For many companies, the first step is to get a clue.


The MAD magazine cartoon, Spy vs Spy, is 54 years old this year. In it, the blackhat spy and the whitehat spy both tussle, each trying to get the upper hand on the other with simplistic, comical gags. In the cartoon, the spies are evenly matched, and neither can get a long-term advantage over the other. Their advantages could be called symmetrical, which is why they’ve been at it for over half a century.

In cybersecurity, things aren't so evenly matched. In many cases the advantages are asymmetrical and favour the attacker, which is why attackers are winning. A case in point is the OPM hack, which cost around 7% of the US population their private information. Another is the more general economic cybercrime figures. Finding surveys highlighting the growing cost and incidence of cybercrime is like shooting fish in a barrel, spotting angst-ridden teenagers or finding CVE entries for anything made by Adobe. Look, here's one now.

Last year, William Peteroy gave a talk at SecTor about this asymmetry, and how defenders could try to redress the balance. Peteroy, who has worked cybersecurity at both Microsoft and the NSA, now heads security consulting firm Icebrg, which scored $2.5m in seed funding last year.

Advantage blackhat

The most obvious advantage an attacker has is that they only need to succeed once to achieve their goals, whereas the defender must keep succeeding. Breaching a system and getting access is the only win the attacker needs. When the target stops an attack, that is just one of a series of perpetual wins the whitehat must keep making, in some cases thousands of times each day.

The problem for defenders is that the barrier to entry for attackers keeps getting lower, explained Peteroy, adding that the erosion of process is a big driver.

The process of compromising a system used to be long and painstaking. These days, thanks to developments in tooling, it's practically a push-button job in many cases, he warned. There are still many sophisticated, targeted attacks in which process plays an important part, of course. But in the many attacks whose focus is scaling efforts across a large group of targets, a script kiddie can do it.

“You have tools like Metasploit making leaps and bounds, and you have crimeware as a service – so the barrier to entry is lower and the process is disappearing,” he said. Crimeware as a service takes malware, botnets, bulletproof hosting and any other necessary parts of the infrastructure, and turns it into an easily-accessible online package. It’s like SaaS for douchebags.

Now, ransomware is the latest category of malware to be packaged up and offered as a service. That’s why attacks will continue to grow. They’ll use everything from social engineering through to unpatched software.

Back to basics

A large proportion of people will remain vulnerable to those exploits, because they won’t have patched their systems. That’s one of the biggest advantages for attackers, warned Peteroy: the fact that so many companies aren’t following even basic security practices.

He points to the Australian Defence Signals Directorate's (now the Australian Signals Directorate) list of top 35 strategies for mitigating targeted cyber intrusions. The top four of these are application whitelisting, patching applications, patching operating systems, and restricting administrative privileges. The DSD says that following these four alone would have stopped at least 85% of the targeted intrusions it responds to. But companies don't.

“I have yet to be in a major corporation where they don’t have admin privileges at least on their local machines, if not on their machines at large,” lamented Peteroy.
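One concrete check for the fourth DSD control, and for the local-admin habit Peteroy describes, is to audit who actually sits in the local Administrators group across a fleet and compare that against the list of principals that are supposed to be there. The PowerShell script below is an added example; it is not code from the article or from Peteroy's talk. It assumes Windows hosts reachable over WinRM, PowerShell 5.1 or later for Get-LocalGroupMember, and an approved list ($Approved) and host list ($Computers) that you supply. The CORP\ group names in it are placeholders.

```powershell
# Added example: audit local Administrators membership on Windows hosts and
# flag members that are not on an approved list. Not from the SecTor article.
# Assumptions: PowerShell 5.1+ (Get-LocalGroupMember), WinRM enabled on remote
# hosts, and an $Approved list that reflects your environment; the CORP\ group
# names below are placeholders.
[CmdletBinding()]
param(
    [string[]]$Computers = @($env:COMPUTERNAME),
    [string[]]$Approved  = @('CORP\Domain Admins', 'CORP\Workstation Admins')
)

# Runs on each host. The built-in Administrators group is looked up by its
# well-known SID (S-1-5-32-544) so the check survives localised Windows installs.
$collect = {
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Select-Object @{n='Host'; e={ $env:COMPUTERNAME }},
                      Name,
                      ObjectClass,
                      PrincipalSource,
                      @{n='Sid'; e={ $_.SID.Value }}   # plain string, survives remoting
}

$members = foreach ($c in $Computers) {
    try {
        if ($c -ieq $env:COMPUTERNAME) { & $collect }
        else { Invoke-Command -ComputerName $c -ScriptBlock $collect -ErrorAction Stop }
    } catch {
        Write-Warning ('{0}: {1}' -f $c, $_.Exception.Message)
    }
}

# The built-in Administrator account always has RID 500; everything else must
# be on the approved list. Interactive user accounts that turn up here are the
# "admin on their local machine" case.
$findings = $members | Where-Object {
    ($_.Sid -notlike '*-500') -and ($Approved -notcontains $_.Name)
}

$findings | Sort-Object Host, Name |
    Format-Table Host, Name, ObjectClass, PrincipalSource -AutoSize

if ($findings) {
    Write-Output ('{0} unapproved local admin entries across {1} host(s)' -f @($findings).Count, @($Computers).Count)
    exit 1
}
Write-Output 'Local Administrators membership matches the approved list.'
```

Run it under an account that is itself a local administrator on the targets (the audit needs that right), for example saved as a script and invoked with -Computers (Get-Content hosts.txt). A non-zero exit lets a scheduler or CI job treat drift as a failure. If a group contains orphaned SIDs left behind by deleted accounts, Get-LocalGroupMember can error out on some Windows builds; treat those hosts as findings too, since stale entries in Administrators are exactly the kind of hygiene gap the DSD list is about.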

It’s easy to lambast IT departments for being reactive and lethargic, but often, these security issues are more complex than people might think.

“In these areas where people have privileged accounts, the reason sometimes is that the IT department doesn’t take care of users’ needs,” he said. “So the users ask for privileges themselves so that they can solve their own problems.”

Solving problems like that involves thinking about complex, scary stuff like IT service management and business engagement. Many IT departments take the easy route and buy a sexy appliance or piece of software, instead. Writing cheques is easy, but joined-up thinking is more effective.

“Marry people, process, and technology, rather than just focusing on technology,” Peteroy said.

What defenders can do

So other than taking a mature approach to basic operational security issues, what else can defenders do to redress the imbalance, if not gain an advantage? One University of Memphis paper that proposes a game theory-driven architecture for cybersecurity suggests using honeypots to guide attackers into areas where their attacks can be monitored and quantified. From there, the architecture makes decisions about the best course of action over time.

That’s a nice idea, but difficult in practice. For honeypot-style traps to work in corporate networks, you have to assume that you aren’t breached already and that the attackers don’t know they’re in a trap, Peteroy warned.

“Most of them are baseline based. If a user is compromised, doing something that they shouldn’t be doing, they will baseline straight into that system,” he said. “So it’s a scenario where academics or contractors have jumped the shark into the commercial space and I don’t know that it’s very effective.”

Think like an attacker

A simpler step is to think like your attacker, and then model those attacks for practice, he suggests. This involves more than just penetration testing, which is a bit like systematic door-rattling. Instead it involves understanding your attacker and their motivations, and then having the red team act specifically like them. What are they after? Where are they likely to find it? How will they come at you?

One way to model attackers for your particular type of industry and company is to see what others in that group have experienced. Sharing information on their attackers can be highly beneficial, but it depends on a level of maturity.

On the one hand, sharing security incident data can protect the herd. On the other, more aggressive, competitive companies may enjoy seeing their industry competitors suffer while trying to avoid similar incidents of their own. Are industries mature enough to accept it? And would they ever share their security incident data with government, as the White House is encouraging south of the border?

Until companies think more strategically, many of them will continue to operate at a disadvantage to a blackhat community which is fast, smart, and knows how to play dirty. Perhaps the most optimistic thing to say about many defenders right now is that the only way out of their current mess is up. That’s a questionable kind of advantage though, isn’t it?

See the slides for Peteroy’s October 2014 SecTor talk here, and watch the video here.

Interested in finding out more? Register at SecTor, which takes place at Metro Toronto Convention Centre in downtown Toronto on October 20-21, with a training day on October 19.

Photo courtesy Paul van de Velde