Cb Connect 2018 | Power of You | Register Now


Patterns of Attack: Shifting the Economic Balance of Cyber Attacks

May 17, 2016 / Ben Johnson

Stop me if you’ve heard any of these before.  Actually, stop me if you haven’t heard these before.

“There’s not enough talent in cyber security right now.”

“There’s been no slowdown in security breaches in (insert vertical).”

hacker“We’re losing the cyber war.”

A harsh reality for those of us working in information security is that the businesses we’ve been asked protect are battling businesses that are built to attack. That is to say we are rarely, if ever, up against the lone-wolf attacker wearing a hoodie in the basement. We are battling crime syndicates, nation states and cyber thieves whose main concern is simple: earn money. According to a 2016 Ponemon Survey, more than half of attackers are motivated exclusively by economics.

To an attacker, staying “in business” means a few things:

  • Being opportunistic in selecting targets – making money means going after the softest targets first without wasting time on attacks that will not quickly result in information that can be monetized. Attackers will almost always select the path of least resistance when it comes to launching attacks. During the reconnaissance phase of the cyber kill chain, attackers are asking a simple question: “How hard is it going to be for me to monetize this victim?”  
  • Optimizing “attack” time – the more time an attacker spends without success on a target is less time that he/she can be hitting softer targets. According to the Ponemon survey, even a technically proficient attacker will quit an attack and move to another target after about a week without success. An attacker will attempt to exploit the “tried and true” vulnerabilities and use successful attack methods from the past, the TTPs (Tactics, Techniques and Procedures) in their toolbox, before inventing new ones.
  • “Good guy” businesses will continue to act in isolation – According to the Ponemon survey, the number one factor in deterring an attack is if an organization shares threat intelligence with its peers. That’s because sharing the right kind of threat intelligence means an attacker can’t simply use the same attack vector over and over again. He must reinvent his tactics each and every time. That can be VERY expensive.  

The bottom line is that our goal in playing defense is not necessarily to become the hero and dramatically unmask major crime syndicates, like a foiled Scooby Doo plot. Our goal is to simply make the cost of conducting a cyber attack more expensive – so much so that an attacker views attacking our organization as a bad return on investment.  

Shifting the Economic Balance of Cyber Attacks

Last week, we talked about how Patterns of Attack (POAs) are exponentially more revealing than individual Indicators of Compromise (IOCs) and how understanding the root cause of an attack can help a security team close an original infection vector within minutes. After all, indicators offer hope, patterns deliver confidence.

For attackers, finding a “unique” vulnerability (and effectively exploiting that root cause) can take months of research costing more than $1 million. It is no surprise, then, that attackers will use and reuse the same Pattern of Attack for months (if not years) on target after target after target until it is successful. According to the Verizon DBIR, the most exploited vulnerabilities are more than a year old! It’s all about the economics.

POA11Patterns don’t usually have to be complicated, either. For example:

  • Outlook runs Word, which runs PowerShell
  • Notepad has a child process or makes a connection to the Internet
  • Svchost is executed by a non-system user account
  • Internet Explorer runs Java, which then runs a command shell

For an attacker, changing an IOC is as simple as a physical-world criminal changing his shirt, or wearing a wig. It’s a very simple, economic-friendly task. While investigators are out looking for the man with the blue shirt and short blonde hair, that same criminal is committing the same exact crime wearing a red shirt and a shoulder-length black wig. That’s why cyber defense has often been referred to as a game of cat-and-mouse, or really, an arms race. “Shirts” (IOCs) can be easily changed. Too often, we are trying to “detect” an outdated shirt. Changing IOCs is cheap and simple.

But what if we didn’t care so much about shirt color or hair length and instead focused on the way that same criminal walked or something truly inherent to their natural behavior while attempting an attack. Those “patterns” are a whole lot more expensive to change.

In the cyber world, it’s incredibly easy to spin up a new server, register a new domain, or re-compile a payload to change its hash. But it’s very hard (read: expensive) to change how you go about fooling the user with the spear phishing attack, how you download second and third stage payloads, how you persist, and how you traverse the network. This is why “Patterns of Attack” are so valuable The same techniques are used with different servers, different applications for exfiltrating  data, etc. The overall “story” stays the same.


As we consider how patterns play into Collective Defense and uniting the cyber security community, think about how hard it would be for an attacker to change their tactics or techniques if we shared their inherent behaviors with every store or bank in the world that they would consider robbing. That network effect would make it exponentially more difficult (and expensive) for the attacker to attempt making even the slightest change before being caught almost immediately. There are only so many entry vectors into an environment, and then only so many ways to traverse the environment to the crown jewels. The more we look for these, the better off we are.

Traditional security companies and their products tend to look at singular events only – the “IOCs” with no link to understand the cause-and-effect relationships among the events, and complete blindness to migration patterns. In connectedfact, largely due to how the security industry has approached intelligence, the security community (those in the trenches fighting the fight) have often accepted IOCs as the default currency for threat discovery.

In identifying an attacker’s “Patterns of Attack,” Carbon Black offers a significantly improved detection rate and, more importantly, the root cause of the attack. This level of insight prevents an attacker from using the same entry mechanism twice. And, when we share that pattern with our entire community, every single one of us becomes stronger and better protected as a result.

In the book, “Good to Great,” Jim Collins says, “People are not your most important asset. The right people are.” Threat intelligence is the same. It’s not about sharing. It’s about sharing the right information. This is how we shift the economic balance of cyber attacks.

So what is the right kind of threat intelligence? Tune in next week to find out!


What is “Collective Defense?” Click here to learn more. 

TAGS: Ben Johnson / Carbon Black / IOCs / Patterns of Attack