Fact or Fiction? 5 of the Most Common Cyberattack Myths

In a recent Forbes article, author Lior Div does some myth-busting. Here are the five most common cyberattack myths according to Div.

1) Security solutions protect against penetration

Div says that, in fact, penetration is inevitable.

“Hackers often claim that penetration is a ‘no brainer.’ In the fight between attackers and defenders, the attacker’s task is to find or develop a single vulnerability, while the defenders must ensure they protect against any weakness, known or unknown, technological or user-driven. Hackers know that no organization is perfect and that their persistence will eventually pay off. This phase is carried out by a very dedicated penetration team that will only be paid when their attempts are successful,” writes Div.

2) Cyberattackers target the most vulnerable organizations

On the contrary, Div says attackers pick their targets based on goals, not vulnerabilities.

“While the common belief is that attacks are opportunistic — prioritizing the most vulnerable, unprotected, easy to penetrate organizations — in reality, attackers target even the most protected companies. The attackers set a clear strategy based on their goals for an operation. Their goals may vary whether it is financial reward, getting a hold of private data, damaging a company’s network or reputation, stealing IP and know-how, or a combination of the above. Based on their agenda, the attackers carefully choose the best fitting target. Interestingly, in some cases, the attacked company is not the attacker’s ultimate target but rather a bridge leading them into another organization. For example, in the Target breach, the initial targeted organization was Target’s HVAC system provider, which ultimately led to the penetration into Target’s system,” says Div.

3) Attackers gather intelligence about IT and security systems of their target

Div says that attackers actually gather any available data to help anticipate the defenders’ response.

“A hacking operation’s success is based on the ability to predict the company’s response to the attack. Therefore, hacking teams spend a long time gathering intel to build a complete picture of their targets beyond the IT systems in place. For example, attackers collect organization charts, employees’ data, salaries, work habits and after-work habits, business connections, business and leisure travel calendars, office locations, vendors and any other information that could be helpful to craft a true, comprehensive view of the company’s day-to-day operations. To help the attackers anticipate the defender’s response and understand their weaknesses, the attackers focus their efforts on building the profiles of the security personnel, e.g. their personal background, education, compensation, promotion plans, motivations, reporting lines, etc.” Div says.

4) Attackers rush to get in and leave

The fact of the matter is, they use “low and slow” techniques, according to Div.

“While one would expect attackers to move as fast as possible and gain as much information as possible, the actual operation is usually dictated by the attackers’ motivation to go undetected. Therefore, they deploy a ‘low and slow’ approach: performing a limited number of actions every day and avoiding ‘noisy’ activities.”

5) Effective response equals fast response

Div says attackers will carry out several decoy operations in order to distract response teams.

“Most security teams have a strong incentive to close an incident as soon as it is detected as they are measured by the amount of time it takes them to close a case. This leads to rushed decision-making and often a fake sense of success. While we all agree that detection and response should be fast, security teams must face a more complex reality. In most cases, attackers prepare at least one decoy operation to mask the ‘real’ operation, whether it’s flooding you with malware or DDoS attacks. A separate hacking team usually conducts the decoy attack(s) aimed to desensitize the defenders and distract their attention while providing them with a sense of achievement for detecting and closing an incident. This is while the ‘real’ operation goes undetected,” says Div.


For Div’s suggested approaches to these situations, see the article here: http://www.forbes.com/sites/frontline/2014/09/11/the-five-most-common-cyberattack-myths-revealed/