[BreachExchange] Human Predictability Make Attacks Easy For Threat Actors

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 6 18:52:40 EST 2018


https://www.forbes.com/sites/forbestechcouncil/2018/03/06/
human-predictability-make-attacks-easy-for-threat-actors/#62b6492618e5

Now that the books are closed on 2017, the cybersecurity industry is
developing a better understanding of the strategies currently used by
threat actors and cybercriminals. Unfortunately, we’ve found that malicious
groups are still using the same malware — with slight tweaks and
modifications — as they have in years past. And it’s still working.

Why? Simply, our behavior hasn’t changed. The innovation, agility and
outside-the-box thinking of threat actors should serve as motivation to
adjust our actions. As individual users, we’re largely apathetic and stuck
in our flawed ways — and threat actors are taking notice.

Malware Cocktails Are Still In The Mix

For the past several months, I’ve been touting the existence of malware
cocktails as an easy yet strategic means for threat actors to evade static
or signature-based security controls. Since a majority of end-users still
don’t practice basic security, cybercriminals can either make minor changes
to exploits or blend components of several different pieces of malware to
form seemingly new attacks.

For example, in October 2017 we saw a new kind of ransomware called Bad
Rabbit, which appeared in Russia and Ukraine and spread within a single
day. It was first discovered attacking large Ukrainian organizations and
Russian media outlets. Later, infections were reported in the United
States and Western Europe.

Bad Rabbit shared many ingredients with NotPetya, a mid-2017 form of
ransomware that propagated using EternalBlue and EternalRomance, two of the
SMBv1 exploits from the NSA toolset leaked by the Shadow Brokers in April
2017. Bad Rabbit did not use EternalBlue, but it did use EternalRomance,
alongside harvested and hard-coded credentials, to spread over SMB. The
tooling and the infection chain were not identical, but they were clearly
drawn from the same kit.

Systems patched against MS17-010 were protected from the exploit
component, although Bad Rabbit's credential-based spread did not depend on
it. Either way, these attacks provide more evidence that threat actors
leverage malware cocktails to evade static or signature-based security
controls: a recombined sample carries a new hash while reusing the same
underlying techniques, so detection that keys on behaviour (for instance,
one host opening SMB sessions to many peers in seconds) holds up where a
hash list does not.
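As an added illustration, not code from the article or its author, the
script below shows both halves of that point: a one-byte tweak to a
constructed (non-malicious) payload defeats a SHA-256 hash signature, while
a behavioural check over constructed SMB authentication events still flags
the fan-out pattern that NotPetya and Bad Rabbit shared. The payload bytes,
the log lines, the hosts and the threshold are all assumptions chosen for
the example.

```python
"""Hash signature vs. behavioural detection (added example, not from the
article).  The payload and the SMB authentication log are constructed."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a malware sample; not real malware.
SAMPLE = b"MZ\x90\x00" + b"constructed-ransomware-body" * 8
# A hash list, as a purely signature-based control would keep it.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}


def matches_signature(blob: bytes) -> bool:
    """Static control: exact-hash lookup."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_SHA256


def tweak(blob: bytes) -> bytes:
    """Flip one bit in the last byte, the kind of trivial modification
    that yields a 'new' sample with unchanged behaviour."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


# Constructed authentication events: "<time> <src> <dst> <user> <proto>".
# 10.0.5.17 fans out to six hosts in four seconds (propagation pattern);
# 10.0.5.40 is a user touching two file shares minutes apart.
AUTH_LOG = """\
2017-10-24T13:00:01 10.0.5.17 10.0.5.20 svc_backup SMB
2017-10-24T13:00:02 10.0.5.17 10.0.5.21 svc_backup SMB
2017-10-24T13:00:02 10.0.5.17 10.0.5.22 svc_backup SMB
2017-10-24T13:00:03 10.0.5.17 10.0.5.23 svc_backup SMB
2017-10-24T13:00:04 10.0.5.17 10.0.5.24 svc_backup SMB
2017-10-24T13:00:05 10.0.5.17 10.0.5.25 svc_backup SMB
2017-10-24T13:05:00 10.0.5.40 10.0.5.41 alice SMB
2017-10-24T13:09:00 10.0.5.40 10.0.5.42 alice SMB
"""


def fanout_alerts(log: str, threshold: int = 5,
                  window: timedelta = timedelta(seconds=60)) -> list:
    """Behavioural control: flag any source that opens SMB sessions to at
    least `threshold` distinct destinations inside one sliding window.
    This fires regardless of the file hash of whatever is spreading."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log.splitlines():
        ts, src, dst, _user, proto = line.split()
        if proto == "SMB":
            events[src].append((datetime.fromisoformat(ts), dst))

    alerts = set()
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({d for _, d in evs[start:end + 1]}) >= threshold:
                alerts.add(src)
                break
    return sorted(alerts)


if __name__ == "__main__":
    print("original sample matches:", matches_signature(SAMPLE))
    print("tweaked sample matches:", matches_signature(tweak(SAMPLE)))
    print("fan-out alerts:", fanout_alerts(AUTH_LOG))
```

The threshold and window are tuning knobs: backup servers and vulnerability
scanners legitimately fan out, so in production the check is paired with
an allow-list of known scanners rather than lowered to the point of noise.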

Impact On Hyper-Connected Businesses

While modified malware threats are very real, how they could potentially
impact businesses isn’t always clear. As threat actor behavior evolves,
organizations need to be proactive in defending against different malware
mixes this year, particularly as they target more and more internet of
things (IoT) devices.

For example, let’s consider the security needs of a convenience store chain
with more than 600 retail locations in the United States. Each of these
stores has at least 20 connected IoT devices. This includes everything from
point of sale (POS) terminals, Wi-Fi access points and ATMs to smart
thermostats and surveillance cameras.

As more devices are added, the security challenge becomes more complex.
This paradigm holds true for retail, enterprise, government, education,
healthcare, small to medium-sized businesses (SMBs) and consumer
environments.

To defend connected devices from external threats, and to prevent IoT
devices from being compromised as part of a larger global botnet, best
practices strongly advise organizations to build a cohesive, integrated and
layered security strategy across wired, wireless, mobile and cloud networks.

The first step is to deploy any and all devices behind a next-generation
firewall so that no device management interface (Telnet, SSH, web console)
is reachable from the internet; Mirai recruited its bots precisely by
logging in to exposed Telnet services with factory credentials, and a
firewall that only blocks inbound traffic does nothing for a device that a
port forward or UPnP has already exposed. Organizations should also ensure
device firmware is updated, if applicable, since IoT Reaper spread through
known firmware vulnerabilities rather than passwords, and that default
manufacturer passwords are changed.

For added real-time threat detection and mitigation, organizations can pair
next-generation firewalls with automated cloud sandboxing, which detonates
unknown files at the gateway and blocks those that behave like ransomware
before they reach an endpoint. Sandboxes are themselves a target for
evasion (execution delays, environment checks), so they complement, rather
than replace, patching and segmentation.

It is also critical to segregate all IoT devices into a separate security
zone with a default-deny policy between zones, allowing only the specific
flows each device class needs (a surveillance camera has no business
reaching a POS terminal). This reduces the probability and impact of
lateral movement in case a device, or its manufacturer's update channel,
becomes compromised.
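As an added example (not code from the article or from any vendor), the
script below expresses that zone policy for the store network described
above as a small table, evaluates candidate connections against it, and
renders the same table as an nftables forward chain with a drop policy so
the check and the firewall cannot drift apart. The zone names, address
ranges, ports and the list of permitted flows are assumptions chosen for
illustration.

```python
"""Default-deny zone policy for a single store (added example).
Zones, address plan and allowed flows are assumed, not from the article."""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: one /24 per security zone.
ZONES = {
    "pos":  ipaddress.ip_network("10.10.1.0/24"),  # payment terminals
    "iot":  ipaddress.ip_network("10.10.2.0/24"),  # cameras, thermostats
    "corp": ipaddress.ip_network("10.10.3.0/24"),  # back-office PCs
    "mgmt": ipaddress.ip_network("10.10.9.0/24"),  # admin jump hosts
}
INTERNET = "internet"  # pseudo-zone for anything outside ZONES


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


# Everything not listed here is dropped.  IoT has no path to pos or corp,
# and only mgmt may initiate connections *into* iot or pos.
ALLOW = [
    Rule("pos",  INTERNET, "tcp", 443),  # assumed payment-processor API
    Rule("iot",  INTERNET, "udp", 123),  # NTP
    Rule("iot",  INTERNET, "tcp", 443),  # assumed vendor cloud service
    Rule("corp", INTERNET, "tcp", 443),
    Rule("mgmt", "iot",    "tcp", 22),   # firmware updates, password changes
    Rule("mgmt", "pos",    "tcp", 22),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def permitted(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide a new connection: intra-zone traffic is allowed, every
    inter-zone flow must appear in ALLOW (default deny)."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d and s != INTERNET:
        return True
    return Rule(s, d, proto.lower(), dport) in ALLOW


def render_nftables() -> str:
    """Emit an equivalent nftables ruleset.  Internet-bound rules match
    `daddr != @internal` so they can never be abused to reach another
    zone; that is the bug a naive 0.0.0.0/0 rule would introduce."""
    internal = ", ".join(str(n) for n in ZONES.values())
    lines = [
        "table inet store {",
        "  set internal {",
        "    type ipv4_addr; flags interval;",
        f"    elements = {{ {internal} }}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOW:
        src = ZONES[r.src_zone]
        dst = ("ip daddr != @internal" if r.dst_zone == INTERNET
               else f"ip daddr {ZONES[r.dst_zone]}")
        lines.append(f"    ip saddr {src} {dst} {r.proto} dport {r.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("camera -> POS 443:", permitted("10.10.2.15", "10.10.1.7", "tcp", 443))
    print("camera -> vendor 443:", permitted("10.10.2.15", "203.0.113.9", "tcp", 443))
    print("jump host -> camera 22:", permitted("10.10.9.2", "10.10.2.15", "tcp", 22))
    print(render_nftables())
```

The rendered chain is loaded with `nft -f`; the `established,related`
line is what lets return traffic for the permitted outbound flows through
while every unsolicited inter-zone connection, including a compromised
camera probing the POS range, hits the drop policy.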

This layered approach is critical for identifying and mitigating advanced
cyber attacks — both old and new — regardless of a threat actor’s preferred
mix of malicious ingredients.