What do I mean by lazy? Attackers will often use the “lowest common denominator” method against the widest range of IP addresses from the same source set of IP addresses. Even advanced attackers will use a “recycled attack platform” when doing initial reconnaissance against a target or set of targets. This approach results in attackers using:
- The same type of attacks against a wide surface area
- The same toolset (exploits and malware)
- The same set of command-and-control servers (source IPs).
The economics of broad-based attacks
Putting aside the incremental costs of exploit kits and the potential legal risk, there is no significant cost to launching an attack. With easy-to-use and readily available exploit kits, an attacker can use a single machine to attack thousands of targets searching for one with susceptible defenses. The cost of acquiring a new target is merely the cost of generating a new random number.
On the other side, each new attack vector requires additional effort on the part of the defender. They must deploy and maintain numerous security controls while also keeping all of their systems updated with the latest security patches. This is a substantial cost that is all too familiar to anyone in the industry.
At present, the advantage lies entirely with the attacker. While each defender must incur substantial cost to defend their organization, attackers can easily find targets that have not paid that price. The question becomes: how can we increase the cost an attacker must pay for each target they attack? Clearly, the risk of criminal prosecution is a “cost” the attacker incurs. However, the technical difficulty of attribution and the ease of crossing geo-political boundaries complicate prosecution efforts, and as a result this risk remains largely abstract.
Even attackers who deploy more targeted, advanced attacks against a specific industry or organization reuse the same techniques and exploit code against similar organizations in the same industry. Good examples include “Sykipot” and “Red October” – both of which primarily target defense agencies and governmental organizations. In each of these cases, the original exploit code was developed years ago, and over the years the code has “evolved” as it has been reused and repurposed against new victims.
The need for collaborative threat intelligence
Another advantage attackers hold is that they are highly adept at sharing information with one another. On hacker forums and other “underground” communities, attack tools and techniques are widely shared, discussed, vetted and promoted. As with any community, there are active rivalries and controversies. Ultimately, however, this sharing gives attackers additional resources to be more effective in their efforts.
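As an added illustration (not part of the original article) of why pooling observations counters the reuse of source IPs and toolsets described above: with constructed log entries from three hypothetical organizations (org-a, org-b, org-c) and RFC 5737 documentation addresses standing in for real indicators, each defender alone sees only a single probe per source, while the pooled view exposes the sources that are being recycled against several of them.

```python
from collections import Counter, defaultdict

# Constructed sample events, one tuple per observed probe:
# (reporting organization, source IP, attack signature seen).
# IPs are RFC 5737 documentation addresses, not real indicators.
SHARED_EVENTS = [
    ("org-a", "203.0.113.7",  "ssh-bruteforce"),
    ("org-b", "203.0.113.7",  "ssh-bruteforce"),
    ("org-c", "203.0.113.7",  "exploit-kit-landing"),
    ("org-a", "198.51.100.4", "web-scan"),
    ("org-b", "198.51.100.4", "web-scan"),
    ("org-a", "192.0.2.9",    "web-scan"),         # seen by one org only
    ("org-c", "192.0.2.22",   "ssh-bruteforce"),   # seen by one org only
]

def local_hits(events, org):
    """What one defender sees alone: probes per source IP in its own logs."""
    return Counter(src for o, src, _ in events if o == org)

def recycled_platforms(events, min_orgs=2):
    """Pool every participant's logs and return the sources seen at
    >= min_orgs organizations, with the organizations hit and the
    signatures each source used (the 'same IPs, same toolset' pattern)."""
    seen = defaultdict(lambda: {"orgs": set(), "signatures": set()})
    for org, src, sig in events:
        seen[src]["orgs"].add(org)
        seen[src]["signatures"].add(sig)
    return {src: rec for src, rec in seen.items() if len(rec["orgs"]) >= min_orgs}

if __name__ == "__main__":
    # Alone, org-a sees one probe from each source: indistinguishable from noise.
    print("org-a alone:", dict(local_hits(SHARED_EVENTS, "org-a")))
    # Pooled, the recycled platforms stand out.
    for src, rec in recycled_platforms(SHARED_EVENTS).items():
        print(src, "hit", sorted(rec["orgs"]), "using", sorted(rec["signatures"]))
```

Raising min_orgs trades recall for precision: at 3 only the source that hit every participant remains.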