Cyberattacks and data breaches continue to dominate the news globally. The reality is that most organizations face the same often reported threats and are carrying on their work towards counteracting those risks.
Some organizations victimized by cybercriminals have shared information publicly. Others have chosen to conduct investigations and share information about the attack in a more limited way, or not at all. As a result, media themes related to cyberattacks can at times lack detailed information, with heavy reliance on unnamed sources.
Understanding today’s landscape and formulating corresponding strategies, remains important to help organizations protect themselves against the tactics that have become commonplace.
Phishing for a foothold
In some recent high profile compromises, phishing attacks have been the primary method used by attackers to gain access to the network of their targeted victim. A phishing attack is an activity that “engineers” social or behavioral responses to compromise security – no software vulnerability is needed to try to trick a person using a computer or device, into revealing their user name and password. Cybercriminals conducting attacks continue to successfully trick individuals into providing their network credentials. The attackers then use any stolen credentials to illegally access the victim’s machine, or in the case of organizations, the network. Once credentials have been obtained, the attacker may attempt to steal more credentials and get access to further resources on the network. For more information: The latest Microsoft Security Intelligence Report, volume 17, has more information on credential theft and how Microsoft is making it even harder for attackers to use stolen credentials.
Poor system hygiene
Another form of trickery has to do with attackers using malicious email attachments to try to compromise a person or persons’ systems. Their goal is often to steal individual passwords or other network credentials such as passwords used for other applications or services, in place within an organization’s environment. These attacks could take advantage of known areas of weakness. Ensuring systems take advantage of the latest updates to provide increased security, is important. In these types of email attachment attacks, users are tricked into opening those attachments. Unbeknownst to them, the attachments are malicious. These malicious attachments are designed to compromise the users’ systems and enable the attackers to steal their credentials, and systems that are not up to date are at increased risk of attack. This type of “document parser exploit” has been common for several years.
For more information: The latest Microsoft Security Intelligence Report, volume 17 has more information on document parser exploits. Primary areas include:
- Newer is better: running the latest version of document parsers, the latest service packs and security updates helps to protect against these types of attacks. Examples of document parsers are Microsoft Office, Adobe Acrobat, Adobe Reader, and others.
- Use Microsoft Update to keep your Windows based systems up to date. Microsoft Update will help keep all of your Microsoft software updated including Windows operating systems and Microsoft Office.
- Don’t open email attachments or documents hosted on the Internet if you don’t know and trust their source.
Privilege principles: least privilege not in use
Once cyberattackers have stolen credentials, they may be able to access their victim’s network. On networks where least privilege principles have been implemented, attackers are often thwarted in their attempts to move swiftly across the network and achieve their goal of gaining access to resources they need to further compromise more systems.
Protect high value assets
Each organization needs to determine what they consider to be their crown jewels and how to optimally protect those high value assets. For a number of reasons, high value assets may be co-mingled with other assets, as opposed to being more isolated or protected, within that network. In choosing not to isolate assets, the number of people who can regularly access systems, increases. For a cyberattacker with stolen network credentials, they could now have access to those high value assets, simply because the most important ones weren’t managed in a more protected or isolated way. Additionally, encrypting assets such as card swipe data, pin input data, data in flight, and data in storage, is as important a step as network isolation. These practices are not universally deployed by organizations and can contribute to the success of malicious activity. For more information: Microsoft’s Security Intelligence Report volume 17 has information on strategies covering the isolation and encryption of high value assets.
Protecting administrator credentials
Microsoft has published a series of papers on targeted attacks that includes guidance on mitigating credential theft. One such attack, called “pass-the-hash,” has been an attacker favorite for many years. This attack is typically used once the attackers have a stolen set of user credentials and have compromised the victim’s network. The goal of the attack is to harvest as many stolen credentials as possible in order to further compromise the victim’s network and remain undetected for as long as possible. Protecting administrator credentials is a critical step in containing this type of attack. Organizations that have not adopted these best practices are at increased risk against these well-known credential theft and reuse attacks. For more information: This recent paper discusses Pass-the-Hash (PtH) attacks against Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks. The strategies are useful for all types of software, as the PtH attack type is regularly used against all systems.
Perpetrator’s ongoing motivation
The main objective of targeted attacks continues to be the theft of high value data assets; not just compromising systems.
Attackers that target organizations do so because of the high value assets that exist there; such as personally identifiable information like credit card numbers or other personal information. Many criminals sell or trade such information to other criminals that seek to steal funds from bank accounts and ultimately steal identities. The victims of recent high profile attacks were targeted because they process millions of financial transactions and hold information on millions of consumers. These assets are more attractive to attackers than the satisfaction of compromising any system; whether Windows-based or any other operating system.
Protect, Detect, and Respond
Many organizations continue to use a security strategy centered on the concepts of protection and recovery. If only focused on these two categories, when the perimeter of the network is compromised, controls may be lacking to detect attackers and contain malicious activity. A more holistic security strategy that assumes a breach may occur, will benefit most organizations. This includes the establishment of effective ongoing monitoring, detection, management, and operational controls.