The threat landscape is constantly evolving. It is increasingly important for organizations to invest in security to mitigate both internal and external malicious actors. New threat vectors are emerging including:
- Internet of Things (IoT) devices - the weak security makes them easy to hack
- Bring Your Own Device (BYOD) - if the worker’s device is compromised through downloading a file, the hacker can gain access to company servers
- Remote workforce - working from home requires servers to be remotely accessible, which implies illegitimate users can also access them
However, the preferred attack vector according to Verizon’s 2017 Data Breach Investigation Report is still stolen credentials. Basic steps to mitigate this risk include training your users, requiring strong passwords and frequent password change, setting up Multi Factor Authentication (MFA) and Mobile Device Management (MDM), creating security policies, and providing minimal permissions for each user.
Kaspersky Global IT Risk Report 2016 lists the top causes for data breaches as:
- Viruses, malware and trojans
- Lack of diligence and untrained employees
- Phishing and social engineering
- Targeted attack
- Crypto and ransomware
Kill Chains for Targeted Attacks
The following steps are typically used during a targeted attack:
The first step typically used during a target attack is reconnaisance to search for vulnerabilities. This may include both external and internal reconnaissance. External reconnaisance is data gathering from outside the target’s network and systems, and may include dumpster diving, phishing, social engineering, water holing, and baiting to create a weakness through stolen passwords or malware. Internal reconnaisance is data gathering inside the target’s network and systems, such as tailgating, sniffing and scanning, in order to compromise passwords and map networks, servers, and ports.
After reconnaissance is complete, the hacker moves on to compromising the system. This can take several forms, such as:
- Extortion Attacks – holding data to ransom or threatening to expose information. Becoming preferred by hackers as you get direct payout from the target rather than finding a third party
- Data Manipulation Attacks – changing or corrupting data to undermine trust in the integrity of the organisation’s data
- IoT Device Attacks – typically involves compromised devices participating in DDoS attacks
- Backdoors – software that has been compromised at source or within the supply chain to enable hackers to access it after it has been deployed onto the organisation’s infrastructure
- Mobile Device Attacks – malware installed on BYOD devices can be used to attack organisational data systems
After these steps have been completed, the hacker can expand their presence to find high-value data and gain control of the infrastructure. At this point, the hacker is often looking for directory servers, email servers, database servers, or file shares. They can do this using network mapping (since the movement is within a subnet and so would not cross a security boundary), alternative data streams (hiding payload files with legitimate system file names while piping data between commands), or even using legitimate system tools such as Remote Desktop and Windows Management Instrumentation.
At this point, the hacker has all the access required to escalate their privileges within the system and, when they have what they wanted, conclude the mission.
Defense in Depth
The most vulnerable component of our defense strategy are the people who own and operate it. All the available research shows that most attacks succeed because a user’s identity has been compromised. These stolen credentials are then used to create weaknesses that can be exploited to damage the organization.
The first and most important layer of our defense strategy must therefore be practical security policies that are easily understood by our users. Each user should be fully trained on security practices and be given regular refresher training as threats, tools and processes evolve. This is especially important to high value users like administrators, developers and systems operators.
Building from the bottom up, our Defense in Depth strategy needs to protect our infrastructure. Depending upon the specific technology choice, there are a range of tools and best practices that will enable us to secure, monitor, detect and respond to security incidents. The big take-away from this section is that we need to compartmentalize our network infrastructure to prevent lateral movement from the periphery of our network towards our critical Data at Rest servers.
Software that we create to run in the Data Presentation, Data in Motion and Data in Action zones needs to provide two different kinds of protection.
Software vulnerabilities need to be eliminated by training developers and running static analysis tools to detect the common threat vectors, including SQL injection, buffer overflow, cross site scripting, and structured exception handler overwrites.
Transport vulnerabilites need to be eliminated by validing the users or applications involved in each transaction, compartmentalizing services so all data flows across intrusion detection devices, encrypting data as it crosses security boundaries, and checking data is not modified during transport.
Data at Rest
As described above, the primary targets for a targeted attack will include directory servers, email servers, database servers, and file shares.
Whilst Data as a Service generally doesn’t have much to add to Directory and Email Servers, there is a lot we can do with File and Database Servers.
Firstly, we encrypt the media that the data resides on. This is especially important for physical media stored on-premises. When media is being disposed of, ensure that it is first erased and then physically destroyed to prevent dumpster diving attacks. Even when storing information in the cloud, utilise available storage level encryption mechanisms.
Next, we encrypt the content of the data itself in a way that is transparent to the user accessing it – make it easy for the user to implement the security policy! For data files, use Information Protection tools that lock data based on security levels and restrict access. These tools can be extended across mobile endpoints to prevent data leaking from emails.
In databases, we can increase security at the row level by checking the users accessing the data and implementing version control to identify and recover from data manipulation attacks. We can also use auditing and machine learning to identify threats and abnormal activity, and vendor analytic tools for threat analysis and alerting.