What do Targeted Attacks and Texas Hold’em Have in Common?
In both, maintaining a poker face is the winning strategy
In previous posts, we compared targeted attacks to hand-to-hand combat (as opposed to a remote drone strike). The idea was that we, as security professionals, need to relate to attackers as individuals that respond to our actions. They punch, we respond, and they react to this response.
As we drill further down into the psychology of targeted attacks, and consider more in-depth the strategy of dealing with them, another analogy suggests itself.
Without going too far into the subtleties of the game, the widely-popular poker variation called Texas Hold’em is an excellent analogy for the complex relationship that should (but does not always) exist between attacker and defender.
No to Knee-Jerk, Yes to Poker Face
When it comes to responding to security issues in our network, our first inclination is knee-jerk. It’s understandable – as natural as the reflex to swat a mosquito that’s just landed on your arm. There’s a threat, you eliminate the threat. Solved.
But in Texas Hold’em, it’s all about what signals you give your opponents – or more importantly, what signals you conceal. You may really want to raise, because you have a great hand, but by raising you give away information to your opponents. Seasoned players are aware of this, and plan their actions to confuse, or at least to minimize certainty. There’s no room for knee-jerk reactions in Texas Hold’em.
As you’ve probably guessed by now, in the realm of targeted attacks, we’re contending that we should all be playing Texas Hold’em. And that’s because, without a shadow of a doubt, our opponents already are.
Identifying Attacks: Overcoming Poker Face
Texas Hold’em professionals (yes, there are people like this) are massively keen observers of behavior. They watch other players very closely during a game, watching for tell-tale signs that indicate distress or weakness. And when you get two professionals playing against each other, these signs can be quite subtle – nearly impossible to detect.
Targeted attacks are no different. One of the biggest problems with APTs is that the tell-tales are sparse, and often indistinguishable from the regular run-of-the-mill attacks at first sight. This is the attacker’s poker face – and it’s our challenge to call him out.
It is not uncommon for an organizational security team to be aware of different facets of an attack, but fail to grasp that the different indications they see stem from an orchestrated campaign. These indications can take the form of sporadic alerts fired by legacy intrusion detection technologies like firewalls, malware sandboxes, and others, each regarding a specific tool or action that takes part in the campaign.
In their defense, these legacy technologies can at times discriminate between opportunistic and targeted attackers: phishing emails whose content is tailor-made; a malware infection in a non-internet-facing host; anomalies in the behavior of production-line components like databases, POS machines, controllers; a new and previously unreported malware type. However, as recent evidence such as FireEye’s failure to detect the Target breach shows, these technologies are one-shot and lack the context to separate the targeted attacks from the opportunistic ones.
In Texas Hold’em terms – legacy tools can’t see past the poker face, and uncover the attacker’s true intention.
So What? Why Not Just Respond to the Threat at Hand?
This is a fair question. It could be (and has been) argued by security professionals comparing cyber defense technologies that a sound policy simply dictates an instantaneous and vigorous response to each and every incident. Period.
It’s probably no surprise that we disagree with this approach. Building a security breach response protocol is Texas Hold’em par excellence. While our instincts may demand that we remove or disconnect infections the moment we learn of them – rationally, there is little guarantee of the impact of those actions on the attacker’s campaign, at least until we know the full extent of the attacker’s control of the network.
Thus, a cautious and considered response will always be preferable to a knee-jerk response. Non-routine defensive actions can tip the attacker off about the chase, prompting him to cover his tracks, create backup control channels, etc. Even worse, when we make a move in immediate response to a specific alert, the attacker gains valuable knowledge about what he did to trip the wire.
In targeted attacks, as in poker and other games, each side makes moves and counter-moves. Texas Hold’em thinking favors confusing the attacker by waiting some time before taking any defensive action, and using that time to monitor the attack using out-of-band monitoring tools. Only when a reasonable picture of the full extent of the attack is formed should a removal plan be initiated.
Texas Hold’em-Style – Three Quick Tips
1. Targeted attack response protocols should not be triggered when an APT is found, but rather much earlier, when the first suspicion arises.
2. Don’t rely on the severity score provided by threat analysis alone. The context, activity and timing are just as relevant to establish severity as the “maliciousness” of the file itself.
3. Collect relevant forensics before deciding how to act.
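As an added illustration of the three tips and of the sparse, cross-tool indications discussed above (example code, not the post’s own tooling), here is a small correlation pass over constructed alerts from several legacy tools: it links alerts into campaigns and ranks them by context rather than by each tool’s own severity score. The alert records, field names and weights are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed alerts, as isolated legacy tools would emit them. "sev" is the
# tool's own 1-5 score; the other fields are context the tools never combine.
# "peer" is the other endpoint of a network alert (assumed field name).
ALERTS = [
    {"ts": "2024-03-01T09:02", "tool": "mail-gw", "host": "ws-fin-07", "sev": 2,
     "kind": "phishing", "tailored": True},
    {"ts": "2024-03-01T09:40", "tool": "sandbox", "host": "ws-fin-07", "sev": 3,
     "kind": "malware", "known": False},
    {"ts": "2024-03-02T22:10", "tool": "fw", "host": "ws-fin-07",
     "peer": "db-prod-02", "sev": 1, "kind": "internal-scan"},
    {"ts": "2024-03-03T01:30", "tool": "db-audit", "host": "db-prod-02", "sev": 2,
     "kind": "anomaly", "production": True, "internet_facing": False},
    {"ts": "2024-03-05T14:00", "tool": "av", "host": "ws-mkt-21", "sev": 5,
     "kind": "malware", "known": True},
]

def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent.setdefault(x, x) != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def build_campaigns(alerts):
    """Group alerts that share a host or whose network alert names another host."""
    parent = {}
    for a in alerts:
        if "peer" in a:
            parent[_find(parent, a["host"])] = _find(parent, a["peer"])
    groups = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a["host"])].append(a)
    return [sorted(g, key=lambda a: a["ts"]) for g in groups.values()]

def context_score(campaign):
    """Score a campaign on the tell-tales from the post, not on per-alert severity."""
    score = 0
    for a in campaign:
        score += 2 if a.get("tailored") else 0                  # tailor-made phishing
        score += 2 if a.get("known") is False else 0            # previously unreported sample
        score += 2 if a.get("internet_facing") is False else 0  # infection behind the perimeter
        score += 2 if a.get("production") else 0                # DB / POS / controller anomaly
        score += 1 if "peer" in a else 0                        # host-to-host activity
    hosts = {a["host"] for a in campaign} | {a["peer"] for a in campaign if "peer" in a}
    score += len(hosts) - 1                                     # footprint across hosts
    t0, t1 = (datetime.fromisoformat(campaign[i]["ts"]) for i in (0, -1))
    score += 1 if (t1 - t0).days >= 1 else 0                    # activity persists across days
    return score

def triage(alerts):
    """Rank campaigns by context; the tools' own max severity is kept for comparison."""
    rows = [{"hosts": sorted({a["host"] for a in c}), "tools": sorted({a["tool"] for a in c}),
             "max_sev": max(a["sev"] for a in c), "context": context_score(c)}
            for c in build_campaigns(alerts)]
    return sorted(rows, key=lambda r: r["context"], reverse=True)
```

Run over the sample, the chain of low-severity alerts spanning the finance workstation and the production database ranks first, while the single severity-5 known-malware hit on a marketing workstation scores zero on context.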
The Right Tool for the Job
It has been argued that the time and effort involved in understanding the context of each network threat, and in collecting relevant forensics, is prohibitive. Better, this argument goes, to simply prioritize which threats to address and which to ignore.
However, at the origin of this argument is the incorrect assumption that today’s mainstream intrusion detection tools can provide reasonable protection from targeted attacks. News flash: they can’t.
Modern targeted attacks need to be mitigated with tools built for active breach detection. These tools collect forensics, then take context into account – producing high-quality alerts that help security teams see past the attacker’s poker face and address the actual threat at hand.