Identifying the Cyberattack Patterns and Doing the Easy Stuff


The math favors the attackers. There is little you can do about the attacker, but there is a lot you can do about you.

Another week, another set of cybersecurity stories occupying our bandwidth, if you’ll pardon the pun. Where would you like to start? Indictments? Sophisticated attacks on private sector interests and critical infrastructure? The tidal wave of sudden cybersecurity experts on the airwaves?

One of the greatest cybersecurity challenges is the bleed over into virtually everything we do. And making that challenge even more difficult is the misuse of vocabulary. Was the election “hacked” as so many say? No. Were confusion and discord spread during the campaign? Yes. Did it make a difference? Incalculable. You see, the chefs have created a minestrone soup of cybersecurity issues and the servers can’t really tell the customers what the ingredients of the soup are. So that’s where we’re going to start, as best we can, from scratch, so you can identify the key ingredients and know how to react, at least to the easy stuff.

Start here: The U.S. is always a target. Take that as a given. The U.S. will always be the biggest and most sought-after target for the foreseeable future. If some foreign entity is not trying to mess with us or attack our networks, something is very off in the world. So treat interference, whether it is information warfare or an advanced persistent threat into our networks and everything in between, as a constant, not a variable. It is going to happen and the only way to slow it down is through fear of consequence, usually in the form of economic pressure or kinetic warfare. We opt for the former if we have any say in the matter, but recognize the latter must always be on the table.

With that out of the way, here’s the next to know: Things are going to get worse. We felt that way in 2017. We feel that way in 2018. We are probably going to feel that way in 2019. Why? Here’s a quick rationale: For the attacker, the capability to conduct attacks will rise and cost to carry them out will continue to fall. For the defender, the capability to stop attacks will continue to be weakened and cost to prevent them will continue to rise.

In other words, the math favors the attackers. There is little you can do about the attacker, but there is a lot you can do about you. So are we prepared? On a good day, we’d venture to say “not really” using exhibits like: WannaCry (not good at patching), ransomware in general (not having easily accessible backups) and giving access to accounts (phishing, spearphishing, and pretexting).

You see, in each case we generally knew what to do…except we didn’t do it! We deserve the red card in all of these cases. So it’s broken record time for us (or “repeat” if you use an MP3 player) and to illustrate our “easy to-dos” we will use a US-CERT alert from this past March as a real example.

In a nutshell, this campaign seeks to compromise targets (the oldest tricks are still most often the best). Initial victims are peripheral organizations, such as trusted third-party suppliers. In this case, they are identified as staging targets. The threat actors use the staging targets’ networks as pivot points and malware repositories for their intended targets. Therefore, staging and intended targets are both victims in this case. Here is a list of tactics, techniques and procedures (TTPs in cyber speak) the threat actors used in this case:

  • Spear-phishing, which is in the news a lot lately, but if you want to know the differences between phishing, spear-phishing, and pretexting, go here.
  • Watering-hole domains involve attacking and infecting a domain the intended target is normally known to visit. Attackers look for vulnerabilities in the code of the website and inject their own malware there. More info here.
  • Credential gathering is about as straightforward as it gets but the techniques can be different.
  • Open source and network reconnaissance.
  • Host-based exploitation is taking advantage of the webhost. Not all organizations have the ability to host their own needs, so you are at the whim of your host sometimes. If you’re in this boat, make sure you learn the differences between shared servers, virtual private servers and dedicated servers. They make a difference. Think apartment building, condo and house.
  • Targeting industrial control system infrastructure.

The reason we did this little explanation section is that we are cognizant of the fact that cybersecurity is everybody’s problem and we need to do what we can to up everybody’s game. Cybersecurity is not the exclusive play space of IT staff, vendors, consultants and contractors. In fact, as we have shown before, they are a large part of the problem.

So how do we defend against the type of attack described above? Well, it’s a two-fold process, and the same two-fold process applies to virtually every single cybersecurity problem out there: It’s a combination of technological solutions and doing the basics.

As for the technological solution, we won’t spend too much time on it here. Why? They cost money. Sometimes, they cost a lot of money, money you may not have as a small-to-medium sized business. Yes, we like machine learning and anomaly-based tools if they’re used as surgical tools, but this article focuses on “the easy stuff” and doing the easy stuff will significantly reduce your cyber risk profile. Here’s a quick list:

1. Do you trust your third party? The National Institute of Standards and Technology Cybersecurity Framework focuses on the need for a trusted third-party cybersecurity review. It’s necessary, given that third parties have caused or contributed to breaches and can easily be the weak link in your cybersecurity risk profile. What can you do?

  • Fully audit/review your contractor before you do business with them. Paper reviews are good. In-person reviews are better.
  • Practice least privileged access. Give them what they need. Nothing more.
  • Make sure your contractual terms allow you to enforce cybersecurity at the vendor level.
  • Make sure that you know how your contractor is handling, storing, and securing your data. Trust, but verify.

2. Don’t click the link or open the attachment! For the love of all things fuzzy and cute, just don’t. Plucking out these fake emails is like working out. If you’re not training, you’re not ready for game day. And guess what? In the cybersecurity world, “game day” is every single day you touch technology, without exception. Everybody needs to be training, from the part-time facility staff to the board of the directors.

3. Avoid the waterhole. Understandably, easier said than done. You have an expectation that the sites you visit routinely will be safe, but you shouldn’t always assume they’re safe. We’ve seen some of the biggest companies have their sites hacked. If there are domains your organization regularly visits, it’s a good idea for your IT staff to do some regular “spot checking” to see if there is something wrong with the site. If so, warnings need to go out. This is a team sport. Also, teach your staff to be careful while browsing the internet. And if you’re dealing with super sensitive information, consider the practice of whitelisting sites and applications.

4. Don’t share credentials or personal information. If an email, text, website or app is asking for your credentials, red lights should flash in your mind. A general rule of thumb: If you go to a website that you frequent often, say your vendor’s site or your bank, and then the site asks you for your credentials, chances are that’s legitimate because you initiated that action (a little bit more tricky with apps). But if something is asking you or prompting you to give up some information, be cautious and begin to wonder why and whether it’s legitimate. The call to your IT department or bank to verify may cost you five to 10 minutes, but it could save you and your organization a world of hurt.

5. Train and practice for the worst. Simple. Just do it. Don’t just have incident response, business continuity and crisis communication plans sitting on a shelf. Test them—and test often. Minimum twice a year. Make sure your vendors are doing so also.

6. Deal with your aging infrastructure. We understand that this is a time and cost problem. Perhaps you have been putting off upgrades because they’re too expensive. We appreciate that limitation, but there comes a point where the vulnerabilities outweigh the cost savings. Make sure you #PatchIt and if there is a common vulnerabilities and exposures announcement, make sure your IT staff is on it within 72 hours. Tough to do, yes. But necessary.
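The 72-hour rule in item 6 only works if somebody is actually measuring it. The script below is an added example (our illustration, not a tool from the US-CERT alert or the #CyberAvengers) of the simplest possible tracker: a list of advisory records with a publication time and an optional patch time, checked against the 72-hour window. The CVE identifiers, asset names and dates are constructed placeholders, not real advisories; in practice the records would come from your vulnerability scanner or ticketing system.

```python
from datetime import datetime, timedelta, timezone

# The 72-hour window from the article; tune to your own policy.
PATCH_SLA = timedelta(hours=72)

# Constructed sample records. The identifiers are placeholders, not real CVEs,
# and the dates are invented to exercise each outcome of the check.
ADVISORIES = [
    {"id": "CVE-YYYY-0001", "asset": "web-01",  "published": "2018-03-10T12:00:00Z", "patched": "2018-03-11T08:00:00Z"},
    {"id": "CVE-YYYY-0002", "asset": "db-01",   "published": "2018-03-10T12:00:00Z", "patched": "2018-03-15T08:00:00Z"},
    {"id": "CVE-YYYY-0003", "asset": "vpn-01",  "published": "2018-03-12T12:00:00Z", "patched": None},
    {"id": "CVE-YYYY-0004", "asset": "mail-01", "published": "2018-03-19T06:00:00Z", "patched": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None (not yet patched)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(record, now):
    """Decide where one advisory stands relative to the SLA at time `now`."""
    published = parse_ts(record["published"])
    patched = parse_ts(record["patched"])
    deadline = published + PATCH_SLA
    if patched is not None:
        # Closed item: judge it by when the fix actually landed.
        status = "patched_in_sla" if patched <= deadline else "patched_late"
        elapsed = patched - published
    else:
        # Open item: judge it by how much of the window has been used up.
        status = "open_within_sla" if now <= deadline else "overdue"
        elapsed = now - published
    return {
        "id": record["id"],
        "asset": record["asset"],
        "status": status,
        "hours_elapsed": round(elapsed.total_seconds() / 3600, 1),
        "deadline": deadline.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def sla_report(advisories, now):
    """Classify every record; overdue first, then the oldest open items."""
    rows = [classify(r, now) for r in advisories]
    order = {"overdue": 0, "open_within_sla": 1, "patched_late": 2, "patched_in_sla": 3}
    return sorted(rows, key=lambda r: (order[r["status"]], -r["hours_elapsed"]))


def overdue_assets(advisories, now):
    """Just the asset names that have blown the window: the escalation list."""
    return [r["asset"] for r in sla_report(advisories, now) if r["status"] == "overdue"]


if __name__ == "__main__":
    # Constructed 'current time' so the run is reproducible offline.
    now = parse_ts("2018-03-20T12:00:00Z")
    for row in sla_report(ADVISORIES, now):
        print(f"{row['status']:16} {row['id']} on {row['asset']} "
              f"({row['hours_elapsed']}h elapsed, deadline {row['deadline']})")
```

The useful output is the `overdue` list, which is what should land on a manager's desk rather than in an IT-only dashboard; the `patched_late` rows are the ones to review afterwards to find out why the window was missed.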

Above is a partial list of things you can do, but these are easy things to do. We even have more tools here to help you. Just remember this: If you’re not doing the basics, it doesn’t matter if it’s a 14-year-old script kiddie or a nation state, both will treat you as an easy target. Best if you make yourself a difficult target to exploit so they can move on to somebody else.

The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help keep this nation and its data safe and secure. They are Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos.
