Changes in Attack Strategy

Last week I was lucky enough to have the opportunity to present at the 5th International Conference on Information Warfare (ICIW) at the Air Force Institute of Technology, Wright-Patterson Air Force Base, Ohio.

As conferences go, it was fairly small but had a great mix of academic and operational security topics. I presented on the topic “Asymmetric Warfare: Challenges and Strategies for Countering Botnets” to a packed room (with much of the folks attending in military uniform). I’ll make the presentation material available shortly on the Damballa Research web site.

While I covered many different aspects of the threat, one particular aspect of the threat resulted in many follow-on questions that evening after my presentation – in particular, the concept encapsulated in the following slide:

The threat landscape has been changing at an accelerating pace. Access to botnet technologies (i.e. the ability to entice and corral thousands of victim computers under a single command and control infrastructure) has had a growing effect on attack tactics – in particular the “targeted” attack vector.

As the presentation slide tries to illustrate, in the old days a criminal would subtly reconnaissance a neighborhood -  looking for houses with the poorest lighting, the lowest fences, the most obscured backyard, mail stacking in the mailbox, etc. – before shortlisting the target homes. Next the criminal would pick an appropriate date and time of night to inspect the target house – checking for open windows, unlocked doors, keys under mats, unset alarm systems, etc. – looking for exploitable vulnerabilities, before finally breaking in to the home. In essence, the criminal was singling out the “lowest hanging fruit”.

Whether it’s a burglar trying to break in to a home, or a hacker trying to break in to the database of a global business, the same principles apply around reconnaissance and soft targets.

However, the “new way” is different. Consider the same neighborhood as above. This time the “criminal” is actually a mob of criminals (say, 2 or 3 per household in the neighborhood) and, instead of doing a reconnaissance phase, they simply choose a date and time convenient to themselves and attack all the houses at precisely the same time. Not only that, but they have an optimized list of tools and tactics for speed and efficiency. For example, instead of seeking out the one window that may have been left unlocked, they simply walk up to the front door with a couple of sledgehammers and smash the door down – making entry faster, and making it easier to remove the stolen goods.

In this case, there’s no prior warning of an attack – it’s more akin to a Blitzkrieg. Organizational efficiencies and a certain level of fearlessness means that they can conduct their crime rapidly and with high-levels of success. Precisely the things that botnets provide for organized cyber criminals.

Now, don’t get me wrong. This isn’t suddenly the default tactic for cyber-crime, but it is proving to be a very successful strategy for criminals that arm themselves with botnets to target an organization.

– Gunter Ollmann, VP Research

Tags: , ,