I recently participated in a network security training program in order to better understand how criminals gain access to network systems. The trainer and network security consultant agreed to provide tips, but wanted to remain anonymous.
While the playbook for network penetrations varies from attacker to attacker, there are some consistent patterns that emerge from each enterprise-level incident. Network penetrations can be broken down into three steps, each with distinct signatures.
1. On-Ramp to the Network. Attackers have to get a foothold in the network, and this is most often done by social engineering targets to download malware or submit credentials to a phishing site. Additional on-ramps include watering holes, compromised logins, third-party hacks, and exploiting vulnerable third-party apps, particularly content management systems.
2. Navigating the Network. Once inside, attackers use internal documentation to further their attack, pivoting from one corporate user to the next by compromising each in turn, until they gain access to documents and databases.
3. Exfiltration. Data exits the system in surprisingly simple ways. Sometimes it is hidden in traffic, but more often than not it is zipped or encrypted and moved off the network to a drop site before detection systems can alert anyone and the leak can be stopped.
Nearly all of the network attacks involve the following failures, oversights, or policy breakdowns:
- Human error is almost always involved. Whether attackers enter through the front door or move laterally through the network, they need employees to take some sort of action, such as entering credentials into a phishing site or opening a malicious attachment.
- Employees use corporate email addresses to register for third-party sites that are later hacked and, even worse, reuse their passwords on those sites.
- Lack of two-factor authentication for access to VPNs, databases, and shares contributes to many of the breaches and magnifies password reuse problems.
- WordPress plugins are exploited for credentials to access servers or to create phishing pages. In general, servers running CMS applications are hackers' on-ramp of choice.
- Once inside networks, reconnaissance is performed through corporate directories, wikis, and share sites. Attackers find targets with desired accesses and move laterally using malware or phishing sites sent from internal email.
- Network traffic monitors fail or are evaded during exfiltration.
Recommended countermeasures include the following:
- Monitor access to corporate directories and create alerting rules that fire when a large number of searches come from a single employee. In those rules, pay particular attention to searches for sys admins and help desk employees, as well as to search strings for customer databases and network credentials.
- Run ad-blocking applications on corporate machines.
- Evangelize security to everyone in the company, from InfoSec to HR to sales. Follow up with red team events, like setting up phishing pages and targeting employees with spoofed emails to ensure that people are taking security seriously. Pay special attention to help desk and sys admins.
- Document all third-party dependencies and how they are integrated, evaluate whether each is still needed, and understand how each could be vulnerable.
- Ensure that two-factor authentication is enabled for all key accesses.
- Monitor Pastebin and other typical “dump” sites for employee Twitter credentials and continue to react accordingly when stolen credentials are recovered by vendors.
- Map publicly available VPN and proxy services, both underground and commercial, so they can be added to firewall rules.
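The directory-search monitoring rule above is a natural place for a worked example. The following is added here and is not code from the original article or from the training; it runs over a constructed log of directory searches (the log format, the user names and the sensitive-term patterns are all assumptions) and flags users whose search volume or search terms match the reconnaissance pattern the article describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log of directory searches (not from the article):
# timestamp, searching user, search string.
SAMPLE_LOG = """\
2024-03-04T09:01:12 user=alice q=conference room b
2024-03-04T09:02:30 user=alice q=jsmith
2024-03-04T09:03:01 user=bob q=helpdesk
2024-03-04T09:03:05 user=bob q=sysadmin
2024-03-04T09:03:10 user=bob q=domain admin
2024-03-04T09:03:20 user=bob q=customer database
2024-03-04T09:03:25 user=bob q=vpn credentials
2024-03-04T09:04:00 user=bob q=it support
2024-03-04T09:05:00 user=carol q=payroll
"""

# Terms the article singles out: sys admins, help desk staff, customer
# databases, network credentials. The regexes are assumptions for this example.
SENSITIVE_PATTERNS = [
    r"sys\s*admin", r"domain\s*admin", r"help\s*desk|it support",
    r"customer\s*database", r"credential", r"password", r"vpn",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) q=(?P<q>.*)$")

def parse_log(text):
    """Yield (user, lowercased query) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("q").lower()

def detect_recon(text, volume_threshold=5, sensitive_threshold=2):
    """Return {user: [reasons]} for users whose directory searches look like
    internal reconnaissance: too many searches, or several sensitive ones."""
    total = Counter()
    sensitive = defaultdict(list)
    for user, q in parse_log(text):
        total[user] += 1
        if any(re.search(p, q) for p in SENSITIVE_PATTERNS):
            sensitive[user].append(q)
    alerts = {}
    for user, n in total.items():
        reasons = []
        if n >= volume_threshold:
            reasons.append(f"{n} searches (threshold {volume_threshold})")
        if len(sensitive[user]) >= sensitive_threshold:
            reasons.append("sensitive terms: " + ", ".join(sensitive[user]))
        if reasons:
            alerts[user] = reasons
    return alerts

if __name__ == "__main__":
    for user, reasons in detect_recon(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

A production rule would count searches within a sliding time window and baseline each role's normal search volume, so that help desk staff who legitimately search for colleagues all day do not drown out the genuine alerts.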
The most vulnerable components of any corporate network are humans. Most breaches start with an employee electing to open the door for an attacker after being socially engineered.
The most basic social engineering attacks still work by spoofing the email addresses of known colleagues or contacts found during initial reconnaissance on sites like LinkedIn or Facebook and sending malicious content. The Syrian Electronic Army has used this method with surprisingly effective results to access web-based work email accounts, which can then be used to cause more damage, such as changing DNS records, accessing social media accounts, or stealing documents. Hacktivist groups like Anonymous will often use similar reconnaissance to persuade call centers and customer support staff to reset passwords, thereby gaining access to corporate servers and inboxes.
Unsurprisingly, other social engineering campaigns have leveraged the global connectedness that social media offers. A China-linked campaign in late 2014 targeted employees of male-dominated sectors like technology and nuclear engineering. Attractive women “friended” engineers using Facebook and then passed along links to malicious files in chat messages.