[BreachExchange] How a cybercriminal might infiltrate your corporate network

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 25 19:38:54 EDT 2016


http://www.philstar.com/business-usual/2016/04/25/1576350/how-cybercriminal-might-infiltrate-your-corporate-network

Philippines – Security is no longer an afterthought. It is a major component
of the success of a business. This means the chief information security
officer (CISO) needs a seat at the executive table to ensure that the IT
security plan aligns with the business goals and objectives.

We are all connected to the Internet, which is great; however, being
connected also means that we are all part of a very large ecosystem. It is
important to realize that anything that happens to one company will often
affect many other companies.

Direct business partners will be affected, and even the most remote company
can be affected.

For example, when a breach happens at a company, personally identifiable
information (PII) is often stolen.

That data can not only be sold for use in identity fraud, but also used to
build much more believable phishing attacks. The more information an
attacker has about you, the more convincing they can make an email look,
and the more likely you are to click it.

Many of the attack techniques used today are similar to those of a few
years ago, such as compromising weak passwords, phishing, and malware
downloads from browsing infected websites or advertising networks. However,
some mounting problems are enabling attackers to deliver their exploits
more effectively and more stealthily.

One of them is social media and online services.

Everyone today uses some form of social media such as Facebook and
LinkedIn, as well as online dating sites. Because of this, attackers are
shifting their entry points into users' devices to these sites via social
engineering, preying on human emotions. The social engineering concepts are
the same, but the attack vector, or surface, has changed. Next are the
evasion techniques used by attackers.

Attackers' ability to conceal themselves continues to advance. Because of
this, traditional signature-based antivirus alone is often not enough.

Among current hacking techniques, phishing is most likely the number one
way to gain unauthorized access to company networks. A phishing email
carries a malware attachment or a malicious link and is crafted to look
legitimate and enticing, so that the user opens the attachment or clicks
the link.
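The indicators just described (a lookalike sender domain behind a trusted display name, link text that shows one site while the href points at another, and a risky attachment) can be checked mechanically at the mail gateway. The following Python triage script is an added example, not code from the original article; the message it inspects, the brand-to-domain table and the list of risky extensions are all constructed for the example, and the registrable-domain logic is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Triage one inbound message for the phishing indicators described above."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: brand names we expect to see in a display
# name, and the domain that brand's genuine mail comes from.
KNOWN_BRANDS = {"acme bank": "acmebank.example"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".zip")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text):
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


def analyze_message(raw):
    """Return a list of (indicator, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Display name claims a brand that the sender domain does not belong to.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = base_domain(addr.rsplit("@", 1)[-1])
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display.lower() and sender_domain != legit:
            findings.append(("brand-domain-mismatch", f"{display!r} sent from {sender_domain}"))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # 2. Link text shows one site while the href goes somewhere else.
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                if URL_LIKE.match(text) and host_of(href):
                    if base_domain(host_of(href)) != base_domain(host_of(text)):
                        findings.append(("link-mismatch", f"text {text} -> href {href}"))
        elif part.get_content_disposition() == "attachment":
            # 3. Risky attachment types, including executables nested inside a zip.
            name = part.get_filename() or ""
            payload = part.get_payload(decode=True) or b""
            names = [name]
            if zipfile.is_zipfile(io.BytesIO(payload)):
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    names += [f"{name}:{inner}" for inner in zf.namelist()]
            for n in names:
                if n.lower().endswith(RISKY_EXTENSIONS):
                    findings.append(("risky-attachment", n))
    return findings


def build_sample_message():
    """Constructed sample, not from any real incident: lookalike sender domain,
    mismatched link, and a zip carrying a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf.exe", b"MZ not a real program")
    msg = EmailMessage()
    msg["From"] = '"Acme Bank Security" <alerts@acme-bank-secure.example>'
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Your account is locked. Visit https://www.acmebank.example/ to restore access.")
    msg.add_alternative(
        '<html><body><p>Your account is locked. Please visit '
        '<a href="http://login.acme-bank-secure.example/verify">https://www.acmebank.example/</a>'
        ' to restore access.</p></body></html>',
        subtype="html",
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for indicator, detail in analyze_message(build_sample_message()):
        print(f"{indicator:24} {detail}")
```

Run stand-alone it prints four findings for the constructed message: the brand/domain mismatch, the link whose visible text and target disagree, the zip itself, and the `.exe` hidden inside it. None of these indicators is conclusive on its own; the point is that the same properties that make the email "look real" to a user are checkable before it reaches the inbox.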

Another technique used by hackers is the drive-by attack. The attackers
compromise a website and inject malicious JavaScript that redirects an
unsuspecting visitor to another website hosting a malicious payload
(malware), which is then downloaded in the background to the user's device.
In a targeted attack (a watering-hole attack), the attackers will spend
months researching the websites that a company or industry frequents and
infect those websites.

The next technique is malvertising. This attack is similar to the drive-by
attack, except that the attacker focuses on infecting the advertising
networks. Infecting one ad network can in turn infect thousands of other
websites that display its ads.
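What a compromised page looks like on the wire is worth seeing. The scanner below is an added example, not code from the original article: it parses a constructed HTML page (no real site) and flags the three artifacts a drive-by or malvertising injection usually leaves behind, namely an iframe sized or styled to be invisible, an inline script that decodes or evals an encoded payload, and a script loaded from a host that is not on the site's own allowlist. The site host, the trusted script hosts and the regular expressions are assumptions for the example.

```python
"""Flag injected redirect artifacts in a fetched HTML page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the site's own hosts, from which scripts are expected.
TRUSTED_SCRIPT_HOSTS = {"www.example-news.example", "cdn.example-news.example"}
# Inline-script patterns typical of an injected loader: runtime decoding plus
# eval/document.write, or long runs of escaped bytes.
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|fromCharCode|document\.write\s*\("
    r"|(?:\\x[0-9a-f]{2}){8,}|(?:%u[0-9a-f]{4}){4,}",
    re.I,
)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src", "")
            host = urlparse(src).hostname  # None for relative (same-origin) paths
            if host and host not in TRUSTED_SCRIPT_HOSTS:
                self.findings.append(("untrusted-script-src", src))
            elif not src:
                self._in_script = True
                self._script = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            m = OBFUSCATION.search("".join(self._script))
            if m:
                self.findings.append(("obfuscated-inline-script", m.group(0)))


def scan_page(html):
    """Return a list of (code, detail) for suspicious elements in the page."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a legitimate news site with an injected hidden iframe,
# an obfuscated loader and a third-party script the site never shipped.
SAMPLE_PAGE = """<!doctype html><html><head><title>Example News</title>
<script src="https://cdn.example-news.example/app.js"></script></head><body>
<h1>Headlines</h1>
<script src="/js/ads.js"></script>
<p>Story text.</p>
<iframe src="http://203.0.113.44/kit/gate.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>var _0x=unescape("%u4141%u4141%u4141%u4141");eval(_0x);</script>
<script src="//cdn-stats.example.net/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    for code, detail in scan_page(SAMPLE_PAGE):
        print(f"{code:26} {detail}")
```

Running this periodically against your own public pages, and diffing the script sources and iframes it reports against the last known-good crawl, is a cheap way to notice that your site has become someone else's watering hole before your visitors do.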

Last but not least, the mobile attack. Many attacks against mobile devices
are similar to those listed above; they simply target the mobile device. In
addition, malware can be delivered through SMS messages or disguised as fun
applications such as games or even pornography.

Once the attackers have successfully breached a network and are sitting on
a user's device, whether a laptop, desktop or mobile device, they need to
download more malware and tools to complete their mission. Usually the data
they are looking for is not on the workstations; it is on the servers and
databases. The following are some high-level steps an attacker will take
once inside the network:

• They will download other tools and malware for further network compromise.

• They will map the network to find the servers that hold the data they are
looking for. They will also look for the Active Directory domain
controllers, which hold the password hashes for every account in the
domain. If they can dump and crack those hashes, or simply reuse them to
authenticate, they have the keys to the kingdom.

• Once they find the data, they will usually pick a staging server to copy
everything they are looking for onto. The ideal server for this is one that
is stable (always stays up) and has access out to the Internet.

• That data will slowly be sent back to the attackers' servers, which are
often hosted on a cloud provider somewhere, making it harder to block the
destination.

If the cybercriminals are inside the network for a long period of time,
they will be able to obtain any type of information that is available, and
most company data is stored electronically. The longer they are in, the
better the chance they have of learning your business processes and data
flows. An example of this is the Carbanak attack. In that attack, the
criminals tracked down administrators' computers to gain access to the
video surveillance cameras, watched how the bank tellers worked and
recorded every last detail of their process, which they then mimicked to
transfer money out through their own systems.

As I mentioned above, the usual entry point into the network is a user
clicking a malicious link. Once the user's device is compromised, the
attackers start moving about the network to find the data they are looking
for. This is where network segmentation becomes extremely important. First,
it helps reduce the impact of a breach, since the company can isolate the
breach to a specific segment without affecting the rest of the network.
Second, it allows sensitive data to be zoned into a higher-security area,
which gives the bad guys a tougher time exfiltrating it. Lastly, you cannot
protect and monitor everything within your networks; they are too large and
complex. So find the critical data, isolate it, and put more granular focus
on monitoring the avenues of approach to that data.
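The post-compromise steps listed earlier (mapping the network, staging on a stable server with Internet egress, trickling data out) and the segmentation advice above come together as concrete detections over flow records. The script below is an added example, not code from the original article. It assumes a constructed zone model and segmentation policy (the article names no addressing plan), a constructed day of flow records, and thresholds chosen for the example; it reports direct cross-zone traffic the policy forbids, a workstation fanning out to many hosts on admin ports, and an application server that the policy does allow out on 443 but which is sending megabytes to one external host every hour, which is exactly the "stable server with Internet access" the article warns about.

```python
"""Post-compromise behaviour on flow records: segmentation-policy violations,
network mapping fan-out, and low-and-slow exfiltration from a staging server."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed zone model for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "dc": ipaddress.ip_network("10.40.0.0/24"),
}
# Segmentation policy: (source zone, destination zone) -> permitted destination ports.
# Anything not listed is a violation. The app tier is allowed out on 443, which is
# precisely what makes it attractive as a staging server.
POLICY = {
    ("users", "app"): {443},
    ("users", "dc"): {53, 88, 389, 445},
    ("users", "internet"): {80, 443},
    ("app", "db"): {5432},
    ("app", "dc"): {88, 389},
    ("app", "internet"): {443},
}
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985}
FANOUT_WINDOW = timedelta(minutes=5)  # distinct admin-port targets per source per window
FANOUT_THRESHOLD = 10
EXFIL_MIN_HOURS = 6                   # distinct hours with traffic to one external host
EXFIL_MIN_BYTES = 10_000_000
EPOCH = datetime(1970, 1, 1)


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr not in INTERNAL:
        return "internet"
    return next((name for name, net in ZONES.items() if addr in net), "other")


def detect(flows):
    """flows: iterable of (datetime, src_ip, dst_ip, dst_port, bytes_out).
    Returns a list of (code, detail)."""
    findings = []
    fanout = defaultdict(set)                # (src, window index) -> distinct admin-port targets
    exfil = defaultdict(lambda: [set(), 0])  # (src, external dst) -> [hours seen, bytes]
    for ts, src, dst, port, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if port not in POLICY.get((sz, dz), set()):
            findings.append(("segmentation-violation", f"{src}->{dst}:{port} ({sz}->{dz})"))
        if port in ADMIN_PORTS and dz != "internet":
            fanout[(src, int((ts - EPOCH) / FANOUT_WINDOW))].add(dst)
        if dz == "internet":
            exfil[(src, dst)][0].add((ts.date(), ts.hour))
            exfil[(src, dst)][1] += nbytes
    for (src, _), targets in fanout.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append(("scan-fanout", f"{src} touched {len(targets)} hosts on admin ports"))
    for (src, dst), (hours, total) in exfil.items():
        if len(hours) >= EXFIL_MIN_HOURS and total >= EXFIL_MIN_BYTES:
            findings.append(("slow-exfil", f"{src}->{dst} {total} bytes over {len(hours)} hours"))
    return findings


def build_sample_flows():
    """Constructed flow records for one working day (no real traffic)."""
    t0 = datetime(2016, 4, 25, 8, 0, 0)
    flows = []
    for h in range(12):  # benign three-tier traffic plus Kerberos to the DC
        t = t0 + timedelta(hours=h)
        flows.append((t, "10.10.7.41", "10.20.0.9", 443, 120_000))
        flows.append((t, "10.20.0.9", "10.30.0.10", 5432, 80_000))
        flows.append((t, "10.10.7.41", "10.40.0.5", 88, 4_000))
    for i in range(12):  # compromised workstation sweeping the database subnet on SMB
        flows.append((t0 + timedelta(minutes=30, seconds=5 * i), "10.10.5.23", f"10.30.0.{i + 1}", 445, 1_200))
    flows.append((t0 + timedelta(minutes=31), "10.10.5.23", "10.40.0.5", 3389, 1_500))  # RDP probe at the DC
    for h in range(12):  # staging server trickling 2 MB an hour to the attackers' cloud host
        flows.append((t0 + timedelta(hours=h, minutes=17), "10.20.0.9", "198.51.100.7", 443, 2_000_000))
    flows.append((t0 + timedelta(hours=2), "10.10.7.41", "93.184.216.34", 443, 50_000))  # ordinary browsing
    return flows


if __name__ == "__main__":
    for code, detail in detect(build_sample_flows()):
        print(f"{code:24} {detail}")
```

The first two detections only work because the zones exist: without a policy that says workstations never talk to the database tier directly, the SMB sweep is just traffic. The third shows the limit of policy alone, since the staging server's egress is permitted; it is the persistence and volume toward a single external host, on the one avenue of approach the article says to watch, that gives it away.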