07 May
5 Emerging Vectors of Attack and Recommendations for Mitigating the Risks
A lack of network visibility is a key challenge we hear about often from the network security community. It’s the result of a complicated mix of issues such as infrastructure complexity, BYOD, and the cloud transformation, among others.
Issues like these all ranked among the top 10 challenges in network security identified by the network security professionals we recently surveyed. They were also central to a panel session at the RSA Conference titled The Five Most Dangerous New Attack Techniques and How to Counter Them.
The panel is held annually and brings together a group of experts from the SANS Institute. Moderated by SANS Institute Research Director and Founder Alan Paller, it describes the current threats his team has identified in its research, along with recommendations for mitigating the associated risks.
Here are our notes about these five attack techniques from the session.
1) Manipulating domain naming infrastructure
Adversaries are using stolen credentials to log into DNS providers and registrars and alter DNS records, according to Ed Skoudis, the SANS instructor credited with creating the institute's penetration testing program. For example, an attacker changes an organization's mail exchanger (MX) records so that messages intended for it are routed through a server the attacker controls, which lets the attacker read the messages before forwarding them on.
Once they can intercept email, attackers can apply for Transport Layer Security (TLS) certificates for the organization's own domain names and complete the certificate authority's email-based domain validation by clicking the links in the intercepted messages. He pointed to Krebs on Security, among other sources, which have documented these attacks against government, law enforcement and commercial enterprises.
Some of the recommendations Mr. Skoudis suggests are:
- Require multi-factor authentication for any change to the DNS infrastructure, including the registrar and DNS provider accounts;
- Deploy DNSSEC, both signing your own zones and validating signatures on your resolvers;
- Revoke any illegitimate certificates that already exist for your domains; and
- Monitor public DNS records and Certificate Transparency logs for changes to records and certificates associated with your organization.
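The last recommendation is the one most teams can automate quickly. The following Python script is an added example (not code from the panel or the original post) that does two things: it diffs a saved baseline of the records an organization expects to publish against a fresh snapshot, and it screens Certificate Transparency entries for the organization's names against the issuers it actually uses. The zone `example.com`, the record values, the issuer names and the CT entries are all constructed for illustration; in production the snapshot would come from a resolver query and the CT entries from a log monitor.

```python
"""Detect unauthorized DNS record changes and unexpected certificate issuance.

Added example, not from the SANS panel or the original post. All inputs below
are constructed: a baseline of expected records, a snapshot in which the MX
record has been hijacked, and two Certificate Transparency (CT) entries, one
of them issued by a CA the organisation never uses.
"""
from dataclasses import dataclass

# Baseline: what the (hypothetical) zone example.com is expected to publish.
EXPECTED_RECORDS = {
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("mail.example.com.", "A"): {"203.0.113.10"},
}

# Constructed snapshot of what public resolvers return right now.
OBSERVED_RECORDS = {
    ("example.com.", "MX"): {"10 mx.attacker-relay.invalid."},  # hijacked MX
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("mail.example.com.", "A"): {"203.0.113.10"},
}

# Issuers the organisation legitimately obtains certificates from (assumed).
APPROVED_ISSUERS = {"DigiCert Inc", "Let's Encrypt"}

# Constructed CT log entries: (certificate serial, issuer organisation, subject names).
CT_ENTRIES = [
    ("01A3", "Let's Encrypt", ["example.com", "www.example.com"]),
    ("7F22", "FreeCertCA", ["mail.example.com"]),  # obtained via the hijacked MX
]


@dataclass(frozen=True)
class Finding:
    kind: str
    name: str
    detail: str


def diff_dns(expected, observed):
    """Return a finding for every record set that differs from the baseline.

    A record set that disappeared entirely is reported too: an NS or MX that
    vanishes is as suspicious as one that changed.
    """
    findings = []
    for key, want in expected.items():
        got = observed.get(key, set())
        if got != want:
            name, rtype = key
            findings.append(Finding(
                "dns-change", f"{name} {rtype}",
                f"expected {sorted(want)}, observed {sorted(got)}"))
    return findings


def screen_ct(entries, approved_issuers, zone):
    """Flag certificates covering our names that were issued by a CA we do not use."""
    findings = []
    for serial, issuer, names in entries:
        ours = [n for n in names if n == zone or n.endswith("." + zone)]
        if ours and issuer not in approved_issuers:
            findings.append(Finding(
                "unexpected-cert", ",".join(ours),
                f"serial {serial} issued by {issuer!r}"))
    return findings


def audit(expected=EXPECTED_RECORDS, observed=OBSERVED_RECORDS,
          entries=CT_ENTRIES, approved=APPROVED_ISSUERS, zone="example.com"):
    """Run both checks and return the combined list of findings."""
    return diff_dns(expected, observed) + screen_ct(entries, approved, zone)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

On the constructed input the script reports the changed MX record and the certificate for mail.example.com from the unapproved issuer. Two design points matter in practice: the baseline must be kept somewhere the DNS provider credentials cannot reach, or an attacker who controls the account can update it as well; and the CT screen should run continuously, because a certificate obtained through a hijacked MX is valid the moment it is issued.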
2) Domain fronting
Domain fronting is a technique adversaries use to hide the true destination of their traffic. It was the second attack technique in the session and was also presented by Mr. Skoudis. It lets an attacker conceal where command and control (C2) traffic really goes and build a reliable channel that exfiltrates data to a location defenders cannot identify.
One challenge with these attacks is that some security professionals believe the issue has been fixed, because Google and Amazon have restricted domain fronting on their content delivery networks (CDNs). The problem remains, however, because there are other CDNs on which domain fronting still works.
He unpacks how this attack unfolds in four steps:
a) The adversary uses a compromised server, running undetected malware, on an internal network to send a DNS request for a trusted website hosted on a CDN where the attacker has also set up a customer account;
b) The server sets up a TLS connection to that trusted site, so the server name visible on the wire (the TLS SNI) is the trusted site's;
c) The malware on the server sends an HTTP/1.1 request whose Host: header asks for something other than the trusted site, usually the customer account the attacker has set up on the CDN (network defenders typically cannot see inside the request because the traffic is encrypted, unless it is decrypted at the boundary); and
d) The CDN routes the request by its Host header to the attacker's instance, which in turn forwards it to the attacker's origin server. The result, Mr. Skoudis says, is an exfiltration channel that looks to defenders like traffic to a trusted site on a CDN. This vector is unlikely to go away, because it has shown attackers how to "disappear into the cloud." Organizations that use cloud-based services effectively treat those services as part of their own infrastructure, cloud vendors cannot simply shut them down without denying access to legitimate customers, and so adversaries can "launder" their activity from cloud to cloud.
Among the recommendations Mr. Skoudis made are:
- Implement TLS interception at the network boundary;
- Encrypt data in the cloud and store the encryption keys elsewhere; and
- Consider tools that spot beaconing through domain fronting, such as Real Intelligence Threat Analytics (RITA), a free tool from Black Hills Information Security.
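The first recommendation exists because the only thing that distinguishes a fronted request from a normal one is the disagreement between the TLS server name and the HTTP Host header, and the Host header is only visible after decryption. The following Python detector is an added example (not code from the panel, from Black Hills or from the original post) that consumes the decrypted view a TLS interception proxy would log, flags requests whose Host header names a different registrable domain than the SNI, and counts repeats per source to surface beaconing. The log lines, the CDN front `cdn.example-front.com`, the attacker account name and the allowlist are all constructed for illustration.

```python
"""Spot domain fronting by comparing the TLS SNI with the HTTP Host header.

Added example, not from the panel or the original post. The records below are
constructed in the shape a TLS interception proxy could export: connection id,
source host, the SNI seen in the ClientHello, and the Host header seen after
decryption. In production they would come from the proxy's logs or from Zeek
ssl.log/http.log entries joined on the connection id.
"""
from collections import Counter

# Constructed proxy records: connection id, source host, TLS SNI, HTTP Host.
PROXY_LOG = """\
c1 10.0.5.17 cdn.example-front.com cdn.example-front.com
c2 10.0.5.17 cdn.example-front.com a1b2c3.attacker-account.cdn.invalid
c3 10.0.5.17 cdn.example-front.com a1b2c3.attacker-account.cdn.invalid
c4 10.0.5.42 www.example.com www.example.com
c5 10.0.5.17 cdn.example-front.com a1b2c3.attacker-account.cdn.invalid
"""

# (SNI, Host) pairs the organisation knows to be legitimate; some vendors'
# edge-delivery setups do produce benign mismatches. Constructed entry.
ALLOWED_PAIRS = {("cdn.example-front.com", "assets.example-front.com")}


def parse_proxy_log(text):
    """Parse the whitespace-separated records into dicts, lower-casing names."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, src, sni, host = line.split()
        rows.append({"cid": cid, "src": src, "sni": sni.lower(), "host": host.lower()})
    return rows


def registrable(name):
    """Crude registrable domain: the last two labels.

    Good enough for this example; a real deployment should use the Public
    Suffix List (e.g. the publicsuffix2 package) so that names like
    host.example.co.uk are handled correctly.
    """
    return ".".join(name.rsplit(".", 2)[-2:])


def find_fronting(rows, allowed=ALLOWED_PAIRS):
    """Return rows whose Host header names a different registrable domain than the SNI."""
    hits = []
    for r in rows:
        if r["sni"] == r["host"] or (r["sni"], r["host"]) in allowed:
            continue
        if registrable(r["sni"]) != registrable(r["host"]):
            hits.append(r)
    return hits


def beacon_summary(hits):
    """Count repeated (source, SNI, Host) triples; repetition suggests a C2 beacon."""
    return Counter((r["src"], r["sni"], r["host"]) for r in hits)


if __name__ == "__main__":
    hits = find_fronting(parse_proxy_log(PROXY_LOG))
    for (src, sni, host), n in beacon_summary(hits).items():
        print(f"{src}: SNI={sni} Host={host} seen {n}x")
```

On the constructed log, connections c2, c3 and c5 from 10.0.5.17 are flagged as one repeating triple, which is exactly the shape a fronted beacon takes. The comparison is done on registrable domains rather than full hostnames because a CDN customer's own subdomains (for example a front of www.example.com with a Host of static.example.com) are routine and would otherwise drown the alert in noise.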
3) Targeted cloud individualized attacks
Heather Mahalik presented the third attack technique by describing a forensic investigation she had worked on. She is the course director for mobile forensics at SANS and also serves as director of forensics engineering at ManTech.
The investigation involved a woman who was being tracked. Somehow the adversary knew about conversations in her private chat messages, knew her physical location and, oddly, seemed to know when she was about to switch devices. Ms. Mahalik called this a "targeted cloud individualized attack."
Part of the problem is that people openly broadcast everything they do on social media: details that can be collected bit by bit and lead to compromised accounts and situations like this one. We post birthdays and vacation photos and take social media quizzes that reveal our first pet's name, which for a while was a common security question banks used to confirm identity.
Compounding the problem is the fact people don’t realize how much personal information, including location data, is captured by the services we use on personal devices and then stored in the cloud. This is by design as many services provide a convenience we want but it sacrifices our privacy.
It is not just apps on our phones that capture this information. The data is also captured by our vehicles, watches, fitness trackers and tablets, and even by PCs and laptops, which typically ship with location services switched on by default.
Attackers can gain access to this data through a variety of means, such as guessing weak passwords, social engineering and phishing emails. While these attacks are personal, they can readily become organizational problems where personal devices have access to corporate networks (BYOD, for example).
Some of the recommendations Ms. Mahalik made are:
- Use strong passwords, or better, a password manager;
- Use two-factor authentication (2FA), and if a service does not offer 2FA, reconsider your use of that service;
- Review the privacy settings on the services you do use, including which third-party apps are authorized to access your data (e.g. by checking myactivity.google.com); and
- Enterprises with BYOD-style cultures or policies should require users to disclose it if they learn their personal device has been compromised.
4) Encryption and the loss of network visibility
SANS Dean of Research Johannes Ullrich, who also heads the SANS Internet Storm Center, presented the fourth threat: a loss of network visibility for the defender. Traditionally, one of the best ways to ensure network security was monitoring DNS logs, because virtually every activity on the network, malicious activity included, leaves DNS traces.
When someone visits a website, the client machine first queries a recursive resolver, usually run by the enterprise or the ISP. If the traffic on that first hop can be intercepted, an adversary can see what you are doing. Defenders want to monitor the same hop, because if there is malware on the network this is where it shows up: when it beacons out, it must first resolve the name of its malicious host.
That exposure raised privacy and data security concerns, which encrypting the lookup helps mitigate. Specifically, DNS over HTTPS (DoH) encrypts the client's connection to the recursive resolver. That is good for privacy and data security, but it also removes the ability defenders had to identify malicious activity from DNS traffic, and when a client is pointed at a public DoH service the enterprise resolver never sees the query at all.
Some of the recommendations Mr. Ullrich proposed are:
- Limit private web browsing on an enterprise network (or the expectation of privacy on company resources);
- Use a bona fide virtual private network (VPN) for personnel working remotely; and
- Re-evaluate the balance between security and privacy on enterprise networks and perhaps give some of that visibility back to the defenders.
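One way to give some of that visibility back is to stop relying on the DNS log alone and correlate it with the connection log: a host that reaches an external IP the enterprise resolver never handed it has resolved the name some other way, and a TLS connection to a well-known public DoH endpoint is the most direct sign of a bypass. The Python script below is an added example (not code from the panel, the Internet Storm Center or the original post) of that correlation. The two logs, the client and server addresses, and the exempt internal range are constructed; the DoH resolver addresses listed are the published Cloudflare, Google and Quad9 resolver IPs, but the set is illustrative and should be maintained from the operators' own lists.

```python
"""Find outbound connections that never went through the enterprise resolver.

Added example, not from the panel or the original post. Correlates a
constructed resolver query log with a constructed connection log. A connection
whose destination was never answered to that client by the enterprise resolver
(or was answered only after the connection started) is reported, as is any
TLS connection straight to a known public DoH resolver.
"""
import ipaddress

# Constructed resolver log: timestamp client qname answer_ip
DNS_LOG = """\
100 10.0.5.17 www.example.com 203.0.113.20
101 10.0.5.42 mail.example.com 203.0.113.10
"""

# Constructed connection log: timestamp client dst_ip dst_port
CONN_LOG = """\
102 10.0.5.17 203.0.113.20 443
103 10.0.5.17 203.0.113.99 443
104 10.0.5.42 203.0.113.10 993
105 10.0.5.42 1.1.1.1 443
"""

# Public DoH resolver addresses (illustrative subset; keep current from the
# operators' published documentation).
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Destinations that legitimately never appear in the resolver log (assumed
# internal range for this example).
EXEMPT_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_dns(text):
    """Map (client, answer_ip) to the earliest time the resolver returned it."""
    seen = {}
    for line in text.splitlines():
        if line.strip():
            ts, client, _qname, answer = line.split()
            seen.setdefault((client, answer), int(ts))
    return seen


def parse_conns(text):
    conns = []
    for line in text.splitlines():
        if line.strip():
            ts, client, dst, port = line.split()
            conns.append({"ts": int(ts), "client": client, "dst": dst, "port": int(port)})
    return conns


def is_exempt(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXEMPT_NETS)


def find_unresolved(conns, resolutions, doh=KNOWN_DOH_RESOLVERS):
    """Return (connection, reason) pairs for connections with no preceding resolver answer."""
    findings = []
    for c in conns:
        if is_exempt(c["dst"]):
            continue
        if c["dst"] in doh and c["port"] == 443:
            findings.append((c, "known DoH resolver"))
            continue
        ts = resolutions.get((c["client"], c["dst"]))
        if ts is None or ts > c["ts"]:
            findings.append((c, "no prior DNS answer from enterprise resolver"))
    return findings


def report(dns_text=DNS_LOG, conn_text=CONN_LOG):
    """Correlate both logs and return the findings."""
    return find_unresolved(parse_conns(conn_text), parse_dns(dns_text))


if __name__ == "__main__":
    for conn, reason in report():
        print(f"{conn['client']} -> {conn['dst']}:{conn['port']} at {conn['ts']}: {reason}")
```

On the constructed logs the connection from 10.0.5.17 to 203.0.113.99 is reported because the resolver never returned that address to that client, and the connection from 10.0.5.42 to 1.1.1.1:443 is reported as a direct DoH session. In a real deployment the resolver log needs a lookback window longer than the longest TTL you serve, since a client's own cache lets it reconnect long after its last query, and CDN round-robin answers mean the check should accept any address the resolver returned for the name, not just the one it returned last.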
5) How hackers can exploit hardware features
Computers are not just a CPU, according to Mr. Ullrich, who also presented the fifth attack. Many machines today contain multiple chips that "are systems in their own right with processing power, memory and code running on them." These are not vulnerabilities as such; rather, these subsystems provide features that adversaries can abuse to gain more persistent access to a system.
He pointed to baseboard management controllers (BMCs) as an illustration. BMCs are typically connected to a privileged management network used, for example, to power machines on and off or reboot them. An adversary who gains control of a server can use its BMC to reach that network and scan for additional hosts.
Some professionals believe these privileged networks are air-gapped, meaning they cannot be reached from outside. That is only partly true: an attacker can compromise the server from outside the network and then reach the management network using tools already present on the server.
He points out that the risks apply in the cloud too. Few IT professionals would think to check the BMC on a cloud server to see whether a previous tenant had changed its configuration. It illustrates why these components must be secured using the same principles that apply to externally facing networks.
Mr. Ullrich suggested the following measures:
- Secure or remove management utilities;
- Control access to the management network;
- Use strong credentials to access these networks; and
- Implement network monitoring on these management networks.
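The three host-side checks behind these recommendations are mechanical enough to script. The following Python audit is an added example (not code from the panel or the original post) that parses text in the shape that `ipmitool lan print` and `ipmitool user list` produce and checks that the BMC's address lies in the dedicated management network, that no default or built-in account holds ADMINISTRATOR privilege, and whether the host itself carries the in-band path (the kernel IPMI device plus ipmitool) that turns "access to the server" into "access to the management network". The two command outputs are constructed samples with field names as ipmitool prints them, the management range 10.99.0.0/16 is assumed, and the list of default account names is an assumption to be tuned per vendor.

```python
"""Audit a server's BMC configuration and its in-band path to the BMC.

Added example, not from the panel or the original post. LAN_PRINT and
USER_LIST are constructed samples in the shape of `ipmitool lan print 1` and
`ipmitool user list 1` output; in production feed the real command output in.
"""
import ipaddress
import os
import shutil

MANAGEMENT_NET = ipaddress.ip_network("10.99.0.0/16")  # assumed out-of-band network

# Constructed output in the shape of `ipmitool lan print 1`.
LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 172.16.4.20
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
Default Gateway IP      : 172.16.4.1
"""

# Constructed output in the shape of `ipmitool user list 1`.
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   ops-break-glass  true    false      true       ADMINISTRATOR
"""

# Account names that ship enabled on many BMCs (assumed list; tune per vendor).
DEFAULT_ACCOUNT_NAMES = {"admin", "root", "administrator", "user", "operator"}


def parse_lan_print(text):
    """Turn 'Key : value' lines into a dict keyed by the trimmed field name."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_user_list(text):
    """Parse user rows. The privilege is the last column and may be the two-word
    'NO ACCESS'; the name may be empty (user 1 often is), so it is recovered as
    whatever sits between the ID and the three boolean columns."""
    users = []
    for line in text.splitlines()[1:]:  # skip the header row
        tokens = line.split()
        if not tokens:
            continue
        if line.rstrip().endswith("NO ACCESS"):
            priv, rest = "NO ACCESS", tokens[:-2]
        else:
            priv, rest = tokens[-1], tokens[:-1]
        name = " ".join(rest[1:-3])
        users.append({"id": int(rest[0]), "name": name, "priv": priv})
    return users


def audit_bmc(lan_text, user_text, mgmt_net=MANAGEMENT_NET):
    """Return human-readable findings for a BMC outside the management network
    and for default accounts holding ADMINISTRATOR privilege."""
    findings = []
    lan = parse_lan_print(lan_text)
    ip = lan.get("IP Address")
    if ip and ipaddress.ip_address(ip) not in mgmt_net:
        findings.append(f"BMC IP {ip} is outside the management network {mgmt_net}")
    for u in parse_user_list(user_text):
        if u["priv"] == "ADMINISTRATOR" and u["name"].lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append(f"default account {u['name']!r} (id {u['id']}) holds ADMINISTRATOR")
    return findings


def inband_bmc_exposure(dev_path="/dev/ipmi0", tool="ipmitool"):
    """Report whether this host can talk to its own BMC in-band. The kernel IPMI
    device plus ipmitool is the toolset the panel warns about: root on the
    server is then enough to reconfigure the BMC and reach the management
    network, with no BMC credentials required."""
    return {"ipmi_device": os.path.exists(dev_path),
            "ipmitool_on_path": shutil.which(tool) is not None}


if __name__ == "__main__":
    for finding in audit_bmc(LAN_PRINT, USER_LIST):
        print("FINDING:", finding)
    print("in-band exposure on this host:", inband_bmc_exposure())
```

On the constructed samples the audit reports the BMC sitting on 172.16.4.20 (outside the assumed 10.99.0.0/16 management range) and the built-in ADMIN account holding ADMINISTRATOR; the named break-glass account is left alone because the point is to find defaults the previous owner, or the vendor, left behind. Whether to remove ipmitool and the IPMI kernel module from production hosts is a policy decision, but the audit makes the exposure visible so the decision is at least made knowingly.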
* * *
The full session was recorded and runs a little more than 45 minutes, including a Q&A period. You can find the recording on the RSA Conference website or on the RSA Conference YouTube channel.