Here we are at October, sipping pumpkin lattes and eating threat intelligence. Each month, we are reminded how common problems can reverberate as new challenges. Like ripples racing across a still lake, these problems can quickly escalate into something far less placid.
New Infection Vectors
WHAT: Different avenues of infection present themselves each day. Email attachments, unapproved USB devices plugged in, and even improper browsing habits all conspire to infect us.
Lately, we have seen an increase in emails with attachments requesting payment on a past-due bill. The attachment is malicious and, when opened, infects the host. If the anti-malware on that host is out of date, the malware can not only disable it, but spread itself to other hosts. Those hosts can include things as innocuous as an IP camera. That camera has gone from silent observer in the corner of a hallway to the nexus of an enterprise-wide breach.
WHY: It is not enough to just have anti-virus software. It must be kept current, monitored, and updated. However, the larger issue here is segmentation. Devices like cameras and printers need to be isolated from other hosts. These devices are notoriously vulnerable to all manner of exploits. Wireless networks are no exception. Wireless cameras and printers should be fully isolated on their own SSID with limited to no Internet access.
Internet of Things (IoT)
WHAT: Following from the previous issue, IoT is exploding in popularity. No longer is it just the computer that gets compromised. All sorts of items you can buy now have network connectivity, usually justified by firmware updates. IP surveillance cameras and security system DVRs are great examples. These devices often have hard-coded usernames and weak default passwords. They also commonly use insecure protocols, like telnet. Ugh, telnet. Seriously?
Recently, we encountered an IP camera with a hard-coded password that was extremely easy to brute-force. In fact, a hacker found this and used it as a pivot point into the environment. Ideally, noise and traffic like this trigger all sorts of alerts on the SIEM, or on the firewall passing that traffic. In our case, the Sherlock team spotted these quickly, and reacted in moments. The camera was locked down and the hacker was booted from the environment.
However, what if there was nobody watching, as is often the case? This is how mega-breaches begin.
WHY: Several key things could prevent this situation from occurring, namely strong security controls that limit the spread of malicious entities. Network segmentation and strong firewall rules are vital. Next, daily or weekly reviews of logs and alerts. Who handled the alerts generated about this device? Why did those alerts generate? How long did it take to respond to the alert? It is not enough to just gather log data; somebody (or something) has to watch for unusual behavior. Lastly, a periodic review of firewall rules. Look for odd entries, or unknown rules that have been added since the last review. When, who, and why are good questions to ask about any difference found when no change notification is present.
Booter For Hire
WHAT: DDoS has become a popular tactic to coerce companies into paying to stop attacks. As more and more vulnerable devices become connected to the Internet, as mentioned above, the volume of bandwidth available to attack those companies increases. Recently, we have seen the emergence of “Booter-for-Hire” groups (you can read more about them on Krebs’s blog or in this excellent report on DDoS at Imperva’s site). These organizations provide on-demand DDoS attack services. For a few Bitcoins, you can order and schedule a DDoS attack on anybody.
Remember that small IP camera that was commandeered earlier? That camera is now an asset in the botnet army DDoSing you, or somebody else. What appears to be innocent traffic coming off your network is, in reality, attacking another company to try to take them offline. This can lead to your IP address(es) being blacklisted, damage to your company’s reputation, and other undesirable situations.
WHY: All the suggestions mentioned above work here as well: segmentation, strong firewall policies, and SIEM monitoring. One of the fundamental hunts we do on the Sherlock team is searching for nodes consuming an abnormal amount of bandwidth (a high volume of DNS queries, ping traffic, etc.). This is one of the more reliable methods of spotting the source of an infection.
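As an added example (not from the original post), here is one way the bandwidth hunt described above can be scripted in Python over constructed flow records: per-host DNS and ICMP packet volumes are compared against a robust median/MAD baseline, so a single noisy camera stands out without dragging the baseline up with it. The record format and the 10.0.1.x addresses are assumptions made for this example.

```python
"""Hunt for hosts generating abnormal DNS or ICMP volume across a fleet."""
import statistics
from collections import Counter

# Constructed flow records ("src_ip proto dst_port packets"); not real traffic.
# 10.0.1.50 stands in for the compromised camera. Format is hypothetical.
CONSTRUCTED_FLOWS = [
    "10.0.1.10 udp 53 12", "10.0.1.10 icmp 0 3",
    "10.0.1.11 udp 53 15", "10.0.1.11 icmp 0 2",
    "10.0.1.12 udp 53 9",  "10.0.1.12 icmp 0 4",
    "10.0.1.13 udp 53 14", "10.0.1.13 icmp 0 3",
    "10.0.1.14 udp 53 11", "10.0.1.14 icmp 0 2",
    "10.0.1.15 udp 53 13", "10.0.1.15 icmp 0 3",
    "10.0.1.50 udp 53 480", "10.0.1.50 icmp 0 3",
    "10.0.1.50 tcp 443 200",  # HTTPS is not part of this hunt; ignored
]

def classify(proto, dst_port):
    """Map a flow to the hunt signal it feeds, or None if irrelevant."""
    if proto == "udp" and dst_port == 53:
        return "dns"
    if proto == "icmp":
        return "icmp"
    return None

def per_host_counts(flows):
    """Sum packets per signal per source host from 'src proto port packets' lines."""
    counts = {"dns": Counter(), "icmp": Counter()}
    for line in flows:
        src, proto, port, packets = line.split()
        signal = classify(proto, int(port))
        if signal:
            counts[signal][src] += int(packets)
    return counts

def modified_z(values):
    """Iglewicz-Hoaglin modified z-scores: median/MAD, so one outlier can't skew them."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:  # near-identical baseline: fall back to mean absolute deviation
        mean_ad = statistics.mean([abs(v - med) for v in values])
        if mean_ad == 0:
            return [0.0] * len(values)
        return [(v - med) / (1.253314 * mean_ad) for v in values]
    return [0.6745 * (v - med) / mad for v in values]

def find_noisy_hosts(flows, threshold=3.5):
    """Return sorted [(src_ip, signal, packets, z)] for hosts far above the baseline."""
    hits = []
    for signal, counter in per_host_counts(flows).items():
        hosts = list(counter)
        zs = modified_z([counter[h] for h in hosts])
        hits += [(h, signal, counter[h], round(z, 1)) for h, z in zip(hosts, zs) if z > threshold]
    return sorted(hits)
```

Run against the constructed records, only the camera's DNS volume crosses the threshold; the ICMP counts all sit within normal variation.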
Like the plonk of a rock in a lake, one infection can ripple across the organization. A single camera or host can go from innocent node on the network to participant in a global crime syndicate. These ripples can go from peaceful waves to a tsunami of packets in no time.