Are You Helping Hackers?
Don’t live in a fantasy world when it comes to cybersecurity
Atlanta, Ga. – Oct. 6, 2021
Everybody fantasizes about making their IT environment hack-proof. And many security vendors feed into this fantasy by making excessive claims about their technology.
I suggest a different approach — one that makes much more sense in a world full of bad actors trying to attack you in a thousand different ways. Instead of researching security tools in some vain attempt to figure out how you can perfectly defend your most critical assets, it’s wiser to:
- Research what bad actors are currently doing to attack organizations like yours.
- Understand that your objective isn’t to make your organization 100 percent invulnerable — which is both financially and technically impractical — but instead to make your organization vastly more difficult to hack than other organizations with a similar threat profile, given your available staffing and budget.
- Identify and remediate everything you’re doing to help hackers, rather than hinder them.
Top Ten Techniques
Let’s start by considering the first bulleted item above. I’ve created an infographic that organizes the techniques threat actors use to attack their targets into ten basic categories. I won’t claim that my list is comprehensive. Nor would I claim that it’s the one and only way to taxonomize the behaviors of threat actors. But my list does serve as a good starting point for framing the cybersecurity challenge from the attackers’ point of view.
I believe that secops professionals too often think about cyberdefense in terms of what they need to defend and/or the technologies in their cyberdefense portfolio — rather than in terms of what they need to protect their organization from.
But the outside-in perspective is much more sensible. After all, whether in war or sports or business, it pays to know thy enemy. So thinking about what that enemy might do — rather than just about what they might do it to — is essential. This is especially true given the fact that bad actors don’t have to attack an organization’s most valuable “crown jewels” directly. They only have to compromise a single unimportant asset. Then, from that asset, they can mount an attack on more vital targets.
Hindrance Tip #1
With this perspective in mind, let’s consider the first attack technique listed in the infographic: exploiting predictable and weak credentials. And, again, we’ll address this first technique by thinking in terms of how organizations often unknowingly make life easier for attackers — rather than harder.
1. Rotating passwords. Many secops professionals believe they’re making their environment safer by forcing users to constantly change their passwords. But this practice actually does just the opposite. The more frequently we make users change their passwords, the more likely they’ll resort to some easy way of remembering them.
Hackers love these predictable passwords — especially when those passwords follow an easily discernible pattern (like “kweenJAN123,” “kweenAPR456,” “kweenJUL789,” etc.).
The smarter policy is to rotate less while requiring stronger passwords — i.e., making them longer, requiring multiple character types, and enforcing rules against passwords that are too easily guessed (such as names of pets or numbers that match birthdays).
2. Using the same passwords for both the enterprise and public web services. Public sites constantly get hacked. And when they do, site owners try to reassure the public that no sensitive personal data (credit card numbers, banking information, etc.) was compromised.
That may be true, but users’ login credentials are almost always compromised — whether they’re hashed or in cleartext. So if a user uses the same or a similar password in the enterprise, hackers can readily make the correlation.
A good policy is therefore that users create unique passwords for internal logins. Secops staff should also monitor thefts of public site credentials to see if any of them match up with internal users. And if they do, secops must ensure that those users’ passwords are completely different from what they were using on the public site.
3. Insufficient credential diligence. Yes, you’ve password-protected your CRM database, SharePoint servers, and remote access VPN. Good on you!
But what about that printer on the third floor that’s exposed to the internet without you realizing it? And are you sure your firewall is configured to restrict access to all your services via VPN? Or did you miss a spot?
Again, these credentialing weak spots don’t have to be anywhere important for them to result in a compromise — because bad actors will attack an organization’s most important resources from their seemingly least important ones.
These are just a few ways to hinder credential-based attacks, rather than helping them. And per the second bullet above, hindering those exploits will likely frustrate bad actors just enough to motivate them to move on to another target.
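A password-change check in the spirit of the rotation advice under item 1, as an added example (not code from the article or from Secureworks): it rejects a new password that is the previous one with only the month, season, digits or symbols changed, and applies the length, character-type and personal-token rules. The thresholds, function names and sample passwords other than the "kween" ones are assumptions.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 14          # assumed policy value, not from the article
MIN_CLASSES = 3          # assumed: at least 3 of lower/upper/digit/symbol
SIMILARITY_LIMIT = 0.7   # assumed cut-off for "too close to the old password"

# Tokens users typically swap when forced to rotate on a schedule.
_ROTATING = re.compile(
    r"jan(uary)?|feb(ruary)?|mar(ch)?|apr(il)?|may|june?|july?|aug(ust)?|"
    r"sep(t(ember)?)?|oct(ober)?|nov(ember)?|dec(ember)?|"
    r"spring|summer|autumn|fall|winter")

def stem(password):
    """Reduce a password to its memorable base: drop case, digits,
    symbols and month/season tokens."""
    letters = re.sub(r"[^a-z]", "", password.lower())
    return _ROTATING.sub("", letters)

def char_classes(password):
    """Count how many of the four character types appear."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)

def check_new_password(old, new, personal_tokens=()):
    """Run at change time, when the user has just supplied the old password.
    Returns a list of violations; an empty list means the change is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if char_classes(new) < MIN_CLASSES:
        problems.append("too_few_character_types")
    lowered = new.lower()
    # personal_tokens: pet names, birth dates etc. known for this user
    if any(tok.lower() in lowered for tok in personal_tokens if len(tok) >= 3):
        problems.append("contains_personal_token")
    same_base = len(stem(old)) >= 3 and stem(old) == stem(new)
    close = SequenceMatcher(None, old.lower(), lowered).ratio() >= SIMILARITY_LIMIT
    if same_base or close:
        problems.append("rotation_of_previous")
    return problems
```

Because the comparison uses the old password the user types during the change, nothing beyond the normal salted hash needs to be stored to make this check work.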
I invite you to look at the other nine threat types yourself — and to determine the best ways to hinder them. And schedule a penetration test to check your ecosystem. I assure you that by thinking like an attacker, rather than a defender, you’ll much more effectively mitigate your organization’s infosec risks.
– Eric Escobar is a seasoned pentester and a Principal Security Consultant at Secureworks. On a daily basis he attempts to compromise large enterprise networks to test their physical, human, network and wireless security. His team consecutively won first place at DEF CON 23, 24, and 25’s Wireless CTF, snagging a black badge along the way. Forcibly retired from competing in the Wireless CTF, he’s now a member of the DEF CON Wireless Village team. Before entering the cyber security arena, Eric attained both a BS and MS in Civil Engineering along with his Professional Engineering license.