CERT NZ recently released its Quarterly Report to 30 September 2017. The report summarises both incidents and trends observed by CERT NZ during the quarter along with a small amount of commentary and some case/malware studies. One of the key take-aways is that the vast majority of incidents are initiated from inside the victim’s network. It is not a good enough plan to “throw in a firewall” and hope the perimeter is secured. Throwing in a firewall has never been a sufficient strategy by itself, but attackers very seldom target just the perimeter and the focus for businesses should now be firmly on prevention, detection and response to events being initiated within the network.
This probably fits with your experience and intuition for how modern threats and exploits behave, but let’s put some statistics and specific examples around this idea.
The Quarterly Report highlights that of the 297 incidents reported directly to CERT NZ:
- 153 related to phishing and password harvesting
- 28 related to malware
- 23 related to scams and fraud
- 16 related to ransomware (in addition to the malware items above)
That’s 220 out of 297, or 74% of reported incidents attempting to gain their initial foothold within the network, as opposed to hammering away at the perimeter (eg firewalls, UTMs, web-facing services, etc).
Spell it out for me, with examples
These types of threats generally use some method to hop through the perimeter via an otherwise legitimate channel. The best example is email. You need to receive email, and emails need (or at least really want) to contain more than just text: they want to include links to things on the internet; they want to include attached files; and, they might even want to include scripted code, just like web pages do. Emails are commonly even structured using the HTML format, which is what all web pages are written or ultimately transmitted with. So email client applications (eg Outlook, Mac OS Mail, etc) have to be able to understand all of the things that web browsers understand in order to render web pages. That means they are pretty much subject to the same types of exploits, risks and holes as web pages are – with one important difference: emails are apparently sent directly to you, and normally trying to get your particular attention.
Emails are used to send legitimate and important information directly to you, and you want to see and interact with those emails. You want to see what is in those emails that are begging for your attention – you want to open those attachments and click on those links. And those links can send you very seamlessly to legitimate-looking web sites that ask you to log into something (ie share your credentials). Web sites you’ve been taken to via an email often carry a implied trust because of how you arrived there (a legit-looking email told me to go here, and the web site looks legitimate just like the email did). Well, if you put together the fact that a) emails can have all the capabilities or web pages; and b) you are hard-wired to open and interact with those emails; and c) there is an implied chain or trust or legitimacy for certain well-crafted emails, then you understand why phishing is such an effective and popular way into your network. If an attacker can get you to do something you shouldn’t, starting with a very compelling email, they might be able to exploit your PC, your network, and your business, all from the inside out.
There are of course other ways to hop right into your network through the front door – including via your web browser, and less pervasively via removable storage like USB keys. The methodology with malicious/compromised web sites is very similar to that with email, and in some cases all you have to do is visit the wrong web site and the malware or exploit can take hold. Email and phishing are so popular, however, because of the way in which we have historically thought about email. That’s why the majority of all reported incidents reported to CERT involved phishing and/or attempts to harvest credentials via fake legitimate-looking web sites you visited because an email asked you to. That’s 153 out of 297 of them.
What does this mean?
It means you need to recognise that most threats to your business stability, intellectual property and customer/employee privacy hop straight through your perimeter and do things that your firewall or UTM probably can’t see. It means that you need to take measures to prevent these “walk through the front door” risks, without taking your eye off the perimeter protections. It means that you need to train, and test, and re-train your staff to know what these threats look like, and how to avoid them. And, importantly, it means you need to know what is going on inside your network, not just on the edges of it.
That is the main point of this post. Yes, prevention is the best medicine, and yes you need to avoid as much as possible. But you should also recognise that most business have little or no way of knowing that something bad has a foot-hold inside their network. Detection and response are at least as important as perimeter defences and avoidance strategies.
How will you know that something has got in and is busy compromising the value of your business? Perhaps about 74% of your attention should be on what goes on inside your perimeter defences, and making sure you can prevent that or at least know about it as quickly and reliably as possible.
phew! We can help with that.