Looking Behind the Attacks - Top 3 Attack Vectors to Understand in 2015
Malcolm Orekoya – Network & Security Specialist
30th January 2015
Table of Contents
Introduction
Identity Defines Everything
Malware Phone Home
SSL – Secure so Ignore?
Summary
About Network Utilities
Introduction
We saw an unprecedented number of high-profile cyber-attacks and malware infections reported in 2014 – Target, Snapchat, eBay and Adobe (to name a few). This has brought cyber security much more into focus, not only for C-level executives and cyber security analysts, but also for world leaders. The complexity and frequency of the attacks we saw in 2014 beg the question: what does 2015 hold?
Research statistics from AV-Test show that the total number of new malware samples detected in 2014 alone was over 143 million, and this figure has more than quadrupled since 2012 (http://www.av-test.org/en/statistics/malware/). As connected devices will undoubtedly remain on the rise in 2015, riding the wave of the new Internet of Things (IoT) era along with its myriad security implications, the likelihood is that this upward trend in new malware will continue. We will see even more malware specifically targeting the IoT, so a few good questions to ask now might be: what really lies beneath these cyber-attacks? What attack vectors are prominent? What new ones will we see in the future? And how can I protect against being a victim in 2015 and beyond?
Network Utilities has used its expertise in providing identity-centric networking and security solutions for Enterprises and Service Providers for over 20 years to look behind the attacks and highlight the key elements that malware, advanced persistent threats (APTs) and other cyber-attacks typically use to infiltrate networks, and how businesses can protect their valuable assets and data.
Identity Defines Everything
In this digital world, if we look at all interacting ‘things’ or entities, at the heart of it there must always be an assigned identity. These identities, which ultimately define a user, a device, a company, a system etc. allow you to stipulate the relationships and rules of engagement between them - that is, the access control policies. By being able to assign an identity to your network users, you are able to achieve the following:
• Authentication: the ability to reliably validate the identity of something attempting to access a resource against a known database or directory, using single- or multi-factor authentication.
• Access control: being able to control access to resources, giving permissions only to those identities that are authorised.
• Tracking: the ability to give everything within a network a unique, unalterable identity means that all activities performed within the network can be traced to a source.
• Non-repudiation: as a result of successfully implementing authentication, access control and tracking, an organisation can rely on an identity (a user and/or device, for example) being unable to deny or repudiate an activity performed on the network.
• Auditing: the ability to keep records of all security-relevant events and actions of all identities on the network provides documentary evidence of the sequence of activities that have taken place over a specific time period in relation to an operation, procedure or event.
How does this all relate to attacks? Well, for network owners, knowing the identities of things using the network is important to enforce who has access to what and when, amongst other things. For hackers, compromising these identities is also important for gaining illegitimate access. One method of doing this is via stolen credentials, which has been one of the most widely used attack vectors for several years, as highlighted in the Verizon Data Breach Investigations Reports (DBIR) for 2012, 2013 and 2014 (http://www.verizonenterprise.com/DBIR/).
The tactics used by attackers to hijack credentials, such as keyloggers, phishing, man-in-the-middle attacks, password-dumper malware, targeted attacks and social engineering, are all a means to retrieve credentials and circumvent any authentication mechanisms in place. In many cases this is also one element of a more elaborate attack that ultimately engages in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.
The need, therefore, for the identity of things using your network to be defined, unique and securely verifiable is paramount. This means access to resources can be securely authorised and tracked. In 2015 the use of multi-factor authentication will likely become mandatory, especially for remote access, but it will also become more widely used for internal access. One should also not underplay the effectiveness of simple solutions in this regard. For example, simply making sure default passwords are not in use across the network, using stronger passwords and avoiding the use of straight dictionary words can cut out a huge chunk of the problem.
Malware Phone Home
Malicious software can come in various forms with varying goals, but the vast majority of malware today plays a major part in botnet attacks, that is, a robot network of internet-connected devices that are used as part of a larger attack, such as a DDoS attack. Devices can be infected by malware in a variety of ways, such as malicious website adverts that induce users to click on them or purchase rogue software. Irrespective of how devices get infected, in almost all cases of botnet malware the infected device has to establish an outbound connection to a command-and-control (C&C) server (host). This is the home server, the command centre if you like, that the malware has to communicate with in order to receive further instructions on what malicious action to take next and when.
The ZeuS family of malware, for example, is well documented to use C&C servers for its activities, to the extent that networks have been set up to track its C&C activity online (https://zeustracker.abuse.ch/statistic.php). There are, however, several variants of the ZeuS malware, such as GameOver Zeus (GOZ), which focused on stealing bank credentials, and others that take part in botnets for other types of attack. This shows that even a single type of malware infecting a device can perform multiple tasks, so simply blocking one attack vector does not guarantee security.
Stopping malware from infecting devices should be part of any administrator's defence-in-depth strategy first and foremost, but when a device is already infected with malware there also need to be mechanisms in place to deal with this. In order to do this effectively we need to understand how C&C malware inherently functions. The initial connection to the C&C server in almost all cases involves resolving a domain name system (DNS) record to the IP address of the C&C server. Therefore the DNS activity on the network needs to be understood and protected. If network administrators are able to monitor and block such rogue DNS queries, the activity of such malware can essentially be stopped, or at the very least stalled. In 2015 advancements to the security of DNS, such as DNSSEC, which seeks to improve the integrity of DNS data, must become more widely used across Internet Protocol (IP) networks.
In addition, if all outbound communications from the trusted network can be monitored, providing visibility of all protocols and applications communicating outbound, malicious outbound activity can also be stopped. There are many other protocols besides DNS widely used across the internet today, such as NTP, which were not built with security in mind and were certainly not built for the scale of use we see today. These protocols will continue to fall victim to misuse and must not only be inherently improved as protocols; more importantly, the improvements must be implemented by network administrators as soon as possible.
Mechanisms need to be put in place to monitor and control various elements of outbound traffic. Web filtering gateways, proxy servers, application firewalls, DNS firewalls, whitelists and blacklists are all methods that should be employed at different layers in a 2015 network that seeks to prevent any malware from utilising its transport network or devices as a means to its end goal.
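The DNS monitoring described in this section can be prototyped as a small query-log analyser that flags lookups of known C&C domains and ranks internal clients by how often they make them. This is an added example, not code from the paper or from Network Utilities; it assumes BIND-style query-log lines (constructed here) and a hypothetical blocklist using placeholder domain names rather than real indicators.

```python
import re
from collections import Counter

# Constructed BIND-style query-log lines (sample data, not from the paper).
SAMPLE_LOG = """\
30-Jan-2015 10:00:01.123 client 10.0.0.12#51234: query: www.example.com IN A + (10.0.0.1)
30-Jan-2015 10:00:02.456 client 10.0.0.12#51235: query: cnc-one.badhost.example.net IN A + (10.0.0.1)
30-Jan-2015 10:00:03.789 client 10.0.0.44#40001: query: mail.example.com IN MX + (10.0.0.1)
30-Jan-2015 10:00:04.001 client 10.0.0.44#40002: query: a3f9k2l0q.badhost.example.net IN A + (10.0.0.1)
30-Jan-2015 10:00:05.002 client 10.0.0.44#40003: query: zz8q1w7e3r.badhost.example.net IN A + (10.0.0.1)
"""

# Hypothetical blocklist of known C&C domains (placeholder names, not real indicators).
BLOCKLIST = {"badhost.example.net"}

LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (client_ip, queried_name, query_type) for each query-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("name").rstrip(".").lower(), m.group("qtype")


def in_blocklist(name, blocklist):
    """True if name equals a blocked domain or is any subdomain of one."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def analyse(log_text, blocklist):
    """Return (alerts, per_client_hits).

    alerts lists every query that matched the blocklist; per_client_hits counts
    matches per internal client so the most active infected host surfaces first.
    """
    alerts = []
    hits = Counter()
    for src, name, qtype in parse_queries(log_text):
        if in_blocklist(name, blocklist):
            alerts.append({"client": src, "name": name, "type": qtype})
            hits[src] += 1
    return alerts, hits


if __name__ == "__main__":
    found, per_client = analyse(SAMPLE_LOG, BLOCKLIST)
    for client, count in per_client.most_common():
        print(f"{client}: {count} blocked lookup(s)")
```

The same matcher can feed a DNS firewall or RPZ-style policy: the blocked query is answered with a sinkhole address instead of the C&C server's, and the hit is logged for the incident-response team.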
SSL – Secure so Ignore?
Historically, many attack vectors have not been completely new, and neither have the protocols being misused. As mentioned earlier, DNS, for example, has been in use on the internet for decades but was not being used as widely as it is now for malicious activity. As cyber-attack tools become more advanced and easier to get hold of, other misused protocols will come to the forefront, not because they are new or only suddenly being abused, but more likely because the tools and computing resources required to misuse them at scale and speed have simply improved.
So we need to keep an eye on the protocols and methods we currently use in our networks, which appear to be secure at the moment, as that could quite easily change in the near future. One such technology is Secure Sockets Layer (SSL) encryption, which has been in use to secure communications between two endpoints for decades and more recently has become the default communication method for many online services. Companies like Google, for example, have activated SSL encryption by default, and many other organisations have done the same.
Although SSL establishes a secure encrypted link between two endpoints, usually client and server (such as a web browser and website), it is already susceptible to attack and misuse. The main issue with SSL at present is probably that administrators see it as secure and therefore do not look to control much of its communication on the network. As SSL becomes more widely used to deliver direct communication between endpoints, it is likely that hackers will look to infiltrate this mechanism. Therefore it is important that administrators do not ignore SSL traffic on their network and start looking to control more of what this protocol does. There are mechanisms available in next-generation firewalls and other types of security appliance to securely intercept and decrypt SSL traffic in order to inspect what is being carried across this transport layer. As SSL becomes more widely used, and the IoT most likely adopts it as part of its transport mechanism, administrators in 2015 need to keep a very close eye on this attack vector and monitor its growth in use for malicious activity.
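Full decryption by a next-generation firewall is one way to stop ignoring SSL traffic; a lighter complement that any monitoring point can apply is to read the server name from the unencrypted ClientHello, which tells you which host each SSL session is for before any decryption. The parser below is an added example, not code from the paper or from Network Utilities; the ClientHello it parses is constructed inline by `build_client_hello` so it runs offline, and both function names are this example's own.

```python
import struct

SNI_EXT_TYPE = 0  # TLS extension type for server_name (RFC 6066)


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def build_client_hello(server_name):
    """Assemble a minimal TLS 1.2 ClientHello record carrying an SNI extension
    (constructed test input so the parser can be exercised offline)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type=host_name
    sni_ext = struct.pack("!HHH", SNI_EXT_TYPE, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32                 # client_version, random
            + b"\x00"                                  # empty session id
            + b"\x00\x02\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                              # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)  # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record):
    """Return the host name from the SNI extension of a TLS ClientHello record,
    or None if the bytes are not a well-formed ClientHello carrying SNI."""
    try:
        if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
            return None
        off = 43                              # record hdr(5)+hs hdr(4)+version(2)+random(32)
        off += 1 + record[off]                # skip session id
        off += 2 + _u16(record, off)          # skip cipher suites
        off += 1 + record[off]                # skip compression methods
        ext_end = off + 2 + _u16(record, off)
        off += 2
        while off + 4 <= ext_end:
            etype, elen = _u16(record, off), _u16(record, off + 2)
            off += 4
            if etype == SNI_EXT_TYPE:
                # server_name_list: list_len(2), name_type(1), name_len(2), name
                name_len = _u16(record, off + 3)
                if off + 5 + name_len > ext_end:
                    return None
                return record[off + 5: off + 5 + name_len].decode("ascii")
            off += elen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
```

The extracted name can be logged per internal client and compared against the same allowlists and blocklists used for DNS, so an SSL session to an unexpected host is visible even where decryption is not deployed.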
Summary
The spate of cyber-attacks and data breaches that we witnessed in 2014, especially of high-profile large companies such as Sony, eBay, Twitter, Target and JPMorgan Chase, clearly shows that cyber criminals took their criminal activities to a new level this past year. This is particularly worrying because one would assume that these organisations have the finances to employ top-of-the-line security personnel to run a top-shelf information security team or department. But when organisations like the US Pentagon can fall victim to hackers, then the rest of us could be left thinking – we don't stand a chance.
The first thing to note however is computer networks essentially all boil down to ones and zeros, and there is no distinction in this regard given to a small, medium, large or super large network. Inherently all these networks use the same or similar underlying protocols and services, especially on the internet. Therefore what a malicious user concocts to break down a protocol or service, if successful, will apply everywhere that the protocol or service is used. This is why it is vital to look behind the attacks, to understand exactly how these attacks are taking place, what attack vectors are being used and to keep a curious eye on the trend of ‘things’, because this could arguably be a forecast of the direction in which malicious activities will head.
About Network Utilities
Established in 1993, Network Utilities (Systems) Ltd has a strong legacy of providing identity-centric networking and security solutions to both Enterprise and Service Provider businesses. We partner with our customers to provide comprehensive solutions and services through a process of listening, defining requirements, reviewing the market, enabling pilot and project delivery, and providing on-going 24/7 support services.
Contact Details:
Network Utilities (Systems) Limited
Liberty House, 516 Walton Road, West Molesey, Surrey KT8 2QF
Tel: 020 8783 3800
Email: [email protected]
Web: www.netutils.com