When A Simple SPAN Port Is Enough (by Timothy Schmidt)
Sharkfest 2018 - TCP Fundamentals Part 2 (by Chris Greer)

Network Security Countermeasures and Solutions -"Things You Must Do, First" (by Andrew A. Vladimirov)

Before even planning, not to mention budgeting and starting to implement any countermeasures, it is necessary to have a clear picture of what do we actually defend against, as well as what is it that we are defending. Unfortunately, in over 15 years of my experience in information security this is rarely the case. More often than not, decisions on security safeguards depend on anything (ranging from vendor relationships and discount offers to aggressive security solutions marketing and relevant media hype of the year) but the actual risks faced and attacker strategies employed.

So, a question of “how effective/modern/popular the proposed safeguard (whatever it might be) is?” is blatantly wrong (and yet remains a very common question from the IT side).

There must be, of course, an implemented security baseline (including, at least, strong password policy enforced, antimalware on all Windows and MacOS hosts, SPAM filter, stateful or proxy perimetre firewall, reasonable network separation rather one nightmarish flat network with everything on VLAN1 still seen in numerous SME’s, some user security awareness training, and hard drive encryption on mobile hosts taken off site including BYOD). However, everything else is subject to discussion. 

The question “does it address the real risks we face according to their criticality” is the right one, but it requires approaching information security as a form of risk management it is, which is often not the case. So, it's a question of overall strategy, then tactics, and not “which particular gun is more powerful/we fancy more”. I’m deliberately using military analogies here as 8 years ago we did a book that approaches information security through a military strategy framework, the second edition came 4 years ago, and despite all technical change it is as relevant now as it was then.

 

We, of course, cannot anticipate all attacker actions, but we can diminish their space for maneuver and even direct them where we want to (e.g. a honeypot, or at least non-critical systems/isolated networks that hold no sensitive data at all) as much as we can (afford) by:

  • Making educated guesses on what they can do based on a) threat intelligence b) pentesting/vulnerability scanning/other security auditing and threat modelling outcome c) incident statistics / attack attempts track record
  • Understanding and reducing the attack surface (easier said than done those days due to cloud/SaaS/BYOD/telecommuting and remote work including outsourcing to 3rd parties)

So, it’s not only about how they strike, but also where and what they can strike (which is often not that obvious, “tangible”, and not covered by the “traditional” controls). Hence the criticality of

  1. Data discovery (including in the cloud and on end-hosts, some of which are likely to be BYOD)
  2. Old good asset discovery and inventorisation, including the “intangibles” (user accounts, external services and applications in use, virtual instances in public clouds), desirably dynamic and in (near)-real time.
  3. Data and asset classification to prioritise risks (if you can’t fully know where all business information is, then narrow the scope to sensitive information only)

So, the “old school” (read ISO27001:2005) asset-centric approach is not dead in the waters, but the very definition of “asset” is now redefined as more intangible and account-centric. Think of all the SaaS services and apps your employees may be using and where (deliberately or not) business information may end. Can you list them? Are they allowed by the current Acceptable Use policy, and if not should it be updated? Are they shared? How strong their authentication is?

If, let's say, corporate Mac users employ iTunes for automated backup by default, does it mean sensitive company data ends up in personal iTunes storage, especially from BYOD Macs? If so, what exactly do we do about it? Ban BYOD? Block iTunes? Deploy DLP? Somehow enforce strong auth to iTunes and write it off as an acceptable risk? Encrypt all sensitive data in a way it doesn’t matter where it is providing the attackers can’t get the key?   

The “where and what” are excellent starting points where the defender at least has some control, and which determine a lot of the “how’s” at the same time. Yet, I’ve encountered numerous cases where understanding the actual attack surface (as opposed to a nice network diagram at the IT director’s whiteboard) is severely at lack. So, ongoing decent data, system (including virtual, mobile, BYOD), account, service, and application discovery and mapping are a must, and should be accompanied with their classification reflecting the real value of these assets for the company. Now let us move on to the “how’s”.

The current hype is, of course, social engineering (which is statistically justified, e.g. according to the UK Metropolitan Police 91 % of successful last year breaches began with a phish, and online social engineering is by no means limited to phishing). Then there are numerous client-side attacks, typically targeting browsers or browser plugins. However, are social engineering attacks as non-technical as the majority seems to think? And does it mean that the traditional server / database / network side exploitation and countermeasures are now relegated to history? 

In reality, hackers don't care which methods they employ providing they lead to a desired result. In a Sun Tzu described-manner, attacks flow like water finding any available gaps and filling them in. While there are simple mass attacks relying on a large number of targets (“spraying bullets in the dark rather than sniping”, the latter being a realm of APT) and looking for the low hanging fruit while using just one tested and tried methodology (pharming, "script kiddie scanning" for unpatched services, password guessing etc.), determined and skilled hackers employ a combination of social engineering and technical (client/server/application/database/all 7 OSI layers network) attack means which interchange subject to how events unfold and where the next available gap can be found. While social engineering tends to predominate at the initial "getting the foothold" stage, and purely technical means tend to do so at the next stages of privilege escalation and further intrusion, this generalisation has numerous practical exemptions.

I would argue that there is really no such thing as purely non-technical social engineering, unless it is done in person, over the phone, or via printed letters. Even the most basic social engineering attempts such as whale phishing (“Hi, I’m your boss, could you please send me such and such sensitive info ASAP”), or ancient pretending to be tech support and asking for login credentials requires correct harvesting of target contacts (this may take more than just visiting Linkedin) and bypassing SPAM filters, source domain checks, and may be even a DLP (if in place). The rabbit hole, of course, goes much deeper than that. There are multiple technical ways of luring targeted users to do what social engineers want them to. For a reasonably recent working example of such methodology, please see https://www.securityweek.com/phishers-use-new-method-bypass-office-365-safe-links, however many other means including clickjacking, abusing URL splitting, and malicious banner insertion will do. For local attacks with the same aim, any man-in-the-middle or session hijacking trickery will work, and then there is the whole art of wireless hotspot cloning as the easiest and most straightforward way to get unauthorised access to traffic and execute both man-in-the-middle and client side attacks (including trying to push malicious updates to local apps as in https://www.hackers-arise.com/single-post/2017/10/11/MitM-Attacks-Hijacking-Software-Updates-with-evilgrade)

A simple "please open this attachment" attack is not technically simple at all: the malicious attachment should successfully pass email filters prior to reaching the target, local antimalware upon execution, and provide a reliable backchannel / way to control the system (e.g. via powershell) without triggering any alerts and causing suspicion (unless we are talking about blatant ransomware). As numerous antimalware vendors move to full HIPS model rather than just an antivirus, circumventing it becomes more complicated (as the HIPS will look at suspicious system calls, processes executed with undue privileges etc. rather than just malware signatures/heuristics). It agreeable, though, that the complexity is at the malware writers side while cybercriminals can simply buy what they need at Darknet. 

Once the foothold is established, more often than not a soft network underbelly is there to take over using the "traditional" service and network attacks (and despite all the volumes written and told on defence-in-depth up to date). If you are adventurous enough, use Metasploit/Armitage “Hail Mary!” (launch all exploits at all discovered hosts) option inside your network perimeter and see whether it comes up with a shell (while externally, such attacker brutality doesn’t work for eons). However, it also provides great opportunities for social engineering, especially if the foothold is a user account with a high degree of trust. This is a common outcome of a browser client-side attack as authentication cookie or password stored in the browser cache is compromised, so in such a case a browser/plugin or web app exploit is used first to enable effective social engineering to follow.

Until how (and where) attacker approaches work in combination and create compound risks is properly understood, the defenders will continue building virtual Maginot lines and gasping at being outflanked yet another time. So, prior to any infosec planning, try at least answering the following five key questions:

  1. What are your most critical assets at the moment and why? (these are not necessarily tangible, could be intellectual property, contract agreements, customer lists etc.)
  2. Where exactly are they? (could be in the public or other cloud, stored by a SaaS service, or locally on systems well outside network perimeter)
  3. How and who can directly get to them a) remotely b) locally? (the “critical” attack surface)
  4. How and who can get to them indirectly?  (the overall attack surface) and
  5. Which methods could they employ to do so, and how easy is it going to be? (having a recent pentest or other security audit report, social engineering and physical security assessments included, helps a lot here)

While answers to the first question determine the impact, those for the rest of them define the likelihood, which gauged together compose the actual risk. It may seem straightforward, but easier said than done in practice, which could be the reason why frequently it is not done at all.

PhotoAuthor - Andrew Vladimirov - Principal Information Security Consultant

  • Andrew has over a decade’s commercial experience in preparing organisations for ISO 27001 audits and currently heads up the consultancy division.
  • Andrew was one of the first UK IT professionals to obtain the Certified Wireless Network Administrator certifications.
  • Andrew is a researcher with a wide area of interests ranging from cryptography and network security to bioinformatics and neuroscience, publishing his first scientific paper at the tender age of 13.
  • Andrew is the co-author of several books including Wi-Foo: The Secrets of Wireless Hacking; Hacking Cisco Exposed; and most recently Assessing Information Security: Strategies, tactics, logic and framework.
  • CISSP, CCNP, CCDP, CWNA, TIA Linux+. Certified ISO/IEC 27001:2013 Lead Auditor.
  • Security risks management, information security management systems (ISMS) and standards/compliance expert/auditor.
  • Infrastructure appliances and low level protocols security, applied cryptography, incident response and investigation specialist.
  • Andrew regularly runs bespoke information security training courses and seminars.
  • A founder of Arhont -A Top Security company - www.Arhont.com

Poachers turned gamekeepers to provide the best advice

Wholly independent means we give impartial advice

Proprietary tools and best practice processes differentiate us from competitors

At the forefront of developments in information security providing technical excellence

Authored the first penetration testing guidebooks on Wireless and Cisco

Always up to date on security matters and keep abreast of all new development and threats

Contributors to international security community

Hands on experience allows us to implement countermeasures in versatile environments

Well versed in advanced applied cryptography, configuration, penetration and hardening

Known as the ‘Consultants - Consultant’, we mentor and train industry experts

 

Comments