Businesses have the home field advantage over attackers

Sam Linford, regional director at Carbon Black.

Attackers are fast and sophisticated and, according to the latest Carbon Black Threat Report, half of all incident response engagements now involve instances of counter incident response.

Five stages of a hack

1. Reconnaissance - this is the primary phase, where the hacker tries to collect as much information as possible about the target. It includes identifying the target and finding out the target's IP address range, network, DNS records, and suchlike.

2. Scanning - involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may employ during the scanning phase include diallers, port scanners, network mappers, sweepers, and vulnerability scanners. Hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts.

3. Gaining access - after scanning, the hacker designs a blueprint of the target's network with the help of the data collected during the first two phases. This is the phase where the real hacking takes place. Vulnerabilities discovered during the reconnaissance and scanning phases are now exploited to gain access. The method of connection the hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local access to a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of service (DoS), and session hijacking.

4. Maintaining access - once a hacker has gained access, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system against other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.

5. Covering tracks - once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include steganography, the use of tunnelling protocols, and altering log files.

So how do you defend yourself against cyber criminals? Sam Linford, regional director at Carbon Black in the UK, speaking at the recent ITWeb Security Summit 2019, said the key is picking the right tools to defend yourself within your own environment. “It’s about creating a security ecosystem and not relying on just standalone tools.”

Home field advantage

“We have the home field advantage which I think many fail to act upon. We should know our assets better than our adversary,” says Linford. “Key here is doing the basics well, as it’s critical in building and maintaining our home field advantage.”

He cites a number of techniques which can be used in preventing cyber attacks, namely good cyber hygiene, patching, application control, firewalls and two-factor authentication for logins.

“Layering your controls can prevent many an attack,” adds Linford, “but having said that some attackers will figure out where your vulnerable areas are and then you need to be agile enough to counter them.”

Detect what you can’t prevent

“You will never stop 100% of all threats, however you can set yourself up to have the visibility and data needed to detect what is missed by your stack,” says Linford.

“At the same time, also plan for your stack to fail in preventing an attack. You do this by switching your mind-set to that of an attacker already being in your environment. How differently would you build your home field defences if you knew they were inside your system?”

He says some modern attackers know how to live off the land and evade prevention and detection capabilities. “So by changing your mind-set you need to be able to disrupt the attackers before they take off with your data.”

Disrupt early in the kill chain

“Most technologies begin at the end of the chain, and there are so many other steps that attackers have to go through to get there. So why can’t we drive visibility up the kill chain to see and disrupt the attackers sooner? We must deploy technologies with the right visibility into each one of these areas to see the signs of attack sooner,” he says.
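The stage list above names port scanners at the scanning stage and altered log files at the covering-tracks stage, and this section argues for visibility earlier in the chain. The following is an added example, not code from the article or from Carbon Black, showing the two defender-side checks that follow from those points: a port-sweep detector run over constructed firewall log lines (the `src=/dst=/dport=/action=` format and the IP addresses are assumptions for the demo), and a hash chain written alongside each log line so that a deleted or edited entry is caught when the log is verified later. Thresholds (`window`, `min_ports`) and the chaining key are likewise placeholders a deployment would tune and protect.

```python
import hmac
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not from the article). One source probes eleven
# ports on one host within a few seconds; a second source just uses HTTPS.
FIREWALL_LOG = """\
2019-05-28T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 action=deny
2019-05-28T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=23 action=deny
2019-05-28T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=80 action=allow
2019-05-28T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=443 action=allow
2019-05-28T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=445 action=deny
2019-05-28T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=3389 action=deny
2019-05-28T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=8080 action=deny
2019-05-28T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=5900 action=deny
2019-05-28T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=21 action=deny
2019-05-28T10:00:06 src=203.0.113.7 dst=192.0.2.10 dport=25 action=deny
2019-05-28T10:00:07 src=203.0.113.7 dst=192.0.2.10 dport=110 action=deny
2019-05-28T10:01:00 src=198.51.100.5 dst=192.0.2.10 dport=443 action=allow
2019-05-28T10:05:00 src=198.51.100.5 dst=192.0.2.10 dport=443 action=allow
"""

# Assumed log line layout for this demo; real firewalls use their own formats.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def parse_firewall_log(text):
    """Turn raw log text into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not break the whole detector
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_port_sweeps(events, window=timedelta(seconds=60), min_ports=10):
    """Scanning-stage signal: one source touching many distinct ports on one
    host inside a sliding time window. Denied and allowed hits both count,
    since a probe that reaches an open port is still part of the sweep."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        per_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in per_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append({"stage": "scanning", "src": src, "dst": dst,
                               "distinct_ports": len(ports)})
                break  # one alert per source/destination pair is enough
    return alerts


# Placeholder key for the demo; in practice this lives with the log collector,
# not on the host whose logs are being protected.
CHAIN_KEY = b"constructed-demo-key"


def chain_log(lines, key=CHAIN_KEY):
    """Append an HMAC over (previous digest + line) to every line as it is
    written. Each entry then commits to everything written before it."""
    prev = b""
    out = []
    for line in lines:
        digest = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        out.append(f"{line} chain={digest}")
        prev = digest.encode()
    return out


def verify_chain(chained_lines, key=CHAIN_KEY):
    """Covering-tracks check: return the index of the first entry whose chain
    value does not verify (an edited, deleted or reordered line), or -1 if the
    log is intact."""
    prev = b""
    for i, entry in enumerate(chained_lines):
        line, sep, digest = entry.rpartition(" chain=")
        if not sep:
            return i  # entry has lost its chain value entirely
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(digest, expected):
            return i
        prev = digest.encode()
    return -1


if __name__ == "__main__":
    for alert in detect_port_sweeps(parse_firewall_log(FIREWALL_LOG)):
        print(alert)
    chained = chain_log(FIREWALL_LOG.splitlines())
    print("intact log verifies at index", verify_chain(chained))
    print("log with line 3 removed fails at index", verify_chain(chained[:3] + chained[4:]))
```

The sweep detector answers the "see the signs of attack sooner" point: it fires on the scanning stage, before any exploit is attempted, using only connection metadata the firewall already records. The chain check addresses the last stage: if the chain values are shipped to a collector the attacker cannot reach, deleting or rewriting a line on the host is visible the next time the log is verified, even though the attacker had full control of the file.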

In addition, he says to remember to make it difficult for attackers, frustrating them at every possible turn, to make them work harder at breaking in. “If it’s too painful most of them will move on.”

Being one step ahead is enough

“You only need to be one step ahead of the attackers, so be prepared,” adds Linford. “Do you have backups, and have you tested your restored files to ensure they operate efficiently? This is solely in our realm of control. An attacker only has to be successful once, but the defender has to stop 100% of these attacks all of the time.”


Rather than buying off the shelf products, a more strategic view would be to look at each point along the kill chain and align technologies to disrupt at each and every stage rather than trying to simply rely on prevention models that prove not to work in reality, he concludes.