The math favors the attackers. There is little you can do about the attacker, but there is a lot you can do about you
Another week, another set of cybersecurity stories occupying our bandwidth, if you’ll pardon the pun. Where would you like to start? Indictments? Sophisticated attacks on private sector interests and critical infrastructure? The tidal wave of sudden cybersecurity experts on the airwaves?
One of the greatest cybersecurity challenges is the bleed over into virtually everything we do. And making that challenge even more difficult is the misuse of vocabulary. Was the election “hacked” as so many say? No. Was confusion and discord spread during the campaign? Yes. Did it make a difference? Incalculable. You see, the chefs have created a minestrone soup of cybersecurity issues and the servers can’t really tell the customers what the ingredients of the soup are. So that’s what we’re going to start, as best we can, from scratch so you can identify the key ingredients and know how to react, at least to the easy stuff.
Start here: The U.S. is always a target. Take that as a given. The U.S. will always be the biggest and most sought-after target for the foreseeable future. If some foreign entity is not trying to mess with us or attack our networks, something is very off in the world. So treat interference, whether it is information warfare or an advanced persistent threat into our networks and everything in between, as constants, not variables. They’re going to happen and the only way to slow them down is through fear of consequence, usually in the form of economic pressure or kinetic warfare. We opt for the former if we have any say in the manner, but recognize the latter must always be on the table.
With that out of the way, here’s the next to know: Things are going to get worse. We felt that way in 2017. We feel that way in 2018. We are probably going to feel that way in 2019. Why? Here’s a quick rationale: For the attacker, the capability to conduct attacks will rise and cost to carry them out will continue to fall. For the defender, the capability to stop attacks will continue to be weakened and cost to prevent them will continue to rise.
In other words, the math favors the attackers. There is little you can do about the attacker, but there is a lot you can do about you. So are we prepared? On a good day, we’d venture to say “not really” using exhibits like: WannaCry (not good at patching), ransomware in general (not having easily accessible backups) and giving access to accounts (phishing, spearphishing, and pretexting).
You see, in each case we generally knew what to do…except we didn’t do it! We deserve the red card in all of these cases. So it’s broken record time for us (or “repeat” if you use an MP3 player) and to illustrate our “easy to-dos” we will use a US-CERT alert from this past March as a real example.
In a nutshell, this campaign seeks to compromise targets (the oldest tricks are still most often the best). Initial victims are peripheral organizations, such as trusted third-party suppliers. In this case, they are identified as staging targets. The threat actors use the staging target’s networks as pivot points and malware repositories for their intended targets. Therefore, both staging and intended targets are both victims in this case. Here is a list of tactics, techniques and procedures (TTPs in cyber speak) the threat actors used in this case:
- Spear-phishing, which is in the news a lot lately, but if you want to know the differences between phishing, spear-phishing, and pretexting, go here.
- Watering-hole domains involve attacking and infecting a domain the intended target is normally known to visit. Attackers look for vulnerabilities in the code of the website and inject their own malware there. More info here.
- Credential gathering is about as straightforward as it gets but the techniques can be different.
- Open source and network reconnaissance.
- Host-based exploitation is taking advantage of the webhost. Not all organizations have the ability to host their own needs, so you are at the whim of your host sometimes. If you’re in this boat, make sure you learn the differences between shared servers, virtual private servers and dedicated servers. They make a difference. Think apartment building, condo and house.
- Targeting industrial control system infrastructure.
The reason we did this little explanation section is that we are cognizant of the fact that cybersecurity is everybody’s problem and we need to what we can to up everybody’s game. Cybersecurity is not the exclusive play space of IT staff, vendors, consultants and contractors. In fact, as we have shown before, they are a large part of the problem.
So how do we defend against this type of attack described above? Well, it’s two-fold and it’s a two-fold process that applies to virtually every single cybersecurity problem out there: It’s a combination of technological solutions and doing the basics.
As for the technological solution, we won’t spend too much time on it here. Why? They cost money. Sometimes, they cost a lot of money, money you may not have as a small-to-medium sized business. Yes, we like machine learning and anomaly-based tools if they’re used as surgical tools, but this article focuses on “the easy stuff” and doing the easy stuff will significantly reduce your cyber risk profile. Here’s a quick list:
1. Do you trust your third party? The National Institute of Standards and Technology Cybersecurity Framework focuses on the need for a trusted third-party cybersecurity review. It’s necessary, given that third parties have caused or contributed to breaches and can easily be the weak link in your cybersecurity risk profile. What can you do?
- Fully audit/review your contractor before you do business with them. Paper reviews are good. In-person reviews are better.
- Practice least privileged access. Give them what they need. Nothing more.
- Make sure your contractual terms allow you to enforce cybersecurity at the vendor level.
- Make sure that you know how your contractor is handling, storing, and secure your data. Trust, but verify.
2. Don’t click the link or open the attachment! For the love of all things fuzzy and cute, just don’t. Plucking out these fake emails is like working out. If you’re not training, you’re not ready for game day. And guess what? In the cybersecurity world, “game day” is every single day you touch technology, without exception. Everybody needs to be training, from the part-time facility staff to the board of the directors.
3. Avoid the waterhole. Understandably, easier said than done. You have an expectation the sites you visit routinely will be safe, but you shouldn’t always assume their safe. We’ve seen some of the biggest companies have their sites hacked. If there are domains your organization regularly visits, it’s a good idea for your IT staff to do some regular “spot checking” to see if there is something wrong with the site. If so, warnings need to go out. This is a team sport. Also, teach your staff to be careful while browsing the internet. And if you’re dealing with super sensitive information, consider the practice of whitelisting sites and applications.
4. Don’t share credentials or personal information. If an email, text, website or app is asking for your credentials, red lights should flash in your mind. A general rule of thumb: If you go to a website that you frequent often, say like your vendor’s site or your bank, and then the site asks you for your credentials, chances are that’s legitimate because you initiated that action (a little bit more tricky with apps). But if something is asking you or prompting you to give up some information, be cautious and begin wonder why and whether it’s legitimate. The call to your IT department or bank to verify may cost you five to 10 minutes, but it could save you and your organization a world of hurt.
5. Train and practice for the worst. Simple. Just do it. Don’t have an incident response, business continuity and crisis communication plan. Instead, test them—and test often. Minimum twice a year. Make sure your vendors are doing so also.
6. Deal with your aging infrastructure. We understand that this is a time and cost problem. Perhaps you have been putting off upgrades because they’re too expensive. We appreciate that limitation, but there comes a point where the vulnerabilities outweigh the costs savings. Make sure you #PatchIt and if there is a common vulnerabilities and exposures announcement, make sure your IT staff is on it within 72 hours. Tough to do, yes. But necessary.
Above is a partial list of things you can do, but these are easy things to do. We even have more tools here to help you. Just remember this: If you’re not doing the basics, doesn’t matter if it’s a 14-year-old script kiddie or a nation state, both will treat you as an easy target. Best if you make yourself a difficult target to exploit so they can move on to somebody else.
The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help keep this nation and its data safe and secure. They are Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos.