Modern Cyberattacks: Tradecraft on Your Network

BrandPost By Wesley McGrew
Jul 27, 2017

Cyberattacks don’t always trip the sensors, alerts, and traffic thresholds that network security staff set. In reality, your most dangerous cyberattackers are likely to be operating under your radar.

At the Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium last year, DISA Director LTG Alan R. Lynn described a shift in attackers’ operations. Lynn stated that it’s become “snatch and grab” rather than following traditional intelligence techniques of using good tradecraft (the set of an attacker’s operational techniques and tools) to compromise, monitor, and accomplish the mission while avoiding detection.

In essence, while an attacker might have evaded detection in the past by operating in a way that avoids triggering network security sensors, a modern attacker is more likely to throw caution to the wind and hope to accomplish their mission quickly and decisively before your IT staff has a chance to react.

While I can see the tactical benefits of each (and we make use of both sets of tactics on our penetration tests), I would hesitate to say that the game has changed. Attackers vary in sophistication, motivation, and targeting. An attacker that is targeting a large number of companies for direct profit, using a common attack technique, is more likely to choose the path of “snatch and grab”.

The truly dangerous attackers, however, are the ones that have specifically targeted you, with the goal of stealing your data or disrupting your operations. They will dedicate the resources and time needed to do so, and will not throw that mission away with quick, easily detected action. Time is on their side, and they will patiently take advantage of it.

When your organization becomes the target, the attackers are likely to realize the benefits of not showing their cards too soon. Knowing that breaches, on average, go undetected for months (if they are detected at all), the attacker has time to make the most of their access and will not invite trouble by operating quickly or loudly. More likely, they will operate at the pace of your business. By watching you through your workstations, email, scanned documents, voice-over-IP phones, and other communications, they can accomplish their goals without ever touching your more closely watched systems.

Lynn also said that “they’re going after senior leaders at their offices and at home”, leading up to the point that “it’s a different world”. This brings the message back around to a very real and uncomfortable truth I’ve been putting in front of IT leaders for some time: your attackers will take advantage of you or your employees in truly detestable and unfair ways.

When performing our penetration tests, our ethical standards and legal boundaries prevent us from blackmailing staff to gain access or from entrapping them into a course of action we define. A malicious attacker has no such limitation and will manipulate and attack your associates and their families directly, in their homes, outside the scope of your company. At that point, an otherwise trustworthy employee becomes, unwillingly but silently, the “compromised node”. With the rest of the attack launched through access gained in this way, the attacker’s mission of stealing intellectual property, disrupting operations, or publicly leaking embarrassing information becomes much easier. This is the critical conversation we have with clients when describing the significance and importance of internal penetration tests: we know that malicious attackers will gain access to your network, so we must quickly identify, respond to, mitigate, and remediate cybersecurity threats and incidents.

A common misconception is that a cyberattack will “light up” the sensors, alerts, and level of traffic that network security staff spends so much time observing. In reality, your most dangerous cyberattackers are likely to be operating under your radar. Does your organization have the resources, capability, and mandate to identify advanced attackers operating on their own terms and timeline?
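The point above, that a patient attacker never trips the volume-based alerts staff spend their time watching, is easier to see with a check that keys on timing rather than on how much traffic flows. The script below is an added example and is not code from the original article or from its author’s firm. The proxy log lines, client addresses and domains are constructed for the demo, and the coefficient-of-variation threshold (`max_cv`) is an assumed starting value that would need tuning against a real baseline.

```python
"""Added example: a low-and-slow beacon that a byte-volume threshold misses
but a timing-regularity check catches. Log format, hosts and domains are
constructed; this is illustrative logic, not a vendor's detection product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed proxy log: timestamp client method url status bytes
# 10.0.1.24 -> updates.example-cdn.net: one tiny GET roughly every 10 minutes
# 10.0.1.31 -> news.example.org: bursty human browsing, far more bytes
SAMPLE_LOG = """\
2017-07-27T09:00:03 10.0.1.24 GET http://updates.example-cdn.net/check 200 412
2017-07-27T09:02:10 10.0.1.31 GET http://news.example.org/ 200 48210
2017-07-27T09:02:14 10.0.1.31 GET http://news.example.org/world 200 12044
2017-07-27T09:02:31 10.0.1.31 GET http://news.example.org/tech 200 3310
2017-07-27T09:10:11 10.0.1.24 GET http://updates.example-cdn.net/check 200 398
2017-07-27T09:15:40 10.0.1.31 GET http://news.example.org/video 200 91002
2017-07-27T09:19:58 10.0.1.24 GET http://updates.example-cdn.net/check 200 405
2017-07-27T09:30:07 10.0.1.24 GET http://updates.example-cdn.net/check 200 411
2017-07-27T09:40:02 10.0.1.24 GET http://updates.example-cdn.net/check 200 399
2017-07-27T09:41:02 10.0.1.31 GET http://news.example.org/business 200 25500
2017-07-27T09:41:05 10.0.1.31 GET http://news.example.org/css/site.css 200 1200
2017-07-27T09:49:55 10.0.1.24 GET http://updates.example-cdn.net/check 200 420
2017-07-27T09:58:20 10.0.1.31 GET http://news.example.org/science 200 67333
2017-07-27T10:00:09 10.0.1.24 GET http://updates.example-cdn.net/check 200 407
2017-07-27T10:03:44 10.0.1.31 GET http://news.example.org/sports 200 18880
2017-07-27T10:03:50 10.0.1.31 GET http://news.example.org/js/app.js 200 2210
2017-07-27T10:10:04 10.0.1.24 GET http://updates.example-cdn.net/check 200 402
"""


def parse_log(text):
    """Return a list of (timestamp, client, host, bytes); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts = datetime.fromisoformat(parts[0])
        host = parts[3].split("/")[2]          # http://host/path -> host
        events.append((ts, parts[1], host, int(parts[5])))
    return events


def group_by_pair(events):
    """Bucket (timestamp, bytes) by (client, destination host)."""
    pairs = defaultdict(list)
    for ts, client, host, size in events:
        pairs[(client, host)].append((ts, size))
    return pairs


def volume_alerts(events, threshold_bytes=100_000):
    """The classic check: flag pairs whose total bytes exceed a threshold.
    The beacon never gets near it; the noisy human browser does."""
    return {pair for pair, hits in group_by_pair(events).items()
            if sum(size for _, size in hits) > threshold_bytes}


def beacon_candidates(events, min_events=6, max_cv=0.1):
    """Flag pairs whose inter-request gaps are suspiciously regular.
    Returns {pair: (mean_gap_seconds, coefficient_of_variation)}.
    max_cv is an assumed tuning knob, not an established constant."""
    found = {}
    for pair, hits in group_by_pair(events).items():
        if len(hits) < min_events:
            continue
        times = sorted(ts for ts, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = stdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            found[pair] = (m, cv)
    return found


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("volume alerts:", volume_alerts(ev))
    print("beacon candidates:", beacon_candidates(ev))
```

On the constructed data the volume check flags only the browsing session, while the timing check flags only the ten-minute beacon, which is the kind of traffic the article says operates under the radar. Two caveats for real use: implants commonly add deliberate jitter to their sleep interval, so the regularity threshold has to be loosened or replaced with a better statistic, and legitimate software (update checks, telemetry) polls on a schedule too, so candidates need to be baselined against what your fleet normally does before anyone is paged.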