Authored by: Carolyn Crandall, Chief Deception Officer, Attivo Networks – Halloween is upon us once more, but as with most things, it looks a little different this year. While adults wrestle with the countless disruptions the COVID-19 pandemic has brought to their lives and businesses, children worldwide are grappling with the sad possibility that trick-or-treating may not be an option this year. Unfortunately, the pandemic has not similarly deterred cybercriminals. Cyberattacks are on the rise, with attackers leveraging the widespread remote work and other consequences of the pandemic to ransack networks throughout the world.
It’s one thing when attackers find ways to circumvent network protections, but it’s quite another when their victims open the door and welcome them inside. Today, too many breaches are enabled by mistakes and misconfigurations, with users falling victim to social engineering tactics or leaving administrative credentials exposed. These mistakes are the cybersecurity equivalent of leaving a bowl of candy on the porch for trick-or-treaters to take from as they please, except the ghost knocking on the door isn’t a kid in a costume—it’s an attacker after your data. This Halloween, keep an eye out for these common exposures that can create easy inroads for attackers.
Exposed and Stolen Credentials
The 2020 Verizon Data Breach Investigations Report (DBIR) included a statistic that should spook cybersecurity professionals more than any ghoul or goblin ever could: 80% of hacking-related breaches were carried out either through brute force methods or using stolen credentials. This finding indicates that far too many organizations are either using weak, easily guessable credentials or failing to protect them sufficiently. Unfortunately, these credentials are ultimately falling into the hands of criminals. Social engineering tactics have been particularly successful for attackers, many of whom are exploiting the COVID-19 pandemic to fool their victims more easily.
Attackers often don’t need to resort to trickery, though. Sometimes, orphaned or forgotten credentials are sitting exposed on an endpoint—and if cybercriminals are trick-or-treaters looking for candy, exposed credentials are Reese’s Peanut Butter Cups. Using valid credentials, attackers can circumvent most perimeter defenses entirely, entering the network where they are free to move about and attempt to escalate their attacks. Fortunately, technology like the Attivo Endpoint Detection Net (EDN) solution can give defenders the necessary visibility into exposed credentials, attempts at credential theft, and attacks on Active Directory as threat actors attempt to escalate their privileges. The defenders can then identify and isolate attackers before they can strike. The ability to derail attackers by giving them fake data can be the ultimate trick vs. treat.
The 2020 DBIR didn’t just highlight the danger of credential theft. As I noted in a recent blog, Verizon’s research indicates that misconfigurations and other mistakes are on the rise, with the percentage of error-driven breaches caused by misconfigurations up from under 20% last year to over 40% in 2020. The move to the cloud has made systems more challenging to configure, primarily due to the number of different systems forced to interact. The resulting confusion often causes policy evasion activity to go undetected. Why would an attacker knock on the front door and ask for one candy bar when they could sneak around back and steal the whole bowl instead?
As with exposed credentials, solving the problem of misconfigurations requires improved network visibility. The ThreatDefend platform provides that visibility, not only working to identify misconfigurations, but to provide early threat detection and high-fidelity alerts that enable efficient incident response when attackers attempt to exploit them. To see the new “ghosts” entering the network, security teams can easily view new devices added to the network and quickly boot out unwanted intruders.
Unprotected Active Directory
Active Directory (AD) is the house on the block giving out full-size candy bars. It’s the one every trick-or-treater in the neighborhood makes a beeline for, and if they aren’t prepared, they’ll be completely cleaned out in a matter of minutes. Active Directory is the master directory service that controls access to the enterprise network, and more than 90% of businesses use it. That makes it an obvious target for attackers looking to gain additional privileges and escalate their attacks.
Unfortunately, AD is a complicated system, and it isn’t, by nature, easy to lock down. After all, the intended purpose of AD is to make it easier for authorized users to access the services they need. Limiting that access can result in inefficiencies and disrupt business operations, which is a headache of a different sort. New concealment technology works to protect AD better than ever (ensuring that greedy intruders come away without so much as a “fun size” bag of M&Ms) by returning false information in response to AD queries. When the attackers use the fake data, the solution isolates them in a decoy environment, where the defender can gather valuable adversary intelligence such as TTPs and IOCs. What street did the attacker come from? What type of candy did they ask for? What path did they take through the neighborhood? This sort of information can help defenders better prepare for the future.
Don’t Greet Attackers Like Trick-or-Treaters
When it comes to personal and business information, a certain amount of risk is unavoidable. Names, titles, and even contact information for executives is often a matter of record, and social media and other public exposure is a necessary part of today’s business environment. Attackers will harvest this data before they attack, using it for spear-phishing and other schemes in an attempt to trick individuals into providing valuable information. But that’s no reason to make their lives even easier by handing out credentials, attack paths, and AD access like candy.
Nothing is as scary as an exposed network, and savvy attackers will jump at the chance to exploit simple mistakes. Whether these nefarious trick-or-treaters come dressed as ghosts or ninjas (or corporate CEOs asking for iTunes gift cards), improved network visibility and detection capabilities can help defenders keep them off of the porch —and away from the valuables.