J Wolfgang Goerlich's thoughts on Information Security
How advanced are advanced attacks?

By wolfgang. 14 October 2011 10:14

Let's put politics aside for the moment and focus on why so many organizations label their attacks as sophisticated. What makes an attack appear to be advanced and persistent?

It truly is all about appearances. We have years of data now from threat reports such as Microsoft's and Verizon's. The reports continue, year after year, to show the same basic truth. Most attacks were due to relatively simple things, like misconfigurations or missing patches. Most attacks are not discovered for weeks to months. When discovered, they are cleaned up in a relatively straightforward process. If that is the case, then why would an attack appear advanced?

It is the law of uphill analysis and downhill invention. Valentino Braitenberg coined the phrase in his book Vehicles. The law is one of the reasons an attacker has an asymmetrical advantage over a defender. Like going downhill versus going uphill, it is much easier to implement something in technology than it is to figure out what happened based on the result.

Things generally seem more complicated at first. Think of any recent troubleshooting incident. Pick a particularly stressful situation. Your team is calling you with updates. Your management is calling you for updates. Other business units are calling you to stress the importance of a quick resolution. Your management's management is calling you to check in. With all that distraction, you are trying to piece together what has happened.

Did it seem a particularly challenging event? Did it seem almost insurmountable? And yet, I wager, the root cause was something simple. When all was said and done, when the fog cleared, when all the facts were at hand, the problem turned out to be a sequence of simple events. Such problems usually are.

The law of uphill analysis and downhill invention is at work in security incidents. More so, too, because here the attacker is actively working to subvert your investigation. Sure, it was just a spearphishing email that planted a backdoor on the network. But at the time, to the people inside, all they knew was that the attacker was seemingly everywhere inside the perimeter at once. It takes quite a bit of time, training, and effort to work backwards.

What do I hear when someone says it was an advanced persistent threat? It was persistent because it took the organization a long time to detect the attack. It was advanced because it took the security team a lot of effort to figure out what the attacker did. The threat is in overexaggerating what it takes to defend a network.


Tags:

Security
