In mid-April 2018 Cisco released their annual Cyber Security Report. Its 68 or so pages highlight what they see as the main threats and potential defence strategies. The report is summarised here and will hopefully prove less painful than reading the whole 68 pages. Leave that to us!
In the report, Cisco and their threat researchers, partners and the communities they interact with highlight three key themes, these being that:
That’s not to say that everyone is exposed and that it’s just a matter of time. No. However, we do need to be aware of this. Knowing where your own weaknesses lie and knowing what your attackers are likely to target (Sun Tzu) is a great help.
Encryption is another area that is being exploited. With Google and others encouraging encryption and flagging unencrypted traffic as potentially insecure, companies are widely adopting SSL/TLS and HTTPS. What was initially seen as a safety feature is now being used by threat actors for their callback traffic, which blends in with legitimate encrypted connections. Being able to identify malicious activity within encrypted traffic is now a necessity.
Email. This is still widely used for distributing malware, though the file extensions being used are changing to cover more and more document types. Malicious files or code are being hidden inside ZIP, RAR or other archive-type files, as these are often harder to scan. Sandbox evasion techniques are also starting to be seen in some of these files as the malware being delivered becomes more sophisticated. Equally, they warn about the old threats. As these become cheaper on the dark web, and as the tools make them easier to use, more people are using them and pushing them out. So much time can be spent looking for the detail that the elephant in the room is easily missed.
The second trend identified how legitimate cloud-based services, like Dropbox, can be used to hide malware. A piece of code is delivered to the endpoint (usually via a phishing mail) and then calls back to a Dropbox file, which is seen as legitimate traffic. However, the file could contain malware or, more often, a link to a website with malware on it. Since the initial communication is with a legitimate site, this link can be used to hide the malicious traffic that follows.
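As an added example that is not from the Cisco report or this blog: the callback pattern above, over an encrypted channel to a legitimate cloud-sharing service, still leaves connection metadata (who connected to which host, and when). The detection logic below flags a client that contacts a watched file-sharing domain at near-constant intervals, which is how scheduled callbacks differ from a person using the same service. The log format, the sample lines and the watched-domain list are constructed for this example, not taken from any product.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-proxy log: "<ISO timestamp> <client> <destination host> <bytes>".
# Payloads are encrypted, so this connection metadata is all that is available to inspect.
SAMPLE_LOG = """\
2018-04-16T09:00:00 10.0.1.15 content.dropboxapi.com 1212
2018-04-16T09:01:12 10.0.1.15 www.example.org 48211
2018-04-16T09:05:01 10.0.1.15 content.dropboxapi.com 1198
2018-04-16T09:10:00 10.0.1.15 content.dropboxapi.com 1230
2018-04-16T09:11:40 10.0.1.22 www.dropbox.com 90314
2018-04-16T09:15:02 10.0.1.15 content.dropboxapi.com 1205
2018-04-16T09:20:00 10.0.1.15 content.dropboxapi.com 1199
2018-04-16T09:42:10 10.0.1.22 www.dropbox.com 455020
2018-04-16T11:03:55 10.0.1.22 www.dropbox.com 12000
2018-04-16T11:05:30 10.0.1.22 www.dropbox.com 3100
"""

# Constructed list of legitimate services that the report notes are abused as relays.
WATCHED_SUFFIXES = ("dropbox.com", "dropboxapi.com")


def parse_log(text):
    """Yield (timestamp, client, host) from the constructed log format."""
    for line in text.splitlines():
        ts, client, host, _size = line.split()
        yield datetime.fromisoformat(ts), client, host


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_beacons(text, min_hits=4, max_jitter=0.15):
    """Return {(client, host): mean gap in seconds} for watched flows whose request
    gaps are near-constant (coefficient of variation <= max_jitter); bursty,
    irregular use of the same service by a person is not flagged."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        if is_watched(host):
            times[(client, host)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg)
    return flagged
```

On the sample log, `find_beacons(SAMPLE_LOG)` flags 10.0.1.15 talking to content.dropboxapi.com roughly every 300 seconds, while 10.0.1.22's irregular use of www.dropbox.com is left alone; a hit is a lead for review, not proof of compromise.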
We are now starting to see the widescale adoption of Internet of Things devices, especially in the home or smaller offices. Anything from security cameras to the coffee machine, and this is providing plenty of opportunities for attackers to take advantage of technology that is not really understood.
Many of these devices are also prone to weaknesses and have no way of being easily updated. We saw recently how an IoT device (e.g. a fish tank)(1) can provide the necessary gateway into what was otherwise a secure network.
Industrial Control Systems (ICS) also tend to use many of these IoT-type devices (IIoT)(2). They are often just as vulnerable as many of the consumer or user devices, and many of the same rules apply: remove default passwords, patch regularly and use network segmentation. However, according to the report, and rather disappointingly, patching of IoT devices just isn’t happening. This is due to several reasons, such as lack of awareness, lack of ownership or difficulty identifying affected devices.
We’ve also seen how IoT devices can be recruited into a successful Distributed Denial of Service (DDoS) attack(3).
Whilst DDoS attacks used to target the network layer and network access, they are increasingly being aimed at specific applications, or at least the application layer and its protocols. Part of the driver is that DDoS protection and scrubbing services are more effective than they used to be, so network-layer attacks are becoming less successful. By moving the target up the OSI stack, attackers are having a much greater effect.
Another factor in this is shadow IT. Typically, non-IT people setting up applications in cloud-based services, such as AWS and Azure, or even on internal systems, may not have the same system and security knowledge and therefore may be missing some basic steps, thus leaving systems vulnerable. In the report these are described as ‘leak paths’, and finding and fixing them is incredibly difficult.
Whilst the topic of staffing is covered later in the report, it is only discussed briefly and is referenced in just a couple of graphics. However, one of the earlier graphics highlights what skills companies would add if they could recruit additional bodies. This, by implication, means that many companies are missing some if not all of these skill sets or technologies, and this is often what drives the decision to outsource to specialist Managed Security Service Providers.
Another driver for using MSSPs is the increasing number of security technologies being deployed. This also means the number of alerts, often for the same thing, is increasing and putting additional load on already stretched security or IT teams. The other finding (which we’ve highlighted in our previous blogs) is that many of these alerts aren’t being investigated, and those that are often aren’t remediated.
So, what can be done? Going back to the start of the report, Cisco makes a number of useful recommendations. They are quoted here, in full and without alteration, as they all make perfect sense and should form part of an overall security strategy.
Secon Cyber offers many tools and solutions that can help with these recommendations: from a Managed Detection and Response service with a consolidated risk-based dashboard, to virtual patching, network inspection and monitoring, DDoS protection, training and awareness, phishing tests, privileged access management and secure passwords, and cloud discovery and protection. We also offer health checks and consultancy, and work with independent third parties for penetration testing and ISO 27000 audits.
1 – https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/#5187f30232b9
2 – http://www.trapx.com/wp-content/uploads/2017/08/TrapX-Original-Research-Industrial-Control-Systems-Under-Siege.pdf
3 – https://www.us-cert.gov/ncas/alerts/TA16-288A