Current p2p trends threatening enterprise security

File sharing has become more commonplace, which means there are common threats that lurk in p2p traffic

Security threats from peer-to-peer (p2p) communication are nothing new, but they are becoming more sophisticated. From ransomware to botnets, these are global threats that continue to evolve in more sophisticated ways. If security teams aren’t looking for them, they may go undetected, which could be costly for the enterprise.

The TrendLabs Security Intelligence blog has been talking about ransomware and CryptoLocker threats for the better part of this decade and the last. In her August 2015 post, Macro Threats and Ransomware Make Their Mark: A Midyear Look at the Email Landscape, Maydalene Salvador noted that the number of spammed messages in 2014 was nearly 200 billion emails.

“But not all spammed messages related to macro threats had attachments. Other emails contained links that led to legitimate file hosting websites like Dropbox, where the malicious file is hosted,” Salvador wrote.

Whether the attachments encrypt files and hold them for ransom or inject malware that can then steal credentials, users continue to click on and share these virulent attachments. These massive campaigns continue to benefit the bad guys by granting them access or delivering a payload.

Chase Cunningham, director of cyber threat research, and Jeff Schilling, CSO, both of Armor, spoke about today’s common p2p threat, the CryptoLocker campaign. Schilling said, “Individual computer threat actors are sending phishing emails to victims. That crypto software sees what protocols are open across your network. Then they lock up the files, encrypt them, and hold them for ransom.”


Criminals have now entered the server arena, said Schilling.

“It used to be botnets five years ago, but they made the switch to web servers which gives them more power. If you don’t have a lot of p2p protocols, they can compromise one server and then gain deeper access,” he continued.

Cunningham added, “From a technical perspective, if your infrastructure is not seeing what is going on in the network, you’re not going to see the p2p traffic. If your organization is not actively engaged in collecting targeted threat intelligence, you don’t know what may show up in your network.”

There is almost no regulation in the p2p file sharing software industry, said Schilling, “So who’s to say what ports and protocols are in there?”

One solution is to monitor for it, all the way down the entire stack. “You need to have threat intelligence. Most organizations are lucky if they have antivirus and anti-malware,” said Schilling, but they need consistent monitoring.

A common monitoring problem, said Schilling, is that most network traffic is monitored north to south. Observing the east-to-west connections between a server in the environment and other servers will unveil different threats.

“Most organizations don’t put the sensors in between the servers to pick up that p2p activity. We had a customer last year who had a botnet enter into the corporate environment, and it spread to one server in our environment, but we blocked it because we were monitoring east to west and had a whitelisting,” said Schilling.

While there are multiple tools on the market that map out the network and inform IT professionals about all its connections, “A lot of people don’t want to invest in those tools,” said Schilling. “They don’t because they really don’t want to know how bad it is.”

Cunningham and Schilling said that CryptoLocker remains another p2p problem. “It’s something that is really taking off this year, and the vulnerabilities on their personal laptops and devices are from not shutting down those p2p protocols,” Schilling continued.

Once criminals gain access to one machine, they can see all ports and protocols in that network. “Very few should be open,” Cunningham said. “People are doing file shares or they are mapped to network drives and the malware migrates and encrypts those network drives.”

Avoiding these threats has a lot to do with network design and creating network access control systems so that when a computer connects to a network, only certain traffic is allowed. “All ports and protocols are locked down. Many users can do all the business they need to do from guest networks which are segmented from the corporate network,” said Schilling.

In addition, “Segment the users who are using their own devices away from the corporate network. Treat that user population as if they are already compromised,” Schilling continued.

Michael Taylor, lead applications developer at Rook Security, said that depending on the nature of the attack coming from the p2p network, avoiding threats can be very difficult. “Instead of coming from a few servers or hosts, they are outsourcing those onto many, many hosts. Using firewalls is not going to block all of that traffic.”

Botnets built on p2p applications are popular and more sophisticated in their communication methods, and eradicating them requires eliminating the whole herd, which differs from a traditional botnet with a command center.

“When you have a botnet, you have to have some of the servers telling the other servers what they should be doing. If you can isolate your network from the command and control servers, the conductor of the botnet can’t get to the control setting,” said Taylor.

If those few command and control servers are static, it is easier to isolate that traffic.

“You can basically cut off the instructions from the person who is operating the botnet, then it will allow you to have some time for remediation, but with the p2p setting, the more decentralized the botnet is, the more difficult it is to isolate that communication,” Taylor explained.
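Two points from the interviews above lend themselves to a worked illustration: Schilling’s east-to-west monitoring with a whitelist of expected server-to-server traffic, and Taylor’s observation that a botnet with a few static command and control servers can be isolated at those servers, while a decentralised p2p botnet has no such chokepoint. The following Python is an added example written for this article, not code from the article, Armor or Rook Security. It assumes flow records exported as `src,dst,dport,proto` CSV (the shape a NetFlow or sFlow collector can produce), a hypothetical internal server range `10.20.0.0/16`, and an operator-maintained allow-list of expected east-west flows; the sample flows are constructed.

```python
"""Triage of east-west flow records against an allow-list of expected
server-to-server conversations, then a look at whether the unexpected
traffic converges on a chokepoint or forms a mesh.

Added illustration, not code from the article, Armor or Rook Security.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Hypothetical internal server range used by the constructed sample below.
SERVER_NET = ipaddress.ip_network("10.20.0.0/16")

# Allow-list of expected east-west flows: (src, dst, dport, proto).
ALLOWED = {
    ("10.20.1.10", "10.20.2.20", 3306, "tcp"),  # web-1 -> db
    ("10.20.1.11", "10.20.2.20", 3306, "tcp"),  # web-2 -> db
    ("10.20.3.5", "10.20.1.10", 22, "tcp"),     # jump host -> web-1
}

# Constructed sample flows: three expected, six unexpected east-west flows,
# and one outbound flow to the Internet that east-west monitoring ignores.
SAMPLE_FLOWS = """\
src,dst,dport,proto
10.20.1.10,10.20.2.20,3306,tcp
10.20.1.11,10.20.2.20,3306,tcp
10.20.3.5,10.20.1.10,22,tcp
10.20.1.10,10.20.2.21,445,tcp
10.20.1.11,10.20.2.21,445,tcp
10.20.2.20,10.20.2.21,445,tcp
10.20.2.21,10.20.1.10,6881,udp
10.20.2.21,10.20.1.11,6881,udp
10.20.1.10,10.20.1.11,6881,udp
10.20.1.10,203.0.113.9,443,tcp
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with an integer destination port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"src": row["src"], "dst": row["dst"],
                     "dport": int(row["dport"]), "proto": row["proto"].lower()})
    return rows


def is_east_west(flow, net=SERVER_NET):
    """True when both endpoints sit inside the server network."""
    return (ipaddress.ip_address(flow["src"]) in net
            and ipaddress.ip_address(flow["dst"]) in net)


def unexpected_east_west(flows, allowed=ALLOWED):
    """Server-to-server flows that are not on the allow-list."""
    return [f for f in flows
            if is_east_west(f)
            and (f["src"], f["dst"], f["dport"], f["proto"]) not in allowed]


def chokepoints(flagged):
    """Destinations ranked by how many distinct sources reach them.

    One destination with many sources is a chokepoint: blocking it cuts off
    most of the unexpected traffic, as with a static C2 server.
    """
    sources = defaultdict(set)
    for f in flagged:
        sources[f["dst"]].add(f["src"])
    return sorted(((dst, len(s)) for dst, s in sources.items()),
                  key=lambda item: (-item[1], item[0]))


def mesh_score(flagged):
    """Fraction of involved hosts that exchange unexpected flows with two or
    more peers. Near 1.0 means a decentralised mesh with no single host to
    cut off; near 0.0 means hub-and-spoke traffic around a few servers."""
    peers = defaultdict(set)
    for f in flagged:
        peers[f["src"]].add(f["dst"])
        peers[f["dst"]].add(f["src"])
    if not peers:
        return 0.0
    multi = sum(1 for p in peers.values() if len(p) >= 2)
    return multi / len(peers)


def triage(text, allowed=ALLOWED):
    """Run the whole pipeline on a CSV export and return a summary dict."""
    flagged = unexpected_east_west(parse_flows(text), allowed)
    return {
        "flagged": len(flagged),
        "chokepoints": chokepoints(flagged),
        "mesh_score": mesh_score(flagged),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed sample, six of the ten flows are server-to-server conversations missing from the allow-list; `10.20.2.21` is the destination most sources reach, but three of the four hosts involved talk to two or more unexpected peers, so blocking that one host would not silence the traffic. That is the practical difference between the two cases Taylor describes: a low mesh score points at a host worth isolating first, a high one means containment has to happen at the segment or host level.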


The threats from these botnets range from DDoS to spam emails to using them to infiltrate a network by compromising a workstation within an environment. Once they have access, they can then pivot onto a server where confidential information is stored.

“You can also use those hosts for extended phishing attacks, identifying executives or other targets for spear phishing or whaling campaigns, or targeting employees with ready access to the data you are after,” said Taylor.

Data is most often the primary target for criminals. “That’s been a fairly lucrative attack vector for these bad actors where the executives seem to be fairly easy prey. They have authorized wire transfers or had their own hardware compromised because of the amount of data executives have access to,” said Taylor.

Depending on how the network has been segmented, it might not be the case that a criminal could go directly from a single workstation to the enterprise crown jewels, but the attacker might be able to compromise credentials that would allow them to navigate that network.

Having signatures at the perimeter of the network as well as on the internal network, said Taylor, “You would be able to see traffic coming from the outside of the network and then when someone started trying to access others on the inside.”
