What Are the Threats? - Crafting the Infosec Playbook (2015)


Chapter 3. What Are the Threats?

“By heaven, I’ll make a ghost of him that lets me.”

Hamlet, William Shakespeare

It’s 5 p.m. Friday, the last night of your on-call rotation as an incident investigator. You’ve just shut down for the weekend, and as you’re about to leave the office, your mobile buzzes with a text message: “IT-OPS: Sev5 Possible production FTP server compromise. Ongoing conf call.” You jump on the telephony bridge to learn that some sysadmins were troubleshooting a failed FTP server on one of their externally facing hosts. After remotely rebooting the server, they were unable to log into the host. A sysadmin in the datacenter connected to the local console of the host and encountered a large text box like the one shown in Figure 3-1.

The instructions detail how to wire the criminals the $5,000 ransom via Western Union, MoneyGram, or the now defunct Liberty Reserve, along with amateurish assurances that the cryptography could not be broken, and that they’ll take no mercy on your data. Immediately, thoughts start running through your head as you jump into the incident lifecycle: How did the host get infected with ransomware? Is our customer data encrypted? Are there other infected or similarly vulnerable hosts? What customer-facing services are now offline with this host out of commission? Why didn’t I leave work 10 minutes earlier?


Figure 3-1. Ransomware screenshot

Before finally heading out for the weekend, you have the sysadmin shut down the host (it’s already been rebooted anyway) and send you the hard disks for investigation. Later, when you receive the disks, forensics will reveal that the extortion attempt was the last in a long line of ways the attackers had abused the compromised host over the previous months. Their activities up to the ransomware installation included:

§ Stealing the local password file

§ Attacking other Internet hosts

§ Selling proxy services through the machine

§ Spamming (both email and SMS through a web service)

§ Downloading every file on the server, including customer data

§ Installing new software

§ Obtaining online retail purchases, likely with stolen credit card information

§ Applying for personal loans with stolen credentials

§ Purchasing lodging for a vacation trip in Eastern Europe

Your investigation will find that the attackers initially guessed the host’s weak FTP admin password, and incredibly, successfully reused it to authenticate and log in to the host as an administrator through the Remote Desktop Protocol (RDP).

This FTP server incident example highlights attackers acting opportunistically, exploiting a specific weakness and running wild. Defending against these threats (and others) to your organization requires understanding the attacker’s motivation and intention to profit by compromising your network, systems, or data.

In this chapter, we’ll focus on the need for understanding the nature of attacks and attackers, and why any computing resource or service is a target. We’ll explain:

The method of attackers

Constantly shifting and adapting tactics to stay profitable and resilient.

The motivation of attackers

What you have to lose that criminals and dedicated attackers want.

After you understand how an attacker’s modus operandi can cause your organization serious harm, whether financially, reputationally, or materially, you will be better prepared to develop methods to detect and prevent them. Beyond just understanding the technical details of an attack, you have to factor in situational awareness and nontechnical threats to your organization. Developing detection that’s precise, comprehensive, and up-to-date will refine your monitoring and deliver better results.

“The Criminal Is the Creative Artist; the Detective Only the Critic”

Remember the “I Love You” worm from 2000? Hundreds of thousands of email messages went out around the globe with an attachment named LOVE-LETTER-FOR-YOU.txt., most purporting to be from contacts in your address book. Who could turn down a love letter addressed directly to you from someone you know? Naturally, this was a hugely successful worm campaign, installed through a Visual Basic script (VBS) the victim executed when trying to read their “love letter.” The attack was so successful that many organizations simply (temporarily) shut down their email services to prevent further spread. In subsequent years, system administrators and software vendors addressed some of the major problems that led to this particular worm’s success. Specifically, they began distrusting VBS as an email attachment type and added checks in email clients to ensure that these types of files are not opened without a warning or prompt. It seemed like the attackers had been foiled—until they switched to other file formats and other effective social engineering methods.

Attackers loved Windows XP due to the operating system’s susceptibility to buffer overflow attacks. They could easily overwrite sections of memory on a target’s system and execute code, often with default administrator-level access. These problems (among other issues) led to a chain of damaging worms. In quick succession, there were SQL Slammer, Blaster, Nachi, Gaobot, and Sasser worms—all based on Microsoft vulnerabilities. This chain of worms prompted Microsoft (with Windows XP service pack 2) to reduce permissions on listening network services and turn on a firewall by default. Additionally, Microsoft hardened the OS by restricting access to system directories by normal users. Eventually, with Windows 7, Microsoft added memory overwrite protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to newer versions of Windows. It seemed like the attackers had been foiled—until they switched to different methods for memory overwriting, like return-oriented programming (ROP), and continued to search for loopholes in the default security configuration to abuse as quickly as possible before they were patched.

After Microsoft had raised the bar so that almost every easy avenue of attack was eliminated, infiltrators turned to accessory plug-in software like Acrobat, Flash, and Java, which hadn’t received the same level of security development scrutiny as Windows. Oracle’s Java Runtime Environment (JRE) plug-in allows Java applications to launch from the browser and run on the local system. This plug-in seems almost ubiquitous, with millions of installations. Understanding the widespread installation base of Java, as well as recognizing a seemingly unending supply of vulnerabilities, attackers targeted Java with numerous exploits. Every time Oracle released a new version of JRE, attackers would release previously unpublished vulnerabilities. The Java vulnerability/exploit cycle proved highly profitable for many criminal enterprises, and Java attacks were a staple in all the well-respected criminal exploit kits. According to a Cisco Global Threat Report, in just one month in 2013, 95% of exploits encountered on the Web targeted Java. Oracle finally responded to the rash of Java vulnerabilities by adding additional sandbox and other security protections, while many operating system and browser vendors decoupled or disabled the in-browser Java plug-in unless explicitly enabled by the client. Java-borne infections dropped dramatically across the globe. It seemed like the attackers had been foiled—until they switched their focus again to attacking other browser plug-ins like Adobe Flash, Adobe Reader, and Microsoft Silverlight.

Saboteurs intent upon disrupting their enemies or causing general chaos have taken to DDoS attacks to shut down their victims. Volumetric DDoS (VDDoS) attacks—where an attacker exhausts his victim’s network resources—are now the norm. User Datagram Protocol (UDP) amplification attacks are an efficient and effective method of VDDoS. The amplification occurs when a relatively small request to a particular service from a spoofed source address generates a disproportionately large response. In terms of amplification factor, a misconfigured NTP server is the most efficient. In terms of popularity, due to its prevalence and availability, attackers often abuse the domain name service (DNS) for VDDoS attacks. An attacker will masquerade as their victim (by IP address spoofing), send a relatively small request for something like a zone transfer, and generate a very large DNS response from many openly recursive DNS servers, thus flooding their victims with a deluge of UDP DNS traffic. Much as email administrators faced a global call to action in the 1990s to shut down the open mail relays used for spamming, the widespread use and effect of reflective DDoS attacks has forced a global call to action for DNS administrators to identify and fix misconfigured Internet-accessible DNS servers. Administrators, in turn, strengthened their configurations, disabled recursion, and filtered access to their services. The point is that attackers will keep changing their strategy—while you are reacting to the latest campaign, they are creating their next.

Hanging Tough

Refreshingly, network defense has taken a higher priority in many organizations, and as an industry, we are getting better at stopping attacks as they happen. We have deployed network monitoring—intrusion detection, NetFlow, DNS query logs—that can tell us the hostnames and IP addresses of attackers. We can block IPs and hostnames easily—BGP Blackhole, Response Policy Zone (RPZ), ACL, and SDN. Yet a well-equipped and informed attacker maintains a resilient infrastructure to keep their services online despite blocking attempts.

As you can see, network security and defense is a never-ending arms race, with attackers exploiting anything available and defenders attempting to head them off. As defenses evolve, so must attacks if they are to stay relevant. Incredibly, there are still plenty of relatively ancient worms probing networks worldwide, but the vulnerabilities that made the Microsoft RPC service and others such easy targets are no longer a viable option for a serious attacker. Defenses and controls have adapted, and attackers are forced to try alternative options to succeed in compromising systems. Attackers must not only avoid detection, but also keep their services up and running.

To evade mitigation, attackers have been known to use a popular and effective method called “fast flux DNS.” Fast flux involves associating a single hostname with a multitude of unique IP addresses. Each DNS record then uses a short time to live (TTL) to allow for frequent rotation of attacker IP addresses. The IP addresses are often compromised hosts configured by attackers to proxy command-and-control (C2) traffic to the actual malicious infrastructure to ensure further resiliency. All this self-preservation on the attacker’s part could be for naught if you are able to block traffic by DNS names.

In Figure 3-2, you can see the single hostname on the left has resolved to 15 unique IP addresses belonging to a total of 13 unique autonomous systems (ASN). Typically, even popular hostnames fronted by content delivery systems never have more than a few IP addresses. It’s very unusual—and suspicious—to recognize this pattern.


Figure 3-2. Fast flux diagram
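The pattern in Figure 3-2 can be checked mechanically against your own DNS query logs or a passive DNS feed. The following is an added example written for this edition, not code from the book or from any product it mentions: it groups observed A-record answers by hostname, counts distinct IPs and distinct ASNs, and flags a hostname whose answers spread across many autonomous systems with short TTLs. The record layout, the thresholds, and the sample data (built from documentation address ranges and reserved ASNs) are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer recorded by a passive DNS sensor (constructed format)."""
    hostname: str
    ip: str
    ttl: int
    asn: int  # autonomous system announcing the answered IP


def summarize(observations):
    """Group answers by hostname and compute the fan-out features fast flux exhibits."""
    by_host = defaultdict(list)
    for obs in observations:
        by_host[obs.hostname].append(obs)
    summary = {}
    for host, answers in by_host.items():
        summary[host] = {
            "unique_ips": len({a.ip for a in answers}),
            "unique_asns": len({a.asn for a in answers}),
            "median_ttl": median(a.ttl for a in answers),
        }
    return summary


def is_fast_flux(features, min_ips=10, min_asns=5, max_ttl=600):
    """Flag a hostname whose answers spread over many IPs in many ASNs with short TTLs.

    The thresholds are assumptions for this example, not values from the book.
    A CDN also rotates IPs with short TTLs, but its addresses stay inside one or
    two ASNs; the ASN spread is what separates flux from a CDN here.
    """
    return (
        features["unique_ips"] >= min_ips
        and features["unique_asns"] >= min_asns
        and features["median_ttl"] <= max_ttl
    )


def find_fast_flux(observations, **thresholds):
    """Return the hostnames in a set of observations that look fast-fluxed."""
    return sorted(
        host for host, feats in summarize(observations).items()
        if is_fast_flux(feats, **thresholds)
    )


# Constructed sample: a CDN-fronted site (4 IPs, one ASN, 60 s TTL) next to a
# hostname answered by 15 IPs spread across 13 ASNs at a 300 s TTL, the shape
# of the diagram in Figure 3-2. Addresses and ASNs come from the ranges reserved
# for documentation.
SAMPLE_OBSERVATIONS = [
    DnsObservation("www.cdn-fronted.example", f"198.51.100.{i}", 60, 64496)
    for i in range(1, 5)
] + [
    DnsObservation("update.flux-c2.example", f"203.0.113.{i + 1}", 300, 64500 + (i % 13))
    for i in range(15)
]
# The same answer seen twice must not inflate the counts.
SAMPLE_OBSERVATIONS.append(DnsObservation("update.flux-c2.example", "203.0.113.1", 300, 64500))

if __name__ == "__main__":
    for host, feats in summarize(SAMPLE_OBSERVATIONS).items():
        print(host, feats, "FLUX" if is_fast_flux(feats) else "ok")
```

The ASN count is the discriminating feature. Content delivery networks legitimately answer with rotating addresses and TTLs of a minute or less, so a rule built on TTL alone will page you for every large website; fifteen addresses in thirteen different networks is what ordinary hosting does not produce.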

As defenders got better at blocking the attackers, the attackers simply got better at staying online. Yet another method of DNS trickery involves domain generation algorithms (DGA), which create hundreds of thousands of unpredictable (to the victim) and incomprehensible hostname records:

d3d3aW4uY2lzY28uY29t.co.cc

r8jsf872hasklzY28sfa7.org

dfhdfihasascmfnd.com

rdfhnaiudyaspcm.ru

Attackers will register these domains, sometimes hours before they’re to be used, and stand up their C2 infrastructure on only a subset of hosts. The next day, the domains are taken down, a new set generated, and the process repeated again. The victim would need to determine and block each of the generated domains every day to completely mitigate the malware C2 channel. This is a lofty goal considering malware like Conficker generated 50,000 domains each day! Because this attack method is so much harder to defend against, an attacker can maintain a smaller but more agile infrastructure, changing C2 hosts daily to further avoid detection.
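Because you cannot know tomorrow’s generated names in advance, defenders score the names they do see for the traits the list above shows: long labels, high character entropy, digits mixed into letters, few vowels, and long runs without a vowel. The following is an added example for this edition, not code from the book: it scores the registered label of each queried domain against those five traits and flags anything that shows three or more. The thresholds and the tiny multi-label-suffix set are assumptions for the example (a production version would consult the Public Suffix List); the four generated names are the ones quoted above, and the legitimate domains are included for contrast.

```python
import math

VOWELS = set("aeiou")
# Suffixes with more than one label, so the registered label is picked correctly.
# A real deployment would use the Public Suffix List; this small set is constructed
# for the example.
MULTI_LABEL_SUFFIXES = {"co.cc", "co.uk", "com.au"}


def registered_label(domain):
    """Return the label the attacker actually registered, lowercased."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score higher than words."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((n / len(text)) * math.log2(n / len(text)) for n in counts.values())


def longest_non_vowel_run(text):
    """Pronounceable words alternate vowels and consonants; DGA output does not."""
    longest = run = 0
    for ch in text:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest


def lexical_features(label):
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / len(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / len(label),
        "longest_run": longest_non_vowel_run(label),
    }


def dga_score(domain):
    """Count how many DGA-like traits the registered label shows (0 to 5).

    Thresholds are assumptions chosen for this example, not values from the book.
    """
    f = lexical_features(registered_label(domain))
    return sum([
        f["length"] >= 12,
        f["entropy"] >= 3.2,
        f["digit_ratio"] >= 0.2,
        f["vowel_ratio"] < 0.3,
        f["longest_run"] >= 4,
    ])


def flag_dga(domains, threshold=3):
    """Return the domains whose score reaches the threshold, in input order."""
    return [d for d in domains if dga_score(d) >= threshold]


# The four generated names from the chapter beside well-known legitimate domains.
SAMPLE_QUERIES = [
    "d3d3aW4uY2lzY28uY29t.co.cc",
    "r8jsf872hasklzY28sfa7.org",
    "dfhdfihasascmfnd.com",
    "rdfhnaiudyaspcm.ru",
    "www.cisco.com",
    "mail.google.com",
    "microsoft.com",
    "stackoverflow.com",
]

if __name__ == "__main__":
    for d in SAMPLE_QUERIES:
        print(f"{dga_score(d)}  {d}")
```

Lexical scoring is a triage filter, not a verdict: a long brand name will pick up a point or two (stackoverflow.com scores 2 here on length and entropy), so a hit is a reason to look at the querying host’s other DNS activity, such as a burst of NXDOMAIN answers for names nobody typed, before blocking.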

To remain resilient, attackers try to stay one step ahead of security researchers. If a researcher exposes all the details and components of a malware campaign, analysts and CSIRTs can directly apply any information about infection indicators into their monitoring systems. Therefore, creative malware authors make reverse engineering a slow process using various techniques in the malware itself. Malware authors often encrypt many parts of their code. Cryptographic keys also present challenges to researchers’ attempts at reverse engineering. It’s typical for malware to encrypt C2 communication, particularly the commands and instructions sent from the controller. Attackers don’t want to expose their private keys, their application programming interface (API), or their commands and functions to researchers who can use them to thwart the malicious code, or publish details to those who can. Criminals deploy encryption in other areas as well, like ransomware extortion, where the attackers encrypt a victim’s files with a strong public key, yet retain the private key in an attempt to extort a hefty sum.

In some cases, clever attackers have used online services (besides the venerable IRC) to run their C2 infrastructure. Several malware campaigns have attempted to use customized Twitter feeds to send instructions to their bots. Other attacks have leveraged email services like Gmail or Yahoo!, services that are not typically blocked by most organizations, to control compromised hosts. There are even cases of attackers encoding command strings in files hosted in commonly accessed public sites and code repositories such as code.google.com, blog XML feeds, or even cloud storage sites such as Dropbox. The bad guys try to hijack the popularity and good reputation of these services so that outright blocking is harder for defenders to do. You can’t reasonably block all of Twitter just because one account happens to be a C2. Abusing well-known services and applications can help malware to hide in the deluge of legitimate traffic to those services.

Cash Rules Everything Around Me

There is no doubt the Internet is a noisy place. The noise is the result of automated processes (usually port or vulnerability scanning), systematically executing a set of predefined tasks. Just like with typical street crime, hosts and applications are “cased” to determine what valuables can be stolen or abused, and the best location to break in. In addition to providing a mechanism to download additional payloads, worms scan hosts for specific vulnerabilities to self-propagate to future victims. Spammers constantly scan TCP ports 25 and 587 for misconfigured or abandoned email servers that allow open mail relaying. Researchers, script kiddies, and pentesters probe networks and systems for weaknesses, looking for backdoors and vulnerabilities on any listening service. Minimal Internet searching or basic skills with a tool like NMAP and the NMAP Scripting Engine (NSE) can produce scripts to scan hosts for a myriad of vulnerabilities, including UDP amplification susceptibility, services with default credentials, or improperly configured web servers. DoS attacks have become brain-dead simple with tools like Low Orbit Ion Cannon (LOIC). The skill required to probe, compromise, and attack has reached a commoditized level. Widely focused threats should be considered the cost of accessing the Internet.
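The scanning noise described above is visible in flow data as fan-out: one source touching one port on many hosts (a spammer hunting for open relays on 25 and 587) or many ports on one host. The following is an added example for this edition, not code from the book or from any flow exporter: it parses a constructed one-line flow format, groups records by source, and reports sources whose distinct-destination or distinct-port counts cross a threshold, while a legitimate mail relay with a handful of peers passes untouched. The record format, the thresholds, and the sample traffic (documentation address ranges only) are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed one-line flow format for this example (not a real exporter's output):
# "<timestamp> <src> -> <dst>:<dport> <proto> pkts=<n> bytes=<n>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) pkts=(\d+) bytes=(\d+)$")


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, dport, proto, pkts, nbytes = m.groups()
    return Flow(ts, src, dst, int(dport), proto, int(pkts), int(nbytes))


def detect_scans(flows, host_threshold=20, port_threshold=50):
    """Find sources sweeping one port across many hosts (horizontal) or many
    ports on one host (vertical).

    Thresholds are assumptions for this example; tune them to the network's
    normal fan-out. Returns (src, kind, key, count) tuples.
    """
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dport}
    for f in flows:
        hosts_per_port[(f.src, f.dport)].add(f.dst)
        ports_per_host[(f.src, f.dst)].add(f.dport)

    findings = []
    for (src, dport), dsts in hosts_per_port.items():
        if len(dsts) >= host_threshold:
            findings.append((src, "horizontal", dport, len(dsts)))
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings.append((src, "vertical", dst, len(ports)))
    return sorted(findings, key=str)


SAMPLE_FLOW_LINES = []
# One source probing the mail ports on every host of a /24: single-packet flows.
for i in range(1, 41):
    for port in (25, 587):
        SAMPLE_FLOW_LINES.append(
            f"2015-03-06T17:02:{i % 60:02d}Z 203.0.113.7 -> 198.51.100.{i}:{port} tcp pkts=1 bytes=60"
        )
# A second source walking ports on a single host.
for port in range(1, 121):
    SAMPLE_FLOW_LINES.append(
        f"2015-03-06T17:05:00Z 203.0.113.9 -> 198.51.100.50:{port} tcp pkts=1 bytes=60"
    )
# The organization's own relay delivering mail to three peers: real sessions, few peers.
for i in range(3):
    SAMPLE_FLOW_LINES.append(
        f"2015-03-06T17:06:00Z 198.51.100.5 -> 192.0.2.{10 + i}:25 tcp pkts=42 bytes=18733"
    )

if __name__ == "__main__":
    for finding in detect_scans(parse_flow(line) for line in SAMPLE_FLOW_LINES):
        print(finding)
```

Scans of this kind are the background radiation the chapter describes, so the point of the report is not to alarm on every sweep but to give the playbook a list of sources to correlate: a sweeping address that later completes a session with one of your hosts is the event worth an investigator’s time.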

No matter what protections defenders put in place, attackers will shift to another avenue of attack. However, timing matters for the criminals, and the longer they maintain their infrastructure, the more likely they are to cash in when victims fall prey to their malware. Disrupting malware campaigns early limits the profit potential for the criminals, as it forces them to move to more unique approaches to avoid detection. Yet cybercrime does pay—criminals can make millions of dollars of laundered money and live lavish lifestyles in countries that turn a blind eye to prosecution or extradition. They often operate elaborate enterprises, complete with customer service, technical support, billing, and marketing departments to ensure they can compete with peers in their illicit industry. Like any successful enterprise, the criminal “business” has to adapt to the market conditions to stay profitable. While defenders have banded together to make it harder for these operations, the criminals simply shifted their emphasis to tricking the end user to run their software for them. Rather than waiting for virus-infected removable media to be passed around, attackers moved their malware to the network. Rather than spraying malware attachments in phishing email that will get dropped by corporate filters, attackers shifted to compromising Internet websites and advertising networks with malware downloaders.

The better the security protections, the more innovative and often brazen the attackers have to be. To avoid detection, rather than focus on developing complex malware, why not just steal code-signing certificates from trusted vendors and let your malicious code execute normally without inspection? Instead of cracking SSH password hashes, why not just steal the SSH private keys? Instead of malware downloading files to a system where an antivirus or host intrusion prevention system (HIPS) can inspect them, why not run it all within memory, controlled only by a registry key? If phishing attachments are getting deleted or scrubbed by mail gateways, why not send a link instead?

If attackers want to entice their victims to click a link, they simply need to make it relevant to their interests. Topics like current events, catastrophic storms, political or military conflict, celebrity gossip, easy money, ego stroking, and sex have been used in the past, and will always lure victims into clicking links.

WARNING

In general, humans are ridiculously easy to trick and manipulate. Regardless of the breadth of your technological controls, end users are often the weakest link in your security posture. This is why magic, pickpockets, and lotteries work—people are willing to believe what they want to believe, are susceptible to the power of suggestion, and are not always capable of measuring risk against their hopes and preconceptions. Combine the ease of manipulation with a highly diverse and vulnerable client software ecosystem (operating systems, client applications, web browsers, and browser plug-ins), and the casual attacker’s job becomes easy.

Greed.isGood();

There are many different kinds of digital criminals. Spammers, bot masters, identity thieves, money mules, account harvesters, carders, and other miscreants constantly move data and money around the world in an effort to plunder the millions of vulnerable computers on the planet for their own purposes. Although motives and methods vary, each seeks to profit from your inadequate security (whether opportunistic or targeted), and each requires an infrastructure to ply their trade. To build a capable and scalable infrastructure, a digital criminal needs assets—your assets.

Independent journalist Brian Krebs has written extensively on the subject of cybercrime, criminals, and their targets. One of his most compelling pieces, “The Scrap Value of a Hacked PC,” is a solid rebuttal to the often-heard statements “I don’t have anything valuable on my computer, so I’m not worried about attacks” or “I have nothing to lose or hide.” Most people don’t realize just how profitable a compromised host can be to an attacker.

There are dozens of ways to monetize or otherwise abuse a hacked computer:

§ Co-opting a PC with bot software to attack other organizations or make illicit purchases from your accounts/system.

§ Turning your computer into a file/web server for hosting illicit or illegal content that will get traced back to you.

§ Turning your computer into a proxy server that other attackers can bounce their attacks through.

§ Stealing your credit card information and subsequently maxing the credit limit on stolen purchases.

§ Running a Tor exit node on your computer, which can be used to implicate you in crimes such as child pornography.

§ Stealing your email credentials, harvesting your address book, and spamming them with phishing attacks or other email-based fraud and scams.

§ Using a PC to take part in a DDoS attack.

§ Stealing resources to generate cryptocurrency, solve login CAPTCHAs, and take ad revenue through click fraud.

§ Stealing other account credentials (e.g., Skype, Twitter, Gmail, Netflix, etc.) that can be sold online.

§ Stealing account credentials to siphon money or gift cards from other accounts like iTunes, Amazon, or mobile services.

§ Stealing bank account or other financial login information, and then subsequently transferring money.

§ Identity theft with your information that can be used to open new credit accounts or apply for personal loans.

§ Stealing product keys or serial numbers from software you have purchased.

§ Extortion/coercion/blackmail using any data from your computer:

§ Webcam photos

§ Surreptitiously captured audio from your microphone

§ Saved photos

§ Email

§ Financial records

§ Legal records

Incredibly, this is just a sampling of the many ways your computer can be abused by attackers. There are, of course, other ways to profit from an attack, like stealing valuable information, trade, or military secrets. As attackers become more creative, the ways in which a computer can be used for nefarious (and profitable) purposes will continue to grow.

The resources and location of the compromised host also affect the potential value a specific attacker can extract. A personal PC on a residential network may not be as valuable to a “booter” (somebody who offers DoS attacks as a service) as a host with a fast network connection hosted on a large corporate or research network. However, from handling hundreds of incidents, it’s quite interesting to see that many criminals have no idea of the value of the host they have just compromised.

NOTE

When you consider the attacker’s narrow motivations, it’s easier to understand how they might not realize what they could have had.

For example, we have witnessed servers hosting sensitive and valuable information compromised with routine click fraud malware simply to generate revenue for an attacker’s advertising affiliate network. In most of these cases, the attackers set up a drive-by download attack whereby someone on the victim host (against policy) browses the Web and is inadvertently compromised. Perhaps not surprisingly, bot controllers have so many victims to manage, they don’t realize the value of their victims. In one case, click fraud software was found on a lab domain controller. If the attacker had realized this, they could have stolen login credentials for everyone in the domain, including the administrators. While the value of the domain controller is extremely high, the attacker was exclusively motivated to generate click fraud revenue, and missed a potential opportunity for further pwnage.

Another example incident involved a different open FTP server connected directly to the Internet. In this case, after the server credentials were compromised, attackers abused the site by uploading gigabytes of high-resolution images of state, national, military, and international identification templates like passports, driver’s licenses, military IDs, and other valuable documents. Anyone with these template files could simply add a photograph and adjust the content to match whatever personal information they liked. The attackers took advantage of a vulnerable server, its storage space, its fast Internet connection, and the organization’s trusted IP address space.

I Don’t Want Your Wallet, I Want Your Phone

You can put a password or PIN on your smartphone, but not everyone does that. It’s faster to access data and applications on your phone when it’s not locked, but it also leaves your data (including intimate, private details of your life) wide open to thieves. Before smartphones were pervasive and Internet use for mundane activities was commonplace, criminals had less convenient methods for stealing personal information. Dumpster diving for financial statements, fraudulent telemarketing, stealing documents from homes, offices, and mailboxes, and other low-tech methods proved to be successful, yet not trivial to accomplish. Identity theft is a huge problem for both industry and the consumer. Lives can easily be ruined, personal finances plunged into bankruptcy, and reputations destroyed by losing private data to the wrong people. Today, a criminal needs only a reasonably effective phishing scheme or a stolen password to grab as many personal details as possible. More sophisticated criminals leverage mag stripe readers to siphon off credit and some debit card details that can be reused later. The laziest criminals can simply buy identities from carders on the black market who have already done the “hard” work of stealing, validating, and laundering the stolen info.

Beyond identity theft or impersonation, criminals can use stolen personal information for extortive purposes. One possibility would be a criminal threatening to release private conversations, documents, or images from your computer system(s) to the public or press unless they are paid a ransom. Malware sprayed to any vulnerable system might steal data or computing resources for profit. Numerous malware families have been known to use victim CPU cycles to generate bitcoins or send additional fraudulent emails.

Ultimate motivators for compromise range from crimeware, to financial attacks, to state-sponsored military or political attacks, to “hacktivist” campaigns that seek to disrupt the business of their ideological enemies. Even political sympathizers are motivated to participate in attacks against foreign governments and industries. State-sponsored groups are well funded, well trained, highly organized, and are compelled by a chain of command hierarchy. Criminal enterprises may also be well funded and trained, yet operate more like for-profit businesses. The execution of the attacks used by all groups stems from the same basic techniques, but crimeware groups often have little regard for the content of their victim’s data, unlike a state-sponsored group. Crimeware groups opportunistically use extortion, fraud, and other methods to extract profit from their victims, whereas intelligence-focused, state-sponsored groups fall into the information harvesting or system disruption categories.

Some of these threat actors will be more relevant than others to your specific industry. If you work in the financial sector, you should know all about the various banking Trojans, but you won’t necessarily be concerned with patient medical record privacy. If you work in facilities and power grid services, you may not care about click fraud and adware, but you are most certainly a desirable target for terrorists or state-sponsored groups looking to create havoc in their enemy’s homeland. In any scenario, if you have computers connected to the Internet, or open to accepting removable media, an attacker can and will abuse them for their own purposes, bringing unwanted attention and potential devastation to your network and organization.

There’s No Place Like 127.0.0.1

Risks arising from misconfiguration, operational errors, accidental data disclosures, or basic mistakes can be just as damaging and much more embarrassing than threats from the evildoers. Take, for example, an incident where a simple database patch, applied during a maintenance period, caused major problems with a billing system. This routine operation resulted in customers erroneously receiving confidential billing invoices intended for other customers. Naturally, this created massive confusion and frustration for everyone involved, not least because the invoices contained confidential internal data intended only for the actual customers. As a result, many days were spent performing customer notifications. However, the most significant impact of this incident was the financial reimbursement required for all affected customers. The company ended up losing money, not due to any external threat, but due to its failure to test all its processes after applying a software upgrade.

Even though this incident was not the result of external forces or threats, there was still a motivation at play here that, once understood and addressed, could prevent similar incidents in the future. In this case, and in most cases of misconfiguration or IT problems, the motivation is expediency. IT teams need to patch applications, bring up new services, and decommission old hosts all under tight timelines. Shortcuts such as not fully testing new deployments or applications can lead to problems like the billing mistakes previously mentioned that might be impossible to predict. Therefore, understanding the ramification of possible disclosure issues and having a plan ready for when it happens eases the burden for everyone involved and speeds up the response process.

Let’s Play Global Thermonuclear War

Commoditized attacks differ from committed adversaries in the effort put forth to achieve their goals and the narrowly focused scope of their attack. Incentivized organizations like nation states, penetration testers, militaries, and groups or individuals with a keen interest will methodically reconnoiter your organization, identify and exploit your vulnerabilities, identify possible targets, and achieve a foothold to complete their objective. Detecting these adversaries is far more challenging than detecting the typical malicious Internet noise of port or vulnerability scanning. Committed adversaries have the funding, skills, and desire, and put forth effort to avoid detection.

In 2013, the Mandiant company released its “APT1 report” that detailed how Chinese military–sponsored groups of attackers were tasked with breaking into major U.S. and European companies to steal confidential information and maintain a presence on these networks. The APT1 group (comprised of a few teams with various skill levels) and others like “Comment Crew” operated under military command and launched numerous successful attacks. Notably, Google was compromised by a zero-day vulnerability in Internet Explorer opened by an internal victim. The ostensible purpose of the attack was to insert code into Google’s Gmail services, which could help China keep track of purported dissidents and supposed threats to the Chinese government. Additionally, the attackers targeted Google’s internal software configuration management (SCM) applications. In other words, the attackers wanted to compromise or bug Google’s source code repositories with their own code.

The Google attack, also known as “Operation Aurora,” was a high-profile incident. But there have been countless other state-sponsored attacks that rarely make the media, yet continue to present a threat. In many cases, attackers identify their targets by trolling the Web for contact information they can exploit for phishing schemes. Attackers have been known to search through LinkedIn with fake or stolen profiles looking for email addresses or other contact details, as well as attacking victims by stealing their personal, nonwork accounts. Even conference publications where a victim may have presented or even attended can be scraped for contact information and subsequently abused.

In the Aurora example, the attackers were motivated to spy on what they perceived as possible threats to their national security. Another high-profile case of state-sponsored attacks occurred several years ago at Iranian nuclear enrichment laboratories. The so-called “Stuxnet” malware ran rampant as a worm targeting Windows and mechanical control systems throughout Iranian facilities, causing severe hardware malfunctions that resulted in a complete shutdown. Although the origins are still not completely clear, the United States and Israel have both been implicated as possible creators of the Stuxnet worm. The presumed motivation behind the successful attacks was to disrupt Iran’s nuclear-refinement capabilities.

Another state-sponsored malware attack, likely also perpetrated by the Comment Crew under Chinese military orders, occurred between 2011 and 2012 in Israel. The Israeli Iron Dome missile defense system had been compromised by the attackers, and thousands of documents were exfiltrated out of Israeli networks. As with many of the most successful attacks, it all began with crafted phishing emails to get a foot in the door. Once inside, Comment Crew installed their own toolkits (ensuring a persistent presence), searched for the documents and research they were after, and exported everything out of the network.

Defense Against the Dark Arts

Criminals usually have a singular motive: profit. But state-sponsored attackers are following orders from their superiors and have radically different motives, typically of the political, military, or intelligence persuasion. During the Russia–Ukraine conflict in early 2013, each side accused the other of participating in DDoS attacks. As early as 2007, a large part of Estonia’s Internet presence was under DDoS attack stemming from a different regional conflict. As more critical infrastructure and sensitive networks come online, information warfare attacks will only intensify and become another tool for any capable military power. Crimeware is a major problem, and every organization needs to consider its risk posture against these types of attacks. However, depending on the industry, organizations also need to consider that they may be targets for highly sophisticated attackers pursuing their sensitive information, infrastructure, or relationships with other organizations.

Whether threats come from internal problems, crimeware, or highly motivated attackers, it’s clear that you need to understand the reasons and motivations behind attacks to successfully defend against them. You don’t want to spend all your resources on a fancy castle gate when your enemy can just walk through the back door. You also don’t want to ignore basic system administration best practices to save on time or money when the outcome can be disastrous. Threat actors already know what they want when they launch attacks against your organization, and understanding this provides reasonable detail on where to invest in protections. Even though there have been diversionary incidents where attackers launch DDoS or other noisy attacks against an organization as a cover for more targeted and precise attacks, it’s important to never lose focus on what’s most valuable. Knowing what attacks are possible, along with knowing what you have to protect (and what you have to lose), builds a foundation for your incident response programs.

Without knowing how attacks work, and why they are happening, it’s difficult to develop effective and efficient ways to detect them. Understanding attack types and methods enables you to develop your own methods of incident discovery that can be tracked in your playbook. The core idea of the playbook is to catalog and regularly repeat processes to discover incidents. If you stay cognizant of attackers’ methods and motivations, your overall insight on good security improves and delivers the background details necessary to solve problems.

Chapter Summary

§ To protect your organization, you must understand the threats it faces.

§ If you don’t think you have something to lose, you haven’t thought about it enough.

§ Crime evolves with culture and society. Online crime will increase as more things of value are digitally stored and globally accessible.

§ Malicious activity can come from a number of sources, but the most common source is organized crime, followed by targeted attackers and trusted insiders.

§ Different organizations face different threats; focus your efforts on protecting the high-value assets and make sure you monitor them closely.