From left to right are: Alan Paller, SANS Institute director of research, Johannes Ullrich, SANS chief research officer, and Ed Skoudis, CEO of Counterhack. (Zachary Fryer-Biggs)
By ZACHARY FRYER-BIGGS
SAN FRANCISCO — Offensive cyber operators, both nation-states and individuals, are catching on to some of the improved cyber defense techniques and are getting better at covering their tracks while targeting the most important data.
Speaking as part of a panel Wednesday, “The Five Most Dangerous New Attack Techniques and What’s Coming Next,” Ed Skoudis, CEO of Counter Hack, described a trio of major trends in offensive operations: offensive forensics, misattribution and kinetic effects.
The ability to enter a network and remove data has existed for quite some time, but in the past, attackers exfiltrated large quantities of data hoping they would find something worthwhile in the mass.
Attackers are now using forensics tools to help target the data they actually want.
“With offensive forensics, you can focus on exactly the data elements that you need so that you can extract those without getting noticed,” Skoudis said. “Offensive forensics is taking forensics techniques [and] analyzing in-depth file systems and memory and combing through it, looking for the needle in the haystack. It’s forensics, but you’re using it to pull something back.”
Because attackers are removing much smaller quantities of data, their activities are far less likely to be noticed. They’re also learning to leave misleading tracks within the code for their hacks to distract defenders.
“It becomes quite interesting and quite useful for a nation-state actor who does not want to get noticed to build into their malware assets or other attacks stuff that will throw you off,” Skoudis said.
Coders in different regions of the world tend to have distinctive styles and use distinctive techniques. By including code that mimics the techniques of others, or even including non-essential tools that don’t work to give the impression that the attacker is less skilled than he might actually be, attackers can send defenders on a wild goose chase of attribution, Skoudis said.
Lastly, and possibly most troubling, attackers are no longer content to target virtual worlds alone, but are actively hitting critical infrastructure and producing kinetic effects.
(See this morning’s article on Verizon’s findings, which details the explosive growth of this attack type.)