“You can’t always avoid a cyberattack”
Cyberattacks explained by the head of the Threat Analysis group
There’s still much unknown about the cyberattack that resulted in the TU/e shutting down its network. But there are researchers at this university who are specialized in this very subject. Without giving any specifics on the current situation, associate professor Luca Allodi - head of the Threat Analysis group within Mathematics and Computer Science - gives some context on how attackers work and what possible threats are.
Willing to explain more about cyberattacks in general, Allodi does want to make one thing very clear when starting the interview: “I won’t talk about the current situation on any level of detail.” So, to make it extra clear: this interview won’t reveal any information on the current situation at the TU/e. What it will do is give some insight into cyberattacks in general.
So let’s start at the beginning: how do you find out that you are being attacked?
“Oftentimes there are signs that come up from logs and security alerts of monitoring systems. They pick up suspicious activity. A human analyst will then investigate and say: this looks like malicious activity, so someone should do something about it. They will get in touch with the owner of the infrastructure, to tell them there may be a problem. An emergency team picks it up from there.”
What should an organization do when being attacked?
“Everything depends entirely on the case. You look at where the attacker has entered the system, what possible next steps are going to be, how sure you are, what systems are at stake and what the shape and topology of the network are. These things all play a role and the response strategy can vary hugely. So there is no single silver bullet way of answering anything. I think you can find different response strategies that are all equally justifiable. There’s always a risk assessment behind it, that looks at what in the current situation is the best shot.”
Can you avoid a cyberattack?
“Not all, not always. You can only be prepared to react in a rational way when you find evidence something is happening. Rational is an entirely subjective definition; it completely depends on your current stage, what information you have, how sure you are about the information you have and how well you can assess the information you do not have.”
Avoiding the attack in the first place is not possible?
“Especially for large organizations and networks that’s difficult, particularly networks that tend to be more open because of how they are organized, like those of universities. Access points are public and you may not always have a very consistent list of people who get access. By nature these networks tend to be more exposed, because the service is about giving people access to shared resources. From a system’s perspective there’s really no difference between a user and an attacker. The behavior is different, so based on that you can start detecting malicious actions, but these networks offer more hooks for attackers to interact with than other networks that are more closed.”
“The attacker has so many possible access points, that in general picking up signs - early signs of an attack - is already proof that the organization is doing things right. It is impossible to keep attackers out at all times. What you can do is protect your systems. By patching them and looking after the vulnerabilities that the technology has. But then there are always things that you can’t control. Like users who may accidentally click on a link.”
It is said that users are the weakest link of a system, is that true?
“It’s a debated statement. In our research we see that users may be a weak link in some sense, but also an enormous resource in another sense. If you start looking at the data, people can actually save organizations. For example by reporting actions. But users make mistakes, we all do, I do too. I’m sure all of the security conscious people do as well. You get an email and you click on a link, it happens.
Whether that’s defining that the user is the weak link: I think that’s fairly unfair. It’s not the user’s job to protect the organization. We can instrument our systems in such a way that it’s easier for the users to take savvy, wise, cautious decisions when they interact with it. And I think that’s the point at which we need to stop bothering the users about keeping things safe. Some risk is always there. It’s more important to be prepared and to identify when things happen.”
How are organizations affected by cyberattacks?
“That depends on the objective of the attack. It may be that it’s a random remote access that is launched by an automated agent of some kind. It may be an attack that stops at the scan or at the very early initial access phase. But then attacks can develop depending on the goal of the attacker. So there are certain actions they can take. Lateral movement, for example, is a very important one. The attacker gets access to a first point and then he can move laterally within the organization, that means to other systems that are in the same network, and from there he can jump to different network levels, to explore the network.
The asset discovery or beginning is a very important part of a planned attack. With serious consequences that may be about data exfiltration, or implanting ransomware or backdoors. The entry point is not the final stage that the attacker wants to be at. So then moving around, exploring, testing different things, escalating privileges and impersonating different users are all tactics that the attacker can put into place to obtain the goal. The goal may be that they sit quietly in the system and just observe for very long periods of time what happens. Sometimes it may be that one bit at a time they extract data slowly to stay under the radar. Sometimes they make a lot of noise and they drop a big ransomware bit that infects the whole organization and encrypts everything. It completely depends on the attacker. Espionage kind of attacks tend to be really quiet, they delete their traces and remain under the radar for a long period of time.”
Whilst with ransomware they just kick in the front door?
“Ransomware doesn’t have to be super-fast. It’s not the case that attacks that affect data availability like ransomware or wipers and that kind of malware are immediately caught the moment the attacker is in. Sometimes the attacker remains quiet. Some malware also has conditions attached to it for it to run. So when certain conditions are met on the system, then the malicious payload manifests itself. These are all characteristics of somewhat advanced attacks. I’m not talking about particularly resourceful attackers, but well prepared ones at least.”
So taking the network offline is a way to stop an attacker from getting further into the system?
“I think it serves the purpose of cutting off the attacker from the network. Depending on what he has done up until that moment, it certainly removes a whole lot of options for the attacker. That doesn’t mean that if there is an autonomous agent that the attacker has been able to install on the system before getting cut off, that autonomous agent can’t work anymore. It remains in the network and if it needs to move around, it will. But these attacks tend to be quite noisy.
At a moment when nobody has access to the systems anymore, it is easier to trace these lateral movements. Especially if it’s autonomous, which often is noisy, because it tends to do a lot of scans within the network. It needs to find targets to explore the network and then replicate itself. So it is true that even in a scenario where the network is cut off from external actors, something can still be happening internally. But I would say that it’s probably much easier to monitor and detect, because you put yourself in a much stronger position by cutting it off.”
It does sound almost impossible to find something that has been installed in some small corner of your system.
“It is very difficult. But again, I think that reducing the noise that these systems are generally producing through other user interactions helps a lot with identifying the signals. The more stable information you gather about what stage the attacker has gotten into, the stronger your position is in making conclusions about what systems you need to pay particular attention to. So you can see whether there is any evidence that there is any autonomous lateral movement happening.”
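Allodi’s point that autonomous lateral movement is noisy because the agent scans many internal hosts, and that it stands out once ordinary user traffic is quiet, can be turned into a simple detection. The block below is an added illustration, not code from the interview or from the Eindhoven Security Hub: it runs a sliding-window count of distinct internal targets per source over a constructed connection log (the IP addresses, timestamps and the threshold of eight targets per minute are all assumptions chosen for the example).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def constructed_log():
    """Build a small, constructed connection log (not a real capture).
    Each line: ISO timestamp, source IP, destination IP, destination port."""
    base = datetime(2025, 1, 12, 3, 14, 0)
    lines = []
    # 10.0.5.20 touches twelve neighbours on port 445 in under a minute:
    # the sweep pattern a self-propagating agent leaves while looking for targets.
    for i in range(12):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.5.20 10.0.7.{i + 1} 445")
    # 10.0.5.31 is a normal workstation: file server, mail server, printer, repeatedly.
    for i in range(20):
        ts = base + timedelta(seconds=2 * i)
        dst = ["10.0.9.5 445", "10.0.9.6 993", "10.0.9.7 631"][i % 3]
        lines.append(f"{ts.isoformat()} 10.0.5.31 {dst}")
    return lines

def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_internal_scanners(lines, window=timedelta(minutes=1), min_targets=8):
    """Return {src: peak distinct (dst, port) count} for every source that
    contacts at least min_targets distinct targets inside one sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        by_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        seen = Counter()          # distinct targets inside the current window
        left, peak = 0, 0
        for ts, target in events:
            seen[target] += 1
            while ts - events[left][0] > window:   # slide the window forward
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_internal_scanners(constructed_log()))   # {'10.0.5.20': 12}
```

The workstation never exceeds three distinct targets, so only the sweeping host is flagged; in a real deployment the threshold and window would be tuned against the network’s normal baseline.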
Is your group also affected by the outage?
“Yes, some of our research has been put on hold, because we can’t access some of the systems. We have some remote exercises to do with collaborators. Those had to be cancelled and postponed because we can’t pull it off at this stage. And of course the monitoring center that the Security Group runs - the Eindhoven Security Hub - is partially affected. Not for services outside of TU/e, but some of our internal visibility is cut off.”
Is this situation relevant to your research?
“We work a lot on criminal activity: what do they do, when do they attack networks, how do they do it and what are the proceedings of that. And we do a lot of work on the monitoring part as well. So yeah, it is a situation that is of interest to the Security Group.”