On April 11th Verizon published the annual data breach investigation report. It contains a lot of useful information based on real world incidents. IMHO, it is a must read for everyone in InfoSec. Find it here.
The report has provided excellent insights into the types of threats our industry and customers should consider to ensure that application access is delivered securely.
Here is what I’ve learned from this report:
Top action in a breach – “use of stolen credentials”.
Source: Verizon DBIR 2018
Never mind the how – users’ credentials will be compromised! It’s a fact! The question is: how can I protect, detect and quickly respond to compromised user credentials?
Protect – Let’s start with the basics – protecting privileged accounts, which if compromised will do the most damage (and the compromise of which is usually one of the stepping stones in every successful breach).
Protecting these accounts is difficult. There are several products out there that specialize in just that; however, we can no longer have a stand-alone “vault” disconnected from the dynamically changing infrastructure.
Designing privileged access *MUST* keep cloud and on-premise environments, integration with DevOps processes, and infrastructure-as-code in mind!
Detect – I’m not going into details here, but a quick search will turn up products that specialize in just that ☺.
Respond – Once a compromised account has been detected, how do you disconnect and block access to the compromised account, and make sure it’s really blocked?! Blocking the account in your IdP has several issues I can think of (replication latency, token lifetimes, etc.). OK, so let’s go “network level” – Firewall? VPN? Good luck there – even if your firewall has identity awareness, how many rules do you need to change? In how many locations? Not sure this is a route you wanna go…
- When evaluating privileged access solutions, take a cloud-first approach and think about DevOps, APIs and integrations.
- Evaluate your response capabilities when a compromised account has been detected, namely how fast, and how sure can you be that the compromised account has been blocked from all network and application access.
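To make the token-lifetime problem from the Respond section concrete, here is an added Python example (mine, not code from the post or the report). It uses a toy HMAC-signed bearer token with a constructed signing key: a purely stateless check keeps accepting a disabled account’s token until it expires, while an application-level gateway that also consults a live account-status feed blocks it immediately.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for a toy HMAC-signed bearer token (illustrative only;
# not any real IdP's token format and not a production key).
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, lifetime_s: int, now: float) -> str:
    """Issue a self-contained token valid until now + lifetime_s (no server state)."""
    payload = json.dumps({"sub": user, "exp": int(now + lifetime_s)}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def _verify(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return claims if claims.get("exp", 0) > now else None


def validate_stateless(token: str, now: float) -> bool:
    """What a pure token check sees: signature and expiry only. Disabling the
    account in the IdP changes nothing here until the token expires."""
    return _verify(token, now) is not None


def validate_at_gateway(token: str, now: float, disabled_accounts: set) -> bool:
    """Application-level gate: the token must verify AND the account must still be
    enabled according to a live status feed, so a block takes effect immediately."""
    claims = _verify(token, now)
    return claims is not None and claims["sub"] not in disabled_accounts
```

The `disabled_accounts` set stands in for whatever live source of truth the gateway queries; replication latency on that feed is exactly the window the Respond section warns about.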
Ransomware is significantly affecting servers –
Ransomware is the most prevalent type of malicious software (over 40% of all malicious software investigated was ransomware), and over 25% of the assets impacted in ransomware incidents were servers.
Source: Verizon DBIR 2018
This makes perfect sense! Ransomware is malware, and shares many of the same techniques, such as lateral movement, credential stealing and others.
Ransomware uses compromised credentials combined with remote execution techniques (think PsExec, wmic process creation, etc.), network-level vulnerabilities and other worm capabilities.
For example, WannaCry used both methods, MS17-010 AND compromised credentials, to move laterally across the network.
Ransomware moving laterally doesn’t distinguish between a client and a server OS. Similar to Murphy’s law, “If something can go wrong, it will”, the rule for ransomware is “If a system can be accessed, it will be”. So if the system is vulnerable, or can be accessed using the compromised credentials, game over!
Now that we’ve established that – let’s ask the question of how can we minimize the impact of these types of attacks?
Is network segmentation the answer? Kind of – if you could remove your crown jewels from the network, that would be great. Managing network segmentation projects is complex and tough, and not something you can implement quickly in a legacy datacenter full of RPC, dynamic ports and unmapped dependencies. Having said that, we can at least try to do things right in our new datacenters, which are usually cloud-based.
That’s where the new software-defined-perimeter solutions could help. Think about a network where access is granted only at the application level, allowing only authenticated users to consume content from your servers, without exposing them to network level attacks.
This type of solution can completely isolate your servers from both the internet and the end-user network, where all types of “bad-wares” come from.
Consider software-defined-perimeter solutions to reduce the network attack surface of your applications and separate them from the end-user network, which is usually patient zero of the ransomware infection.
Hope you found this useful.
Feel free to ping me at email@example.com to chat on my new hobby – software-defined-perimeters.