Listen to a news report or read a news headline in the paper about a security breach and you are likely to hear from the affected company that it was the victim of a sophisticated attack. The reason for this is simple: no-one wants to admit that they were actually the victim of a rather simple attack. They like to portray their organisations as being so secure that it took a bunch of complex measures by a hacker to breach their systems. In reality, many sophisticated attacks rely on hackers identifying easily exploitable vulnerabilities, either within the software or, more likely, among the practices of employees.

Software may be vulnerable because there are security defects written into the code. This is not deliberate: engineers are usually keen to develop secure software. But they can be led to make poor judgements or mistakes by the demands of overeager product owners or project managers who need to meet tight deadlines.

Human error is not limited to software engineering or to the configuration of the systems on which applications are hosted. Anyone in the organisation can be a target for hackers who exploit human weaknesses. According to a recent study, about 46% of breaches are initiated by phishing attacks. Phishing attacks involve hackers sending convincing emails to users with the aim of either tricking the recipient into disclosing information (such as credentials or credit card data) on a spoofed website, or getting them to open an attachment containing malware. Not all phishing attacks involve emails; some are channelled through voice calls and SMS messages. The hacker’s playbook may look something like this:
- Activate a phishing attack to obtain credentials
- Use credentials to access internal systems
- Locate more privileged accounts
- Use privileged accounts to install malware
- Use malware to identify services running within the organisation and vulnerabilities associated with those services and send details back to hacker
- Hacker loads new malware to exploit identified vulnerabilities
- Hacker executes the attack (exfiltrating data, ransomware attack, sabotage etc.)
- Hacker disappears and covers tracks
On the face of it, this looks like a complicated chain of activities that organisations would consider a sophisticated attack. In fact, there is nothing sophisticated about it at all. Indeed, many ‘sophisticated’ attacks can be prevented by a few simple measures that stop the hacker from navigating this path.
The first step is to mitigate the risk of your employees falling for a phishing attack. These can come in different guises, such as emails, voice calls or SMS messages. The key to preventing phishing attacks from opening the door to your organisation is to educate your employees and regularly check that they understand how to identify a phishing attack and know what to do when they suspect one. By reducing employee susceptibility to phishing through a programme of education, you reduce the risk significantly. But some hackers may still catch a bite and extract credentials from an employee.

All employees need to access parts of the internal network. But more often than not, they are given more privileges than they need to do their job. A finance officer may have privileged access to a database that contains financial records so that they can create new queries to update the database, an engineer may have access to a production system to debug code in a live environment, or the managing director may have privileged access to sensitive market information. So the next level of mitigation is to apply the principle of least privilege, which means that employees only have the rights to do what is needed to carry out their work. If privileged access is required, employees should only be able to obtain credentials through a privileged access management system that generates one-time credentials to complete a specific task. Systems should also be protected by multi-factor authentication, which means that attackers need more than just credentials to access a system.

However, once an attacker has gained privileged access to the internal system and can install malware, the next level of mitigation is to ensure you are regularly scanning your network for installed software and cross-referencing it against a database of permitted software.
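To make the "one-time credentials to complete a specific task" idea concrete, here is an added example of a small privileged-access broker. It is illustrative code written for this article, not software from any product or from the author: the class name, the task strings and the token format are assumptions. A credential is bound to one principal, one task and a short expiry, and is accepted exactly once, so a credential that leaks through phishing has no value outside that narrow window and cannot be reused.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


class OneTimeCredentialBroker:
    """Hypothetical privileged-access broker for illustration.

    A credential is bound to one principal, one task and a short expiry,
    and is accepted exactly once. Unlike a standing password, it grants
    no task beyond the one named, no time beyond the window, and no
    second use.
    """

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self._key = signing_key          # secret known only to the broker
        self._ttl = ttl_seconds
        self._outstanding = set()        # nonces issued but not yet redeemed
        self._redeemed = set()           # nonces already used (replay guard)

    def issue(self, principal: str, task: str, now: Optional[float] = None) -> str:
        """Mint a single-use credential for `principal` to perform `task`."""
        now = time.time() if now is None else now
        claims = {
            "sub": principal,
            "task": task,                # the one action this credential permits
            "exp": now + self._ttl,      # absolute expiry, epoch seconds
            "nonce": secrets.token_hex(16),
        }
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        self._outstanding.add(claims["nonce"])
        return _b64(body) + "." + _b64(tag)

    def redeem(self, token: str, principal: str, task: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Validate a credential against a concrete (principal, task) request.

        Returns (accepted, reason). The signature is checked before any
        claim is read, so unsigned or forged input is rejected outright.
        """
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except Exception:
            return False, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        claims = json.loads(body)
        if claims["nonce"] in self._redeemed:
            return False, "replayed"
        if claims["nonce"] not in self._outstanding:
            return False, "unknown credential"
        if now > claims["exp"]:
            return False, "expired"
        if claims["sub"] != principal or claims["task"] != task:
            return False, "out of scope"
        self._outstanding.discard(claims["nonce"])
        self._redeemed.add(claims["nonce"])   # burn it: a second use is a replay
        return True, "ok"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


if __name__ == "__main__":
    broker = OneTimeCredentialBroker(secrets.token_bytes(32), ttl_seconds=300)
    t0 = 1_700_000_000.0                  # constructed clock value for the demo
    cred = broker.issue("finance-officer", "db:update-ledger", now=t0)
    print(broker.redeem(cred, "finance-officer", "db:update-ledger", now=t0 + 10))
    print(broker.redeem(cred, "finance-officer", "db:update-ledger", now=t0 + 20))
```

The order of checks in `redeem` is deliberate: the HMAC is verified first so that a forged token never reaches the claim parsing, the replay set is consulted before expiry so that a burned credential is reported as such, and the task comparison is exact, so a credential issued for one database operation cannot be presented for a production-debugging session.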
If malware is installed, it is likely to be communicating back to the hacker, so checking the network for unusual network activity is an essential defence against potentially malicious applications and services running in your organisation’s network. Finally, you should ensure your log files are kept well away from potential hackers to prevent them from forging log entries to cover their tracks. To do this, you should consider a break-glass policy for accessing logs that uses a temporary key limiting what the user can access.
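One concrete form of "checking the network for unusual network activity" is looking for beaconing: malware that calls home tends to do so on a near-fixed timer with near-identical payload sizes, which stands out from the irregular traffic a person generates. The following added example, written for this article and not taken from any product or from the author, groups flow records by source and destination and flags pairs whose inter-connection intervals have a low coefficient of variation. The flow records and the log format are constructed for the demo; the thresholds are assumptions to be tuned against your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real traffic).
# Format assumed for the demo: "<ISO time> <src> <dst>:<port> <bytes>"
# 203.0.113.9 is contacted every ~60 s with ~412-byte requests (beacon-like);
# 198.51.100.20 is contacted at irregular intervals with varying sizes.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.0.1.12 203.0.113.9:443 412
2024-03-01T09:00:02 10.0.1.12 198.51.100.20:443 9871
2024-03-01T09:01:00 10.0.1.12 203.0.113.9:443 412
2024-03-01T09:01:30 10.0.1.12 198.51.100.20:443 15302
2024-03-01T09:02:01 10.0.1.12 203.0.113.9:443 413
2024-03-01T09:03:00 10.0.1.12 203.0.113.9:443 412
2024-03-01T09:03:47 10.0.1.12 198.51.100.20:443 2210
2024-03-01T09:04:00 10.0.1.12 203.0.113.9:443 412
2024-03-01T09:05:00 10.0.1.12 203.0.113.9:443 412
2024-03-01T09:07:12 10.0.1.12 198.51.100.20:443 33091
"""


def parse_flows(text):
    """Parse the constructed flow format into (epoch_seconds, src, dst, nbytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts).timestamp(), src, dst, int(nbytes)))
    return flows


def find_beacons(flows, min_flows=5, max_interval_cv=0.2):
    """Flag (src, dst) pairs whose connections recur at a near-constant interval.

    The coefficient of variation (stdev / mean) of the gaps between
    successive connections is near zero for a timer-driven beacon and
    much larger for human-driven traffic. Payload-size regularity is
    reported alongside as a second signal for the analyst.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_flows:          # too few samples to call it periodic
            continue
        events.sort()
        times = [t for t, _ in events]
        sizes = [n for _, n in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(intervals)
        if mean_gap <= 0:                    # identical timestamps: not a timer
            continue
        interval_cv = statistics.pstdev(intervals) / mean_gap
        mean_size = statistics.mean(sizes)
        size_cv = statistics.pstdev(sizes) / mean_size if mean_size else 0.0
        if interval_cv <= max_interval_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "flows": len(events),
                "period_s": round(mean_gap, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    # most regular (most beacon-like) first
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every {hit['period_s']}s over {hit['flows']} flows "
              f"(interval CV {hit['interval_cv']}, size CV {hit['size_cv']})")
```

On the sample data only the 203.0.113.9 pair is reported, with a period of about 60 seconds and an interval CV near zero. In practice you would run this over a day or more of flow or proxy logs, raise `min_flows`, and cross-check hits against the permitted-software inventory and known update services before treating a regular connection as malicious, since legitimate agents also poll on timers.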
The sophisticated attack is essentially a set of simple exploits chained together to create a path to the attacker’s target. Granted, some attacks may require a high level of persistence and skill by attackers, but ultimately they are looking for gaps in your organisation’s security defences: a person susceptible to a well-targeted phishing attack, an unpatched server, a rogue privileged account, a known vulnerability in your infrastructure or a weak endpoint. Countering sophisticated attacks consists of doing basic security well. You do not need a sophisticated security policy, just one that deals with the many simple security weaknesses that could affect your organisation. I’ll leave you with a blog by Twitter on the recent attack that used many of the techniques highlighted in this article to gain access to a number of Twitter accounts and trick those accounts’ followers into parting with their hard-earned money. Sophisticated? Not really.