How to Understand Your Attacker’s Mindset

See Threat Stack in Action

Threat Stack secures your cloud infrastructure workloads. See how.

Book Your DemoDemo

In this post we’ll try to develop an understanding of a typical attacker’s mindset and then show you how companies like yours can use this knowledge to enhance their security posture. Before we dive in, however, let’s ask a basic question: What is a cyber attacker?

A cyber attacker can be any entity — an individual, a group of individuals, a company, etc. — that tries to harm another entity via their cyber infrastructure. Attackers are often portrayed as ruthless entities that go to great lengths and use elaborate resources to attack state-of-the-art company defenses. Defending companies and individuals frequently view these entities as advanced attackers that challenge themselves by trying to break through fortified security controls by attacking them head on. That may be true in a few cases, but most attackers — especially the most seasoned (i.e., the smartest and most successful) — will try to find the path of least resistance and will also try to use the smallest number of resources when attacking. In other words, they use brains rather than brute force to achieve the biggest gain with the least effort. Let’s explore this in more detail below.

How Does An Attacker Think?

To better understand this, consider the following scenario. Suppose an attacker wants to gain access to a company server. Any attacker would prefer to leverage human error or weaknesses instead of trying to SSH brute force a server that may use public key infrastructure for authentication. For example, they could try to gain control over a system that a developer uses when working remotely from his home. Let’s assume that the developer may, when working from home, not be using a VPN and is using WEP. Since the attacker can choose between attacking the company network head on (even though it uses a well-developed defense-in-depth architecture) or attacking the user’s much weaker (or non-existent) home defenses, any logical person (read “smart attacker”) would choose the latter. Put plainly, the attacker is going to identify avenues of attack that reduce the cost and effort required, but still yield up the prize. In this case, that means ultimately gaining ownership of a server or infiltrating a company’s infrastructure.

A sophisticated attacker will not waste a zero day exploit, if they have one, if they can accomplish their goal using an existing exploit for a service (say telnet) that has already been accidentally, or intentionally, exposed to the public. A sophisticated attacker will only choose avenues that he knows he can exploit successfully. [1]

The majority of successful attacks leverage known vulnerabilities such as misconfigurations, human error, etc., or use social engineering. In light of this, it’s easy to understand why it’s important for defenders to implement battle tested and appropriate security controls, like firewalls and Access Control Lists, to achieve traditional levels of security. Any attacker would prefer to exploit a company’s weak points — whether they be technical and non-technical (and this includes using social engineering tactics) — rather than attack head on.

By identifying and implementing controls targeted at more routine threats and vulnerabilities like misconfigurations and social engineering, we, as defenders, can reduce the risk of attack drastically. To help with this, visualize the sophistication of attackers as a pyramid where the base consists of script kiddies and the apex consists of elite attackers who have access to Zero day exploits (whether they use them or not). Attackers at the base level rely heavily on misconfigurations and small flaws that can go unnoticed in large companies. As we go up the pyramid, the number of attackers decreases, but their resources, skills, and potency increase. But remember: Even though these attackers have more resources, they will usually try to exploit the base flaws first — just like the base-level attackers in the pyramid. As defenders, if we reduce the vulnerabilities available to these attackers, we can thereby exponentially reduce the number of possible attackers (in terms of sophistication) as well as the probability of exploit.

What Attackers Use For Success

Now that we have an understanding of the basic workings of an attacker’s mindset, let’s discuss a few areas that make it possible for attackers to be successful. These areas are often overlooked by companies because they lack resources or knowledge, but what they fail to realize is that these constitute the multitude of small things that are used extensively in the wild and by all classes of attackers. You can remember these areas by using the acronym SNO: Sophistication, Noise, and Oversight.

Sophistication

The sophistication or security maturity of a company is defined in terms of the defenses that company applies. These mainly include security defaults that companies apply in their infrastructure and include firewalls, Intrusion Detection Systems, segmentation, and antiviruses, to name a few. Although these controls have the potential to be effective for a company, they may fall short in terms of how they are configured or managed. An IDS, for example, is effective for detecting anomalous activities that users are performing on a system. But if the system has default unnamed users, like ubuntu, root, ec2-user, centos, etc., and if multiple employees use the system, then it’s difficult or impossible to trace a specific user’s activities — and this, in turn, causes an attribution issue. A firewall is great at stopping unwanted traffic from entering or leaving a company’s infrastructure, but if it is misconfigured, it can allow unwanted traffic. (This problem of misconfigured security tools is especially true for AI-based security, that may use supervised learning. Depending on how such a tool is set up, it has the potential to disrupt normal business workings or overload a person with noise — which we will discuss below.) Properly implementing this type of security control requires a deep understanding of company workings, security fundamentals, and how to apply that understanding via those security tools. An incomplete or incorrect understanding, laziness, human error, or negligence can cause the controls to backfire and damage the company. Even educating non-security personnel increases a company’s sophistication, and this can cut down on the number of successful social engineering attacks.

Noise

Noise is an attacker’s best friend, and attackers have become extremely adept at using it. Consider a scenario where an attacker is inside a company network and wants to export 10 GB of company information to the internet. Knowing that this will cause an observable spike on a network analyzer, the attacker has two options for hiding the spike:

  1. They themselves can analyze the traffic and exfiltrate data during peak network periods (for example, attacking on Christmas or Thanksgiving when companies expect network spikes).
  2. They can create noise in one part of the infrastructure, using it as a diversion, and then exfiltrate their required file, using TCP, when Ops or Security is busy dealing with the diversion.

A solution for distinguishing between actionable intelligence and unactionable noise is to segregate the network and the infrastructure in such a way that certain activity is expected for one part of the infrastructure, and if an anomaly occurs, the damage can be minimized by implementing appropriate security controls as quickly as possible. Appropriate security tools must also be tuned to eliminate noise as much as possible, and if tuning them has the potential to miss false negatives, then the infrastructure must be modified to synchronize with the appropriate controls. In certain instances this may not be realistic, in which case companies must be prepared to accept the risk that comes with that decision. Say, for example, that we have a server that is running a web application under a www-data user, and it is being monitored by an IDS. If the service user spawns a shell, then it could be a sign of an attacker who has compromised the application and gained access to the system (using remote code execution). But there is also a possibility that the application was written in such a way that it is supposed to spawn a shell as a part of its normal working. We have the option of tuning our IDS to not alert on the www-data user spawning shell (or go through every alert, every day in order to find false positives), or we could write our application in such a way that the service user does not spawn a shell. The latter reduces noise and, at the same time, helps us monitor possible application compromise.

Oversight

We can have the world’s best security controls, that generate petabytes of logs and alerts, and still get compromised. This can happen if the logs or controls are not monitored properly. Oversight is an important aspect of security which, as obvious and useful as it seems, is still skipped by a lot of companies. Too many companies want a plug and play solution that they can implement and then simply forget about. Unfortunately security does not work like that. New threats, attack vectors, and malware are discovered every day in the wild. Existing TTP (tactics, techniques, and procedures) are modified and evolved regularly. Currently there exists no technical solution that can handle this changing landscape efficiently and effectively — and therefore, human oversight is a must. Logs have to be monitored and examined, and security controls have to be properly maintained and used, if these tools are to yield up their full potential.

Wrapping Up . . .

The tactics and techniques mentioned above may seem like things that companies should deem common sense, obvious, and necessary, but in reality they’re the very things that are neglected the most. Attackers, whether they are script kiddies or seasoned veterans, can identify these gaps and then construct an attack that takes the path of least resistance, uses the smallest number of resources — and ultimately enables the attackers to capture their end goal.

Final advice: Study an attacker’s mindset, learn how they work, and build that knowledge into your security strategy.

If you’re interested in learning more about how Threat Stack can help address your security requirements, take a look at our SecOps Program℠, and feel free to sign up for a demo of the Threat Stack Cloud Security Platform®.

Reference
[1] The Art of War, by Sun Tzu

See Threat Stack in Action

Threat Stack secures your cloud infrastructure workloads. See how.

Book Your DemoDemo