It is fascinating to look at how information is handled with massive databases and database technologies like Hadoop, and how it is analyzed and monetized by companies like Facebook. It is even more fascinating to look at how information is secured, and stolen, by and from companies like Equifax and from government offices like the Office of Personnel Management (OPM).
My curiosity about how security breaches evolve over time, and more specifically about how organizations’ own credentials and accounts were used to compromise data, “pushed” me to write this blog. I looked back at major nation-state offensive operations, like Operation Olympic Games and Operation Aurora, that date back to 2010, and continued to survey more recent breaches like Equifax and the Bangladesh Bank heist, with the intention of identifying trends and sketching a rough forecast of how the next major breaches might look. This is what I found out:
Credentials, meaning organizations’ own accounts and passwords, are used again and again in every stage of an attack:
- Infiltration — hackers use credentials compromised in one service or network to break into another. Cases that support this are the OPM breach, the RSA SecurID breach that led to the intrusion at Lockheed Martin, and the Ukrainian power grid attack, where credentials stolen from the corporate IT network gave the attackers access to the operational technology (OT) network. Recent breaches that exposed enormous dumps of personal information, including user names and passwords, let attackers test for recycled passwords: users who reuse the same password for web services like LinkedIn and Facebook and for their corporate network account.
- Lateral movement — hackers use locally found credentials, default passwords and service credentials to maneuver across the network and harvest more credentials until they finally reach their intended target. Cases that support this scenario are the Saudi Aramco breach, where the attackers used domain admin credentials to infect (and eventually wipe) thousands of machines, and the Bangladesh Bank breach, where the attackers used stolen credentials to move across the bank’s network until they found the SWIFTNet Link credentials that gave them access to the SWIFT system.
- Data exfiltration — hackers use compromised credentials to access sensitive data and exfiltrate it to a server under their control. Supporting cases are the Target breach, where the attackers used service account credentials to exfiltrate payment card data; the DNC (Democratic National Committee) breach, where the attackers used compromised credentials to access email accounts; and the Anthem breach, where the attackers used administrator credentials to query databases of PII.
The analysis of these breaches also brings up trends. Those trends expose the common attack vectors and attack surfaces hackers use to compromise a network and reach their intended target. Here are the trends I found in the recent history of breaches:
- Usage of valid third-party credentials to infiltrate the network. The breach of the Lockheed Martin network after the compromise of RSA’s SecurID seeds is an outstanding case that demonstrates that this attack vector can let hackers circumvent even protected network boundaries. The well-known Target breach (entry through an HVAC vendor’s credentials) and the OPM breach (entry through a contractor’s credentials) also support this trend. Organizations that allow remote connections into their network, whether through a contractor portal, point-of-sale systems or ICS controls, must have security controls in place to monitor those sessions and contain any intrusion with minimal damage.
- Dirty networks — In almost every breach mentioned here, the hackers gained more and more privileges as they moved about the network, compromising machine after machine. Organizations that practice strict credential hygiene eliminate the opportunities that credentials scattered across the network present. In such networks, accounts with privileged access to the organization’s servers are never used to log on to unprotected endpoints. That is exactly the scenario hackers look for to escalate privileges, since an attacker who controls a workstation can harvest the cached credentials or tokens of every privileged user who logs on to it. Stuxnet, for example, one of the most sophisticated pieces of malware found to date, used credentials to spread and maintain persistence in the most protected networks. The Aramco, Home Depot, Sands casino, Ukrainian power grid and Bangladesh Bank breaches (and many others) all share this attack vector.
- Security is a target — Security personnel and the security controls installed across the network have become a primary target for perpetrators. Attackers will hunt for the credentials of security operators and engineers, as those can be more than privileged: they not only grant access to sensitive assets across the network but also carry security-management privileges that allow manipulation of the controls themselves, such as disabling anti-virus, adding privileges or changing policies. Moreover, both organizations and attackers understand that security controls have their own attack surface, which is very lucrative to compromise. Compromising a security control like an anti-virus product lets attackers blind it, or even take over its highly privileged credentials, which in some cases expose every machine the control is installed on. It is evident that attackers target security personnel in social-engineering campaigns to phish their passwords; Operation Socialist (the Belgacom intrusion) is a supporting case here. However, there is little public information about exploitation of security controls, as this is very sensitive information. UPDATE: at the time of writing, it has been reported, citing unidentified sources, that Russian hackers leveraged the Kaspersky endpoint agent to obtain sensitive documents from the NSA and other organizations.
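The credential-hygiene rule in the “Dirty networks” trend (privileged accounts never log on to unprotected endpoints) can be checked mechanically. The following is an added example, not code from the original post: it parses constructed logon lines loosely modelled on Windows Security event 4624, assigns hosts and accounts to an assumed three-tier model (tier 0 = identity systems, tier 1 = servers, tier 2 = workstations), and flags every logon that leaves a higher-tier account’s credentials on a lower-tier machine. Host names, account names, tier assignments and the log lines themselves are assumptions.

```python
"""Tier-violation detection over logon events (added example, not from the original post).

Assumes a three-tier administrative model and a log line format loosely modelled
on Windows Security event 4624. Hosts, accounts, tiers and lines are constructed.
"""
import re
from dataclasses import dataclass

# Logon types that leave reusable secrets (password hash, Kerberos TGT, token) on
# the target host: Interactive (2), Batch (4), Service (5), Unlock (7),
# RemoteInteractive/RDP (10), CachedInteractive (11). Plain network logons (3)
# do not leave reusable secrets on the target by default, so they are not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}

# Constructed asset inventory: tier of each host (lower number = more trusted).
HOST_TIER = {"DC01": 0, "FILESRV01": 1, "SQL01": 1, "WS-ALICE": 2, "WS-BOB": 2}

# Constructed account classification: the most trusted tier the account administers.
ACCOUNT_TIER = {
    "CORP\\da-admin": 0,    # member of Domain Admins
    "CORP\\srv-admin": 1,   # server administrator
    "CORP\\svc-backup": 1,  # service account that should only run on servers
    "CORP\\alice": 2,
    "CORP\\bob": 2,
}


@dataclass(frozen=True)
class LogonEvent:
    account: str
    host: str
    logon_type: int


_KV = re.compile(r"(\w+)=(\S+)")


def parse_logon_events(text):
    """Parse successful-logon (4624) lines into LogonEvent records; other event IDs are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(_KV.findall(line))
        if fields.get("EventID") != "4624":
            continue
        events.append(LogonEvent(fields["TargetUserName"], fields["Computer"], int(fields["LogonType"])))
    return events


def is_tier_violation(ev, host_tier=HOST_TIER, account_tier=ACCOUNT_TIER):
    """True when an account from a more trusted tier exposes its credentials on a less trusted host."""
    if ev.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return False
    acct_tier = account_tier.get(ev.account)
    target_tier = host_tier.get(ev.host)
    if acct_tier is None or target_tier is None:
        return False  # unknown account or host: an inventory gap, to be surfaced separately
    return target_tier > acct_tier


def find_violations(events, host_tier=HOST_TIER, account_tier=ACCOUNT_TIER):
    return [ev for ev in events if is_tier_violation(ev, host_tier, account_tier)]


# Constructed sample: a domain admin RDPs to a workstation, a server service
# account starts a service on a workstation, the rest is normal activity.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=CORP\\da-admin Computer=WS-ALICE LogonType=10
EventID=4624 TargetUserName=CORP\\da-admin Computer=DC01 LogonType=2
EventID=4624 TargetUserName=CORP\\svc-backup Computer=WS-BOB LogonType=5
EventID=4624 TargetUserName=CORP\\alice Computer=WS-ALICE LogonType=2
EventID=4624 TargetUserName=CORP\\srv-admin Computer=FILESRV01 LogonType=3
EventID=4624 TargetUserName=CORP\\srv-admin Computer=WS-BOB LogonType=3
EventID=4625 TargetUserName=CORP\\da-admin Computer=WS-BOB LogonType=10
"""

if __name__ == "__main__":
    for ev in find_violations(parse_logon_events(SAMPLE_LOG)):
        print(f"TIER VIOLATION: {ev.account} logon type {ev.logon_type} on {ev.host}")
```

Run against the sample, the check reports the domain admin’s RDP session to WS-ALICE and the backup service account running on WS-BOB; the network logons of the server admin to a workstation are deliberately not flagged, because type 3 logons do not leave reusable secrets behind, and the failed logon (4625) is skipped by the parser.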
Finally, we can discuss the future of data breaches, targeted attacks and credential theft. Based on the recent breaches and the trends listed above, here is a concise “forecast”:
- Clouds and fog — Migration to cloud infrastructure, whether private or public, might be a major pain for access and privilege management and for operational visibility. Security Operations Center (SOC) teams, who control and monitor privileged activity, might not have the visibility required to spot malicious or suspicious activity in time. Therefore, time to detection (currently about 110 days on average) might rise again to the numbers we saw 2–3 years ago (220 days and above).
- 2-factor vs. Single Sign-On (SSO) — As cloud becomes the standard infrastructure for enterprise services, Single Sign-On mechanisms become common and necessary to let users work smoothly without typing their passwords more than they already do, which is tiring enough. SSO mechanisms like Okta’s require users to enter their password about once a day to access all the organization’s services, using a session token kept somewhere on the endpoint. If 2-factor authentication is deployed, the user authenticates with the second factor and then receives this token, which must have a long enough lifespan to allow the user a password-less working day. From the offensive point of view, hackers already inside the network will embrace a technology that lets them bypass 2-factor authentication: a legitimate token stolen from the endpoint and replayed is as good as the user’s password and second factor together, and it never triggers a second-factor prompt. To counter that vector, organizations will have to monitor privileged accounts’ actions closely, watch for tokens being used from a different device or location than the one that passed authentication, and limit SSO to services and users that do not pose immense risk.
- Accurate privileges — As privileged account management and protection become second nature to security teams, attackers will have to adapt and use compromised credentials with the least privileges they require, to avoid exposure. Since highly privileged accounts are more likely to be closely monitored, attackers will create new accounts with specific privileges, or grant a non-privileged account the specific permissions they need, to gain access on one hand and, on the other, avoid the restrictions and potential exposure by SOC teams. This offensive least-privilege concept will require organizations to continuously monitor and assess the privileges of all accounts, not just the ones flagged as administrators.
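The token-replay vector in the “2-factor vs. SSO” forecast above, as an added example that is not part of the original post and not any SSO vendor’s code: a small audit over constructed SSO log lines that flags application accesses inconsistent with the session’s issuance, that is, a token used from a different source IP or user agent than the one that passed 2-factor, used past its assumed lifetime, or used with no recorded issuance at all. The log format, field names, IPs, user agents and the 12-hour lifetime are assumptions.

```python
"""Detect SSO session tokens replayed from somewhere other than where they were issued.

Added example, not from the original post or any SSO vendor. Assumes an audit log
in which each line records either a session issuance (after password + second
factor) or an application access carrying the session id, source IP and user agent.
All field names, hosts, IPs, user agents and lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SESSION_LIFETIME = timedelta(hours=12)  # assumed maximum token lifetime


@dataclass(frozen=True)
class SsoEvent:
    ts: datetime
    user: str
    session: str
    action: str       # "issued" or "access"
    src_ip: str
    user_agent: str
    app: str


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_sso_log(text):
    """Parse key="value" audit lines into SsoEvent records; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        f = dict(_KV.findall(line))
        if not f:
            continue
        events.append(SsoEvent(datetime.fromisoformat(f["ts"]), f["user"], f["session"],
                               f["action"], f["src_ip"], f["ua"], f.get("app", "")))
    return events


def audit_sessions(events, lifetime=SESSION_LIFETIME):
    """Return (session, app, finding) tuples for accesses inconsistent with the session's issuance."""
    issued = {}   # session id -> issuance event (the context that passed 2-factor)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "issued":
            issued[ev.session] = ev
            continue
        origin = issued.get(ev.session)
        if origin is None:
            findings.append((ev.session, ev.app, "no_issuance_seen"))
            continue
        if ev.user != origin.user:
            findings.append((ev.session, ev.app, "user_mismatch"))
        if ev.ts - origin.ts > lifetime:
            findings.append((ev.session, ev.app, "used_after_lifetime"))
        if ev.user_agent != origin.user_agent:
            findings.append((ev.session, ev.app, "user_agent_changed"))
        if ev.src_ip != origin.src_ip:
            findings.append((ev.session, ev.app, "source_ip_changed"))
    return findings


# Constructed sample: alice's token is replayed by a script from another host,
# then used again after the assumed lifetime; bob's session was never issued here.
SAMPLE_SSO_LOG = """\
ts="2017-11-06T09:00:00" user="alice" session="s-4f1a" action="issued" src_ip="10.1.1.5" ua="Chrome/62 Windows"
ts="2017-11-06T09:05:00" user="alice" session="s-4f1a" action="access" app="mail" src_ip="10.1.1.5" ua="Chrome/62 Windows"
ts="2017-11-06T09:40:00" user="alice" session="s-4f1a" action="access" app="hr" src_ip="10.1.1.5" ua="Chrome/62 Windows"
ts="2017-11-06T10:12:00" user="alice" session="s-4f1a" action="access" app="hr" src_ip="10.1.1.77" ua="python-requests/2.18"
ts="2017-11-06T22:30:00" user="alice" session="s-4f1a" action="access" app="mail" src_ip="10.1.1.5" ua="Chrome/62 Windows"
ts="2017-11-06T09:10:00" user="bob" session="s-9c02" action="access" app="finance" src_ip="10.1.1.9" ua="Firefox/56 Windows"
"""

if __name__ == "__main__":
    for session, app, finding in audit_sessions(parse_sso_log(SAMPLE_SSO_LOG)):
        print(f"{session} -> {app}: {finding}")
```

The source-IP check is the noisiest of the four on real networks (laptops roam between offices, VPN and home), so in practice it is weighted lower than a user-agent change or a post-lifetime use, but a token whose IP and user agent change together is exactly the signature of a token lifted from one endpoint and replayed from another.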
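For the “Accurate privileges” forecast, an added example (not from the original post) of the continuous privilege assessment it calls for: two constructed directory snapshots are diffed on effective rights, resolving nested group membership, so that a user quietly added to an inconspicuous nested group, or a new account created with exactly one sensitive right, shows up even though no administrator group changed. The snapshot shape, group names, accounts and the set of rights treated as sensitive are all assumptions.

```python
"""Diff effective account privileges between two directory snapshots, through nested groups.

Added example, not from the original post. Snapshots use a made-up shape:
{"users": [...], "groups": {name: {"members": [users or groups], "rights": [...]}}}.
Group, account and right names are invented for illustration.
"""

SENSITIVE_RIGHTS = {"domain_admin", "backup_operator", "read:finance-db"}  # assumed policy


def effective_rights(snapshot, account):
    """Union of the rights of every group reachable from the account via nested membership."""
    groups = snapshot["groups"]
    parents = {}  # member -> groups that list it directly
    for gname, g in groups.items():
        for m in g["members"]:
            parents.setdefault(m, []).append(gname)
    rights, seen, stack = set(), set(), [account]
    while stack:
        node = stack.pop()
        for gname in parents.get(node, []):
            if gname in seen:
                continue  # tolerate group cycles
            seen.add(gname)
            rights.update(groups[gname]["rights"])
            stack.append(gname)
    return rights


def all_rights(snapshot):
    return {u: effective_rights(snapshot, u) for u in snapshot["users"]}


def privilege_drift(prev, curr, sensitive=SENSITIVE_RIGHTS):
    """Report accounts whose effective rights changed between snapshots, marking sensitive changes."""
    before, after = all_rights(prev), all_rights(curr)
    findings = []
    for acct in sorted(set(before) | set(after)):
        old, new = before.get(acct), after.get(acct)
        if old is None:
            findings.append({"account": acct, "kind": "new_account", "rights": sorted(new),
                             "sensitive": bool(new & sensitive)})
        elif new is None:
            findings.append({"account": acct, "kind": "removed_account", "rights": sorted(old),
                             "sensitive": bool(old & sensitive)})
        else:
            gained, lost = new - old, old - new
            if gained:
                findings.append({"account": acct, "kind": "rights_gained", "rights": sorted(gained),
                                 "sensitive": bool(gained & sensitive)})
            if lost:
                findings.append({"account": acct, "kind": "rights_lost", "rights": sorted(lost),
                                 "sensitive": bool(lost & sensitive)})
    return findings


# Constructed snapshots. Between them: bob is added to Finance-Analysts (a nested
# member of Finance-DB-Readers), a new service account gets one sensitive right,
# and a new ordinary user joins VPN-Users. No admin group changes at all.
PREV = {
    "users": ["alice", "bob", "da-admin"],
    "groups": {
        "Domain Admins": {"members": ["da-admin"], "rights": ["domain_admin"]},
        "VPN-Users": {"members": ["alice", "bob", "da-admin"], "rights": ["vpn"]},
        "Finance-Analysts": {"members": ["alice"], "rights": []},
        "Finance-DB-Readers": {"members": ["Finance-Analysts"], "rights": ["read:finance-db"]},
    },
}
CURR = {
    "users": ["alice", "bob", "da-admin", "svc-report", "carol"],
    "groups": {
        "Domain Admins": {"members": ["da-admin"], "rights": ["domain_admin"]},
        "VPN-Users": {"members": ["alice", "bob", "da-admin", "carol"], "rights": ["vpn"]},
        "Finance-Analysts": {"members": ["alice", "bob"], "rights": []},
        "Finance-DB-Readers": {"members": ["Finance-Analysts", "svc-report"], "rights": ["read:finance-db"]},
    },
}

if __name__ == "__main__":
    for f in privilege_drift(PREV, CURR):
        flag = "SENSITIVE" if f["sensitive"] else "info"
        print(f"[{flag}] {f['account']}: {f['kind']} {f['rights']}")
```

Diffing effective rights rather than group membership is the point: a review that only watches Domain Admins sees nothing here, while bob’s new read access to the finance database and the fresh service account holding exactly that one right are the low-privilege footholds the forecast describes.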
This concise review of the history of credential theft exposes the significance of credentials in the hands of hackers. Credentials were a key asset in breaches 8 years ago, and those very same credentials still play a major role in all recent security breaches. Third parties, dirty networks and security controls will probably continue to lead the targeted-attack threat landscape, while visibility and authentication challenges gain more and more momentum.
As fascinating as it was to list and analyze recent security breaches, it will surely be fascinating to return to this analysis towards the end of 2018, review the breaches of the year and confront the trends and forecast with the newly registered facts. We will have to wait and see…