Why advanced threats are less dangerous than simple attacks
Date: Jul 15, 2014
The more threats change, the more they stay the same.
According to noted security researcher Marc Maiffret, despite countless advances made by cyberattackers in recent years, many of the most popular and successful techniques have been in use for years.
"There's always the tried-and-true things that we hear about, things like buffer overflow and other types of memory corruption, which are just as much of a problem today as they were 20-plus years ago with the Robert Morris worm," Maiffret said.
In this interview, conducted at the 2014 RSA Conference, Maiffret, chief technology officer of BeyondTrust Inc. and noted security researcher, discusses today's most disconcerting attack trends, including attackers' use of valid credentials, unpatched Microsoft and Adobe vulnerabilities, and legacy software and platforms like Windows XP.
Eric Parizo: Hi, I'm Eric Parizo from SearchSecurity.com. Thanks for joining us today. Joining me is Marc Maiffret. Marc is the chief technology officer for BeyondTrust. Marc, thanks so much for stopping by.
Marc Maiffret: Thanks for having me.
Eric Parizo: Marc, let's talk about the threat landscape for a few minutes. You're a longtime security researcher with extensive experience finding vulnerabilities. That said, what recent or emerging attack techniques really catch your eye, and that enterprises should be paying attention to?
Marc Maiffret: It's interesting from kind of classes of attacks. There's always the tried and true things that we hear about, things like buffer overflow and other types of memory corruption, which is just as much a problem today as it was 20-plus years ago with the Robert Morris worm, the first computer worm. A lot of times it's new forms of technology that just kind of allow you to deliver attacks in a different way, like when social media came about. It didn't necessarily have new threats itself as much as it was a new way to deliver these things.
I think what's probably most interesting from an attacker perspective is that these days by the time somebody's breaking into your network and when data's being stolen, really the behavior, it's not really involving hacking at all. Once credentials are stolen, once you piggyback on Active Directory or some other IT management system, really what you're doing is just being a very nefarious administrator.
I think if more companies realized that if you don't have the right controls on what is happening from accounts and legitimate user accounts in your environment, there's no hacking. There's no exploiting. They already have the credentials, and what are you able to monitor and detect at that point. Because if you don't have the right controls there then you're hoping you stop it at the malware level or at the exploit level, and that can be hit or miss definitely.
Eric Parizo: How do you reconcile the industry's focus on advanced attack methods and the success attackers seem to have with simple tried and true attack methods? What does it say about how companies do and should focus their time and resources?
Marc Maiffret: I think our industry a lot of times when we talk about threats we're talking about it as a one size fits all. To one person something like APT and advanced threats, if you are the right government agency, if you're the right high profile company, that's a very real problem that you face.
For a lot of the average businesses, though, they're not being compromised through zero-day, in most cases, because you simply don't need to use something as valuable as a zero day attack. You can break into your average company by using the three month old Adobe vulnerability or Microsoft vulnerability, and that's all you need to do to get there.
Again, I think it varies. Yes, there are advanced attacks and things people need to worry about, but for the most part it's people that are getting caught up with some of the hype and all the things that happen, because it's interesting. It's great to read about it. It's fascinating what some of the advanced adversaries are doing, but the average attack can typically be stopped through very, very simple means, whether it's the basics of configuration or patching. Just having good network architecture on how you do egress filtering and stuff goes a lot further sometimes.
Eric Parizo: Now the Windows XP end of life is upon us. Many organizations have used the Microsoft Enhanced Mitigation Experience Toolkit, or EMET, to mitigate risk to XP, but issues with EMET have recently surfaced. What's your take on EMET and XP and the risk they present?
Marc Maiffret: XP end of life is amazing. It's a good thing for security. Windows 7 and Windows 8, they're not perfect by any means, but they absolutely raise the bar from an exploitation perspective in a different way. I think just XP going away is going to be very helpful.
There are a lot of times where from a vulnerability research perspective people say that you find a vulnerability and that they wrote an exploit for it, but if you read the fine print their exploit in something like Metasploit or whatever only works on XP and a certain service pack. It doesn't work against something like EMET. It doesn't work against the more modern OS. Obviously, there are plenty of exploits that do.
From an EMET perspective there have definitely been a few vulnerabilities and a few kind of perfect storms where people bypass EMET, but if you look at the vast majority of exploits, EMET prevents a great deal of them and absolutely raises the bar to where you need a very specific, very good vulnerability to be able to get around it. I think it's something that Microsoft is going to keep making better.
But EMET also highlights one of the challenges of doing security right: to really restrict what should happen on a system is hard to do, because there are also a lot of applications that you break in the process of doing that. There's a reason that EMET is an add-on tool versus just outright included as part of the operating system. It's because of those incompatibilities. While EMET on your lab system, throwing exploits at it, stops a lot, it's not so straightforward to roll out in a large enterprise with all the compatibility and settings that you need to work on. It takes time.
Eric Parizo: Switching gears a little bit, Apple recently had to patch virtually all of its platforms to deal with an SSL TLS flaw that enabled man in the middle attacks. What's your analysis there, and why has there been an increase in those man in the middle attacks?
Marc Maiffret: I think from the Apple SSL bug some people try to say it's a purposeful mistake, but I think mistakes happen all the time. I think that's what it was. I think man in the middle attacks get a lot of focus because of the nature of just what's making the headlines, what's going on from a monitoring perspective. Stuff with Snowden, all these types of things have kind of made it more of a focus.
A bug like that, it's one of those that it's a simple mistake with very tragic consequences. There have been worse vulnerabilities in Apple products than even that bug, but clearly that's kind of an embarrassing one. I think we continue to see more things like that as Apple takes more and more market share.
Eric Parizo: Specifically regarding man in the middle attacks, what do you credit the rise to?
Marc Maiffret: Yeah, there are definitely more conversations about man in the middle attacks. Again, I think a lot of that has to do with the kind of government level monitoring of what people are trying to do, but at the end of the day, as much as it's talked about, your average business is getting compromised because of Java, because of Adobe, because of some unpatched Windows vulnerability versus some super sophisticated kind of man in the middle attack.
Eric Parizo: Finally, you're a very well-known advocate for a fairly simple list of security controls that can eliminate the vast majority of threats. Tell us what's on that short list.
Marc Maiffret: There are examples of breaches that happen every year. I get asked the question all the time. I have antivirus, or IPS, or these different systems, and why aren't they working?
A lot of it is the ease in which an attacker can set up a lab environment to mimic your average company. I mean most companies are using one of the two popular antiviruses, one of the four main firewall or IPS vendors, so it's very easy to tailor your exploit in your malware to bypass those systems.
The one thing that you have at your disposal to kind of make your company and your business a little bit more unique in raising the bar really is how you configure your systems, how you configure your network. A good example, I believe it was for 2012, is there was roughly 20% or 30%, I forget the exact statistic, of Microsoft vulnerabilities that in order to be properly exploited that all exploits at the time actually leveraged the WebDAV protocol which is essentially a service that's turned on by default in Windows. Very few companies actually use it. You can disable it through group policy. It's a straightforward thing.
We see stuff in breaches, I won't name the retailer, where the attackers ended up taking data out over FTP port 21. When things like that are happening it's very clear that there's not proper network egress filtering. I find it amazing sometimes when you see companies looking to acquire advanced threat and analytics solutions and all these other things, and they're not doing the most basic of just filtering executables at their gateway.
Does that prevent everything? By no means. But, does it at least raise the bar where your average cybercrime or even average cybercrime kind of targeted attack is going to have to jump through a lot more hoops? It makes it much, much more difficult. It doesn't make a lot of sense when people are looking for some new solution when they're still not doing those kind of basic configuration best practices - your users are still running as administrator, for example. I don't care what you buy, you're in a bad spot.
Eric Parizo: All right. Marc Maiffret of BeyondTrust, thank you so much for the advice today.
Marc Maiffret: Thanks so much.
Eric Parizo: And thank you as well. Remember, for more information security videos you can always visit SearchSecurity.com\videos. Until next time, I'm Eric Parizo. Stay safe out there.