Hackers can break into the vast majority of targets in less than 15 hours, using freely available open source tools and exploit packs. Nearly half can then exfiltrate high value data in less than an hour, according to 2018’s “Black Report” from Australian security software specialists Nuix – whether they’re using third party access or the aircon as an attack vector.
It gets worse: six out of seven times, attackers break into their targets, gather and exfiltrate the data without getting caught. The report’s findings, published today, are based on the insight from 112 professional hackers, gathered via anonymous surveys at the “hacker summer camp” Black Hat, Bsides Vegas, and DEFCON conferences.
“This illustrates the reality of “candy bar security,” where an organization’s security posture is crunchy on the outside and chewy in the middle. It’s the result of focusing on hardening the perimeter of a network and assuming that anyone who’s on the inside should be there and is doing what they’re supposed to be doing. These assumptions are clearly not realistic today, if they ever were”, report lead author, Nuix’s Chris Pogue noted in the report.
The Easiest Industries to Hack
Despite relying on high volumes of credit card transactions (“fresh” credit card numbers typically sell for between US$5 and $30 following a hack, the report notes) the easiest sectors to hack are the food and beverage, hospitality and retail industries. Hospitals and healthcare providers; law firms; manufacturers and sports and entertainment companies were also easy targets, those profiled said.
“Yes, it is true that many respondents to the Nuix Black Report are professional hackers or members of red teams who are contracted to breach organizations. And yes, those who hack in support of a contract operate under a different set of constraints to a dedicated threat adversary. For the most part, though, they observe many of the same goals and use the same techniques to achieve those goals,” the report notes.
Private exploits, custom (handmade) tools, and commercial tools were rarely used by the hackers. “Dramatic price differences between hacking tools (mostly free) and enterprise security tools (mostly more than a BMW) are without question exacerbating the imbalance between attacker and defender”, Chris Pogue emphasised.
The Countermeasures Hackers Rate
The highest number of respondents (34 percent) said host system hardening yielded the best results. This was followed by intrusion detection and prevention systems at 18 percent and endpoint security at 14 percent. Honeypots or other deception technologies netted 10 percent, while Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) came in at only eight percent, tied with antivirus. The lowest percentages were firewalls at five percent and Microsoft’s User Account Control security framework at three percent.
“It’s funny how organizations, after they’re breached, almost always announce that it was a complex and advanced cyberattack the likes of which nobody has ever seen before. As a consultant, responding to breaches in organizations of all shapes and sizes, I have hardly ever witnessed extravagant, zero-day, or exceptionally complex attacks. They’re out there, sure, but what we routinely see is a lack of data hygiene, misconfigurations, or problems with situational awareness”, said Jim Rouse, Chief Information Security Officer at Gemini.
Fighting the “Nine Riders”
Nuix highlights “nine riders” (after the Tolkien Nazgul) to combat. (Truncated here by Computer Business Review for reader convenience). These are as follows:
The First Rider: single-factor authentication
“Attackers have huge lists of username and password combinations. All they need is for one to work. To defeat this wraith, all internal and external systems should have two-factor authentication.”
The Second Rider: unpatched servers and applications
“We routinely encounter organizations running servers or applications with known vulnerabilities and with working exploits against those vulnerabilities. Defeating this wraith requires… constant risk assessment against your own assets.”
The Third Rider: weak or default passwords
“Any worthy adversary will try admin/admin to log into your application server and micros/micros on a fresh install of the Micros point-of-sale platform. You could do worse than implementing the National Institute of Standards and Technology’s recently updated Special Publication 800-63.”
The Fourth Rider: antiquated operating systems
“Antiquated or end-of-life operating systems that can no longer obtain security or software patches need to disappear or have compensating controls. Risk managers should understand that a $1 million tool such as a microscope (true story) may be essential to our business but if it only runs on Windows XP, it will need network segmentation or jump hosts, to protect it.”
The Fifth Rider: overprivileged users
“Not all users need to be local admins or, worse, domain admins. To defeat this wraith, best practice is to separate standard user accounts from privileged accounts. Think of it as another layer of your security model. Apply the principle of least privilege.”
The Sixth Rider: non-work-related activities
“Everywhere a Nuix Investigator has gone in the past 12 months, we’ve found examples of non-work-related activities on critical breached systems. Take back your network by deploying controls over what users can and can’t do. Almost all organizations have acceptable use policies but historically they’ve lacked enforcement, technical controls, or instrumentation to monitor.”
The Eight Rider: no network segmentation
“Segmenting off networks that contain the corporate “crown jewels,” intellectual property, personally identifiable information, or other sensitive data from general-purpose networks forces an adversary to shift tactics, techniques, and procedures. It also provides natural choke points to restrict data flows into and out of that environment.”
The Ninth Rider: lack of instrumentation
“In almost all the breaches we investigated, the victims lacked visibility into crucial aspects. My favourite had implemented an endpoint detection and response solution but it was still in learning mode when the organization got breached. The EDR systems actually learned that being pwned was normal activity! To see this wraith coming, organizations need visibility into their networks, traffic, endpoints, and sensitive data to make informed decisions about the state of their environments.”