Abstract

Wednesday 5 October 12:00 - 12:30, Green room

Gadi Evron (Cymmetria)
Inbar Raz (Perimeter X)

With the advancement of defensive cyber security practices and the regular release of reports exposing toolsets used in APT attacks, advanced threat actors have had to adapt. However, while APT reports should have threat actors scrambling to keep up, in reality they are providing APT actors with the information they need to implement new operational security practices and technologies that have defenders working as hard as ever to protect their networks. Not only are attackers adapting; they are evolving at a faster rate than defenders. So what are we, as defenders, doing wrong?

The fact is, many public APT reports suck. Even though they tend to be long and technical, they are often not full reports, but rather a commentary on the attack platform(s) and deployment technique(s) used, intended for PR purposes. This results in an asymmetry — an information gap — that benefits the attacker. Current APT reports basically act as free Q&A for APT actors, providing them with valuable information about defenders' insights into their tools and actions. As a result, APT actors are able to adapt their OPSEC practices and technology in order to stay one step ahead of defenders. APT reports in their current state are more beneficial to attackers than to defenders.

Currently, most APT reports provide abundant information on indicators of compromise (IOCs), C&C set-up and the malware used. This talk examines actual techniques that can be used to re-engineer the entire attack process, including how attackers decide what information is valuable to target, where that information can be found, how they create a target report and then an attack plan, and the ongoing concerns of an attacker during lateral movement (i.e. OPSEC, intelligence gathering, keeping their identity hidden). Based on these techniques, we discuss specific defensive counter-measures that can be used.

If APT reports included more actionable intelligence that defenders could use to create better defence practices, their value would then be greater to defenders than to attackers. The talk discusses how intelligence on the attack vector of an APT, or on what information was compromised, is actually more valuable to a defender than what currently dominates APT reports (malware analysis, IOCs). APT reports with more actionable intelligence would allow us to publicly re-engineer specific attacks, consequently rendering useless certain attack techniques that are currently not public knowledge.

The cybersecurity sector needs to demand earlier reporting of breaches (or at least a heads-up to the security community), actionable public information sharing, and a move away from our current fixation on attribution. We need to make hackers spend significantly more time, effort and resources in order to succeed. By producing better APT reports, the security community can not only increase attackers' costs and keep them constantly on guard, but also significantly disrupt the attacker's operations and make it difficult for them to rebuild their attack infrastructure after being compromised and exposed.

The bottom line: in order to counter the evolution of APTs, we need APT reports that provide a more complete view of an attacker's motivations and chosen vector in addition to an analysis of his techniques. This shift in focus can give security professionals more tools to successfully re-engineer an attacker's methodology.
