The hype around advanced persistent threats (APTs) is as high as ever. Post-breach, hacked organizations sing the praises of their adversaries' skills. Practitioners are bombarded by industry marketing touting the latest APT detecting and killing technologies. You would think the number of advanced persistent threats were climbing dramatically, and that the majority of breaches were near impossible to prevent given the endless resources of bad guys.
I'm here to tell you the data tells a different story. Even if the threat targeting your organization is both advanced and persistent, it's unlikely they'll need to be either. According to the Verizon Data Breach Investigation Report (DBIR), the number of breaches as a result of opportunistic attacks has continuously exceeded 70%. Kenna's own data shows that over 95% of successful attacks come from automated, weaponized exploits.
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Old, well-known vulnerabilities are low hanging fruit most targeted by automated malware tools. |Tripwire| <a href="http://t.co/44vEl4ezIV">http://t.co/44vEl4ezIV</a> <a href="https://twitter.com/hashtag/DBIR?src=hash">#DBIR</a></p>— Sydney (@Sydney843) <a href="https://twitter.com/Sydney843/status/591198380782538752">April 23, 2015</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
Put differently, the vast majority of breaches start as someone shaking and rattling doors and windows looking for the same vulnerability or misconfiguration that they know how to exploit. These are often highly automated and can be categorized as "spray and pray."
Want to know why despite all the hype around APTs, we are still seeing so many hacks via low-hanging fruit? It's simple--low-hanging fruit works! Now, this isn't to say that there aren't advanced threats out there targeting your organization--it's just more often than not, there is no real requirement for them to call upon these advanced skills. Why would someone burn a zero-day vulnerability when Metasploit works just as well? There's no real reason for an attacker to use a Mission Impossible cable drop from the rafters attack when you left the garage door wide open. Even the NSA's own Tailored Access Operations admitted recently that their most commonly used and go-to attacks are Metasploit and SQL injection.
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">The NSA tires known CVEs and SQLi first. Rob Joyce, NSA TAO <a href="https://twitter.com/hashtag/enigma2016?src=hash">#enigma2016</a></p>— Michael Roytman (@mroytman) <a href="https://twitter.com/mroytman/status/692516279568064512">January 28, 2016</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
Don't get me wrong, I'm not ranting about the state of security defense. I spent the first twenty years of my career as a practitioner playing defense, and it's hard. There's plenty of old security adages to go around...
"Defense has to be right every time, offense only needs to be right once."
"Attackers aren't limited by time, laws, etc."
...you've heard them all. While there is some truth to these, I would argue there are observations and data we can pay attention to in order to significantly increase our defensive odds. After all, there's an equally old adage in security that holds true here...
"A young attacker will try to break the encryption, an old attacker will steal the keys."
You Must Be This Tall
One of the most well-known observations I've come across directly supports HD Moore's Law. The simple existence of a Metasploit module that exploits a vulnerability materially increases the likelihood of these attacks in the wild. This is often compounded when the exploit exists in multiple public sources or in other weaponized exploit kits. The problem is this: keeping up with exploit kit development is hard. In fact, our published research shows a significant remediation gap. Forty to sixty days after a vulnerability is published, the likelihood of a weaponized vulnerability being exploited in the wild exceeds 90 percent. Compare this to an average time of remediation of 100-120 days for these same vulnerabilities, and you have a gap that heavily favors the attacker.
This is just one of several data points to which defenders should pay attention. There are a number of attributes and metadata about your assets, your organization, and your controls that are early indicators for ripe targets of opportunity.
I will cover many of these data points at InfoSec World 2016 this April, and demonstrate how these can be used to make decisions that will prevent you from becoming a target of opportunity. Perhaps once we have this mastered, we really can start spending some time preventing those nasty APTs.
About the author: Ed Bellis is the CTO of Kenna a vulnerability intelligence Software as a Service that centralizes, correlates and automates the entire stack of security vulnerabilities and remediation workflow. Ed has over 20 years of security experience. Prior to Kenna, Ed served as the Chief Information Security Officer for Orbitz, the well-known online travel agency where he built and led the information security program and personnel for over 6 years. Ed will present "Amateur Hour: Why APTs are the Least of Your Worries" on Monday, April 4 at InfoSec World 2016
