Major data breaches make headlines too frequently, reinforcing the fact that even if organizations deploy top-of-the-line security products, threat agents can still find a way to infiltrate.
Attackers have four standard ways of bypassing common security solutions to “Infiltrate by Design”:
- Leveraging Design Vulnerabilities: An attacker can leverage an unexpected flow in a piece of software’s intended functionality in order to compromise the underlying system. A perfect example is Sandworm, a design vulnerability found in a component of Windows which enabled a threat actor to abuse its functionality in order to download files and execute malicious code. Many major targets were affected by the Sandworm vulnerability, including the EU, NATO, Poland, Ukraine, and the European energy sector and telecoms. Since the program’s functionality was kept intact, the attackers were able to bypass infiltration-detection solutions.
- Data-Only Attacks: This type of exploit builds on memory-corruption vulnerabilities such as Buffer-Overflow and Use-After-Free in order to perform remote code execution. The exploit itself carries no malicious payload and involves only manipulating data that already exists, which makes it extremely hard to detect. Generally speaking, the exploit alters the behavior of the application by manipulating data within the application’s own address space.
- Infecting Devices Early in the Supply Chain: In this case, threats against third-party components come in the form of pre-installed software aimed at promoting various services such as anti-theft and targeted advertising. A threat actor will infect this component when it is shipped with an operating system. The major threat is that these components are designed as persistent “extra packages,” meaning that they will stay on a device even after a system clean-up or hard drive replacement. Furthermore, due to their high level of privilege, they are able to perform virtually any function on a device, so any security measure implemented by the OS will be useless against these packages. Such a concern was raised when Superfish, an advertising component bundled by laptop manufacturers as OEM software, was found vulnerable to threat actors aiming to launch man-in-the-middle attacks.
There have also been various situations where software packages have doubled as a backdoor, such as last year’s exposure of spying programs found on computing products of major manufacturers.
- Infecting via Cloud Services: In these scenarios, a threat actor infects a common file-sharing service with malware. Organization employees will unknowingly sync with the service and will inevitably be infected. Dropbox is one company that warns against this risk, and encourages its users to take additional precautions when syncing files.
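To make the data-only attack from the list above concrete, here is an added C illustration (not code from the original post): a constructed session record keeps a name buffer directly in front of a privilege flag, and a copy bounded by the wrong size lets an oversized request overwrite that flag with attacker-chosen bytes while nothing from the request is ever executed. The struct layout, the function names and the request format are assumptions made for this demo; the hardened variant beside it bounds the copy by the field and rejects the same request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed record (assumption for the demo): an attacker-supplied
 * name, then a flag that only the program is meant to set. is_admin
 * sits right after name[] in memory. */
struct session {
    char name[NAME_LEN];
    uint32_t is_admin;            /* 0 = ordinary user, 1 = privileged */
};

/* Vulnerable: the copy is bounded by the whole record instead of the
 * field, so a request longer than name[] spills into is_admin. Nothing
 * from the request is executed; only the application's own data changes. */
int vulnerable_login(const unsigned char *req, size_t len)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (len > sizeof s)
        return -1;                /* wrong bound: record, not field */
    memcpy(&s, req, len);
    return s.is_admin != 0;       /* 1 = session granted admin rights */
}

/* Hardened: the copy is bounded by the field, so the flag stays under
 * program control and the same oversized request is rejected. */
int hardened_login(const unsigned char *req, size_t len)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (len >= sizeof s.name)
        return -1;                /* oversized name rejected outright */
    memcpy(s.name, req, len);
    s.name[len] = '\0';
    return s.is_admin != 0;
}

/* Constructed request: fills name[] exactly, then appends the bytes of
 * the flag value the request wants written; returns its length. */
size_t build_request(unsigned char *out, uint32_t flag)
{
    memset(out, 'A', NAME_LEN);
    memcpy(out + NAME_LEN, &flag, sizeof flag);
    return NAME_LEN + sizeof flag;
}
```

Feeding the request built with flag value 1 to both functions returns 1 from vulnerable_login (an admin session obtained purely by corrupting data) and -1 from hardened_login, while a short, ordinary name returns 0 from both.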
As these scenarios show, it is impossible to prevent “infiltration by design”. However, that does not mean we need to succumb to cyber-attacks. Following the analogy of a chronic illness, the goal is to control and manage a condition that cannot be cured. Once we accept that network compromise is inevitable, we can focus on managing the consequences of an infiltration.
And, as with a chronic illness, the right treatment benefits organizations that constantly face the threat of a compromised network, allowing the business to continue as usual while keeping its data secure despite the infiltration. With this approach in place, companies and organizations can focus on stopping even the most creative external threat actors from compromising proprietary systems and stealing valuable data.
About Roy Katmor
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.