If you are reading this, you are probably concerned about your information security and most likely aware of the KRACK exploit that was recently disclosed.
The KRACK vulnerability affects any device that connects to a Wi-Fi access point that uses the Wi-Fi Protected Access 2 (WPA2) standard for security. WPA2 has been used on all certified Wi-Fi hardware since 2006 and is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i technology standard for data encryption.
In other words, pretty much any Wi-Fi-enabled device you can imagine is vulnerable to this attack. Upon successfully exploiting KRACK, an attacker is positioned as a man-in-the-middle between the client and the access point, meaning he or she can decipher encrypted data sent over a secure channel via your Wi-Fi.
Patching the KRACK Vulnerability
The management and remediation of the KRACK vulnerability can be broken down into a simple two-step process: Assess the vulnerability exposure and then apply patches when the respective vendors release them. It sounds simple, but patching endpoints can be a tedious process for large organizations, especially if they operate Internet of Things (IoT) or embedded devices that rely on Wi-Fi. Many organizations even lack a comprehensive inventory of such devices.
Although KRACK has received a lot of attention recently, it isn't an entirely new method of breaking the WPA2 four-way handshake. Just as commodity solutions evolve iteratively, so do exploit kits and cybercriminal methodologies. KRACK merely shows how this type of exploit can be simplified and automated.
Unfortunately, there is no silver bullet. Since vulnerable devices can remain on the network for long periods, it is important to actively monitor for potential attacks while patching and remediation are under way. Monitoring needs to happen at different layers, be it network activity, endpoint behavior or vulnerability assessments. These efforts, which are traditionally driven by different silos within an organization, need to come together to effectively manage the threat. The effectiveness of any threat response activity comes down to the communication and information sharing between the teams working on the issue. It would be even better if the correlation of this information could be automated.
Become a Security Superhero With Security Intelligence
That’s where a security intelligence platform comes in handy. Such a tool can consolidate data from all segments of your enterprise infrastructure to effectively monitor and respond to threats.
First and foremost, it allows you to bring all your vulnerability assessment data into one solution, irrespective of the vendor used to scan for this information. Organizations typically use multiple tools to gather this data as a best practice, but they run the risk of developing a fragmented program. It is important to bring this data together, normalize it and see it through a single pane of glass.
Vulnerability data alone may leave a security intelligence solution reporting an overwhelming number of vulnerable assets. That's why it's also crucial to monitor logs from network devices. Your wireless local area network (LAN) controllers might detect rogue access points and log them, but those log entries can easily go unnoticed. These controllers can feed the data back into the security intelligence platform, enabling the security team to detect and disrupt a KRACK attack in real time, since the creation of rogue access points is a key step in the attack.
As mentioned above, the KRACK attack exploits the four-way handshake of WPA2. Security teams can monitor this communication on the fly and detect a KRACK attack in progress by using a real-time network traffic analysis tool to identify behavioral anomalies. A simple rule could capture the four-way handshake, flag an interruption in its third phase, which is indicative of KRACK activity, and alert the analysts. If the target asset is known to be vulnerable and there are alerts on potential rogue access points on the network, the security team has almost a 100 percent chance to accurately identify and remediate the threat.
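The kind of handshake rule described above, written out as an added example (not code from the original post or from any IBM product): it consumes EAPOL-Key handshake events as a wireless sensor might export them and flags a client/AP pair when message 3 of the four-way handshake shows up again after the client has already answered with message 4. The event format, the MAC addresses and the sensor feed are all constructed assumptions; a lost message 4 also produces a legitimate retransmission, so the `threshold` parameter exists to tune noise against the rogue-access-point alerts mentioned earlier.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EapolKeyEvent:
    """One EAPOL-Key frame as a hypothetical sensor would summarise it."""
    ts: float            # capture time, seconds
    bssid: str           # access point MAC
    client: str          # station MAC
    msg: int             # handshake message number, 1..4
    replay_counter: int  # EAPOL-Key replay counter carried by the frame


def detect_late_msg3(events, threshold=1):
    """Return one alert per (bssid, client) pair where message 3 was seen
    at least `threshold` times AFTER the client had already sent message 4.
    A new message 1 starts a fresh handshake and resets the pair's state."""
    state = defaultdict(lambda: {"msg4_seen": False, "late3": []})
    for ev in sorted(events, key=lambda e: e.ts):
        st = state[(ev.bssid, ev.client)]
        if ev.msg == 1:
            st["msg4_seen"], st["late3"] = False, []
        elif ev.msg == 3 and st["msg4_seen"]:
            # The client has installed its key; a further message 3 would
            # make a vulnerable client reinstall it. Record it.
            st["late3"].append(ev.replay_counter)
        elif ev.msg == 4:
            st["msg4_seen"] = True
    return [
        {"bssid": b, "client": c, "late_msg3_count": len(st["late3"]),
         "replay_counters": st["late3"]}
        for (b, c), st in state.items() if len(st["late3"]) >= threshold
    ]


# Constructed sample: one clean handshake for client 02:..:01 and one
# handshake for client 02:..:02 where message 3 arrives twice after message 4.
AP = "00:11:22:33:44:55"
SAMPLE_EVENTS = [
    EapolKeyEvent(1.0, AP, "02:00:00:00:00:01", 1, 1),
    EapolKeyEvent(1.1, AP, "02:00:00:00:00:01", 2, 1),
    EapolKeyEvent(1.2, AP, "02:00:00:00:00:01", 3, 2),
    EapolKeyEvent(1.3, AP, "02:00:00:00:00:01", 4, 2),
    EapolKeyEvent(2.0, AP, "02:00:00:00:00:02", 1, 7),
    EapolKeyEvent(2.1, AP, "02:00:00:00:00:02", 2, 7),
    EapolKeyEvent(2.2, AP, "02:00:00:00:00:02", 3, 8),
    EapolKeyEvent(2.3, AP, "02:00:00:00:00:02", 4, 8),
    EapolKeyEvent(3.3, AP, "02:00:00:00:00:02", 3, 9),
    EapolKeyEvent(4.3, AP, "02:00:00:00:00:02", 3, 10),
]


def run_sample(threshold=2):
    return detect_late_msg3(SAMPLE_EVENTS, threshold=threshold)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```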
A Silver Bullet? Not Quite
The ability to leverage the insights you gain through one operation across your threat intelligence landscape is extremely powerful — even more so if you can automate it. However, you must have some idea of what you are looking for. Security analysts need help staying on top of the mountains of threat data that don’t necessarily make it to the front page of your favorite research blog. A cognitive security solution can help security teams make sense of the data they are analyzing. A simple query for an alert on rogue access point creation can help analysts nip a KRACK attack in the bud.
That sounds an awful lot like a silver bullet. It isn’t, but it is the closest thing you can buy to facilitate a solid security practice and help the Clark Kents of your team transform into security superheroes.
World Wide Offering Manager, IBM