In our previous blog posts we looked at the modern attack
vectors being employed by multiple types of threat actor.
Phishing, Vishing and Smishing attacks are becoming far more
common than traditional network attacks aimed at remote listening service
ports, such as buffer overflows or default passwords. Attacks against web
applications and APIs are also becoming less frequent.
Why is this?
Well, it's quite simple: cybercrime has now become a highly
lucrative revenue stream for organised crime syndicates and professional hackers.
The professional hacker, who has learned multiple programming languages and is
highly skilled in developing code and malware, is now being employed by these
organised crime syndicates to make attacks more accessible to others.
This is achieved through the provision of multiple
online services or marketplaces, similar to Amazon but usually only reachable
through dark networks such as Tor.
These marketplaces sell the usual black market
goods, such as illegal drugs, weapons and pornography, but they also provide
access to a new breed of narcotic – Malware as a Service (MaaS).
The malware developed by a skilled attacker
can then be bought or rented via these online marketplaces by relatively
unskilled, non-technical criminals and delivered via a Phishing, Vishing or
Smishing campaign.
There could be many reasons why a criminal gang or organised
crime syndicate would want to target an organisation with malware, although
financial gain, extortion, blackmail and data or asset theft would be the main
drivers.
So how does traditional security testing help with this type
of threat?
Traditional penetration testing, whereby a client
provides a defined scope of systems to be tested in a rigid, structured and
controlled manner, usually mandated for compliance purposes, is by and large
only as effective as the scope provided. This includes PCI ASV scans.
We are not talking
about web application security assessments, server build reviews, firewall rule
base reviews and the like here, as these are considered more auditing and are still
very important for risk management and defence-in-depth system hardening.
We are discussing the
more traditional penetration test in the form of an unauthenticated network
security assessment against a defined scope or a provided set of IP addresses.
Red Team assessments and STAR-type testing do provide a
better insight into the low hanging fruit (LHF) and the immediate areas of
weakness that need to be addressed.
This is why the Bank of England, which governs the UK's
financial and banking industry, moved away from the traditional CESG (now
NCSC) CHECK type of assessment and developed the CBEST programme in 2014. CBEST is
essentially a STAR assessment: a Red Team assessment, but
slightly more advanced and more targeted.
With STAR assessments, the idea is to gather information
regarding the client as an entity, usually through a threat intelligence
provider, and then target that entity using the intelligence gathered.
This intelligence could consist of an abundance of
information, but most importantly for social engineering and Phishing attacks
it would include details of users who may be accessible or susceptible to
social engineering, or a weakness in a specific system or control that could be
exploited and is therefore the most likely target for attack.
So this is where Phishing attack vectors (we will include Vishing and
Smishing under the generic term Phishing) using malware as the
payload come into focus. This malware would usually be customised to exploit
the vulnerabilities exposed and discovered through the threat intelligence
phase.
A good security testing consultancy would be able to perform
a Phishing assessment to effectively gauge user awareness of multiple
Phishing attack vectors, including the downloading, opening or running of a
potentially malicious file.
However, as discussed in the previous blog posts, the
Phishing assessment is really aimed at user awareness testing and is
unlikely to provide the full level of insight into the threats exposed by an
end user running potent, malicious files and attachments.
This is where an assessment of the Client-Side technology,
by running a malware simulation test, provides a much more effective
insight into any areas of weakness in the Client-Side technology that could
expose low hanging fruit (LHF).
So what is Client-Side Technology?
Client-Side technology is the security ecosystem of tools
and settings applied on each client and within the environment to protect
against an attack, whether delivered through malware or by an attacker performing the same
steps manually. These could also be steps performed inadvertently by a trusted user.
This Client-Side technology or tooling can include, but is not
limited to:
- Anti-Virus, Anti-malware and Anti-spam
- IDS / IPS
- Host and Network based firewalls
- Web Content Filters
- Browser Security Settings
- Network Share Permissions
- Group Policy Settings
- User Lockdown Controls
- Security Incident and Event Monitoring Systems
Traditional security testing can encompass all of these
technologies individually through various rigorous audit-type
assessments, including client security evaluations, server build reviews,
firewall security assessments, Active Directory reviews and so on.
However, this level of assurance takes time and costs a lot
of money, especially if an organisation needs to remain compliant or handles
any Government data classified OFFICIAL or above.
So this is where an automated, low hanging fruit type of scan
(a Client-Side Technology Assessment) would benefit, as it would capture the most
likely and obvious vulnerabilities that are going to be exposed and exploited
through malware.
It would by no means be a replacement for the traditional
auditing methodologies, but if run on a regular basis as part of an ongoing
risk management process, or as part of a change control procedure, this type of
assessment would most certainly assist.
The main questions answered by a Client-Side Technology
assessment would include, but would not be limited to:
- Does your AV detect known malware downloads?
- Is your SIEM able to alert on the activities of this tool?
- Is malware able to modify system settings?
- Is malware able to communicate with external servers?
- Can malware access sensitive data on the local host or on share drives?
- Are browser and browser plugin security settings adequate?
- Are your systems and data vulnerable to a "Ransomware" attack?
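One way to turn these questions into a repeatable, benign check is a small control-validation script. The following is an added example written for this post; it is not the simulation tool described here and not code from any vendor. It exercises three of the questions above (AV detection using the industry-standard EICAR test file, outbound connectivity to an egress target, and read access to candidate sensitive files or share paths) and emits one JSON line per result so the SIEM question can be checked as well. The egress targets, the candidate paths and the JSON field names are assumptions; it deliberately does not attempt to modify system settings, and the EICAR file is harmless by design.

```python
"""Benign client-side control checks (constructed example, not the blog's tool).

Each check returns a result dict whose 'passed' key answers the assessment
question from the defender's side: the AV removed the test file, the egress
attempt was blocked, the sensitive path was not readable.
"""
import json
import os
import socket
import tempfile
import time
from datetime import datetime, timezone

# The EICAR test string is assembled from two halves so that this source file
# is not itself quarantined while it sits on disk; joined, it is the standard
# 68-character string that every mainstream AV engine is expected to flag.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def check_av_eicar(directory=None, wait_seconds=3.0):
    """Does the AV detect a known test file?  Pass = write blocked or file removed."""
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar_test.com")
    try:
        with open(path, "w") as fh:
            fh.write(EICAR)
    except OSError as exc:  # real-time protection refused the write outright
        return {"check": "av_eicar", "passed": True, "detail": f"write blocked: {exc}"}
    time.sleep(wait_seconds)  # give on-access scanning time to react
    survived = os.path.exists(path)
    if survived:  # clean up so the test file does not linger on the client
        try:
            os.remove(path)
        except OSError:
            pass
    return {"check": "av_eicar", "passed": not survived,
            "detail": "file still present after wait" if survived else "file removed/quarantined"}


def check_egress(host, port, timeout=3.0):
    """Can this client open an outbound TCP connection to host:port?  True if it can."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_readable(paths):
    """Which of the candidate sensitive paths (local files or UNC shares) can the current user read?"""
    return {p: os.access(p, os.R_OK) for p in paths}


def siem_event(result, host=None):
    """Render one result as a JSON line (constructed schema) for SIEM ingestion."""
    event = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "host": host or socket.gethostname(),
        "source": "client-side-check",
    }
    event.update(result)
    return json.dumps(event, sort_keys=True)


def run_all(egress_targets, sensitive_paths, eicar_wait=3.0):
    """Run every check and return the list of JSON event lines."""
    results = [check_av_eicar(wait_seconds=eicar_wait)]
    for host, port in egress_targets:
        reachable = check_egress(host, port)
        results.append({"check": "egress", "target": f"{host}:{port}",
                        "passed": not reachable,  # blocked egress is the pass condition
                        "detail": "connection succeeded" if reachable else "connection blocked/failed"})
    for path, readable in check_readable(sensitive_paths).items():
        results.append({"check": "sensitive_read", "target": path,
                        "passed": not readable,
                        "detail": "readable by current user" if readable else "not readable"})
    return [siem_event(r) for r in results]


if __name__ == "__main__":
    # Constructed sample targets; replace with the hosts, ports and paths relevant to your estate.
    for line in run_all([("example.com", 443)], [os.path.expanduser("~/.ssh/id_rsa")]):
        print(line)
```

Run it as the ordinary, non-administrative user on each client build you want to assess; the JSON lines are the artefact to look for in the SIEM, which answers the "can your SIEM see this tool" question without any of the checks doing anything destructive.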
The malware simulation tool could be delivered and run
through a Phishing assessment as a rogue attachment or made available through a
rogue URL, although it would be more beneficial to include only a benign
tracking file within a Phishing assessment, as this type of assessment is
really only for user awareness testing.
It would be better to run a Client-Side Technology
assessment independently across multiple client user builds under the guise
of an authenticated and trusted user, as an audit or possibly as part of a
Red Team assessment, whereby the vulnerabilities highlighted by the tool
could then be exploited to allow a consultant to gain further access or to
escalate privilege.
Conclusion
Essentially, the types of penetration testing being offered
by security consultancies are moving away from traditional network security
assessments and towards a more pragmatic approach in order to keep up with the
changing threat landscape.
Well, the progressive
consultancies are, anyway. If you are still seeing pages and pages of Nessus-type
vulnerability findings in your very expensive penetration testing reports,
you need to change your provider.
The threat actors are growing in number, but they are not
all the code-savvy hackers of days gone by. Traditional criminals are looking
for an easy, quick form of revenue and are looking to utilise online services to
exploit basic weaknesses within organisations through automated, remote tools and
malware.
Professional hackers who can code are being utilised to create
a simplified attack platform for the less skilled criminal masses, who use
basic techniques to attack the low hanging fruit within any unsuspecting
organisation.