22 November 2024

What do hackers target and why?

Knowing what to target is crucial both for attackers and defenders. Attackers need to know what to attack to achieve their goals – this is why they conduct reconnaissance during an attack.

Defenders need to know where their crown jewels lie – their most valuable and high-risk IT assets and data – so they know where to concentrate their security spend and efforts. For pentesters and SOC analysts alike, knowing what attackers will target and why is central to helping the companies we work with improve their security posture. 

As part of any Endpoint Detection and Response or Managed Detection and Response contract, SOC analysts should work with you to deploy a SIEM (Security Information and Event Management). However, a SIEM cannot effectively detect the potential threats that might signal a cyberattack unless it is properly configured. To configure it, we must first know which IT assets attackers will target and how they are most likely to go about it.

Because this is different for each client, configuring a SIEM requires a collaborative process that relies as much on SOC analysts’ expertise in knowing the changing trends in attack techniques, as it does on the client’s insider knowledge of their IT estate and user behaviours.

What’s the word on the street?

This collaborative process relies heavily on threat intelligence. Threat intelligence includes detailed, actionable information describing the motives, targets, and attack behaviours of threat actors. More importantly, it is constantly updating and thus plays a crucial role in the arms race between attackers and defenders. 

The cyber threats your business faces will be determined (in part) by your industry. A global bank processing millions of transactions daily, across multiple complex, interconnected networks will face different attack techniques and attackers than a family-run bakery. This is due to the size and complexity of their IT estates, and the value of the data they store. 

But these attack techniques don’t stand still. Take ransomware, for example: once the preserve of the most sophisticated attackers, who used it to target blue-chip companies for millions at a minimum, it became available to less savvy attackers as the tools used to perpetrate ransomware attacks became more automated and more widely available. Because the time, effort and cost required to stage a ransomware attack fell, more ransomware groups appeared. They could focus their attention on smaller victims, yielding lesser, but still sizable, sums at far greater scale. This evolved into Ransomware-as-a-Service (RaaS), where ransomware groups contract out their tooling and services on the dark web for a fraction of the total sum extorted.

This shift, along with many others, has dramatically changed the risks facing many businesses, who are now subject to very different kinds of attack. These changes in trends over time show where SOC analysts can use their expertise and experience – backed up by credible threat intelligence – to help clients respond correctly to the threats they face now and will face tomorrow.

Where are your crown jewels?

The next step is to look at how your organisation’s IT estate is structured and how it is used. This will enable you (as well as the SOC analyst) to understand what you are trying to protect and why. To do this, first ask yourself:

  1. Which IT assets and data are of highest value to you?
  2. Which assets present the greatest risk to your organisation?

There are a number of ways to determine this: 

  • Consider where your sensitive personal data and/or financial data is stored. How do users and user groups access this?
  • Consider which assets will cause the greatest disruption to business continuity if they are compromised e.g., key services and systems that employees require to complete their daily work.
  • Consider which assets will cause the greatest financial risk and cost to your organisation if they are compromised e.g., key services and products that customers use.
  • Consider any compliance obligations, such as GDPR, or industry-specific regulations such as HIPAA or PCI DSS, and the consequences you will face if you are found to be non-compliant or suffer a data breach.

Remember that your highest priority assets and your highest risk assets are not always the same. Again, collaborating with your chosen security partner is best practice here: your knowledge of your IT estate is like a map of the territory, while a SOC analyst’s expertise will outline where an attacker will go, and how they will traverse it.

You let them do what?

As well as considering the nature of the asset itself, you must also consider how it is used, to determine whether it will be a likely target for attackers. Even if two companies have identical IT estates, they will likely have different user behaviours, because some companies have more strict or more lax security policies. This is unique to every organisation: we must strike a balance between what is considered to be best practice for cybersecurity, and the practical usability or design of IT systems for their user base. 

Consider what the average user in your IT estate can access and modify, and what admin-level users can access and modify. Also consider whether there are applications within your IT estate that allow users to access files and databases containing potentially useful information for attackers. This will help you understand which user groups are at the highest risk of being targeted (as part of a phishing campaign, for example), as well as where attackers will go to escalate their privileges.

Finding common denominators

No one is special: ultimately there are common denominators that unite attacker behaviours across cyberattacks. This is why the MITRE ATT&CK Matrix exists; it provides a common framework for mapping the attack techniques used, the assets targeted and the mitigations you can implement against them. Attackers will leverage any number of the tactics, techniques and procedures outlined in the MITRE ATT&CK Matrix to reach their goal. More specifically, we know that there are certain security controls they must bypass and system processes they must use or abuse when they attempt to escalate their access privileges. Doing so can raise suspicion, as certain actions will trigger events picked up by your SIEM that are considered suspicious. (Again, threat intelligence tells us that such attack techniques are constantly changing, as attackers find new ways to avoid arousing suspicion.) 

Which brings us to the most important task underpinning all of this.

Logs, alerts and fine-tuning detection rules

Your SIEM will correlate patterns in data to determine whether events generated by user behaviours and system processes should be deemed suspicious. In order to do so, the SIEM must capture and analyse log data from your endpoints or your network as a whole. Deciding which events to log, and from which IT assets, is an essential part of deploying a SIEM. 

In an effort to be as thorough as possible and not miss any potential risks, some clients claim they want to log everything. However, this is a common mistake. It creates two problems:

  1. It raises the cost of running the SIEM
  2. It floods the SOC team with many false positive alerts

Alerts can be generated by perfectly normal user activity such as a user getting a new laptop, or someone updating their web browser. These “suspicious activities” don’t always signal a cyberattack. The flipside is that not every attack creates a suspicious event. The aim of attackers is to remain as stealthy as possible for as long as possible, especially when they try to escalate their access privileges as they get closer to their objective. When deploying your SIEM, working closely with your chosen security partner will enable you to go through a methodical process to decide which logs you need and why. 

But this activity is not simply a one-off during the initial SIEM configuration. At the beginning of the SIEM deployment, there will inevitably be a slew of false positive alerts generated by innocent user behaviours. However, when expert SOC analysts receive false positive alerts, they should work with you to understand why each alert is or is not valid – that is the crux of optimising a SIEM. This brings two benefits:

  1. SOC analysts can fine-tune detection rules to reduce the number of false positive alerts, and therefore create a more accurate detection capability, built around your IT estate and its users
  2. Security experts can work with you to understand what actions you can take to make sure that those false positive alerts don’t come through again. This might mean tightening up IT security policies and procedures internally.

Ultimately, this act of fine-tuning leads to incremental improvements in security policies and controls.
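The crown-jewels exercise above and the log tuning loop just described can be tied together in one small rule set. The following is an added example, not Claranet's tooling or any SIEM product's rule language: an asset register tags hosts by tier, two detection rules weight their severity by that tier, and the tuning decisions agreed with a client (an approved provisioning account adding local admins on new laptops, routine browser updates) suppress the benign cases the article mentions. All host names, account names and log lines are constructed for the example.

```python
import json

# Constructed asset register from the "crown jewels" exercise: each host is
# tagged with a tier and the kind of data it holds (values are hypothetical).
ASSETS = {
    "fin-db-01": {"tier": "crown-jewel", "data": "financial"},
    "hr-share":  {"tier": "crown-jewel", "data": "personal"},
    "lt-0442":   {"tier": "standard",    "data": "none"},
}

# Tuning decisions agreed with the client after reviewing false positives:
# the provisioning account adds local admins when it sets up new laptops,
# and browser updates are expected on every endpoint (hypothetical names).
APPROVED_PROVISIONERS = {"svc-provision"}
EXPECTED_SOFTWARE = {"Firefox", "Chrome", "Edge"}

# Constructed log sample, one JSON event per line (not a real product's format).
SAMPLE_LOGS = """
{"host": "lt-0442", "user": "svc-provision", "event": "local_admin_added", "target": "alice"}
{"host": "fin-db-01", "user": "bob", "event": "local_admin_added", "target": "bob"}
{"host": "lt-0442", "user": "alice", "event": "software_install", "name": "Firefox"}
{"host": "hr-share", "user": "carol", "event": "software_install", "name": "unsigned-tool.exe"}
"""

def evaluate(event, tuned=True):
    """Return an alert dict for a suspicious event, or None if it is benign."""
    asset = ASSETS.get(event["host"], {"tier": "unknown", "data": "unknown"})
    crown = asset["tier"] == "crown-jewel"
    if event["event"] == "local_admin_added":
        # Tuned rule: approved provisioning on non-crown-jewel hosts is normal.
        if tuned and event["user"] in APPROVED_PROVISIONERS and not crown:
            return None
        return {"host": event["host"], "rule": "privilege-escalation",
                "severity": "high" if crown else "medium"}
    if event["event"] == "software_install":
        # Tuned rule: routine browser updates are not worth an analyst's time.
        if tuned and event["name"] in EXPECTED_SOFTWARE:
            return None
        return {"host": event["host"], "rule": "unexpected-software",
                "severity": "high" if crown else "low"}
    return None

def run(raw_logs, tuned=True):
    """Parse newline-delimited JSON and return the alerts the rule set raises."""
    alerts = []
    for line in raw_logs.strip().splitlines():
        alert = evaluate(json.loads(line), tuned)
        if alert:
            alerts.append(alert)
    return alerts
```

Running `run(SAMPLE_LOGS, tuned=False)` raises four alerts from the same four lines that the tuned rule set reduces to two, both on crown-jewel hosts, which is the kind of reduction the monthly review cycle is meant to achieve.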

Incremental improvement is the name of the game

The trouble with the “buy it vs. build it in-house” dilemma is that “buying it” sounds like your problem will be solved immediately. At least, it may seem that way to those of us who don’t work in cybersecurity, IT or risk management. Senior leadership teams in particular want clear results, not competing probabilities and the frustrating, ubiquitous answer “it depends”. The solution is a mindset shift away from strict binaries to a world of gradual, incremental improvement. 

At Claranet, we work with you, through our monthly reports and quarterly service reviews, to help you refine your detection and response capability, and implement tighter security controls that are specific to your business and its data. These incremental improvements ultimately reduce the risk and impact of cyberattacks, enabling you to improve your security posture over time, at a pace that works for you. 

To find out more about how you can improve your security posture and your ability to respond to a cyber-attack, get in touch about our Endpoint Detection & Response and Managed Detection and Response services.