A Day in the Life of a Threat Actor – ILTA 2014 session
After several sessions discussing the risks firms may face from cyber security threats, it was a welcome change of pace to hear more about how these threats are orchestrated and what organizations are doing to stay ahead of “threat actors.”
Barry Hensley, executive director of the Counter Threat Unit at Dell SecureWorks, offered a forensic breakdown of how “adversaries,” as he referred to them, identify, prepare and execute cyber attacks. His unique expertise extends beyond the private sector as well, with years of cyber security experience with the Department of Defense.
As you might expect, adversaries begin with reconnaissance to find weak spots and the most effective way to disrupt an organization. Social and business networking sites have become a key target for bad actors looking to identify a person to leverage in a scam, but they also offer a convenient way to identify additional targets through “friends” or “connections” features.
Most sobering of all, tradeshow badge scans – something many ILTA attendees have done without giving a second glance – can be exploited as a connection to a potential target.
From there, adversaries deploy ready-made malware via attachments and links, often delivered by masked emails. As Hensley noted, organizations must be prepared for these threats. He also offered an analysis of the “Heartbleed” disruption, which was felt on a global scale and sent many organizations reeling.
In a serious, yet humorous moment, Hensley asked if anyone in the room was willing to identify if they were an adversary. It was a moment that demonstrated the inherent “cat and mouse” game that is cyber security. In this sense, Hensley noted that organizations are not powerless.
“We try to reduce the attack surface,” he said, noting that security controls such as sandbox technology are one method. It is not foolproof, however, as adversaries can work around these countermeasures by encrypting their software in preparation for an attack.
Hensley explained that while most adversaries want to gain access to system data, their intent is often much more nefarious.
“It makes you [consider] a new thought: what if the adversary’s intent is not to exploit data, but destroy data?” he asked. That is a key consideration for all businesses and firms, but perhaps even more so for financial and IP-oriented organizations, where any operational setback can be fatal.
Among the best defenses you can deploy now, Hensley noted, is updating your device software regularly.
“Most attacks are built on software that is six months old,” he said.
For IT professionals, there is some hope to defend your organization.