Cloud

12/5/2017
05:15 PM
50%
50%

Study: Simulated Attacks Uncover Real-World Problems in IT Security

Some 70% of simulated attacks on real networks were able to move laterally within the network, while more than half infiltrated the perimeter and exfiltrated data.

Organizations continue to focus on protecting the perimeter while neglecting to monitor bad guys getting inside and ultimately pilfering data, says a security researcher at SafeBreach, which released a new report today.

In 3,400 breach methods used for 11.5 million attack simulations, SafeBreach in its new Hacker's Playbook Findings Report found that virtual attackers had a more than a 60% success rate of using malware to infiltrate networks. And once in, the malware could move laterally roughly 70% of the time. In half the cases, they could exit networks with data, according to simulated attacks SafeBreach conducted on its customers.

"The most surprising thing is that there is so much focus on the hard-candy shell of the perimeter without paying enough attention to the soft, squishy middle," says Chris Webber, a security strategist at SafeBreach. "It is not that hard to get past the perimeter and once the attacker is in, it is really easy to move around laterally and then exfiltrate out." 

Webber points to the amount of money and solutions he has seen customers pour into protecting the perimeter, yet the majority of simulated malware attacks were still able to move around and steal information.

When it comes to malware infiltration methods, the research found nesting, or "packing," malware executables fooled security controllers more than 50% of the time. For example, packed executables inside JavaScript had a 60.9% success rate of infiltrating a network, while an executable inside a VBScript (VBS) using HTTP managed to make it in 56.5%, and an executable inside a compiled HTML file format (CHM) extension had a 55.9% success rate.

But WannaCry 2.0's method of exploiting a server message block (SMB) vulnerability in Windows achieved a 63.4% success rate in simulated attacks SafeBreach performed, pushing it to the top of successful infiltration methods.

Financial malware Carbanak, which relies on Google's App Script, Sheets, and Forms cloud-based services to communicate its malware commands, also ranked among the top five infiltration methods used in the study. 

"So, in the case of Carbanak, the infiltration 'move' we highlighted was indeed the transfer of the specific Carbanak malware file via HTTP," Webber says. "This could be stopped, for example, by network controllers configured to scan for malicious files and block them before they make their way to the endpoints/hosts for installation to disk."

Concerns over lateral movement appear to be overlooked by a number of organizations, says Webber.

"Folks are focused on keeping things out and not worrying about the other phases of the kill chain," Webber says.

That approach could be a problem, the report notes, given Petya and EternalRocks were both identified as having worm-burrowing capabilities that could move laterally in the network.

Data exfiltration is the last hurdle cyberthieves face, and they usually opt for the easiest method of stealing data, the report found. Traditional clear or encrypted Web traffic, or traditional Web ports, are the preferred method for attackers to exit the network with their cache of data, according to the report.

"A lot of outbound traffic is making its way out through Port 443 (HTTPS) and Port 123 (NTP)," Webber says. "They are pumping out all of your data past your controls by stuffing the data into encrypted packets that look like packets for things like keeping time on your computer and sending it out over NTP [Network Time Protocal]."

Port 123 had a 63.1% exfiltration success rate and Port 443 had 53.7%, according to the report.

Fixing the Links

Webber says it is not enough to try to stop attackers from breaking into the network, nor is it adequate to try to box them in by preventing their entry and exit. Paying attention to lateral moves within the network is also important, he notes.

However, organizations face limited resources. "It comes down to understanding each company. If you have a ton of credit card data, then you spend all the more time from preventing them from exiting the network. But if you have a manufacturing company, then you are more concerned about getting hit with a ransomware attack that can stop your operations. You would probably care more about internal segmentation to prevent worms from moving across your system," he says.

He adds that the best moves companies can take to secure their systems is to optimize their current security solutions, constantly update the configurations as needed, and then test the changes they make.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17534
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
CVE-2018-17980
PUBLISHED: 2018-10-15
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is execute...
CVE-2018-18259
PUBLISHED: 2018-10-15
Stored XSS has been discovered in version 1.0.12 of the LUYA CMS software via /admin/api-cms-nav/create-page.
CVE-2018-18260
PUBLISHED: 2018-10-15
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false.
CVE-2018-17532
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.