In a recent piece in Forbes following the Anthem data-security breach, legendary venture capitalist Vinod Khosla wrote “There’s a universal truth regarding every cyber-attack: attack behavior never appears normal”.
While Mr. Khosla is a maverick in many fields, I believe this time he got it wrong. Please allow me to explain.
Let’s consider a different example: the recent Carbanak cyber crime campaign, in which over 100 banks worldwide were robbed of an estimated one billion dollars. The technology aspect of the attacks got the most media attention. In reality, however, the technology was not nearly as advanced as the state-of-the-art tooling used by some intelligence agencies around the world (e.g. Stuxnet, Flame or the Equation Group).
But the operational aspect of this attack—in other words, how it unfolded and how the attackers pulled off their crime—is not that far behind the way nation states conduct cyber operations.
Such attacks are based on overwhelming intelligence superiority, the result of hard, patient, methodical work by sizable professional teams. This appears to have been the modus operandi of the Carbanak group, who collected thousands of hours of both audio and video recordings from their targets. For instance, it takes at least 30 minutes to go through an hour of collected room audio. This implies the group employed dozens of linguistic experts and analysts, plus a well-organized command structure.
This approach gives attackers a high level of OpSec, including, among other things, a detailed statistical model of ‘normal’ behavior in the victim’s network (sometimes built with the same monitoring tools the victim uses). Given this level of OpSec and the patient, thorough method of operation, there is every reason to expect the attack behavior to appear as normal as anything else in the victim’s network.
Behavioral analysis may be effective in some cases or against some adversaries, but it is far from being the silver bullet of cyber defense that Mr. Khosla implies it is.
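To make the statistical point concrete, here is an added example of my own (not code from the original post, and not based on any published Carbanak tooling). It builds the simplest kind of behavioral baseline, a per-user z-score over constructed daily activity counts, and shows that it flags a loud outlier but says nothing about activity that stays inside the learned band. A cumulative-drift (CUSUM-style) check is included as one complementary defender signal; the user names, counts and thresholds are all constructed for illustration.

```python
"""
Per-user behavioral baseline and its blind spot.

Added illustration: a z-score detector catches a single large spike but
not a sustained value that sits inside the band the baseline learned.
A CUSUM-style drift check is one way to surface the latter.
"""
from statistics import mean, pstdev

# Constructed sample: daily file-share reads per user over ten working days.
BASELINE = {
    "alice": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42],
    "bob": [120, 118, 125, 130, 122, 119, 128, 124, 121, 126],
}


def zscore_alert(history, observed, threshold=3.0):
    """Return (z, alert) for one observation against a user's history.

    alert is True when |z| reaches the threshold (here three standard
    deviations, a common default in simple anomaly detectors).
    """
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # Degenerate baseline: any change at all is "anomalous".
        deviates = observed != mu
        return (float("inf") if deviates else 0.0, deviates)
    z = (observed - mu) / sigma
    return (z, abs(z) >= threshold)


def cusum_alert_day(history, stream, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM: accumulate the excess over (mean + k) and alert
    when the running sum exceeds h. Returns the 1-indexed day of the
    first alert, or None if the stream never drifts far enough.

    k_sigma (slack) and h_sigma (decision interval) are expressed in
    units of the baseline's standard deviation; the values here are
    illustrative, not tuned.
    """
    mu = mean(history)
    sigma = pstdev(history)
    k = k_sigma * sigma
    h = h_sigma * sigma
    s = 0.0
    for day, x in enumerate(stream, start=1):
        s = max(0.0, s + (x - mu - k))
        if s > h:
            return day
    return None


if __name__ == "__main__":
    hist = BASELINE["alice"]
    # A loud spike: 400 reads in one day is obviously outside the band.
    print("spike:", zscore_alert(hist, 400))
    # A steady 46 reads/day: about 2.2 sigma, never reaches the threshold.
    print("steady:", zscore_alert(hist, 46))
    # The same steady stream over twenty days is caught by drift, not by z.
    print("cusum day:", cusum_alert_day(hist, [46] * 20))
    # The baseline's own data produces no drift alert (no false positive).
    print("cusum on baseline:", cusum_alert_day(hist, hist))
```

The per-observation z-score is exactly the kind of "normal" model the post refers to: anything that stays inside the learned band is invisible to it, which is why a slow, well-informed operation can pass. The CUSUM check does not fix that by itself; it only turns sustained small excess into a signal, and in practice it is combined with other evidence (identity, data-flow, and host telemetry) rather than relied on alone.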