SAN FRANCISCO — Major trends in cyberattacks see threat actors reusing old tactics to create greater disruption. These include living off the cloud, bypassing multi-factor authentication, threats to data backups, stalkerware and satellite attacks, according to SANS Institute leaders during day three of the RSA conference.
Vowing to “keep it boring,” Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite and SANS faculty member, explained that “attackers are using old techniques to do fancy new things.”
Organizations need to go back to basics. “As technology evolves and things change for us as users, what impact does that have on attacks?” Mahalik said. Attackers use new techniques, but they also rely heavily on things that work, because “why would they reinvent the wheel?”
“If you’re an attacker and want to access it, why not use what’s already working?” she added.
This can be seen in the shift from living off the land to living off the cloud. In 2020, the living-off-the-land technique flourished, abusing binaries and tools built into the operating system.
While living off the land is still a widespread threat, Katie Nickels, director of intelligence for Red Canary and senior nonresident fellow at the Atlantic Council, explained that organizations also need to monitor attacks living off the cloud, because it’s “not enough to pay attention to operating systems and endpoints.”
The method isn’t new, but Nickels said attacks leveraging cloud services are on the rise, matching the enterprise’s increased use of those services. Cloud services make it simple, inexpensive and convenient for an attacker to set up infrastructure.
“Adversaries can easily spin up infrastructure to compromise our organizations, and it also makes it easier for them to blend in,” Nickels said. “As a network traffic advocate, it’s hard for me to tell: is this cloud traffic legitimate or benign? It’s really hard.”
“We all use cloud services legitimately in our organizations, things go right through those firewalls and proxies,” she continued.
For example, in “living off SaaS” attacks, threat actors turn to ngrok, software used by developers to share code without needing to host a domain. Malicious users can take advantage of the same software to easily obtain a URL; Nickels noted that ngrok is “ideal for the developer, but also ideal for adversaries.”
So how can organizations fight against what they don’t see? The answer is not simply to change the detection response or block all bad domains, especially since ngrok is legitimate software.
“It’s an infrastructure thing,” Nickels said. “Know the normal, find the wrong … use what’s normal for cloud services in your environment to help identify the bad stuff.”
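One way to put “know the normal, find the wrong” into practice is to baseline the cloud destinations seen in web proxy logs and flag what falls outside it. The code below is an added illustration, not code from the talk or from Red Canary; the log format, hostnames and thresholds are constructed assumptions.

```python
"""Baseline check for cloud destinations in web proxy logs ("know the normal, find the wrong").
Illustrative code added here, not from the talk or from Red Canary; the log format,
hostnames and thresholds are constructed assumptions."""
from collections import defaultdict

# Constructed log lines: "<timestamp> <source_host> <dest_host> <bytes_sent>"
BASELINE_LOGS = """\
2021-05-10T09:00:01Z ws-101 outlook.office365.com 1200
2021-05-10T09:01:10Z ws-101 slack.com 400
2021-05-10T09:02:00Z ws-103 github.com 2200
2021-05-10T09:04:00Z ws-104 outlook.office365.com 1100
"""
RECENT_LOGS = """\
2021-05-11T14:00:02Z ws-101 outlook.office365.com 1000
2021-05-11T14:01:45Z ws-103 a1b2c3d4.ngrok.io 48000
2021-05-11T14:02:00Z ws-103 a1b2c3d4.ngrok.io 52000
2021-05-11T14:02:30Z ws-102 github.com 1500
2021-05-11T14:03:00Z ws-104 github.com 30000
"""

def parse(log_text):
    """Yield (source_host, dest_host, bytes_sent); malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3])

def registrable_domain(host):
    """Crude: last two DNS labels (a real tool would consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def build_baseline(log_text):
    """Normal = domains seen in the learning window, with the largest single upload per domain."""
    max_sent = defaultdict(int)
    for _src, dst, sent in parse(log_text):
        dom = registrable_domain(dst)
        max_sent[dom] = max(max_sent[dom], sent)
    return dict(max_sent)

def find_anomalies(baseline, log_text, upload_factor=10):
    """Flag domains absent from the baseline, and known domains with uploads far above their baseline max."""
    findings = []
    for src, dst, sent in parse(log_text):
        dom = registrable_domain(dst)
        if dom not in baseline:
            findings.append((src, dst, "new cloud destination not in baseline"))
        elif sent > baseline[dom] * upload_factor:
            findings.append((src, dst, "upload far above baseline for this domain"))
    return findings
```

Run against the constructed logs, the two ngrok tunnel hits surface as unseen destinations and the oversized GitHub upload as an outlier on a known-good domain.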
Actors Bypassing Multi-Factor Authentication
While admitting it may be “more of a shiny object,” Nickels is also concerned about threat actors bypassing multi-factor authentication. MFA is “an incredibly powerful force for security,” but nation-state hackers have used brute force attacks to gain access to an account, simply by guessing the password.
Even if a targeted organization has disabled the MFA service for an employee, the attacker can still access the account in Active Directory if the account itself has not been disabled. In one attack, the threat actor was able to pivot from AD and re-enable the MFA service for the targeted account, to “essentially bypass MFA.”
However, “just because adversaries can bypass doesn’t mean you should stop using MFA, which prevents 99% of the problems,” Nickels said. “Keep using it, but think about how you implement it…and come back to proven methods that will help you with this technique.”
Johannes Ullrich, Dean of Research for the SANS Technology Institute, SANS faculty member and founder of the Internet Storm Center, added that the most common problem with MFA implementations is the mishandling of lost, broken or stolen second-factor authenticators. Entities should review their password reset and recovery policies, especially in the wake of something like a web breach.
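The gap Nickels describes, an AD account left enabled while its MFA service is off, can be audited by joining an AD export against the MFA provider's enrollment export, and the re-enable step can be spotted in the MFA event log. The code below is an added example, not the speakers' or any vendor's code; both export formats and the event format are constructed.

```python
"""Audit for the MFA gap described above: AD accounts that remain enabled while their
MFA service is off, plus MFA enable/enrol events on exactly those accounts.
Added example, not the speakers' or any vendor's code; both export formats are constructed."""
import csv
import io

# Constructed exports; in practice these would come from AD and the MFA provider's admin API.
AD_EXPORT = """\
sam_account,enabled
jdoe,True
asmith,True
contractor7,False
svc_backup,True
"""
MFA_EXPORT = """\
sam_account,mfa_enabled,factor_enrolled
jdoe,True,True
asmith,False,False
contractor7,False,False
svc_backup,True,False
"""
MFA_EVENTS = """\
2021-05-11T02:13:00Z,asmith,mfa_service_enabled
2021-05-11T02:14:30Z,asmith,factor_enrolled
2021-05-11T09:00:00Z,jdoe,factor_enrolled
"""

def load_csv(text):
    """Index a CSV export by sam_account (csv yields strings, so 'True' is compared literally)."""
    return {row["sam_account"]: row for row in csv.DictReader(io.StringIO(text))}

def mfa_protected(mfa_row):
    return mfa_row is not None and mfa_row["mfa_enabled"] == "True" and mfa_row["factor_enrolled"] == "True"

def accounts_open_to_bypass(ad_text, mfa_text):
    """Enabled AD accounts with MFA off or no factor enrolled: a guessed password alone gets in."""
    ad, mfa = load_csv(ad_text), load_csv(mfa_text)
    return sorted(sam for sam, row in ad.items()
                  if row["enabled"] == "True" and not mfa_protected(mfa.get(sam)))

def suspicious_reenrollments(mfa_text, events_text):
    """MFA enable/enrol events on accounts the export shows as unprotected: the re-enable step from the talk."""
    mfa = load_csv(mfa_text)
    hits = []
    for line in events_text.splitlines():
        ts, sam, action = line.split(",")
        if action in ("mfa_service_enabled", "factor_enrolled") and not mfa_protected(mfa.get(sam)):
            hits.append((ts, sam, action))
    return hits
```

Every hit from the second function should match a helpdesk ticket; an enable-then-enrol pair at 02:13 with no ticket is the pattern to investigate.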
Medical safeguards under threat
Another notable threat to the healthcare industry is the ongoing risks associated with backups. Backups are generally said to be essential to ensure that systems can be effectively recovered from a ransomware attack, but what happens when backups are corrupted by the attacker?
Most organizations have a diverse set of backup technologies, including some stored in the cloud, Ullrich explained. Each comes with its own attack methods, made easier by possible misconfigurations, password mistakes and other errors.
Attackers just have to “take advantage of this instrumentation,” Ullrich said. If users stop clicking on malicious attachments or links, attackers can switch to stealthier methods.
It’s the same idea as living-off-the-cloud tactics, where an actor gets into the backup solution and “sets up a second destination.” Attacks become more evasive when entities use the same cloud provider for services as they do for cloud backups. This is an ideal way to “make it even more difficult to identify that something strange is going on,” he added.
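The “second destination” Ullrich describes is a configuration change, so it can be caught by comparing the backup job configuration against an approved destination list kept outside the backup console and against the last reviewed snapshot. The code below is an added example, not the speakers' or any backup product's code; the JSON layout, job names and destination URIs are constructed.

```python
"""Audit a backup job configuration for the "second destination" tactic described above:
flag any target not on the approved list, and any target added since the last reviewed snapshot.
Added example, not the speakers' or any backup product's code; the JSON layout is constructed."""
import json

# Assumed allowlist, maintained outside the backup product so a compromised console cannot edit it
APPROVED_DESTINATIONS = {"s3://corp-backups-prod", "file:///mnt/tape-staging"}

# Constructed snapshot taken at the last configuration review
LAST_REVIEWED = json.dumps({"jobs": [
    {"name": "fileservers-nightly", "destinations": ["s3://corp-backups-prod"]},
    {"name": "sql-hourly", "destinations": ["s3://corp-backups-prod", "file:///mnt/tape-staging"]},
]})
# Constructed current config: an extra bucket in the same cloud was quietly added to one job
CURRENT = json.dumps({"jobs": [
    {"name": "fileservers-nightly", "destinations": ["s3://corp-backups-prod", "s3://cb-prod-archive-2"]},
    {"name": "sql-hourly", "destinations": ["s3://corp-backups-prod", "file:///mnt/tape-staging"]},
]})

def destinations_by_job(config_text):
    """Map job name -> set of destination URIs from the constructed JSON layout."""
    return {job["name"]: set(job.get("destinations", [])) for job in json.loads(config_text)["jobs"]}

def audit_backup_destinations(current_text, reviewed_text, approved=APPROVED_DESTINATIONS):
    """Return (job, destination, reason) findings; one destination can trigger both reasons."""
    current, reviewed = destinations_by_job(current_text), destinations_by_job(reviewed_text)
    findings = []
    for job, dests in sorted(current.items()):
        for dest in sorted(dests):
            if dest not in approved:
                findings.append((job, dest, "destination not on approved list"))
            if dest not in reviewed.get(job, set()):
                findings.append((job, dest, "destination added since last review"))
    return findings
```

The second reason matters even for approved targets: a destination that is on the allowlist but was added to a job without review is still a change someone should be able to account for.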
Everyone is a target, so no entity should believe they are not important enough to be targeted, Mahalik explained. Even if something was a common threat in the past, hackers will still take advantage of old techniques that are seeing continued success.