We Need to Care More About Root Causes of Exploitation
You are going to be a far better defender if you recognize that ransomware is not your real problem. Your real problem is how ransomware got in.
To best fight adversaries you have to figure out how those adversaries initially break in (i.e., root cause, initial access, etc.) to your resources (e.g., computers, devices, networks, etc.) and then concentrate on mitigating those entryway vulnerabilities. Said another way, if you want to stop people from breaking into your house you have to figure out if they are more likely to use the doors, windows, floors, walls, ceiling, roof, etc., to break in and fortify against the most likely attacks.
This has been a key cybersecurity message I have been communicating for two decades and included in my best-selling book, A Data-Driven Computer Defense: A Way to Improve Any Computer Defense (https://www.amazon.com/gp/product/1092500847).
Above is my current list of the possible, initial breach root causes. The current iteration has 12 separate root causes. Every malware and hacker attack I can think of can be fit into one of these categories.
I change it a bit every few years, adding, removing and renaming categories in my attempts to clarify and clearly communicate. It is hard to get a list of “root causes” accurate. It has taken me decades to get it right. My first few attempts were really bad, an amalgam of root causes and malicious outcomes of root causes. It is easy to get it wrong. In fact, most people and organizations and their reports and surveys get it wrong.
For example, I frequently see social engineering and/or phishing, which is the number one most popular root cause for most attacks, often co-mingled with other categories like malware, ransomware, and drive-by downloads. The latter examples are outcomes from social engineering. How do you think that malware, ransomware, and drive-by downloads most frequently get the opportunity to exploit someone? Often, it is social engineering. It can also be because of any of the other root causes, but social engineering is involved in the largest percentage of them.
I often see password theft as a root cause. Password theft is an outcome of a root cause: social engineering, unpatched software, guessing or cracking (i.e., brute force/computational attack), physical, etc. Ransomware is not a root cause, it is an outcome of a root cause method.
Here is a great example of mixed causes and outcomes. I love Verizon’s annual Data Breach Investigations Report (https://www.verizon.com/business/resources/reports/dbir/). It is one of the most respected reports in the industry and often communicates really good lessons. But it has classification issues. Here is one of their findings:
Figure 5 (and the underlying data) supposedly shows how hackers and malware break into “your estate”. “Creds”, meaning logon credential exploits, is in first place. It is a strange finding because there is not a survey or finding around that does not usually show phishing or social engineering as the number one cause of successful hacks. Is Verizon’s data correct (and everyone else’s findings are wrong) or is it an accurate outlier?
Well, perhaps both. My big question is how did those logon credentials get compromised? Was it password theft, social engineering, password guessing, or password hash cracking? Where did those maliciously used credentials come from? The odds are that the vast majority came from people who were socially engineered out of them (50% of all phishing attempts are to steal credentials) or they were stolen from another site or service the user was registered on using the same password. How did the hacker get into the web site to steal the user’s credentials? Probably social engineering, unpatched software, or misconfiguration. How did the bots originally get on devices to become a part of a botnet? Probably social engineering, unpatched software, misconfiguration, and user-error (i.e., not changing default passwords). That is the problem with mixing outcomes (in this case, stolen or guessed creds) and root causes.
Here is another table in the same Verizon report.
I like a lot of the categories but the categories leave me wondering how do all the malware instances get executed? Is it social engineering? Likely. How does malware get involved in a software update? Could that be social engineering or a supply side attack? How does a backdoor get directly installed? Social engineering, unpatched software, logon compromise, or misconfiguration. How does malware get remotely injected or directly installed? Those are likely outcomes of some other vulnerabilities, not root causes.
Missing Root Causes
Many reports, surveys, and frameworks completely miss some root causes. I get it. It is hard to be inclusive. Here is an example from Mitre’s ATT&CK framework (https://attack.mitre.org/), which I love overall.
Mitre has nine initial access techniques (and more sub-techniques under each technique). How did drive-by compromise or exploit public facing application happen? Those are outcomes, not root causes. How did the hacker or the hacker that supplied those valid accounts get them? How were external remote services abused? A lot of that has to be because of social engineering. Mitre has trusted relationships, which refer to third party vendors, but nothing to cover trusted insiders (which is an easy add to trusted relationship techniques or as a stand-alone category). What about eavesdropping? Where would that be covered? If I steal your storage device, where does that fit? What about side channel attacks? I love Mitre and the ATT&CK framework, but its “Initial Access” methods are lacking.
I don't blame any of these efforts. They come from excellent organizations who do a GREAT job overall. It's just that getting the right initial access categories is a hard thing to do. I've been focusing on it for over 20 years as something I think about nearly every day and try to figure out. I know how hard it is to get right.
Focus More on Root Causes Not Intent
I am also much more interested in how an attacker or malware first gained initial access to a system and less interested in what they did once they were inside (i.e., outcomes). It is not to say that defenders do not need to be worried about further attacks in a chained set of attacks or intent, just that if you want to stop attacks, you need to focus on the initial access root exploit first and best. If someone is trying to break into my house, regardless of the intent once they are in the house, I need to stop them from getting into the house, period. If I stop them from getting into my house, I do not have to worry so much about their intent.
In today’s world, I hear people focusing on intent way too much. For example, everyone is scared of ransomware attacks. And there is good reason to be afraid of them. They are popular (nearly 50% of businesses get hit by them each year), they cause tremendous business disruption, and they are costly (in both extortion payment and recovery). But to ultimately stop ransomware attacks, we need to focus on how ransomware is initially getting into our environments. If we do not stop them from getting initial access, we will never stop ransomware. And if we stop ransomware from breaking in, we stop nearly everything else in the process - because they share the same initial access methods. That’s why we need to better focus on initial access and less so on outcomes. Focusing on initial access methods is simply more effective at stopping hackers and malware across the larger spectrum than focusing on a single type of outcome.
In that same vein, we are already seeing ransomware pivot to other sorts of attacks: Distributed-Denial-of-Service (DDoS) attacks, crypto-mining, botnets, and pure data exfiltration. What the attackers do once inside your environment may change. How they break into your environment usually doesn’t change that much. The same 12 methods that were used to break into devices and networks 30 years ago are still the exact same ones being used today.
Focus on Root Causes
To repeat: I am also far more interested in preventing initial access attacks (i.e., root causes) than any other aspect of computer security. Stop the initial access and you stop everything else. Many hacker attacks, like “pass-the-hash” attacks, cannot happen until after the attacker first gains initial access, and usually gains access to elevated accounts or privileges. Once they do that, what can’t they do? They can do everything allowed by the software and hardware. What they are doing NOW is just one possible outcome. If you stop the initial access you stop the subsequent future attacks, again, regardless of intent or outcome. I think chained exploits and attacks, like pass-the-hash attacks, are interesting and need to be paid attention to and mitigated, but secondarily after focusing on and mitigating initial access attack methods.
Root Cause vs. Outcome
How do you tell the difference between a root cause and an outcome of a root cause? If you get rid of a root cause, it eliminates every outcome that could have used the same initial access exploit. Kill one thing and mitigate many otherwise unrelated things. However, if you get rid of an outcome, it only gets rid of just that outcome. For example, if we get rid of ransomware, it only eliminates ransomware.
If we do not get rid of the initial access method ransomware gangs use to spread ransomware, say social engineering, but get rid of ransomware (i.e., the outcome), something else malicious (e.g., backdoor trojan, password keylogger, etc.) can use the same root cause to exploit the targeted victim. If we get rid of a root cause, say social engineering, we get rid of every malicious attack that could use that root cause to spread and exploit.
Talking the Same Language
Anytime an industry is trying to improve something, in this case defeating hackers and malware, it is necessary to track metrics of the problem over time to see trends and measure if the currently implemented mitigations are working. To do that, the industry must agree on which metrics to track and create common definitions and categories that everyone can understand and use. Without that you end up with a Tower of Babel situation and it is far harder to get everyone rowing in the same direction to solve the common problems.
We do not have that in the cybersecurity industry right now. Different entities, surveys, and reports track cybersecurity problems differently. We do not even agree on what the root causes are, much less what to call them. We must come up with a common set of understandings and an agreed upon set of initial root causes if we are finally going to begin to significantly reduce cybersecurity risk. It is a must.
I think our best bet for a common, agreed upon schema is for NIST (National Institute of Standards and Technology), the Cybersecurity and Infrastructure Security Agency (CISA), or Mitre to establish those metrics and categories. I am currently doing my personal best to create movement within those organizations to create initial access category standards, although so far with little success. Still, I keep on plodding along. I do not let constant defeat and discouragement stop me. I am a bit of a bulldozer that way.
In summary, if you are going to best defend your house, you need to understand all the possible root causes of how thieves break in and focus on mitigating the most likely near future threats first and best. You have got to figure out whether to first concentrate on the windows, doors, or wherever thieves are successful. Then shut the holes down. It is the only way to significantly reduce the risk. You are going to be a better defender if you recognize that ransomware (or whatever cybersecurity threat you are most worried about) is not your real primary problem; it is how it got in. And if we are going to stop hackers and malware most efficiently, we need agreed upon initial access categories to better help our data collection and metric efforts. We need to speak the same language in our search to mitigate cybersecurity threats more efficiently.
Experienced Information Security Leader | Advising organizations on secure solutions which meet business needs | Risk Management | CISSP | CISA | CISM
2y: Roger Grimes, I like that you have focused on the root causes. To that end, I would suggest reconsidering the category Insider Attack. Typically this refers to a who, and not the how. Just as ransomware is not a root cause, as it uses one or more root causes, so, too, an Insider Attack would use one of the root causes. I think it does lead to possibly another root cause, which would be Misuse of Authorized Access (or something similar).
Zero Trust and Identity and Access Management Architect
2y: Yep, as you said “To best fight adversaries you have to figure out how those adversaries initially break-in”.
InfoSec Professional| Board Member | Mentor | Mentee
2y: Amazing. Let’s get proactive vs reacting to the threats. I also like how you are keeping it simple by calling it what it is, social engineering. We don’t need phishing, vishing, smishing, whaling, etc. IMO these have all been generated to continue to try and use fear to sell more product. This is great Roger.