
Understanding the attacker's 'kill chain'

Any enterprise can become a victim of attack at any time, for any reason, and without being necessarily targeted, says NSS Labs.

By Admire Moyo, ITWeb's news editor.
Johannesburg, 08 May 2013

In a world where almost everyone has access to and can afford the latest weapon system technology, it is of paramount importance to first look at the changing threat environment, then examine the attacker's 'kill chain'.

So said Francisco Artes, research director at NSS Labs, in a keynote address during the ITWeb Security Summit, in Johannesburg, yesterday.

According to Artes, before the digital age, only nation states could afford to develop, buy and operate sophisticated weapons.

He noted that the threat environment has changed: attackers were first 'script kiddies', then 'hobbyist hackers', and have now turned into experts. Even the motivation behind the attacks has changed, he added, as attackers have moved from curiosity and personal fame to personal gain.

"In recent years, and motivated by profits, experts created an array of advanced commercial off-the-shelf malware tools to automate their jobs," said Artes. "This evolution, paired with stiff competition within the cyber crime industry, has resulted in the general availability of sophisticated malware at low prices."

For example, he said, malware is offered for $249, with a service level agreement and replacement warranty if the creation is detected by any anti-virus within nine months.

He also pointed out that the availability of such malware tools results in a high degree of attack automation, from systematic identification of targets to fully automated exploitation, and leads to an increase in opportunistic attacks, as the attacker no longer needs expertise or special skills.

Thus, he noted, any enterprise can become a victim of attack at any time, for any reason, and without being necessarily targeted.

To successfully compromise a target, Artes explained, an attacker first prepares attack tools or methods, deploys detection evasion techniques, and exploits the target before extracting value. The defender, on the other hand, first tries to prevent the attack and, if prevention fails, to detect the breach.

To successfully penetrate a typical perimeter, Artes said, an attacker must bypass several layers of defensive mechanisms, such as network firewalls, intrusion prevention systems, endpoint protection (anti-virus) and Web protection systems.

Nonetheless, he said, implementing multiple layers of defence technologies can be a complex process, with many factors affecting the overall security effectiveness of the system.

Therefore, understanding the capability and motivation of the enemy is a crucial step in planning and executing any kind of defence, he concluded.
