How paradigms shifting can alter the goals of attackers and defenders
The use of disruptive technology is altering the way attackers and defenders set goals for network security. Learn more about the shifting field with Matt Pascucci.
Security is never stagnant; it's always in flux with the constant ebb and flow of either trying to stay one step ahead of attackers or running to catch up.
This will never change, and as security managers, architects and engineers, we must get used to the constant cat-and-mouse game with attackers. This is especially true when developing new products or techniques that can successfully disrupt attackers. When this happens, everyone takes notice, including the attackers themselves.
However, this is not the time to trust in one product or technique alone; it's time to go on the offensive and start implementing even more controls. These disruptive defensive technologies are solving a problem for the moment, and they're forcing attackers to find ways around them. We don't have a paradigm shift here, we have paradigms shifting.
Paradigms shifting on endpoints
One area where we constantly see paradigms shifting is on endpoints.
Attackers are still gunning for the endpoint, and that's where the battle is raging and will continue to be fought for the foreseeable future. As an industry, we were doing a poor job keeping up with attacks with the traditional signature-based antivirus tools.
Due to this weakness, the industry shifted to develop new technology that solved a known pain point with machine learning techniques. Now, most antimalware companies are focusing on integrating machine learning into their products to catch malicious executables that don't have malware signatures.
This was an example of paradigms shifting, and attackers are put on the defensive to adjust their techniques to bypass these solutions. In my opinion, the disruptive way machine learning is integrated into antivirus tools has forced the hands of attackers to start developing more fileless and macro-based malware, which enables attackers to bypass parts of these defenses. We shifted, they shifted and it's back on us again to supplement and defend our assets.
Exploiting disruptive technology
We also see attackers changing their techniques based on our recommendations to the information security community.
For years, we've preached the importance of securing and encrypting data in transit and at rest to protect it from attackers. As a result, attackers applied encryption in transit to protect their communications within malware or when transferring data from a target. They also used encryption at rest to their advantage, but ended up calling it ransomware.
Attackers have also used encryption to secure their assets, which are usually malicious; however, they took to heart the mantra of securing data in transit and at rest and used it for their own gain. You can't blame them for listening to us if we don't follow our own rules.
We also see attackers changing their techniques based on our recommendations to the information security community.
Using sandboxing for malware analysis is another disruptive technology that puts attackers on their heels. These systems made a big splash in the industry, and they help defend networks by adding another layer of protection inline before malicious attachments even make it to an endpoint.
As attackers adjusted to this technology, they found ways around it by hiding malicious code within password-protected attachments, delaying the execution of their malicious code, going silent if it was found to be in a sandbox or sending large files with code injected into them, as many sandboxes don't read an entire file.
These are all particular situations in which attackers shifted when they noticed their techniques were no longer successful. While these evasive techniques don't work every time, they illustrate how a new disruptive technology is introduced and what attackers do to continue their campaigns in a creative manner.
These use cases are just a few examples of the game we play with attackers when adopting new technology and techniques for defense. When new technology that solves a problem in the industry is released, it is almost a guarantee that attackers will actively look for ways around it; they're in the business to compromise our data.
Don't be fooled into thinking that they're not taking this just as seriously as we are. We're developing new technology to defend against them and they're developing new countermeasures to combat our defensives. We can never rely on one particular area of technology for defense, and we need to integrate these tools and techniques on a continual basis to defend against these changes.
The best time to start adding more defensive measures is after you've adopted a disruptive technology. Once that new disruptive technology is in place, attackers will start changing their game, meaning they will attack you in new ways.
Don't get a false sense of security after closing one door; attackers will stroll in from another entrance.
When implementing something new to solve a problem, part of the solution should be monitoring for the same threat or determining how attackers can accomplish their goal in a different way. This is where a firm foundation of security and sticking to the fundamentals really doubles down your investment in these technologies. Once you leave the attacker dizzy for a moment, you should continue securing your environment before they regain their footing, as your adversary can get creative.
