Saturday, 04 February 2023

Strategy, Tactics, and Logistics. How They Fit into the Threat Landscape


The Threat Landscape is an interesting topic of discussion. It is constantly changing, and even the best predictions often fall short of the actual threat. This is because in most cases the attackers are a step ahead of the defenders. They have the advantage; to borrow a D&D phrase, they won the initiative roll. Defenders are always waiting to see what might happen. They plan without really knowing what the attackers are going to do, which means they have to be secure everywhere (not really a possibility). To help them put their resources in the right places, most security teams rely on threat intelligence feeds and an understanding of the Threat Landscape.

Here is the rub though: the attackers rely on it too. From monitoring attacker habits and behaviors, we know that they use common networking tools and vulnerability scanners during the intelligence collection phase of an attack. They also gather a significant amount of data through other methods, including monitoring the web for likely targets, social-engineering opportunities, and even the release of new vulnerabilities and attack type predictions.

The latter are important because they tell an attacker the time window for certain vulnerabilities and attack surfaces. As an example, Microsoft's recent announcement that it will block macros in Office files carrying the Mark of the Web tag in June(ish) lets attackers know that they have between now and then to use existing attacks that rely on this method, or to find new ways around the coming change.

The same can be said for new vulnerability announcements. When news breaks that a new vulnerability is out there, it usually comes on the heels of a patch not only being ready but available to install. This is the pattern because good security researchers work with the company in question (coordinated disclosure) to ensure it has a chance to fix the security issue before any announcement is made. Attackers know this too, so they understand that from the date of the announcement they have a limited window of opportunity to use the vulnerability to gain access. Even if they have already been using it, they now know they must change their attack toolset.

This type of behavior is a chicken-and-egg problem. An announcement of a vulnerability with a patch and/or mitigation techniques increases the likelihood of an attack using that vector. We saw this recently in vivid detail during the response to the Log4j vulnerability. We also see similar responses when predictions about increases in attack types come in. They are almost self-fulfilling, given how common it is to see a spike after CISA or H-ISAC makes a prediction. Would there have been an increase if no prediction had been made? You could go slightly insane trying to logic that one out.

Attackers, like military units, rely on information. Without it they are blindly throwing shit at the wall to see what might stick. Instead, they build profiles on their targets and make both strategic and tactical decisions as they prepare for their attacks. Smaller groups may be more tactical and nimbler in their movements and even their attack patterns, while larger and better funded groups will have strategic and logistical goals that factor into how they operate. At the state-sponsored level, strategic and political goals will be a major factor in their movements. They have more time and usually more resources to gather intelligence and analyze it for their long-term plans.

This information should factor into your response to vulnerability, patch, and attack pattern predictions. Knowing that a remote code execution vulnerability has been announced along with a patch should be an indication that an attack along that vector is likely. It is the military equivalent of hearing that the enemy is being resupplied, or knowing that you are getting resupplied. Both sides are going to be eager to take advantage of the situation before the resupply happens. Those supplies represent a strengthening of the party receiving them, so attacking before they arrive makes your chance of victory a little better. This is the same for a patch. If you can leverage the RCE bug before it is fixed, you gain entry and a foothold in the environment. From there, even if the RCE is patched, you have achieved your tactical goal of getting into the target company. As a defender, you are going to want to use your existing resources to prevent the attack while you await the resupply. In the case of the RCE bug, you want to understand where the affected software is, what vector the attack uses, and either patch now, if possible, or put up new defenses against the attack to mitigate the risk of it being in your environment while you wait for your maintenance window to fully patch the flaw.

To make this all work you need to track the same things that the attackers are tracking, so you can keep ahead of the shifting threat landscape. You also need a coordinated effort inside your organization so that when new intelligence is presented, the proper contingency plans can be executed to reduce the risk of an attack. This latter piece is one that far too many companies lack, and it leaves them open to exploit and compromise.
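As an added worked example (not code from the original post), here is the "where is it, what is the vector, patch now or mitigate until the window" decision from the previous two paragraphs written as a small triage routine. The advisory and asset record shapes, the product name "example-gateway", the advisory identifier and the inventory are all constructed for illustration; they are not a real feed, product or CVE. The idea is that when the announcement lands, the answer for every affected host is already decided by policy rather than argued about in a meeting.

```python
"""Triage a freshly announced RCE against an asset inventory.

Added example, not from the original post. The Advisory/Asset shapes and
all sample data below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Advisory:
    """A vulnerability announcement as the defender receives it (assumed shape)."""
    advisory_id: str
    product: str
    fixed_version: str      # first version that carries the patch
    vector: str             # "network" (reachable remotely) or "local"
    patch_available: bool
    mitigation: str         # compensating control while the patch has to wait


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


def version_key(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected when it is the same product and still below the fixed version."""
    return (asset.product == adv.product
            and version_key(asset.version) < version_key(adv.fixed_version))


def triage(assets: List[Asset], adv: Advisory, window_days: int) -> List[Dict]:
    """One action per affected asset, most urgent first.

    Priority 0: remotely reachable and a patch exists -> patch out of band now.
    Priority 1: remotely reachable, no patch yet      -> apply the mitigation now.
    Priority 2: not exposed, patch exists             -> next maintenance window.
    Priority 3: not exposed, no patch                 -> mitigate and track the fix.
    """
    findings = []
    for asset in assets:
        if not is_affected(asset, adv):
            continue
        exposed = asset.internet_facing and adv.vector == "network"
        if exposed and adv.patch_available:
            priority, action = 0, "patch now, outside the normal window"
        elif exposed:
            priority, action = 1, f"mitigate now: {adv.mitigation}"
        elif adv.patch_available:
            priority, action = 2, f"patch within the next window ({window_days} days)"
        else:
            priority, action = 3, f"mitigate and track the fix: {adv.mitigation}"
        findings.append({"host": asset.host, "version": asset.version,
                         "priority": priority, "action": action})
    findings.sort(key=lambda f: (f["priority"], f["host"]))
    return findings


# Constructed sample data: hypothetical product and advisory, not a real CVE.
SAMPLE_ADVISORY = Advisory(
    advisory_id="ADV-EXAMPLE-001", product="example-gateway",
    fixed_version="1.5.0", vector="network", patch_available=True,
    mitigation="block the affected admin endpoint at the edge proxy")

SAMPLE_INVENTORY = [
    Asset("gw-01", "example-gateway", "1.4.2", internet_facing=True),
    Asset("gw-02", "example-gateway", "1.5.0", internet_facing=True),   # already fixed
    Asset("app-03", "example-gateway", "1.3.9", internet_facing=False),
    Asset("db-04", "example-db", "9.2", internet_facing=False),         # other product
]


def sample_run() -> List[Dict]:
    """Run the triage over the constructed inventory with a 14-day window."""
    return triage(SAMPLE_INVENTORY, SAMPLE_ADVISORY, window_days=14)


if __name__ == "__main__":
    for f in sample_run():
        print(f"P{f['priority']} {f['host']} ({f['version']}): {f['action']}")
```

On the constructed data the internet-facing, unpatched gateway comes out first with "patch now", the internal host is queued for the next window, and the already-fixed host and the unrelated product are not listed. Swap `patch_available` to `False` and the same exposed host instead gets the compensating control first, which is the "put up new defenses while you wait" branch from the text. In practice the inventory would come from your CMDB or scanner export and the advisory from whatever feed you track, but the decision table is the part worth agreeing on before the announcement arrives.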
