The past decade has seen a significant shift to the cloud for many businesses and organizations. With increasing numbers of assets being migrated to the cloud, security specialists have more work to safeguard them from attacks. The challenge has become even more prominent with businesses adopting remote work arrangements following the onset of the COVID-19 pandemic.
Remote work has accelerated the movement of businesses to the cloud. Security teams must adapt to offer support to cloud-based systems and become agile in protecting their assets across different attack surfaces. In the last year, attacks targeting cloud-based systems have more than doubled, increasing by 250 percent.
With more assets found on the cloud, security experts have a big challenge in protecting businesses from adversaries. That is not to say that adversaries have it easier because of the move to the cloud. Attackers do not have the time needed to scrutinize each asset in depth; remember that some large enterprises may have as many as tens of thousands of assets in the cloud. Attackers are constrained in budget, time, and technical capability, just like security teams. Security teams are severely strained by an inability to find the meaningful security alerts and signals amongst the noise, and by the numerous security applications, checklists, and strategies they must manage and execute. First and foremost, they must understand the adversary’s mindset in order to close the gap between defenders and attackers and to decode the essential signals.
The following are some of the questions attackers will ask before identifying assets to compromise and exploit. Understanding the attacker’s perspective will help in designing a security strategy that is both effective and efficient.
- Enumerability: What useful information about a target can be seen from outside?
A targeted asset in any attack surface broadcasts information to the outside. Some assets disclose this information in more detail than others. Attackers will look to gather as much information as possible about an asset or any other piece of technology in use in an organization. This information helps them confidently build a plan for invading a network and accomplishing their goals. The ability to unravel these details about a target is precisely what enumerability describes: an attacker’s power to profile a target from the outside. Attackers who can see the exact version of a service and its configuration will choose their exploits and attack methods to reduce the risk of detection and increase their chances of success.
- Criticality: How valuable is the asset?
Keep in mind that attackers will choose their next steps dependent on evaluations of time, money, and risk involved. Their actions are not random acts, but they choose targets that will lead to something or somewhere. Attackers will assess criticality to focus on targets that quickly help them achieve their objectives. Attackers make use of tools that allow for the best positioning and access to networks.
- Weakness: Is the asset actually exploitable?
Attackers look for a proof of concept as an indicator of usefulness; not all targets are of interest. Some bugs and vulnerabilities are not known to be exploitable because no known effort has gone into exploiting them, which means the attacker has no known weakness or way to use them. Attackers have little interest in an asset where the cost and likelihood of successful exploitation are unknown. Before committing to exploit a target, they weigh the investment of time and money and the tools that are publicly available or that they would have to build or buy.
- Post-Exploitation Potential: How hospitable is the asset once exploited?
A hospitable environment is one an attacker can travel through and live in without detection. Such an environment has few defenses, so the malware and other tools the attacker deploys keep working, and the attacker knows they can operate without fear of detection. Endpoints that are secured and monitored are not hospitable. On the other hand, VPNs and desktop devices that are plugged directly into a network but left unprotected make good hosts and have high post-exploitation potential.
- Research Potential: How much time does it take to develop an exploit?
Attackers assess their probability of success when looking for a target. Developing a new exploit for a specific target requires committing time and money. Keep in mind that knowing a target exists and being able to exploit it are not the same thing. Vulnerability research on candidate targets is meant to identify the ones that are easiest to exploit. The cost of research, testing, and polishing tools is a major consideration when assessing a target. Attackers tend to obtain and use well-documented, well-researched open source tools to control targeted assets. On the other hand, expensive and esoteric platforms such as VoIP systems and security applications require sophisticated tools, superior skills, and considerable resources. Such targets make attackers hesitant even though they may be attractive because of the value of the data stored and the access levels they grant. The greater the barrier to entry, the greater the deterrent to attackers.
- Applicability: Will there be a repeatable ROI from a created exploit?
As a defender, you must understand the attacker’s mindset and business model. Attackers are also seeking the highest possible ROI for time and resources spent in creating exploits and required tools. Exploits are designed for repeated use on widely-used technologies such as Windows to maximize earning potential.
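As an added example (not from the original article), the six questions above turned into a defender-side prioritization score over a constructed cloud inventory: the weights, the Asset fields and the sample assets are all assumptions chosen for illustration, and the ranking is only a starting point for deciding which exposures to reduce first.

```python
"""Rank cloud assets by the six questions an attacker asks before picking a target."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    tech: str                 # software stack label (constructed, e.g. "windows-rdp")
    internet_facing: bool     # reachable from outside the organization
    version_disclosed: bool   # banners or headers reveal the exact version
    criticality: int          # 1..5 business value / access the asset grants
    public_exploit: bool      # a working public exploit exists for its known bugs
    monitored: bool           # EDR and logging cover the host
    esoteric: bool            # niche platform that needs bespoke tooling


def attacker_attractiveness(a: Asset, fleet: list[Asset]) -> float:
    """Multiplicative score: one hard 'no' on any question drags the whole score down."""
    # Enumerability: how much the asset reveals from the outside.
    enumerability = (1.0 if a.internet_facing else 0.2) + (1.0 if a.version_disclosed else 0.0)
    # Criticality: normalised business value.
    criticality = a.criticality / 5
    # Weakness: unknown exploitability is a deterrent, not a bonus.
    weakness = 1.0 if a.public_exploit else 0.2
    # Post-exploitation potential: unmonitored hosts are hospitable.
    hospitality = 0.2 if a.monitored else 1.0
    # Research potential: esoteric platforms raise the cost of building an exploit.
    research = 0.3 if a.esoteric else 1.0
    # Applicability: an exploit for a widespread stack is reusable across the fleet.
    share = sum(1 for x in fleet if x.tech == a.tech) / len(fleet)
    applicability = 0.5 + share
    return round(enumerability * criticality * weakness * hospitality * research * applicability, 3)


def rank_assets(fleet: list[Asset]) -> list[Asset]:
    """Most attractive target first; this is the defender's remediation order."""
    return sorted(fleet, key=lambda a: attacker_attractiveness(a, fleet), reverse=True)


# Constructed sample inventory; names and attributes are illustrative only.
FLEET = [
    Asset("rdp-jumphost", "windows-rdp", True, True, 4, True, False, False),
    Asset("web-frontend", "nginx", True, True, 3, False, True, False),
    Asset("voip-pbx", "voip", True, False, 5, False, False, True),
    Asset("hr-db", "postgres", False, False, 5, True, True, False),
    Asset("rdp-admin2", "windows-rdp", False, False, 2, True, False, False),
]

if __name__ == "__main__":
    for a in rank_assets(FLEET):
        print(f"{a.name:14s} {attacker_attractiveness(a, FLEET):.3f}")
```

The exposed, common, unmonitored RDP host ranks first even though the VoIP PBX and HR database hold more valuable data: their research cost and monitoring make them less hospitable targets.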
In conclusion, attackers consider many factors before deciding to attack a target, and the severity of a bug alone does not settle the question. Attackers plan carefully to manage meager resources while still meeting their objectives and sustaining their business model across many targets. Understanding the attacker’s mindset will help organizations prioritize the best ways of managing risk and optimizing business outcomes.
Author: Alessandro Civati