Learn lessons from attacks, says McAfee investigations chief
Organisations should use every cyber attack as an opportunity to learn, identify weaknesses and improve security posture, according to McAfee’s head of cyber investigations
Organisations should not miss the opportunity to improve their defences by analysing every cyber attack, according to John Fokker, head of cyber investigation at McAfee.
“They should not only be looking at attacks they are getting, but also monitoring and analysing attacks on other organisations to ensure they would be secure if targeted by similar attacks, because if others are being hit by a particular attack method, it could be just a matter of time before it affects your organisation,” he told Computer Weekly.
Few organisations can say they do not have to worry about nation-state attacks and attack techniques, said Fokker, as these capabilities are increasingly being used by cyber crime groups that are either copying nation-state attacks or are tapping into the skills of those who work as nation-state hackers.
“There is definitely cross-pollination between nation-state actors and cyber criminals. As a result, cyber crime attackers are becoming more skilled and their attacks more sophisticated,” he said, citing the Carbanak gang as an example.
“They had an APT-like modus operandi [associated with nation-state attacks], but had a very clear financial goal to steal millions through targeting banks.”
In addition, Fokker said nation-state attacks are steadily increasing, particularly from nation states such as North Korea that are motivated by financial gain rather than politics.
“Organisations are often not aware of what data assets would be attractive to such attackers, so they may be targets, but are just not aware of it,” he said.
“With the EU’s GDPR [General Data Protection Regulation], however, hopefully that is raising the awareness among organisations that personal data is one of the most-targeted data types,” he added.
GDPR also provides an opportunity for organisations to make personal data protection a selling point, said Fokker. “Organisations could gain competitive advantage by investing in personal data protection and demonstrating to their customers that they can be trusted to keep it safe,” he added.
Cryptojacking is fast becoming the most popular type of attack by both nation state and criminal groups, said Fokker.
“Cryptojacking has overtaken ransomware attacks in recent months as a top way of generating funds for cyber criminals with a lower risk of getting caught, although there has also been a sharp increase in targeted ransomware attacks in the same period,” he said.
Although many organisations view cryptojacking as more of a nuisance than a threat, Fokker said these attacks should not be ignored.
“If your organisation has been hit by a cryptojacking attack, that means the attackers have found a way into your network, which in turn means that there is something the targeted organisation needs to identify and fix before that weakness is exploited by a more damaging form of attack,” he said.
In terms of time to detection, Fokker said relatively few organisations are mature enough to be at the top end of the spectrum, where intrusions are detected within hours, days or weeks rather than months or even years.
Just as organisations cannot afford to ignore nation state and cryptojacking attacks, Fokker said they need to pay attention to well-known vulnerabilities such as open remote desktop protocol (RDP) connections that can provide an easy way in for attackers.
RDP creates risk because it allows a computer to be controlled remotely, which has made it increasingly popular with attackers seeking to control system resources and data over the internet. Consequently, it is a “major attack vector” that organisations often overlook.
RDP usage should be closely regulated, monitored and controlled, the FBI and US Department of Homeland Security said in a joint security alert issued in September 2018.
Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the internet to compromise identities, steal login credentials and ransom data.
Read more about RDP-enabled cyber attacks
- In just two and a half years, SamSam campaigns are believed to have netted nearly $6m for cyber criminals.
- Adversaries have started becoming more interested in older protocols, including Microsoft’s remote desktop protocol.
- RDP is challenging drive-by-download as the top infection vector for ransomware.
Fokker said investigations often reveal that, where RDP connections were exploited, many of the targeted organisations had been unaware of the exposure in their environment. He also noted that stolen credentials feature in a large proportion of attacks.
This indicates that many organisations could reduce their exposure by introducing multifactor authentication and improving access controls and management, particularly for privileged accounts.
“Administrators will set up RDP sessions to do some work remotely, for example, and then forget to close them when they are done, or organisations will buy a machine from a third party without realising there was RDP access set up that attackers could find and use,” he said.
This type of risk, said Fokker, is akin to that of internet of things (IoT) devices: like an exposed RDP service, the device is acquired and set up for a particular purpose with little regard to the security implications.
Credit card fraud remains common, he said, and like RDP and IoT it should not be overlooked by businesses, particularly e-commerce sites.
“Attackers typically target third-party payment services handling their card transactions. By exploiting vulnerabilities and injecting code, they can steal large numbers of credit card details for use in cyber fraud campaigns,” he said.
For this and other reasons, Fokker said organisations should pay attention to security around all interactions with third-party suppliers.
“Because supplier logistics are typically complicated, they underestimate the risk and often do not know the security posture of their suppliers, which could result in a significant exposure to risk,” he warned, adding that although network segmentation is advised, this cannot be solved with technology alone.
“Organisations need to work with their suppliers around cyber security policies and requirements, and build them into service-level agreements and other contracts wherever possible. Doing due diligence around cyber security with suppliers is another key area that should not be overlooked.”
Fokker’s parting comment is that organisations should understand that it is not always the most sophisticated attacks that cause the most damage.
“They are enabled by things like poorly protected credentials all the way up through to social engineering attacks, and that is why it is important to train and educate employees, customers and partners so they become one of the strongest elements of your cyber security and not one of the weakest.”
To protect against RDP-based attacks, the FBI and DHS recommend that businesses:
- Audit networks for systems using RDP for remote communication and disable the service if unneeded or install available patches.
- Verify that all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so.
- Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access it through the firewall.
- Enable strong passwords and account lockout policies to defend against brute-force attacks.
- Apply two-factor authentication where possible.
- Apply system and software updates regularly.
- Maintain a good back-up strategy.
- Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
- Ensure third parties that require RDP access are required to follow internal policies on remote access.
- Minimise network exposure for all control system devices and, where possible, disable RDP for critical devices.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs.
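The logging recommendation above only pays off if someone actually reviews the RDP logons. The following is an added example, not code from the article, McAfee or the FBI/DHS alert, of the review logic a practitioner would run over an export of Windows Security events: it flags a source address that fails RDP authentication repeatedly within a short window (a brute-force attempt) and escalates the finding when the same address then logs on successfully. The event records are constructed for the example and mirror only a few fields of Windows events 4625 (failed logon) and 4624 (successful logon); LogonType 10 is Windows' RemoteInteractive type, which is how RDP logons appear. The threshold and window are assumptions to tune for your environment.

```python
"""Added example: spot RDP brute-force attempts (and brute-force followed by
success) in Windows Security log exports.

Assumptions (not from the article):
- Each event is a dict with the fields shown below, taken from the Windows
  Security log (event IDs 4624/4625, LogonType, IpAddress, TargetUserName).
- LogonType 10 (RemoteInteractive) identifies an RDP logon.
- SAMPLE_EVENTS is constructed for this example; it is not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # RemoteInteractive: RDP / Terminal Services
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample export. 203.0.113.7 sprays several accounts and then
# gets in; 198.51.100.9 fails five times and gives up; 10.0.0.22 is a user
# who mistyped a password once; 10.0.0.30 is a network (type 3) logon that
# has nothing to do with RDP.
SAMPLE_EVENTS = [
    {"time": "2018-10-01T02:00:05", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-10-01T02:00:19", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2018-10-01T02:00:33", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-10-01T02:00:47", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},
    {"time": "2018-10-01T02:01:02", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_backup"},
    {"time": "2018-10-01T02:01:15", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_backup"},
    {"time": "2018-10-01T02:01:30", "event_id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_backup"},
    {"time": "2018-10-01T03:00:00", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.9", "user": "administrator"},
    {"time": "2018-10-01T03:00:10", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.9", "user": "administrator"},
    {"time": "2018-10-01T03:00:20", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.9", "user": "administrator"},
    {"time": "2018-10-01T03:00:30", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.9", "user": "administrator"},
    {"time": "2018-10-01T03:00:40", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.9", "user": "administrator"},
    {"time": "2018-10-01T09:15:00", "event_id": 4625, "logon_type": 10, "ip": "10.0.0.22", "user": "jsmith"},
    {"time": "2018-10-01T09:15:20", "event_id": 4624, "logon_type": 10, "ip": "10.0.0.22", "user": "jsmith"},
    {"time": "2018-10-01T09:20:00", "event_id": 4624, "logon_type": 3, "ip": "10.0.0.30", "user": "jsmith"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources that look like RDP brute force.

    A source is flagged when it produces at least `threshold` failed RDP
    logons inside any `window`-long interval. If the same source then has a
    successful RDP logon within `window` of the last failure in that burst,
    the finding is escalated to 'brute_force_success' and names the account.
    """
    by_ip = defaultdict(list)
    for event in events:
        if event["logon_type"] == RDP_LOGON_TYPE:
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]

        # Sliding window over the failures: burst_end is the index of the last
        # failure that completed a window holding >= threshold failures.
        burst_end = None
        start = 0
        for end, failure in enumerate(failures):
            while parse_time(failure["time"]) - parse_time(failures[start]["time"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = end
        if burst_end is None:
            continue  # a few typos from a real user, not a brute force

        last_fail = parse_time(failures[burst_end]["time"])
        finding = {
            "severity": "brute_force",
            "failures": len(failures),
            "accounts": sorted({f["user"] for f in failures}),
            "success_user": None,
        }
        # A success shortly after the burst is the case that needs a response
        # now: the guessed credential is already in use.
        for event in evs:
            if event["event_id"] == SUCCESS_LOGON:
                delta = parse_time(event["time"]) - last_fail
                if timedelta(0) <= delta <= window:
                    finding["severity"] = "brute_force_success"
                    finding["success_user"] = event["user"]
                    break
        findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Run against the sample, the script reports 203.0.113.7 as brute_force_success (six failures across four account names, then a logon as svc_backup) and 198.51.100.9 as brute_force, while the single failed attempt from 10.0.0.22 is ignored. On a real export, the same logic is worth running with LogonType 7 (Unlock) included as well, since reconnects to an existing RDP session log that type rather than 10, and the 90-day retention in the list above is what makes the "then succeeded" correlation possible when the guess lands days after the spray.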