5 Emerging Vectors of Attack and Recommendations for Mitigating the Risks


A lack of network visibility is a key challenge we hear about often from the network security community. It’s the result of a complicated mix of issues such as infrastructure complexity, BYOD, and the cloud transformation, among others.

Challenges like these all ranked among the top 10 challenges in network security identified by the network security professionals we recently surveyed. They were also central to a panel session held at the RSA Conference titled The Five Most Dangerous New Attack Techniques and How to Counter Them.

This particular panel is held annually and brings together a group of experts from the SANS Institute. It’s moderated by SANS Institute Research Director and Founder Alan Paller and describes the current threats his team identifies in their research, along with recommendations for mitigating the associated risks.

Here are our notes about these five attack techniques from the session.

1) Manipulating domain naming infrastructure

Adversaries are using credentials they’ve stolen to log into DNS providers and registrars and manipulate DNS records. That’s according to Ed Skoudis, a SANS instructor credited with creating the penetration testing program there. For example, an attacker will change the email (MX) records so that messages intended for your organization are redirected through a server the attacker controls, which allows them to intercept the messages.

With email interception in place, they are able to apply for Transport Layer Security (TLS) certificates for the domain and use the validation links in the intercepted messages to prove domain ownership. He points to Krebs on Security, among other sources, which has documented these attacks against government, law enforcement and commercial enterprises.

Some of the recommendations Mr. Skoudis suggests are:

>>> Implement multi-factor authentication for changes made to the DNS infrastructure;

>>> Deploy DNS security (DNSSEC) so that records are both signed and validated;

>>> Revoke any illegitimate certificates that currently exist; and

>>> Monitor for public changes to DNS records and digital certificates associated with your organization.
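The last recommendation, monitoring for changes to your records and certificates, comes down to keeping a trusted baseline and diffing it against fresh observations. The following is an added example, not code from the panel or from the original article; the zone, record values and certificate fingerprints are constructed placeholders.

```python
"""Baseline-and-diff monitor for a domain's DNS records and certificates
(added example; not code from the panel or the original article). A stored
baseline is compared with a fresh snapshot and every change is reported, so
an unauthorised MX or NS edit of the kind described above is flagged. Both
snapshots here are constructed; in use, the current one would come from a
resolver query plus a Certificate Transparency log search."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

Snapshot = Dict[str, Set[str]]  # record type -> set of values (order-free)

@dataclass(frozen=True)
class Change:
    rtype: str
    added: FrozenSet[str]
    removed: FrozenSet[str]

def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """One Change per record type whose value set differs."""
    changes = []
    for rtype in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rtype, set()), current.get(rtype, set())
        if old != new:
            changes.append(Change(rtype, frozenset(new - old), frozenset(old - new)))
    return changes

def high_risk(changes: List[Change]) -> List[Change]:
    """MX, NS and certificate changes are the ones that enable interception."""
    return [c for c in changes if c.rtype in {"MX", "NS", "CERT"}]

# Constructed baseline for a hypothetical example.org zone. CERT values are
# placeholder fingerprints standing in for what a CT log search returns.
BASELINE: Snapshot = {
    "NS": {"ns1.example.org.", "ns2.example.org."},
    "MX": {"10 mail.example.org."},
    "A": {"203.0.113.10"},
    "CERT": {"sha256:KNOWN-CERT-PLACEHOLDER"},
}

# Constructed current snapshot: a new MX host plus an unexpected certificate.
CURRENT: Snapshot = {
    "NS": {"ns1.example.org.", "ns2.example.org."},
    "MX": {"10 mail.example.org.", "5 relay.unknown-host.example."},
    "A": {"203.0.113.10"},
    "CERT": {"sha256:KNOWN-CERT-PLACEHOLDER", "sha256:NEW-CERT-PLACEHOLDER"},
}

if __name__ == "__main__":
    for c in high_risk(diff_snapshots(BASELINE, CURRENT)):
        print(f"ALERT {c.rtype}: added={sorted(c.added)} removed={sorted(c.removed)}")
```

Run on a schedule, a non-empty result from high_risk() is the alert; unchanged A records or TXT churn do not page anyone.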

2) Domain fronting

Domain fronting is a technique used by adversaries to obscure their geographic location. It was the second attack technique in the session and was also presented by Mr. Skoudis. This enables an attacker to hide the origin of his or her command and control (C2) and build a reliable channel to exfiltrate data to an unidentifiable location.

One of the challenges with these attacks is that some security pros believe the issue has been fixed. This is because Google and Amazon have limited domain fronting on their content delivery networks (CDNs). Yet the problem remains, because there are other CDNs where domain fronting still works.

He unpacks how this attack unfolds in four steps:

a) The adversary uses a compromised server – with undetected malware – on an internal network to send a DNS request to a trusted website on a CDN where the attacker has also set up customer accounts;

b) The server sets up a TLS connection to that trusted site;

c) The malware on the server sends an HTTP 1.1 request with a Host header asking for something other than that trusted site. Usually, this requests the ‘customer account’ the attacker has set up on the CDN (network defenders typically can’t see what is inside the requests because the traffic is encrypted, but this technique can help); and

d) The trusted site on the CDN then sends the request to the attacker’s instance, which in turn forwards that request to the attacker’s server of origin. The result, Mr. Skoudis says, is that the attacker has built an exfil channel that looks to defenders like a trusted site on a CDN.

This vector isn’t likely to go away, because it has shown attackers how to “disappear into the cloud.” Organizations that use cloud-based services effectively treat those services as part of their own infrastructure. The cloud vendors can’t simply shut it down without risking denial of access to those services, and so adversaries can “launder” their activity from cloud to cloud.

Among the recommendations Mr. Skoudis made are:

>>> Implement TLS interception at the network boundaries;

>>> Encrypt data in the cloud and store the encryption keys elsewhere; and

>>> Consider tools to spot beaconing through domain fronting, such as a free one called Real Intelligence Threat Analytics (RITA) provided by Black Hills Information Security.
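The first and third recommendations fit together: once the boundary proxy decrypts TLS it can log both the SNI from step b) and the Host header from step c), and the fronting pattern is simply the two naming different sites. The following is an added example, not code from the panel, from RITA or from the original article; it assumes a proxy log with one whitespace-separated line per request (timestamp, client, SNI, Host header), and the log lines are constructed.

```python
"""Flag domain fronting in TLS-interception proxy logs (added example; not
code from the panel, RITA or the original article). Assumes the boundary
proxy decrypts TLS and logs per request: timestamp, client, TLS SNI, HTTP
Host header. Fronting (steps b and c above) shows as an SNI naming a trusted
CDN site while the Host header names a different site. Sample log below is
constructed."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

def registrable(name: str) -> str:
    """Crude eTLD+1 approximation: last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def fronting_events(lines: List[str]) -> List[tuple]:
    """Requests whose Host header does not belong to the SNI's domain."""
    out = []
    for line in lines:
        ts, client, sni, host = line.split()
        if registrable(sni) != registrable(host):
            out.append((float(ts), client, sni, host))
    return out

def beacon_scores(events: List[tuple], min_hits: int = 4) -> Dict[Tuple[str, str], float]:
    """Per (client, Host) pair: coefficient of variation of the gaps between
    requests. Near zero means a fixed-interval beacon; browsing is noisier."""
    by_pair = defaultdict(list)
    for ts, client, _sni, host in events:
        by_pair[(client, host)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        scores[pair] = statistics.pstdev(gaps) / statistics.mean(gaps)
    return scores

# Constructed sample log lines: "timestamp client sni host".
SAMPLE_LOG = [
    "1000 10.0.0.5 cdn.trusted-site.example cdn.trusted-site.example",
    "1000 10.0.0.7 www.trusted-site.example tenant-x.cdn-customer.example",
    "1060 10.0.0.7 www.trusted-site.example tenant-x.cdn-customer.example",
    "1120 10.0.0.7 www.trusted-site.example tenant-x.cdn-customer.example",
    "1180 10.0.0.7 www.trusted-site.example tenant-x.cdn-customer.example",
    "1300 10.0.0.5 assets.trusted-site.example www.trusted-site.example",
]

if __name__ == "__main__":
    for pair, score in beacon_scores(fronting_events(SAMPLE_LOG)).items():
        print(f"possible fronted beacon {pair}: gap regularity={score:.3f}")
```

The host 10.0.0.5 is not flagged because its SNI and Host headers share a registrable domain, which is how legitimate CDN subdomains look; the fixed 60-second cadence from 10.0.0.7 scores 0.0, the beaconing signature RITA-style tools key on.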

About Bricata
Bricata is a cybersecurity solutions provider that combines a network threat hunting platform with comprehensive threat detection and prevention to help determine the true scope and severity of threats. Bricata simplifies network threat hunting by surfacing hidden threats through purpose-built hunting workflows backed by detailed, clearly presented metadata, easing the transition from known to unknown malicious activity, in conjunction with an advanced threat detection and prevention platform that convicts zero-day malware.
