As an example, take a look at the most common response to malware on a system: pave it and reload. This sounds great, but what if the only purpose of the malware was to get someone in the door? Now the bad guy has pivoted to another system entirely, using a hash that was scraped from memory. Sure, you paved that one system, but the bad guy is still inside. They can wait for a day or two before responding to a call home from new (and less obtrusive) malware on another system. Most threat actors know exactly how people will respond, because these things are established standards and accepted policy.
Another example of threat actors knowing how a company will respond is the response to a DDoS attack. When a DDoS attack hits, the vast majority of companies will take a site or service offline until the attack is over. Much like malware, a DDoS is looked at as an annoyance and not as part of a potentially larger attack. In fact, most companies do not even bother to check other systems for compromise after a DDoS. It slips their minds that a DDoS is a perfect diversionary tactic, and one that can be used to great effect.
Trust me when I say that there is a lot of strategy that goes into attacking a modern business. The same level of strategy must be considered and put in place to keep the bad guys out. However (as we have seen far too often), the people running the company do not want to think about the details. They just want it to go away. IT security is viewed as a hassle. The thought process is “if we are complying with policy, we are good.” This creates cookie-cutter protections and canned responses. Just what the bad guys love. What good is a minefield if you know where all the mines are? How effective are patrols if everyone knows they only run every 30 minutes like clockwork?
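The pivot in the malware example and the "check other systems after a DDoS" point both come down to the same question: where did the credentials that touched the compromised box go next? Here is an added example (not from the original post) that answers it over logon records; the event shape, hostnames, accounts and timestamps are constructed sample data, and the 48-hour window is an assumed default.

```python
"""Pivot check to run before (or alongside) a pave-and-reload.

Given logon events in a simplified Windows-4624-like shape, list every
account that authenticated on the compromised host and then every other
host those accounts reached afterwards, plus any host that received a
network logon sourced from the compromised host. Any hit means the
reimage alone is not enough: that host needs a look too.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, destination host, account, source host, logon type)
# Logon type 3 = network, 10 = remote interactive, 2 = local console (Windows conventions).
EVENTS = [
    ("2016-01-29 09:00:00", "WS-17", "jdoe", "WS-17", 2),         # user of the infected workstation
    ("2016-01-29 09:05:00", "WS-17", "svc_backup", "BK-01", 3),   # privileged account touches the infected box
    ("2016-01-29 09:40:00", "FS-02", "svc_backup", "WS-17", 3),   # pivot: same account, sourced from WS-17
    ("2016-01-29 10:15:00", "DC-01", "svc_backup", "FS-02", 3),   # second hop with the reused credential
    ("2016-01-29 11:00:00", "WS-22", "asmith", "WS-22", 2),       # unrelated activity
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_pivots(events, compromised_host, window_hours=48):
    """Return {account: [(time, dest_host, src_host), ...]} for logons that warrant follow-up."""
    events = sorted(events, key=lambda e: parse(e[0]))
    first_seen = {}  # account -> first time it authenticated on the compromised host
    for ts, dest, acct, _src, _ltype in events:
        if dest == compromised_host and acct not in first_seen:
            first_seen[acct] = parse(ts)
    suspects = defaultdict(list)
    for ts, dest, acct, src, ltype in events:
        if dest == compromised_host:
            continue
        t = parse(ts)
        # Either the logon came from the compromised host over the network...
        from_host = src == compromised_host and ltype in (3, 10)
        # ...or a credential that was exposed on it was used elsewhere within the window.
        reused = (acct in first_seen and first_seen[acct] <= t
                  and t - first_seen[acct] <= timedelta(hours=window_hours))
        if from_host or reused:
            suspects[acct].append((ts, dest, src))
    return dict(suspects)

def hosts_to_check(suspects):
    """Sorted list of hosts that should be examined before the incident is closed."""
    return sorted({dest for hits in suspects.values() for _ts, dest, _src in hits})
```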
Richard Kirk from AlienVault had this to say after the DDoS attack that brought down HSBC’s web servers in the UK:
“HSBC has suffered another high profile website outage that has left its customers in a very awkward position, especially given today is when most people in the UK get paid and have to settle bills. This raises many questions about liability and compensation, as people are not able to access their bank accounts online. HSBC suggests that its customers call instead; however, it is quite likely that the call centres will not be able to cope with the spike in calls. HSBC claims that the attack was successfully defended, and this is most likely true, to the extent that if it is a distributed denial of service (DDOS) attack, then the online systems can be quickly taken offline to prevent any potential damage. However, this does not help its customers. The question that needs to be asked is: is a DDOS attack a network or a security concern? This is an important consideration, since it will dictate what response is triggered. But more importantly, surely it is time for cyber security risk to become a regular board level discussion. I wonder if the HSBC board, or any bank for that matter, regularly discusses how it should approach preparing and responding to cyber attacks and the growing risk to the business.”
Richard is alluding to some of the same things we are talking about. Think about it like this. After a DDoS attack, could a threat actor pop up a copy of the website to harvest usernames and passwords? What about the call center numbers customers are told to ring? What if there was a smaller attack, or a probe, to see what the response is? These are all things that are not being looked at by a large majority of corporations. They are never discussed at a higher level, but they really should be, especially when you consider the fact that DDoS attacks can get up to 500 Gbps these days…
The gap between the sophistication of the red team and the response from the blue team will continue to grow until these conversations are escalated to the people at the top. They have to start taking an active interest in security, or things will get much worse.