Combatting Hybrid Attacks

A new “hybrid” threat has surfaced in the cyber world and has recently helped hackers steal £30 million from a series of banks in post-Soviet states. These attacks show a great deal of sophistication so what are they, and how can we stop them?

Hybrid attacks are used, in most cases, to multiply the noticeable attack vectors. When this happens, it is most often a Distributed Denial of Service (DDoS) within the network. This is effective because while the finely tuned alerting systems are saying ‘Door #1’ an attacker can be hiding behind ‘Door 1,438’.

During a hybrid attack, the criminal can create any number of alerts based on the activity of a given resource, (e.g. endpoint, host, network devices). These alerts misdirect the response teams, while also delivering additional denials to keep response teams for getting to the originating source. In large, complex networks this creates chaos for incident response – your reliance on defense systems is being used against you.

So how can this be avoided?

Have a good understanding of the critical components of the assets under management. Often, this comes in the form of a Configuration Management Database (CMDB), which serves as a directory for all the IT assets within the organization. Just as directories like Active Directory and LDAP have essential details about users, a CMDB is our single-source-of-truth for IT assets. This has two critical functions 1) it establishes the ‘nature’ of a given asset to help remediation steps, 2) gives risk analysts the required details to stage attack path possibilities.

Run regular vulnerability scans. With evolving infrastructure and dynamic networks becoming the norm, it is imperative to regularly inspect potential risks. However, this is only part of the picture. This is the what can be exploited of risk management.

Assess these vulnerabilities in the context of attack paths. By knowing where vulnerabilities are, and simulating attack paths using network configuration data, organizations can receive the wake-up call needed to honestly assess the possible war paths an attacker could take – then ranking risks to prioritize patching. This is the how it could happen of risk management.

Hunt for threats. Scanning within the system will show the assets’ vulnerabilities. Risk analysis will turn that scan data into attack path simulations, and threat hunting confirms/disconfirms actual exploitation. This serial process of identifying weaknesses, empathic simulation of an attacker’s likely path, and then seeking direct evidence of the threat is the best way to curtail the risk of hybrid attacks. This is the where it is happening of risk management.

Hybrid attacks are on the rise, because organizations continue to purchase products that virtualize their networks, have stacks of alerting systems and network policies that multiply faster than fruit flies. This complexity is where security management can add value to give much needed visibility and help organizations prioritize risks.

Attackers are making the most of the landscape they are given, and in this context, one can only imagine that organizations will continue to see their own systems used to divert their attention and slow down incident response.

But the method is applicable to all organizations, irrespective of market sector or perceived target-worthiness. The attack may be underway right now. Are you looking for it?