
RSAC16: Cyber attackers still after low-hanging fruit, dark web study shows

Tracking a cyber adversary that is recruiting and the skills they desire can improve the overall maturity of an organisation’s security programme, according to Digital Shadows

Cyber attackers are battling just as much as defenders to attract people with the right skills, but the skills in greatest demand are key indicators of attackers’ intentions, according to Digital Shadows.

Analysis of dark web and open web data by the security firm, released at the RSA Conference 2016 in San Francisco, reveals that attackers are struggling to recruit people with the skills they need to expand their operations.

Typically, cyber criminals need an ecosystem of malware writers, exploit developers, botnet operators and mules, but finding individuals who can be trusted is difficult and requires a rigorous application procedure.

The research shows many cyber criminal and hacktivist groups have adopted traditional, real-world recruitment techniques to identify top talent to meet their needs, such as job ads and forums.

However, hackers face the challenge of script kids, who possess no legitimate technical skill and can waste limited resources, so due diligence is required to ensure the proper candidates come through the process, with some groups even requiring a probationary period, similar to a corporate IT environment.

“But recruiting is a double-edged sword because although top cyber criminals want to stay under the radar, their recruitment operations give us insight into their plans and motivations,” said Rick Holland, vice-president of strategy at Digital Shadows.

“It is interesting to note that the cyber criminals and even hacktivists are not going after specific, cutting-edge skills, but the ability to use well-established, tried-and-tested attack methods such as cross-site scripting (XSS) and SQL injection (SQLi),” he told Computer Weekly.

This means that adversaries are still going after low-hanging fruit and taking advantage of the fact that many organisations are still vulnerable to the likes of SQLi, even though they have been around for decades and there are effective tools and strategies for defending against them.

“Tracking an adversary that is recruiting and the skills they desire can improve the overall maturity of an organisation’s security programme,” said Holland.

Other well-known attack methods that adversaries are recruiting for, and that defenders should ensure they are protected against, include distributed denial of service (DDoS) attacks and social engineering methods to trick people into helping cyber attackers.

“Based on our findings, instead of CISOs being enthralled by the ‘next-generation silver bullets’ that we are bound to see on the RSA Expo floor, they should review their cyber security defence strategy to ensure all the basic principles and well-known threats are really taken care of,” said Holland.


In particular, he said CISOs should look at whether they are in a good position regarding application security and network visibility, so that if an attacker is trying to use techniques such as cross-site scripting and SQL injection, they can identify and shut down that activity, and their applications are hardened to defend against it.
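The two "basic" defences the article keeps returning to, hardening applications against SQLi and XSS and having enough visibility to spot attempts, are easy to show concretely. The following is an added example written for this page; it is not code from Digital Shadows, Computer Weekly or any product they describe. It puts the weak string-concatenated query beside its parameterised form, shows HTML output encoding for the XSS case, and runs a coarse pattern check over a few constructed web-server log lines. The table, user names, IP addresses and log lines are all constructed for illustration.

```python
"""Added example (not from the article or Digital Shadows): hardened SQL and
HTML handling beside a minimal detection pass over constructed access logs."""
import html
import re
import sqlite3
from urllib.parse import unquote


def build_db():
    """Constructed in-memory user table standing in for a real application DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The weak pattern: user input is pasted into the SQL text, so the
    database parses attacker-supplied characters as part of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The hardened pattern: a placeholder sends the value separately from the
    query text, so the input can only ever be compared as a plain string."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    """Output encoding for the XSS case: every HTML-significant character in the
    untrusted value is escaped before it is placed in the page."""
    return "<p>Hello, " + html.escape(name) + "</p>"


# Constructed access-log lines in common log format; not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2016:10:00:01 +0000] "GET /profile?name=alice HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2016:10:00:02 +0000] "GET /profile?name=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '10.0.0.9 - - [01/Mar/2016:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 300',
    '10.0.0.5 - - [01/Mar/2016:10:00:04 +0000] "GET /search?q=oreilly HTTP/1.1" 200 280',
]

# Deliberately small pattern set: the "tried-and-tested" forms the article
# says adversaries still rely on. Real deployments tune and extend these.
SUSPICIOUS = [
    ("sqli", re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=|union\s+select|--\s*$", re.I)),
    ("xss", re.compile(r"<\s*script|on\w+\s*=|javascript:", re.I)),
]

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:\w+) (\S+)')


def flag_requests(lines):
    """Return (line_no, client_ip, label) for each request whose URL-decoded
    path matches a pattern. This is the first-line visibility the article asks
    for, not a substitute for fixing the application code."""
    hits = []
    for i, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), unquote(m.group(2))
        for label, pat in SUSPICIOUS:
            if pat.search(path):
                hits.append((i, ip, label))
                break
    return hits


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no row is named that
    print(render_greeting("<b>x</b>"))
    for hit in flag_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The contrast in the two lookups is the whole point: the same input that widens the concatenated query to return every user is just an unmatched string when bound as a parameter. The log check is intentionally simple, and its value is in showing that the patterns attackers are recruiting for are also the easiest to recognise once request logs are actually being read.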

“The big takeaway from this research is that fundamental components of any organisation’s cyber security strategy should be the top priority,” he said.

“Organisations should not get distracted by, or move on to, newer, more advanced defence technologies until they have a solid foundation, otherwise it is like building a house in an earthquake zone or floodplain.”

Holland said defenders should also bear in mind that not only do cyber criminals face similar challenges in recruiting people with the right skills, they are also limited by the amount of operational security they can implement before it interferes with the efficiency of their criminal business operations.

“Cyber criminals are going to make operational security trade-offs, which creates an opportunity for defenders to detect them and learn more about them by using search tools to identify some of the infrastructure they have and looking at the tell-tale traces left by attackers in the corporate environment, which defenders can use to build resilience into their security plans,” he said.

Just as legitimate organisations have “digital shadows”, so too do cyber criminal organisations, which can be used to construct profiles of adversaries, including their tactics, techniques and procedures, he added.

“The combination of knowing your own digital footprint and details of what the adversary is doing can be useful,” said Holland.

“If organisations do not get better visibility into their risk, they are never going to be able to make the right decisions on what to invest in to drive their security strategy.”
