Aaron Higbee, CTO at PhishMe, is proposing a Sophistication Rating System that can be used for all attacks. “What do nearly all of the recent high-profile data breaches have in common?” he asks. “They have all been traced to sophisticated threats,” he answers. “All of this has created the impression that we are constantly under attack by some spooky, mysterious, sophisticated adversary.”
But using the recent Mandiant report on the APT1 threat from China, he points out that the archetypal APT threat is not that advanced, and that sophisticated attacks are not that sophisticated. “When it comes to their tactics, their level of sophistication is more cheap yellow mustard than Grey Poupon,” he suggests, noting that APT1 was using tools right out of Hacking Exposed books.
The problem is that it suits both the security industry and the breached victim to big-up the threat. “First,” he says, “technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.”
Au contraire, he claims; the tactics employed by these attackers are not sophisticated, and the malware they use tends not to be advanced. The majority of APT attacks are delivered by spear-phishing emails with malicious attachments containing well-known malware. But “even the best zero day in an email or booby-trapped URL can be avoided by an educated user base,” he suggests.
To solve this problem, to bring honesty back to breach disclosures and objectivity to breach analysis, Higbee is proposing a new Sophistication Rating System, ranging from ‘a simple unpacked Trojan’ (1) to ‘new – custom stuff with zero-days’ (10).
The reality, of course, is that this is an interesting idea that will never happen without regulatory insistence – and governments are just as keen to ‘big-up’ the threat as is the security industry. Any company fighting off loss of reputation and the potential of regulatory fines is unlikely to admit that the sophisticated APT that breached its security was actually ‘1 – a simple unpacked trojan.’