Write. Once these intruders have surveyed the organisation's infrastructure, the attackers then create targeted, context-aware malware. Examples we have seen include malware that detects whether it is running in a sandbox and behaves differently than it would on a user system, malware that checks for language pack installation before execution (as in the case of Flame), and malware that takes different actions depending on whether it is on a corporate or a home network. Attackers will extend surveillance activities to capture important details about where the assets are and how to reach them. Specific organisations, applications, users, partners, processes and procedures are targeted.
Test. In this step, the workings of the malware are checked. Malware writers have deep pockets and well-developed information-sharing networks. These skilful malware writers recreate the target environment and test the malware against the organisation's technology and security tools to make sure it gets through defences undetected, in effect following software development processes like QA testing or bench testing. This approach is so reliable that malware writers are now offering guarantees that their malware will go undetected for six or even nine months. This is the true industrialisation of hacking.
Execute. Remember that we are not talking about the old days, when attackers were in it for the publicity. The financial incentives for secrecy are far greater than the glory. Attackers navigate through the extended network, environmentally aware, evading detection and moving laterally until they reach the target.
Accomplish the mission. Sometimes the end game is to gather data; in other cases it is simply to disrupt or destroy. Whatever it is, attackers have more information and a targeted plan of attack to maximise the success of their mission. Once the mission is complete, these skilled intruders will remove evidence of their activity but maintain a beachhead for future attacks.
When in Rome, do as the Romans - In this case, think like an attacker.
Given this attack chain, what can defenders do to strengthen their defences? It is clear that attackers are taking advantage of three key capabilities to hone their missions. Defenders must use these very same capabilities to better protect against attacks, including:
1. Visibility: Attackers have full visibility of the IT environment, and so must organisations. To protect your organisation more effectively you need a baseline of information across your extended network (which includes endpoints, mobile devices and virtual environments), with visibility into all assets, operating systems, applications, services, protocols, users and network behaviour, as well as potential threats and vulnerabilities. Seek out technologies that not only provide visibility but also offer contextual awareness, correlating large amounts of data specific to your environment so that security decisions are better informed.
2. Automation: Companies need to work smarter, not harder. Hackers are using automated methods to simplify and expedite attacks, and manual processes are inadequate to defend against them. Organisations need to make use of technologies that combine contextual awareness with automation to optimise defences and resolve security events more quickly. Policy and rule updates, enforcement and tuning are just a few examples of processes that can be intelligently automated to deliver real-time protection in dynamic threat and IT environments.