Threat Level ‘DNA Immunity’: Mapping and Prioritising Controls through Threat Modelling

Everyone is at risk of being hacked. In fact, the last few years have seen some of the biggest high-end data breaches of large companies to date. The trend signifies a large increase in attacks from ‘trusted insiders’ or threat actors, aided by the increased availability of underground offensive security technology. Malicious actors can now use attack toolkits of sorts to create a new threat rather than developing their own, drastically reducing the cost of their endeavours. Cost reduction appears to be a central driving force in the overall growth in cybercrime. It is easy to see why when Trustwave estimates a 1,425 per cent return on investment for a single malware campaign.

The challenge: landscape of Trojan shortcuts for targeted attacks and insider threats

Today it is common for malicious actors to concentrate their efforts on infiltrating organisations rather than on developing new malicious code. Taking existing malicious code and altering it to evade detection, or shopping for ‘fully undetectable’ threats in the underground markets, creates a ‘lower entry barrier’ to instigating an attack. Reducing the skills required to launch an assault, combined with targeted execution, increases the probability of a threat succeeding and resulting in a data breach. On the other hand, a ‘trusted insider’ who already has authorised access to business data can cause as much damage by causing a breach deliberately or accidentally.

The lure: low cost ‘basic attacks’ precursors for ‘main ingredient’ attacks

Many attacks will target the ‘low hanging fruit’ first, for example a basic email assault loaded with a modified malware component. A malware type being identifiable does not actually mean it can be detected. Recent research by CERT-UK shows that ‘older’ threats (think the Conficker worm or the Zeus Trojan) remain a huge problem for most companies. Initial email-based, basic attacks are not only easy and cheap to implement but can be deployed broadly and repeated as often as required. An attack like this often takes the form of a phishing email, utilising a broad set of social engineering tricks that encourage the target to click on a link or open a file. A 2015 Verizon report highlights that 23 per cent of employees will open phishing emails, with a further 11 per cent actually opening an attachment.

The ‘DNA’ of an attack is always the same

Cyber attacks, or any sequence of actions that may result in a breach, can be reduced to a number of principal steps that the adversary or a ‘trusted insider’ can take to compromise data. These are the steps:

  1. Network Access – utilising network access (pre-condition to the attack)
  2. Reconnaissance – gathering information on potential targets on the network
  3. Delivery – delivering a malicious payload to the target
  4. Exploitation & Install – exploiting and installing a malicious component on the target
  5. Remote Control – getting the payload to carry out the desired action
  6. Data – impacting data confidentiality, availability and/or integrity

The ‘DNA’ of an attack is, in essence, the offensive path taken by the attacker to compromise data. Although this chain of events is typical of the ‘adversarial’ type of threat, it also applies to a trusted insider: all of the steps above form the ‘DNA’ of attacks, but a given attack may use only a subset of them, or even just one. A ‘trusted insider’ who already holds access to the data needs only the final ‘Data’ step in the kill chain, since the earlier steps are not required to reach data they are already authorised to access.

One critical question stems from prototyping attacks as above: ‘If the ‘DNA’ of an attack is well known and discussed, then how come data breaches still occur? How can we stop attacks utilising this crucial information?’

The trend: security teams to adopt offensive security skills and approach

The ability to recognise threats that penetrate the network and to align threat information to the kill chain is crucial to improving the security posture of the organisation. It allows security teams to prioritise and invest their time in improving controls in weaker areas of protection, while focusing with confidence on areas that they know can produce high-severity security incidents. A hands-on ‘offensive security’ approach that maps real attack information to the attack kill chain ‘DNA’ has proven very popular, as it parallels the way threats actually work.

Controlling your security destiny through a model mapped to the way threats work

Cyber attacks and data loss occur all the time. You can imagine ‘kill chains’ of offensive security bursting into space and disappearing when they are either complete or broken. One effective way to combat these constantly occurring ‘kill chains’, and to create visibility of them, is the ‘Threat Modelling’ approach.

Threat modelling breaks all attacks down into a small number of principal stages that threats have to traverse to reach their goal. It then allows the efficacy of business controls to be measured against each stage. Whether the source of an attack is an adversary or an internal trusted employee, the stages in sequence, i.e. the ‘DNA’ of a threat, will always be constructed of the same building blocks and will attempt to result in the compromise of data.

Applying and measuring controls at each stage of the kill chain reduces risk and increases overall resilience against all threat types. Constantly improving and perfecting the model can help a business reach ‘Threat level DNA immunity’, where different types of threats, from complex to advanced, can be stopped in their tracks. Threat modelling gives the business visibility of the strengths and weaknesses of its security controls. Because this visibility is mapped to the ‘DNA’ of all potential paths to a data breach, the business can control ‘their own destiny’ and prioritise which types of security controls need focus to increase overall resilience against all types of threats.
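The mapping described above can be made concrete as a small scoring model. This is an added example, not part of the original article: the control names, the efficacy figures and the assumption that controls fail independently are all constructed for illustration, and the numeric scoring goes beyond what the article itself specifies.

```python
from math import prod

# The six stages the article lists, in order.
STAGES = ["Network Access", "Reconnaissance", "Delivery",
          "Exploitation & Install", "Remote Control", "Data"]

# Constructed sample data: (control, stage it acts on, estimated chance it stops a threat).
CONTROLS = [
    ("network segmentation",   "Network Access",         0.5),
    ("email filtering",        "Delivery",               0.6),
    ("endpoint protection",    "Exploitation & Install", 0.7),
    ("egress filtering",       "Remote Control",         0.4),
    ("data access monitoring", "Data",                   0.3),
]

# Stages each threat type must traverse; the insider needs only the last one.
PATHS = {"external adversary": STAGES, "trusted insider": ["Data"]}

def stage_residual(stage, controls):
    """Chance a threat passes a stage: every control mapped to it must miss.
    Assumes controls fail independently; an uncovered stage returns 1."""
    return prod(1 - eff for _, st, eff in controls if st == stage)

def path_risk(path, controls):
    """Chance a threat completes every stage on its path."""
    return prod(stage_residual(s, controls) for s in path)

def total_risk(controls, paths=PATHS):
    return sum(path_risk(p, controls) for p in paths.values())

def uncovered_stages(controls):
    covered = {st for _, st, _ in controls}
    return [s for s in STAGES if s not in covered]

def prioritise(controls, paths=PATHS, uplift=0.2):
    """Rank stages by how much total risk falls if one more control of
    efficacy `uplift` (a hypothetical investment) is added at that stage."""
    base = total_risk(controls, paths)
    gain = {s: round(base - total_risk(controls + [("candidate", s, uplift)], paths), 6)
            for s in STAGES}
    return sorted(gain.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print("uncovered:", uncovered_stages(CONTROLS))
    for name, path in PATHS.items():
        print(f"{name}: {path_risk(path, CONTROLS):.4f}")
    for stage, gain in prioritise(CONTROLS):
        print(f"{stage:24s} risk reduction {gain:.5f}")
```

With this sample data the ‘Data’ stage ranks first because it is the only stage on both paths, and ‘Reconnaissance’ is reported as having no control mapped to it at all.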

There is a prevailing trend that “the advanced threat of today will be the ‘basic’ attack of tomorrow”. The threshold to conduct successful attacks is constantly decreasing, and threats always manage to keep one step ahead of ever-evolving prevention technology. Companies must shift their thinking to accept that although breaches can occur, adopting the ‘Threat Modelling’ approach can protect their assets from basic to advanced threats alike and can offer resilience for years to come. If this new mindset is harnessed to deploy new technology and processes that adapt to this trend, with protection built on the way threats actually work, the increase in potential breaches could be turned into a source of positive momentum for security policies for years to come.