Cyberattacks are clearly mushrooming. Lately, even the best-protected financial institutions were the victims of complex hacking operations despite the millions of dollars spent on security solutions and talent. We find that too often security teams believe in myths that prevent them from building effective security programs to defend against complex cyber-attacks.
Myth 1: Security solutions protect from penetration
Fact: Penetration is inevitable.
Hackers often claim that penetration is a “no brainer.” In the fight between attackers and defenders, the attacker’s task is to find or develop a single vulnerability, while the defenders must ensure they protect against any weakness, known or unknown, technological or user-driven. Hackers know that no organization is perfect and that their persistence will eventually pay off. This phase is carried out by a very dedicated penetration team that will only be paid when their attempts are successful.
Suggested approach: While setting up an effective perimeter defense is important, organizations should build their security architecture under the assumption that they will be breached.
Myth 2: Cyberattackers target the most vulnerable organizations
Fact: Attackers choose targets based on goals, not vulnerabilities
While the common belief is that attacks are opportunistic — prioritizing the most vulnerable, unprotected, easy to penetrate organizations — in reality, attackers target even the most protected companies. The attackers set a clear strategy based on their goals for an operation. Their goals may vary whether it is financial reward, getting a hold of private data, damaging a company’s network or reputation, stealing IP and know-how, or a combination of the above. Based on their agenda, the attackers carefully choose the best fitting target.
Interestingly, in some cases, the attacked company is not the attacker’s ultimate target but rather a bridge leading them into another organization. For example, in the Target breach, the initial targeted organization was Target’s HVAC system provider, which ultimately led to the penetration into Target’s system.
Suggested approach: Consider your organization from the hacker’s perspective: What would they look for in your organization? Obtaining personal information and credit card data is an obvious goal, but also think about the business ecosystem connected to you and your customers.
Myth 3: Attackers gather intelligence about IT and security systems of their target
Fact: Attackers gather any available data to help anticipate the defenders’ response
A hacking operation’s success is based on the ability to predict the company’s response to the attack. Therefore, hacking teams spend a long time gathering intel to build a complete picture of their targets beyond the IT systems in place. For example, attackers collect organization charts, employees’ data, salaries, work habits and after-work habits, business connections, business and leisure travel calendars, office locations, vendors and any other information that could be helpful to craft a true, comprehensive view of the company’s day-to-day operations.
To help the attackers anticipate the defender’s response and understand their weaknesses, the attackers focus their efforts on building the profiles of the security personnel, e.g. their personal background, education, compensation, promotion plans, motivations, reporting lines, etc.
Suggested approach: Minimize social media presence, especially of security team members, in order to minimize information exposure. Change work routines and switch vendors if possible to make your organization less predictable.
Myth 4: Attackers rush to get in and leave
Fact: Attackers deploy “low and slow” techniques
While one would expect attackers to move as fast as possible and gain as much information as possible, the actual operation is usually dictated by the attackers’ motivation to go undetected. Therefore, they deploy a “low and slow” approach: performing a limited number of actions every day and avoiding “noisy” activities.
Suggested approach: Deployment of “low and slow” is great news for security, providing a long enough time frame to stop the attackers before the damage is done. Even though most detection systems cannot identify such operations, advanced behavioral solutions can identify otherwise hard to detect, faint evidence from the normal noise and stop these attacks.
Myth 5: Effective response equals fast response
Fact: Attackers perform several decoy operations aimed to distract response teams
Most security teams have a strong incentive to close an incident as soon as it is detected as they are measured by the amount of time it takes them to close a case. This leads to rushed decision-making and often a fake sense of success.
While we all agree that detection and response should be fast, security teams must face a more complex reality. In most cases, attackers prepare at least one decoy operation to mask the “real” operation, whether it’s flooding you with malware or DDoS attacks. A separate hacking team usually conducts the decoy attack(s) aimed to desensitize the defenders and distract their attention while providing them with a sense of achievement for detecting and closing an incident. This is while the “real” operation goes undetected.
Suggested approach: Always plan to be deceived. What seems to be a contained attack may be a decoy operation that was created to distract security teams from the main event. When closing incident tickets, always have a doubt, and make sure that the incident is indeed fully contained and remediated.