Chances are good … that you’re already infected

Depending on which of the many surveys on this topic you see, network breaches typically go undetected for an average of somewhere between 100 and 200 days. Since some organizations are faster and better at detection than others, that means that some undetected breaches last much longer than that. If your organization does not have strong processes in place not only to defend against attacks, but also to monitor internal network conditions in order to detect ongoing, persistent, breaches then your organization is at risk, and the chances are good that you have already been breached.

In the process of compiling our recent Threat Intelligence Report, NTT Security analysts observed a decrease in the number of cyber-attacks in the last quarter of 2016. At the same time, the intensity and sophistication of  attacks are on the rise. Hackers are shifting their strategy from relatively clumsy and brute-force widespread attacks to a more intentional and focused effort to compromise specific targets. High-value targets are those that they can pivot from, opening the door for more malicious and potentially lucrative ongoing activities.

Remedial actions after a breach are usually complex and costly, so prevention is a better plan to help prevent attacks and protect valuable assets and sensitive information. Here are some current thoughts about how the new attacks are being launched and how you can proactively protect your organization.

The new targeted attacks

For the second half of 2016, the Finance industry showed the highest total attack volume, with 16 percent of all attacks detected. Manufacturing was the next most targeted industry (15%) followed by Business Services (14%), Healthcare (11%), and Retail (10%). Organizations in these industries must maintain the awareness that, in the eyes of the malicious actors, they are valuable high priority targets.

Having spent over 17 years in the financial space, I will use this industry to help you understand the nature of these new attacks. The majority of attacks targeting the finance sector were related to web application attacks. Most of these attacks fell into one of two categories: insecure direct object reference and directory traversal attempts, as explained in detail by OWASP. Deeper investigation of logs suggested the majority of these attacks were related to scanning, probing or opportunistic attempts to retrieve sensitive data (e.g., user passwords) from common Linux files like /etc/shadow. The top five Linux directories targeted during directory traversal attempts are listed below. It’s important to note that cybercriminals focused on investment firms and insurance companies for nearly all of this activity.

                /etc/shadow

                /etc/master.passwd (Sub ID 3)

                /etc/master.shadow (Sub ID 4)

                /etc/security/passwd (Sub ID 5)

                /etc/security/opasswd

Analysts observed large numbers of cross-site scripting (XSS) attempts in both HTTP GET and POST requests in the finance industry as well. The bulk of these attempts were identified as generic XSS attempts, designed to submit code into specific web application parameters. NTT Security analysts also observed a significant number of exploit attempts against popular HTTPoxy vulnerabilities (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110). Disclosed in mid-2016, this vulnerability existed due to the way RFC 3875 (CGI) reads in information from the proxy header of HTTP requests and stores it into the environment variable HTTP_PROXY, which is a popular environment variable used to configure outgoing proxies. This vulnerability subsequently allowed cybercriminals to direct the vulnerable server to an address and port of their choosing.

Speaking of new threats, by now everyone should have heard of the recent Ransomware attacks, WannaCry and Petya. Our Threat Intelligence teams have confirmed that Petya was a malicious software update delivered to the targets via the MEDoc tax accounting software, developed by a Ukrainian company. Our GTIC (Global Threat Intelligence Center)team was able to confirm this through our own internal research followed by external intel source confirmation. The MEDoc application is apparently widespread and even mandated by the Ukrainian government. Of the identified victims most of them have been confirmed to have a Ukrainian presence and propagation through the network environment resulting in the global spread.

Although many organizations are in dire need of detection help as well as incident response, many more have not been impacted, of course. It is clear that multiple, in-depth defense strategies, including effective patch management, has contributed to the prevention of these types of malware impacts. 

Recommendations for protection

At a high level, most security pros and analysts advise a range of actions:

• Conduct regular vulnerability scans and penetration testing, of both internal and external facing network segments, to determine any potential security flaws and apply appropriate patches to critical assets first, followed by other systems.
• Always take a defense-in-depth (DiD) approach to security controls, thereby increasing roadblocks for cybercriminals. This DiD approach should include defining internal segmentation and segregation.
• Establish an Incident Response Team followed by tested IR processes and procedures,
• Implement a measurable and repeatable patch management program, utilizing automation and manual verification processes to ensure necessary software and hardware patches are applied, mitigating successful vulnerability exploit attempts.
• Whitelist approved applications which run on internal networks and deny all anomaly’s traffic.
• Ensure critical data and information is backed up and stored off-site. Processes and procedures to revert to backups during an incident should be tested regularly.