Why Do Commonly Used Security Measures Fail
A simple firewall used to be effective; those days have long since disappeared
- By Csaba Krasznay
- Feb 01, 2018
Information security is defined as a reactive
activity, as it involves managing risks that
may have a serious effect on the organization
if they occur. If we analyze the history of information
security, the Pareto principle holds
true. It states that, for many events, roughly
80 percent of the effects come from 20 percent
of the causes. Therefore, departments responsible for information
security try to dedicate their limited resources to that
20 percent.
Sometimes this strategy is effective; sometimes it isn’t enough.
Over the last few decades, there were occasions when a simple
firewall or antivirus software was enough to prevent the vast majority
of attacks, but hackers’ tools and tactics have continuously
evolved and evaded these basic measures. Additionally, the IT usage
patterns of employees and customers have also evolved, resulting
in an infinite loop for the risk management process, making
constant re-evaluation of threats necessary in order to find
the right countermeasures for the identified risk. Unfortunately,
the Pareto principle can no longer be used in cybersecurity.
All hardware and software elements, with or without network
connectivity, can be the source of an attack, and there are multiple motives and strategies on the hacker side that are impossible
to second-guess from the CISO’s chair.
Identifying Major Breeds of
Modern Cyberattacks
Ultimately, there are two major types of cyberattacks. The first
can be compared to a fisherman trawling the ocean. Attackers
cast a wide virtual net out into the internet not knowing what
they will catch, or if they’ll even catch anything. Ransomware
is a good example of this tactic. Cybercriminals own or rent a
botnet and spread their malware through this network, using
email or social accounts that were stolen from an internet service
provider’s large database and made available on the Darknet.
Their investment is quite low, but the payout can be high if they
are able to catch a lot of unsuspecting Internet users with a wellconstructed
message.
With the ransomware-as-a-service model, virtually anyone
can create their own code, spread it to the target audience and
harvest the paid ransom in Bitcoin. In such cases the motive is
fairly simple: collect as much money as possible. They typically
target end users to prey on their ignorance of how cyberspace
operates. However, those end users are often sitting in an office
during these attacks and are using corporate devices connected to
the corporate network. From a defense perspective, this type of
attack seems to be manageable, although it still causes huge problems
for companies that haven’t invested in education for their
staff or in the latest technologies.
The second attack model is more strategic and focused. It
can be compared to a fisherman who is looking for a particular
species of fish, uses a specific “rig” and selects a location where
they know the fish is located. These cyberattacks target only one
organization with a special cyber-weapon crafted and sharpened
against its weaknesses. Many times, this attack is indirect, as attackers
hack a trusted third party first and reach the target organization
from their network. Rogue actors have the necessary resources,
such as time, money and expertise and they usually have
specific motives for the attack.
This is referred to as a targeted attack or Advanced Persistent
Threat (APT). The National Institute of Standards and Technology
in the United States defines this term as “an adversary that
possesses sophisticated levels of expertise and significant resources
that allow it to create opportunities to achieve its objectives by
using multiple attack vectors (e.g., cyber, physical and deception).
These objectives typically include establishing and extending
footholds within the information technology infrastructure of the
targeted organizations for purposes of exfiltrating information;
undermining or impeding critical aspects of a mission, program
or organization; or positioning itself to carry out these objectives
in the future.
The advanced persistent threat: 1. pursues its objectives repeatedly
over an extended period of time, 2. adapts to defenders’
efforts to resist it and 3. is determined to maintain the level
of interaction needed to execute its objectives. The intruder can
capitalize on any vulnerability in the infrastructure, leading to a
“needle in the haystack” approach from a defense perspective. In
addition, the initial steps to discovery take months or years and
usually stay under the radar, while exfiltration only takes seconds
or minutes. Victims don’t have time to even realize that something
bad is happening.
Understanding Motivations
Behind the Attacks
To truly understand why commonly used security measures fail,
we have to understand the nature of targeted attacks or an APT.
In its well-known Cyber Kill Chain model, Lockheed Martin defines
an APT in the following seven steps.
Reconnaissance. Attacker defines its target, gets as much information
as possible from it and tries to identify vulnerabilities
in the target infrastructure.
Weaponization. Attacker creates a cyber weapon that enables
remote access to the target infrastructure. This is usually a malware,
such as a virus or worm, which exploits one or more identified
vulnerabilities.
Delivery. Attacker delivers weapon to victim. It can be transmitted
via email attachments, websites or USB drives.
Exploitation. Cyber weapon takes effect and exploits relevant
vulnerabilities on the target network.
Installation. Cyber weapon opens a remote connection, usually
a backdoor, and lets attacker access the target infrastructure.
Command and control. Through the already-opened access, cyber
weapon lets the attacker remain in the victim’s infrastructure.
Actions on objective. The attacker takes necessary steps to
reach their objective, such as data exfiltration, data destruction
or encryption for ransom.
Naturally, those seven steps apply to hundreds of tactics,
thousands of known tools and the same amount of currently unknown
tools. NotPetya ransomware is a good example of how
well-known tools and tactics gave life to a new strategy. According
to expert opinions, the motivation behind this specific malware
was to influence Ukraine’s standard daily operation and
to test the resistance of the maritime industry, even though it
appeared to be ordinary ransomware. It utilized the same EternalBlue
vulnerability as Wannacry had a month prior, and used
the hacker’s favorite Mimikatz tool to extract privileged accounts
from the memory.
Nothing new there. However, the malware is believed to have
originated from the software update mechanism of M.E.Doc, a
Ukrainian tax preparation software, widely used in the country.
No one expected that the source of a global malware campaign
would be a local software’s update that has to be installed for
security reasons. The masterminds on the attacker side did their
job perfectly by building upon known vulnerabilities on both the
human and technology side and utilized existing tools and techniques
to reach their strategic goals.
How Attackers are Outpacing Defenses
The MITRE Corp., a nonprofit organization that operates research
and development centers sponsored by the federal government,
published a large database on cyberattack tactics and techniques.
MITRE’s Adversarial Tactics, Techniques, and Common
Knowledge (ATT&CK) is a curated knowledge base and model
for cyber adversary behavior, reflecting the various phases of an
adversary’s lifecycle and the platforms they are known to target.
It largely reflects Lockheed Martin’s Cyber Kill Chain and provides a useful insight into how those seven steps can be carried
out. During the pre-attack phase (Steps 1-4), 173 different techniques
were identified under 17 attack categories. In the attack
phase (Steps 5-7), 10 categories were identified for 169 techniques.
While attackers can freely use these techniques, it is virtually impossible
to implement countermeasures against all of these steps
in a complex environment.
Targeted attacks reach a turning point when the rogue actor
tries to break out from the hacked computer, better known as
“lateral movement.” Looking back at NotPetya, the ultimate goal
of gathering credentials from an infected computer is to enable
lateral movement. Privileged account credentials are the keys to
the kingdom. If the intruder can steal these passwords, it is very
difficult to identify them from that point, as they will perform
seemingly legitimate activities. This can be presented through the
Remote Desktop Protocol example.
FireEye’s Mandiant, which handles the investigation of targeted
cyber security incidents, writes the following on its blog:
“While performing incident response, Mandiant encounters attackers
actively using systems on a compromised network. This
activity often includes using interactive console programs via
RDP such as the command prompt, PowerShell, and sometimes
custom command and control (C2) console tools.”
Usage of RDP is a confirmed tactic by MITRE, and even the
most advanced cybercriminal groups such as APT1 or Lazarus
used this protocol many times. In practice, Windows servers usually
enable remote connection through RDP as they need to be
managed somehow. Those servers can be on premise or in the
cloud as well. Therefore, if the attacker has a privileged account,
he has a great chance to access the whole Windows infrastructure.
Beyond Passwords —
Next Generation Defense
So how can RDP connections be secured? While the use of strong
passwords to enable Network Level Authentication is often recommended,
it cannot solve the issue of stolen credentials, and
even password managers can be tricked with an authorized privileged
user account. Only multifactor authentication seems to be
an effective measure, but this is often unfeasible due to infrastructure
restrictions.
Unfortunately, that is just one example of the challenges that
need to be addressed, and every one of the multitude of techniques
comes with its own set of challenges. As attackers improve
their strategies, organizations need to improve their defense tactics
and supporting toolkits. There are some new technologies
emerging that appear to be very promising and may hopefully
restore the balance between attack and defense. According to
Gartner’s Hype Cycle for Emerging Technologies 2017, Machine
Learning or Software-Defined Security are moving toward mainstream
adoption and there are a growing number of cybersecurity
solutions coming onto the market that incorporate these
technologies.
This article originally appeared in the February 2018 issue of Security Today.