Cyber Attack vs Defence

How does one go about launching a cyber attack, and how might you go about putting up a defence?
07 March 2022

Interview with Chris Folkerd & Stephen Crow, ANS


To find out about the intricacies of attacking someone in cyber space, we spoke to two experts from digital specialists ANS, pitting the two of them against each other in a mock scenario. We talked about how you would commence or defend from a cyber attack on a system…

Robert - Between our two experts is our battleground: a fictional online store called Mrs. Miggins' violin shop. Chris Folkerd will be trying to attack it and Stephen Crow will be trying to thwart him and protect Mrs. Miggins and her stringed instruments. I'll be your commentator, but it's Chris who has the first move.

Chris - There's something called the cyber kill chain, which is a step by step approach that people will take when they're doing a planned attack. The first thing to do is a little bit of reconnaissance, like you would do in any other operation, so I can get a good idea of what I'm going to try and attack. The next step is trying to gain entry. Normally, as much as the movies like to portray that it's always the technology you attack first, humans are often the weakest link when it comes to the security chain. So, what you'll try and do around that is first look at some social engineering, and that can take the form of me phoning in and pretending to be IT support or their service provider, or me sending them a phishing email.

Robert - Already, Stephen has his work cut out for him. How does one protect the system from the humans up?

Stephen - The best way to try and defend against social engineering and attacks against a human is through rigorous amounts of security training. What might be a "phishy" email? What is a dodgy application that you shouldn't be downloading from the internet?

Robert - But in our fictional scenario, perhaps this hasn't worked and Mrs. Miggins has clicked on a link and revealed her passwords or credentials. What does Chris do with the foothold?

Chris - It depends what's happened. If it has worked, I can move on. If it doesn't, then I need to go into a technological scanning section, and that's where we start looking for vulnerabilities in the system.

Robert - Most often, these vulnerabilities come in the form of bugs in the code; pieces of software that aren't working quite as they're supposed to. The databases are long lists of these bugs found by other people. They're given serial numbers like CVE-2014-0160, more commonly known by the moniker "heartbleed."

Chris - There are databases of thousands and thousands of known vulnerabilities. If I can't find one of those, if I have a big enough development team, you can go in with one known as a zero-day. It's called zero-day because it's been used before, it's been declared to the wider internet, which is one that you found you own, and you can go in without as much risk of being detected.

Robert - So, Stephen has his work cut out, not only against these vulnerabilities published on the internet, but also against the zero-day attacks.

Stephen - Unfortunately, against zero-days, you're completely on the back foot from a defensive point of view, and there's not much you can do about that. But, from a vulnerable application point of view, having a vigorous vulnerability management program in place is the best way to stop that.

Robert - Both sides now watching those lists like hawks, either to exploit the vulnerabilities or patch them up as fast as they can. But, often the defence is a step behind, as with zero-days. What happens when the line is broken?

Chris - It depends really on what the person attacking your website is trying to do. If I'm there to take the website offline, you will have an immediate, very observable cause that something's gone offline. If I'm there because I'm wanting to steal people's bank details, or I want to get day to day intelligence on what's going on in the business, I may have installed my own software inside there to make the system behave differently or ship information out to me very subtly in the background.

Robert - Two very different situations there. What happens in the first case when the site is taken down?

Stephen - The alarm bells go off. What we do there is, if it was due to an exploit that we knew about, we'd have to work out how that's been taken down, work out how we can fix the exploit, and then bring the website back up in a secure manner. If a malicious actor has gained access to our infrastructure, this is where we rely heavily on our technology. We rely on the software to say, hang on a minute, something fishy's happening over here.

Chris - That's really where it turns into a game of cat and mouse, especially when you're moving outside of, say, Mrs. Miggins' violin shop and into a large corporate network. A lot of the aim behind those sorts of attacks is looking at: can you navigate around the network? Can you start looking at other systems you can get into now you've got this initial foothold into the network, or is there an end goal, a bigger target you're looking for somewhere inside the network? So, it becomes a cat and mouse game there of trying to lay low whilst they're looking for you. There's a number of techniques that you can take to do that, and there's a number of behavioural traits you can adopt as well around disguising the mass transit of data that Stephen was talking about. Do you reduce it to a trickle and extricate it over a long period of time? Do you disguise that traffic to look like routine traffic inside the organisation?

Robert - So, now we have a game of spy vs spy. Attackers trying to sneak in and around stealing secrets while the defence team have to notice, find and neutralise them. But, if the attackers are being subtle, is there anything the defenders can do?

Stephen - Yes, definitely. This comes back to the term that we use in the industry of defence in depth and thinking of cybersecurity as a bit like an onion; you need to have a lot of layers in there, architecting your infrastructure in a secure manner.

Robert - Much like medieval castles, which had walls within walls to protect your computers, you set up firewalls between them, layering your defences one over the other.

Stephen - You should really put in some blocking or firewalls in between each of those devices to make sure that, if one of them's compromised, there's no lateral movement in your network to stop an actor getting from one to the other.

Chris - It's always one team being on the back foot and then there's always new vulnerabilities being discovered. I don't think there will ever be a point where software is perfect but, equally, as part of that arms race, there's always better and better detection technologies coming out as well.

Stephen - From my perspective, we go by the philosophy of it's not "if" it's going to happen, it's "when" it's going to happen.

Robert - And it's happening, right now, all around the world, in every data centre and server farm. No clear winner and a continual game of cat and mouse. The verdict: so far, a draw, and the audience goes... well, the audience doesn't even know the fight has started.
