Defining a Sophisticated Attack

What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).

On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.

All of this has created the impression that we are constantly under attack by some spooky, mysterious, sophisticated adversary. And while everyone seems to agree that the attacks are sophisticated, we still don’t have a real definition of what it actually means to be sophisticated.

The recent APT1 report from Mandiant® provided us with a wealth of information to process (discussed in our blog post here) and it could help us pin a definition on the elusive meaning of sophisticated.

According to the report, APT1 is a well-organized group that has most likely operated with significant financial backing from the Chinese government. The scale of APT1’s operations, Mandiant said, would require the backing of a sophisticated organization. Suffice it to say that being backed by the government of the most populous country in the world means there is a pretty high level of sophistication in the organization of APT1, but when it comes to their tactics, their level of sophistication is more cheap yellow mustard than Grey Poupon. (Anybody else notice that APT1 was using tools right out of the Hacking Exposed books? You have to wonder…) Mandiant has been clear on this point: APT1 wasn’t the most capable in terms of technical showmanship. And they didn’t have to be.

First, as the Mandiant report noted, APT1 (and most cyber criminals and nation states) uses spear phishing as its preferred method of entry. Carrying out the phishing tactics described in the report doesn’t require a CS degree from MIT. Packed executable malware in zip files? Not Sriracha, but total Weak Sauce. Would anyone consider registering a free webmail account under the name of a company’s executive and sending out fake emails to be sophisticated? Furthermore, this has been a common tactic for years, so even if it were highly sophisticated, users should be made aware of it.
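The two low-sophistication markers described above (an executive’s name on a free webmail address, and an executable hidden in a zip attachment) are easy to check for at the mail gateway. The following is an added example, not code from the original post or from PhishMe; the executive names, webmail domains and the sample message are all constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed for this example: the organisation's executives and the
# free webmail domains an impersonator could register an account at.
EXECUTIVES = {"jane doe", "john smith"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".dll")

def display_name_spoof(msg):
    """True when the From display name is an executive's name but the
    address sits at a free webmail provider instead of the corporate domain."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return name.strip().lower() in EXECUTIVES and domain in FREE_WEBMAIL

def zipped_executables(msg):
    """Return the names of executables found inside any zip attachment."""
    found = []
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
        except zipfile.BadZipFile:
            found.append("<corrupt zip: %s>" % part.get_filename())
    return found

def score(msg):
    """Collect human-readable findings for a message; empty list means clean."""
    findings = []
    if display_name_spoof(msg):
        findings.append("exec display name from free webmail")
    for name in zipped_executables(msg):
        findings.append("executable in zip: " + name)
    return findings

def build_sample():
    """Constructed sample message modelled on the tactic described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Q1_report.exe", b"MZ placeholder")  # constructed, not real malware
    msg = EmailMessage()
    msg["From"] = '"Jane Doe" <jane.doe.ceo@gmail.com>'
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Please review"
    msg.set_content("See attached, it's legit.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg
```

In production the executive list would come from the directory and the check would run on every inbound message, with hits quarantined or tagged for the user rather than silently dropped.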

The conversational phishing tactics discussed in the APT1 report and in our previous blog posts are another effective, yet minimally sophisticated, tactic. Is it highly sophisticated to respond, “It’s legit” when a recipient questions the email’s authenticity? It would be pretty difficult to craft a more simplistic response than that. In this case, it’s not difficult to educate employees to verify an email via phone or in person, rather than by replying to the email, if they question its authenticity.

Phishing tactics are constantly evolving, but there are ever-present characteristics that identify them. A user base that questions unexpected emails, verifies suspicious emails through alternate means, is wary of attachments and links in emails, and knows to avoid giving out login credentials is going to be resilient to the attack vector preferred by the “sophisticated” adversaries we keep hearing about.

All phishing emails, regardless of the techniques they employ, are trying to exploit human nature, meaning that continually educating a user base to stay vigilant can prevent a majority of attacks from succeeding. Technology may change, but human nature has remained constant. This is why so many phishing emails appeal to greed or fear.

So maybe phishing itself isn’t highly sophisticated, but shouldn’t anti-virus protect against the simple threats? Not necessarily. With the current state of AV, a hacker merely needs to mildly tweak their code packer to avoid detection. These aren’t ultra-complicated techniques; AV will only protect you against yesterday’s threat.

One thing I have always wondered is why the “sophisticated” malware linked to a public breach isn’t released to the public. If this stuff is indeed so complex and difficult to defend against, shouldn’t we share it with the best and brightest in the industry, so they can analyze the malware? Could the payloads be less sophisticated than we’ve all been made to believe? It would be very instructive for the security community if we could have access to the malware and decide for ourselves what constitutes a sophisticated capability.

In summary, these sophisticated threats are sophisticated in the sense that they are highly organized and have significant resources at their disposal, but the tactics they employ to breach networks are not anything mysterious or too hard for us to defend against. Sure, a zero day exploit might be scary, but even the best zero day in an email or booby-trapped URL can be avoided by an educated user base.

I’m not sure how long organizations are going to be able to wave the “way-too-Sophisticated” flag and get a pass. Maybe one day we will have an open review and create a Sophistication Rating System.

I propose a Sophistication Rating System… the SRS

Scale from 1 to 10:

10: New, custom stuff with zero days

5-6: Average well known Trojan packed with new packing method

3: Just your average Zeus Trojan packed easily or with known packing tools

1: A simple unpacked Trojan…

I wasn’t sure if I even wanted to blog about this. Shouldn’t I just be grateful that these breached organizations are brave enough to publicly disclose? Am I nitpicking about the use of the word sophisticated or are others feeling the same way?

–Aaron Higbee @higbee

p.s. I’m a big fan of the Contagio Malware Dump. Thank you for the good work you do.
