Cyber threats hiding in plain sight, says Palo Alto Networks

Cyber attackers exploit commonly used business applications to bypass security controls, research shows

Cyber attackers exploit commonly used business applications to bypass security controls, research from enterprise security firm Palo Alto Networks has revealed.

Traditional exploit techniques used in innovative ways can mask dangerous threat activity, according to the firm’s latest annual Application Usage and Threat Report that analyses the link between the two.

“Today’s advanced cyber threats use applications as their infiltration vector, exhibit application-like evasion tactics, and act as, or use common network applications for communications and exfiltration,” the report said.

This means the threat is not primarily from things like social media sites, but from core business applications, said Alex Raistrick, regional vice-president, Western Europe, at Palo Alto Networks.

“Attackers are using the very applications that companies require to do business,” he told Computer Weekly.

The report findings are based on analysis of traffic data collected from 5,500 network assessments and billions of threat logs over a 12-month period.


Common sharing applications such as email, social media and video remain favoured vehicles for delivering attacks.

Researchers found that 19% of threats observed were code execution exploits that were delivered across common sharing applications.

Although only 5% of threat activity was seen within these applications, the report said attacks delivered in this way are often the start of multi-phased attacks rather than the focus of threat activity and could be linked to 32% of all attacks.

Researchers found that a small number of applications exhibited nearly all of the observed threat activity.

Networking and utility apps accounted for 11% of all apps observed but were linked to 62% of threat activity, and business apps accounted for 8% of all apps observed but were linked to 27% of threat activity.

According to the report, 99% of all malware logs were linked to the User Datagram Protocol (UDP), an alternative to the Transmission Control Protocol (TCP); the majority of these logs were generated by a single threat.

Researchers found that attackers also commonly use applications such as FTP, RDP, SSL and NetBIOS to mask their activities.

“These applications were found on nearly every network we analysed and it’s evident they have now become a favourite vehicle through which attackers can mask their activities,” the report said.

Just over a third of applications observed can use SSL encryption, but many network administrators are unaware of what applications on their networks use unpatched versions of OpenSSL, which can leave them exposed to vulnerabilities such as Heartbleed.

“Our research shows an inextricable link between commonly used enterprise applications and cyber threats,” said Matt Keil, senior research analyst, Palo Alto Networks.


Most significant network breaches start with an application such as email delivering an exploit, researchers found.

“Then, once on the network, attackers use other applications or services to continue their malicious activity – in essence, hiding in plain sight,” said Keil.

“Knowing how cyber criminals exploit applications will help enterprises make more informed decisions when it comes to protecting their organisations from attacks,” he said.

The report recommends that information security teams deploy a balanced safe enablement policy for common sharing applications alongside security awareness training for users.

“Because Palo Alto technology is designed to identify applications, not just port numbers and protocols, it enables businesses to tie them to users and enable a 360-degree view of activity,” said Raistrick.

“This approach also enables companies to stop unwanted applications and safely enable the ones they need by ensuring they are not masking malicious traffic,” he said.

Researchers said security teams should also ensure they can control unknown traffic which, although it averages only about 10% of bandwidth, carries a high risk. Controlling unknown UDP/TCP traffic will quickly eliminate a significant volume of malware, they said.

The report also recommends that security teams should identify and selectively decrypt applications that use SSL.

“This is why it is important to understand the data and see exactly what is moving through networks rather than relying merely on a port number 443 to identify SSL traffic and assume that it is safe,” said Raistrick.

Researchers said selective decryption, in conjunction with enablement policies, can help businesses uncover and eliminate potential hiding places for cyber threats.
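The point Raistrick makes about port 443 is the difference between port-based and content-based application identification. The following Python example, added here to illustrate that difference and not taken from the report or from any Palo Alto Networks product, classifies a handful of constructed flows by the first bytes the client sends (TLS ClientHello, SSH banner, HTTP request line, DNS query) rather than by destination port. A flow on tcp/443 whose payload is not a TLS handshake is reported as unknown traffic instead of being assumed to be SSL, an application that shows up on an unexpected port is reported as a mismatch, and the share of bytes that no signature matched is returned as a rough "unknown bandwidth" figure of the kind the report quotes. All flow records, addresses and byte counts are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed flow; constructed sample records, not captured traffic."""
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first bytes sent by the client
    nbytes: int     # total bytes carried by the flow (used for the bandwidth share)


def is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, length;
    # followed by a handshake header whose type byte 0x01 is ClientHello.
    return (len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03
            and p[2] <= 0x04 and p[5] == 0x01)


def is_dns_query(p: bytes) -> bool:
    # 12-byte DNS header with the QR bit clear (a query) and exactly one question.
    return len(p) >= 12 and (p[2] & 0x80) == 0 and p[4:6] == b"\x00\x01"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def identify_app(payload: bytes) -> str:
    """Name the application from its first payload bytes, ignoring the port."""
    if is_tls_client_hello(payload):
        return "ssl"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "web-browsing"
    if is_dns_query(payload):
        return "dns"
    return "unknown"


# Application a port is conventionally expected to carry (assumed policy table).
EXPECTED_ON_PORT = {22: "ssh", 53: "dns", 80: "web-browsing", 443: "ssl"}


def assess(flows):
    """Return (findings, unknown_share).

    findings: (flow index, kind, detail) tuples, where kind is
              "unknown-traffic" (no signature matched, whatever the port) or
              "port-app-mismatch" (a known app on a port that expects another).
    unknown_share: fraction of all bytes carried by flows no signature matched.
    """
    findings = []
    unknown_bytes = 0
    total_bytes = sum(f.nbytes for f in flows)
    for i, f in enumerate(flows):
        app = identify_app(f.payload)
        expected = EXPECTED_ON_PORT.get(f.dport)
        if app == "unknown":
            # Port 443 is not taken as evidence of SSL: the payload decides.
            unknown_bytes += f.nbytes
            findings.append((i, "unknown-traffic", f"{f.proto}/{f.dport}"))
        elif expected is not None and app != expected:
            findings.append((i, "port-app-mismatch", f"{app} on {f.proto}/{f.dport}"))
    share = unknown_bytes / total_bytes if total_bytes else 0.0
    return findings, share


# Constructed sample flows (documentation addresses, invented byte counts).
SAMPLE_FLOWS = [
    # Genuine TLS ClientHello record header on tcp/443.
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", bytes.fromhex("160301008c01000088"), 52000),
    # Something that is not TLS at all, sent to tcp/443.
    Flow("10.0.0.7", "203.0.113.20", 443, "tcp", b"\x8f\x21\x03\xa1\x77\x00\x10hello", 9000),
    # Plain HTTP request on tcp/80.
    Flow("10.0.0.9", "203.0.113.30", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: x\r\n", 3000),
    # DNS query for example.com on udp/53.
    Flow("10.0.0.9", "192.0.2.53", 53, "udp",
         bytes.fromhex("abcd01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01", 120),
    # Unrecognised UDP payload on an unregistered port.
    Flow("10.0.0.11", "203.0.113.40", 8443, "udp", b"\x00\x00\xde\xad" * 4, 40000),
    # SSH banner on tcp/443: a known app on a port that expects SSL.
    Flow("10.0.0.12", "203.0.113.50", 443, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n", 2500),
]


if __name__ == "__main__":
    findings, share = assess(SAMPLE_FLOWS)
    for idx, kind, detail in findings:
        f = SAMPLE_FLOWS[idx]
        print(f"{kind:18s} {f.src} -> {f.dst} {detail}")
    print(f"unknown traffic share of bytes: {share:.1%}")
```

Only the first payload bytes are inspected, so the classifier is a starting point for the "identify, then decide" step the report recommends: flows it names as ssl are candidates for selective decryption under policy, and anything it leaves as unknown is the traffic the researchers say should be controlled regardless of how little bandwidth it uses.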
