Light Dark
November 9, 2017 By Vinaykumar Sukumar 3 min read
Network
Intelligence & Analytics
Data Protection
Endpoint

If you are reading this, you are probably concerned about your information security and most likely aware of the KRACK exploit that was recently disclosed.

The KRACK vulnerability affects any device that connects to a Wi-Fi access point that uses the Wi-Fi Protected Access 2 (WPA2) standard for security. WPA2 has been used on all certified Wi-Fi hardware since 2006 and is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i technology standard for data encryption.

In other words, pretty much any Wi-Fi-enabled device you can imagine is vulnerable to this attack. Upon successfully exploiting KRACK, an attacker is positioned as a man-in-the-middle between the client and the access point, meaning he or she can decipher encrypted data sent over a secure channel via your Wi-Fi.

Patching the KRACK Vulnerability

The management and remediation of the KRACK vulnerability can be broken down into a simple two-step process: Assess the vulnerability exposure and then apply patches when the respective vendors release them. It sounds simple, but patching endpoints can be a tedious process for large organizations, especially if they operate Internet of Things (IoT) or embedded devices that rely on Wi-Fi. Many organizations even lack a comprehensive inventory of such devices.

Although KRACK has got a lot of attention recently, it isn’t an entirely new method to break the WPA2 four-way handshake. Just as commodity solutions evolve iteratively, so do exploit kits and cybercriminal methodologies. KRACK merely shows how this type of exploit can be simplified and automated.

Unfortunately, there is no silver bullet. Since the vulnerable devices can survive for longer periods of time in the network, it is important to implement active monitoring of potential attacks during patching and remediation processes. Monitoring needs to happen at different layers, be it network activity, endpoint behavior or vulnerability assessments. These efforts, which are traditionally driven by different silos within an organization, need to come together to effectively manage the threat. The effectiveness of any threat response activity comes down to the communication and information sharing between the teams working on the issue. It would be even better if the correlation of this information could be automated.

Become a Security Superhero With Security Intelligence

That’s where a security intelligence platform comes in handy. Such a tool can consolidate data from all segments of your enterprise infrastructure to effectively monitor and respond to threats.

First and foremost, it allows you to bring all your vulnerability assessment data into one solution, irrespective of the vendor used to scan for this information. Organizations typically use multiple tools to gather this data as a best practice, but they run the risk of developing a fragmented program. It is important to bring this data together, normalize it and see it through a single pane of glass.

A security intelligence solution might produce an overwhelming number of vulnerable assets. That’s why it’s crucial to monitor logs from network devices. Your wireless local area network (LAN) controllers might detect rogue access points and log them, but they can easily go unnoticed. These controllers can feed the data back into the security intelligence platform, enabling the security team to detect and disrupt a KRACK attack in real time, since the creation of rogue access points is a key step in the attack.

As mentioned above, the KRACK attack exploits the four-way handshake of WPA2. Security teams can monitor for this communication on the fly and detect a KRACK attack in progress by using a real-time network traffic analysis tool to identify behavioral anomalies. A simple rule could capture the four-way handshake and interruption in the third phase, which is indicative of KRACK activity, and alert the analysts. If the target asset is known to be vulnerable and there are alerts on potential rogue access points on the network, the security team has almost a 100 percent chance to accurately identify and remediate the threat.

A Silver Bullet? Not Quite

The ability to leverage the insights you gain through one operation across your threat intelligence landscape is extremely powerful — even more so if you can automate it. However, you must have some idea of what you are looking for. Security analysts need help staying on top of the mountains of threat data that don’t necessarily make it to the front page of your favorite research blog. A cognitive security solution can help security teams make sense of the data they are analyzing. A simple query for an alert on rogue access point creation can help analysts nip a KRACK attack in the bud.

That sounds an awful lot like a silver bullet. It isn’t, but it is the closest thing you can buy to facilitate a solid security practice and help the Clark Kents of your team transform into security superheroes.

Learn more about IBM QRadar Advisor with Watson and start a free trial

 |  |  |  |  |  |  |  |  |  |  | 
Vinaykumar Sukumar
World Wide Offering Manager, IBM

More from Network
August 7, 2023

Databases beware: Abusing Microsoft SQL Server with SQLRecon

20 min read - Over the course of my career, I’ve had the privileged opportunity to peek behind the veil of some of the largest organizations in the world. In my experience, most industry verticals rely on enterprise Windows networks. In fact, I can count on one hand the number of times I have seen a decentralized zero-trust network, enterprise Linux, macOS network, or Active Directory alternative (FreeIPA). As I navigate my way through these large and often complex enterprise networks, it is common…

June 23, 2023

Easy configuration fixes can protect your server from attack

4 min read - In March 2023, data on more than 56,000 people — including Social Security numbers and other personal information — was stolen in the D.C. Health Benefit Exchange Authority breach. The online health insurance marketplace hack exposed the personal details of Congress members, their families, staff and tens of thousands of other Washington-area residents. It appears the D.C. breach was due to “human error”, according to a recent report. Apparently, a computer server was misconfigured to allow access to data without proper…

April 5, 2023

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature