Security tools are not enough, lock everything down, Threatlocker

3 min read

Applications and devices need to be stopped from doing what they have no business doing

There are many, many security tools designed to keep data safe and intruders off networks, from simple AV software to IDS systems to SOCs, SIEMs and AI, but in all their number and variety they are still insufficient, as evidenced by the rising incidence of cyber crime and the increasing volumes of data stolen.

One problem is that the tools are always one step behind the attackers, an issue that has taken on a new dimension with the likes of ChatGPT, which non-coders can use to write malware. Another is that attacks happen most often outside business hours, meaning protections need to be operational 24/7, said Rob Allen, VP of operations at ThreatLocker, speaking at Computing's Cybersecurity Festival last week. And phishing, the primary attack vector, is a largely unsolved problem, since it only needs to succeed once.

Moreover, the most damaging attacks are multi-stage missions, with attackers combining several techniques including "living off the land" or making use of legitimate software that's bundled with operating systems and network management tools, such as IP scanners and, on Windows machines, PowerShell.

Attacks exploiting the Follina flaw in Microsoft Office included malicious Word documents that used PowerShell to download malware from the web with virtually no action required by the user.

"PowerShell is used in 90% of ransomware attacks," said Allen. The devastating attack on the Irish Health Service used PowerShell at five different stages, he added. 

Make a rule. Stop PowerShell from accessing files and folders

How to stop it? The answer in this case is a simple one: ringfencing.

"Stop things from calling PowerShell. If they don't need to talk to PowerShell, don't let them talk to PowerShell and you stop a lot of these attacks in their tracks."

Similarly, unrecognised USB devices should be blocked so that malware can't be introduced that way. AV tools are ineffective against Rubber Ducky-type attacks, where a malicious device masquerades as a keyboard or mouse, often running a PowerShell script that immediately starts syphoning data.

"Make a rule. Stop PowerShell from accessing files and folders. Don't let it access the Internet," Allen advised. "Then it can't be used to download malware, or to exfiltrate data, or to execute remote code."
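As an added illustration of the "don't let it access the Internet" rule (not ThreatLocker's product or any code from the talk), the script below uses the built-in Windows Firewall to block outbound traffic from the PowerShell interpreters and then checks that every interpreter found is covered. The rule prefix, the interpreter paths (default install locations) and the check function are assumptions of this example.

```powershell
# Added example: ringfence PowerShell from the network with Windows Firewall.
# Run from an elevated prompt. Paths below are the default install locations
# (an assumption of this example); add others if PowerShell lives elsewhere.

$RulePrefix = 'Ringfence-PowerShell'

# Interpreters to ringfence: 64-bit and 32-bit Windows PowerShell, PowerShell 7.
# Only paths that actually exist on this host are kept.
$Interpreters = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"
) | Where-Object { Test-Path $_ }

# One outbound block rule per interpreter; idempotent on re-run.
$i = 0
foreach ($exe in $Interpreters) {
    $i++
    $display = "$RulePrefix $i"
    if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $display `
            -Description "Block all outbound traffic from $exe" `
            -Direction Outbound -Program $exe -Action Block `
            -Profile Any -Enabled True | Out-Null
    }
}

function Test-PowerShellRingfence {
    # Returns the interpreter paths that still lack an enabled outbound block
    # rule. An empty result means every interpreter found is ringfenced.
    $blocked = Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' } |
        Get-NetFirewallApplicationFilter |
        ForEach-Object { $_.Program }
    $Interpreters | Where-Object { $_ -notin $blocked }
}

$gaps = Test-PowerShellRingfence
if ($gaps) { Write-Warning "Not ringfenced: $($gaps -join ', ')" }
else       { Write-Output "All PowerShell interpreters blocked from outbound traffic." }
```

Windows Firewall gives block rules precedence over allow rules, so any administrative script that legitimately needs the network (module installs, remote management) will also be cut off until a narrower exception is made. The script leaves file and folder access untouched; that part of Allen's rule needs an application-control or allow-listing mechanism rather than the firewall.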

In another example, an attack using 3CX communications software downloaded malware from GitHub. "Why does 3CX need to talk to GitHub? It doesn't need to talk to anything apart from your 3CX server, so make sure it only talks to that server and block it, so it can't be weaponised against you," said Allen.

Online backups are another treasure trove for attackers - who we must assume are already present on the network. A small change to a config file can send data to an address controlled by the hackers. "It won't get noticed and it's a really easy way to exfiltrate large amounts of data in a short period of time."

Detection tools and effective staff training are essential, said Allen, but in themselves they are not enough. Ringfencing, allow listing, source control, configuration management, and storage and access controls are zero-trust techniques that stop applications and devices doing what they have no business doing.
