Posted Jul 12, 09:15 AM by ben
The biggest advantage that is often attributed to the threat (aka bad guys) is time. If they have patience then they have all the time in the world to find your weak spots and abuse them.
I think that’s changing.
We’re obviously no longer dealing with the hobbyist threat. We’re dealing with professionals who are in it for the money. Time is indeed money, which I submit makes the average bad guy use his structured attacks as seemingly fast as he can. They use the majority of their time on the front end and then execute their recon/attack as fast as they can risk.
That doesn’t mean that a particular targeted operation does not take time, but it is an interesting item to keep in mind. With that said, I suspect a bigger advantage they have is the playing field. It’s too easy to not see a targeted attack as the Signal:Noise ratio is spectacularly skewed and too hard to make sense of.
Phishing is a key example: Do we have an automated way of seeing a phish vs a targeted phish vs spam vs ham? We’re getting there but that is a tall order.

This work by http://electricfork.com is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
I lead an information security ops and response team. This site is a collection of interesting notes and brainstorms on the protecting from, detecting of, and responding to badness. You can read more about me or my site here.
I still think the attackers have all the time in the world. To a savvy attacker, that’s a week, maybe a month. With zero knowledge of the market, it is very hard to say one way or the other. Are hosts compromised by the dozen by an attacker equivalent of a 12-games-at-a-time internet poker player and then sold off? Are specific targets selected and then contracted to be compromised? I’m sure there are examples of both cases.
The big advantage on the attacker side is that all of the existing countermeasures were designed for other threats and do not transfer well.
— Grant · Jul 18, 11:49 AM · #