The recently published book, Navigating the Digital Age: The Definitive Cyber Resource Guide for Directors and Officers, is an interesting read. What it sometimes lacks in consistency, it makes up for in diversity of viewpoint. In one part of the book, an author may write that IT administrators need to focus more on border security, and then a few chapters later, another author may be arguing practically the exact opposite. This is no accident — Navigating the Digital Age is more like a collection of whitepapers arranged by area of interest than a conventional book. So, while every paper may not appeal to you, it is likely that some will meet your interest and level of awareness.
One article that I found insightful was, “Breaking the Status Quo: Designing for Breach Prevention,” by Davis Hake of Palo Alto Networks (Chapter 28). In particular, I liked the treatment of the “cyberattack lifecycle,” highlighted in blue toward the end of the article. It shows a good understanding of the modern security landscape, and there are a few things that I would emphasize and add to what they wrote:
- Reconnaissance — It’s true that attackers are often able to find out a great deal of information about a target through simple Internet searching. Between professional sites like LinkedIn and search engines, attackers are given more useful information than you might think. Among the things worth considering as part of your security posture is what type of metadata your company exposes through published documents and whether it is possible to identify valid user IDs through services such as SMTP or employee directories. In the former case, freely available metadata scanning tools can be used to quickly identify valid user IDs (and your user ID format, if this is not the email address) and to feed them into a password-guessing attack. In the latter case, our own team has had success enumerating valid user IDs by brute force, extracting names from U.S. Census data. Having a solid plan for how you manage this data (and knowing how to tell when things are not going to plan) can have a big impact on your effective security level.
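To make the document-metadata point concrete, here is an added audit script (not from the book or the Palo Alto Networks article) that reads the core properties of an Office Open XML file the way a pre-publication check would and flags values that match an assumed internal user-ID convention; the sample document and the `USER_ID_RE` pattern are constructed for illustration.

```python
# Audit Office Open XML files (.docx/.xlsx/.pptx) for author metadata before
# publishing, so leaked user IDs can be stripped first. Added example, standard
# library only; the sample document and user-ID pattern are constructed.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Constructed assumption: internal user IDs look like "jsmith" (initial + surname).
USER_ID_RE = re.compile(r"^[a-z]{3,}\d*$")


def extract_core_properties(doc_bytes: bytes) -> dict:
    """Return identity-bearing fields from docProps/core.xml ({} if absent)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    fields = {}
    for tag, key in (("dc:creator", "creator"),
                     ("cp:lastModifiedBy", "last_modified_by")):
        node = root.find(tag, NS)
        if node is not None and node.text:
            fields[key] = node.text.strip()
    return fields


def find_exposed_user_ids(doc_bytes: bytes) -> list:
    """List metadata values that match the internal user-ID convention."""
    return sorted(v for v in extract_core_properties(doc_bytes).values()
                  if USER_ID_RE.match(v))


def build_sample_docx(creator: str, modified_by: str) -> bytes:
    """Constructed minimal .docx carrying only the core-properties part."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_exposed_user_ids(build_sample_docx("jsmith", "Marketing Team")))
```

Running the same check over every document on a public web server, and normalising the author fields to a role name before release, removes one of the cheapest sources of user-ID format information an outsider can get.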
- Weaponization/Watering Hole/Exploitation — As noted by Palo Alto Networks, outdated software and spear phishing attacks are indeed the problem! While there are many ways to get malware onto your systems, the easiest method for attackers is to take advantage of third-party applications on user workstations. Ten or twenty years ago, the most common attacks were against Internet servers, but now the users and their workstations are the focus. Very few organizations (in fact, virtually none that I have assessed) have a comprehensive and effective plan for keeping third-party software such as Adobe Acrobat and Java up to date. Until you do have this, you will likely be playing a perpetual game of “whack-a-mole.”
- Installation — Yes! As Palo Alto Networks writes, once an attacker has gotten a metaphorical foot in the door, it all becomes about trust relationships. Virtually every organization has trust relationships that they may or may not be aware of. Consider the following questions: Do you have unique local administrator passwords on each machine? Do you use software or hardware firewalls to limit exposure between devices of differing security levels? Do you strictly limit the granting of local administrator rights to users? If not, the attacker will most likely be able to escalate that regular user ID into an administrator credential in a matter of hours, or even minutes.
- Command and Control — In addition to all the other problems in dealing with malware, modern C&C traffic is usually encrypted within HTTPS tunnels, making it very difficult to identify, let alone control. In particular, it can be difficult to effectively decrypt and analyze HTTPS traffic. Aside from a device properly configured to observe HTTPS traffic, having the ability to block traffic by IP address blacklists is particularly helpful.
- Actions on the Objective — Treat your network as compromised. It probably is. If it isn’t, you are probably just lucky (so far). Assume that you cannot stop malware from getting in, and find other ways to deal with it — logging and log reviews, good incident response procedures, and contingencies for protecting and backing up essential data in the event of a nasty incident, such as an attack via CryptoLocker or other ransomware. This is where a good assessment of your practices and procedures can really be valuable, as it is often a human that can most effectively identify and deal with an attacker in your network.
Overall, I think this is an informative, useful publication that I consider well worth reading.
Lastly, do you have an article or topic that you would like to discuss further? Feel free to email me at firstname.lastname@example.org.