Are Conventional Cybersecurity Tactics Leading You to Defeat?

Originally published by CXO REvolutionaries here.

Written by Daniel Ballmer, Senior Transformation Analyst, Zscaler.

Today’s organizations are fighting cyberattacks using strategies that have historically failed in a combat environment. While there are many differences between conventional warfare and cybersecurity, there are also enlightening similarities. One example is the concept of asymmetrical warfare

Asymmetric Warfare: Unconventional strategies and tactics adopted by a force when the military capabilities of belligerent powers are not simply unequal but are so significantly different that they cannot make the same sorts of attacks on each other.

- Encyclopedia Britannica

Consider the amount of effort and resources an organization spends on cybersecurity. A recent Deloitte report found cybersecurity costs businesses between $1,984 and $4,375 each year, per full-time employee (FTE). These numbers translate to an average of $2,885.33 per FTE across the business sectors surveyed. Using this rough estimate, an organization with 35 FTEs is spending over $100,000 on cybersecurity every year. These numbers are broad generalizations, but accurate enough to demonstrate how typical cybersecurity expenditures can ultimately be used to damage organizations.

How do organizations spend their cybersecurity dollars? According to a Gartner survey, cybersecurity expenditures are divided among the following categories:

Organizations spend money on a vast array of tools, infrastructure, and security services to fortify themselves against attacks. Larger ones have a security operations center (SOC), staffed by trained professionals who perform ‘round-the-clock monitoring of the environment. Similar to a standing army, businesses have formidable cyber “weapons,” they remain on high alert, and operate according to extensively documented procedures.

Now, let’s look at the capabilities of their opponents, who have neither the numbers nor the means to “fight fair” against fortified organizations.

Guerilla Hacking 101

For the sake of discussion, let us imagine the hypothetical journey of a disgruntled young adult who wants to hack an organization. They have a limited budget (let’s say, $1000), considerable free time, and some amount of technical acuity. They know nothing about hacking, so they begin by performing a few YouTube searches where they stumble across Network Chuck.

Seventeen minutes later, they’ve learned about Kali Linux and the network-scanning nmap command. With this single command they can:

• Discover every endpoint on a network
• Search for open ports on each endpoint (using stealth-enabled scans)
• Enumerate the operating system each endpoint is using
• Add decoy traffic to network scans to hinder detection
• Use automated scripts to discover vulnerabilities in the environment

Launching a cyberattack from their old PC, a machine imprinted with years of their digital fingerprints, seems like a bad idea. This soon-to-be attacker needs a new computer that can run Kali Linux. Searching the internet, they find an affordable Mini PC for $479 that can handle the job. The operating system is absolutely free. The attacker-in-training has spent less than an hour watching videos, under $500, and already poses a small threat to the target organization.

Of course, our blossoming adversary realizes that they don’t know much about cybercrime – and they fear being caught. They search for other YouTube videos and soon run across one about using proxychains. It is everything they need, a thirteen-minute crash course on hiding malicious network traffic with a single Kali Linux command. By the end of the video, they have learned to:

• Route their activity through multiple proxy servers
• Proxy DNS requests to conceal their origin
• Run nmap commands through proxies
• Configure nmap to communicate with hosts that ignore ping traffic
• Find lists of free proxy servers located around the world

Our budding threat actor can now anonymously scan network infrastructure and public-facing resources. They can see specific software versions running on organizational hardware. They can search databases of known vulnerabilities and identify opportunities to exploit. They can route their attacks through servers around the world and duplicate their nmap requests using fake IP addresses. Trying to discover who or where they are is difficult and cost prohibitive. They have also spent less than half of their budget.

Outsourcing the hard work

Simply knowing that an organization is running specific software containing known vulnerabilities is only half of the battle. Our neophyte hacker has to exploit a vulnerability before they can cause serious harm. Learning to stage an effective cyberattack campaign is considerably more difficult than simply discovering your opponent’s weaknesses. Fortunately (for the attacker), there are several malicious services available on the dark web.

Our attacker may want to lease a suite of ransomware services that include obfuscation, malware droppers, and customer support for as little as $120 a month. If the threat actor wants to gamble on finding an easier path into the organization, they may rent a phishing kit for $20 or more. If they want to experiment on their own, perhaps they’ll pay $59 for PureCrypter, the fully functional malware loader and distribution platform. There is no rush, our attacker has vulnerability information on the target, numerous cyberattack options, and plenty of time.

Fight smarter, not harder

The economics behind this hypothetical demonstrates how typical cybersecurity expenditures expose organizations to asymmetrical warfare. Organizations are like an over-extended and entrenched military. They shelter behind expensive layers of security and employ professionals to run continuous cybersecurity operations. Their costs are staggering. The human and monetary resources involved in their security effort is considerable. They are highly visible, stationary, and slow to react.

These organizations' enemies cannot match their funding, technology, or human capability. Instead, they cautiously study their opponent, wisely select their “weapons,” and strike at a time of their choosing. Our hypothetical hacker can train and arm themselves in a few weeks for under $1000. Meanwhile, the target organization is paying over $2885 per year to protect one employee. With these numbers, how long can the organization afford to engage in a protracted cyber war?

The solution is to fight smarter, not harder. One way to completely shut down attacks like the one described is to simply hide organizational infrastructure from sight. Limiting infrastructure visibility and authenticating users to specific apps, not to the network, is an effective way to camouflage business resources.

Following good security hygiene also goes a long way towards preventing attacks, especially from inexperienced threat actors. Keeping hardware and software updated reduces their known vulnerabilities and shrinks the attack surface. Strong password enforcement, multifactor authentication, and following the principle of least privileged access can keep hackers out, and limit their ability to inflict damage.