Why hackers are more persistent than security teams

March 11, 2020
Identifying the threat actor can significantly inform the nature of the response

Companies are spending more money than ever before on cybersecurity. Since 2010, overall budgeting has ballooned by 141 percent, with worldwide spending on information security products and services reaching an estimated $124 billion. Yet, given this massive increase in spend and attention, breaches and incidents seem to be more prevalent than ever before. How could this be?

Less Than Sophisticated

Many of the threat actors launching malicious campaigns are operating through surprisingly rudimentary means. More often than not, a simple set of tools and techniques is all hackers need. Instead of developing sophisticated zero-day exploits, many such threat actors work to coordinate many less innovative attacks on lower value targets. In other words, what gets them through – and the reason they continue to be so successful – is that they are simply more persistent and creative than their victims.

By trawling exfiltrated user data already available on a variety of forums on the surface, deep and dark web, even the most modestly trained script kiddies can employ automated routines to discover vulnerabilities. When it comes to these more basic attacks, the prevailing gambit is largely a volume game – teams of cybercriminals scour the Web for the least protected networks using open source tools and try to exfiltrate anything of value. Unfortunately, basic cybersecurity hygiene remains an enormous problem for many organizations – misconfigured firewalls, misconfigured cyber toolsets, even basic email security is often lax. At scale, with enough targets, enough value is secured, and according to a Clark School study at the University of Maryland, a cyberattack occurs every 39 seconds.

Increasingly, for these threat actors even small companies that might only be guarding employee records or a small set of customer usernames and passwords are becoming worthwhile targets, because the hackers are largely employing a “smash and grab” approach. At the same time, as a result of the frequency of these easily remediated, lower sophistication, lower impact attacks, some companies may not take each one as seriously. But that assumption is a dangerous one.

In For The Long Haul

Many more sophisticated threat actors utilize a “low-and-slow” approach, whereby operators attempt to maintain long-term access and persistence on targets. In other words, these aren’t just hit and run attacks – the break-in is just the first penetration. One of the most important metrics for evaluating such threats looks at mean “dwell time,” or the amount of time during which an attack goes undetected. According to one report from Booz Allen Hamilton, cybersecurity dwell times may last between 200-250 days before discovery. Sleeper cells of bad actors may evade detection during too-cursory remediation, persist on a network for months or even years on end, and continue to silently move laterally to coveted accounts and users, spy on business activity, install malicious tools, or even exfiltrate data. The most talented groups compromise the infrastructural integrity of an organization’s security and cover their tracks cleverly to avoid detection. In many instances, extracting monetizable value is the truly difficult part and takes the most time – but breaking in is comparatively easy. In some instances, nation-state adversaries will develop destructive disk wiping code in order to completely cripple their target – see Sony and the Sands Casino in 2014.

It’s therefore not enough to simply classify an attack based on the malware deployed – it’s important to leverage other intelligence to try to determine the identity of the threat actor. It’s a much bigger deal for your organization if a sophisticated lock picker is on your network than if it’s only a script kiddie looking for an unlocked door.

In fact, the Hollywood stereotype of the lone hacker in a basement is an image that continues to undermine how businesses and corporations act and react with respect to data security. The reality is that many of these threat actors operate in highly organized groups, similar to a professional office environment. For many of these organizations, their approach to criminal activity is much like how a business would approach its lawful commercial activity. This means that a typical threat is unlikely to be the effort of a single lone hacker; many threats represent the effort of teams of individuals, working in shifts and cooperating in their attempts to exfiltrate and extort.

Threats From Nation-States

What’s worse, many of these operations function like military units under the aegis of foreign nation-states. Fancy Bear, for instance, is as famous as any of these groups, but many others operate out of countries such as China, Iran, and North Korea. As a result, these threat actors are not only driven by profit incentives but receive resources and aid far in excess of what typical criminals are able to muster. Then, to add insult to injury, businesses and corporations are shamed for being unable to guard against such actors.

There are several ways to combat such threats, ranging from investments in the most advanced endpoint protection to changes in network architecture to obfuscation techniques to deception operations like honeypot traps. However, the nature of the appropriate solution depends very much on the nature of the adversary.

Different threat actors may use the same tools and techniques, so simply identifying the vulnerability or malware used for an attack will give little indication of how serious that attack is. However, if you are armed with adversary intelligence, you can more easily identify the nature of the threat, the possible attack vectors and vulnerabilities, the tools and attack methods of the adversary, and the solutions for fortifying defense. What’s more, it will help to indicate which network data is most likely to have been compromised or is most likely to be sought after by the attacker.

Know Thine Enemy

Maintaining quick access to such intelligence can allow a company to greatly reduce their response time. This is especially important due to the nature of persistent threats as, given the large mean dwell times, threat actors often have several months before they lose operability within networks. That’s a startlingly long time before a business can reliably begin their internal audit and remediation efforts. However, by knowing the adversary, threat vectors can be more quickly examined, jumpstarting the process of investigation and mitigation.

In order to better equip ourselves to guard against crippling cyberattacks, it has become increasingly important to understand our adversaries. All attacks are not equal and identifying the threat actor can significantly inform the nature of the response. Informed mitigation and response begin with truly understanding who is attacking you and how they’re doing it.

About the Author:

Amyn Gilani is the Vice President of Product at 4iQ, a Los Altos-based adversary intelligence and attribution analysis company.