Many Companies Are Still Failing at the Basics of Cyber Security, Analysis of More Than 1,000 Incidents Finds
While adversaries continuously refine their attack methodologies — primarily towards greater efficiency, simpler operation and more effective outcomes — security analysts are struck by the static nature of their recommendations to business. “The same issues and security gaps are blighting organizations’ ability to identify and respond to threats,” they say.
Secureworks has analyzed the findings of more than 1,000 incident response engagements undertaken during 2018. These include both ’emergency’ services involving live response to an ongoing incident, and ‘proactive’ services to help organizations plan for incidents and hunt for threats.
What they found was evolutionary rather than revolutionary progress by the aggressor, versus the same continuing security failures among the victims. It is the basics of security that continue to fail: poor visibility, lack of MFA, and insufficient care over third party suppliers.
Three areas of aggressor activity from Secureworks’ Incident Response Insights Report 2019 illustrate the evolutionary nature of cybercrime: ransomware, convergence of techniques between criminal gangs and state-sponsored groups, and business email fraud.
Ransomware is shifting from spray and pray against individual systems, to post-intrusion whole-business network compromise. The latter is far more effective. Spray and pray impacts an average of 1.8 hosts per incident, while the post intrusion method impacts an average of 114.3 hosts per incident — and businesses can afford much higher ransoms for release (River Beach City in Florida recently paid a $600,000 ransom for the release of its systems).
Although the use of SamSam has effectively stopped with the November 2018 indictment of two Iranian citizens, the methodology continues with Ryuk and LockerGoga. In one incident investigated by Secureworks, Emotet was used to introduce TrickBot which spread through the network before Ryuk was deployed, causing “a vast proportion of the organizationís network to become encrypted and rendered unusable.” Secureworks sees no sign of this methodology slowing down in 2019.
State-sponsored attackers accounted for just 7% of engagements through 2018, although Secureworks acknowledges that attribution is difficult. Partly, this is down to a degree of homogenization between criminals and state actors. “Many [state] groups conduct entire intrusions using publicly available tools and techniques, whereas others adopt increasingly sophisticated approaches to gain access to systems,” say the analysts. The use of publicly available tools and the growing trend for ‘living off the land‘ makes it difficult to ascribe an attack to a government.
However, the analysts described one attack where, “The behaviors were common to most targeted attacks: initial access leveraged credentials that appeared to have been acquired in a previous incident; additional credentials were stolen and a web shell was installed for persistence; file listings were generated; and then a subset of files on those lists were stolen.”
Business email fraud (including BEC and business email spoofing) is increasing. Twenty-one percent of financially motivated incidents investigated in 2018 involved business email fraud, and there is evidence that the attacks are becoming more sophisticated. In one case, note the analysts, “the threat actors monitored emails containing travel itineraries and timed their fraud activity while one of the victims was flying.” The target could not verify the legitimacy of the request, and “the threat actors successfully stole more than $1 million USD.”
But while the threat landscape is continuously evolving and getting more effective, Securework’s recommendations to business are remarkably similar to the recommendations made last year — indicating that too many companies are still failing at the basics of security. The primary recommendations were, and still are, adopt MFA, increase visibility, and improve logging.
While many attacks can still be stopped by traditional security controls at the perimeter, these controls have little effect against adversaries already on the network. Visibility into the network is required; but visibility must go beyond the perceived network, to include the whole network. Too often, organizations fail to accurately monitor all their assets. “How can an organization protect assets it does not know about?” ask the analysts.
They go further to warn that threat actors often have a better understanding of the true network topology than do the owners, giving the example of APT35 extending its access within a compromised business services organization by leveraging a previously decommissioned domain controller. When this happens, “network defenders and responders will be at a severe disadvantage,” they warn.
The second part of visibility into the whole network is meaningful logging, and Secureworks recommends that organizations log as much information as possible across their environment for full visibility. In choosing what types of information should be logged, defenders should consider what data will be useful for incident responders. With appropriate technologies and processes to filter the log information into a small number of high-priority events, defenders can also use past events to predict and block future incidents.
“For example,” they say, “logging failed access attempts can reveal what actions did not work, but that data should be compared to successful attempts to establish normal behavior for a specific user.” If normal behavior is altered, it could be an indication of attack. “By optimizing log completeness and log retention, organizations ensure that they have sufficient forensic readiness.”
But the single most common recommendation from Secureworks analysts remains, “Implement MFA.” It is almost impossible to keep legitimate credentials out of the hands of attackers. They can be stolen from elsewhere, guessed or harvested from within the network. The analysts go further to suggest that “Every service available on the Internet, including cloud applications such as Office 365/Outlook, external VPNs, and SSO pages, should require users to provide a one-time password (OTP) in addition to their regular password.” Despite OTP via SMS being deprecated by some standards, they add, “an OTP via SMS message to the userís phone is better than a single factor.”
The implementation of MFA can reduce successful incursions, impede lateral movement within a compromised network, and help secure the supply chain. “It can be easy to lose sight of security fundamentals as an organizationís complexity increases, but the recommendations in this report are widely accepted as best practices for a reason: they work,” say the researchers. “The next best step on an organization’s cybersecurity journey may be to take a step back and reassess its ability to execute the fundamentals.”