Why Do Commonly Used Security Measures Fail

Why Do Commonly Used Security Measures Fail

A simple firewall used to be effective; those days have long since disappeared

Information security is defined as a reactive activity, as it involves managing risks that may have a serious effect on the organization if they occur. If we analyze the history of information security, the Pareto principle holds true. It states that, for many events, roughly 80 percent of the effects come from 20 percent of the causes. Therefore, departments responsible for information security try to dedicate their limited resources to that 20 percent.

Sometimes this strategy is effective; sometimes it isn’t enough. Over the last few decades, there were occasions when a simple firewall or antivirus software was enough to prevent the vast majority of attacks, but hackers’ tools and tactics have continuously evolved and evaded these basic measures. Additionally, the IT usage patterns of employees and customers have also evolved, resulting in an infinite loop for the risk management process, making constant re-evaluation of threats necessary in order to find the right countermeasures for the identified risk. Unfortunately, the Pareto principle can no longer be used in cybersecurity.

All hardware and software elements, with or without network connectivity, can be the source of an attack, and there are multiple motives and strategies on the hacker side that are impossible to second-guess from the CISO’s chair.

Identifying Major Breeds of Modern Cyberattacks

Ultimately, there are two major types of cyberattacks. The first can be compared to a fisherman trawling the ocean. Attackers cast a wide virtual net out into the internet not knowing what they will catch, or if they’ll even catch anything. Ransomware is a good example of this tactic. Cybercriminals own or rent a botnet and spread their malware through this network, using email or social accounts that were stolen from an internet service provider’s large database and made available on the Darknet. Their investment is quite low, but the payout can be high if they are able to catch a lot of unsuspecting Internet users with a wellconstructed message.

With the ransomware-as-a-service model, virtually anyone can create their own code, spread it to the target audience and harvest the paid ransom in Bitcoin. In such cases the motive is fairly simple: collect as much money as possible. They typically target end users to prey on their ignorance of how cyberspace operates. However, those end users are often sitting in an office during these attacks and are using corporate devices connected to the corporate network. From a defense perspective, this type of attack seems to be manageable, although it still causes huge problems for companies that haven’t invested in education for their staff or in the latest technologies.

The second attack model is more strategic and focused. It can be compared to a fisherman who is looking for a particular species of fish, uses a specific “rig” and selects a location where they know the fish is located. These cyberattacks target only one organization with a special cyber-weapon crafted and sharpened against its weaknesses. Many times, this attack is indirect, as attackers hack a trusted third party first and reach the target organization from their network. Rogue actors have the necessary resources, such as time, money and expertise and they usually have specific motives for the attack.

This is referred to as a targeted attack or Advanced Persistent Threat (APT). The National Institute of Standards and Technology in the United States defines this term as “an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program or organization; or positioning itself to carry out these objectives in the future.

The advanced persistent threat: 1. pursues its objectives repeatedly over an extended period of time, 2. adapts to defenders’ efforts to resist it and 3. is determined to maintain the level of interaction needed to execute its objectives. The intruder can capitalize on any vulnerability in the infrastructure, leading to a “needle in the haystack” approach from a defense perspective. In addition, the initial steps to discovery take months or years and usually stay under the radar, while exfiltration only takes seconds or minutes. Victims don’t have time to even realize that something bad is happening.

Understanding Motivations Behind the Attacks

To truly understand why commonly used security measures fail, we have to understand the nature of targeted attacks or an APT. In its well-known Cyber Kill Chain model, Lockheed Martin defines an APT in the following seven steps.

Reconnaissance. Attacker defines its target, gets as much information as possible from it and tries to identify vulnerabilities in the target infrastructure.

Weaponization. Attacker creates a cyber weapon that enables remote access to the target infrastructure. This is usually a malware, such as a virus or worm, which exploits one or more identified vulnerabilities.

Delivery. Attacker delivers weapon to victim. It can be transmitted via email attachments, websites or USB drives.

Exploitation. Cyber weapon takes effect and exploits relevant vulnerabilities on the target network.

Installation. Cyber weapon opens a remote connection, usually a backdoor, and lets attacker access the target infrastructure.

Command and control. Through the already-opened access, cyber weapon lets the attacker remain in the victim’s infrastructure.

Actions on objective. The attacker takes necessary steps to reach their objective, such as data exfiltration, data destruction or encryption for ransom.

Naturally, those seven steps apply to hundreds of tactics, thousands of known tools and the same amount of currently unknown tools. NotPetya ransomware is a good example of how well-known tools and tactics gave life to a new strategy. According to expert opinions, the motivation behind this specific malware was to influence Ukraine’s standard daily operation and to test the resistance of the maritime industry, even though it appeared to be ordinary ransomware. It utilized the same EternalBlue vulnerability as Wannacry had a month prior, and used the hacker’s favorite Mimikatz tool to extract privileged accounts from the memory.

Nothing new there. However, the malware is believed to have originated from the software update mechanism of M.E.Doc, a Ukrainian tax preparation software, widely used in the country. No one expected that the source of a global malware campaign would be a local software’s update that has to be installed for security reasons. The masterminds on the attacker side did their job perfectly by building upon known vulnerabilities on both the human and technology side and utilized existing tools and techniques to reach their strategic goals.

How Attackers are Outpacing Defenses

The MITRE Corp., a nonprofit organization that operates research and development centers sponsored by the federal government, published a large database on cyberattack tactics and techniques. MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. It largely reflects Lockheed Martin’s Cyber Kill Chain and provides a useful insight into how those seven steps can be carried out. During the pre-attack phase (Steps 1-4), 173 different techniques were identified under 17 attack categories. In the attack phase (Steps 5-7), 10 categories were identified for 169 techniques. While attackers can freely use these techniques, it is virtually impossible to implement countermeasures against all of these steps in a complex environment.

Targeted attacks reach a turning point when the rogue actor tries to break out from the hacked computer, better known as “lateral movement.” Looking back at NotPetya, the ultimate goal of gathering credentials from an infected computer is to enable lateral movement. Privileged account credentials are the keys to the kingdom. If the intruder can steal these passwords, it is very difficult to identify them from that point, as they will perform seemingly legitimate activities. This can be presented through the Remote Desktop Protocol example.

FireEye’s Mandiant, which handles the investigation of targeted cyber security incidents, writes the following on its blog: “While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control (C2) console tools.”

Usage of RDP is a confirmed tactic by MITRE, and even the most advanced cybercriminal groups such as APT1 or Lazarus used this protocol many times. In practice, Windows servers usually enable remote connection through RDP as they need to be managed somehow. Those servers can be on premise or in the cloud as well. Therefore, if the attacker has a privileged account, he has a great chance to access the whole Windows infrastructure.

Beyond Passwords — Next Generation Defense

So how can RDP connections be secured? While the use of strong passwords to enable Network Level Authentication is often recommended, it cannot solve the issue of stolen credentials, and even password managers can be tricked with an authorized privileged user account. Only multifactor authentication seems to be an effective measure, but this is often unfeasible due to infrastructure restrictions.

Unfortunately, that is just one example of the challenges that need to be addressed, and every one of the multitude of techniques comes with its own set of challenges. As attackers improve their strategies, organizations need to improve their defense tactics and supporting toolkits. There are some new technologies emerging that appear to be very promising and may hopefully restore the balance between attack and defense. According to Gartner’s Hype Cycle for Emerging Technologies 2017, Machine Learning or Software-Defined Security are moving toward mainstream adoption and there are a growing number of cybersecurity solutions coming onto the market that incorporate these technologies.

This article originally appeared in the February 2018 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3