Attacks and countermeasures are typically discussed in terms of techniques, vulnerabilities, systems and tools. There is another angle to the cat-and-mouse fight between attackers and victims: the economic aspect of this cyber war.
Many wars eventually end due to simple economics. It costs money to wage war, and once that money is depleted, one side has no choice but to surrender. The physical battlefield is no different from the cyber battlefield on which enterprises and hackers face each other. Businesses need to fund their protection while battling on multiple fronts, sometimes against multiple concurrent attacks. The “hacking ecosystem” is a term I use to describe the equilibrium between attackers and defenders, between attacks and protection tools.
Employing a protracted attack that forces one combatant to risk depleting his resources is one strategy behind cyber attacks. Years ago, hackers’ motivation was publicity and vandalism. Today, we see an evolution toward attacks that are financially motivated, criminal in nature, or offshoots of political and social activism. The techniques, however, are the same: attackers still seek vulnerabilities that can be exploited and design weaknesses that can be misused. What today’s hackers have in common is methodology. They start with information gathering on their potential victim (intelligence), analyze the data, select the right approach and prepare the tools for the attack. Then they launch the attack, and afterwards the smart ones, at least, hide the evidence.
The firewall was born to provide basic access control for online businesses, which became exposed to the rest of the world once they connected to the internet. Then came the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS), which look for exploits of specific application vulnerabilities. Additional protection layers include antivirus software or gateways, web security, web application firewall (WAF), network behavioral analysis (NBA) and DoS Protection, and the list is almost endless.
The economic aspect of cyber war
In IT security, a layered approach is considered the best option: there is the perimeter (which some claim is dead in the age of mobile computing), the application security layers, the demilitarized zone (DMZ), and so on. The more tools deployed, the better the security posture is assumed to be.
But just as in physical war, there is a price for every tool and every protection layer. The more tools businesses add, the higher the CapEx and OpEx needed to finance them.
A closer look: Fighting multi-vulnerability attacks
Attackers employ multi-vulnerability attack campaigns, which target the application infrastructure at several layers: the network layer, the server layer and the application layer. Attackers are aware that even when their targets deploy network security tools, those tools are typically just a firewall and an IPS. Running multiple attack vectors that aim at multiple vulnerabilities in the target IT infrastructure is highly destructive, because the business is severely damaged even if only one of the vectors gets through. More information on the multi-vulnerability attack trend and its techniques can be found on the Security Incidents Report 1H2011 website.
To fight multi-vulnerability attack campaigns, IT or security managers have to invest in additional security layers, including DoS Protection, NBA, WAF and maybe more. For online businesses, a reasonable ROI per security product deployment is within one year for a three-year product lifecycle. So the IPS return on investment (ROI) is one year. If you add DoS Protection, it will take you two years to achieve ROI. Adding NBA, WAF, an anti-virus gateway, URL filtering and so on pushes your ROI far beyond three years. Financially, it’s a fight that you may not be able to win. Either you invest more in security than you gain, or, if you do not, your business runs the risk of being shut down by the damage from cyber attacks, and possibly even by the authorities for non-compliance.
Rethinking point security solutions
The multi-vulnerability attack case shows that cyber warfare is not only about technologies and processes; it is about money. Can you afford this war? The attackers typically invest a fraction of what the victim does.
Perhaps it is time to rethink the layered security approach. Selecting best-of-breed tools is good practice in an ideal world. In the real world, where you need to keep the doors, and the website, of your business open, you may need to adopt another approach. Ask yourself: what is the most effective shield that I can afford? This is where an integrated approach is needed, preferably with a good security information and event management (SIEM) system.
Deploying an integrated DDoS attack mitigation system that provides several protection modules, including IPS, NBA, DoS Protection and maybe WAF, together with an integrated SIEM, can significantly reduce overall costs. Its main advantage, however, is that it detects emerging threats as part of its normal operation, allowing the security manager to tighten the security posture gradually without deploying new tools. The point is the ability to detect emerging threats and attack attempts early.
Take the example of a typical attacker, who gathers information before launching the attacks. An integrated system with an effective SIEM lets the security manager identify this information-gathering stage and modify the protection rules ahead of future attack attempts. By detecting an attack at its early, probing stage, you not only save on possible damage, you also save on the tools that would be needed to mitigate the attack once it is launched. And that will keep your business open to fight another day.
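The correlation the article describes, a SIEM spotting the probing stage of a multi-layer campaign and turning it into a protection-rule update, looks roughly like the following. This is an added example written for this page, not code from the original article or from any product it mentions. The log format, sensor names (fw, ips, web), thresholds and the rule format are all constructed for illustration; the sample events are made up and use RFC 5737 documentation addresses. It scores each source by how many infrastructure layers (network, server, application) it touches inside one time window, which is the multi-layer pattern the article warns about.

```python
"""Toy SIEM correlation: detect the reconnaissance stage of a
multi-layer attack campaign and suggest a protection-rule update.

Constructed example; the event format and thresholds are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sensors (firewall, IPS, web server).
# 203.0.113.7 sweeps ports, then walks the web tree, then trips an IPS probe
# signature; 192.0.2.44 is an ordinary visitor with one stray 404.
SAMPLE_EVENTS = """\
2011-06-01T10:00:01 fw  src=203.0.113.7 dst=198.51.100.10 dport=22 action=deny
2011-06-01T10:00:02 fw  src=203.0.113.7 dst=198.51.100.10 dport=3389 action=deny
2011-06-01T10:00:03 fw  src=203.0.113.7 dst=198.51.100.10 dport=445 action=deny
2011-06-01T10:00:04 fw  src=203.0.113.7 dst=198.51.100.10 dport=8080 action=deny
2011-06-01T10:00:05 fw  src=203.0.113.7 dst=198.51.100.10 dport=1433 action=deny
2011-06-01T10:00:06 fw  src=203.0.113.7 dst=198.51.100.10 dport=25 action=deny
2011-06-01T10:02:10 web src=203.0.113.7 status=404 path=/admin/
2011-06-01T10:02:11 web src=203.0.113.7 status=404 path=/backup/
2011-06-01T10:02:12 web src=203.0.113.7 status=404 path=/old/
2011-06-01T10:02:13 web src=203.0.113.7 status=404 path=/test/
2011-06-01T10:03:00 ips src=203.0.113.7 sig="HTTP server version probe"
2011-06-01T10:05:00 web src=192.0.2.44 status=200 path=/index.html
2011-06-01T10:05:01 web src=192.0.2.44 status=404 path=/favicon.ico
"""

LINE_RE = re.compile(r'^(\S+)\s+(\w+)\s+(.*)$')          # timestamp sensor rest
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="..."

NET_PORT_THRESHOLD = 5        # distinct denied ports from one source = port sweep
APP_404_THRESHOLD = 3         # distinct missing paths from one source = tree walk
WINDOW = timedelta(minutes=10)  # events must fit one window to be correlated


def parse_events(text):
    """Parse constructed 'timestamp sensor k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sensor, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        fields['ts'] = datetime.fromisoformat(ts)
        fields['sensor'] = sensor
        events.append(fields)
    return events


def classify(window):
    """Which infrastructure layers does this set of events probe?"""
    ports = {e['dport'] for e in window
             if e['sensor'] == 'fw' and e.get('action') == 'deny'}
    missing = {e['path'] for e in window
               if e['sensor'] == 'web' and e.get('status') == '404'}
    probe_sigs = [e for e in window
                  if e['sensor'] == 'ips' and 'probe' in e.get('sig', '').lower()]
    layers = set()
    if len(ports) >= NET_PORT_THRESHOLD:
        layers.add('network')
    if probe_sigs:
        layers.add('server')
    if len(missing) >= APP_404_THRESHOLD:
        layers.add('application')
    return layers


def probing_layers(events):
    """Per source, the largest set of layers probed within one WINDOW."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e['src']].append(e)
    result = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e['ts'])
        best = set()
        for i, start in enumerate(evs):          # slide the window over time
            window = [e for e in evs[i:] if e['ts'] - start['ts'] <= WINDOW]
            layers = classify(window)
            if len(layers) > len(best):
                best = layers
        if best:
            result[src] = best
    return result


def suggested_rule(src, layers):
    """Hypothetical rule update an analyst would push to the integrated system."""
    actions = ['fw: drop traffic from %s for 24h' % src]
    if 'application' in layers:
        actions.append('waf: challenge and rate-limit requests from %s' % src)
    return actions


def recon_alerts(events, min_layers=2):
    """Sources probing at least min_layers layers inside one window."""
    alerts = []
    for src, layers in sorted(probing_layers(events).items()):
        if len(layers) >= min_layers:
            alerts.append({'src': src, 'layers': sorted(layers),
                           'rule': suggested_rule(src, layers)})
    return alerts


if __name__ == '__main__':
    for alert in recon_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The multi-layer requirement is what keeps the alert volume manageable: a single port sweep or a handful of 404s is background noise on any internet-facing site, but one source doing both inside a few minutes is the intelligence-gathering step the article describes, and it is cheap to block at that point compared with mitigating the attack that follows.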