Cybersecurity: You can’t fight a Cyborg with bows and arrows

Kerstin Stief
11 min read · Jun 22, 2021

The threat landscape for enterprises — large and small — is changing. External attackers are still responsible for most attacks, and their share is rising steadily while the involvement of internal perpetrators declines at the same rate.

Espionage also appears to be playing an increasingly minor role. The involvement of actors identified as nation-state or state-affiliated fell from 23% to less than 5% over the past two years. On the other hand, the share of organised crime rose from 39% to over 80% in the same period. De facto, all attacks are now financially motivated. The most popular tools and methods include the use of malware (70%) and the exploitation of vulnerabilities, both human — this includes misconfigurations as well as social engineering — and systemic. Ransomware is also on the rise again. And despite all the awareness measures, phishing continues to thrive: a full 11% more fell for it than in 2020.

The figures come from the last three editions of the Data Breach Investigations Report (DBIR), which Verizon Communications Inc. has published since 2008. The current report, with many details, can be downloaded from the company’s website.

But, but, but … I am using a firewall!

The other side is also using technology. Without time pressure and with sufficient resources (knowledge, money, technology), almost every attacker finds a way into the company. Complex and heterogeneous IT service landscapes, outdated technology, stinginess in SLAs, outdated software versions or patch levels, missing or inadequate backup and disaster recovery strategies, as well as the 85% human factor, make it fairly easy for potential attackers most of the time.

Attackers for whom time and resources do not matter are particularly dangerous

A firewall may still help against a few so-called script kiddies. However, it fails completely against more complex attack scenarios (Advanced Persistent Threats, APTs) and against human weakness.

It becomes dangerous when time and money play no role for the attacker. Even the technically less adept can find everything they need on the Darknet. Since the attack on Colonial Pipeline at the latest, this has been no secret. Service providers like DarkSide have specialised in providing others with knowledge and tools: Cybercrime as a Service.

Little effort, maximum damage

Great danger lies in the period between the disclosure of a security vulnerability and the availability of patches. On average, it takes nine days after a security vulnerability becomes known until a patch is available. But even with the availability of patches, the danger is not over. Research by FireEye Mandiant Threat Intelligence found that known vulnerabilities continued to be exploited for up to a month after a patch was released — in some cases, for as long as two years afterward.

Why is that? Patches cannot always be applied immediately. Depending on the size of the company, it can take up to 30 days. Some companies never patch their systems, either because they don’t know about the patches, lack the necessary resources, have no patch strategy or little IT expertise in general, or don’t consider themselves a target. The latter is a mistake that can cost dearly.

Known vulnerabilities are often targeted by so-called script kiddies: it takes little time, little budget, and you don’t need much of a clue. Nor does it matter who is attacked or whether the attack succeeds. They simply try what works and feel as great as a real cybercriminal when it does.

These freeloaders really don’t scare anyone. But even without a known vulnerability, more and more attacks are succeeding. It gets interesting when supposed ignorance meets curiosity. Entropic chaos has already unearthed some vulnerabilities.

The great art of Zen Fuzzing

Fuzzing is a technique from pentesting. It involves feeding random, deliberately invalid sequences or arbitrary data to an application, interface or protocol and observing what happens. The technique is also known as monkey testing.

Fuzzing can help find bugs and deadlocks in code or detect undefined behaviour. Besides wild hammering on the keyboard, tools are also available, ranging from fuzzing software to ready-made random inputs. The Open Web Application Security Project (OWASP) maintains a list of tools and describes the methods fuzzers use.

Of course, the other side also knows these tools and approaches. Fuzzing has very likely played a major role in more than one zero-day exploit. The nasty thing about zero-day attacks is that they are unknown and there are neither signatures nor patches for them. To put it bluntly, a classic UTM firewall is completely worthless here and cannot detect zero-day attacks at all. The only chance is behavioural analysis (anomaly detection) in combination with whitelisting and application or protocol decoders — also known as a Next Generation Firewall (NG FW). Two things are crucial to recognise a real NG firewall: 1.) near line-speed performance even when all functions are enabled and 2.) a Single Pass Engine (SPE).

However, even this technology has limitations. If behaviour deviates abruptly from the pattern learned earlier — as during a pandemic, when suddenly everyone is working from home — even the good guys are locked out. The other example is the manipulation of supply chains, as happened with SolarWinds. There, the attackers disguised their code as a valid-looking update or plugin and thus passed all security gates with ease. Unfortunately, no anomaly detection or zero-trust technology can help against that.

The digitisation of organised crime has only just begun. To arm itself against it, a company must not only understand the individual stages of an attack. More importantly, it needs to build a layered security architecture, use advanced technology such as machine learning (ML), artificial intelligence (AI) and graphs, and take preventive measures such as establishing its own intelligence service: threat intelligence. The use of professionals with military training is also helpful.

War is war. In cyberspace, too.

The military concept of a kill chain describes the structure of an attack. The complete chain consists of several phases and begins with the identification of a target, followed by preparations for the attack, the attack itself and finally the destruction of the target. The task of the defence is to break such a kill chain.

Anatomy of a cyber attack

Computer scientists at Lockheed Martin described the intrusion kill chain framework for computer networks in 2011. Similar to the military concept, a cyber kill chain also consists of several stages. Understanding the stages of a cyber attack helps identify and combat attacks, including complex scenarios such as advanced persistent threats (APTs).

Lockheed Martin breaks down the cyber kill chain into seven stages:

  1. During reconnaissance, an attacker selects the target, explores it and attempts to identify vulnerabilities.
  2. During weaponization, the intruder develops tools tailored to the previously identified vulnerabilities.
  3. In the course of delivery, the attacker infiltrates the target with the created weapon.
  4. After successful infiltration, the weapon is activated in the course of exploitation.
  5. A successful trigger initiates the installation of an access point through which the attacker enters the target network undetected.
  6. Once the attacker has penetrated a network, he can establish additional measures for permanent access to the target network (command and control).
  7. Now the attacker can initiate further actions to destroy his victim (actions on objectives).

For the individual phases of the Cyber Kill Chain, MITRE has established ATT&CK® (Adversarial Tactics, Techniques, & Common Knowledge), a freely accessible knowledge base. Based on real-world observations of the tactics, techniques, and procedures (TTPs) used by attackers, the matrix is constantly updated and expanded.

You get me, you get me not

Attack and defence are a constant race. Often, the initial stages of a cyber kill chain are difficult or even impossible to identify. Moreover, the order of the individual stages is not strictly fixed, and not all stages are always applied.

To successfully disrupt an attack, different countermeasures must be taken for each stage. The earlier an attack is detected — and repelled! — the better.

An interesting key figure in this context is the dwell time, the period during which attackers can move undetected in an environment. This span between the moment an attacker penetrates and the moment he is detected is also referred to as Mean Time to Detect (MTD). It is noteworthy that, according to the M-Trends Report 2021, the average dwell time in the Americas decreased from 66 days (2019) to 17 days (2020), but in EMEA it increased from 54 to 66 days over the same period. Still, according to Sophos’s Active Adversary Playbook 2021, attackers in German companies are expected to go undetected for an average of only eleven days.

There is no one size fits all

IT security is as individual as each company itself. There are, however, basic principles that can form the foundation of any security concept. Individual measures should nevertheless always be tailored to the specific circumstances of a network or business model and its processes.

In addition to classics such as deep packet inspection (DPI), segmentation, intrusion detection and prevention systems (IDS/IPS), data leak prevention (DLP) or indicators of compromise and attack (IoC/IoA), real-time correlation of events and behaviour analysis or anomaly detection are proving particularly effective.

Zero-trust models and architectures such as SASE (Secure Access Service Edge) are gaining in importance, as are predictive analytics, graphs or proprietary threat intelligence.

Below we give examples of effective measures for each phase of an attack:

Reconnaissance
At this level, much can be accomplished with policies and filters for interfaces and access points at the network perimeter:

  • block any probing such as port scans
  • apply patches and updates early to close any gaps quickly
  • consistently hide the network as much as possible (e.g. set unused NICs to stealth mode)
  • block IPs known to be malicious as well as certain regions (IoC)
  • hide information, e.g. by encrypting at least the transport layer
  • establish a zero-trust model

On a social level, it helps to offer workshops in which employees learn how to use social media with confidence (media competency). To protect employees, everyone should only have access to the information they need to perform their job (need-to-know principle). This requires continuous classification of all data, but it protects against unintentional disclosure of information in the course of social engineering.

Work-from-anywhere organisations should emphasise modern, centralised device management and, if possible, rely on virtual desktops (VDI). This way, even private devices cannot reveal any information that could help potential attackers penetrate the network. The use of holistic solutions such as VMware’s Anywhere Workspace Suite is recommended.

Real-time graphs as part of Security Orchestration, Automation, and Response (SOAR) can provide early warning of unusual network activity and help to initiate appropriate countermeasures at a very early stage.

Graphs represent a set of objects together with the connections that exist between these objects. A graph consists of nodes (vertices), attributes and links (edges). Neo4j has summarised the essentials in an article.
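As an added example, not part of the original article, here is how the graph idea and the anomaly detection mentioned above can be applied to flow logs: hosts become nodes, each connection an edge carrying the ports seen on it as an attribute, and a source that probes many ports on one host (the port-scan probing the Reconnaissance list says to block) or fans out to far more hosts than its peers is flagged. The log lines, IP addresses and thresholds are constructed for this illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow log (not from the article): time src dst dport
SAMPLE_LOG = """\
09:00:01 10.0.1.5 10.0.2.10 443
09:00:02 10.0.1.6 10.0.2.10 443
09:00:03 10.0.1.5 10.0.2.11 445
09:00:04 10.0.1.7 10.0.2.12 3389
09:00:05 10.0.1.9 10.0.2.10 21
09:00:05 10.0.1.9 10.0.2.10 22
09:00:05 10.0.1.9 10.0.2.10 23
09:00:05 10.0.1.9 10.0.2.10 25
09:00:05 10.0.1.9 10.0.2.10 80
09:00:05 10.0.1.9 10.0.2.10 443
09:00:06 10.0.1.20 10.0.2.10 445
09:00:06 10.0.1.20 10.0.2.11 445
09:00:06 10.0.1.20 10.0.2.12 445
09:00:06 10.0.1.20 10.0.2.13 445
09:00:06 10.0.1.20 10.0.2.14 445
"""

def build_graph(log_text):
    """Directed graph: nodes are hosts, each edge src->dst carries the set of
    destination ports seen on it as an edge attribute."""
    edges = defaultdict(set)
    for line in log_text.splitlines():
        _ts, src, dst, dport = line.split()
        edges[(src, dst)].add(int(dport))
    return edges

def vertical_scans(edges, port_threshold=5):
    """One source probing many different ports on a single destination."""
    return {e: sorted(p) for e, p in edges.items() if len(p) >= port_threshold}

def fanout_outliers(edges, factor=3):
    """Sources whose number of distinct destinations is far above the median
    of all sources; a horizontal sweep of one port across many hosts looks like this."""
    out_degree = defaultdict(set)
    for src, dst in edges:
        out_degree[src].add(dst)
    degrees = {src: len(dsts) for src, dsts in out_degree.items()}
    baseline = median(degrees.values())        # learned "normal" fan-out
    return {src: d for src, d in degrees.items() if d > factor * baseline}

if __name__ == "__main__":
    g = build_graph(SAMPLE_LOG)
    print("vertical scans:", vertical_scans(g))
    print("fan-out outliers:", fanout_outliers(g))
```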

Weaponization
Here, the potential victims cannot actively do anything; this stage happens only on the attacker’s side. However, the less attack surface is offered, the less attractive a target becomes for an attacker. Ergo, a good first line of defence can act as a filter and limit the number of attempted attacks.

Delivery
The simplest as well as most effective methods include whitelisting, signatures (like fingerprints) of allowed applications, zero trust, centralised application catalogs, and restricting access rights. In the course of SOAR, anomaly detection performs well. If possible, non-standard ports should always be used for services and applications. For securing communication paths and access, signatures are particularly well suited and better than those medieval username-password combinations. If there is no other way, two-factor authentication should be used in any case. This will at least ward off the simplest man-in-the-middle attacks.

Otherwise, of course, it also helps to block communication with IP addresses and URLs known to be malicious, and to restrict communication with regions with which you have no or only sporadic business relationships. Everything that needs to connect to the internal network (mail server, VPN gateway, …) should be moved to a demilitarised zone (DMZ) and equipped with additional filters. Unknown things should first land in a sandbox before they are unleashed on the network. Zero-trust models also prove their worth at the delivery level.

Access points should always be secured in two stages, e.g., by a combination of NG and proxy firewall or router (packet filter) plus NG firewall. Work-from-anywhere organisations additionally protect themselves through automation, centralised and unified management of all devices, users, applications, cloud services and data, and virtualisation of workstations.

DPI and IDS should be deployed throughout the network, not just at the perimeter. DANE and DNSSEC bring additional security to the (transport) network. Unfortunately, far too few still use them. The use of DMARC and DKIM can protect against phishing — here, too, there are still far too few who really know how to use them.

Exploitation
Known remote exploits can be blocked by an IPS. Otherwise, anomaly detection, zero trust and whitelisting as well as access restrictions also help at this level.

Installation
Zero trust, anomaly detection, a central app catalog and whitelisting are also effective protection measures at this level. Network segmentation and containerisation can contain propagation.

The use of microservices helps in that services and protocols are kept to a minimum. Attackers have a harder time installing something that looks like an official service on a normal Linux system, for example, but is merely bloatware in the concrete environment.

Command & Control
Behavioural analysis (anomaly detection) can be used to identify (and block or isolate) suspicious connections or network objects. An appropriate policy can automatically isolate infected hosts from the rest of the network and send an alert.

Known C&C servers and protocols can be blocked directly. Suspicious command-and-control connections or services are a different matter: on the surface, they look just like content delivery networks (CDNs). A good IPS separates the wheat from the chaff.

Data leak prevention protects against the unintentional leakage of data. This involves scanning the permitted payload for unusual activity or patterns. Anomaly detection in network connections can be used to detect and block unusual destinations.

Deep packet inspection (DPI) helps detect suspicious protocols and applications, both internally and externally.

Signatures, whitelisting and modern solutions such as Rubrik protect backup data from encryption by ransomware. A WORM archive guards against intentional or unintentional data loss. However, the latter is disproportionately costly to reconcile with the rules of the GDPR and legally compliant data retention.

Conclusion

The first two stages of the kill chain are often omitted in the case of fuzzing-style attacks or attacks by script kiddies. Here, everything that is available is fired at once. Only early patching, zero trust, anomaly detection and good DDoS protection will protect your organisation from greater damage.

The higher the level of the kill chain — i.e., the deeper an attacker penetrates the network — the more complex the countermeasures become. It can be assumed that the attacker will go to great lengths to remain undetected for as long as possible. Such attack scenarios are usually very complex, can stretch over years and require several different triggers before they reach the penultimate stage. In this context, one speaks of Advanced Persistent Threats.

Effective protection is always a combination of different technology, vendors and measures. Globally, it is important to eliminate silos and prevent shadow IT with centralised services and automation. The more transparent a network is, the harder it is for attackers to hide in it. Zero trust, dynamic network objects, behavioural analysis, whitelisting, virtualisation or containerisation and automation are part of every security toolbox.

In case all security measures fail, a functioning disaster recovery strategy helps. The measures should be tested and adapted continuously. In the event of a disaster, two key figures are crucial: RPO and RTO. The first is the delta between the current and the recoverable state of the data (Recovery Point Objective), the second is the time required for recovery (Recovery Time Objective). Both should be as close to zero as possible. Solutions like those from Rubrik can do this.

SMEs are better off relying on cloud and managed services from the outset. They remain one of the most worthwhile targets. The often prevailing lack of budget, resources and know-how makes it particularly easy for attackers. In 2019, small and midsize businesses accounted for just one-third of the victims of successful cyberattacks, according to the Verizon DBIR. Within a year, their share rose to nearly 50%.

This article was originally written for data://disrupted®.
