9
March 2015

Targeted Attacks – The Fight Back Starts with Good Password Management

Andy Harris

When business and IT leaders see stories about “targeted” attacks and APTs in the news, the perception is often that they are so-called because they have been crafted to attack a specific organisation. After all, it’s the corporate crown jewels of sensitive IP, customer data and trade secrets that they’re after. But this isn’t the whole picture. These attacks are actually more targeted still. Very often they’re aimed specifically at individual Privileged Accounts on long-forgotten IT systems which can be easily stolen from ‘password spreadsheets’ or simply brute forced.

So if we’re going to get better at fortifying ourselves against advanced cyber attacks, we’re also going to have to get better at identifying where these weak links in the chain are.

Laser focused

Targeted attacks have been around for probably a lot longer than many people think. When Stuxnet and Operation Aurora first came to light in 2010, this for many was the first time anyone had heard of such sophisticated, laser-focused attacks. Yet even today we’re finding out about new attack groups which stretch back even further. Just last week researchers claimed to have uncovered the so-called Equation Group – which it said to have been in operation possibly as far back as 1996.

Why have these attacks been around for longer than people think? It’s because they’re specifically crafted to stay under the radar, to slip in under traditional defences and lay hidden for months or even years without alerting the IT department anything is wrong.

So what exactly happens? Well, such attacks vary in sophistication, but a common MO is to seek out specific Privileged Accounts. These are administration accounts which provide access to servers, switches, firewalls, routers, applications, databases and the like. These are the keys to the kingdom, giving access to the beating heart of the organisation. From there, the malware they’ve written especially for this task will bounce around inside the corporate network from system to system until it finds the data it’s looking for. And don’t think because your Privileged Accounts are kept separate from local system accounts that they’re safe from attack. Malware can quite easily jump that air gap.

What goes wrong

We know from data Verizon Data Breach Report that 80% of stolen credentials are obtained through:

  • Simply lifted from files that were available on sysadmin systems, either in the local file systems or non-privileged shares
  • Socially engineered by phishing or spear phishing
  • Keylogged
  • Left as Default!

However, so often the passwords for these accounts are left on the factory or admin default. No-one thinks about all the nameless routers and switches, obscure databases and generic cloud accounts tucked away inside their IT infrastructure. Also, many privileged accounts are set up for machine-to-machine communication, making it easier still for IT teams to set them up with a default password and then forget about them.

The Dangerous Desktop

But ignore basic password security at your peril. Forget brute force password cracking, by leaving in easy-to-guess default credentials you might as well be laying out the red carpet for cyber criminals.

The Password Policy Trap

Perhaps less well known is the inherent weaknesses that are generated by well meaning password policies. Most of these have limits and recommendations on length and characters etc. Research has shown that employees follow these on a linear basis, so if a the first rule is that a password should contain at least one capital letter, the first character of the invented password tends to be a capital. The longer the password limits, the more likely that full words are used with a ‘-‘ or ‘_’ between each word. The more often you ask for password changes the more likely and individual is to develop their own pattern — just because they need to remember the complex passwords. Patterns in passwords are really vulnerable to rainbow attacks. If you decide to issue complex passwords – guess what! – your employees start recording them in files on their desktop!

What to do

Don’t make the job of the cyber criminal even easier. Close down the path of least resistance for attackers by ensuring that no one keeps password lists in files and spreadsheets! You need to conduct a thorough audit of your privileged accounts. Then replace any default passwords with strong credentials – a mixture of symbols, numbers and letters and lower and upper case characters if possible. Look for the following:

  • System, Domain Admin, Admin and Root Accounts
  • Accounts on switches, routers and SDN
  • Database Accounts, Cloud Accounts
  • Built-in Device generic accounts

Remember the human factors in password policies! You’ll need to strike a balance between complexity to resist brute force attacks and refresh periods to avoid falling into the pattern trap.