Miscreants and the Principle of Least Effort
Back in the old days, when security was much more of an afterthought, it was obvious that miscreants were familiar with the principle of least effort. Information security was still in its Wild West days. Managed disclosure and patching did not really exist. Most companies were just coming to realize they would need to put some effort into securing their assets. I was tasked with most of the security deployments and forensic investigation at a startup hosting company. We had a lot of bandwidth (at the time) and a lot of poorly managed servers. You could watch our gateway and know when a new vulnerability was discovered in the underground. You could see miscreants scanning for a specific service in a specific network. Miscreants had done their homework, and knew where the vulnerable hosts resided. This targeting was efficient. Sure enough, hosts would start being compromised and a few days later some sort of official disclosure would happen detailing the vulnerability the miscreants had been scanning for.
Fast forward to a new century, and add a decade plus a few years and what has changed? Not much, really. Armed with the knowledge of a budding WordPress botnet, my research team, which is part of Cisco Security Intelligence Operations, stood up a new, very basic WordPress installation that had a very simple-to-brute-force login / password combination. We mapped a domain that might gather some interest in order to better understand the threat. This host was not co-located inside a hosting center known for WordPress installs. We spent time monitoring the host and analyzing the logs in an attempt to get a nugget of information. The fact that it was not co-located within a network known for WordPress installs resulted in very little if any probing.
So what did we learn? Not much, except that not much has changed from a miscreant’s perspective. If you are a miscreant and want a specific type of vulnerable host would you spend your time scanning the Internet as a whole or would you go to networks that you know hold a lot of these types of hosts? I know what I would do if it were me. I would expend the least amount of resources to identify the most potential targets. It’s the principle of least effort from a miscreant’s point of view.
So how can we use this to our advantage? Well, security through obscurity in a certain sense has some merit, although it’s not something you should rely on. You could host a service in a network that is not known for hosting specific services or applications. That would at least remove your installation from the most targeted areas. Is the extra effort worth it? That is for you to decide, but if you can use it to your advantage to reduce the chance you become a target then why not?