More is Less: Why conventional security alone can’t match today’s threat landscape
There’s a locked steel door at the end of a hallway. Employees swipe their badges to get in. A sign reads “Authorized Personnel Only”. There are cameras facing the entrance and cameras inside as well. You’re a highly skilled thief. Will you get in?
Cyber security is complex, but this analogy holds up. The technology tends to fit into these categories:
- Locked reinforced doors
- Authorized access
- Protect what’s inside
- Cameras to record activity
- Eyes on glass
Security has advanced but the approach hasn’t changed much over the years. We continue to find better ways to do these things.
What needs to change?
Too Many Doors
Cisco forecasts 29.3 billion networked devices by 2023. Servers, laptops and routers, plus printers, cameras, sensors and controllers: hundreds of device types across dozens of classes make up corporate infrastructures that are impossible to manage completely. According to RiskIQ research, the largest UK companies (the FTSE-30) have on average 114,504 IP addresses, 8,427 hosts, 45 mail servers and 7,790 cloud-hosted applications. Security teams are caught in a numbers game they cannot keep pace with.
To make matters worse, the same report noted that most organizations underestimate the size of their attack surface by about 30%. For some companies that means tens of thousands of IP addresses in their environment that they are not aware of. This affects companies of all sizes.
Between 10 and 15% of the average on-premises tech stack consists of products with no clear owner. In addition, according to McAfee research, organizations use on average 10x more cloud services than their IT departments know about.
Shadow IT has long been a huge problem, and COVID-19 and the rush to remote work only amplified it. With shadow IT come shadow credentials: related accounts with weak passwords (e.g. solarwinds123) that may never be reset, so an attacker who obtains them can keep using them indefinitely.
You can’t protect what you can’t see.
Reinforcement, Locks and Authorized Access
Reinforcing, locking, and controlling entry doesn’t always work. In the case of SolarWinds, these controls were simply irrelevant. The attacker entered as a trusted and privileged user, and the payload was digitally signed with the vendor’s own code-signing certificate. Security typically tracks patching levels of trusted third-party software but doesn’t scrutinize that software’s communications channels, which gave the attackers privileged access and a virtually invisible Command and Control (C2) channel. With a foothold as an administrator, the attacker gained access to the organization’s global administrator account and/or the trusted SAML token-signing certificate, enabling them to forge tokens and impersonate existing users and accounts, including highly privileged ones. This exposure, known as “Golden SAML”, gives the attacker free rein to move laterally and access any asset in the network as an administrator. This Microsoft blog explains the attack in detail.
Cameras Outside and Behind Closed Doors
Working under the identity of an authorized privileged user, the attacker applies their tradecraft to avoid detection.
This Microsoft blog outlines the anti-forensic techniques used in the SolarWinds attack.
- Avoided shared indicators for each compromised host by deploying custom Cobalt Strike DLL implants on each machine
- Blended into the environment by renaming tools and binaries to match files and programs on the compromised device
- Disabled event logging using AUDITPOL before hands-on-keyboard activity and re-enabled it afterward
- Created firewall rules to minimize outgoing packets for certain protocols before running noisy network enumeration activities
- Disabled security services on targeted hosts before moving laterally
- Changed artifacts’ timestamps and used wiping procedures and tools to hinder discovery of the malicious DLL implants in affected environments.
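Several of the steps in that list leave a command-line trail even when the attacker later disables logging, because the disabling command itself is the first thing logged. The following is an added example (not code from the original post or from Microsoft) of detection logic for those steps, run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 style) normalised to one JSON object per line. The field names ts/host/user/cmdline, the sample events and the regexes are all constructed for this illustration; the patterns are not a vetted ruleset, and the event-log wipe is one assumed instance of the "wiping procedures" the list mentions.

```python
"""Flag anti-forensic command lines and correlate the auditpol disable/enable pair.

Added example, not the post's or Microsoft's code. Assumed input: JSON lines with
ts (ISO-8601), host, user and cmdline. Regexes are illustrative, not exhaustive.
"""
import json
import re
from datetime import datetime
from typing import Iterable

# One pattern per technique. `audit_policy_enabled` exists only so the
# disable/enable pair can be correlated into a "logging blind window".
PATTERNS = {
    "audit_policy_disabled": re.compile(
        r"\bauditpol(\.exe)?\s+/set\b.*?/(success|failure):disable", re.I),
    "audit_policy_enabled": re.compile(
        r"\bauditpol(\.exe)?\s+/set\b.*?/(success|failure):enable", re.I),
    "outbound_firewall_block": re.compile(
        r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bdir=out\b.*?\baction=block\b", re.I),
    "security_service_disabled": re.compile(
        r"(\bsc(\.exe)?\s+(stop|config)\s+\S*(windefend|sense|mpssvc|wscsvc|eventlog)"
        r"|\bSet-MpPreference\s+-Disable\w+\s+\$?true)", re.I),
    # Assumed example of a "wiping" step: clearing a Windows event log.
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan(lines: Iterable[str]) -> list:
    """Return one finding per (event, matched technique), in input order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        cmd = ev.get("cmdline", "")
        for rule, rx in PATTERNS.items():
            if rx.search(cmd):
                findings.append({"ts": ev["ts"], "host": ev["host"],
                                 "user": ev.get("user"), "rule": rule, "cmdline": cmd})
    return findings


def audit_blind_windows(findings: list) -> list:
    """Pair each auditpol disable with the next enable on the same host.

    The gap is the window in which hands-on activity left no audit trail. A
    disable with no later enable is reported with enabled_at=None: that host
    is still blind and deserves a live look.
    """
    windows, open_by_host = [], {}
    for f in sorted(findings, key=lambda f: f["ts"]):
        if f["rule"] == "audit_policy_disabled":
            open_by_host.setdefault(f["host"], []).append(f["ts"])
        elif f["rule"] == "audit_policy_enabled" and open_by_host.get(f["host"]):
            start = open_by_host[f["host"]].pop(0)
            secs = (parse_ts(f["ts"]) - parse_ts(start)).total_seconds()
            windows.append({"host": f["host"], "disabled_at": start,
                            "enabled_at": f["ts"], "blind_seconds": secs})
    for host, starts in open_by_host.items():
        for start in starts:
            windows.append({"host": host, "disabled_at": start,
                            "enabled_at": None, "blind_seconds": None})
    return windows


# Constructed sample telemetry (not real data): one host runs the
# disable -> block -> stop -> enable sequence, plus benign noise and a log wipe.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2021-01-04T09:12:03Z", "host": "WS-0417", "user": "CORP\\svc_orion",
     "cmdline": 'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"ts": "2021-01-04T09:12:20Z", "host": "WS-0417", "user": "CORP\\svc_orion",
     "cmdline": 'netsh advfirewall firewall add rule name="Core Networking" dir=out action=block protocol=tcp remoteport=139,445'},
    {"ts": "2021-01-04T09:13:41Z", "host": "WS-0417", "user": "CORP\\svc_orion",
     "cmdline": "sc.exe stop WinDefend"},
    {"ts": "2021-01-04T09:41:07Z", "host": "WS-0417", "user": "CORP\\svc_orion",
     "cmdline": 'auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable'},
    {"ts": "2021-01-04T10:02:55Z", "host": "WS-0221", "user": "CORP\\jsmith",
     "cmdline": "notepad.exe C:\\Users\\jsmith\\notes.txt"},
    {"ts": "2021-01-04T10:05:12Z", "host": "SRV-DC01", "user": "CORP\\admin",
     "cmdline": "wevtutil.exe cl Security"},
])

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['host']:<9} {f['rule']:<26} {f['cmdline']}")
    for w in audit_blind_windows(found):
        print(f"BLIND WINDOW {w['host']}: {w['disabled_at']} -> {w['enabled_at']} ({w['blind_seconds']} s)")
```

The pairing step matters more than the individual matches: a single auditpol change has benign explanations, but a disable followed half an hour later by an enable on the same host, bracketing a firewall change and a stopped security service, is the shape of the behaviour described in the list, and the blind window tells the responder exactly which time range will be missing from the host's own logs.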
Hiding out in privileged software is not the only way to avoid detection.
This article outlines other avenues, one of which is exploiting IoT and OT devices. Many of these devices are not monitored or secured with the same rigor as other IT assets. The issue is particularly vexing for healthcare and manufacturing, where securing medical devices and manufacturing control systems with conventional security technology is either not feasible or highly impractical.
100% of the Doors are Real
A lot of smart people are sharing valuable insights into the SolarWinds attack TTPs, but the bottom line is that the attack succeeded against advanced defenses.
So what’s the point of this Door Analogy?
- Every IP address is a door, and there are just too many.
- With conventional security, it is 100% certain that every door is real.
- Conventional security requires that you A) account for every door and B) secure every door.
- With all those doors and all those blind spots, it’s an unwinnable game.
- Attackers have the playbook: whether by supply chain exploitation or phishing, they know how to get in, and once they’re in they know how to hide their tracks.
Back to our hallway. This time you, the skilled thief, are faced with three doors. The doors and the rooms behind them are identical. They are secured the same way, and real employees appear to enter and leave each room. Unbeknownst to you, two of the rooms are traps, and as you decide which door to enter you’ll either ply your trade in a real room or waste your time in a fake one while teaching your opponent your techniques. We tend to overcomplicate cyber deception, but the concept is really quite simple. In an environment with no deception, it is 100% likely that any given asset under attack is real. When that asset is accompanied by one trap the likelihood drops to 50%, with two traps to 33%, and so on, and with each phase of reconnaissance and lateral movement the guessing game begins again.
So yes, you actually reduce Threat Event Frequency by adding fake assets to your attack surface. More Traps = Less Risk.
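The arithmetic behind "more traps = less risk" is worth carrying through, because the per-phase odds compound and the question a defender actually has is the inverse one: how many decoys are needed to hit a given detection probability within a given number of attacker moves. The block below is an added example, not the vendor's code. Its assumptions are stated in the docstring and are not from the post: the attacker cannot tell decoys from real assets, picks uniformly at random at each phase, phases are independent, and touching any decoy raises an alert. It goes beyond the text by solving for the decoy count and cross-checking the closed form with a simulation.

```python
"""Decoy-ratio arithmetic behind the three-door example.

Added example, not the vendor's code. Assumptions (not from the post): the
attacker cannot distinguish decoys from real assets and picks uniformly at
random at each phase of recon/lateral movement; phases are independent;
touching any decoy raises an alert. Real attackers are not this blind, so the
numbers are upper bounds on what a decoy layer can deliver.
"""
import math
import random


def p_pick_real(real: int, decoys: int) -> float:
    """Chance that one blind guess lands on a real asset (1 real + 1 decoy -> 0.5)."""
    if real <= 0 or decoys < 0:
        raise ValueError("need at least one real asset and a non-negative decoy count")
    return real / (real + decoys)


def p_undetected(real: int, decoys: int, phases: int) -> float:
    """Chance of `phases` consecutive guesses without touching a decoy."""
    return p_pick_real(real, decoys) ** phases


def p_detected(real: int, decoys: int, phases: int) -> float:
    return 1.0 - p_undetected(real, decoys, phases)


def decoys_needed(real: int, phases: int, target: float) -> int:
    """Smallest decoy count giving P(detected within `phases`) >= target.

    Solves (real / (real + d)) ** phases <= 1 - target for d:
        d >= real * ((1 - target) ** (-1 / phases) - 1)
    """
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    if phases < 1:
        raise ValueError("phases must be >= 1")
    d = real * ((1.0 - target) ** (-1.0 / phases) - 1.0)
    return max(0, math.ceil(d - 1e-9))  # tolerance so exact solutions don't round up


def simulate(real: int, decoys: int, phases: int, trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo cross-check of p_detected: a blind walk over the mixed asset pool."""
    rng = random.Random(seed)
    pool = ["real"] * real + ["decoy"] * decoys
    caught = 0
    for _ in range(trials):
        for _ in range(phases):
            if rng.choice(pool) == "decoy":
                caught += 1
                break
    return caught / trials


if __name__ == "__main__":
    # The series from the text: one real asset with 0, 1, 2, 3 traps beside it.
    print("P(real) for 0..3 decoys:", [round(p_pick_real(1, d), 3) for d in range(4)])
    print("1 real, 2 decoys, 3 phases: P(detected) =", round(p_detected(1, 2, 3), 3),
          "| simulated:", simulate(1, 2, 3))
    # Using the RiskIQ host count quoted above as the size of the real estate.
    print("8427 real hosts, 5 lateral moves, 90% detection needs",
          decoys_needed(8427, 5, 0.9), "decoys")
```

Two things fall out of this that the prose alone does not show. First, detection probability grows with the number of phases the attacker must guess through, so decoys placed on the paths an intruder has to traverse (credentials, shares, hosts reachable from the first foothold) do more work than decoys scattered uniformly. Second, the decoy count scales linearly with the number of real assets at a fixed target, which is exactly why the next paragraph's point about traps being light and cheap to deploy matters.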
This won’t work with honeypots; they are too complex to deploy at this scale. The strategy is only sustainable when traps are not only authentic but light, fast and easy to deploy. Our customers gain the upper hand over their adversaries. They play the numbers game against them. They hide their assets in a crowd. They slow the attack by making their attacker guess. When the attacker inevitably guesses wrong, our customers get an early warning and move quickly to contain the attack. This solution is in production in over 250 IT environments because it works and it scales. If you’d like to learn more, we’d love to hear from you.