Spam Prevention, Anti-Virus, Intrusion Prevention – these are just a few solutions you may already be using as part of your cyber security strategy. Whilst these are all effective in their own right, have you ever taken the time to look at your entire Cyber-attack chain, your end-to-end defences, and wondered what would happen if they were bypassed?
Analysing vulnerabilities within your entire Cyber-attack chain (also known as the cyber-kill chain) can help put strategies, or technologies in place to “kill” or contain attacks at various stages to better protect your systems, data and employees.
Our SOC and red teaming experts often come across organisations who rely on one or two solutions and assume this makes them safe. Unfortunately, this is not the case, and hasn’t been for a while. To expand this point, I’m going to explain why Defence in Depth is a better strategy.
What is Defence in Depth?
Defence in Depth is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information.
A medieval defence system is a good analogy. For example, castles were designed to be hard to attack with large moats, vast walls, numerous look out points and a series of complex passages.
The same concept can be used to plan your own cyber security strategy. In other words, by using a layering tactic, this offers a more comprehensive approach to information and electronic security.
Don’t overlook physical security
You may have considered different cyber security technical solutions, but what about buildings, or the place where your data resides? For example, your data could be in a shared facility where anyone could break in, or even, in some cases, walk in. Yes, really – you would be surprised at what can happen! By focusing on the bigger picture, while also analysing your cyber-attack chain, you can adopt multi-layered security to protect your organisation.
Here at CANCOM, our SOC team are continuously researching new ways to help customers improve their security.
For example, from our active research we recently found 29 subdomains that were vulnerable to be taken over. These were in various industries from sports, investment, car manufacturing to name but a few. In the event of an attack by a malicious adversary, this could lead to the theft of data from either customers or employees. To resolve this, we would either suggest returning the unclaimed endpoint to the user, or, if the subdomain is not in use, we recommend removing it and setting up a policy to actively check listed subdomains.
We found a number of further misconfigurations in web applications, for example we saw a ticketing system used by a large IT firm had misconfigured their email template which could have allowed for all emails, both new and those already received, to deliver malware. We identified over 100,000 emails with this vulnerability present and, these, in turn, had been sent to over 1000 users.
Like many, we have seen an increase in phishing campaigns that target end users, but we have also seen an increase in attacks on RDP (Remote Desktop Protocol) scans. These were mainly attacking environments that didn’t have a good security culture and so provided an easy route in.
Vulnerability Use Case
We recently analysed an environment that already had many of the recommended cyber security defences in place. For example, an anti-phishing/anti-spam filtering solution, Intrusion Prevention Solutions, Endpoint Monitoring and Antivirus.
However, by embedding another link within an article, linked to from an email, this lured the recipient into clicking a bad link, and bypassed the normal scanning tools. This illustrates that even with anti-phishing in place, defences can still be breached.
So, what could have been done to prevent this? Firstly, you might be asking why the IPS solution didn’t prevent this in the first place. Normally, it would; however, these days, we are mostly at home, so the average home router does not have this functionality and people are not always connected to a VPN.
To analyse what went wrong, and to prevent further attacks, we firstly checked the Cyber-attack Chain, or the Mitre Att&ck framework. This is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This helped us to understand how an attacker had bypassed the previous measures.
When we dug deeper, we saw there had been a successful Defence Evasion; the email solution was exploited by allowing a phishing email through. This could have easily led to Credential Access or Installation with further persistence. So, the go-to solution I would use is a DNS Filter/Content Manager, tools such as Cisco Umbrella or DNS Filter. These filters would have analysed the clicked link, and as the domain in question was less than 15 days old, blocked it, and prevented this scenario.
Analysing the different attack frameworks provided in globally accessible knowledge bases, such as Lockheed or Mitre, are vital in identifying missing solutions. Running a red team engagement can also quickly boost the identification of missing solutions. In a red teaming engagement, we can simulate a security attack to quickly identify points of vulnerability and the best solutions to remediate these.
Defence in Depth now critical
Because attackers are using many different types of techniques and are always on the offensive, it’s essential to look at all avenues to protect your organisation. I often advise our customers, they may want to approach their security with the same kind of rigour employed by Space X, the American aerospace manufacturer and space transportation services company founded by Elon Musk. To stop their rocket blowing up upon landing, they are investing in continuous and iterative improvements.
It makes sense to take a similar approach to your cyber security, continuously improving your defence to prevent data and financial loss.