What Attackers Want for Christmas
December 22, 2017
Our guest author Krampus has a special blog post for the Team with the festive Red colours:
Christmas lists are always a problem, here are some examples to get attackers thinking during the holiday season:
- Leaked (NSA) exploits: ETERNALBLUE, ETERNALROMANCE and friends have been a rare delight this year, bringing a smile to the lips of ol’Krampus. The destruction wreaked by WannaCry, NotPetya and BadRabbit has spoken to the power of these leaked exploits. There’s nothing that Krampus likes better than gaining SYSTEM privileges directly over the network!
- Vulnerable Supply Chain: Big or small, secondary or tertiary, supply chains have been this year’s go-to attack vector. Krampus likes to go for the weakest link in the supply chain and pivot up from there into the target, exploiting highly-connected vendors, subsidiaries and suppliers to reach the goal.
- Poorly trained workforce: The human element is what gets naughty children on Krampus’ list and Krampus loves the organizations that help to get them there! Not training the workforce to pick on social engineering attacks and terrifying them of the consequences of making a mistake is a fantastic way to help attackers get what they want for Christmas.
- Credential hygiene: While exploits are effective, other methods of gaining access shouldn’t be ignored. Poor credential hygiene has been exploited by worms like NotPetya with tremendous effect. By taking advantage of password reuse, especially for accounts with Administrator privileges, attackers have been able to compromise environments at scale in a matter of minutes. An all-time Krampus favourite!
- Data breaches: Nothing warms Krampus’ blackened heart than the theft of hundreds of millions of sensitive records. Data breaches provide such wonderful opportunities for theft, fraud, account takeover, credential reuse and extortion! They happen with a pleasing regularity and Krampus can only say: “bring ‘em on!”.
- False positives: An organization may have a SOC, but luckily for ol’Krampus, they are typically flooded with false positives, which allows Krampus and friends to rampage unimpeded through their preferred targets. Misconfigured logging systems create a noisy environment where the defenders can’t see the danger until Krampus is long gone! A trusted and loyal friend over the years!
- Target-rich environments: Once inside a particular environment, it’s always preferable for there to be a lack of segmentation so that exploits and credential reuse can be used to find vulnerable systems. In particular, sensitive data should be available in as many different places as possible and accessible by as many users as possible. This way Krampus doesn’t have to be that specific in his targeting; the naughty list can be as long as you like!
In order to keep Krampus and his hoards out of your network, we recommend robust security engineering principles to defend your networks:
- Default deny: that is, “only provide access where it has been explicitly granted, otherwise deny”.
- Least Privilege: that is, “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job”.
- (Attack) Surface Reduction: that is, reduce the amount of services running, the number of privileged users and the number of entry points into the system.
- Need to Know/Compartmentalization: that is, only grant access where there is an explicit business requirement to do so.
- Defence in Depth: that is, not one single control is sufficient to adequately protect a system. Careful usage of the other four principles in physical, technical and administrative controls will go a long way to keeping Krampus out!
You can find out more about these principles in a previous post we have written on the importance of security engineering.