Page 78 - Cyber Defense eMagazine - September 2017
This means we fail to recognize the scale at which these attacks can unfold. Within each attacker group, individual people have extremely specific jobs. Typically, some are assigned the task of acquiring infrastructure, while others work to develop a target database: the list of people or organizations they plan to attack. Still others analyze the data they pull from the victim to find key usernames, passwords, and other details that can fuel further attacks. Each of these occupations maps well to Lockheed Martin’s Cyber Killchain, which outlines the 7 stages of a typical cyber attack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Action on Objectives.

While the security industry focuses significant resources on attribution, true attribution often remains elusive. It’s human nature to seek understanding of who is behind a cyber attack. However, attribution is not even necessary in order to adequately protect yourself or your organization from a successful attack. In fact, “assembly line” cyber attacks actually provide preemption opportunities for defenders at a point in time when it is possible to change outcomes.

While a nation-state actor might focus heavily on intelligence gathering, a financial actor such as Carbanak turns its attention to financial gain. Nevertheless, each actor utilizes similar Tactics, Techniques, and Procedures (TTPs) to conduct its attacks. TTPs offer a way for cyber defenders to think about attacks in a unified, cohesive manner, in order to develop an effective risk-based approach to cyber security.
In fact, TTP overlap has become so common that the MITRE Corporation has released its MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework, which outlines TTPs used in attacks as “a threat model… for describing adversary behavior within different computing environments.”

Developing a Risk-Based Cyber Security Approach

The Lockheed Martin Killchain and MITRE’s ATT&CK constitute an effective model for constructing a risk-based approach to cyber security. This is because, regardless of their differing end-goals, attackers target individuals and organizations in only a few specific ways. For instance, Russian information warfare and Russian espionage actors both employ phishing to gain access to their targets. Email-borne phishing attacks represent 90 percent of all sophisticated nation-state attacks.

Social media-based attacks rely on the social engineering component of phishing in order to coerce a target into clicking on a link. Over the last several years, multiple actors have utilized fake Facebook profiles of attractive women to coerce men into accepting their friendship requests. This new wave of targeting provides yet another vector to phish users.