The “Switch Target” Part I – Why Me?

By Peter M. Tran, Senior Director, RSA Advanced Cyber Defense Practice 

Conventional computer network defense (CND) concepts in the past 10 + years introduced practices such as adversary “beach head, pivot point, lateral traversal, command/control” analysis for passive cyber defense. If I don’t see it on my network, then I must not be a target and/or my business is of no interest to advanced threats actors, right? The correct answer is in asking yourself as a business, “why me?”

I like to use basic cops and robbers analysis when looking at the changing landscape of advanced threats and how to help enterprises approach developing advanced approaches to cyber defense. What’s the best way in and out of your primary target? Is it a direct path or  multi-dimensional vectors exist?

Let’s walk through one scenario using a simple bank heist theme. First, pick a good location (high value target), a bank in a town that’s on the edge of town with easy access to a highway. You’ve done your homework and know your target’s monitoring and defense systems, mean time to detect, alerting and when and in what direction the cops (incident responders) will be coming from. You go in heavily armed (malware, diversionary DDoS, sacrificial attack vectors), get as much cash as you can and get back to your vehicle.

Upon leaving on the road that leads to the freeway, you drop tire spikes (malware drop zones) to create a cushion of time for you to get away. As you get on the freeway, you drop more tire spikes and find an exit not too far from where you did the robbery (high value target) and switch to a different vehicle (the Switch Target).

Let’s stop here. Now ask yourself,  can I be used as a switch target as a business network in a cyber context as a pathway out for the attackers? If this is the case, can I also be used as a Switch Target for a pathway in to a primary target of interest?

In Part II, I’ll address in more detail Cyber Switch Targeting and the use of advanced analytics to enumerate what an attack infrastructure may look like.

Peter Tran leads RSA’s world-wide Advanced Cyber Defense Practice and directs overall professional services for Global Incident Response/Discovery (IR/D), breach readiness/management, remediation, cyber intelligence/exploitation analysis, Advanced Security Operation Center (ASOC) design/implementation and proactive computer network defense.