Four ways an attacker can infiltrate an organization by diverting security solutions
Employing one of the many security solutions on the market today does not mean your organization is immune to infiltration, as the constant string of hacks making headlines makes clear. Recognize that even the best products cannot offer 100% protection against malicious threat actors who want to gain access to and penetrate your systems.
Additionally, there are hundreds of security products on the market that bombard IT workers with thousands of alerts per week, most of which indicate something, though not necessarily something bad. This flood actually lets real threats slip past security professionals by turning triage into a nearly impossible search for a needle in a haystack.
However, the problem goes beyond those issues. Even if we theoretically had the perfect security product that blocks direct infiltration into the company, threat actors who want to get in will find a way. Call it infiltration by design.
Here are four ways that an attacker can infiltrate the organization by diverting the most common security solutions:
1. Infecting a device early in the supply chain. In this scenario, a threat actor infects a third-party component shipped with the operating system. These third-party components are usually pre-installed software products shipped by an OEM to promote certain services and products, such as anti-theft capabilities and targeted advertising. The problem is that most of these "extra packages" are persistent, designed to remain on the system even after a professional system cleanup or a total disk drive replacement. The risk? These software packages receive the highest level of system privileges, enabling them to perform any activity. Essentially, these packages render any security measure implemented by the OS vendor useless. In fact, some of these packages are known to double as backdoors. Recently, a mass spyware campaign was exposed, revealing that for the past two decades numerous common firmware packages were actually spyware tools. Earlier this year, Superfish, an adware program preloaded on certain laptops, was found to be vulnerable, enabling threat actors to launch Man-in-the-Middle attacks against the victim.
2. Infecting a cloud service used by the organization. In this scenario, the threat actor infects a common file sharing service with malware. Since the organization's employees later sync with that service, the employees' devices are now all infected. In fact, Dropbox warns precisely against this threat, encouraging users to consider additional security measures when syncing files.
3. Leveraging design vulnerabilities. Sophisticated attackers will find and exploit design flaws that were unanticipated by the OS and application authors, as well as by those who create solutions attempting to prevent the infiltration of malicious code. For example, take Sandworm, a vulnerability rooted in a design flaw in a Windows component. Essentially, Sandworm can lead to remote code execution. Last year Sandworm was used in a cyber-espionage campaign attributed to Russia, whose targets included NATO, Ukraine, Poland, the EU, European telcos and the energy sector. The attackers were able to bypass defenses easily until the exploits and vulnerabilities were discovered and signatures or new work-around detection techniques were developed and bolted on to infiltration-oriented solutions.
4. Data-only attacks. In this scenario, an exploit based on a common memory corruption vulnerability such as a buffer overflow or use-after-free enables arbitrary remote code execution. What makes this scenario so unique, and hence extremely difficult for infiltration tools to detect, is the fact that the exploitation is done by manipulating existing data only. In other words, the attack introduces no payload, but changes the application's behaviour by manipulating only data within the application's address space. Such an attack was presented at Black Hat Europe by Francisco Falcon in "Exploiting Adobe Flash Player in the era of Control Flow Guard".
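As an added illustration of why a data-only attack leaves nothing for payload-centric defenses to see, here is a toy C program that is not from the original post or from Falcon's talk: the vulnerable copy lets ordinary input bytes overwrite the adjacent authorization flag, while the hardened version bounds the copy to the field itself. The record layout, the union and the function names are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy record: a username followed by an authorization flag. A
 * data-only attack injects no code; it only overwrites data the program trusts. */
#define NAME_LEN 16
struct session {
    char name[NAME_LEN];
    int  is_admin;      /* 0 = ordinary user, non-zero = administrator */
};
/* Union: write the record as raw bytes without leaving the object (well defined). */
union record {
    struct session s;
    unsigned char  raw[sizeof(struct session)];
};

/* Vulnerable: the length is checked against the whole record, not the name
 * field, so input spills onto is_admin. The bytes landing there are plain data:
 * no shellcode, ROP chain or hijacked call for a scanner or CFG to notice. */
int login_vulnerable(const unsigned char *input, size_t len) {
    union record r;
    memset(&r, 0, sizeof r);                /* is_admin starts at 0 */
    if (len > sizeof r.raw) return -1;      /* wrong bound: the record */
    memcpy(r.raw, input, len);
    return r.s.is_admin != 0;               /* authorization decision */
}

/* Hardened: the bound is the field, not the record, so input can never reach
 * the flag. Returns -1 when the input is rejected. */
int login_hardened(const unsigned char *input, size_t len) {
    union record r;
    memset(&r, 0, sizeof r);
    if (len >= NAME_LEN) return -1;         /* keep room for the terminator */
    memcpy(r.s.name, input, len);
    r.s.name[len] = '\0';
    return r.s.is_admin != 0;
}
/* Constructed input: a 16-byte name followed by one 0x01 byte. */
int demo(int hardened) {
    unsigned char input[NAME_LEN + 1];
    memset(input, 'a', NAME_LEN);
    input[NAME_LEN] = 0x01;
    return hardened ? login_hardened(input, sizeof input)
                    : login_vulnerable(input, sizeof input);
}
int main(void) {
    printf("vulnerable: %d (admin granted)\n", demo(0));
    printf("hardened:   %d (input rejected)\n", demo(1));
    return 0;
}
```

The point for defenders is that the fix is a correct bound on the data write, not a better signature: the "exploit" consists entirely of bytes that look like a username.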
How can we address infiltration by design? The idea of catching up with malicious code at the infection point has failed. It's important to recognize that attackers must create malicious code that accomplishes its objectives, finding and exfiltrating valuable data or ransoming systems, while simultaneously remaining below the radar of the system's users and its standard defenses.
Given that a compromise of our systems is inevitable, we need to approach attacks the way we approach chronic diseases: managing the disease rather than curing it. As mentioned above, in the case of cybersecurity that means preventing the consequences of infiltration, namely the theft of valuable data. Just as the right treatment can alleviate suffering and increase longevity, organizations must learn how to work securely in the face of a persistently compromised network.