Applications and devices need to be stopped from doing what they have no business doing
There are many, many security tools designed to keep data safe and intruders off networks, from simple AV software to IDS systems to SOCs, SIEMs and AI, but in all their number and variety they are still insufficient, as evidenced by the rising incidence of cyber crime and the increasing volumes of data stolen.
One problem is that the tools are always one step behind the attackers, an issue that has taken on a new dimension with the likes of ChatGPT which, non-coders can use to write malware. Another is that attacks happen most often outside business hours, meaning protections need to be operational 24/7, said Rob Allen, VP of operations at ThreatLocker, speaking at Computing's Cybersecurity Festival last week. And phishing, the primary attack vector, is a largely unsolved problem, since it only needs to succeed once.
Moreover, the most damaging attacks are multi-stage missions, with attackers combining several techniques including "living off the land" or making use of legitimate software that's bundled with operating systems and network management tools, such as IP scanners and, on Windows machines, PowerShell.
Attacks exploiting the Follina flaw in Microsoft Office included malicious Word documents that used PowerShell to download malware from the web with virtually no action required by the user.
"PowerShell is used in 90% of ransomware attacks," said Allen. The devastating attack on the Irish Health Service used PowerShell at five different stages, he added.
Make a rule. Stop PowerShell from accessing files and folders
How to stop it? The answer in this case is a simple one: ringfencing.
"Stop thinks from calling PowerShell. If they don't need to talk to PowerShell, don't let them talk to PowerShell and you stop a lot of these attacks in their tracks."
Similarly, unrecognised USB devices should be blocked so that malware can't be introduced that way. AV tools are ineffective against rubber ducky type attacks where a malicious device masquerades as a keyboard or mouse, often running a PowerShell script that immediately starts syphoning data.
"Make a rule. Stop PowerShell from accessing files and folders. Don't let it access the Internet," Allen advised. "Then it can't be used to download malware, or to exfiltrate data, or to execute remote code."
In another example, an attack using 3CX communications software downloaded malware from GitHub. "Why does 3CX need to talk to GitHub? It doesn't need to talk to anything apart from your 3CX server, so make sure it only talks to that server and block it, so it can't be weaponised against you," said Allen.
Online backups are another treasure trove for attackers - who we must assume are already present on the network. A small change to a config file can send data to an address controlled by the hackers. "It won't get noticed and it's a really easy way to exfiltrate large amounts of data in a short period of time."
Detection tools and training are essential, as is effective staff training, said Allen, but in themselves they are not enough. The zero-trust techniques of ringfencing, allow listing, source control, configuration management, storage and access controls are zero trust techniques that stop applications and devices doing what they have no business doing.