Hackers gonna hack. That's what they do.
But that does not mean they charge in heedless of the defenses arrayed against them. Sometimes attackers will see something in a target that forces them to stop and think before proceeding, if they proceed at all.
So, what gives an attacker pause?
The answer falls into three distinct buckets:
The possibility of being detected.
An experienced and knowledgeable team of defenders.
A simple and hygienic system architecture.
Over the next weeks we will show you how to give attackers pause, breaking down these concepts in-depth.
Detection: Intrusion and Response
Sophisticated and nation-state level attackers are patient. They will sit outside your network for weeks and months, scanning and fingerprinting your perimeter while waiting for a nice target to pop up. Sometimes that target is non-intuitive. The attacker takes one step which leads to another which leads to another. These initial steps of a hack can be fragile. The last thing the attacker wants is to be detected and kicked off the network.
Once the security team is alerted to a malicious presence, they go into hyper-vigilance mode and watch for any unusual activity or packets on the network.
In a survey of 127 hackers by Nuix at DefCon 2018, 32% said that some form of detection was, “the greatest challenge during a penetration test.” That includes 14% who cited endpoint detection and response (EDR like CarbonBlack or FireEye) and 18% who said intrusion detection and prevention systems.
Eric “McGyver” McIntyre, director of research and development at Randori, pays special attention to detection when executing an attack.
“The biggest thing that makes me hesitate before I launch an attack is what are going to be the consequences of doing this and what is the likelihood that this is going to kick me out. There are many stages and endpoints during the attack when the environment is pretty fragile. It is not until we have our teeth sunk in that we have multi-layers of persistence and it is really hard to evict us.”
Defenders Who Know What They Are Doing
Evan “Syn” Anderson, director of red team operations at Randori, is going to think twice about hacking a company that has suffered a recent breach. That means they have gone through the full audit and have a much greater level of understanding about what happened and how to combat it.
It’s not about the latest expensive security tools; it is about who is using them.
“Antivirus and all these tools are great if you know how to use them. I like to say that experience is the best defense,” said Syn. “You need your people to know how to use this stuff in your environment and what it looks like when things are compromised.”
Attackers will look to see if a target has a dedicated security operations staff who are trained on the tools that give intruders fits. If a company has a clear Security Operations Center (SOC) which practices defense-in-depth and has a clear understanding of success, that makes the attackers’ jobs all the more difficult.
Sometimes an attacker will know the experience and capabilities of the adversary going into a hack. You don’t attempt to breach something like DARPA without knowing there is a dedicated adversary on the other end. Other times, the attacker can find clues to the dedication and experience of the defenders along the way.
“In a typical attack, I probably won't learn enough to know if the defenders are experienced or good,” said David “Moose” Wolpoff, cofounder of Randori, “but you get a kind of vibe based on lots of little factors.”
Once an attacker gets that vibe, they may think twice about what they are doing.
A Simple, Hardened and Hygienic Defense
Attackers love modern organizations. They often have a lot of surface area mixed with lackadaisical or misguided security procedures.
“Complexity is bad. Simplicity is good,” said Moose, summing up the difference between system architectures that are hard or easier to attack. “The thing I love about modern corporations is that there is no person in modern corporations that knows what normal is supposed to look like in terms of network traffic or computer configuration. The systems are so complicated that it gives me a lot of space that I can play in.”
In the Nuix survey of attackers, 34% said that a hardened system poses the biggest challenge for penetration testers. As it turns out, one of the best ways to make an attacker pause is to reduce the vulnerable surface area. This could include applying the latest security patches in a timely manner, closing open ports that do not need to face the outside world, encrypting everything reasonable, and employing sensible tools such as endpoint security, firewalls in the right places and proper antivirus software.
Signs of a simple and hygienic system architecture go hand-in-hand with the other factors which make attackers pause.
“If I see a really small surface area, I'm more inclined to assume at the outset that they're paying attention,” said Moose. The attacker not only finds a network more difficult to penetrate, but also gets an idea of the defenders’ capabilities at the same time.
To understand and hinder attackers, you have to know what makes them pause and think before starting an attack: what gives them trouble, even if they are confident they will ultimately succeed.