APTs Are So Tomorrow: Enterprises Need to Take Care of the Basics Like SQL Injection and Cross Site Scripting Before Worrying About More Sophisticated Threats

“Step right up, folks! Behold the child what has four legs! Marvel at the bearded lady and the wolf-faced boy! Gaze upon the smallest man in the world, who fits into his giant friend’s hand!”

Circus freak shows are testimony to our fascination with the unique, the bizarre. APTs ignite the same obsession as they confound us with feats of teleportation past “128 bit encrypted firewalls”, as they say in the movies. Certainly the legends of nation states exploiting zero day vulnerabilities to break into the electrical grid are the articles we gawk over during our morning news intake while SQL injection (SQLi) and cross site scripting (XSS) are banished to the virtual back pages of technology current events.

And yet, according to the observations of IBM’s X-Force in the 2013 Mid-Year Trend and Risk Report, and data going back years, dull exploits like XSS and SQLi are still the top vectors for data breaches.

It seems as though security administrators are suffering from attention deficit. We know how to prevent SQL injection and XSS: use parameterized queries (stored procedures help only when they don’t assemble SQL text from their arguments), validate input against an allow-list, and encode output for the context in which it is rendered, because input sanitization on its own does not stop XSS. Yet many organizations have failed to take care of the basics before moving on to the next hot security threat, whether it’s cloud, mobile, or APTs.
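As an added example (not code from the original post), here is each defense the paragraph names shown beside the flaw it fixes, using Python’s standard-library sqlite3 and html modules. The users table, its rows, the function names and the attack strings are constructed for the illustration.

```python
"""Added example: SQL injection and XSS, the flaw beside its fix.
Everything here is constructed for illustration (the users table, the
rows and the function names are assumptions, not anything from the post)."""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def build_db():
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", 1), ("bob", "h2", 0), ("carol", "h3", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL
    text, so a quote in the input changes the structure of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Fixed: the value is bound as a parameter; the database never parses
    it as SQL, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username):
    """Allow-list input validation as a second layer. It does not replace
    parameterization: a legitimately quoted value (O'Brien) still has to be
    handled safely by the query layer."""
    return USERNAME_RE.fullmatch(username) is not None


def greeting_vulnerable(username):
    """Deliberately vulnerable: reflects the value into HTML unencoded."""
    return "<p>Welcome, " + username + "</p>"


def greeting_encoded(username):
    """Fixed: encoded for the HTML body context. quote=True also escapes
    quotes, so the same helper is safe inside a double-quoted attribute.
    Other contexts (JavaScript, URL, CSS) need their own encoders."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def demo():
    """Run both attacks against both versions; returns what each one sees."""
    conn = build_db()
    sqli = "' OR '1'='1"
    xss = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, sqli),        # every user leaks
        "sqli_parameterized": lookup_parameterized(conn, sqli),  # no such user
        "xss_vulnerable": greeting_vulnerable(xss),
        "xss_encoded": greeting_encoded(xss),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of running the same payload through both versions is the contrast: the concatenated query returns every row because the quote closed the literal and `OR '1'='1'` became part of the statement, while the parameterized query returns nothing because the whole string was compared as a value. Likewise the encoded greeting carries the script tag as inert text.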

I acknowledge that it’s not as simple as focusing on one thing, getting it right, and tackling the next phase of the security program. (Fans of M*A*S*H might recognize a bit of Charles Emerson Winchester there: “I do one thing at a time, I do it very well, and then I move on.”) But years have passed since SQLi and XSS were first described; even in the midst of the most hectic multitasking, every medium and large enterprise should have a process to identify and mitigate those vulnerabilities before they’re exploited.


So what does that mean, practically speaking?

  • Identify your external facing assets.
    Often this is easier said than done because of cloud deployments, shadow IT, and web sites deemed not important enough to report as official inventory (think of a marketing site at a hosting provider). Techniques that help include using vulnerability scanners to discover assets (obviously), walking your DNS zone files, and asking procurement for expenses related to services such as cloud hosting. While the focus is on finding external systems, don’t forget that malicious insiders are a threat as well, and that an external actor who penetrates the outer defense may discover tasty data on vulnerable internal systems, or at least find them a comfortable home base from which to perform reconnaissance and stage attacks for broader access.
  • Scan the assets for vulnerabilities.
    Using black box testing (dynamic scanning from the outside) or glass box testing (dynamic scanning with an agent inside the running application), organizations can determine where the application weaknesses are. For custom applications, automated source code analysis can find vulnerabilities so they are fixed before the application is deployed.
  • Mitigate those vulnerabilities.
    If an application can’t be modified, a few techniques mitigate input validation and data query vulnerabilities. Database activity monitoring solutions can identify suspect queries and prevent them from executing in the back-end database. IBM’s XGS offers “virtual patching” and can integrate with AppScan: if a vulnerability is found during an application scan, the intrusion prevention system can be notified and block that exploit string from reaching the vulnerable application. Treat this as a stopgap rather than a fix, since it blocks the known exploit string and not the flaw behind it, and a variant of the string may still get through. And QRadar can identify suspect activity, such as a database administrator querying a table containing credit card data after business hours.
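To make the monitoring side of the last step concrete, here is an added example (not the original post’s code, and not how QRadar or any IBM product implements its rules) of the kind of logic a monitoring system runs over database audit logs: flag privileged accounts touching card-data tables outside business hours, and flag query text carrying an injection tautology or UNION SELECT. The log line layout, the table and account names, the business hours and the sample lines are all constructed for the example.

```python
"""Added example of detection logic over database audit logs. The log
layout, account names, table names, hours and sample lines are assumptions
made for this illustration, not the post's data or any vendor's rule."""
import re
from datetime import datetime, time

# Assumed audit-log layout: "<ISO timestamp> user=<account> db=<name> sql=<statement>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) sql=(?P<sql>.*)$")
# Table names that follow FROM/JOIN/INTO/UPDATE in the statement text.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
# Crude injection signatures: a tautology such as OR '1'='1', or a UNION SELECT.
SQLI_RE = re.compile(r"\bOR\s+('?\w+'?)\s*=\s*\1|\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)

SENSITIVE_TABLES = {"cardholder", "card_numbers"}  # assumed inventory of card-data tables
PRIVILEGED_ACCOUNTS = {"dba_admin", "sa"}          # assumed DBA logins
BUSINESS_HOURS = (time(8, 0), time(18, 0))          # assumed local working day, Mon-Fri

# Constructed sample audit lines (2013-09-17 is a Tuesday, 2013-09-21 a Saturday).
SAMPLE_LOG = """\
2013-09-17T14:05:11 user=app_svc db=orders sql=SELECT card_last4 FROM cardholder WHERE customer_id = 42
2013-09-17T23:41:07 user=dba_admin db=orders sql=SELECT pan, expiry FROM cardholder
2013-09-17T10:12:30 user=dba_admin db=orders sql=SELECT count(*) FROM cardholder
2013-09-17T11:02:45 user=app_svc db=orders sql=SELECT username FROM users WHERE username = '' OR '1'='1' --'
2013-09-18T09:00:00 user=app_svc db=orders sql=SELECT id FROM products WHERE sku = 'A-100'
2013-09-21T12:00:00 user=sa db=orders sql=SELECT pan FROM card_numbers
# lines that do not match the layout are skipped, not guessed at
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["tables"] = {t.lower() for t in TABLE_RE.findall(ev["sql"])}
    return ev


def is_after_hours(ts):
    """Weekend, or a weekday time outside the assumed working hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def evaluate(ev):
    """Return the names of the rules this event triggers."""
    hits = []
    sensitive = bool(ev["tables"] & SENSITIVE_TABLES)
    if sensitive and ev["user"] in PRIVILEGED_ACCOUNTS and is_after_hours(ev["ts"]):
        hits.append("privileged_card_data_access_after_hours")
    if SQLI_RE.search(ev["sql"]):
        hits.append("sqli_pattern_in_query")
    return hits


def scan_log(text):
    """Run every rule over every line; returns (rule, user, timestamp) tuples."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in evaluate(ev):
            findings.append((rule, ev["user"], ev["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two design points matter more than the regexes. The after-hours rule needs an inventory of which tables hold card data and which accounts are privileged, which is exactly the asset knowledge the first step of the list produces; without it the rule cannot be written. And the injection signature is deliberately narrow: it catches the textbook tautology in an audit log, not every encoding an attacker might use, which is why it complements rather than replaces fixing the query code.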

Mature organizations wrap a manageable process around the technology controls, including change management that tracks the procurement and connection of all new systems and changes to existing systems, and testing them before they’re put into production. But don’t let perfect be the enemy of good: start where you can and chip away at the process. You can never move on from the basics, but you can reduce your effort as that part of your security program matures and becomes a routine that can be offloaded to junior staff—with supervision, of course.

The reality is that we’ll never be able to prevent a well-funded and persistent adversary from compromising our defenses. The best we can do is put up large speed bumps to make it exceedingly difficult for the enemy to achieve their goals and to detect their efforts as soon as possible—ultimately before they steal or destroy data. Sometimes the saying, “You don’t have to swim faster than the shark, you only have to swim faster than your dive buddy” holds true and the attacker will move on if you screw up their economics, but even if they are firmly fixated on you as the target, there’s no reason to give up and lay out a red carpet and a warm plate of cheese by not taking care of the basics.
