Defining Defense in 2013

The Knight Fork: Defining  Defense in 2013 Download the full research paper: The Knight Fork: Defining Defense in 2013

A knight’s fork is defined as: “an attack by one chess piece (as a knight) on two pieces simultaneously.” (Merriam-Webster Dictionary)

When was the last time you played chess? If you are responsible for cyber security you are unwittingly playing it every day. We must appreciate the ancient sport of chess in order to reorganize our defense in 2013.

To begin, we must pay homage to strategies and tactics being employed by the elite hacker community. Spin the chess board: the elite hacker of 2012 has evolved their stages of cyberintrusion. This now includes a maintenance stage as it is their goal to maintain the colony they built within your ecosystem. These colonies are built to cover tracks via:
  • Company website
  • Articles by the press and media
  • Company employees’ social networking and social media accounts
The malware is innovative: RATs have all capabilities hard-coded internally; encrypted traffic, dynamic drop zones, complex command and control. The infrastructure is internal to the operation, or bulletproof hosts are carefully selected.

In 2012 we have observed significant tactical trends. There is a high degree of modularization in more advanced malware; there is an increased sophistication via the use of Traffic Direction Systems (TDS); Man-in-the-Browser attacks are becoming mainstream as is exploitation via HTML5 and finally, mobile malware is flourishing as proximity attacks can now be realized.

To improve our defense in depth we must appreciate that APTs are consistent and part of ongoing campaigns; that targeted attacks do not always use zero-day exploits as they generally use older exploits and simpler malware; and finally that targeted campaigns are a series of failed and successful attempts over time to establish a covert presence which can be tracked in due course. Advanced detection techniques can be used to identify the adversary once we appreciate the challenges of maintaining a persistent presence within a network.

We must spin the chess board and value the nuance of becoming overextended. From a hacker’s perspective, changing C&C protocols requires considerable effort. Thus, network traffic can be correlated with other indicators to provide proactive detection. Unknown threats may be detected by extrapolating methods and characteristics from known threat communication behaviors. If we can accomplish this then we can achieve advanced situational awareness in real time so as to manifest custom defense. Risk management in 2013 will be defined by the following set of defensive tactics:
  • Does a log inspection program exist?
  • Does file integrity monitoring exist?
  • Can vulnerabilities be virtually patched?
  • Do you utilize a DLP?
  • Do you maintain multi-level rule-based event correlation? Is there custom sandbox analysis?
If you can answer yes to these risk management questions we can begin to customize defense. The goal of custom defense is to increase the level of discomfort of hackers to a point wherein they become resource constrained in order to maintain a clandestine persistent presence within our systems.

“People do not care to play chess on the edge of a precipice.” -- Madame Suzanne Necker, Mother of Germaine de Stael

The “precipice” is a manifestation of greater situational awareness - situational awareness via multi-level, rule-based event correlation and custom sandbox analysis. Deep Discovery can endow you - the defender - with a cyber knight’s fork.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.