Understand the Weak Security Controls and Practices Routinely Exploited for Initial Access
Threat actors are able to exploit many of the following poor configurations, poor security practices, and weak security controls in order to utilize these initial access techniques.
The following techniques (in MITRE ATT&CK format) were commonly used to implement the Initial Access tactic (MITRE ATT&CK Tactic TA0001) and gain a foothold in victim networks:
- Exploit Public-Facing Application [MITRE ATT&CK Technique T1190]
- External Remote Services [MITRE ATT&CK Technique T1133]
- Phishing [MITRE ATT&CK Technique T1566]
- Trusted Relationship [MITRE ATT&CK Technique T1199]
- Valid Accounts [MITRE ATT&CK Technique T1078]
Some of the common weak security controls include:
- Multi-Factor Authentication (MFA) is not enforced: MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) one of the most common infection vectors for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from the MFA requirement.
- Incorrectly applied privileges or permissions, and errors within access control lists: These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.
- Software is not up to date: Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
- Use of vendor-supplied default configurations or default login usernames and passwords: Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce troubleshooting time for customer service. However, leaving these factory-default configurations enabled after installation may provide avenues for an attacker to exploit.
- Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup: These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply to extra software options, which may come with pre-configured default settings.
- Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access: In recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.
- Strong password policies are not implemented: Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts, prominently in attacks targeting RDP.
- Cloud services are unprotected: Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
- Open ports and misconfigured services are exposed to the Internet: This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.
- Failure to detect or block phishing attempts: Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in a phishing email.
- Poor endpoint detection and response: Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against.
Recommended mitigations include those associated with access control (including the use of a Zero Trust security model), credential hardening, more robust and comprehensive centralized log management, the use of antivirus programs, detection tools (endpoint and intrusion), regular search for and assessment of vulnerabilities (penetration testing), and rigorous configuration management programs.
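Weak password policies on RDP and centralized log management come together in the detection below: an added example, not part of the original advisory, that runs over constructed Windows Security event lines (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and flags a source that racks up many failed RDP logons in a short window, noting whether a success followed. The log format, threshold and window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host's Security events exported to a central log store.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=FS01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T10:00:03Z host=FS01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T10:00:04Z host=FS01 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2024-05-01T10:00:06Z host=FS01 EventID=4625 LogonType=10 User=svc_sql Src=203.0.113.7
2024-05-01T10:00:09Z host=FS01 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2024-05-01T10:00:12Z host=FS01 EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7
2024-05-01T10:15:00Z host=FS01 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.20
2024-05-01T10:20:00Z host=FS01 EventID=4625 LogonType=2 User=jsmith Src=-
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for every source with >= threshold failed RDP
    logons inside `window`; the alert lists the usernames tried and whether
    a successful RDP logon from the same source followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["LogonType"] != "10":        # only RemoteInteractive (RDP) logons
            continue
        bucket = failures if rec["EventID"] == "4625" else successes
        bucket[rec["Src"]].append(rec)
    alerts = {}
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0                           # sliding window over failure times
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = recs[start:end + 1]
                alerts[src] = {
                    "failures": len(burst),
                    "users": sorted({r["User"] for r in burst}),
                    "success_after": any(s["ts"] >= burst[-1]["ts"]
                                         for s in successes[src]),
                }
                break
    return alerts
```

A burst of failures spread across several accounts followed by a success is the pattern worth escalating first, since it suggests a weak or reused password was found.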
Threat Actors Leverage DNS in the Attack Chain
The song remains the same. Threat actors frequently use DNS to support malware infiltration, command and control, and attack execution. DNS is continually used to set up and execute attack chains. The attack may involve DNS queries when the victim’s system is compromised and infected. DNS is almost always used when an infected system communicates with the command and control (C&C) servers.
The role of core networking services such as DNS is central to network security defense and protection. Advanced threat analytics focused on DNS services, such as those found in BloxOne Threat Defense, are critical to identifying and preventing many of these DNS-based attacks.
Threat intelligence is an important part of the defensive mix. Threat intelligence can bring you a very current set of malicious hostnames, domains, and IP addresses that your DNS servers can use to detect and block command and control (C&C) communications to malicious destinations. Advanced techniques such as behavioral analytics and machine learning on real-time DNS queries can rapidly detect and stop zero-day DNS tunneling, DGA, data exfiltration, Fast Flux, lookalike domains, and more. Visibility is also key. Integrating this data with SIEM and SOAR infrastructure can significantly reduce the time to detect threats and automate incident response.
(Source: Infoblox.com)
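To make the DNS-layer defense above concrete, here is an added example (not Infoblox code, and not tied to any real product) that triages query names in the order a DNS security layer typically would: a threat-intelligence blocklist match first, then two behavioral heuristics for tunneling (data encoded in oversized labels) and DGA (high-entropy registered domain). The blocklist entries, thresholds and the two-label approximation of a registered domain are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed threat-intelligence blocklist (placeholder names, not real IoCs).
BLOCKLIST = {"bad-c2.example", "update-cdn.example"}

def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def registered_domain(qname):
    """Assumption: last two labels. Real deployments use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def classify_query(qname, max_label_len=40, entropy_threshold=3.5, min_sld_len=12):
    """Verdict for one query name:
      block:threat-intel  registered domain is on the blocklist
      suspect:tunneling   a subdomain label is longer than max_label_len
      suspect:dga         long, high-entropy second-level label
      allow               nothing matched"""
    qname = qname.rstrip(".").lower()
    if registered_domain(qname) in BLOCKLIST:
        return "block:threat-intel"
    labels = qname.split(".")
    # Tunneling encodes payload chunks into subdomain labels, so check everything
    # left of the registered domain for labels no human would type.
    if any(len(label) > max_label_len for label in labels[:-2]):
        return "suspect:tunneling"
    sld = labels[-2] if len(labels) >= 2 else qname
    if len(sld) >= min_sld_len and shannon_entropy(sld) > entropy_threshold:
        return "suspect:dga"
    return "allow"

def triage(queries):
    """Map each query name to its verdict; feed the non-allow ones to the SIEM."""
    return {q: classify_query(q) for q in queries}

# Constructed sample queries covering each verdict.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.bad-c2.example",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHNlY3JldCBmaWxl.dns-tunnel.example",
    "xk3j9qp2mzr7vb1w.com",
]
```

Entropy alone misfires on legitimate CDN and cloud hostnames, so in practice the heuristics raise a suspect flag for review while only the threat-intelligence match blocks outright.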
For reading more interesting trends, whitepapers and perspectives on cybersecurity, please visit Security Edge