This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks are tracking at this time.
Apply our human intelligence to the numerous threats we face in the modern world and you get real Threat Intelligence. As security professionals we often focus our magnifying glasses on sexy technical things like botnets and remote code executions. But sometimes we’ve got to turn the magnifying glass around and look at ourselves. Some of the issues we’re tracking in September, 2015, several of which comprise an ongoing campaign of ours, gave us very good reason to do that.
Web Browsers Get Hammered
WHAT: August saw an uptick in critical web browser-based attacks via Internet Explorer and Firefox. These vulnerabilities allow attackers to remotely steal files or execute code at the permission of the web browsing user! Mozilla even reports attacks exist in the wild for the Firefox vulnerabilities.
WHY: The modern web browser is the most exposed and vulnerable piece of software on most computers today. By design, browsers download and execute code from remote sources. This makes browsers an extremely common attack vector. We are closely tracking logs indicative of these attacks and examining update server logs to find gaps in application patching.
IE Remote Code Execution: https://technet.microsoft.com/library/security/MS15-093
Firefox Remote File Stealing: https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
What’s It Going to Take to Get You Into this Proxy Bot?
WHAT: Stop me if you’ve heard this one:
A user browses to a normal webpage. Behind the scenes an exploit kit, such as Angler or Neutrino, hits the user’s browser. This exploit pushes through a piece of malware disguised as a plugin. The computer joins a proxy-based botnet. The attackers then sell off that access for malicious activity.
WHY: Proxy bots have been one of our on-going hunts this year. Our research indicates that few organizations block outbound proxy protocols. Unauthorized proxy traffic rarely has a legitimate use. Inside the proxy tunnel, anything can happen such as commands to dwelling malware, data surreptitiously read or copied, or remote access into your network. While we recommend blocking proxies, we watch for an increase in this traffic at the border to help hunt these kinds of infections, even if endpoint security isn’t picking them up—which endpoint security doesn’t always do! Exploit kits evolve rapidly, and their signature changes easily outpace definition updates.
Bunitu Proxy Botnet: http://www.theregister.co.uk/2015/08/11/bunitu_botnet_vpn_scam/
HolaVPN Access Reselling: http://www.forbes.com/sites/ianmorris/2015/05/29/hola-vpn-selling-users-broadband/
WHAT: Business IT departments have a tricky job: they must deliver solutions at the speed of business while educating users at the speed of humans. However, people are resourceful and will apply that to solving their selfish needs. “Shadow IT” is the user-level application of the numerous technologies available to solve daily problems. For example, if the secure file sharing solution you paid for is to complex, they will just open up a Dropbox account. Or if the corporate wireless is too slow or restrictive, they will plug an insecure consumer grade wifi router into their local switch.
WHY: Shadow IT is difficult to tame. Users with the very best intentions can unknowingly put business data at risk when they setup work-arounds. The solution to shadow IT is equally complex. It requires a combination of technical controls, policies, and user education improvements to combat it. We work with organizations to hunt down evidence of shadow IT activities, to inform leadership and prompt informed decision making.
This leads us to…
1% of Users Equal 75% of Risk
WHAT: The annual Verizon Data Breach Investigations Report has a fascinating new statistic. It states that 1% of users comprise 66%-75% of the risk to an organization via their behavior and actions. This is kind of a perversion of the Pareto Principle. It is, however, not surprising to us.
WHY: We spend great amounts of time and effort building tall walls, strong gates, deep moats, and training fire-breathing information specialists. If the right people give out their password when asked nicely, or get infected from their especially policy-exempted workstation, none of that matters. Tracking some of these threats themselves can be difficult, given sufficient time analyzing logs, our Sherlocks begin seeing patterns that may indicate particularly problematic users. Armed with this analysis, we can aid organizations in identifying users who can then be given additional attention for procedures and usage policy education. According to the Verizon DBIR, that could pay incredible security returns!
One of the greatest challenges in Information Security is the human element. Collectively, we can help each other and push forward toward creating and maintaining systems that are both usable and safe. As such, we hope these highlights for the last month have been useful to you. We welcome any conversation on these topics in the comments below!
Check back next month for our October Sherlock report.