A lot has been written already about the “Aurora” attacks on major US companies. Speculation about and investigations into the origin of the attack and the code used has kept many researchers busy since January.
iSEC Partners is no exception – they have been looking into the vulnerabilities that enabled these attacks to happen. As in many cases, the weak link has proved to be the human factor.
All the attacks started with the victim falling prey to a social engineering ploy and visiting a malicious website. The browser used had a vulnerability that allowed malware to be loaded onto the victim's computer, from which it then contacted a control server.
The attacker then escalated his privileges on the corporate Windows network and tried to access an Active Directory server to obtain the password database. Using cracked credentials, the attacker gained VPN access, and from that point on the goal of the attack depended on the compromised system. Intellectual property or credentials, personal data or source code – everything was accessible once the attacker was “inside”.
Companies have been dealing with the breach in their own different ways – Google has even asked the NSA for help. But what about those companies that haven’t been hit by these attacks? What can they do to prevent that from happening?
Here are a few short-term recommendations, as given by iSEC:
1. Log and inspect DNS traffic
2. Establish internal network surveillance capability
3. Control inbound and outbound network traffic
4. Expand log aggregation
5. Expand Windows endpoint control
6. Audit VPN access and enrollment
7. Test malware scanning against known rootkits
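As an added illustration of the first two items (logging and inspecting DNS traffic, and building an internal surveillance capability), here is a small Python script that is not part of the iSEC report or of this article. It reads a DNS query log and flags two patterns worth triaging when hunting for malware that calls home to a control server: a domain that only one client on the network has ever resolved, and a client resolving the same domain at a near-constant interval. The log format, the sample lines, the `registered_domain` approximation and the thresholds are all constructed assumptions for the example.

```python
"""Added example, not code from the iSEC report or this article: a small
inspector for DNS query logs that looks for two patterns a security team
might want to triage when hunting for malware calling its control server.

  1. rare domains: a second-level domain that only one client on the
     network has ever resolved (nobody else talks to it)
  2. beaconing: one client resolving the same domain at a near-constant
     interval (many call-home implants poll on a fixed timer)

The log format (epoch seconds, client IP, queried name) and the sample
lines below are constructed for this example; real resolver logs differ.
"""
from collections import defaultdict
from statistics import pstdev

# Constructed sample log: one client (10.0.0.7) resolves a domain no one
# else uses, every ~300 seconds; the rest is ordinary traffic.
SAMPLE_LOG = """\
1263859200 10.0.0.5 www.example.com
1263859205 10.0.0.6 www.example.com
1263859210 10.0.0.7 www.example.com
1263859215 10.0.0.5 mail.example.com
1263859220 10.0.0.6 mail.example.com
1263859300 10.0.0.7 cdn.update-check.example.org
1263859601 10.0.0.7 cdn.update-check.example.org
1263859900 10.0.0.7 cdn.update-check.example.org
1263860200 10.0.0.7 cdn.update-check.example.org
1263860502 10.0.0.7 cdn.update-check.example.org
1263860800 10.0.0.7 cdn.update-check.example.org
1263860900 10.0.0.9 files.example.net
"""


def parse_dns_log(text):
    """Return a list of (timestamp, client, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2].rstrip(".").lower()))
    return records


def registered_domain(qname):
    """Naive 'last two labels' approximation; a real tool would use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def rare_domains(records, max_clients=1):
    """Domains resolved by at most `max_clients` distinct clients -> {domain: sorted clients}."""
    clients_by_domain = defaultdict(set)
    for _, client, qname in records:
        clients_by_domain[registered_domain(qname)].add(client)
    return {d: sorted(c) for d, c in clients_by_domain.items() if len(c) <= max_clients}


def beacons(records, min_queries=5, max_cv=0.1):
    """(client, domain) pairs queried at a steady interval.

    A timing series counts as 'steady' when the coefficient of variation
    (stdev / mean of the gaps between queries) is below `max_cv`.
    Returns a sorted list of (client, domain, mean_gap_seconds, query_count).
    """
    times = defaultdict(list)
    for ts, client, qname in records:
        times[(client, registered_domain(qname))].append(ts)
    found = []
    for (client, domain), stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > 0 and pstdev(gaps) / mean_gap < max_cv:
            found.append((client, domain, round(mean_gap, 1), len(stamps)))
    return sorted(found)


def inspect_log(text):
    """Run both checks over a log and return their findings."""
    records = parse_dns_log(text)
    return {"rare": rare_domains(records), "beacons": beacons(records)}


if __name__ == "__main__":
    report = inspect_log(SAMPLE_LOG)
    for domain, clients in report["rare"].items():
        print(f"rare domain {domain}: only queried by {', '.join(clients)}")
    for client, domain, gap, n in report["beacons"]:
        print(f"possible beacon: {client} -> {domain} every ~{gap}s ({n} queries)")
```

Both checks produce leads rather than verdicts: a rare domain may simply be one employee's personal mail provider, and a steady interval may be a legitimate update check, so the output is meant to feed an analyst queue, which is what the "internal surveillance capability" item is about. Thresholds such as `max_clients` and `max_cv` would need tuning against a network's own baseline.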
As regards long-term goals, companies should:
1. Build a security operations team
2. Secure their overseas offices
3. Classify and catalog sensitive data
4. Secure their Active Directory network (smartcard logins, steering clear of shared local accounts, using read-only domain controllers in overseas offices, and more).
The main lesson to be learned from these attacks is that times have changed. Anti-virus solutions and patching are no longer enough, and attackers will enter your system through back doors. Thinking that your company is not big enough to attract attention is wrong – it’s the medium and small companies that usually don’t have the funds to build an extensive security perimeter. In short, many best practices are becoming obsolete.
But, according to The Register, sometimes even all these things won’t be enough. “Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies. The malware for each of these companies has been customized based on the versions of vulnerable software they’re running, as well as what kind of anti-virus they’re using,” said Alex Stamos, one of the iSEC founders and the compiler of the report. “These guys really understand how to take control of one laptop and turn it into domain admin access.”
To see the above-mentioned recommendations explained in depth, download the iSEC report.