This was an article I published about a year ago. It’s still relevant so I thought it would be useful to post here…
It isn’t clear if there were more data breaches in 2014 than any other year or that we are just receiving more reports of data breaches because of regulations and/or the fact that more than 70% of breaches are being detected by third parties, not the company under attack according to Trustwave (https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf) and eventually those stories get out.
But those are large national chains or multi-national organizations that are being attacked, you may say. According to the Verizon’s annual Data Beach Investigations Report (http://www.verizonenterprise.com/DBIR/), the majority of investigated data breaches are with companies with less than 100 employees. The truth is that small businesses are typically easiest to pray and with the help of computer automation, not a lot of effort is required by the attackers.
We’ve broken down data breaches into five phases. By identifying how these breaches occur, companies can do their level best to protect themselves and their stakeholders. You will also see how SPAM (unwanted/unsolicited email) plays a large role.
In order to understand where to attack, these bad actors will use a wide variety of information sources, some of their own, some freely available, and some they will purchase or outsource to third parties. On the freely available side, attackers will use websites like Google and a security search engine called Shodan to determine what software a company uses and figure out if there are any known vulnerabilities and freely available tools to exploit them.
Spam may seem like mostly a nuisance, but it’s particularly useful in this initial phase. Spam may be used to deliver malicious attachments, and links to infected websites. A small program masquerading as an invoice from UPS or a purchase order from one of your clients can easy provide a foothold into your organization. These are all phishing attempts, ways to trick you to go to a website or open an attachment that you think is legitimate. Another way that phishing is used is to gather your username and password on that fake website. Many times a phone call will be used to either legitimize a link received in email or as another way to gather information.
The vast majority of spam came from so-called Canadian Pharmacy sites, and as Brian Krebs explains in his book Spam Nation (http://krebsonsecurity.com) these were largely Russian organized crime gangs, selling knock of pharmaceuticals made in Indian factories. The pharma sales as well as their payment processors used that money to fund other malicious projects such as building fake AV software. As Krebs continues, “we assume that if we don’t open these emails or don’t purchase anything, we aren’t affected.” Unfortunately, nothing can be further from the truth.
Spam is largely delivered from botnets, large networks of zombie computers waiting for an attackers commands. These same botnets are used for targeted attacks against firms to prevent their websites or ecommerce operations from functioning properly and forcing a company to pay up a ransom before stopping.
Once an attacker gains a foothold into a computer, they will start dropping their programs. These programs have several duties in their mission. The initial recon “team” will scan the local device and network and provide a fingerprint of each device.
This recon program will identify which computers on the network could potentially have important information. In most businesses, one (or more) will be a domain controller. These domain controllers are the central directory of all user accounts and passwords for the system. As you can imagine this will be a highly sought machine. Another may be a file server where documents are stored which can be a treasure trove of information. A database server may also be present which could lead to additional bits of information such as credit card data or other PII (Personally Identifiable Information) such as Social Security Numbers or health records. The recon program will also identify if there are any other networks that the computer connects to such as a management network, frequently used by Information Technology to separate critical server and network management, a point of sale network, or externally hosted web servers.
All of this information will be sent back to the masters for further analysis. The computers not considered high-value will have a bot net application installed so that the computer can be leveraged for future attacks and spam delivery or “sold” to other bot-masters.
The high value targets identified in the Harvesting phase, will then be leveraged to move around the company. Typically to do this, a user whose account has been compromised, will not have access to these privileged systems (we hope). Through some known vulnerabilities, the attacker will attempt to escalate his privilege on the computer he is connecting to in an effort to get a privileged user account such as an administrator. Unfortunately, many times the passwords are easily guessed and systems will still have their default passwords on them making them easy targets.
This administrator account is then used to move laterally in the environment, first targeting the domain controller identified in the harvesting stage. Once on that system, the attacker will attempt to dump the database of usernames and passwords directly or through a backup of the server. Some password cracking tools will then be used either on the computer itself or after removing the database to the attacker’s systems. Once the passwords are known, the attacker really no longer needs to use any nefarious tools and can move around with ease looking like any other administrator.
Any databases will be accessed to see if there are any tables that have important information such as social security numbers, health records, or credit card numbers. These are items that can easily be monetized by selling on the black market.
File servers will be scanned looking for documents that may contain financial information, intellectual property, health records, business meeting notes, or passwords, among others. This information is packaged up.
If an attacker values a target and may not want to trip any alarms preventing future access, they may set up ways that they can access the system remotely through remote back doors or even using the company’s own VPN (Virtual Private Network) software.
Frequently this will be on a utility, backup, or other server that many not be as closely watched as a high value target, knowing that they can always get back to the highly valued targets if they desire to.
Once all of the information is put together for an attacker to retrieve, they will export it out right from under the victim’s nose. Unfortunately most businesses don’t monitor what is leaving the network so it becomes a relatively easy process to exfiltrate data. Even if they are unable to use standard protocols like FTP (file transfer protocol) or it may be difficult to email out large attachments. Nearly all companies allow relatively open connectivity to websites. So it becomes a trivial exercise to move the data into another server they control for later sale or exploitation.
What can we do about it?
There are several areas that will go a long way to minimize your chances of being a victim. There are no silver bullets and there is no such thing as 100% security.
The Department of Homeland Security recently released their framework and even a self-assessment. It’s very comprehensive but potentially very daunting for a small business to consider, even one that has their own Information Technology group responsible for security. The Council on CyberSecurity, an independent, global non-profit entity took over from the SANS Institute on the Critical Security Controls 20 (CSC 20). It doesn’t replace the other frameworks but provides excellent guide to deal with the foundational controls required to increase the security posture of a company. (http://www.counciloncybersecurity.org/critical-controls/)
However, it’s meant for security teams, not necessarily business owners but it’s worth asking whoever is responsible for Information Security at your firm, what they are doing and hopefully with your executive support, can make sure that your company is passed over when it comes to data breaches. The US Department of State determined that over 3,000 attacks it had experienced in 2009, the CSC 20 “showed remarkable alignment.” Since then most U.S. and European government departments and offices have adopted the CSC20.
Summary of CSC 20
- Know what you have and standardize how they are deployed– both authorized and unauthorized. Prevent unauthorized systems and devices (such as wireless access points) from connecting. Secure and protect your systems configurations. Ensure there are no accounts unnecessarily created (on purpose or illegitimately)
- Continuously monitor your systems and applications for vulnerabilities and remediate
Block malicious software from tampering with systems or data
- Ensure that systems and data are sufficiently backed up in order to fully restore a system back to a known good state. Regularly test your restoration process
- Ensure your teams are properly trained on the tools you have and the risks you experience
- Only allow remote access to legitimate users and through legitimate services. Apply filtering wherever possible and applicable
- Control access based on the need to know. Minimize who has access to what data and minimize, control, and tightly manage privileged accounts such as administrators
- Control the flow of data both in and out of network borders through the perimeter and from physical attacks
- Review and monitor audit logs, respond to incidents in a systematic way. Incidents are stressful enough, have a plan and follow it
- Ensure your network design is robust for your needs; keep critical networks separate
Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities, weakness in defenses, and shortcomings in processes.
Wow, that’s a lot for a small business to handle
It is true, but it is the new normal. It’s best to get a professional to work with you on this, however, there are some things you can start doing today:
- Keep all of your systems up to date: desktops, servers, third party software and plugins, network devices, A/V signatures, etc.
- Educate your employees. Train your staff to watch out for social engineering tactics. Remember any employee can be a target and a risk point regardless of position in the firm
- Put in an effective backup and disaster recovery plan in place
- Consider application whitelisting for critical systems.
Hopefully we’ve taken you through a timeline of what a data breach looks like and identify where your weak areas may be in defense. It can seem daunting but there are some steps that your IT people can take to ensure that you make it more difficult and have the information to properly an adequately respond in case of an event.
Although defenses are great and following the requirements above will go a long way to keep your corporate data safe, nothing is guaranteed. A persistent threat actor will find a gap and get through. Catching that activity as quickly as possible is the key and narrow the time between infiltration and detection, thus minimizing the damage to your organization, its clients and its reputation.