Digital Sleight of Hand
April 13, 2015
It’s a good sign that attackers find themselves having to become more sophisticated and creative to beat corporate defenses. That being said, there is still no shortage of low hanging fruit out there, but let’s focus on the high-bar for a moment. In the never-ending stream of security solutions providers’ reports, Corero Network Security, Inc. recently released a report that puts into perspective some interesting metrics on Distributed Denial of Service (DDoS) attacks. While many think of DDoS as an elephant being stuffed into a doggy door to clog the pipeline, there are many more subtle nuances to DDoS that don’t get talked about much.
There are several interesting tidbits in the report worth noting. An important takeaway, for me anyway, is that attackers are adapting to their target’s defenses – this is huge. This isn’t your grandfather’s SYN flood anymore. What’s even more interesting is the move to what I’m starting to call digital sleight of hand. You’ve heard this before a year or so ago when a certain bank was attacked by a massive DDoS while at the same time a near-perfectly timed and executed fraud scheme was run, essentially cleaning out millions of dollars from their worldwide ATM (automated teller machine) network.
If you’ve ever seen a magician work their “magic,” you probably didn’t notice all the things going on outside your narrow field of focus. A television show called Brain Games focused an entire episode on figuring out why sleight of hand works so well, and it turns out it’s all in the way the human brain is wired. We as humans are simply incapable of multitasking. Your brain cannot focus on more than a single task at any given time, and what we perceive as multitasking is in fact time-slicing…and we’re terrible at it. As you’re looking at the magician shuffling cards and talking to you about what he’s doing, your brain focuses. What you are extremely unlikely to notice is that everything else about the scene has changed. While you focus on the cards being moved around, you are missing the fact that the person is now wearing glasses, a hat and several other people are standing around you. You are also unlikely to notice that someone has lifted your wallet, taken your cell phone from your pocket and tied your shoe laces together. Yes, it’s that bad, try it some time.
So what does this all have to do with each other, you may be asking yourself? Everything.
Let’s focus on the digital world for a moment. Security organizations that aren’t uniform in vision, developed processes and understanding of threats are prone to this type of digital sleight of hand quite easily. This is where the DDoS comes in. What better time to execute a buffer overflow attack to gain a root shell on one of your ancillary servers than when your entire organization is consumed in a massive DDoS against your e-commerce environment? At that point when there is an army trying to break down your front door, you are unlikely to notice your wallet being lifted from your pocket, or someone picking the back door lock and quietly walking out with your safe. It’s just the way the human brain operates, and it’s potentially catastrophic for security teams. This type of sleight of hand isn’t limited to the digital world alone, digital attacks are used to mask physical attacks and vice versa with some regularity as well.
Okay, it’s clear that as humans we’re vulnerable. It’s also clear that humans are at the focus point for security – does this mean that we’re lost? I don’t believe so. Here’s why.
I believe with a structured program and focus, security teams can do a relatively good job to avoid becoming yet another victim and statistic. Here are my three keys to avoid being a victim of digital sleight of hand:
- Know your critical assets. If you don’t know what’s most important to you, you’re forced to try to protect everything. An intelligent adversary counts on this and will seek to distract you and draw your attention away from their actual target by focusing your energy and resources to something meaningless, then strike while you’re stretched too thin to notice. We say this over and over again, and it is a far from trivial task, but there is nothing in your job description that is more important than knowing your enterprise’s critical assets.
- Think beyond discrete events. Many security professionals still fail to look beyond discrete events. This is one of the key reasons threat intelligence is so critical to a mature security organization. A phishing attack, a DDoS and a physical break-in may not seem like they’re connected until you pull the lens back and look at the bigger picture. You may actually be facing a determined, tasked adversary with multiple resources at their disposal. Some of their attacks are designed to be loud and simply keep you busy, while others are designed to be stealthy and not draw your attention at all. Having insight into adversary objectives, profiles and other necessary intelligence is crucial to good defense.
- Think strategic, execute tactical. Having a security strategy is important, but many still think a strategy is a set of policies that were written down at some point and looked at every once in a while. Nothing could be further from the truth. A strategy defines how your security organization behaves, its operating principles and goals. A strategy defines what you will protect, how you will protect it and what you will do when your plans fail. The minute-to-minute execution of security strategy is tactics. Tactics is the manifestation of the what into the how. If your strategy calls for a continual analysis of logs from all endpoints and security devices, then tactics describe exactly how you’ll do that. Your strategy likely figures in DDoS, but your tactical operations shouldn’t allow you to hyper-focus solely on the DDoS and ignore all the other strategic components of your security.
In this manner, security organizations stand a fighting chance against falling victim to a targeted, sleight of hand style attack. This is far from simple, and the human mind leads us astray with its inability to effectively multitask. I believe that an organized approach that compensates for the shortcomings of our own human tendencies can be effective.
Watch your wallet and be careful not to get distracted!