Since these types of attacks depend on availability and sheer numbers, they occur quite frequently. In our honeypot network, we see over 100 thousand scan attempts in a 24-hour period. To assume that scanning and opportunistic exploitation of services doesn't happen would be naïve.
To thwart opportunistic attacks, defenders should make sure to “block and tackle”: keep client and server software up to date, establish good endpoint and network-level visibility, and use mitigating controls (e.g., web proxies, firewalls). Adding hunting to discover incidents that traditional technologies may miss is also becoming increasingly important.
Targeted Attacks
When an organization is targeted for a specific reason (financial gain, intellectual property, etc.), it’s a mission, and therefore the level of attack sophistication can vary. The methods used in the initial attack, and in the follow-on activity, can help identify the group (or groups) involved.
Since the system where the initial foothold is gained is generally not the source of the information sought in the incident, attackers will move throughout the environment. During this movement, user accounts are compromised and privileges escalated; this is the lateral movement many organizations are concerned about.
After an initial attack is successful, it’s not uncommon for attackers to establish various persistence mechanisms so they can get back into the organization with the desired level of access and make future ingress easier.
While attacks of opportunity generally involve less reconnaissance than targeted attacks, both pass through the various stages of the “Cyber Kill Chain.” Understanding this process is important for knowing where risk lies as well as the size of the attack surface.
While the same technologies can be used to cover both opportunistic and targeted attacks, the vast majority of technologies are weak at detecting targeted activity. Hunting and response play a much larger role in targeted attacks. Visibility is of the utmost importance: getting high-fidelity information from endpoints, network devices, and various server and application logs is crucial to minimizing the time to detection and response.
Breach Planning
Organizational maturity goes a long way toward closing security gaps that may exist on an enterprise network. Examples of a mature security organization include focused leadership, increased monitoring, targeted technology investments, and effective policies and procedures.
Leadership should understand the various dynamics of the threat landscape to set direction and create policies and procedures to handle technology purchases and incident response
51 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide