The ‘weaponisation’ of vulnerabilities
2018 set a record for the number of new vulnerabilities identified and reported in a single year.
According to Craig Jett, VP, Global Security Consulting – Dimension Data, Dimension Data’s Executive Guide to the annual NTT Security 2019 Global Threat Intelligence Report highlighted an increase of 12.5% in the number of new vulnerabilities discovered during 2018.
Jett delves into some of the findings that were uncovered, especially the dramatic rise in vulnerabilities, and discusses the causes and impacts, and provides some practical recommendations on how to raise and improve your business’s defences.
How are vulnerabilities becoming ‘weaponised’?
Jett says the ‘weaponisation’ of vulnerabilities means that cyber criminals are exploiting them to launch highly co-ordinated attacks against individuals, businesses and specific groups by using a combination of technical and non-technical tools. He adds that, in most cases, these vulnerabilities are targeted in automated exploit kits, which are developed by criminal groups and monetised in various online forums.
Unfortunately, these exceptionally well-organised campaigns are becoming more robust, precise and targeted than ever before. "Attacks are being informed by in-depth information that cyber criminals have gained from multiple sources about their targets. And they’re increasingly diversifying the manner in which they execute their attacks.
"Let’s use the example of attacks on specific individuals. By scouring various channels – both legitimate and illicit – attackers are able to amass sufficient information about their targets to build a comprehensive profile about them. Gradually, they gather enough material to determine what’s going to be the most effective method(s) of attack and they’ll typically utilise multiple attack surfaces to pursue their targets."
Sadly organisations are also subjected to these types of co-ordinated attacks, but often an attack against an individual and a business are strongly connected.
"For example, one of our client’s executives was approached by an individual masquerading as a respected leader of another business, regarding a potential merger. The approach was convincing, and the cyber criminals had gathered a wealth of information about the person purporting to represent the organisation seeking to be acquired. Here, of course, the ultimate objective was a monetary gain to seal the acquisition deal."
Jett says that once cyber criminals have successfully compromised a company’s systems and stolen the information they want – they’ll sell it for profit on the dark Web and/or attempt to extort funds or blackmail the organisation by threatening to sell their trade secrets to competitors.
"These co-ordinated, longer-term types of attack are very different to what we’ve seen in the past, where attackers’ tactics were usually short and sharp: ‘Let’s break down the door, grab what we can, and run.’ Organisations need to be aware of these shifts and adjust their defence mechanisms accordingly."
The reality is that a lot of these vulnerabilities were discovered in older software and have been present for years.
These vulnerabilities often reside in older systems and ageing computers that are unable to run new versions of software, but are still being widely used today.
"For example, many hospitals operate medical equipment that runs on versions of Microsoft Windows as old as v3 or thereabouts. Generally, these devices operate perfectly well for their intended purpose. And this doesn’t just apply to hospitals: within most organisations, somewhere, you’ll likely find older devices and computers that have been repurposed to perform some kind of basic function, perhaps simply providing supporting as a print server, for instance. These devices present an attractive attack surface for hackers, as the system software is long-retired and is no longer being updated or patched. With little or no modern security controls protecting them, they can represent a cyber security risk. Here, a vulnerability assessment would be advisable."
However, many vulnerabilities to modern software still exist, and often, for many years following their discovery.
"Bash, Shellshock, Apache Struts, and Samba are good examples of older vulnerabilities that continue to see significant exploit traffic. Shellshock, the critical flaw in Linux and Unix operating systems that can allow an attacker to run malicious code remotely on a targeted system, was first discovered in September of 2014. However, it continues to be left unpatched in many organisations."
Unfortunately, these vulnerabilities offer a lucrative target for attackers. With minimal effort, intelligence-gathering on vulnerable systems can be automated, widening the range and scope of the scans.
How do you balance the need to deal with both new and old vulnerabilities?
Jett says in addition to fending off traditional attacks, using tried-and-tested tools, security professionals now need to find ways to protect the organisation and their users from newer, more sophisticated types and methods of attack.
But some of the newer, emerging vulnerabilities, such as crypto jacking1 and the latest breed of Web attacks, are relatively easy for cyber criminals to introduce and are often not detected. In some cases, all that is needed is to visit a single, compromised Web page for your system to become infected by malware. Sadly, one doesn't even need to click on anything on the site.
So this shift towards more sophisticated types of attack requires a very different defence mindset and model. Everyone needs to be more vigilant – not just security professionals, but also users – as today, it’s so much easier to unwittingly create system vulnerabilities.
"Many vulnerabilities exist in common systems, utilities and applications, and application code libraries used to support daily operations. This is because codes are generally written for a variety of purposes and housed in shared code libraries. It’s not uncommon for elements of existing code to be re-used or amalgamated into code that’s being used to develop new products or services, as they perform a specific, essential function." he adds.
"However, if a piece of existing code happens to have a vulnerability – and it’s re-purposed by other developers who don’t perform appropriate testing on it – and it’s subsequently released, the vulnerability can quickly perpetuate throughout the organisation. In most cases, there’s no malicious intent involved. Code wasn’t deliberately written to compromise the organisation’s security posture; it’s usually the result of innocent oversight.
"Especially in the age of DevOps, where teams are sharing and re-using code, libraries and container images. Much of this has been developed without security in mind. This is why teams need to begin integrating security into the DevOps process.
The aim is to embed security into every part of the application life cycle – development, build, and run-time – thereby minimising vulnerabilities and bringing security closer to IT and the business’s overall objectives."
Jett's top five pieces of advice for combating vulnerabilities and bolstering the cyber security posture:
- Be honest with yourself about your current state of cyber preparedness and vulnerability management capabilities.
- This is where it makes sense to enlist the services of an independent cyber security advisory partner to benchmark your organisation’s current state of cyber maturity, through the lens of the business’s overall strategic priorities.
- Gain consensus among your business and IT teams regarding where the most pressing challenges lie and how you’re going to address them.
- Formulate a plan and roadmap, which is business-led rather than technology-driven and identifies your immediate priorities, to move you from your current to your desired state.
- As you advance on your journey, continually re-evaluate your people, processes and technologies to measure the progress you’re making, and to validate that the plan you’re implementing is still serving you well.