Combating attacks with collaborative threat intelligence
by Jaime Blasco - Director of Research, AlienVault Labs - Monday, 1 July 2013.
Advanced Persistent Threats (APTs) get most of the attention from the cyber security community because, as defenders, we want to be vigilant against the most insidious techniques. And let’s face it, it’s far more interesting to analyze and discuss sophisticated attack tools, techniques, and profiles. However, this one-sided mindset ignores a much broader reality. Generally, cyber criminals are as lazy as criminals in the “real world.”

What do I mean by lazy? Attackers will often use the “lowest common denominator” method against the widest range of IP addresses from the same source set of IP addresses. Even advanced attackers will use a “recycled attack platform” when doing initial reconnaissance against a target or set of targets. This approach results in attackers using:
  • The same type of attacks against a wide surface area
  • The same toolset (exploits and malware)
  • The same set of command-and-control servers (source IPs)
And as long as this approach remains effective and profitable, attackers will continue to be lazy. Unfortunately, the cost to attack and exploit a system is dramatically less than the cost to defend.
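The reuse described above is exactly what gives defenders leverage once they pool observations. The following is an added example, not code from the article or from AlienVault: several organizations contribute the source IPs they saw probing them, only indicators reported by multiple independent contributors are promoted, and a new participant's log is then matched against that shared set. All organization names, IP addresses and log lines are constructed.

```python
# Added example: pooling source-IP sightings across organizations.
# Because attackers reuse one source set against many targets, an IP
# reported by several independent orgs is a far stronger indicator than
# one seen at a single site. All orgs, IPs and log lines are constructed.
from collections import defaultdict
from ipaddress import ip_address

# Constructed sightings: (reporting org, source IP, event type)
REPORTS = [
    ("org-a", "203.0.113.10", "exploit-kit landing"),
    ("org-b", "203.0.113.10", "exploit-kit landing"),
    ("org-c", "203.0.113.10", "scan"),
    ("org-a", "198.51.100.7", "scan"),
    ("org-a", "198.51.100.7", "scan"),   # same org again: not independent
    ("org-b", "192.0.2.44", "brute-force"),
    ("org-d", "192.0.2.44", "brute-force"),
    ("org-c", "bad-ip", "scan"),          # malformed entry, skipped
]

def build_reputation(reports, min_orgs=2):
    """Return {ip: set(orgs)} for IPs reported by >= min_orgs distinct orgs.
    Counting distinct organizations, not raw events, keeps one noisy
    contributor from promoting an indicator on its own."""
    seen = defaultdict(set)
    for org, ip, _event in reports:
        try:
            ip_address(ip)            # reject malformed indicators
        except ValueError:
            continue
        seen[ip].add(org)
    return {ip: orgs for ip, orgs in seen.items() if len(orgs) >= min_orgs}

def match_log(log_lines, reputation):
    """Flag log lines whose 'src=<ip>' field is a shared indicator.
    Returns [(ip, number_of_reporting_orgs, line)]."""
    hits = []
    for line in log_lines:
        for field in line.split():
            if field.startswith("src=") and field[4:] in reputation:
                hits.append((field[4:], len(reputation[field[4:]]), line))
    return hits

# Constructed log from a new participant (timestamp src= dst= uri=)
NEW_ORG_LOG = [
    "2013-07-01T09:00:01 src=203.0.113.10 dst=10.0.0.5 uri=/index.php?q=1",
    "2013-07-01T09:00:02 src=10.0.0.9 dst=10.0.0.5 uri=/",
    "2013-07-01T09:00:03 src=198.51.100.7 dst=10.0.0.5 uri=/admin",
]
```

Run with `build_reputation(REPORTS)` and `match_log(NEW_ORG_LOG, ...)`: only 203.0.113.10 is flagged, because 198.51.100.7 was seen by a single organization and never crossed the sharing threshold.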

The economics of broad-based attacks

Putting aside the incremental costs of exploit kits and the potential legal risk, there is no significant cost to launching an attack. With easy-to-use and readily available exploit kits, an attacker can use a single machine to attack thousands of targets searching for one with susceptible defenses. The cost of acquiring a new target is merely the cost of generating a new random number.

On the other side, each new attack vector requires additional effort on the part of the defender. They must deploy and maintain numerous security controls while also keeping all of their systems updated with the latest security patches. This is a substantial cost that is all too familiar to anyone in the industry.

At this point in time, the advantage is completely on the side of the attacker. While each defender must incur substantial cost to defend their organization, attackers can easily find targets that have not paid that price. The question becomes: how can we increase the cost an attacker must pay for each target they attack? Clearly, the risk of criminal prosecution is a “cost” the attacker incurs. However, the technical difficulty of attribution and the ease of crossing geo-political boundaries complicate prosecution efforts, and as a result this risk remains abstract.

Even those attackers who are deploying more targeted, advanced attacks against a specific industry or organization will reuse the same techniques and exploit code in targeted attacks against similar organizations in the same industry. Good examples include “Sykipot” and “Red October” – both of which primarily target defense agencies and governmental organizations. In each of these cases, the original exploit code was developed years ago. And over the years, the code has “evolved” as it’s been reused and repurposed against new victims.

The need for collaborative threat intelligence

Another tool in the attacker’s arsenal is that they are highly adept at sharing information with each other. On hacker forums and other “underground” communities, attack tools and techniques are widely shared, discussed, vetted and promoted. As with any community, there are active rivalries and controversies. However, ultimately, this sharing gives attackers additional resources to be more effective in their efforts.
