Don’t Look for the Known Known, Find the Known Unknown!
The recently-released report from the US Department of Homeland Security and others regarding the Backoff Point of Sale Malware is more important in what it does not address than in what it does.
In this report, two high-powered government agencies (DHS and the Secret Service) and one prestigious industry partnership (FS-ISAC) laudably come together to bring a serious threat to the attention of worldwide retailers.
The problem is, in Donald Rumsfeld’s recently-quoted words, that this report addresses a “known known” – i.e. a threat that’s already been identified. And because it has been identified, and for the most part neutralized by inclusion in anti-malware databases, it’s really no longer a threat.
The threat that should really be under discussion, again in Rumsfeld’s words, is the “known unknowns” – i.e the attack about which we know we don’t know. In simpler terms: I’m talking about the next attack to be discovered, the one that is currently underway, and that may have already breached your or someone else’s network. We know it’s out there, but we haven’t yet found it.
The problem is, this report – and in essence our industry as a whole – is not focused on finding these “known unknowns.”
Searching for What Already Happened Doesn’t Help
Much of today’s security industry is focused on analyzing malware – classifying it, tracing its evolution over time, and documenting its variants.
This treats the exploration and elimination of network threats like a meticulously-executed biological research project. We classify the disease, we find the cure, problem solved.
This line of reasoning – completely valid in medical or biological research – has a major flaw in the context of network threats. It assumes that the development of virus variants is natural or evolutionary, and that understanding the forensics of one attack will further the ultimate goal of preventing the next.
But malware is not evolutionary. It is constantly recreated, retested, retweaked, and redirected by authors not constrained by natural forces or timeframes. One attack may bear no resemblance to a predecessor, and even if it does – as we learned above – finding this out ex post facto is pointless.
And what’s more – malware isn’t really what we should be looking for.
Malware is the Means, Not the End
It is true that recent mega-breaches like that of retail giant Target’s network started with an attacker compromising a single computer in the network. And malware, in this case, was involved in the initial infection. But in many other cases, attackers find malware-free breach points – via insiders, social engineering, remote access tools, and more.
The point is that our research – not to mention common industry knowledge – has shown that secure corporate networks are breached and secure endpoints compromised every week – regardless of the preventative technology used.
Given the resources available to attackers and the infinite malicious permutations they can create, the real question is not if or how exactly the attacker will manage to breach your network, but whether your company can detect this breach in time before the attacker gains access to sensitive data.
So, What’s the Real Threat?
The Backoff report essentially encourages vendors to treat targeted attacks like generic malware campaigns. It suggests simplistic mitigation steps such as keeping AV signatures updated or checking for specific IOCs. To me, this reflects a very basic misunderstanding of the actual threat.
There is no question that sophisticated malware plays a very specific role in attacks. But there is also no question that malware built for a specific case by experts will almost always evade detection. And, as relates to Backoff and similar threats, by the time a POS is compromised, significant time has passed since the initial breach – often months – and significant damage has been done.
So, the real threat is the targeted attacker (a person or organization with motivation and a plan), not the malware. It’s the known unknown, not the known known.
The targeted attacker plans a long-term operation against a specific network. His goals are intrusion, extending a foothold, gaining access to sensitive assets such as POS, and extraction of sensitive information like credit card numbers.
In order to detect this type of attack before damage is done, the focus should be on changes of behavior in the network and in the endpoint that can indicate a breach. If we will keep trying to detect known malware and its variants, expecting to detect the next breach, we will never succeed as an industry.
Instead of analyzing old malware, organizations need to deploy breach detection systems that automatically detect and analyze the changes in user and computer behavior that indicate a breach. These subtle changes are usually low-key and slow, and affect only a small number of computers – but the right analysis and context can flag them as malicious.
In the Target case, for example, the communication between the points of sale and an internal computer in the network which the attacker selected as a staging area to aggregate credit card information was a significant change in behavior. Hundreds of such changes happen in a data breach, which takes months to develop. With the right breach detection technology, companies can consistently detect these known unknowns early in the attack lifecycle, before the damage is done.Learn more about LightCyber or contact us for a quick demo