Zero day to commercial exploit kit in 4 days… how do we weather the cyber security storm?

Cyber Security Storm

Just four days after Adobe Systems patched a vulnerability in Flash Player, a malware researcher spotted a drive-by download attack that was exploiting it to install CryptoWall ransomware on the victim’s computer. Further research showed that the exploit had been added to the commercial exploit kit called Magnitude, and that it has clearly now been adopted by cybercriminals across the world for use in large-scale attacks. The flaw, tracked as CVE-2015-3113 in the Common Vulnerabilities and Exposures database, had zero-day status – that is, it was already being exploited before any patch existed – when Adobe released its fix. It had reportedly already been exploited for several weeks by a China-based cyber espionage group in targeted attacks against organisations in the aerospace, defence, construction, engineering, technology, telecommunications and transportation industries.

Whilst this highlights the shrinking window organisations have in which to deploy patches, it also adds a further air of futility to patching as the sole reliable method of staying ahead of online attackers – from petty criminals to well-funded crime gangs and shady government organisations – that want to get their hands on your data or your money.

What does this mean for those charged with managing cyber security within organisations? Just like going outside on a cold, wet winter’s day, you need multiple layers of protection to give you the resilience necessary to weather the never-ending cyber security storm.

People

Your people are an attacker’s easiest route to compromise. Many exploits rely on enticing end-users to click on a URL or open a malicious attachment so that the exploit code can reach the vulnerable software – in this case Adobe Flash Player – typically through phishing e-mails or by redirecting users to malicious or compromised web sites. Your people are therefore also your first layer of defence. Teach users good cyber hygiene through your security awareness campaign: how to spot phishing e-mails and malicious web sites, how to recognise the indicators that their computer may have been compromised, and what they should do if this happens. People aren’t perfect, but they may be your last line of defence if your other controls fail.

Technology

For exploits of this type to work, the attacker first needs a way to deliver the exploit code to a vulnerable system and have it execute there. As the malware researcher discovered, the delivery mechanism in the Adobe exploit was a drive-by download – all the user had to do was visit the web site for the exploit code to run and for the victim’s computer to become compromised. The simple act of visiting a web site gave the attacker sufficient access to do so.

This sounds a bit scary, but here are a few of the many technical controls that can help mitigate against (but not eliminate) this threat.

– Install a good anti-malware software package on your users’ devices, make sure it has the capability to detect, prevent and report malicious activity on the device, and make sure it is updated regularly (ideally in real time, but at least every few hours).

– Use an e-mail anti-spam/anti-malware service to get rid of potentially malicious e-mails and attachments before they even reach the end-user. Be careful in granting users the ability to release e-mails trapped by these services: a user who releases a quarantined message may be releasing malware into your IT infrastructure.

– Use blacklists on your firewall to prevent users from visiting known bad sites, or whitelists if staff are only allowed to visit specific web sites. If your budget has a bit of stretch in it, invest in a next-generation application-layer firewall/intrusion detection solution that can inspect network traffic for signs of malware or an intrusion, to protect your network perimeter.

– Patch regularly. Patching remains important in closing vulnerabilities down in the long term. Where systems cannot be patched for operational reasons, they should be isolated from the internet and from internet-accessible devices (and from mobile storage devices!) to prevent compromise.

– Make sure your own web services are secure. Do not allow an attacker to compromise your site and use it to distribute malware. Make sure the web service is suitably hardened from a configuration perspective. Use a firewall to restrict which ports are accessible from the internet. And lastly, always keep your web site’s administrative credentials secure; use two-factor authentication where possible to provide an additional level of security around privileged user accounts.
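The e-mail filtering control above is easier to reason about with a concrete policy in front of you. The following is an added example, not code from the original article or from any gateway product: a minimal attachment policy of the kind an e-mail anti-malware service applies before a message is delivered. It blocks attachments by extension, catches double extensions, and, more importantly, looks at the leading bytes of the content, so that a Windows executable or a Flash (SWF) file renamed to "invoice.pdf" is still caught. The blocked-extension list, the magic-byte table and the sample messages are all constructed for this example; a real gateway would use a far larger signature set.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed policy list for this example, not any vendor's list.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "js", "vbs", "hta",
                      "swf", "jar", "bat", "cmd", "ps1"}

# Leading bytes expected for a few declared types. A mismatch usually means
# the file has been disguised (e.g. "invoice.pdf" whose content is an .exe).
MAGIC = {
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
    "png": (b"\x89PNG",),
}
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib and LZMA SWF headers


def classify_attachment(filename: str, data: bytes):
    """Return ('block' | 'allow', reason) for a single attachment."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[1:-1]                 # extensions hidden in the middle of the name
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension .{ext}"
    if any(p in BLOCKED_EXTENSIONS for p in inner):
        return "block", "double extension hides a blocked type"
    # Content checks are independent of the name: renaming a file does not change it.
    if data.startswith(b"MZ"):
        return "block", "content is a Windows executable"
    if data.startswith(SWF_MAGIC):
        return "block", "content is a Flash (SWF) file"
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return "block", f"content does not match declared .{ext}"
    return "allow", "passed attachment policy"


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message; return (deliver, [(filename, verdict, reason)])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if isinstance(data, str):       # text/* parts decode to str
            data = data.encode("utf-8", "replace")
        verdict, reason = classify_attachment(name, data)
        verdicts.append((name, verdict, reason))
    # One bad attachment quarantines the whole message.
    deliver = all(v[1] == "allow" for v in verdicts)
    return deliver, verdicts


def build_sample(attachments):
    """Build a constructed test message (not a real capture) with the given attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


# Constructed samples: one clean message and one carrying three disguised payloads.
SAMPLE_CLEAN = build_sample([("invoice.pdf", b"%PDF-1.4\n% constructed sample\n")])
SAMPLE_MALICIOUS = build_sample([
    ("invoice.pdf", b"MZ\x90\x00 constructed, not a real binary"),   # EXE renamed to .pdf
    ("report.pdf.exe", b"MZ\x90\x00"),                                # double extension
    ("promo.swf", b"CWS\x0a constructed"),                            # Flash content
])

if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_CLEAN), ("malicious", SAMPLE_MALICIOUS)):
        deliver, verdicts = scan_message(raw)
        print(label, "->", "deliver" if deliver else "quarantine")
        for name, verdict, reason in verdicts:
            print("   ", name, verdict, reason)
```

The point of the content checks is the caveat from the list above: a user who asks for a quarantined message to be released is not being offered a "false positive" just because the attachment is called invoice.pdf. Inspecting the bytes rather than the name is what lets the gateway give a concrete reason for refusing.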

Process

Lastly, it is important to have clear processes in place for dealing with suspected cyber security breaches. Aspects such as ‘who is in charge of the incident’ and ‘what should the first responder actions be’ must be clearly defined and practised beforehand, a bit like a Formula One pit stop, so that when the need comes (when, not if!) your team can work seamlessly together to deal with the breach and its aftermath.