IT security 101: think like a cybercriminal

Davey Winder

Many of the best fictional detectives employ a strikingly similar method when it comes to tracking down the perpetrator; they get inside the head of the bad guy. Understanding how the threat landscape is maturing, and that means getting to grips with how cybercriminals think, is equally important when it comes to the very real world of IT security. Indeed, I don't think it's overstating the case to suggest that the biggest threat to your company data as we approach 2015 is you, or rather your potential lack of knowledge concerning which threat vectors to focus on. Only by thinking the same as the bad guys can the good guys ensure that systems and data are adequately protected.

Thinking like a Cybercriminal

CybercriminalWhat do I mean by "it's time to start thinking like a cybercriminal"? Well I can use a very simple example to explain the process. Everyone knows that viruses are not a major threat to the enterprise, nor have they been for many years now. Depending on which sources you go to for your statistical information, viruses account for anything between 1% and 4% of security incidents. In my experience I'd say that the lower end of the statistical spectrum is probably nearer the actual mark. On the other hand, I'd say the upper figure when it comes to Trojans, which make up between 65% and 85% of all malware, is an accurate reflection of the threat landscape. So the bad guys are using malware to attack you, and that's that, right?

Wrong. While malware is without doubt the number one attack vector for the cybercriminal, that is far from the "be all and end all" of the motivational matrix. You have to think what the malware is being used for, what those Trojans are being planted in order to achieve. The days of establishing botnets for DDoS attack are on the decline, and although botnet usage remains a cause for concern it's not the main reason that most criminals will be breaching your network. Nor, for that matter, is the scraping of email and user data.

Nope, attackers are increasingly using malware as a vehicle for privilege escalation within the network. While a Trojan may provide access to credentials that enable a network perimeter breach, the end game is more often than not rights elevation in order to gain further access and control over more systems and data. Employing the right change management and access policy management tools is essential in order to combat this once you appreciate that's where the criminals are ultimately heading. Remember, user data is valuable but system control is priceless.

Where are they headed?

Employing this same mindset in the dark web approach to the threat landscape, you also have to start thinking about where the cybercriminals are heading when it comes to threat distribution and obfuscation. The very clear answer, given the increased awareness of the importance of encryption post-Snowden, is actually encryption itself. Or rather encrypted transactions which mean that less resources have to be spent on creating sophisticated malware code in order to evade detection. Understanding that the bad guys are using encryption in this way, exploiting the lack of visibility into SSL traffic, means that you can focus on ways of countering the tactic by distinguishing between a genuine need for SSL traffic and 'hostile' usage. Granular control over encrypted traffic is key here.

Don't think that all the emphasis is on the new though, as proven old-school approaches continue to be de rigueur. Approaches such as web application attacks like SQL injection and cross-site scripting, for example; what is changing is the target. These days we are more likely to see criminals actively aiming at content management systems (CMS) and specifically CMS plugins. Equally, the old 'smoke and mirrors' routine continues to be used, whereby a DDoS attack or maybe a DNS poisoning threat is launched in order to tie up system resources and focus while the real target, most often a financial database, is penetrated.

What is your weakness?

Finally, I'd recommend taking a sideways logic look at the threat landscape, and ask what would a cybercriminal like you to do to make life easier for them? Identifying your weaknesses in this way can be a real eye-opener for many IT admin teams. Take, for example, the small matter of maintaining network performance levels. Yep, I know, it's at the core of what you do. It can also be at the expense of your enterprise security posture and quite literally open the door to increased breach opportunity as well. How so? Well, according to recent research from McAfee a third of IT admins admitted to disabling firewall functionality to increase performance; functionality such as deep packet inspection which can help detect malicious activity across your network traffic.

Don't make things a lot easier for the bad guys just in order to make things a little easier for yourself. Take the time to regularly read the IT security news feeds, educate yourself about changes to the threatscape and act accordingly.


Want to know more about security? Then check out the video series by our security lead, Ian Trump…