2013-Jul-08 - The attacker’s (and defender’s) disadvantage

A common challenge for defenders (the ones responsible for protecting networks and companies), is that the attackers just need to find one hole or one vulnerability for them to get inside.

You can do it all correctly, but if you miss one server or leave one vulnerability unpatched, that’s the one that will be abused. That’s the defenders disadvantage.

And that’s a hard spot to be on. If you read all recent cases of APT, 100% of them started with zero-days sent via very targeted phishing emails. How do you protect against that?

Seriously, think about it. A zero day vulnerability on a common application that all your users need to use (Adobe or Flash). A very sneaky and targeted email sent to only a few of the employees. No anti virus or IDS product would flag it. If just one of victims click on it, their personal computer can be compromised, giving the attackers a way into your network.

The attackers disadvantage

But at the same time, the attackers have a similar disadvantage once they breach on a network. They can do it all properly and hide their activities very well, but if they make one mistake they can be detected.

The attackers can get in via a zero day vulnerability and go undetected until they compromise the first desktop. But what happens from there?

Will they try to get admin access? Will they try to expand their access to other servers? Will they try to download and send data out? Any suspicious behavior raised after they get inside can compromise their work.

And that’s when the defenders have an advantage to detect the attacker and respond to the compromise.

The attackers luck

Unfortunately, very few companies have that level of monitoring and security enabled. Very few would be able to detect a user trying to increase their privileges or even detect any anomaly from where he is logging in from. They can have a firewall and an IDS, but nobody looks at them. They are just so noisy that it is very easy to miss the important activity.

So the attackers can afford to be sloppy, and play around without even being detected. Good for them.

Proper detection and monitoring

And that’s why, if you are a defender (with servers and networks to protect), you need to have the proper monitoring in place. It is your only hope against a more advanced attacker and the only way to catch compromises as early as possible. Because in the same way you will make mistakes, the attackers will do them as well.

And you can’t rely on an IDS (attack detection system) or an anti virus for it. Because once the attacker is in, he won’t need to use exploits and he can just levegerage the access that he already has to do his damage. So what’s the solution?

I will certainly do a full post about it, but what I learned is that you can’t really block all attacks. You can’t even detect all of them. Your software will have vulnerabilities. You will make mistakes. You will get owned one day!

What you need is a system to alert and raise red flags when that does happen, so you can respond. The “you just got owned” alerting system. And those are not hard to setup, but requires a different mindset.

In a follow up post I will talk about ways to implement those.

By Daniel B. Cid - Tags: sec - Notes index.

Quick Links


My Projects