The news has lately been thick with reports of major attacks on corporate networks. In the cases of the Panama Papers, the OPM leak, and the Hacking Team leak, the results were catastrophic leaks of extremely confidential information.
In each case, the organizations that were hacked spent a great deal of time and energy on PR after the fact downplaying the significance of the leaks. But in each case, the hacks were made possible because of basic flaws in the network infrastructure and a failure to take security seriously.
Perhaps the worst recent attack was the case of the Bangladeshi central bank. Reports suggest they did almost nothing to secure their infrastructure prior to the attack, and it wound up costing them many tens of millions of dollars.
In truth, a determined and well-resourced attacker can always find a way in. If your information is of value or interest to a foreign government, you should probably assume they’ve already taken it. But in the Panama Papers and Hacking Team leaks, the attackers were probably independent, non-government hackers.
In all of the cases, though, there were critical errors made in securing network infrastructure.
The good news — and the bad news
Right now, the most worrisome network threats fall into four main categories: malware, phishing, denial of service (DoS) attacks, and advanced persistent threats (APTs).
The good news is that it’s neither extremely hard nor overly expensive to mount a reasonably effective defense.
The bad news is that it’s impossible to create a perfect defense. In particular, you can’t keep determined, skilled, and well-resourced attackers like government agencies away from your data. They’ll always be able to find and exploit vulnerabilities in your defensive security infrastructure.
So let’s focus on the more manageable task of keeping out the routine criminals.
1. Malware and ransomware
Malware is the modern term for what we used to call a computer virus. The term has changed because the threat has changed—today’s malware is much more dangerous. It’s usually deployed starting with a small “dropper” program that then contacts a command-and-control host (variously abbreviated C&C, CC, or C2) to get further instructions and download additional malware.
One of the most dangerous and growing types of malware is crypto-ransomware, which immediately sets about encrypting all your files, including all files on any network shares. It then offers to give you the key to unlock your files in exchange for paying a ransom.
Defenses against malware and ransomware
Most malware isn’t targeted. By that I mean it’s produced with the general intent of catching somebody—anybody—not you in particular.
Malware writers often exploit software vulnerabilities in common applications like your web browser, Flash, Word, or Excel. In many cases, they also exploit operating system vulnerabilities.
First line of defense
There are two critical elements in a first line of defense against malware.
First, keep up with software patches. If you apply all patches as soon as they’re released, you’ll be ahead of just about all malware threats.
Second, use a good endpoint protection system. Endpoint protection is what we used to call anti-virus software. Traditional anti-virus software relied heavily on file signatures. Whenever a new file appeared on your computer, the anti-virus software would scan it. It would calculate an overall file checksum that it could compare against a database of known malware, and it would scan through the file to see if it contained a sequence of bytes associated with any known malware.
Anti-virus packages are still valuable tools, but the problem is that malware writers have started adopting clever tricks like encrypting the code with random and frequently changing keys. That means the malware will never appear with the same checksum twice, and the internal byte sequences will be obscured.
To counter this kind of encrypted, constantly changing packaging, modern endpoint protection software generally includes some sort of sandboxing feature. The suspected malware is unpacked in a safe, virtualized environment and allowed to install itself and run while the scanning software carefully monitors it for signs of any malicious actions.
But the fight against malware is an ever-escalating battle. Malware writers have started building special sandbox avoidance techniques that detect when they’re running in a sandbox instead of a real system.
So most good endpoint protection systems also monitor the real endpoint workstations for signs of malicious software actions and try to block the malware before it’s too late.
Second line of defense
The second line of defense in protecting infrastructure from malware is to assume the first piece of malware is actually a dropper, and that it will reach back across the Internet to a command-and-control (C2) server for further instructions and additional software packages.
Because modern malware is often highly modular, we can frequently catch infections by scanning well at the network edge. This differs from a traditional Intrusion Detection System (IDS), which generally monitors inbound connections. Here, we’re monitoring outbound connections.
We’re looking for several key indicators of compromise, including:
- Connecting to known malware domains or C&C systems
- Downloading suspicious files
- Traffic patterns that appear to indicate interactive VPN-like activities, which might indicate a remote access Trojan (RAT)
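An added example (not code from the original post) of the outbound monitoring just described, run over a few constructed proxy-log lines. It checks the three indicators listed above: contact with a known C&C host, download of an executable-type file, and a RAT-like pattern, which it approximates here as near-constant-interval beaconing to one destination. The blocklist, hostnames, content types and log format are all assumptions.

```python
# Added example: egress monitoring over constructed outbound proxy-log lines.
# The blocklist, log format and hostnames are made up for illustration.
from collections import defaultdict

# Constructed threat-intel feed: destinations treated as known C&C hosts.
KNOWN_C2 = {"update-check.example-bad.net", "203.0.113.45"}
# Downloaded content types that warrant a closer look on a user workstation.
SUSPICIOUS_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Constructed log: epoch_seconds src_host dst_host bytes_out bytes_in content_type
SAMPLE_LOG = """\
1000 ws-17 cdn.example.org 512 40960 text/html
1060 ws-17 update-check.example-bad.net 200 180 text/plain
1120 ws-17 update-check.example-bad.net 210 175 text/plain
1180 ws-17 update-check.example-bad.net 205 190 text/plain
1240 ws-17 update-check.example-bad.net 198 182 text/plain
1300 ws-22 files.example.org 300 820000 application/x-msdownload
1400 ws-03 mail.example.org 900 3000 text/html
"""

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, src, dst, out_b, in_b, ctype = line.split()
        rows.append((int(ts), src, dst, int(out_b), int(in_b), ctype))
    return rows

def beaconing(rows, min_hits=4, max_jitter=5):
    """Flag (src, dst) pairs that talk at near-constant intervals; a dropper
    or RAT polling its controller tends to look like this."""
    times = defaultdict(list)
    for ts, src, dst, *_ in rows:
        times[(src, dst)].append(ts)
    hits = []
    for pair, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits.append(pair)
    return hits

def findings(log=SAMPLE_LOG):
    """Return the three indicator classes found in the log, keyed by name."""
    rows = parse(log)
    c2 = sorted({(s, d) for _, s, d, *_ in rows if d in KNOWN_C2})
    dl = sorted({(s, d) for _, s, d, _, _, ct in rows if ct in SUSPICIOUS_TYPES})
    return {"known_c2": c2, "suspicious_download": dl, "beaconing": beaconing(rows)}
```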
But be aware! In the case of common ransomware infections, additional command-and-control action often isn’t necessary. The initial piece of malware just starts encrypting every file it can read and keeps going until you stop it. If it’s been allowed to unpack itself and start running, it’s probably already too late.
The best defense against encrypting ransomware is good old-fashioned backups. Find and shut down the infected machine, then start restoring files from the backup.
If you keep the backups offline or otherwise inaccessible to normal users, and if you take backups at least daily, then your exposure is limited to whatever has changed in the last 24 hours. It isn’t great, but it’s usually not a disaster. And it’s certainly preferable to paying ransom, since there’s little reason to believe the criminals will actually give you the decryption keys after you’ve paid.
2. Phishing
I actually don’t consider phishing to be an IT security problem. It’s a social engineering attack in which an attacker contacts a person inside the organization, often through email, and tricks that person into doing something.
In some cases, the person is tricked into transferring money to the attacker’s account. In other cases, the target is tricked into installing or running software that helps the attacker with the next stage of their attack.
Because phishing isn’t really a technological attack, technological solutions are generally ineffective. Closing the door to an email-based phishing attack doesn’t necessarily close the door against a similar attack conducted over the telephone or through the mail. This is old-style fraud — it has always existed and it will always exist.
Defenses against phishing
There are two main defenses against phishing.
The first is education. You can reduce the chances you or your client will suffer from a phishing attack if everyone is vigilant and aware of what phishing looks like. But this really only reduces the chances. An extremely clever attacker will always be able to come up with a convincing ruse.
What would happen if they emailed a realistic-looking invoice to somebody in the Accounts Payable department, designed to look exactly like it came from one of your suppliers? It’s almost certain the message would be opened. The same would be true of a realistic resume sent to the HR department.
So the other defense against phishing is procedural. Make it a well-established and rigidly followed process that money transfers are never done without verbal confirmation from a small number of specifically named individuals. The CEO will never send an email to the head of accounting requesting a money transfer to a mysterious supplier in a foreign country. And even if they do, standard procedure is to call the CEO’s cell phone and verify the instructions.
If the phishing attack is a method of deploying malware, then you can at least fall back on the malware defenses mentioned in the previous section.
3. Denial of service
Denial of service (DoS) attacks can be launched fairly easily by unskilled attackers, and they can be carried out without needing access to your internal infrastructure.
The simplest DoS attacks try to overwhelm your Internet link by sending huge amounts of traffic so that legitimate business traffic gets shut out. More sophisticated DoS attacks involve less traffic, instead using up other network resources.
DoS attacks are sometimes done to disrupt business and sometimes to extract a ransom to make the attacks stop.
Defenses against denial of service
The trouble with most DoS attacks is that once they hit, they’ve already used up your Internet resources. It doesn’t help to throw away malicious packets if there are so many of them that the link is full.
You really can’t protect against most DoS attacks. The best approach is to use a protection service provider like CloudFlare or Arbor Networks to interrupt the attacks somewhere upstream from your infrastructure.
Protection services typically work by directing your traffic through their infrastructure before it gets to you. They’ll either automatically detect attacks or allow you to specify you’re under attack. Then they simply redirect the malicious packets into the trash can, and only forward the legitimate traffic to you.
Another good and popular way of mitigating DoS attacks is to put public-facing infrastructure on a cloud service provider with ample resources. That way, if you’re attacked, there’s no effect on your real infrastructure, just on the web hosting provider, which will generally have robust DoS mitigation systems.
More sophisticated DoS attacks seek to disrupt web infrastructure without necessarily using lots of traffic as the attack mechanism. Instead, these attacks exploit software vulnerabilities in the web hosting systems to take the systems off-line, or they use up all resources on those systems to prevent them from accepting new connections.
Since the more sophisticated attacks are generally based on software vulnerabilities, it’s hard to create permanent defenses against them. But regularly patching Internet-facing infrastructure goes a long way to minimizing risk.
4. Advanced Persistent Threats
Advanced persistent threats (APTs) are the attacks everybody fears. In an APT, the attackers manage to build a back door into your infrastructure, then carefully extract your most valuable data. The effectiveness of this type of attack depends on the skill of the attackers and your ability to detect and stop them.
APT attacks often start out as malware or phishing attacks. The attacker has to somehow get a foothold inside the infrastructure. Then, typically, the attacker instructs the initial dropper software to download a remote access Trojan, which is like a VPN that allows them interactive access.
I say typically because there have been a few cases where APT attacks have happened entirely without external feedback, but it’s a ridiculously difficult way to attack a network, and nobody would do it this way if they had the option of interactive access.
Defenses against APTs
The defenses against APT attacks include everything we said about malware attacks. It’s also useful to monitor your Internet links for the typical signatures of RAT-like traffic patterns. However, if your attackers are skilled, an APT attack can go undetected for considerable lengths of time as they move laterally within your network looking for valuable data.
For this reason, in addition to prevention and detection, it’s useful to have good forensic abilities when it comes to APT attacks. In particular, it can be very useful to maintain thorough logs of every access to every file and system on your infrastructure so you can reconstruct what user IDs accessed what resources from what systems. This is most easily done using the Active Directory or LDAP server logs.
Another useful forensic capability is some sort of packet capture or traffic flow monitoring tool. NetFlow-based systems can keep track of every conversation that takes place, including source and destination addresses, protocols, and amount of data transferred. This is often supplemented by detailed packet capture data, which can show you exactly what was transferred.
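An added example (not code from the original post) of the flow-based forensics described above, also covering the lateral-movement concern raised under the APT defenses: it aggregates constructed NetFlow-style records into per-conversation byte totals, then flags bulk internal-to-external transfers (possible exfiltration) and one internal host opening sessions to many internal peers on an administrative port (possible lateral movement). The addresses, internal range, port and thresholds are all assumptions.

```python
# Added example: summarising constructed NetFlow-style records and flagging
# two patterns an APT investigation looks for. All values are made up.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal address range

# Constructed flow records: src dst proto dport bytes_src_to_dst bytes_dst_to_src
FLOWS = """\
10.0.5.12 10.0.5.1 udp 53 120 340
10.0.5.12 198.51.100.7 tcp 443 58000000 210000
10.0.5.12 10.0.7.21 tcp 445 4000 9000
10.0.5.12 10.0.7.22 tcp 445 3900 8700
10.0.5.12 10.0.7.23 tcp 445 4100 9100
10.0.5.12 10.0.7.24 tcp 445 4000 8800
10.0.9.3 198.51.100.8 tcp 443 9000 2500000
"""

def conversations(flows=FLOWS):
    """Aggregate flow records into (src, dst, proto, dport) -> [out_bytes, in_bytes]."""
    totals = defaultdict(lambda: [0, 0])
    for line in flows.strip().splitlines():
        src, dst, proto, dport, out_b, in_b = line.split()
        key = (src, dst, proto, int(dport))
        totals[key][0] += int(out_b)
        totals[key][1] += int(in_b)
    return dict(totals)

def possible_exfil(convs, min_bytes=50_000_000, ratio=10):
    """Internal -> external conversations that send far more than they receive."""
    hits = []
    for (src, dst, *_), (out_b, in_b) in convs.items():
        if (ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL
                and out_b >= min_bytes and out_b >= ratio * max(in_b, 1)):
            hits.append((src, dst, out_b))
    return hits

def possible_lateral(convs, port=445, min_peers=3):
    """One internal host contacting many internal peers on an admin port."""
    peers = defaultdict(set)
    for (src, dst, _, dport) in convs:
        if dport == port and ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            peers[src].add(dst)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}
```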
In my next blog post, I’ll get more specific about tactics that can help secure network infrastructure against attack. I’ll focus particularly on network architecture, since good architecture is a critical element of secure infrastructure.