable, critical networks.
If the cyber-security world wants to halt dangerous, costly attacks, there is a great need to shift attention towards prevention. Instead of seeking discrete, static IoCs based solely on what has already occurred, proactive cyber-security analysts can instead use the intelligence they have derived about adversaries’ methodologies – commonly referred to as tactics, techniques, and procedures (TTP). From these TTPs, analysts can identify the general form and components of an adversary campaign. In addition, they can determine abstract indicators like how the adversary is attempting to hide his actions. A proactive cyber-security tool would be able to recognize possible adversary TTPs and indicators that describe a threat (or threatening behavior) in general terms. The system would then act on any traffic which met this pattern before it reaches inside a network, as the attack occurs, and do so in a way invisible to adversaries. Using this basic model, a cyber-security tool could truly prevent common exploits before they were executed, and could even predict and protect against future, not yet seen exploits. In addition, this prevention plus response method of cyber-security enables teams to truly take advantage of new, cutting-edge technologies in ways that change the game, instead of simply adding speed (and cost).
A TTP-based cyber-security tool would work in concert with existing incident response, internally-focused cyber-security efforts, adding a layer of prevention over the top of this vital but flawed process.
With these two methods employed hand-in-hand, cyber-security teams can make headway in reducing the number of attacks, and can more quickly and productively respond to attacks that do prove effective.
About the Author