If you are reading this, you are probably concerned about your information security and most likely aware of the KRACK exploit that was recently disclosed.

The KRACK vulnerability affects any device that connects to a Wi-Fi access point that uses the Wi-Fi Protected Access 2 (WPA2) standard for security. WPA2 has been used on all certified Wi-Fi hardware since 2006 and is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i technology standard for data encryption.

In other words, pretty much any Wi-Fi-enabled device you can imagine is vulnerable to this attack. Upon successfully exploiting KRACK, an attacker is positioned as a man-in-the-middle between the client and the access point, meaning he or she can decipher encrypted data sent over a secure channel via your Wi-Fi.

Patching the KRACK Vulnerability

The management and remediation of the KRACK vulnerability can be broken down into a simple two-step process: Assess the vulnerability exposure and then apply patches when the respective vendors release them. It sounds simple, but patching endpoints can be a tedious process for large organizations, especially if they operate Internet of Things (IoT) or embedded devices that rely on Wi-Fi. Many organizations even lack a comprehensive inventory of such devices.

Although KRACK has received a lot of attention recently, it isn’t an entirely new method of breaking the WPA2 four-way handshake. Just as commodity solutions evolve iteratively, so do exploit kits and cybercriminal methodologies. KRACK merely shows how this type of exploit can be simplified and automated.

Unfortunately, there is no silver bullet. Since the vulnerable devices can survive for longer periods of time in the network, it is important to implement active monitoring of potential attacks during patching and remediation processes. Monitoring needs to happen at different layers, be it network activity, endpoint behavior or vulnerability assessments. These efforts, which are traditionally driven by different silos within an organization, need to come together to effectively manage the threat. The effectiveness of any threat response activity comes down to the communication and information sharing between the teams working on the issue. It would be even better if the correlation of this information could be automated.

Become a Security Superhero With Security Intelligence

That’s where a security intelligence platform comes in handy. Such a tool can consolidate data from all segments of your enterprise infrastructure to effectively monitor and respond to threats.

First and foremost, it allows you to bring all your vulnerability assessment data into one solution, irrespective of the vendor used to scan for this information. Organizations typically use multiple tools to gather this data as a best practice, but they run the risk of developing a fragmented program. It is important to bring this data together, normalize it and see it through a single pane of glass.

A security intelligence solution might surface an overwhelming number of vulnerable assets. That’s why it’s also crucial to monitor logs from network devices. Your wireless local area network (LAN) controllers might detect rogue access points and log them, but those logs can easily go unnoticed. These controllers can feed the data back into the security intelligence platform, enabling the security team to detect and disrupt a KRACK attack in real time, since the creation of a rogue access point is a key step in the attack.

As mentioned above, the KRACK attack exploits the four-way handshake of WPA2. Security teams can monitor for this communication on the fly and detect a KRACK attack in progress by using a real-time network traffic analysis tool to identify behavioral anomalies. A simple rule could capture the four-way handshake, flag an interruption in its third message, which is indicative of KRACK activity, and alert the analysts. If the target asset is known to be vulnerable and there are alerts on potential rogue access points on the network, the security team has almost a 100 percent chance of accurately identifying and remediating the threat.
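As an added example (not part of the original post, and not QRadar's own rule logic), the following Python sketches the correlation described in the last two paragraphs over constructed data: a rule that flags a four-way handshake in which message 3 is delivered more than once, then raises the alert's severity when the access point also appears in the WLAN controller's rogue-AP alerts and the client is on the vulnerability assessment's unpatched list. The event format, the contents of the two feeds and the severity scale are all assumptions.

```python
from collections import defaultdict

# Constructed EAPOL-Key handshake events, as a wireless monitoring tool might log them:
# (timestamp, client_mac, ap_bssid, anonce, handshake_message_number)
EVENTS = [
    (1.00, "aa:bb:cc:00:00:01", "02:11:22:33:44:55", "anonce-c1", 1),
    (1.01, "aa:bb:cc:00:00:01", "02:11:22:33:44:55", "anonce-c1", 2),
    (1.02, "aa:bb:cc:00:00:01", "02:11:22:33:44:55", "anonce-c1", 3),
    (1.03, "aa:bb:cc:00:00:01", "02:11:22:33:44:55", "anonce-c1", 4),
    (1.50, "aa:bb:cc:00:00:01", "02:11:22:33:44:55", "anonce-c1", 3),  # message 3 delivered again
    (1.51, "aa:bb:cc:00:00:01", "02:11:22:33:44:55", "anonce-c1", 4),  # and the client answered it
    (5.00, "aa:bb:cc:00:00:02", "02:11:22:33:44:55", "anonce-d7", 1),
    (5.01, "aa:bb:cc:00:00:02", "02:11:22:33:44:55", "anonce-d7", 2),
    (5.02, "aa:bb:cc:00:00:02", "02:11:22:33:44:55", "anonce-d7", 3),
    (5.03, "aa:bb:cc:00:00:02", "02:11:22:33:44:55", "anonce-d7", 4),  # clean handshake
    (9.00, "aa:bb:cc:00:00:03", "02:66:77:88:99:00", "anonce-e2", 1),
    (9.01, "aa:bb:cc:00:00:03", "02:66:77:88:99:00", "anonce-e2", 2),
    (9.02, "aa:bb:cc:00:00:03", "02:66:77:88:99:00", "anonce-e2", 3),
    (9.40, "aa:bb:cc:00:00:03", "02:66:77:88:99:00", "anonce-e2", 3),  # retransmit after a lost message 4
    (9.41, "aa:bb:cc:00:00:03", "02:66:77:88:99:00", "anonce-e2", 4),
]

# Constructed feeds from the other two silos: WLAN-controller rogue-AP alerts (by BSSID)
# and the vulnerability assessment's list of clients not yet patched for KRACK.
ROGUE_AP_BSSIDS = {"02:11:22:33:44:55"}
UNPATCHED_CLIENTS = {"aa:bb:cc:00:00:01"}

SEVERITY = {1: "low", 2: "medium", 3: "high"}  # assumed scale


def find_repeated_msg3(events):
    """Count message 3 per handshake (client, AP, ANonce); more than one is the anomaly to flag."""
    counts = defaultdict(int)
    for _ts, client, ap, anonce, msg in events:
        if msg == 3:
            counts[(client, ap, anonce)] += 1
    return {hs: n for hs, n in counts.items() if n > 1}


def correlate(events, rogue_aps, unpatched):
    """Raise severity when the handshake anomaly coincides with a rogue-AP alert and a vulnerable asset."""
    alerts = []
    for (client, ap, anonce), n in sorted(find_repeated_msg3(events).items()):
        score = 1 + (ap in rogue_aps) + (client in unpatched)  # a lone retransmit may just be a lost message 4
        alerts.append({"client": client, "ap": ap, "msg3_count": n, "severity": SEVERITY[score]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, ROGUE_AP_BSSIDS, UNPATCHED_CLIENTS):
        print(alert)
```

The benign retransmit from the second access point stays at low severity, while the repeated message 3 on a client that is both unpatched and talking to a flagged BSSID is what an analyst would triage first.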

A Silver Bullet? Not Quite

The ability to leverage the insights you gain through one operation across your threat intelligence landscape is extremely powerful — even more so if you can automate it. However, you must have some idea of what you are looking for. Security analysts need help staying on top of the mountains of threat data that don’t necessarily make it to the front page of your favorite research blog. A cognitive security solution can help security teams make sense of the data they are analyzing. A simple query for an alert on rogue access point creation can help analysts nip a KRACK attack in the bud.

That sounds an awful lot like a silver bullet. It isn’t, but it is the closest thing you can buy to facilitate a solid security practice and help the Clark Kents of your team transform into security superheroes.
