Why advanced threats are less dangerous than simple attacks

The more threats change, the more they stay the same.

According to noted security researcher Marc Maiffret, despite countless advances made by cyberattackers in recent years, many of the most popular and successful techniques have been in use for years.

"There's always the tried-and-true things that we hear about, things like buffer overflow and other types of memory corruption, which are just as much of a problem today as they were 20-plus years ago with the Robert Morris worm," Maiffret said.

In this interview, conducted at the 2014 RSA Conference, Maiffret, chief technology officer of BeyondTrust Inc. and noted security researcher, discusses today's most disconcerting attack trends, including attackers' user of valid credentials, unpatched Microsoft and Adobe vulnerabilities and legacy software and platforms like Windows XP.

View All Videos

Transcript - Why advanced threats are less dangerous than simple attacks

Eric Parizo: Hi, I'm Eric Parizo from SearchSecurity.com. Thanks for joining us today. Joining me is Marc Maiffret. Marc is the chief technology officer for BeyondTrust. Marc, thanks so much for stopping by.

Marc Maiffret: Thanks for having me.

Eric Parizo: Marc, let's talk about the threat landscape for a few minutes. You're a longtime security researcher with extensive experience finding vulnerabilities. That said, what recent or emerging attack techniques really catch your eye and that enterprises should be paying attention?

Marc Maiffret: It's interesting from kind of classes of attacks. There's always the tried and true things that we hear about, things like buffer overflow and other types of memory corruption which is just as much a problem today as it was 20-plus years ago with the Robert Morris worm, the first computer worm. A lot of times its new forms of technology that just kind of allow you to deliver attacks in a different way, like when social media came about. It didn't necessarily have new threats itself as much as it was a new way to deliver these things.

I think what's probably most interesting from an attacker perspective is that these days by the time somebody's breaking into your network and when data's being stolen, really the behavior, it's not really involving hacking at all. Once credentials are stolen, once you piggyback on Active Directory or some other IT management system, really what you're doing is just being a very nefarious administrator.

I think if more companies realized that if you don't have the right controls on what is happening from accounts and legitimate user accounts in your environment, there's no hacking. There's no exploiting. They already have the credentials, and what are you able to monitor and detect at that point. Because if you don't have the right controls there then you're hoping you stop it at the malware level or at the exploit level, and that can be hit or miss definitely.

Eric Parizo: How do you reconcile the industry's focus on advanced attack methods and the success attackers seem to have with simple tried and true attack methods? What does it say about how companies do and should focus their time and resources?

Marc Maiffret: I think our industry a lot of times when we talk about threats we're talking about it as a one size fits all. To one person something like APT and advanced threats, if you are the right government agency, if you're the right high profile company, that's a very real problem that you face.

For a lot of the average businesses, though, they're not being compromised through zero-day, in most cases, because you simply don't need to use something as valuable as a zero day attack. You can break into your average company by using the three month old Adobe vulnerability or Microsoft vulnerability, and that's all you need to do to get there.

Again, I think it varies. Yes, there are advanced attacks and things people need to worry about, but for the most part its people that are getting caught up with some of the hype and all the things that happen, because it's interesting. It's great to read about it. It's fascinating what some of the advanced adversaries are doing, but the average attack can typically be stopped through very, very simple means whether it's the basics of configuration or patching. Just having good network architecture on how you do egress filtering and stuff goes a lot further sometimes.

Eric Parizo: Now the Windows XP end of life is upon us. Many organizations have used the Microsoft Enhanced Mitigation Experience Toolkit, or EMET, to mitigate risk to XP, but issues with EMET have recently surfaced. What's your take on EMET and XP and the risk they present?

Marc Maiffret: XP end of life is amazing. It's a good thing for security. Windows 7 and Windows 8, they're not perfect by any means, but they absolutely raise the bar from an exploitation perspective in a different way. I think just XP going away is going to be very helpful.

There are a lot of times where from a vulnerability research perspective people say that you find a vulnerability and that they wrote an exploit for it, but if you read the fine print their exploit in something like Metasploit or whatever only works on XP and a certain service pack. It doesn't work against something like EMET. It doesn't work against the more modern OS. Obviously, there are plenty of exploits that do.

From an EMET perspective there have definitely been a few vulnerabilities and a few kind of perfect storms where people bypass EMET, but if you look at the vast majority of exploits EMET prevents a great deal of them and absolutely raises the bar where you need a very specific very good vulnerability to be able to get around it. I think it's something that Microsoft is going to keep making better.

But, EMET also highlights one of the challenges of to do security right and to really restrict what should happen on a system, it's hard to do, because there are also a lot of applications that in the process of doing that you break. There's a reason that EMET is an add-on tool versus just outright included as part of the operating system. It's because of those incompatibilities. While EMET on your lab system throwing exploits at it stops a lot, it's not so straightforward to roll out in a large enterprise in all the compatibility and settings that you need to work on. It takes time.

Eric Parizo: Switching gears a little bit, Apple recently had to patch virtually all of its platforms to deal with an SSL TLS flaw that enabled man in the middle attacks. What's your analysis there, and why has there been an increase in those man in the middle attacks?

Marc Maiffret: I think from the Apple SSL bug some people try to say it's a purposeful mistake, but I think mistakes happen all the time. I think that's what it was. I think man in the middle attacks get a lot of focus because of the nature of just what's making the headlines, what's going on from a monitoring perspective. Stuff with Snowden, all these types of things have kind of made it more of a focus.

A bug like that, it's one of those that it's a simple mistake with very tragic consequences. There have been worse vulnerabilities in Apple products than even that bug, but clearly that's kind of an embarrassing one. I think we continue to see more things like that as Apple takes more and more market share.

Eric Parizo: Specifically regarding man in the middle attacks, what do you credit the rise to?

Marc Maiffret: Yeah, there are definitely more conversations about man in the middle attacks. Again, I think a lot of that has to do with the kind of government level monitoring of what people are trying to do, but at the end of the day, as much as it's talked about, your average business is getting compromised because of Java, because of Adobe, because of some unpatched Windows vulnerability versus some super sophisticated kind of man in the middle attack.

Eric Parizo: Finally, you're a very well-known advocate for a fairly simple list of security controls that can eliminate the vast majority of threats. Tell us what's on that short list.

Marc Maiffret: There are examples of breaches that happen every year. I get asked the question all the time. I have antivirus, or IPS, or these different systems, and why aren't they working?

A lot of it is the ease in which an attacker can set up a lab environment to mimic your average company. I mean most companies are using one of the two popular antiviruses, one of the four main firewall or IPS vendors, so it's very easy to tailor your exploit in your malware to bypass those systems.

The one thing that you have at your disposal to kind of make your company and your business a little bit more unique in raising the bar really is how you configure your systems, how you configure your network. A good example, I believe it was for 2012, is there was roughly 20% or 30%, I forget the exact statistic, of Microsoft vulnerabilities that in order to be properly exploited that all exploits at the time actually leveraged the WebDAV protocol which is essentially a service that's turned on by default in Windows. Very few companies actually use it. You can disable it through group policy. It's a straightforward thing.

We see stuff in breaches, I won't name the retailer, where the attackers ended up taking data out over FTP port 21. When things like that are happening it's very clear that there's not proper network egress filtering. I find it amazing sometimes when you see companies looking to acquire advanced threat and analytics solutions and all these other things, and they're not doing the most basic of just filtering executables at their gateway.

Does that prevent everything? By no means. But, does it at least raise the bar where your average cybercrime or even average cybercrime kind of targeted attack is going to have to jump through a lot more hoops? It makes it much, much more difficult. It doesn't make a lot of sense when people are looking for some new solution when they're still not doing those kind of basic configuration best practices - your users are still running as administrator, for example. I don't care what you buy, you're in a bad spot.

Eric Parizo: All right. Marc Maiffret of BeyondTrust, thank you so much for the advice today.

Marc Maiffret: Thanks so much.

Eric Parizo: And thank you as well. Remember, for more information security videos you can always visit SearchSecurity.com\videos. Until next time, I'm Eric Parizo. Stay safe out there.

+ Show Transcript

Join the conversation

8 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Do organizations focus too much on stopping advanced threats instead of simple attacks?
Cancel
It makes sense that they might - these are the things that get more press and may be more of an interesting project to tackle. But like anything, it's important to get the basics down before moving on to those more complicated challenges. 
Cancel
It's not that they focus too much on stopping advanced threats - they usually don't do enough to stop even simple attacks.
Cancel
As Ben says, the stuff that gets the ink is the big attack. But from a practical point of view, I think the team should be focused on keeping both security areas intact. While the big breach might cause a huge wound, if your company keeps getting pinged by little attacks you'll probably bleed as much over the long haul. It's all balance.
Cancel
If Marc's point was that for many (most?) of the installations attackers don't need an APT-level attack because a simple exploit would succeed - then yes, his point is well taken.

If he is trying to say that advanced threats aren't really there or aren't really interested in "you", and therefore shouldn't be paid attention to - then IMHO it's total and unadulterated BS.
Cancel
Interesting take. I still say vigilance shouldn't take a vacation just because you think a threat is unlikely. Look at all the stuff that's happened in the short time that IT security has been an industry.
Cancel
mouse0741020 Jul 2014 1:30 PM
If Marc's point was that for many (most?) of the installations attackers don't need an APT-level attack because a simple exploit would succeed - then yes, his point is well taken.
If that was his point? Then what else could the point be?

I am not sure if you read the article before commenting or you failed to understand the point being made, but your comment seems to indicate, ignorance, lack of basic reading and comprehension skills. You preceed these two bits of opinion with "If", that alone indicates you did not understand what the conversation was about. Please read and listen to the discussion one more time. At no time did Marc ever indicate that "advanced threats aren't really there or aren't really interested in "you", and therefore shouldn't be paid attention to - then IMHO it's total and unadulterated BS."

It was very easy to understand that even if you put in the most advanced security systems and you changed the lock on the door, put in a new grill, if you leave the key under the mat or the flower pot, then it is to naught that you have defeated your security measures.
If your users are still giving out username and password to "IT guy on the phone", then all the other security measures have been compromised already. if you are still running unpatched software that have exploitable vulnerabilities, then your other advanced intrusion techniques do not have to be exploited because the simple ones are still there and available. jeez!!!
Cancel
Oh boy, Marc is risking ticking off the "researchers" and "analysts" in our field by taking such a stance. I say this tongue-in-cheek because that's my take on this subject (i.e. http://securityonwheels.blogspot.com/2014/08/the-latest-android-gmail-security-flaw.html).

You see, many of the people who continually claim that the sky is falling due to whatever zero-day, cross-site request forgery, or advanced persistent threat almost always have something to gain from it. They also have an inherent inability to see the bigger picture of information security and how it fits within the business. The research that comes out over and over again underscores the fact that basic security flaws are the ones that are creating the most problems. It's basic 80/20 Rule stuff...Unfortunately, to many, history doesn't exist.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close