The past few months have accelerated the struggle between cybercriminals and those that defend against them. It seems that once again we are back on the defensive—as fast as law enforcement can arrest the bad guys, more and increasingly vicious cyber-attacks are unleashed. It’s been ugly, heartbreaking, and in some cases demoralizing.
Even though Microsoft has released 44 patches for 44 vulnerabilities—13 of which were rated “critical”—we have still been hit with a Microsoft Word zero-day exploit. Depending on who you see as your threat, it may or may not be helpful to know this exploit was equally popular for cybercriminals dropping ransomware, banking Trojans and targeting Ukrainian rebels with malware.
Apparently—and I should use the word “allegedly” here—the mantra of Russian cybercriminals and Russian Intelligence Service offensive cyber operations is: “never let a good zero-day go to waste, comrade.”
The most worrying part of this story is that this particular zero-day exploit has been around since security firms identified attacks as far back as November 2016, with most firms pointing to the Dridex banking Trojan as the major payload.
Is everyone now celebrating because we have a long overdue patch for a pernicious vulnerability that has been plaguing us (and apparently Ukrainian rebels) for six months? Sadly, no. Even for those in Dallas who can still focus after hackers took control of the local emergency sirens, things have recently taken a turn for the worse.
Between WikiLeaks, which is hell bent on exposing all the CIA hacking tools in a bunch of disclosures called “Vault 7,” and ShadowBrokers, which is dumping zero-day exploits for the Windows operating system after having previously tortured everyone with a Cisco ASA or PIX back in August, the Internet has become a way more dangerous place. That sucks for defenders. When you combine that with the “regular” vulnerabilities being highlighted by NVD, US-CERT and Full Disclosure, it’s hard to be positive about preventing anything from getting “pwnd” by bad guys.
So, you’re patching and updating your systems as fast as you can and as fast as the vendors can figure out how the exploit works, build a patch and test it to ensure it does not break anything. Advantage bad guys. Bad guys don’t have to worry about whether their exploit breaks things—so long as it works—and they don’t care if your media player can’t stream April the Giraffe.
How do you tackle the problem of zero-days? Well it’s a combination of your existing best practices—which you are already doing, right?—and securing what’s being targeted. Many of the exploits dumped by Shadowbrokers assume access to Server Message Block (SMB) and the ability to make an SMB connection over TCIP. The recommended best practices are to disable SMBv1 and make sure you are blocking outbound and inbound UDP ports 137 and 138, as well as TCP port 139 and 445 at the firewall.
Since one of the exploits targets Kerberos, we know Kerberos clients need to send UDP and TCP packets on port 88, so blocking that at the firewall tool would give you a win. Since security researchers have managed to get their hands on the payloads, you can expect antivirus vendors to be issuing updates pronto.
With all that has been happening, it’s important to look at some survey data to provide some context on why defending your business from cyber-attack, including zero-day attacks, is critical.
In early 2017, SolarWinds MSP investigated the cybersecurity preparedness, experiences and failings of 400 SMEs and enterprises split equally across the US and the UK.
While 87 percent of organizations have complete trust in their security techniques and technology and 59 percent believe they are less vulnerable than 12 months previous, 71 percent of those same organizations have been breached in the same period. Statistically, the belief that “it will never happen to us” simply doesn’t add up.
Why is this happening? Because the basics are being missed:
- Most organisations make no changes to their technology or processes following a breach.
- Detection, response and resolution times are all growing.
- Even basic technologies are not being deployed.
- Widely accepted security techniques and processes remain overlooked.
- User training is massively under-prioritised.
- Security policies are inconsistently applied.
- Vulnerability reporting is often weak, or even non-existent.
The survey offers more insights and data into what kind of security technology is being used and reveals an updated cost of data breach. Given the revelations of the past few weeks, it’s important to read; the bad guys have more tools to break into networks than ever before.
The full report from SolarWinds MSP, entitled “2017 Survey Results: Cybersecurity: Can Overconfidence Lead to an Extinction Event? A SolarWinds MSP Report on Cybersecurity Readiness for U.K. and U.S. Businesses,” is available here for download.
About the Author: Ian Trump, CD, CEH, CPM, BA is an ITIL certified Information Technology (IT) consultant with 20 years of experience in IT security and information technology. Ian’s broad experience on security integration projects, facilitating technological change and promoting security best practices have been embraced and endorsed by his industry peers. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.