Computer Threats Evolve Towards Focused, Nimble Tactics

Modern intrusions increasingly use well-planned, nimble, focused strategies rather than brute-force attacks alone. Attackers study business inner-workings to locate valuable data—scraping card numbers from memory, recompiling payment applications with backdoors, or compromising board communication systems like Directors Desk.

As the role that computer-based systems play in our lives continues to evolve, so do the tactics and strategies of computer attackers. While early data breaches seemed to be mostly motivated by curiosity, fun, fame and poor judgement, modern intrusions are dominated by premeditated financial and, sometimes, political goals. The manner in which attackers execute their campaigns is changing accordingly.

Knowing Where to Strike

Computer attackers now place a greater emphasis on their targets’ business inner-workings, deriving long-term benefits from knowing where and how to locate the data they seek. For instance:

We’ve seen targeted attacks, such as the APT incidents described in Mandiant’s M-Trends report, where attackers obtained a clear understanding of the organizational and technological aspects of the company to maintain persistent presence there.
We’ve seen credit card breaches where attackers learned enough about the flow of payment data to find the best way to capture it. This involved scraping credit card numbers from memory, as Verizon discussed in its 2009 Data Breach Investigations Report. Intruders have also been known to recompile and deploying a payment-processing application to include a back door.
We’ve seen attackers gain access to messaging systems that process sensitive communications. One example of this was the NASDAQ breach, where a private communications application for Board management needs Directors Desk was compromised. Presumably, such access provided intruders with insider details about publicly-traded companies.

Focused, Nimble Attacks vs. Large-Scale, Heavy Tactics

A documentary I watched on the History Channel discussed the extent to which naval warfare has changed from World War I to World War II. While earlier naval victories were mostly the function of battleship size and firepower, World War II victories were mostly attributed to smaller ships being used strategically to disrupt the enemy’s logistics and supply operations. According to Dr. Cliff Welborn,

“Allied navies waged a tonnage war to limit the volume of supplies reaching military operations. A tonnage war is a naval strategy designed to disrupt the enemy’s economic supply chain by destroying merchant shipping.”

We’re seeing a similar trend in computer intrusions. Large-scale, brute-force attacks still work, and will be part of the threat landscape for a long time. At the same time, the more advanced threat agents are using well-planned, nimble, focused strategies to strike at the heart of their target to derive the maximum benefit.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →