Cyber Threat Intelligence Shows Majority of Cybercrime is NOT Sophisticated
20.1.2017 Securityweek Analysis
It’s a new year and while some things change, some things stay the same (or similar). There’s lots of FUD about the sophisticated cyber attacks that are multi-threaded and obfuscated. Certainly there are attacks that fall into this category, but if you look at all of the cybercrime activity from the past year, it’s clear that the majority of threats do not have the level of sophistication that is often talked about.
Rather, what cyber threat intelligence is showing us is that most threats simply exploit a series of well-documented vulnerabilities and other weak points to move along the path of least resistance – and the most profit. Let’s look at some of the top threats out there today through the prism of the threat triangle, which is the actor’s capability, intent and opportunity:
1. Ransomware - This threat leverages old school, but effective, Social Engineering tactics. Getting someone to click on a malicious macro still works … even though macros are not commonly used anymore (seriously, have you or do you know anyone who has ever used a macro?). It’s human nature to be curious and that curiosity is easily exploitable.
Here are things you can do to reduce an adversary’s opportunity of successfully carrying out a ransomware campaign (and to limit your risk even if a ransomware attack is successful):
Deploy anti-phishing capabilities as this is the most common method used by attackers to kick off a campaign. Anti-malware software configured to scan all email attachments will help catch most malicious attachments. All settings that allow the documents to download and open directly should also be disabled.
Restrict unnecessary users from having administrator-level permissions on their local machines, unless specifically required. Unfortunately, in many cases local admin is given to users to make them stop complaining about an app not working. Limiting this privilege could lessen the impact of ransomware.
To all Microsoft shops - Did you know there is a GPO that can help? Microsoft has adapted group policy settings to assist system administrators in taking more appropriate steps in defending against threats such as ransomware while still keeping accustomed user functionality.
Train your users. Yeah this isn’t a new concept either, but it can be effective if done well. I don’t mean just a written policy that is a long list of “do this, don’t do that.” I once worked for an organization that had over 100+ slides in their cyber security user orientation deck, which is overwhelming to say the least. Your training program should hit on the most important points and not overwhelm users where they will tune out. Understand the top three threats to your users and focus on those top three. Have a conversation with your users. What works here is actually putting your users through real-life scenarios and doing this on a semi-regular basis. It keeps it fresh in their minds and makes them more aware.
Patch your gear - Did you know that most ransomware is served up via exploit kits when your users visit a compromised site or are delivered via a malicious payload in a phishing email? Did you know that all of the CVE’s that help protect against both scenarios have been out for quite a while? Be aggressive with vulnerability management in your user environment as they are the highest exposed.
2. Exploit kits - Many of these kits out there leverage CVE’s for which there is no good reason to NOT to patch them. Look at the RIG, Sundown and Magnitude exploit kits as recent examples. The below list includes current and past attribution lineage:
The RIG EK Exploits: CVE-2012-0507, CVE-2013-0074, CVE-2013-2465, CVE-2013-2471, CVE-2013-2551, CVE-2013-3896, CVE-2014-0311, CVE-2014-0322, CVE-2014-0497, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2015-3090, CVE-2015-5119, CVE-2015-5122, CVE-2015-5560, CVE-2015-7645, CVE-2015-8651, CVE-2016-0034, CVE-2016-0189, CVE-2016-1019, CVE-2016-4117, CVE-2016-7200, CVE-2016-7201, CVE-2016-3298
The Sundown EK Exploits: CVE-2012-1876, CVE-2013-7331, CVE-2014-0556, CVE-2014-0569, CVE-2014-6332, CVE-2015-2444, CVE-2015-0311, CVE-2015-0313, CVE-2015-5119, CVE-2015-2419, CVE-2016-0034, CVE-2016-4117, CVE-2016-0189, CVE-2016-7200, CVE-2016-7201
The Magnitude EK Exploits: CVE-2011-3402, CVE-2012-0507, CVE-2013-2551, CVE-2013-2643, CVE-2015-0311, CVE-2015-7645, CVE-2015-3113, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1019, CVE-2016-4117
There is no reason these CVE’s should be present in your environment!
3. Credentials management - Password complexity and reuse is again nothing new or sophisticated, yet we continue to see new attacks leveraging compromised credentials from old breaches. A few business process and technical recommendations you can implement to limit this security issue:
· Re-examine your password policies and ensure they are being enforced. Users will always gravitate to the path of least resistance and will tend to leverage the weakest password option being presented. Forcing password resets at certain time periods and implementing two-factor authentication can also help protect systems from password reuse attacks.
· If you have not already done so, you should investigate deploying an easy-to-use password manager for your user base. Also don't make the assumption that this is just limited to business-related credentials. It is commonplace for a user’s personal and business credentials to be co-located both on personal and business devices. If you choose to procure a password manager for your organization, think about extending the licenses to your employees’ personal devices as well.
· Training and education - Customers, employees and other users should be dissuaded from reusing passwords from other accounts. If you suspect data has been compromised, whether directly from your site or from another breach, take proactive measures to prevent password reuse attacks by resetting passwords.
4. Extortion - Similar to ransomware, this threat leverages targets based on an unhealthy level of presence. The difference is that while ransomware encrypts your data and keeps it captive until the bad guy gets paid, an extortionist gains leverage against an organization by compromising their data via exfiltration and then embarrassing the victim to pay up. A recent example of cyber extortion revolves around an actor by the name of TheDarkOverlord, who uses social media to publicly threaten organizations and potentially expose the stolen sensitive data if not paid off.
· Remove the Opportunity - The root issue here is that our adversaries require “us” to present vulnerabilities to them in order for them to succeed. If you remove the opportunity you are directly influencing their capability to extort.
· Cyber Security “Technical Debt” - When an organization presents too much opportunity for an adversary, I am reminded of the term “Technical Debt” which is a metaphor for designing software properly versus taking short cuts to get something done faster and cheaper. To get something developed and quickly out the door, oftentimes those shortcuts taken require you to essentially take out a loan with a high interest rate. Eventually that loan will come due and you will end up paying more in the long run. The key point here is that with today's cybercriminal tactics, taking a technical debt loan opens up a whole list of additional impacts that were not typically a risk in the past. When an organization chooses to take a big technical debt loan out, it is ultimately presenting more opportunities for an adversary to exploit. You are now taking on additional risk that can potentially cause irreparable harm to your organization. These risks, if breached can cause impacts to customers (trust and loyalty), brand and reputation, and regulatory or legal action to name a few.
With cyber threat intelligence that is relevant to your business, supply chain and industry, you can pinpoint key areas of risk to address. What we’ve seen over the past year is a good reminder to focus on the security basics before addressing the more complex. There are a lot of headline-grabbing threats that tend to generate a needless frenzy, which in many cases may not have as direct an impact on your organization anyway.