This article is the second installment in a four-part series that examines how the X-Force IRIS framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to read part 1 for the full scoop.
Attackers are continually researching companies that are vulnerable to attack and refining their attack plan. However, there are opportunities to undermine a threat actor’s attack preparation and ability to compromise your organization successfully.
IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to better understand, track and defend against patterns of malicious behavior used by various adversarial actors.
The IBM X-Force IRIS cyberattack preparation framework focuses on implementing security procedures applicable to an organization’s internet-facing environment. Increasing network infrastructure security to guard against the attacker’s external reconnaissance and launch attack phases can help reduce the risk of a successful system compromise.
IRIS Cyberattack Preparation Framework — Schematic View
External Reconnaissance: How Attackers Gain Visibility Into Internal Networks
During the external reconnaissance phase of the framework, the attacker will research the target organization and look for exploitable access points, such as unsecured vulnerabilities, unpatched applications and open ports.
Attackers may search forums for usernames and passwords that could give them remote access to the organization’s internal network. They may also reach out to employees to try to convince them to provide their network access credentials or other information the attacker could use.
Finally, attackers seek opportunities to access organizations indirectly. For example, attackers may compromise companies that have third-party access to an organization’s network. This type of attack is known as a supply chain attack. Several publicly known data breaches involved an attacker exploiting an entry point through a third party with weaker security controls than the target company.
Stop Attackers in Their Tracks
On the defender’s side, there are opportunities to increase visibility on the organization’s internet-facing networks to help analysts find the anomalous or malicious activity that may indicate that an attacker is conducting external reconnaissance. The key to risk reduction during the attacker’s external reconnaissance is understanding the organization’s networks and hardening the attack surface.
First, security teams should examine the organization’s online exposure and opportunities customers have to interact with it via the internet — since a malicious actor can misuse these.
Defenders can gain visibility into an attacker’s actions during the external reconnaissance phase by closely monitoring for unusual browsing of the organization’s external-facing websites. Additionally, an organization can hunt for signs that employee authentication credentials are posted on darknet forums.
Monitoring for unusual activity on public domains can include:
- Identify the top users on company domains: Identify the most active users on an organization’s customer-facing web pages, and determine whether there are any abnormalities in their account use. Traffic from geographic regions that the company doesn’t operate in or an unusual amount of traffic coming from one internet service provider (ISP) may warrant further investigation. Often, unusual traffic can be more easily spotted after a baseline is established for what is normal.
- Be cognizant of unusual browsing of web page directories: An attacker may map the organization’s website directories and subdirectories in search of common structures that can be exploited. For example, an attacker may try to use a directory traversal attack to attempt to gain access to restricted directories. To map directories, the attacker will follow the site’s directory tree starting at the parent directory and then drill down to all subfolders and files. When monitoring network traffic, directory mapping appears unusual when compared to how a typical user would browse a webpage. For example, user activity tends to involve less systemic page accesses with highly varying amounts of time spent on any given page.
- Limit opportunities for attackers to take advantage of input validation vulnerabilities: Attackers may test input fields and search queries to determine whether there are opportunities to inject malicious code into the website. One example of an input validation vulnerability is an SQL injection attack, where malicious SQL statements are inserted into query fields for execution, potentially resulting in database information exposure or execution of malicious code on the server. Attackers may also try this path to obtain user credential sets from the underlying database.
- Monitor for abnormal user-agent strings: Attackers can also look for vulnerabilities in the web server by sending code in the user-agent string. The user-agent string is a field in the HTTP header that indicates the platform, operating system and software being used to access the web page. When a web browser requests a page from a web server, it sends the user-agent string. Defenders can whitelist typical user-agent strings and create automatic alerts to highlight any abnormal or rare user-agent strings. Finally, because this is a user-controlled input, hackers can attempt to insert malicious code into the string with the hope it will execute on the receiving system.
Although monitoring for unusual browsing may not provide conclusive evidence of a pending attack, it’s part of the overall risk picture and can provide an avenue for further research and monitoring.
Remove Excess Privileges
Attackers may search for vulnerable access points into a network using a port scanner or an exploit kit. For defenders, the best practice is to follow the principle of least privilege, meaning that a user or system should only receive the access privileges that correspond with their role. Although cyberdefense strategies most commonly reference this concept when establishing user access controls, it also applies to systems, applications and processes. Removing excess privileges can reduce the attack surface and make it more difficult for the attacker to enter and move around the network.
First, security teams should map the organization’s network and identify ports that are accessible from the internet. These open ports act as doors to confidential data on the network and threat actors can exploit ports left unlocked to gain unauthorized entry. Mapping the network properly (and periodically) can help identify risky ports to close or monitor.
When applying the concept of least privilege to servers, only allow each server to perform the roles for which it’s authorized. Ideally, for example, a domain controller should only allow traffic and protocols required for domain administration and should not directly access the internet.
By contrast, a web server should only interact with the internet in the specific way that was intended by the business and network administrators. In reality, when servers are set up with default settings, more ports are open than are required for that server’s vocation, which can result in unmonitored security gaps.
The Launch Attack Phase: Hardening the Attack Surface
Once the attacker has completed the phases of the IBM X-Force IRIS cyberattack preparation framework, he or she may choose to launch an attack against the target. However, if an attacker failed to complete some of the prepare attack phases, he or she may choose to postpone an attack until more information is garnered or move on to another, more vulnerable target.
Therefore, one of the defender’s goals is to harden the attack surface and deter most attackers from viewing the organization as an easy target.
An attacker could use stolen credentials with remote access to directly infiltrate a network, or the attacker could also choose to exploit a server. Attacks to infiltrate an internal server can take many shapes and can be as diverse as domain name system (DNS) poisoning or the use of a self-propagating worm delivered from an external network.
Closing the Gaps by Patching
Efficient and timely patch management can help reduce the risk of a successful compromise. Although patching is a basic security practice, an alarming number of companies have suffered breaches due to unpatched vulnerabilities.
According to a Ponemon Institute study of 3,000 companies, 48 percent of respondents admitted they had suffered a data breach within the past two years — and of those respondents, 57 percent of the breaches were due to an unpatched vulnerability. A 2016 study by software company Symantec found that over 75 percent of legitimate websites have unpatched vulnerabilities.
Despite this, many organizations struggle to build an efficient recurring process due to operational complexities, outdated systems and business priorities. One reason systems may go unpatched is a concern — whether perceived or legitimate — that it may result in performance tradeoffs or disruption to operations during patch testing and implementation.
To make the right decisions for the business, security teams need to be aware of business trade-offs and weigh them against the risks of continuing to operate with an unpatched system.
One way to encourage patch management is to include security and patch management performance metrics as part of the system administration processes for service, application and system owners. This strategy will incentivize operations teams to include patch management in their operations — whereas most teams are only incentivized to ensure that there is no disruption to operations.
Also, developing clear procedures to test patch implementation can help to assuage concerns that the patch will break critical business processes. Creating and using a virtual environment is one option to test patches before deploying them in the live environment. Alternatively, segmenting the network and patching in batches can limit the potential negative consequences.
The second reason that patch management often fails is that it’s a manual process where teams have difficulty prioritizing and implementing the most important patches. Ensuring that IT teams have an up-to-date inventory of every asset and automated checks for patches can help identify when and what needs to be patched.
Also, building a centralized platform that automates certain processes will create a more organized and efficient patch-management program that can result in fewer security vulnerabilities.
Attackers Come Prepared: Take Defensive Actions to Mitigate the Risk of a Cyberattack
Although there is no way to guarantee that an organization’s network will not be compromised, implementing cost-effective security recommendations can help minimize the attack surface and reduce the risk of an attack occurring.
The next installments in this series will analyze the X-Force cyberattack execution framework, which models the activities an attacker takes after compromising the network. We will provide recommendations to help defenders increase their visibility of attackers lurking in their networks and best practices to decrease the likelihood of attackers being able to accomplish their mission.
You can also learn more by reading the X-Force IRIS cyberattack preparation and execution frameworks whitepaper or listening to the recent SecurityIntelligence podcast episode, “Fight Back with the X-Force IRIS Cyberattack Preparation and Execution Frameworks.”