The relationship between cyberthreats and apps on enterprise networks

Network security company Palo Alto Networks released its 2014 Application Usage and Threat Report (AUTR) on 3 June. The report aims to show business leaders and security practitioners where they need to reassess and strengthen their security posture.

Based on analysis of traffic data collected from 5,500 network assessments and billions of threat logs over a 12-month period, the report shows how attackers use commonly deployed business applications to bypass security controls.

Key findings of the AUTR include the following:

  • Common sharing applications such as e-mail, social media, and video remain favoured vehicles for delivering attacks but are often the start of multi-phased attacks rather than the focus of threat activity.
  • 99 percent of all malware logs were generated by a single threat using UDP; attackers also use applications like FTP, RDP, SSL, and NetBIOS to mask their activities.
  • 34 percent of applications observed can use SSL encryption; many network administrators do not know which applications on their networks run unpatched versions of OpenSSL, which leaves them exposed to vulnerabilities such as Heartbleed.
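The last finding is an inventory problem: the question "which of our systems still run an unpatched OpenSSL?" has to be answered per host before anything can be fixed. The script below is an added example written for this page, not the report's data or any Palo Alto Networks tooling. It classifies `openssl version` banners against the Heartbleed (CVE-2014-0160) affected range, using the public facts that 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The host names and banners in `SAMPLE_INVENTORY` are constructed sample data.

```python
"""Classify OpenSSL version banners against the Heartbleed (CVE-2014-0160)
affected range, to answer "which of our systems still run an unpatched
OpenSSL?".

Added example, not from the report or Palo Alto Networks. Facts used:
CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, was
fixed in 1.0.1g, and the 0.9.8 and 1.0.0 branches never contained the
heartbeat code. The inventory below is constructed sample data.
"""
import re

# Matches the version part of an `openssl version` banner, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE)


def parse_version(banner):
    """Return (major, minor, patch, letter, beta) or None if not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (int(beta) if beta else None)


def heartbleed_status(banner):
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for one banner.

    Caveat: distributions such as Debian and Red Hat backport security fixes
    without changing the upstream version string, so 'vulnerable' means
    "version string inside the affected range". Confirm against the package
    changelog or with a heartbeat probe before acting on it.
    """
    v = parse_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return "vulnerable" if beta == 1 else "fixed"
    return "unaffected"


# Constructed inventory: (host, output of `openssl version` on that host).
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("lb-01", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("legacy-ftp", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("appliance", "LibreSSL 2.0.0"),
]


def triage(inventory):
    """Group hosts by status so the vulnerable ones can be patched first."""
    groups = {}
    for host, banner in inventory:
        groups.setdefault(heartbleed_status(banner), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-11s %s" % (status, ", ".join(hosts)))
```

The "unknown" bucket matters as much as the "vulnerable" one: an appliance that does not report an OpenSSL banner at all is exactly the kind of system the report says administrators lose track of, and it needs a vendor advisory or a direct probe rather than a version string.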

We spoke to Sharat Sinha, Vice President for Asia Pacific at Palo Alto Networks, to discuss some of the report's findings in detail. Besides enterprise applications and data breaches, Sharat also shared some security tips for enterprises that want to stay protected.

The report analyses applications that penetrate enterprise networks. Which apps are found to be the most susceptible to breaches?

The report findings showed that common sharing apps like e-mail, instant messaging and social media delivered roughly 30 percent of the threats observed, but the activity itself was strangely low.

Despite accounting for a high percentage of exploits, common sharing applications accounted for only five percent of threat activity. It was found that while common sharing apps were favoured vehicles for delivering attacks, they were the start of multi-phased attacks rather than the focus of threat activity.

In fact, social media delivers far less than anyone would imagine. User Datagram Protocol (UDP), Domain Name System (DNS) and Server Message Block (SMB) are consistently represented as commonly targeted by or used by threats. Secure Sockets Layer (SSL) use remains far higher than we think.

In light of the above, it is now evident that attackers are hiding in plain sight. This may sound like old news, but the data shows several examples where cyber threats use applications as their infiltration vectors, exhibit application-like evasion tactics, and either act as or use common network applications for lateral communications and exfiltration of data.

It is more profitable for hackers to target companies this way as they expose company secrets and confidential strategies -- ultimately creating huge losses for the overall business.

How can cybercriminals use apps to access the enterprise networks?

The attacker establishes a foothold, and then uses the compromised endpoint's or person's network credentials to move laterally within the network. The compromised endpoint itself is not the target; it is the vector through which the attacker enters the network and finds valuable IP or data to steal.

Think of someone robbing your house. The thief might break in through the front door or a side window, just like an exploit would enter your network using expected means like SMTP, IMAP or POP3. The thief then opens the back door to let his friend into the house; in network terms, this is the second payload being pulled down.

These two wander around your house, inspecting what you have that's worth stealing. In network terms, the attacker escalates privilege and now looks like a legitimate user on your network with full control over the endpoint (your house), but the endpoint itself is not the target. The two thieves see your big screen TV and your state-of-the-art sound system. They also see your jewellery case in the bedroom. They see these things because once they're inside your house, they can see everything; none of it is separately secured, just like what we are seeing in many of the networks we analyse.

Assets are there for the taking because security administrators have no isolation of data and have not segmented their networks.

So these two thieves load up your SUV in the garage with everything they want, close all the windows and doors behind them, open your garage from the inside, back out, close all the doors and drive away. The house looks totally normal from the outside, but your valuables are gone. In your network, the data exfiltration has occurred through a different application, perhaps via SSL, or FTP, or UDP.

What's at stake, and what do cybercriminals stand to gain?

This year, global cybercrime will cost companies approximately US$300 billion to US$1 trillion (2012 Law & Boardroom Study), and following a data breach, companies can expect the value of their brand to decline by as much as 30 percent.

Businesses fear cyberthreats because they mean lost data, lost assets, lost IP and lost reputation. Stolen information, such as billing details, addresses and credit card information, is sold to a variety of buyers, often for nefarious purposes such as identity theft, spam and phishing.

In light of last year's attacks on media and government-linked websites in Singapore, organisations are quickly learning that the problem will only get worse thanks to cyberwars for economic purposes, the increasing complexity of threats and the growing number of devices connected to the Internet.

What are some key learning points for enterprises based on the findings of the study; and what can enterprises do to protect themselves?

The traffic and associated threat patterns discussed within this report exemplify how cyber criminals are opportunistically hiding in plain sight, yet there are some fairly straightforward steps that organisations can take to minimise or eliminate the hiding places within the network.

Our advice to business leaders and security practitioners in light of the AUTR data is as follows:

  • Deploy a balanced safe enablement policy for common sharing applications. First determine which applications are in use and by whom. Then in collaboration with the business groups, determine the business use case, and establish security policies that enable the required applications while blocking others. Key to the success of this recommendation is documentation of the policies, education of your users, and periodically reviewing and updating the policy.
  • Control unknown traffic, isolate and segment business services and applications. Every network has unknown traffic. It is small in volume, averaging roughly 10 percent of the bandwidth observed, but it is high in risk. Controlling unknown UDP/TCP will allow you to quickly eliminate a significant volume of malware. As an extension of controlling unknown traffic, your business applications and services should be isolated, applying zero-trust principles based on the applications and users that require access.
  • Determine and selectively decrypt the applications that use SSL. The use of SSL is a double-edged sword. You get privacy and protection on one hand, but masking threats and exfiltration of data either directly or indirectly via exploits like Heartbleed on the other. Selective decryption, in conjunction with enablement policies outlined above can help you uncover and eliminate potential hiding places for cyber threats.
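The three recommendations above become concrete once they are written down as rules and run against real traffic records, which is also the cheapest way to see what a policy would block before enforcing it. The script below is an added example written for this page, not the report's data or a PAN-OS configuration: the user groups, zones, application names, URL categories and log lines are all constructed assumptions, and the "app" column stands in for whatever application identification the firewall provides.

```python
"""Turn the three AUTR recommendations into explicit policy rules and run them
over firewall traffic-log records.

Added example, not the report's data or a PAN-OS configuration: the user
groups, zones, application names, URL categories and log lines below are
constructed assumptions for illustration.
"""
import csv
import io
from collections import Counter

# Recommendation 1: safe-enablement policy agreed with each business group.
# Any application not listed for a group is blocked for that group.
ENABLED_APPS = {
    "marketing":   {"smtp", "ssl", "facebook", "youtube"},
    "engineering": {"smtp", "ssl", "ssh", "github"},
    "finance":     {"smtp", "ssl"},
}

# Recommendation 2: segmentation with zero trust between zones. Only these
# (group, destination zone) pairs may talk; unknown-tcp/udp is always dropped.
ZONE_ACCESS = {
    ("engineering", "dev-servers"),
    ("finance", "erp"),
    ("marketing", "internet"),
    ("engineering", "internet"),
    ("finance", "internet"),
}
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}

# Recommendation 3: selective decryption. SSL is decrypted unless the
# destination URL category is one that privacy rules exempt.
NO_DECRYPT_CATEGORIES = {"financial-services", "health"}


def evaluate(record):
    """Return (action, reason) for one traffic-log record.

    record keys used: user_group, dst_zone, app, url_category (may be empty).
    action is 'allow', 'allow+decrypt' or 'deny'.
    """
    group, zone, app = record["user_group"], record["dst_zone"], record["app"]
    if app in UNKNOWN_APPS:
        return "deny", "unknown traffic"
    if (group, zone) not in ZONE_ACCESS:
        return "deny", "zone %s not permitted for %s" % (zone, group)
    if app not in ENABLED_APPS.get(group, set()):
        return "deny", "app %s not enabled for %s" % (app, group)
    if app == "ssl":
        if record.get("url_category") in NO_DECRYPT_CATEGORIES:
            return "allow", "ssl, decryption exempt"
        return "allow+decrypt", "ssl to non-exempt category"
    return "allow", "policy match"


# Constructed traffic-log sample in the column layout evaluate() expects.
SAMPLE_LOG = """\
user_group,src_zone,dst_zone,app,url_category,bytes
marketing,users,internet,facebook,social-networking,18342
engineering,users,dev-servers,ssh,,4096
finance,users,erp,unknown-tcp,,22000
marketing,users,dev-servers,ssh,,512
finance,users,internet,ssl,financial-services,9032
engineering,users,internet,ssl,unknown,77120
marketing,users,internet,bittorrent,,100000
"""


def parse_log(log_text):
    """Parse the CSV log into a list of dicts (one per flow)."""
    return list(csv.DictReader(io.StringIO(log_text)))


def run_policy(log_text):
    """Evaluate every flow; returns [(group, zone, app, action, reason), ...]."""
    return [(r["user_group"], r["dst_zone"], r["app"]) + evaluate(r)
            for r in parse_log(log_text)]


def summarize(log_text):
    """Count actions, to see how much a policy would block before enforcing it."""
    return dict(Counter(row[3] for row in run_policy(log_text)))


def unknown_share(log_text):
    """Fraction of bytes carried by unknown-tcp/udp: small in volume, high in risk."""
    rows = parse_log(log_text)
    total = sum(int(r["bytes"]) for r in rows)
    unknown = sum(int(r["bytes"]) for r in rows if r["app"] in UNKNOWN_APPS)
    return unknown / total if total else 0.0


if __name__ == "__main__":
    for group, zone, app, action, reason in run_policy(SAMPLE_LOG):
        print("%-12s -> %-12s %-12s %-14s %s" % (group, zone, app, action, reason))
    print(summarize(SAMPLE_LOG))
    print("unknown traffic share: %.1f%%" % (100 * unknown_share(SAMPLE_LOG)))
```

Two design points carry over to a real deployment. The unknown-traffic check runs first and unconditionally, because an unidentified flow cannot be matched against an application allow list at all. The zone check runs before the application check so that a user group reaching a zone it has no business in is denied even when the application itself (SSH in the sample) is one that group may use elsewhere.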

What do enterprises have to do to ensure that their customers are protected?

Enterprises owe it to their customers to ensure that all data, including credit card information, mailing lists and personal information, are protected. The recent eBay data breach exemplifies the importance of this responsibility, and it is imperative for governments, organisations and enterprises alike to have software in place that will provide fool-proof protection to the network, which will in turn ensure peace of mind when it comes to customer protection.

For this to succeed, collaboration between the business and government sectors is critical to protect the infrastructure and customer data that sustain businesses everywhere.

The good news is that we are already seeing such collaborations in the region, such as the Asia Pacific Computer Emergency Response Team (APCERT), which provides technical assistance and best-practice sharing and training amongst its members.

We can expect to see more of such initiatives in the future, led by the respective governments in the region.

Stories by Zafirah Salim