JP Morgan Targeted Attack: Not a Drone Strike, Hand-to-Hand Combat!
The bigger they are, the harder to hack? Not so, at least based on the (apparently successful) attack on JP Morgan, just revealed last week by the Wall Street Journal. With the FBI and the Secret Service investigating “possible” breaches in other major financial institutions, perhaps it’s time to rethink the way we relate to targeted attacks?
It’s Hand-to-Hand Combat, NOT a Drone Strike
A targeted attack is the cyber equivalent of hand-to-hand combat – a back-and-forth battle between two skilled adversaries, in which reactions need to be in sync with actions to have any effect. It is definitely not a one-sided, remotely-detonated drone strike – and it is imperative that we as an industry stop treating these attacks as such. Targeted attackers see the countermeasures security teams deploy, and change tactics to evade them – often successfully.
Stop Underestimating the Enemy
Attackers that go after a bank like JP Morgan are highly determined and highly skilled. They may have state sanction and backing, or not. But either way, these are not kids sitting in their parents’ garage looking for excitement during summer break. These are professionals, working in multidisciplinary teams, who have the discipline to persevere, the resources to devote, and the determination to work hard to get to quality loot.
Not Opportunistic – Focused and Targeted
The choice of JP Morgan (and the others) as a target may have been opportunistic – meaning that a specific vulnerability was initially identified as exploitable. However, once the target was chosen, the attackers stayed focused.
Why is this important? Because the millions of dollars that financial and other organizations spend on security are currently directed toward technologies that try to predict specific attack tactics or tools. This renders them ineffective against targeted attacks. In virtual hand-to-hand combat, targeted attackers learn the specific technologies deployed in the target, and simply use different maneuvers or tools to evade them.
These technologies, tightly bound to specific tactics or tools, represent the lion’s share of today’s cyber security countermeasure offerings. Thus, almost all of today’s cyber security spending is aimed at defending against opportunistic attackers, not targeted attackers. We are just now witnessing the emergence of companies and technologies that do not presume to predict a specific attack vector – but they are still not widespread.
An Attack, Not an Open-Ended Siege
So where does this leave us? Once commenced, a targeted attack has but three eventualities:
- The attacker is neutralized and is unable to carry on the attack;
- The attacker succeeds in obtaining some or all the loot;
- The attacker decides to forego the battle and move on.
We can agree that the first eventuality is preferable. Unfortunately, this is as rare as it is tempting. The second eventuality is the one we are trying to avoid. This leaves us with the third eventuality – neutralize the attacker’s will to pursue the attack.
This is not an unrealistic goal. Although some attackers may have vast resources at their disposal, no targeted attacker has absolutely unlimited resources. Professional attackers adhere to cost-benefit effort allocation laws like any other organization.
In medieval warfare terms – if the city can’t be sacked, the attackers are unlikely to lay a never-ending siege. Instead, they’re more likely to move on to the next, hopefully more lucrative, city.
Indeed, even after starting to target an organization, attackers may decide to abandon the attack if the target is resilient, the estimated cost keeps rising and the achievements are meager. So banks, and any other organization concerned with targeted attacks, should aim to make attackers expend as much effort as possible.
There are two specific concepts that are emerging and aim to help organizations in this type of war of attrition:
1. Make the attacker’s life tougher every step of the way
Defensive technologies which adapt themselves to the specific network make it impossible for attackers to effectively prepare their assault. When attackers have knowledge of and access to defensive technologies, they can model their attacks in the comfort of their own lab, using trial-and-error until they’re 100% sure that the attack will succeed and go undetected. This modelling cannot be done with technologies which adapt, and hence behave differently in the real network than in the attacker’s model.
2. Force attackers to give back ground
Post-intrusion detection controls allow defenders to respond to and contain a specific event. Each such detection is very costly to attackers, as they now need to battle to regain lost footholds, credentials, and knowledge.
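One way to make both concepts concrete, as an added illustration rather than any product or technique the post itself describes: a defensive control that derives per-deployment decoy accounts from a seed an attacker's lab copy does not have (concept 1), and a post-intrusion detector that treats any authentication against a decoy as a sign of an intruder and turns it into containment steps that cost the attacker footholds and credentials (concept 2). The seed, the log format and the sample log lines are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed per-deployment secret; a real deployment would generate its own at install time.
DEPLOYMENT_SEED = b"constructed-deployment-seed"

# Constructed log format: "<timestamp> auth user=<name> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=\w+$")


def decoy_accounts(seed, count=3):
    """Derive decoy account names from the deployment seed. The names change with every
    seed, so an attacker who modelled this control in a lab cannot tell which accounts are decoys here."""
    return [
        "svc-" + hmac.new(seed, b"decoy-%d" % i, hashlib.sha256).hexdigest()[:8]
        for i in range(count)
    ]


def detect_decoy_use(seed, log_lines):
    """Post-intrusion detection: decoy accounts are never used legitimately, so any
    authentication attempt against one is a high-confidence sign of an intruder inside the network."""
    decoys = set(decoy_accounts(seed))
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("user") in decoys:
            hits.append((m.group("ts"), m.group("user"), m.group("src")))
    return hits


def containment_actions(hits):
    """Turn detections into actions that make the attacker give back ground:
    isolate each source host and rotate every credential seen from it."""
    hosts = sorted({src for _, _, src in hits})
    return [f"isolate host {h}" for h in hosts] + [f"rotate credentials used from {h}" for h in hosts]


# Constructed authentication log; two lines touch decoy accounts from the same host.
_names = decoy_accounts(DEPLOYMENT_SEED)
SAMPLE_LOG = [
    "2014-08-28T10:00:01Z auth user=alice src=10.0.0.5 result=ok",
    f"2014-08-28T10:00:07Z auth user={_names[0]} src=10.0.0.44 result=fail",
    "2014-08-28T10:00:09Z auth user=bob src=10.0.0.7 result=ok",
    f"2014-08-28T10:01:12Z auth user={_names[2]} src=10.0.0.44 result=ok",
]

if __name__ == "__main__":
    for action in containment_actions(detect_decoy_use(DEPLOYMENT_SEED, SAMPLE_LOG)):
        print(action)
```

Running the detector with a different seed (the attacker's lab model) against the same log yields no hits, which is the point of concept 1: the control behaves differently in the real network than in the lab.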
In an ideal world, targeted attackers would be rooted out and eliminated. But the best bet for defenders against targeted attacks is a classic example of realpolitik: hold off the attack until attackers exert themselves and move on to the next, easier, target. This is the most realistic and most favorable eventuality.
Organizations smart and fast enough to deploy technologies like those above will become harder and harder targets. This might not stop the most determined attacker forever – but in the real world, this is not the goal. What it will do is serve to divert attackers’ efforts, and that sure is a win.