APTs Are So Tomorrow: Enterprises Need to Take Care of the Basics Like SQL Injection and Cross Site Scripting Before Worrying About More Sophisticated Threats

“Step right up folks! Behold the child what has four legs! Marvel at the bearded lady and the wolf faced boy! Gaze upon the smallest man in the world, who fits into his giant friend’s hand!”

Circus freak shows are testimony to our fascination with the unique, the bizarre. APTs ignite the same obsession as they confound us with feats of teleportation past “128 bit encrypted firewalls”, as they say in the movies. Certainly the legends of nation states exploiting zero day vulnerabilities to break into the electrical grid are the articles we gawk over during our morning news intake while SQL injection (SQLi) and cross site scripting (XSS) are banished to the virtual back pages of technology current events.

And yet, according to the observations of IBM’s X-Force in the 2013 Mid-Year Trend and Risk Report, and data going back years, dull exploits like XSS and SQLi are still the top vectors for data breaches.

It seems as though the security administrators are suffering from attention deficit. We know how to prevent XSS and SQL injection—perform input sanitization and use parameterized queries and stored procedures—but many organizations have failed to take care of the basics before moving on to the next, hot security threat, whether it’s cloud, mobile, or APTs.
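The two basics named above, shown as an added example that is not from the original article: a concatenated query beside its parameterized form, plus encoding of untrusted text before it is written into HTML. The `accounts` table, its rows and the function names are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, card TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "0000-0000-0000-0001"),
                    ("bob", "0000-0000-0000-0002")])
    return db

def lookup_concatenated(db, owner):
    # Weak form: the caller's text is spliced into the SQL statement,
    # so a quote character in it changes the query's structure.
    sql = "SELECT owner, card FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, owner):
    # Corrected form: the statement is fixed and the value is bound
    # separately, so it is only ever compared as data.
    sql = "SELECT owner, card FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def render_comment(text):
    # Encode untrusted text for an HTML body context before output.
    return "<p>" + html.escape(text) + "</p>"

CRAFTED = "nobody' OR '1'='1"   # constructed input containing SQL syntax
```

With `CRAFTED` as input, the concatenated lookup returns every row in the table while the parameterized lookup returns none.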

I acknowledge that it’s not as simple as focusing on one thing, getting it right, and tackling the next phase of the security program. (Fans of M*A*S*H might recognize a bit of Charles Emerson Winchester there: “I do one thing at a time, I do it very well, and then I move on”). But years have passed since the introduction of SQLi and XSS; even in the midst of the most hectic multitasking, all medium and large enterprises should have a process to identify and mitigate those vulnerabilities before they’re exploited.

 

So what does that mean, practically speaking?

  • Identify your external facing assets.
    Often this is easier said than done because of cloud deployments, shadow IT, and web sites deemed not important enough to bother to report as official inventory (think marketing website at a hosting provider). Techniques to help include using vulnerability scanners to find assets (obviously), referencing DNS zone files, and asking procurement for expenses related to services, such as cloud. While the focus is on finding external systems, don’t forget that malicious insiders are a threat as well. Also, external actors who manage to penetrate your outer defense may discover tasty data on vulnerable internal systems, or at least find those systems a perfect home base from whence to perform surveillance and stage attacks to gain broader access.
  • Scan the assets for vulnerabilities.
    Using black box or glass box testing, organizations can determine where the application weaknesses are. For custom applications, organizations can perform automated source code evaluation and fix security vulnerabilities before the application is deployed.
  • Mitigate those vulnerabilities.
    If applications can’t be modified, there are a few techniques for mitigating input validation and data query vulnerabilities. Database access monitoring solutions can identify suspect queries and prevent them from executing in the context of the back-end database system. IBM’s XGS offers “virtual patching” and can integrate with AppScan: if a vulnerability is found during an application scan, the intrusion prevention system can be notified and restrict that exploit string from reaching the vulnerable application. And QRadar can identify suspect activity, such as a database administrator login to a table containing credit card data after business hours.
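For the first step, one way to use a DNS zone file to find external-facing names that never made it into the official inventory. This is an added example, not from the original article; the zone contents, the inventory set and the function names are constructed, and it treats anything outside RFC 1918 space (or any CNAME) as external.

```python
import ipaddress

# Constructed sample data; names and addresses are documentation values.
ZONE = """\
$ORIGIN example.com.
@         IN SOA   ns1 hostmaster 1 7200 900 1209600 3600
www       IN A     203.0.113.10
shop 300  IN A     203.0.113.11
          IN A     203.0.113.12
promo     IN CNAME sites.hosting.example.  ; marketing microsite
vpn       IN A     198.51.100.7
intranet  IN A     10.1.2.3
"""
INVENTORY = {"www.example.com", "shop.example.com"}  # constructed official list
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Return (fqdn, rtype, rdata) for each A, AAAA and CNAME record."""
    origin, owner, records = "", None, []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments
        if fields and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
        if not fields or fields[0].startswith("$"):
            continue
        if not raw[0].isspace():   # a leading blank reuses the previous owner
            owner, fields = fields[0].lower(), fields[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]    # skip optional TTL and class
        if len(fields) >= 2 and fields[0].upper() in ("A", "AAAA", "CNAME"):
            name = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
            fqdn = origin if owner == "@" else name
            records.append((fqdn, fields[0].upper(), fields[1]))
    return records

def unreported_external(zone_text, inventory):
    """Names that point outside RFC 1918 space but are missing from inventory."""
    found = {}
    for fqdn, rtype, rdata in parse_zone(zone_text):
        internal = rtype != "CNAME" and any(
            ipaddress.ip_address(rdata) in net for net in RFC1918)
        if not internal and fqdn not in inventory:
            found.setdefault(fqdn, []).append(f"{rtype} {rdata}")
    return found
```

On the sample zone this reports `promo.example.com` (the hosted marketing site) and `vpn.example.com`, which are the names to hand to the scanning step.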

Mature organizations wrap a manageable process around the technology controls, including change management that tracks the procurement and connection of all new systems and changes to existing systems, and testing them before they’re put into production. But don’t let perfect be the enemy of good: start where you can and chip away at the process. You can never move on from the basics, but you can reduce your effort as that part of your security program matures and becomes a routine that can be offloaded to junior staff—with supervision, of course.

The reality is that we’ll never be able to prevent a well-funded and persistent adversary from compromising our defenses. The best we can do is put up large speed bumps to make it exceedingly difficult for the enemy to achieve their goals and to detect their efforts as soon as possible—ultimately before they steal or destroy data. Sometimes the saying, “You don’t have to swim faster than the shark, you only have to swim faster than your dive buddy” holds true and the attacker will move on if you screw up their economics, but even if they are firmly fixated on you as the target, there’s no reason to give up and lay out a red carpet and a warm plate of cheese by not taking care of the basics.
