[BreachExchange] Decoding The Minds Of Hackers

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 20 19:17:35 EDT 2017


http://www.huffingtonpost.co.uk/chris-pogue/decoding-the-minds-of-hac_b_15421486.html

When I became an officer with the US Army, I was expected to give orders.
Ensuring I gave the right ones meant that I needed to question everything,
and gather as much information as I could in order to come up with the best
possible solution based on the information I had. This was the only way I
could make decisions that would provide the greatest likelihood of success,
while minimising the potential for adverse impact. This way of thinking is
something that stuck with me throughout the remainder of my military
career, and carried over into my career as a civilian, always questioning:
Is there a better way?

In my current life, as a CISO, that means looking at cyber security. Are we
gathering the right information to develop the right solution?

My team and I asked ourselves this question about a year ago, when we
decided that we wanted to put out a cyber threat report.

In looking at existing reports, we discovered most were restricted to
analysing available client data, and therefore only looked at the threat
landscape from the perspective of the victim. So we decided to write
something that was substantively different, focusing our research on
professional hackers and penetration testers - the attackers - thereby
providing a virtually unexplored, yet critical perspective.

What we found was quite contrary to the conventional understanding of
cybersecurity. We learned which security countermeasures actually prevent
breaches, and how organisations identify their presence during an attack.
Some countermeasures that you think will stop an attacker won't even slow
them down. Other defensive techniques that you think are totally arbitrary
actually have a tremendous impact on your defensive posture.

What hackers do

On July 1, 2010, President Barack Obama stated that cyberspace was the
fifth dimension of warfare (the other four being land, sea, air, and
space). What makes this so interesting and unique is that unlike the other
dimensions which are dominated by trained members of the armed forces,
cyberspace is dominated by civilians with little to no training on how to
combat highly trained, motivated, and experienced adversaries.

As a result, year after year we learn that offensive capabilities have far
outpaced defensive capabilities; data breaches are more frequent; and
attacks are growing increasingly complicated. Detection and response are
critically important, yet only marginally effective. So it would seem the
industry's approach to cybersecurity over the past two decades leaves
something to be desired.

According to our report, the majority of professional hackers (88%) said
they could compromise systems in less than 12 hours, and a similar number
(81%) said they could identify and take valuable data within another 12
hours, even though the breach may not be discovered for hundreds of days -
if they're detected at all.

What's more, half of respondents change their attack methodologies every
time they're engaged to compromise a target. Over 70% of respondents to
this survey said they spent more than 11 hours a week bypassing security.
On top of that, 30% spent 6-10 hours a week researching, and a further 22%
spent more than 10 hours a week keeping up with the latest attack trends
and methods, including direct server attacks (favoured by 43%), phishing
(40%), and drive-by and watering-hole attacks (9%).

This means it's pretty much guaranteed that an organisation will suffer a
successful cyberattack, no matter how well-kept the preventative controls
are.

Responding to today's security challenges

If you can't prevent a breach, you must be prepared to survive it. The
number one most effective countermeasure, according to 36% of professional
hackers, was endpoint security. This was followed by intrusion detection
and prevention systems (29%), and firewalls (10%). Only 2% of respondents
were troubled by antivirus. Interestingly, 22% of professional hackers
boasted that no security countermeasures could stop them and that a full
compromise was only a matter of time.

For security decision-makers, this result clearly demonstrates the
importance of defence in depth rather than relying on any single control.
Any individual security control can be defeated by an attacker with enough
time and motivation. However, when an organisation uses a combination of
controls along with security training, education, and processes, the
failure of any single control does not automatically lead to data
compromise.

Know your enemy - and know you're secure

In the 6th century BC, General Sun Tzu wrote: "If you know the enemy and
know yourself, you need not fear the result of a hundred battles. If you
know yourself but not the enemy, for every victory gained you will also
suffer a defeat. If you know neither the enemy nor yourself, you will
succumb in every battle."

In order to protect sensitive data, organisations need to know and
understand their adversary, be trained by experts, and given the proper
tools to allow them the greatest chance of success. They need to understand
that security is more than just a policy on a piece of paper, an antivirus
programme, or a group of professionals sitting in a room scanning log
events.

It's all of the above, and it's piecing everything together in a way that
makes sense. It's their duty to understand the real-life threat landscape.
Without this critical feedback loop, there's no way they'll be able to
address real-life use cases, protect against the latest threats, or adapt
to the latest attack techniques.

Decoding the minds of hackers means we're developing the best solution to
real life circumstances.