Keep the Holidays Merry
By Buzz Hillestad
Fraudsters take every advantage they can to steal identities and money. The holidays are particularly brutal for this type of activity. From social engineering attacks that trick you into handing over your information to phishing attacks designed to compromise your computer, these attacks are real and do real damage to the people who fall victim to them.
One very specific type of attack that shows up during the holidays is the DHL package claim. You get an email supposedly from DHL claiming they have a package they have been trying to deliver to you, and that all you need to do is follow the link in the email to claim it. DHL isn't always the brand being impersonated, but the trick and the result are the same: sometimes the attackers use other shipping carriers, or even online stores such as Amazon.com or eBay.com. Before clicking, check whether the sender address and the link's real destination actually belong to the company named in the message; in these lures they do not.
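The check just described, written out: compare the brand a message names against the domains its sender and links really point to. This is an added example, not code from the original column or from any product the author describes. The brand allow-list, the two sample messages (a constructed fake DHL notice and a constructed legitimate one), and the crude "last two labels" domain heuristic are all assumptions made for illustration.

```python
"""Flag 'claim your package' phishing lures by checking whether the sender and
the links actually belong to the brand the message names.

Added example, not code from the original column.  The brand allow-list,
the two sample messages and the domain heuristic are all constructed for
illustration (assumptions, not an authoritative data set).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands commonly impersonated in delivery lures and the registrable domains
# they legitimately send from.  Assumption: a small illustrative list.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "amazon": {"amazon.com"},
    "ebay": {"ebay.com"},
}


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels (track.dhl.com -> dhl.com).
    Good enough for the demo; production code should use a public-suffix
    list.  Literal IPv4 addresses are returned unchanged."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(sender: str, subject: str, html_body: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    haystack = (subject + " " + html_body).lower()
    claimed = [b for b in BRAND_DOMAINS if re.search(r"\b%s\b" % b, haystack)]
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append("sender %s is not a %s domain" % (sender_domain, brand))

    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        for brand in claimed:
            if target not in BRAND_DOMAINS[brand]:
                findings.append("link '%s' goes to %s, not a %s domain" % (text, target, brand))
        # The classic trick: the visible text looks like a URL, but the href
        # underneath it goes somewhere else entirely.
        looks_like_url = text.startswith("http") or ("." in text and "/" in text)
        if looks_like_url:
            shown = registrable_domain(
                urlparse(text if "://" in text else "//" + text).hostname or "")
            if shown and shown != target:
                findings.append("displays %s but href goes to %s" % (shown, target))
    return findings


# Constructed lure in the style the column describes (fake DHL notice).
LURE_SENDER = "notice@dhl-delivery-center.net"
LURE_SUBJECT = "DHL: we could not deliver your package"
LURE_BODY = """<p>Dear customer, your DHL parcel is waiting. Please
<a href="http://dhl-delivery-center.net/claim?id=4471">click here</a>
or open <a href="http://203.0.113.9/track">www.dhl.com/track</a>
to confirm your delivery address.</p>"""

# Constructed legitimate notice for comparison.
REAL_SENDER = "noreply@dhl.com"
REAL_SUBJECT = "Your DHL shipment is on its way"
REAL_BODY = '<p><a href="https://www.dhl.com/track?id=1">Track shipment</a></p>'

if __name__ == "__main__":
    for line in analyze(LURE_SENDER, LURE_SUBJECT, LURE_BODY):
        print("LURE:", line)
    print("REAL:", analyze(REAL_SENDER, REAL_SUBJECT, REAL_BODY) or "no findings")
```

On the constructed lure the script reports four findings (the sender domain, both link targets, and the link whose visible text says www.dhl.com while the href goes to a bare IP address); the legitimate notice produces none. The same three checks, sender domain, link domain, and displayed-versus-actual destination, are what a mail gateway or a careful reader applies by hand.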
This type of attack succeeds because of how most computers are set up and used. Below is a diagram of a simplified social engineering attack kill-chain. It is called a kill-chain because it shows the path an attacker takes to get to what they want most: the data.
The first column of the diagram shows the attack vectors the attacker will try to exploit. If an attacker convinces someone in your organization to click the link in a phishing email, it will usually drop a payload that gives the attacker what is called "shell access" to the computer. The payload is downloaded from the attacker's command and control (C&C) server out on the web, and the compromised machine then calls back to that server for instructions. From there, the attacker can send commands to the machine to make it do basic things, running with whatever rights the user who clicked has.
To take the computer over completely, though, the attacker has to elevate privileges on it. With administrator rights she can install her own applications and weaponize the compromised workstation against the rest of the network. If your organization gives users admin accounts or local admin accounts on their computers, it's game over at this step. If your organization uses restricted user accounts, you are protected against this first attack vector, but you are not in the clear.
If the attacker cannot gain administrator access through the compromised user's credentials, she will have to exploit a vulnerability that lets her elevate privileges outside of normal parameters. The best defense here is vulnerability management: how often you scan for vulnerabilities, and how quickly you patch or otherwise remediate what you find, determines how well it works.
Lastly, your organization can have a desktop that is completely compromised but cannot reach anything else on the network because of proper LAN segmentation. Placing firewalls strategically between LAN segments, and applying proper ingress and egress filtering between those segments, is critical to making segmentation work. Egress filtering matters as much as ingress: a workstation that has no business talking directly to the internet should not be able to reach the attacker's C&C server either.
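To make the segmentation point concrete, here is an added example (not code from the original column, and not any vendor's product) that models a first-match firewall policy between LAN segments and shows what a compromised workstation can still reach under a flat design versus a segmented one. The segment addressing, the rule set, the probe list and the attacker address 203.0.113.9 (a documentation range) are all constructed assumptions; a real firewall adds connection state, NAT and zones that this model leaves out.

```python
"""Model a first-match firewall policy between LAN segments and show what a
compromised workstation can still reach under a flat versus a segmented
design.

Added example, not code from the original column.  The segments, addresses,
rules and probes are constructed for illustration; a real firewall adds
state, NAT and zones that this simple model leaves out.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the traffic must come from
    dst: str              # CIDR it must be going to
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
           default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


def reachable_from(rules: List[Rule], src_ip: str,
                   probes: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Subset of (destination, port) probes the source is allowed to reach."""
    return [(d, p) for d, p in probes if decide(rules, src_ip, d, p) == "allow"]


# Constructed network (assumed addressing).
WORKSTATIONS = "10.10.0.0/24"
SERVERS = "10.20.0.0/24"
ADMIN = "10.30.0.0/24"
FILE_SERVER = "10.20.0.5"
PROXY = "10.20.0.8"

# Flat network: nothing between segments, everything talks to everything.
FLAT = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# Segmented network.  Ingress to each segment is limited to what the
# business needs; egress from workstations to the internet is denied
# except through the proxy, so a C&C callback has to go where it can be
# logged and blocked.
SEGMENTED = [
    Rule(WORKSTATIONS, FILE_SERVER + "/32", 445, "allow"),   # SMB to file server
    Rule(WORKSTATIONS, PROXY + "/32", 3128, "allow"),        # web via proxy only
    Rule(ADMIN, WORKSTATIONS, 3389, "allow"),                # RDP from admin segment
    Rule(ADMIN, SERVERS, 22, "allow"),                       # SSH from admin segment
    Rule("10.0.0.0/8", "10.0.0.0/8", None, "deny"),          # no other east-west
    Rule(PROXY + "/32", "0.0.0.0/0", 443, "allow"),          # only the proxy egresses
]  # anything else falls through to the default deny

COMPROMISED = "10.10.0.42"   # the workstation that clicked the link
PROBES = [
    (FILE_SERVER, 445),      # file share the user legitimately uses
    (FILE_SERVER, 3389),     # RDP to the file server
    ("10.30.0.2", 3389),     # RDP into the admin segment
    ("10.10.0.77", 445),     # a neighbouring workstation
    ("203.0.113.9", 443),    # attacker C&C on the internet (documentation range)
    (PROXY, 3128),           # the proxy
]

if __name__ == "__main__":
    print("flat:     ", reachable_from(FLAT, COMPROMISED, PROBES))
    print("segmented:", reachable_from(SEGMENTED, COMPROMISED, PROBES))
```

On the flat network the compromised workstation reaches all six probes, including the direct C&C callback. On the segmented network it reaches only the file share on 445 and the proxy on 3128; RDP to the file server, the admin segment, the neighbouring workstation and the direct internet callback all fall to the east-west deny or the default deny. The admin segment can still reach the workstation on 3389 and the proxy can still reach the internet on 443, which is the point: the attacker's foothold is contained without breaking the paths the business actually needs.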
The bottom line is that we need to assume our workstations will get breached, and plan for that assumption with at least the controls mentioned here. Below is a diagram that completes the one above with the attack vectors and their protections. If we think of these protections as speed bumps, we can then focus on detection and response. Once we've detected our nemesis within our walls, we can figure out how they got in, with proper forensics, and how to prevent them from getting in again. Information security is a cycle, not an endgame. Remember that and stay vigilant.
In the next installment of this two-part series we will look at what the criminals can actually do with the data they steal.
Buzz Hillestad is Principal Consultant and Partner at Helix Security in Sioux Falls.