Enterprises outsmarting themselves with security while attackers use common techniques
Bad guys use common techniques to steal data, while companies focus too much on sophisticated attacks, according to the second annual Hacker’s Playbook, based on an analysis of nearly 4 million breach methods.
Security professionals are figuring out how to block attacks from state-sponsored, advanced, persistent adversaries, said Itzik Kotler, CTO and co-founder at penetration company SafeBreach, which produced the report.
“But if you look at the different hacks, they’re not all carried out by nation-states,” he said. “They’re carried out by script kiddies and cyber criminals.”
In fact, while conducting penetration tests on behalf of its customers, SafeBreach found that old standbys are extremely effective.
There are few adversaries skilled enough to create zero days. The majority of attackers use and reuse common techniques, which is exactly what SafeBreach did when running its penetration tests.
Corporate environments typically offered many exfiltration channels, including HTTP, IRC, SIP and Syslogs.
Take, for example, Internet Relay Chat which dates back to before the Web was invented.
“It is not sophisticated at all,” he said. “And, to our knowledge, it has no business value. But it can still be used to initiate a connection out of a company and carry data.”
Syslogs are event logs from network and security products sent to external aggregators for consolidation and analysis — and are usually not scrutinised by security. They should be limited to specific servers, encrypted, or sent via a VPN tunnel.
Simiarly, SIP, which is used for voice-over-IP communication sessions, needs to be limited to specific, pre-identified servers.
And HTTP is the most common type of outbound traffic, and is the easiest protocol to take advantage of, according to SafeBreach. These communications need to be monitored and inspected by data loss prevention platforms.
When it comes to getting into a company in the first place, companies are still not locking down many common approaches.
For example, executable files in attachments were successful in a quarter of all attempts. So were Microsoft Office macros and visual Basic scripts.
And one of the oldest tricks in the book, encrypted zip files downloaded via HTTP, still works.
The kinds of files should be limited by policy or inspected by next-generation firewalls, SafeBreach recommended.
And the top five most successful malware kits have been around for a year or more, including Citadel, Dridex, Hesperbot, SpyEye and Cryptolocker.
Finally, human error was a common problem. The most damaging mistake was misconfiguring malware sandboxes and proxies. For example, sandboxes were often not set up to cover all ports, protocols, file formats, and encrypted traffic. And misconfigured proxies allow attackers to move laterally within corporate networks.
IDG News Service