Interview: Tom Kellermann, Chief Cybersecurity Officer, Carbon Black

“What’s scary about ransomware is not only the applicability to ransom but, more importantly, the utility of it to conduct counter incident response.”

Speaking to Infosecurity, Tom Kellermann, chief cybersecurity officer at Carbon Black, said that cyber-attacks have “moved from burglary to home invasion in the last two years” and, as with a physical crime, the attacker may choose to burn the evidence, since the victim's next step would be to get law enforcement to find the culprit.

He claimed that if a burglar were detected you could shout out ‘we know you’re here and I’ve got a gun’, but what you don't know is whether it's a one-man job or if there is someone outside who will set fire to your house.

“It is the equivalent of one burglar leaving and another taking over,” he said. “The other may set your house on fire to punish you; there are more and more destructive attacks.”

Kellermann said that often the secondary action is the greater threat, so the goal of a defender should be to decrease dwell time (how long the attacker is in their environment), increase visibility into their lateral movement and hunt the adversary in what he called “a quiet and clandestine fashion.”

He claimed that the way to better defend is to “give us as much as we can in closed forums,” but also to advise partners that it is not in their best interest to immediately terminate command and control connections: hunters should first have all the historical data from across their endpoints, so that they know all of it and are not leaving anything behind.

Kellermann added that hacker crews move a certain way and all that changes is what they deliver and the technical means of what they exfiltrate, and this has led to a new stage in the cyber kill chain – the maintenance stage – where attackers maintain a footprint in the system as there is no need for them to ever leave.

He pointed to instances in the past where an attacker would patch a vulnerability after exploiting it, effectively locking the door after they have come in.  

“Between application attacks and fileless malware, more often than not they are going to get past the endpoint and move freely and laterally in your infrastructure as they will use your encryption to run through your tunnels, or use trusted protocols that you would usually never monitor and once inside they will compromise credentials of super users. How are you going to see all of that if you do not have visibility on every endpoint? Most people don’t.”
 
So are we doing enough defense against this increasing offense? Kellermann said no: we live in very hostile environments and have to realize that success is based on decreasing dwell time, reacting faster and more quietly to an adversary and inhibiting their capacity to move laterally. “If we can just do that, that is success – as sad as that is to say.”
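The three defensive measures Kellermann keeps returning to (dwell time, visibility into lateral movement, and the abuse of privileged accounts over trusted protocols) can be turned into concrete checks over endpoint telemetry. The script below is an added example written for this page; it is not Carbon Black code and not anything Kellermann described. It runs over a small, constructed log in a pipe-delimited format invented for the demo (real EDR exports differ), measures dwell time from the first suspicious marker to the containment event, flags a host that reaches several distinct remote targets over SMB/WinRM inside a short window, and lists remote logons by accounts in an assumed privileged set.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for the demo (not real data). One event per line:
#   timestamp | source host | user | event type | detail
SAMPLE_EVENTS = """\
2019-06-03T08:12:04 | ws-17 | j.doe | process_start | powershell.exe -enc ...
2019-06-03T08:12:05 | ws-17 | j.doe | net_connect | 203.0.113.8:443 tls
2019-06-03T09:40:11 | ws-17 | j.doe | logon_remote | target=fs-02 proto=smb
2019-06-03T09:41:30 | ws-17 | j.doe | logon_remote | target=fs-03 proto=smb
2019-06-03T09:45:02 | ws-17 | svc_backup | logon_remote | target=dc-01 proto=winrm
2019-06-03T10:02:00 | dc-01 | svc_backup | process_start | some_tool.exe
2019-06-05T14:30:00 | ws-17 | - | containment | host isolated by IR team
"""

# Assumed indicator of an in-memory ("fileless") foothold: an encoded PowerShell
# command line. Real deployments would use a much richer, tuned indicator set.
SUSPICIOUS_MARKERS = ("powershell.exe -enc",)

# Assumed set of "super user" accounts whose remote use deserves a closer look.
PRIVILEGED_ACCOUNTS = {"svc_backup", "Administrator"}


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, event, detail = [p.strip() for p in line.split(" | ", 4)]
        # key=value tokens in the detail column become a small fields dict
        fields = dict(tok.split("=", 1) for tok in detail.split() if "=" in tok)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "event": event, "detail": detail, "fields": fields})
    return sorted(events, key=lambda e: e["ts"])


def dwell_time(events, markers=SUSPICIOUS_MARKERS):
    """Time from the first suspicious marker to the containment event (None if either is missing)."""
    first = next((e["ts"] for e in events if any(m in e["detail"] for m in markers)), None)
    contained = next((e["ts"] for e in events if e["event"] == "containment"), None)
    if first is None or contained is None:
        return None
    return contained - first


def lateral_movement(events, window=timedelta(hours=1), threshold=3):
    """Hosts that log on to >= threshold distinct remote targets within a sliding window.

    Returns {source_host: sorted list of targets seen in the window that tripped the rule}.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["event"] == "logon_remote" and "target" in e["fields"]:
            by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        for e in evs:
            start = e["ts"] - window
            targets = {x["fields"]["target"] for x in evs if start <= x["ts"] <= e["ts"]}
            if len(targets) >= threshold:
                flagged[host] = sorted(targets)
    return flagged


def privileged_remote_logons(events, privileged=PRIVILEGED_ACCOUNTS):
    """(source host, user, target, protocol) for every remote logon by a privileged account."""
    return [(e["host"], e["user"], e["fields"].get("target", "?"), e["fields"].get("proto", "?"))
            for e in events
            if e["event"] == "logon_remote" and e["user"] in privileged]


def report(text=SAMPLE_EVENTS):
    """Bundle the three checks so they can be run over one export."""
    events = parse_events(text)
    return {"dwell_time": dwell_time(events),
            "lateral_movement": lateral_movement(events),
            "privileged_remote_logons": privileged_remote_logons(events)}


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The lateral-movement rule is deliberately about fan-out (distinct targets per source in a window) rather than about any single protocol, because the point in the interview is that SMB, WinRM and similar trusted channels look normal one connection at a time; the anomaly is only visible when the whole endpoint history is in view, which is also why dwell time here is measured from the earliest marker rather than from the moment the C2 connection was noticed.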
