When we plan and implement a cybersecurity strategy, are we taking enough time to think about how hackers actually plot their attacks? Probably not, judging by the current state of the cybersecurity landscape.
Understanding the criteria the adversary applies while laying the groundwork is key for us, as cybersecurity professionals, to stay one step ahead and choose the most appropriate tools and methodologies for protecting our clients.
Let's not underestimate the adversary: dedicated hackers invest time and resources in analyzing a company's visible assets before attacking. A cyberattack does not happen spontaneously; it is a well-thought-out process that aims to maximize the actor's profit. This is the right time to think like the enemy.
Valuable Information Already Available
One of the first things a hacker assesses about the visible assets is how much information is available without much effort (exposed version banners, public documentation, leaked configuration and the like). Time is money, so smart criminals aren't interested in digging for information that may not be there.
If they detect valuable information on the surface, information that will be of help when planning and executing their attack, that asset becomes more attractive.
Let's imagine one of your security assets, a vulnerable firewall, gets hacked. How is that breach going to impact the entire infrastructure? Would compromising this asset allow the hacker to reach other assets behind it?
Understanding the real impact of exploiting an asset is key for the hacker planning the attack. Cybercriminals want to know beforehand how their actions will play out in the big picture: how a minor exploit brings them closer to their main goal. Reaching credentials that unlock further systems is a good example of this.
As we mentioned before, time is money, so hackers aren't interested in well-protected assets or vulnerabilities that are too costly to exploit. Indeed, many widely known vulnerabilities never get exploited because hackers consider them too difficult and not worth the time.
Understanding this matters because a high cost does not mean the hacker will simply drop the asset; it may just mean a change of plans. Perhaps they will now buy a ready-made exploit instead of developing one. The difficulty can alter the plan while keeping the malicious party on the same road.
Once an asset has been exploited and the hacker is in, how reliable is that channel in terms of detectability? The security controls in place may detect the breach and shut the malicious agent out. If that happens, the criminal's time and work are wasted.
That's why what we might call host hospitability matters so much in this thought process. The likelihood of detection plays a key role when choosing an asset, naturally steering the hacker toward those least likely to trigger alarms. Visibly ignored, abandoned channels, such as a forgotten service that nobody monitors any more, are a good example of this.
So let's say the exploit succeeds. Given its particular characteristics and circumstances, is it easy and convenient to replicate? Is the cost of the exploit lower than its benefit?
To understand this better, think of widely used technologies. An exploit is far more profitable when it targets a widely deployed product, because the same exploit works against every installation: from a hacker's perspective it widens the market and creates abundant "business opportunities". By the same reasoning, investing in an exploit for an unusual device used in low-value activities would be absurd, since there is almost nothing to replicate it against.
We need to immerse ourselves in the hacker's logic to understand what our true security priorities are. The rapid growth of cloud use has multiplied the number of assets an organization relies on in daily operations, and the more assets we have, the more targets malicious agents can choose from.
It is these criteria that let malicious agents choose where to strike; they cannot afford to be overwhelmed by thousands of potentially exploitable enterprise assets. By the same rule, we should apply the same criteria, available information, impact, cost, detectability and replicability, to prioritize our defensive effort and stay a step ahead.
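One way to turn these criteria into a defensive prioritization is to score each internet-visible asset the way an attacker would and rank the results. The script below is an added example, not code from the original article; the scoring formula, the weights and the asset inventory are all constructed assumptions for illustration. It computes the blast radius of each foothold by following pivot edges (the firewall-to-internal-hosts question above), discounts the payoff by the chance of detection, rewards leaked information and widely used technology, and divides by exploit cost.

```python
"""Rank internet-visible assets the way an attacker would (added example).

The scoring model and the inventory are constructed for illustration and
are assumptions, not data from the article. Replace INVENTORY with real
asset data to use the ranking for defensive prioritization.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    internet_exposed: bool          # visible from outside without a pivot
    info_leakage: float             # 0..1: useful info freely available (banners, docs, leaked configs)
    exploit_cost: float             # relative effort, >0 (1 = trivial, 10 = research or a bought exploit)
    detection_prob: float           # 0..1: chance defenders notice and cut the channel
    prevalence: float               # 0..1: how widespread the technology is (exploit replicability)
    value: float                    # what the asset itself yields (credentials, data), arbitrary units
    reaches: list = field(default_factory=list)  # assets reachable once this one is owned


def blast_radius(inventory: dict, start: str) -> set:
    """Names of every asset reachable from `start` through pivots (BFS, cycle-safe)."""
    seen, queue = set(), deque(inventory[start].reaches)
    while queue:
        nxt = queue.popleft()
        if nxt in seen or nxt == start:
            continue
        seen.add(nxt)
        queue.extend(inventory[nxt].reaches)
    return seen


def attacker_score(inventory: dict, name: str) -> float:
    """Expected attacker payoff per unit of effort (assumed model, see module docstring).

    - leaked information lowers the effective exploit cost
    - the payoff counts everything reachable from the foothold, not just the asset
    - likely detection discounts the payoff; a widely used stack multiplies it
    """
    a = inventory[name]
    effective_cost = a.exploit_cost * (1.0 - 0.5 * a.info_leakage)
    total_value = a.value + sum(inventory[n].value for n in blast_radius(inventory, name))
    expected_gain = total_value * (1.0 - a.detection_prob)
    return expected_gain * a.prevalence / effective_cost


def rank_entry_points(inventory: dict) -> list:
    """(name, score) for every internet-exposed asset, most attractive first."""
    scored = [(a.name, attacker_score(inventory, a.name))
              for a in inventory.values() if a.internet_exposed]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed inventory (illustrative values, not measured data).
INVENTORY = {a.name: a for a in [
    Asset("edge-firewall", True,  0.6, 3.0, 0.20, 0.80, 5.0, ["vpn-gw", "jump-host"]),
    Asset("legacy-ftp",    True,  0.9, 1.0, 0.05, 0.50, 2.0, ["file-share"]),   # abandoned, unmonitored
    Asset("web-app",       True,  0.3, 6.0, 0.70, 0.90, 10.0, ["db"]),          # hardened, well monitored
    Asset("scada-device",  True,  0.1, 9.0, 0.30, 0.05, 4.0, []),               # unusual, low-volume tech
    Asset("vpn-gw",        False, 0.0, 5.0, 0.50, 0.70, 5.0, ["jump-host"]),
    Asset("jump-host",     False, 0.0, 4.0, 0.40, 0.80, 8.0, ["ad-dc", "db", "vpn-gw"]),
    Asset("file-share",    False, 0.0, 2.0, 0.10, 0.60, 6.0, []),
    Asset("ad-dc",         False, 0.0, 8.0, 0.60, 0.90, 100.0, []),             # domain credentials
    Asset("db",            False, 0.0, 7.0, 0.60, 0.90, 40.0, []),
]}


if __name__ == "__main__":
    for name, score in rank_entry_points(INVENTORY):
        pivots = sorted(blast_radius(INVENTORY, name))
        print(f"{name:14s} score={score:7.2f} reaches={pivots}")
```

With the constructed numbers the firewall ranks first, not because it is the weakest asset but because it pivots to the domain controller; the abandoned FTP server ranks second on low cost and near-zero detection despite yielding little; the well-monitored web application ranks third; and the unusual device comes last because its exploit is expensive and replicates almost nowhere. The ordering changes when any single criterion changes, which is the point: defenders should measure all five, not just vulnerability severity.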