Security tools are not enough, lock everything down, Threatlocker

3 min read

Applications and devices need to be stopped from doing what they have no business doing

There are many, many security tools designed to keep data safe and intruders off networks, from simple AV software to IDS systems to SOCs, SIEMs and AI, but in all their number and variety they are still insufficient, as evidenced by the rising incidence of cyber crime and the increasing volumes of data stolen.

One problem is that the tools are always one step behind the attackers, an issue that has taken on a new dimension with the likes of ChatGPT, which non-coders can use to write malware. Another is that attacks happen most often outside business hours, meaning protections need to be operational 24/7, said Rob Allen, VP of operations at ThreatLocker, speaking at Computing's Cybersecurity Festival last week. And phishing, the primary attack vector, is a largely unsolved problem, since it only needs to succeed once.

Moreover, the most damaging attacks are multi-stage missions, with attackers combining several techniques, including "living off the land": making use of legitimate software that is bundled with operating systems and network management tools, such as IP scanners and, on Windows machines, PowerShell.

Attacks exploiting the Follina flaw in Microsoft Office included malicious Word documents that used PowerShell to download malware from the web with virtually no action required by the user.

"PowerShell is used in 90% of ransomware attacks," said Allen. The devastating attack on the Irish Health Service used PowerShell at five different stages, he added. 


How to stop it? The answer in this case is a simple one: ringfencing.

"Stop things from calling PowerShell. If they don't need to talk to PowerShell, don't let them talk to PowerShell and you stop a lot of these attacks in their tracks."

Similarly, unrecognised USB devices should be blocked so that malware can't be introduced that way. AV tools are ineffective against Rubber Ducky-style attacks, in which a malicious device masquerades as a keyboard or mouse and types its own commands, often a PowerShell script that immediately starts siphoning data.
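One way to enforce the "block unrecognised USB devices" advice with what Windows already ships is the Device Installation Restrictions policy: deny installation of every device instance that is not on an explicit allow list. The script below is an added example, not code from the article or from ThreatLocker; it writes the same registry keys that the Group Policy setting "Prevent installation of devices not described by other policy settings" uses, and the hardware IDs in the usage call are constructed placeholders.

```powershell
# Added example, not from the article or from ThreatLocker. Configures the
# Windows "Device Installation Restrictions" policy so that any device whose
# hardware ID or setup class is not allow-listed cannot have a driver installed.
# Run in an elevated PowerShell session. On domain-joined hosts, set the same
# policy through a GPO instead; otherwise Group Policy will overwrite these keys.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Set-DeviceInstallAllowList {
    param(
        [string[]] $AllowedHardwareIds = @(),   # hardware IDs of approved keyboards, mice, storage
        [string[]] $AllowedClassGuids  = @(),   # device setup class GUIDs to allow wholesale (use sparingly)
        [switch]   $AllowAdminInstall           # let local administrators bypass the restriction
    )
    New-Item -Path $Restrictions -Force | Out-Null

    # DenyUnspecified = "Prevent installation of devices not described by other policy settings".
    Set-ItemProperty -Path $Restrictions -Name 'DenyUnspecified'   -Type DWord -Value 1
    Set-ItemProperty -Path $Restrictions -Name 'AllowAdminInstall' -Type DWord -Value ([int]$AllowAdminInstall.IsPresent)

    # Policy list elements are stored as string values named 1, 2, 3 ... under a subkey.
    $lists = @{ AllowDeviceIDs = $AllowedHardwareIds; AllowDeviceClasses = $AllowedClassGuids }
    foreach ($name in $lists.Keys) {
        $subKey = Join-Path $Restrictions $name
        Remove-Item -Path $subKey -Recurse -ErrorAction SilentlyContinue   # rebuild the list from scratch
        New-Item -Path $subKey -Force | Out-Null
        $n = 1
        foreach ($entry in $lists[$name]) {
            Set-ItemProperty -Path $subKey -Name "$n" -Type String -Value $entry
            $n++
        }
    }
}

# Usage. The IDs below are constructed placeholders: collect the real ones from a
# known-good machine with  Get-PnpDevice -PresentOnly | Select-Object FriendlyName, HardwareID
Set-DeviceInstallAllowList -AllowAdminInstall -AllowedHardwareIds @(
    'HID\VID_XXXX&PID_YYYY',          # placeholder: approved keyboard/mouse model
    'USBSTOR\DiskPLACEHOLDER_VENDOR'  # placeholder: approved encrypted USB drive
)
```

Two caveats a practitioner should expect. The policy governs driver installation for new device instances, so devices that were installed before it was applied keep working; apply it on freshly imaged hosts or audit existing devices first. And a malicious device that spoofs an allow-listed vendor and product ID is not stopped by a hardware-ID entry, so for storage devices prefer the full device instance ID (which includes the serial number) and keep the keyboard/mouse allow list as short as the fleet permits.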

"Make a rule. Stop PowerShell from accessing files and folders. Don't let it access the Internet," Allen advised. "Then it can't be used to download malware, or to exfiltrate data, or to execute remote code."

In another example, an attack using 3CX communications software downloaded malware from GitHub. "Why does 3CX need to talk to GitHub? It doesn't need to talk to anything apart from your 3CX server, so make sure it only talks to that server and block it, so it can't be weaponised against you," said Allen.
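The two pieces of advice above, "don't let PowerShell access the Internet" and "make sure 3CX only talks to your 3CX server", are both instances of network ringfencing, and the built-in Windows Defender Firewall can express the network half of each. The script below is an added example, not code from the article or from ThreatLocker's product. It assumes the executable paths shown (the 3CX path and server address are constructed placeholders) and relies on one documented property of Windows Defender Firewall: block rules are evaluated before allow rules, so "block everything for this program, then allow one host" does not work; instead the allowed hosts are carved out of a single block rule's remote-address list.

```powershell
# Added example, not from the article or from ThreatLocker. Ringfences a program
# with Windows Defender Firewall: one outbound block rule per executable whose
# remote-address list is the complement of the IPv4 hosts the program may reach.
# Run in an elevated PowerShell session. IPv4 only; see the note below for IPv6.

function ConvertTo-IPv4Int {
    param([string] $Ip)
    $addr = [ipaddress]$Ip
    if ($addr.AddressFamily -ne 'InterNetwork') { throw "IPv4 address expected: $Ip" }
    $b = $addr.GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-IPv4Int {
    param([int64] $N)
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}

function Format-Range {
    param([int64] $Start, [int64] $End)
    if ($Start -eq $End) { return (ConvertFrom-IPv4Int $Start) }          # single address
    return ('{0}-{1}' -f (ConvertFrom-IPv4Int $Start), (ConvertFrom-IPv4Int $End))
}

function ConvertTo-BlockedRanges {
    # Returns the IPv4 ranges covering every address EXCEPT the allowed ones.
    param([string[]] $AllowedIPv4)
    $ranges = @()
    $next = [int64]0
    foreach ($a in ($AllowedIPv4 | ForEach-Object { ConvertTo-IPv4Int $_ } | Sort-Object -Unique)) {
        if ($a -gt $next) { $ranges += Format-Range $next ($a - 1) }
        $next = $a + 1
    }
    if ($next -le 4294967295) { $ranges += Format-Range $next 4294967295 }
    return $ranges
}

function Set-ProgramRingfence {
    param(
        [Parameter(Mandatory)] [string]   $Group,       # rule group; re-running replaces the group's rules
        [Parameter(Mandatory)] [string[]] $Program,     # full paths of the executables to fence
        [string[]] $AllowRemoteIPv4 = @()               # hosts the program may still reach; empty = none
    )
    # Idempotent: drop rules from an earlier run of the same group.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $remote = if ($AllowRemoteIPv4.Count -gt 0) { ConvertTo-BlockedRanges $AllowRemoteIPv4 } else { 'Any' }
    foreach ($exe in $Program) {
        New-NetFirewallRule -DisplayName ('{0}: {1}' -f $Group, (Split-Path $exe -Leaf)) -Group $Group `
            -Program $exe -Direction Outbound -Action Block -Profile Any -RemoteAddress $remote | Out-Null
    }
}

# 1) Windows PowerShell (64-bit, 32-bit and the ISE): no outbound connections at all.
$psRoot = "$env:SystemRoot\System32\WindowsPowerShell\v1.0"
$psWow  = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0"
Set-ProgramRingfence -Group 'Ringfence-PowerShell' -Program @(
    "$psRoot\powershell.exe", "$psRoot\powershell_ise.exe", "$psWow\powershell.exe")

# 2) The 3CX client: only its own server. Install path and address are constructed
#    placeholders; substitute the real executable path and PBX server IP.
Set-ProgramRingfence -Group 'Ringfence-3CX' -Program 'C:\Path\To\3CXDesktopApp.exe' -AllowRemoteIPv4 '10.0.5.20'
```

Design notes. Because block rules win over allow rules, a fenced program cannot later be selectively re-opened with an allow rule; change the allow list and re-run instead. Rules match IP addresses, not names, so a server whose address changes needs the rule regenerated, and the generated ranges cover IPv4 only, so add a companion rule for IPv6 (or disable IPv6 for that host) if the program could otherwise fall back to it. Blocking powershell.exe outbound also stops legitimate outbound PowerShell remoting from that machine, which is usually what you want on endpoints but not on a management jump host. Finally, the firewall covers only the network side of ringfencing: controlling which executables may run and which files they may touch is the job of application control (for example WDAC or AppLocker) or a dedicated product, and local administrators can delete firewall rules, so deploy them through Group Policy rather than by hand.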

Online backups are another treasure trove for attackers - who we must assume are already present on the network. A small change to a config file can send data to an address controlled by the hackers. "It won't get noticed and it's a really easy way to exfiltrate large amounts of data in a short period of time."

Detection tools are essential, as is effective staff training, said Allen, but in themselves they are not enough. Ringfencing, allow listing, source control, configuration management, and storage and access controls are zero-trust techniques that stop applications and devices from doing what they have no business doing.
