Teri Radichel


Trust is overrated

Don’t be fooled by threats on your internal network


My last few posts on Cybersecurity for Executives covered network traffic and data flows between your company and the Internet and other entities outside your organization. Security professionals often call these external sources untrusted. Now I’m going to shift to talk about your internal network, the systems that reside behind your firewall, inside your network. Traditionally, this part of your network and the devices you operate yourself have been referred to as trusted.

In theory, communication between the systems that reside inside your network should be safe. After all, they are your systems managed by your IT team and used by your staff. Unfortunately, this is often not the case. In too many major breaches, malware was able to break into an Internet-connected device, and then jump from that system to another device in your environment. The ability to move from one infected machine to another in a network is called “pivoting.”


How does the malware get onto a system in the first place? Any number of ways. One of your trusted employees could easily make a mistake and click on a phishing email. Someone could click the wrong link on a web site or open a malicious file. Perhaps an attacker was able to obtain a user name and password via brute force (trial-and-error guessing). The attacker may have infiltrated a legitimate software update process to insert malicious code in place of a valid update, or exploited a machine that is running out-of-date software, such as a web server or any other device connected to the Internet, as discussed in this article that explains CVEs.

Once the attacker is on one of your systems, the next step will be to scan your internal network looking for other resources to attack. Often it is easier for an attacker to get into machines on the internal network because the systems trust each other. Legitimate technologies used by IT departments can be leveraged by attackers to traverse your network looking for sensitive data. The attacker may be able to jump from system to system until they reach your most sensitive data. At this point, the attacker will attempt to exfiltrate the data. When exiting the network with pilfered data, the attacker may follow the same path back out or use a completely different route.

The Target breach was an excellent and highly sophisticated example of pivoting (if I am allowed to use the words “excellent” and “breach” in the same sentence). Attackers first targeted a computer used by an HVAC vendor. They did not, as some have incorrectly stated, attack HVAC systems. They were able to get malware onto a machine used by a person who worked at the HVAC company and logged into a vendor management system at Target. Presumably, the attackers knew the HVAC company was a Target vendor since the vendor list existed on a public web site.

The attacker obtained credentials to log in to the vendor management system via malware delivered to an employee who clicked a link in a phishing email. With access to the vendor management system, the attacker could search for flaws in that web application and use the vulnerabilities discovered to break into the machine hosting the vendor management software. From that machine, the attacker pivoted to infiltrate other systems in the Target network. Reports speculate the attacker may have obtained access to the domain controller on the network, which is the machine that controls the whole network and all the user accounts. Pentesters and attackers like to call this getting “domain admin.” If an attacker can get domain admin on your network they can pretty much do anything they want, since they can set up any accounts they need with permission to access whatever they want.

After some pivoting, the attacker was able to get into the system that deployed software updates to the point-of-sale (POS) systems in different locations. Perhaps they obtained administrative credentials to that system, and maybe because Microsoft published a case study about Target using that particular solution (SCCM) to update POS machines, the attackers knew exactly how to leverage this system next. With access to this deployment system, the attacker could insert malicious code into the deployment process that was quickly distributed to all the POS systems in a short amount of time.

In order for systems to process data, the data needs to be decrypted. I’ll talk more about encryption in an upcoming post, but for now, understand that when data is encrypted, it is in a format that someone reading it can’t understand. To you and me, it would be a random string of letters and numbers. Once it is decrypted, it becomes readable text — like this blog post. A computer cannot process random letters and numbers as if they were a credit card number. At some point when data is processed it needs to be decrypted if a system needs to understand and read the data to validate it, update it, or query it to find information. This data processing generally happens in the memory of a computer. It was at the point when the data was decrypted in memory that the attacker’s malware scraped and stole the credit card numbers.

Attackers sent commands over the network in a very crafty way. When network administrators are testing whether or not machines can connect on the network, they often use what is called a ping command, which uses the ICMP protocol. This traffic is common, and network administrators or security professionals often ignore it when they see it in the logs because it looks normal and harmless. The attackers hid the commands that controlled their malware inside specially crafted ICMP packets that carried extraneous data. The ICMP protocol is supposed to follow a specific format. Most network devices will check that the necessary fields exist but may not check for extra data that should not be there. If network monitoring does not look for malformed packets, then this additional data can be tacked onto seemingly harmless ICMP packets and sent through the network unnoticed.
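The check described above, looking for ICMP echo packets whose data does not look like what an ordinary ping tool sends, as an added example that is not code from the original post. It assumes a 64-byte maximum payload and the two payload shapes I know common ping tools produce (Linux iputils: a timestamp followed by ascending bytes 0x10, 0x11, ...; Windows ping.exe: a repeated alphabet). The sample packets are constructed in the script, with zeroed checksums, and the thresholds should be tuned to what is normal on your own network.

```python
import struct

# Assumption: 64 bytes is the largest echo payload your ping tools send.
MAX_EXPECTED_PAYLOAD = 64
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvw"  # repeated by Windows ping.exe


def build_ipv4_icmp_echo(payload: bytes) -> bytes:
    """Construct a sample IPv4 + ICMP echo request for feeding the detector.
    Checksums are left as zero: the detector never validates them."""
    total_len = 20 + 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                            bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    icmp_header = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # type 8 = echo request
    return ip_header + icmp_header + payload


def parse_icmp_echo(packet: bytes):
    """Return the data field of an IPv4/ICMP echo packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    if packet[ihl] not in (0, 8):  # echo reply / echo request only
        return None
    return packet[ihl + 8:]  # skip type, code, checksum, identifier, sequence


def _ascending(data: bytes) -> bool:
    """True if every byte is exactly one more than the previous one (mod 256)."""
    return len(data) >= 2 and all((data[i + 1] - data[i]) % 256 == 1
                                  for i in range(len(data) - 1))


def _windows_pattern(data: bytes) -> bool:
    reps = len(data) // len(WINDOWS_PATTERN) + 1
    return len(data) > 0 and data == (WINDOWS_PATTERN * reps)[:len(data)]


def classify_payload(payload: bytes) -> str:
    """'standard' for payloads shaped like common ping tools, otherwise the reason."""
    if len(payload) > MAX_EXPECTED_PAYLOAD:
        return "oversized"
    if len(payload) == 0 or _windows_pattern(payload):
        return "standard"
    # Linux iputils: an 8- or 16-byte timestamp, then 0x10, 0x11, 0x12, ...
    for stamp_len in (8, 16):
        if _ascending(payload[stamp_len:]):
            return "standard"
    return "non-standard"


def scan_packets(packets):
    """Return (index, verdict) for every echo packet that is not a standard ping."""
    findings = []
    for i, pkt in enumerate(packets):
        payload = parse_icmp_echo(pkt)
        if payload is None:
            continue
        verdict = classify_payload(payload)
        if verdict != "standard":
            findings.append((i, verdict))
    return findings


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    build_ipv4_icmp_echo(b"\x00" * 16 + bytes(range(0x10, 0x38))),       # Linux-style ping
    build_ipv4_icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),            # Windows-style ping
    build_ipv4_icmp_echo(b"\x00" * 8 + b"this is not what ping normally sends"),
    build_ipv4_icmp_echo(bytes(200)),                                     # far too much data
]

if __name__ == "__main__":
    for idx, verdict in scan_packets(SAMPLE_PACKETS):
        print(f"packet {idx}: {verdict} ICMP echo payload")
```

Run as written, the script reports the third and fourth sample packets and stays quiet about the two that look like ordinary pings. In a real deployment you would feed it packets from a capture and alert on any finding, and, since ping payloads are configurable, expect to adjust the patterns and the size limit to the tools your administrators actually use.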

After this point, they sent the stolen data to FTP (file transfer protocol) sites they had set up on other hacked networks in locations like Florida and Brazil. FTP is a way to send files over a network to another remote location. At least some of the owners of the FTP servers were unaware their machines were involved in this attack. This example also shows why attribution, or determining who performed an attack, is hard, and hacking back might cause problems. It may look like someone is attacking you when in fact the attacking server itself is being controlled by malware, and the owner doesn’t know it.

The Target breach shows how attackers can infiltrate and traverse networks. If you want to read a more detailed account, you can read my paper called Critical Controls that Could Have Prevented the Target Breach in the SANS reading room. This method of attacking systems is a common pattern referred to as the Cyber Kill Chain. It involves a series of steps from reconnaissance to exploitation to exfiltration. If you trust all the systems to talk to each other in your network (also called a flat network), it gives the attackers many opportunities to seek vulnerabilities and sensitive data by scanning and pivoting.

The NotPetya malware is another example showing how attackers traverse internal networks due to excessive internal access. It hit some companies hard, deploying ransomware to many machines very rapidly. In this case, updates from an accounting system vendor in Ukraine distributed the malware. If you have a business, presumably you are using some accounting software. If you install the software on your local computer, it needs to get updates from time to time from the vendor. In the case of the NotPetya malware, the company that provided the accounting software was called MeDoc. Purportedly Russian hackers got into the MeDoc systems and inserted malware into the software update process. When companies downloaded updates for their accounting systems, they got some bonus software of the evil variety.

Once that software got into the internal network, it quickly spread from machine to machine in an automated way. This type of malware is called a “worm.” Each machine that was subsequently infected had ransomware installed on it. Similar to WannaCry, mentioned in a prior post, the ransomware demanded a payment in exchange for decrypting the files. Wired called NotPetya the most devastating cyberattack in history, and it hit companies like Maersk hard.

In my post on the exponential risk of Internet-exposed ports I explained that certain ports should never be open to the Internet. You might want to read that first if you haven’t already. One of those ports that organizations should never expose is port 445 which is used for a protocol called SMB (Server Message Block). Some companies do use this port internally for legitimate reasons. However, when designing and configuring the local network, that port doesn’t need to be accessible from and to every machine. Network administrators can construct local networks to only allow traffic to that port from the systems that are supposed to be sending that traffic. The same goes for every other port — only allow what is required for both inbound and outbound connections.

Not only are attackers able to get into internal networks, they often stay there for months before an organization realizes they are present. When I started in the SANS Institute cybersecurity master’s in information security engineering program, the average time before a breach was discovered was 11 months according to the Verizon Data Breach Report. Organizations in the United States were finding out about compromised data because the FBI (Federal Bureau of Investigation) was knocking on their door to tell them that someone was selling their data on the dark web.

The dark web is a place where nefarious individuals buy and sell things that probably shouldn’t be for sale — like hacking tools and other people’s credentials, identities, and credit cards. You can’t get there from your typical web browser and Internet connection. There’s a great documentary about the dark web and the people who run stolen credit card marketplaces on a show called American Greed from CNBC if you want to watch a great real-life hacker story, including undercover FBI agents and a hacker who takes out other hackers — and ends up in jail. The whole American Greed series fits in nicely with this blog post. It’s incredible what people will do for the sake of money — both the people who perform the nefarious deeds and the people who trust them.

The average time for a breach to exist on a company network has gone down significantly, but it is still months according to the 2019 Verizon Data Breach Report. If hackers have months to live inside a network, they have a great deal of time to steal money and intellectual property and to monitor communications. To prevent attackers from maintaining this access, you’ll want to keep them out in the first place, but chances are one will get in at some point. For this reason, protect not only your perimeter but also your internal network. You can do that by limiting which systems can talk to each other on the internal network, setting up different network segments for different types of systems that do not need to communicate. Also turn on the firewalls on your local computer operating system. Windows, Mac, and Linux systems have built-in firewalls. In most cases, two end-user computers such as new laptops on the same network never have any business talking to each other. There is usually no need for end-user systems to allow inbound network traffic. Web servers running different applications don’t generally need to communicate over the network. You get the idea.

Side note for network geeks and anyone at Google who is listening — this is why the Google Chrome QUIC protocol causes some problems. It makes a network administrator’s ability to block and spot malicious activity more difficult by creating network traffic that talks to computers in the opposite direction of most other standard protocols. If end-user machines only request traffic it makes life easier because you can simply block all incoming requests. If you block Google QUIC on the network, your browser will still work — it will use standard protocols that make outbound requests and get inbound responses so standard firewall rules will work.

On top of blocking unnecessary traffic and patching your systems, you’ll want to turn on logging and monitor your network for suspicious traffic. If you don’t have a lot of security or IT staff to do this type of monitoring, there are various tools that can help. On AWS, you can turn on GuardDuty and send alerts when suspicious activities occur. Azure and Google have similar services that help you spot malicious traffic, though Azure Firewall is very expensive compared to other options. Another tool that can help is Cisco StealthWatch Cloud — it’s designed to be easy to use and can alert on suspicious behavior in the cloud and on-premises. These are just a few of the tools I’ve used before. There are plenty of others out there. Most of them will give you a free trial.

For more advanced network monitoring, I teach a class that includes a full day of networking on how to design networks in the cloud that help prevent and identify breaches. Some of this also applies to on-premises environments even though my primary focus is cloud security. You can design your network to make it harder for attackers to infiltrate, pivot, and make it easier to spot malicious traffic. We talk about the things mentioned in this blog post and look at how to prevent these problems in class lecture, discussions, and hands-on labs.

One other sad, but true, fact is that you need to protect your internal network and data from people you hire. Although we would like to trust everyone, the fact is that people steal things for money or ideological reasons, or do things in retaliation when they are upset. I’ll talk about this in more detail in a blog post on credentials, but yes, it happens. I can’t say from firsthand knowledge, but someone in one of my security classes who worked for the NSA said Edward Snowden was a nice guy who asked to borrow someone’s access to obtain the information he exposed. Another person shut down cloud resources after he was fired. A network administrator held the City of San Francisco’s network hostage.

For executives who want to reduce risk on internal networks, don’t let your internal systems trust each other. Ask your programmers if they are validating every single input and output for the systems they develop. No data coming from any source should be trusted. Even the actions of your employees should be validated and monitored. This concept is referred to as “Zero Trust.” Ask your security teams and networking teams how many possible paths an attacker can take through your internal environment. One entry point may be from the Internet via a phishing email to a laptop and then to other laptops. Another may be from a server update process to other systems on the network. Pay special attention to the number of paths that can reach your sensitive data. Then work to reduce the total potential avenues an attacker has to get into and out of your network, and the number of machines any one system can in turn infect.
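The question to ask your network team, how many paths lead from an entry point to your sensitive data, can be answered by modelling the allowed flows and counting. The script below is an added example, not code from the post or from 2nd Sight Lab; the system groups, ports and rules in it are constructed for illustration. It compares a flat network (everything may talk to everything) with a segmented one in which port 445 is only reachable from the update server and only the application tier reaches the database, as the earlier sections on SMB and segmentation recommend, and it also reports the blast radius of a single compromised group.

```python
# Constructed example topology: groups of systems on an internal network.
GROUPS = ["laptop", "vendor_portal", "update_server", "pos", "app", "db"]

# A flat network: any system may open a connection to any other on any port.
FLAT_POLICY = [("*", "*", "*")]

# A segmented network: only the flows the business actually needs (assumed rules).
SEGMENTED_POLICY = [
    ("laptop", "vendor_portal", 443),   # staff use the vendor web application
    ("vendor_portal", "app", 8080),     # web tier talks to the application tier
    ("app", "db", 5432),                # only the app tier reaches the database
    ("update_server", "pos", 445),      # SMB deployments only from the update server
]


def is_allowed(policy, src, dst, port):
    """First-match allow with a default deny, like a firewall rule list."""
    for rule_src, rule_dst, rule_port in policy:
        if rule_src in ("*", src) and rule_dst in ("*", dst) and rule_port in ("*", port):
            return True
    return False


def next_hops(policy, groups, src):
    """Groups that src can open a connection to on at least one port."""
    return {d for d in groups if d != src
            and any(r[0] in ("*", src) and r[1] in ("*", d) for r in policy)}


def count_attack_paths(policy, groups, start, target):
    """Distinct simple paths an attacker could pivot along from start to target."""
    def walk(node, visited):
        if node == target:
            return 1
        return sum(walk(n, visited | {n})
                   for n in next_hops(policy, groups, node) if n not in visited)
    return walk(start, {start})


def blast_radius(policy, groups, start):
    """Every group reachable, directly or by pivoting, from a compromise of start."""
    seen, frontier = set(), [start]
    while frontier:
        node = frontier.pop()
        for n in next_hops(policy, groups, node):
            if n != start and n not in seen:
                seen.add(n)
                frontier.append(n)
    return seen


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        paths = count_attack_paths(policy, GROUPS, "laptop", "db")
        radius = sorted(blast_radius(policy, GROUPS, "update_server"))
        smb = is_allowed(policy, "laptop", "laptop", 445)
        print(f"{name}: laptop->db paths={paths}, update_server blast radius={radius}, "
              f"laptop-to-laptop SMB allowed={smb}")
```

With six groups, the flat policy yields 65 distinct pivot paths from a phished laptop to the database and a compromised update server can reach everything, while the segmented policy leaves one path (through the tiers that are supposed to talk) and confines the update server to the POS group. Counting paths this way on your real rule set, rather than on a toy, is the exercise the paragraph above asks for.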

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2019
