Network security company Palo Alto Networks released its 2014 Application Usage and Threat Report (AUTR) on 3 June. The report aims to show business leaders and security practitioners where they need to reassess and strengthen their security posture.
Based on analysis of traffic data collected from 5,500 network assessments and billions of threat logs over a 12-month period, the report shows how attackers exploit commonly used business applications to bypass security controls.
Key findings of the AUTR include the following:
- Common sharing applications such as e-mail, social media, and video remain favoured vehicles for delivering attacks but are often the start of multi-phased attacks rather than the focus of threat activity.
- 99 percent of all malware logs were generated by a single threat using UDP; attackers also use applications like FTP, RDP, SSL, and NetBIOS to mask their activities.
- 34 percent of applications observed can use SSL encryption; many network administrators are unaware of which applications on their networks use unpatched versions of OpenSSL, leaving them exposed to vulnerabilities such as Heartbleed.
We spoke to Sharat Sinha, Vice President for Asia Pacific of Palo Alto Networks, to discuss some of the report's findings in more detail. Aside from discussing issues surrounding enterprise applications and data breaches, Sharat also shared some security tips for enterprises to stay protected.
The report analyses applications that penetrate enterprise networks. Which apps are found to be the most susceptible to breaches?
The report findings showed that common sharing apps like e-mail, instant messaging and social media delivered roughly 30 percent of the threats observed, but the activity itself was strangely low.
Despite accounting for a high percentage of exploits, common sharing applications accounted for only five percent of threat activity. It was found that while common sharing apps were favoured vehicles for delivering attacks, they were the start of multi-phased attacks rather than the focus of threat activity.
In fact, social media delivers far less than anyone would imagine. User Datagram Protocol (UDP), Domain Name System (DNS) and Server Message Block (SMB) are consistently represented as commonly targeted by or used by threats. Secure Sockets Layer (SSL) use remains far higher than we think.
In light of the above, it is now evident that attackers are hiding in plain sight. This may sound like old news, but the data shows several examples where cyber threats use applications as their infiltration vectors, exhibit application-like evasion tactics, and either act as, or use, common network applications for lateral communications and exfiltration of data.
It is more profitable for hackers to target companies this way as they expose company secrets and confidential strategies -- ultimately creating huge losses for the overall business.
How can cybercriminals use apps to access the enterprise networks?
The attacker establishes a foothold, and then uses the compromised endpoint's or person's network credentials to move laterally within the network. The compromised endpoint itself is not the target; it is the vector through which the attacker enters the network and finds valuable IP or data to steal.
Think of someone robbing your house. The thief might break in through the front door or a side window, just like an exploit would enter your network using expected means like SMTP, IMAP or POP3. The thief then opens the back door to let his friend into the house; in network terms, this is the second payload being pulled down.
These two wander around your house, inspecting what you have that's worth stealing. In network terms, the attacker escalates privilege and now looks like a legitimate user on your network with full control over the endpoint (your house), but the endpoint itself is not the target. The two thieves see your big-screen TV and your state-of-the-art sound system. They also see your jewellery case in the bedroom. They see these things because once they're inside your house, they can see everything; none of it is separately secured, just like what we are seeing in many of the networks we analyse.
Assets are there for the taking because security administrators have no isolation of data and have not segmented their networks.
So these two thieves load up your SUV in the garage with everything they want, close all the windows and doors behind them, open your garage from the inside, back out, close all the doors and drive away. The house looks totally normal from the outside, but your valuables are gone. In your network, the data exfiltration has occurred through a different application, perhaps via SSL, or FTP, or UDP.
What's at stake, and what do cybercriminals stand to gain?
This year, global cybercrime will cost companies approximately US$300 billion to US$1 trillion alone (2012 Law & Boardroom Study), and following a data breach, companies can expect the value of their brand to decline by as much as 30 percent.
Businesses fear cyberthreats because they mean lost data, lost assets, lost IP and lost reputation. Stolen information, such as billing details, addresses and credit card information, is sold to a variety of buyers, often for nefarious purposes such as identity theft, spam and phishing.
In light of last year's attacks on media and government-linked websites in Singapore, organisations are quickly learning that the problem will only get worse thanks to cyberwars for economic purposes, the increasing complexity of threats and the growing number of devices connected to the Internet.
What are some key learning points for enterprises based on the findings of the study; and what can enterprises do to protect themselves?
The traffic and associated threat patterns discussed within this report exemplify how cybercriminals are opportunistically hiding in plain sight, yet there are some fairly straightforward steps that organisations can take to minimise or eliminate the hiding places within the network.
Our advice to business leaders and security practitioners in light of the AUTR data is as follows:
- Deploy a balanced safe enablement policy for common sharing applications. First determine which applications are in use and by whom. Then, in collaboration with the business groups, determine the business use case, and establish security policies that enable the required applications while blocking others. Key to the success of this recommendation is documenting the policies, educating your users, and periodically reviewing and updating the policy.
- Control unknown traffic, and isolate and segment business services and applications. Every network has unknown traffic. It is small in volume, averaging roughly 10 percent of the bandwidth observed, but it is high in risk. Controlling unknown UDP/TCP will allow you to quickly eliminate a significant volume of malware. As an extension of controlling unknown traffic, your business applications and services should be isolated, applying zero-trust principles based on the applications and users that require access.
- Determine and selectively decrypt the applications that use SSL. The use of SSL is a double-edged sword. You get privacy and protection on one hand, but masking of threats and exfiltration of data, either directly or indirectly via exploits like Heartbleed, on the other. Selective decryption, in conjunction with the enablement policies outlined above, can help you uncover and eliminate potential hiding places for cyber threats.
What do enterprises have to do to ensure that their customers are protected?
Enterprises owe it to their customers to ensure that all data, including credit card information, mailing lists and personal information, is protected. The recent eBay data breach exemplifies the importance of this responsibility, and it is imperative for governments, organisations and enterprises alike to have software in place that will provide fool-proof protection to the network, which will in turn ensure peace of mind when it comes to customer protection.
For this to succeed, collaboration between the business and government sectors is critical to protect the infrastructure and customer data that sustain businesses everywhere.
The good news is that we are already seeing such collaborations in the region, such as the Asia Pacific Computer Emergency Response Team (APCERT), which provides technical assistance and best-practice sharing and training amongst its members.
We can expect to see more such initiatives in the future, led by the respective governments in the region.