The news covers a major breach seemingly daily. What quickly becomes apparent from these breaches is that attackers are more likely to draw upon a common arsenal of attacks than to create a new zero day.
In fact, while the victims and the damage vary widely, at the core of these attacks are many identical, tried-and-true tools and techniques. Malware developers, just like software developers, reuse pieces of code. There are several reasons why:
- Quicker time to market - Reusing malware allows attackers to work on other parts of the attack without wasting time developing new zero days.
- Better efficiency - Reusing malware that has been tested and has been verified to “function correctly” means better efficiency and less “testing” on the part of the attacker.
- Inexpensive and readily available - Why reinvent the wheel if malware is available at very little cost?
Shadow Brokers, the mysterious hacking group that claimed to have breached the operations of the NSA Equation Group, offered a plethora of stolen NSA tools. One of them, a Windows vulnerability code named EternalBlue, resulted in a massive worldwide ransomware infection called WannaCry. A month after that, another wave of ransomware infections used a modified version of EternalBlue and another SMB exploit called EternalRomance to infect systems.
The financial community has also been beset with attackers that reuse malware. The father of all financial malware is probably Zeus. Dating back to its original creation in 2007, every year, attackers continue to spawn new variants. In 2013, the Zeus code was used to construct Citadel malware, known for its cunning ability to steal personal, banking and financial information. Dyre in 2014 was used by cybercriminals for corporate espionage instead of harvesting banking credentials, while the Neutrino exploit was created in 2015 to collect credit card information from point-of-sale systems.
Now that we feel we understand attacker techniques, what do we do to shore up defenses? Where do we start? How do we take adversarial intelligence and apply it across organizational defenses?
One way is by (loosely) applying the principles of game theory. If you’ve watched the Academy Award-winning movie “A Beautiful Mind,” you might be familiar with the concept of game theory. Defined by John Nash when he was a graduate student at Princeton University, it deals with problems where multiple players with contradictory objectives compete with each other. There’s a lot more to game theory than we could elaborate in this article -- but some of its principles are important to consider for cybersecurity. Game theory is about understanding the players in the “game” (in our case, defenders and attackers), their goals, what they can achieve, and the impact of their actions.
We often spend so much time thinking about security products and policies that we miss the big picture of our objective -- to stop the attacker. Applying game theory principles to cybersecurity, we should focus on understanding attacker techniques, what attackers can achieve with these techniques, and the impact of these techniques in our environment. There are various ways to do this -- some of which you are probably executing today, and others that you may just be considering:
- “Purple team” drills: Security red teams were initially created in sophisticated, mature security organizations in order to identify breach scenarios. Organizations have begun to realize that using these elite teams merely to trigger controls and procedures within an environment (essentially making the blue team look bad) wasn’t a good thing. In recent years, “purple” teams have been formed by combining red and blue teams to create a more realistic picture of security readiness -- i.e., the red team works closely with the blue team to make defenses stronger.
- Breach and attack simulation: This emerging technology is gaining in popularity as a safe way for security teams to simulate the adversary, better understand organizational exposure, and improve defenses. The primary difference (versus validation by the specialized ethical hackers or red teams above) is that it takes advantage of automation to execute a complete suite of attacker techniques (including variants) to persistently and continuously validate controls, just as attackers do. Automation enables this to be done efficiently. More importantly, simulations are safe because simulators only “attack” each other, yet they can still challenge security controls and quantify how well defenses are doing.
- Table-top incident preparedness: Finally, table-top exercises are discussion-based sessions where security team members and additional parties meet in an informal setting to discuss their roles and appropriate responses to a cyber-emergency situation. This is critical to ensure organizational stakeholders like legal and communications teams are aligned with security teams, and know what to expect.
Ultimately, the goal is that instead of focusing only on zero days, we develop a new mindset guided by game theory to better understand both the attacker and defender perspectives. From automated breach and attack simulation and red/blue team drills to table-top incident preparedness exercises, playing the right war games will help us implement smarter defenses and stay a step ahead of attackers.