Unbroken Chains

  • While it is our belief that this section can be of interest and benefit to our readers, there are a couple of caveats that should be made clear from the beginning. First of all, we have only recently updated the VERIS schema to allow for collection of event chain data. Secondly, not all incident and breach records offer enough details to attempt to map out the path traveled by the threat actor. 

    We collect an action, actor, asset, and attribute at each step. However, each may be "Unknown" or omitted completely if it did not occur in that particular step of the attack. To create a single path from these factors, we begin by placing the actor at the first step at the beginning of the path. It’s followed by the action and then attribute present in the step. For the remaining steps it proceeds from action to attribute to action of the next step, simply skipping over any omitted.

    This calls for the old Billy Baroo. 

    Last year we pointed out how a golfer navigating a golf course is a lot like an adversary attacking your network.11 The course creator builds sand traps and water hazards along the way to make life difficult. Additional steps, such as the length of grass in the rough and even the pin placement on the green can raise the stroke average for a given hole. In our world, you’ve put defenses and mitigations in place to deter, detect, and defend. And just like on the golf course, the attackers reach into their bag, pull out their iron, in the form of a threat action, and do everything they can to land on the attribute they want in the soft grass of the fairway. 

    The first thing to know is that unlike a golfer who graciously paces all the way back to the tees to take his or her first shot, your attackers won’t be anywhere near as courteous. In Figure 29 we see that attack paths are much more likely to be short than long. And why not, if you’re not following the rules (and which attackers do?) why hit from the tees unless you absolutely have to? Just place your ball right there on the green and tap it in for a birdie or a double eagle, as the case may be.

    "My golf security is so delicate, so tenuously wired together with silent inward prayers, exhortations and unstable visualizations, that the sheer pressure of an additional pair of eyes crumbles the whole rickety structure into rubble." 

    —John Updike, with the sympathy of some CISOs.

  • And while your normal genteel golfer will abide (to a greater or lesser degree) by the course rules on the off chance that there is a Marshall watching and start on hole 1, threat actors will invariably take the shotgun start approach. They will begin their round on the hole they are shooting for, whether it’s confidentiality, integrity, or availability. Figure 30 provides a look at the three holes on our InfoSec golf course. It displays the number of events and threat actions in the attack chains, by last attri­bute affected. There is a lot to take in, and we do want to point a few things out. First, starting with Confidentiality, take a look at just how many short paths result from Misuse and Error, and to a lesser extent from Physical actions. On the other hand, we can see Hacking actions bounding back and forth between attributes for several steps. In Integrity we see an especially long chain beginning with Hacking and going to and fro between that and Malware as it compromises the Confidentiality and Integrity of the target.

  • Figure 30
  • Obviously, there’s a lot going on in Figure 30. An easier way of looking at it is what actions start (Figure 31), continue (Figure 32), and end (Figure 33) incidents.

  • Figure 31


  • Figure 32


  • Figure 33
  • We see that while Hacking is a little farther ahead, the first action in an incident could be almost anything. The most interesting part is that Malware is at the end of the chart, even behind Physical, which requires the attacker to be, well, physically present during the attack. Malware is usually not the driver you use to get off the tee; remember that most is delivered via social or hacking actions.

    Moving on to Figure 32, Malware makes its grand entrance. It may not be the opening shot, but it is the trusty 7-iron (or 3-wood, pick your analogy according to your skills), that is your go-to club for those middle action shots. Interestingly, there are almost no Misuse and Physical middle actions and no Error in our data set. That’s primarily because these are short attack paths and to be in the middle you have to have at least three events in the chain.

    And finally, we get a chance to see where attacks end in Figure 33. The most significant part is how Social is now at the bottom. While social attacks are significant for starting and continuing attacks as seen in Figure 31, they’re rarely the three-foot putt followed by the tip of the visor to the sunburned gallery.

    At this point, you may be wondering if your sand traps are sandy enough. Figure 34 comes from breach simulation data. It shows that in testing, defenders fail to stop short paths substantially more often than long paths. So, just in case you were looking on your systems and thinking "it’s the other guys that let the attackers start on the putting green," short attacks work.

  • Figure 34
  • Attack Paths and Mitigations 

    Our friends at the Center for Internet Security contributed some thoughts on mitigating attack paths:

    Much of security has been founded on cat­alogues of controls, vague vendor promises, laborious legislation, and tomes of things to do to keep your organization safe. Within this sea of options, we also have to justify our budgets, staff, and meet the business needs of the organization. Leveraging an attack path model is not only an important step towards formalizing our understanding of attacks, but also a means to understanding our defense. Previously, when looking at attack summary data we were presented with a snapshot of an attacker’s process which requires us to infer the preceding and proceeding events. Wheth­er we realize it or not, such interpretations impact how we plan our defenses. Defending against malware takes a different approach if the malware is dropped via social engineering, a drive-by download, or brought in by an insider via a USB device.

    In addition, while being faced with what seems like an endless list of potential attacks, limiting ourselves to snapshots also hinders our ability to find commonalities between these attacks. Such commonalities may be key dependen­cies in an attacker’s process which represent opportunities for us to disrupt. The more we can understand the sequence of events happening in an attack, the more we as a community can make it harder for adversaries to reuse the same process.

11 We are not saying hackers have early 90’s John Daly mullets. We don’t have data to support that. We just imagine that they do, and that this is why they all wear hoodies in clip art.

12 There’s a lot going on in this figure. Take your time and explore it. For example, notice the differences between short and long attacks.

Services and/or features are not available in all countries/locations, and may be procured from in-country providers in select countries. We continue to expand our service availability around the world. Please consult your Verizon representative for service availability. Contact us.