As Information Security consultants, most of us like to talk to our customers about zero-day vulnerabilities and how to deal with these. It’s an intriguing subject, with a bit of a cloak and dagger feel around it, and always makes for an interesting discussion with our clients. However, a recent study commissioned by CyberArk highlighted that the majority of criminals do not use valuable zero-day exploits; instead they use phishing and simple guessing techniques to obtain the login credentials of executives or IT staff, which they then exploit to gain access to valuable information.
“Everyone thinks about the zero-day vulnerability, but they’re rarely exploited in a widespread pattern in the wild. They’re so valuable that attackers apply them in very limited way,” said Craig Williams, senior technical leader and security outreach manager for Cisco Talos Security Intelligence and Research Group. “For every zero day you hear about, there are millions of known vulnerabilities that are far more likely to be used against you.”
The study, based on interviews with representatives of Cisco Talos Security Intelligence, Deloitte Financial Advisory Service, Deloitte & Touche Cyber Risk Services, Mandiant (a FireEye company), the Advanced Cyber Defense team at RSA and the Verizon RISK Team, analysed the forensic experiences of these companies as they investigated the world’s most serious security breaches.
The report highlighted some interesting aspects of the criminal cyber attacks:
– the top security incident response firms claim that for more than 80% of all major attacks investigated, privileged accounts have been compromised and exploited as part of the attack;
– attacks often persist for months or even years before they are discovered. Mandiant claims that the median duration of an ongoing attack is 229 days;
– security investigators report a range of privileged account exploits, from hacking embedded devices in the Internet of Things to establishing multiple privileged identities in Microsoft Active Directory to ensure redundant points of access;
– Service accounts are now sought-after targets. According to Verizon’s Christopher Novak, “Many of our recent investigations have seen exploits in service accounts – probably in 80% to 90% of the cases.”
Privileged accounts are the keys to your kingdom, and should be very well looked after. Make sure you have identified all user and service accounts that have elevated privileges across your IT estate, and take the steps necessary to keep these safe, including:
– make sure default user account names and passwords are never used on any systems (not even in development, as these may be used as a springboard onto your production environment)
– make sure you use complex passwords or passphrases to make it hard for hackers to guess or brute force, and use good user account management practices to keep these accounts secure
– educate your staff to be able to identify and deal with the threat of social engineering techniques employed by hackers, including phishing and impersonation of legitimate fellow members of staff
– make sure any potential compromises are reported as soon as possible, and make sure you have procedures in place to deal with these types of breaches very quickly
– log, monitor and correlate privileged user activity. If possible, collect logs remotely as one of the tricks attackers pull with privileged accounts is the deletion of audit logs to cover their tracks
– disable and delete any privileged accounts that you don’t require – if these do not exist they cannot be abused.
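The logging and correlation advice above, as an added example that is not part of the original post or the CyberArk study: a small correlator over forwarded Windows Security events that flags a privileged account clearing the audit log and a service account being used interactively. The event records, the host and user names and the "svc_" naming convention are all constructed assumptions for this illustration.

```python
"""Correlate privileged-account activity across forwarded Windows Security
events. Because the copies are held remotely, clearing the local log does
not remove the evidence; the clearing event itself becomes the signal."""

# Constructed sample events, not real telemetry. Event IDs are the real
# Windows Security IDs: 4672 = special privileges assigned to new logon,
# 4624 = successful logon, 1102 = the audit log was cleared.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:01:10", "host": "DC01",  "id": 4672, "user": "admin.jsmith"},
    {"ts": "2024-05-01T08:01:11", "host": "DC01",  "id": 4624, "user": "admin.jsmith", "logon_type": 10},
    {"ts": "2024-05-01T08:05:42", "host": "DC01",  "id": 1102, "user": "admin.jsmith"},
    {"ts": "2024-05-01T09:12:00", "host": "APP07", "id": 4624, "user": "svc_backup", "logon_type": 5},
    {"ts": "2024-05-01T22:47:05", "host": "APP07", "id": 4624, "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-05-01T10:00:00", "host": "WS113", "id": 4624, "user": "jdoe", "logon_type": 2},
]

# Assumed naming convention: service accounts carry an "svc_" prefix.
SERVICE_PREFIX = "svc_"
# Logon types 2 (interactive) and 10 (RemoteInteractive/RDP) imply a
# person at a console; a service account should normally only use type 5.
INTERACTIVE_LOGON_TYPES = {2, 10}


def correlate(events):
    """Return a list of (rule, user, host, ts) alerts, in time order."""
    alerts = []
    # Step 1: learn which accounts were granted elevated privileges (4672).
    privileged = {e["user"] for e in events if e["id"] == 4672}
    for e in sorted(events, key=lambda e: e["ts"]):
        # Rule 1: an account known to hold elevated privileges cleared
        # the Security log, a classic track-covering move.
        if e["id"] == 1102 and e["user"] in privileged:
            alerts.append(("audit_log_cleared_by_privileged", e["user"], e["host"], e["ts"]))
        # Rule 2: a service account was used for an interactive logon.
        if (e["id"] == 4624 and e["user"].startswith(SERVICE_PREFIX)
                and e.get("logon_type") in INTERACTIVE_LOGON_TYPES):
            alerts.append(("service_account_interactive_logon", e["user"], e["host"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Both rules only work if the events reach the collector before the local log is wiped, which is why the post recommends remote collection.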
This study reminds us that making sure the basics of information security are continuously covered is still key to securing the enterprise.
(The full study can be downloaded here)