NotPetya, a recent piece of malware masquerading as the known Petya ransomware, started wreaking havoc on a global scale last week. Initially, it looked like another wave in the malware storm that started with the Shadow Brokers’ publication of EternalBlue and other zero-day vulnerabilities in Windows OS. And, in fact, NotPetya used EternalBlue as one of the lateral movement methods in its arsenal. But the developers of NotPetya apparently wanted to hit some high-value targets, and the risk that those networks had already been fully patched would have ruined their attack.
Really, it’s not just me saying that Active Directory is the crown jewel. It’s the hackers themselves who, de facto, target Active Directory in almost every advanced attack. They look for domain credentials and administrative accounts, they practice domain reconnaissance, privilege elevation, targeted attacks against the domain controller and more. Their motivations are similar to those of terrorists: produce widespread fear, obtain recognition and media attention, steal money, damage facilities and functionality. This is why it was not surprising to learn about the QakBot Trojan causing a mess.
Password leaks from public breaches help us learn how people think, allow us to identify patterns and let us build password dictionaries. As password cracking methods evolve, recommendations based on upper-case, lower-case, special characters and digits (ULSD) and password complexity matter less and less.
The other day I was speaking to a good friend of mine. He’s an executive consultant working for a large Fortune 1000 organization. As we were talking, I realized that he has access to a lot of highly sensitive information that, if exposed, could be rather damaging to the company. He was lamenting to me how he needed to get access to some data on one of the servers, but IT blocked him from accessing it until he completed a mandatory online “IT Security Awareness” training.
In recent years, we have seen hospitals, insurance companies (Aetna), giant corporations (Sony), retailers (Home Depot and Target), and tech companies (Yahoo, LinkedIn, Dropbox) all breached because of some type of insider threat or compromised credentials. So, it’s no surprise that insider threats are a growing concern for organizations.
Enterprises define security policies that match their business objectives. By setting security policy rules, an organization can better enable the business to achieve its goals while protecting it from advanced threats. Such policies work reasonably well, even allowing for the well-publicized breaches and insider threats. Without policies, or a set of tools in place for such eventualities, it will be very difficult for the business to operate effectively when under attack.
When Mark Zuckerberg’s passwords were hacked from his Twitter and other accounts, that news got everyone’s attention. Online articles suggest that hackers got his password from the 2012 LinkedIn breach, in which 117 million accounts were compromised. Mr Zuckerberg had reused his passwords on other services, like Twitter, which were then compromised as well.
This incident, along with many other similar hacks, proves that cyber-attacks are not isolated events; they are like a giant wave with long-term effects that can set off a chain of events.
This weekend, Sage Group sent out a warning to its customers about a data breach. According to the BBC, the breach exposed the personal details of employees at close to 300 companies in the UK and Ireland.
We security professionals read it over and over: time is not on our side. The recent Verizon DBIR 2016 report illustrates how quickly threat actors get in and out of networks. Many other security data reports similarly list the possible reasons and deflect responsibility, which ultimately amounts to “all we can do is our best.”