Sunday, 31 July 2016

What is a attack vector and what is the attack surface area

In this post I am aiming to explaining some of the common terms (such as attack vector, attack surface area) used when discussing cyber attacks in the way non-technical people can understand. In this post I'm using an example of a malicious PDF attack to explain the terms.

The scenario is an attacker sends an email with an attachment that is a malicious PDF the contains executable code if viewed on Adobe Reader, in this scenario the code will cause a denial of service.

The attacker will create a malicious payload in this scenario it is a PDF file that contains code that will take advantage of (exploit) the discovered vulnerability in a number of Adobe products. The PDF file is attached to an email which is then sent to the victim (could be a known individual in a targeted attack or to a large group of email addresses the attacker has obtained). The recipient would receive the email and the attacker is hoping that the PDF file will be opened by the recipient using a version of one of the affected Adobe products allowing the code to execute and cause a denial of service attack.

For the more technical I have based this on a actual reported vulnerability CVE-2016-1009 which affects Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC Classic before 15.006.30121, and Acrobat and Acrobat Reader DC Continuous before 15.010.20060 on Windows and OS X and allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. [https://www.cvedetails.com/cve/CVE-2016-1009/] [https://helpx.adobe.com/security/products/acrobat/apsb16-09.html]

The scenario is illustrated in the diagram below.


The threat agent, attack, attack vector, vulnerability, exploit and attack surface area relating to this scenario are described in the table below.

Term
Definition
Example
Threat agent
an individual or group that can manifest a threat. It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company
Attacker
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself
Denial of Service
Attack vector
is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome.
email
Vulnerability
Weakness in an information system, system security procedures, internal controls, or  implementation that could be exploited or triggered by a threat source.
Adobe Reader DC Classic (v15.006.30119)
Exploit
a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behaviour to occur
Malicious PDF containing executable code that exploits CVE-2016-1009
Attack surface area
is the sum of the all vulnerabilities where an attacker can try malicious activity
All instances of the vulnerable version of Adobe Reader DC Classic (v15.006.30119)

Hopefully the scenario and the examples of what the terms mean in the context scenario help explain the usage of the terms by cyber security professionals.

In this scenario to defend themselves the victims need to identify if they are vulnerable and the attack surface area and then implement controls to remediate the vulnerability.

In order to identify if there are vulnerable organisations would need to know the software and version installed on all their assets (workstations, laptops, tablets, servers) and then monitor security feeds such as those from CERTS or Adobe to identify vulnerabilities within the assets as part of their vulnerability management programme. Alternatively they can conduct internal vulnerability assessments of their assets to identify vulnerabilities within them. This relies on the tool being able to identify the vulnerability (up to date signatures) and access rights to the assets to scan the installed software. A build review looking at security will only detect vulnerabilities within the build and not within software installed or updated by users after the build has been deployed.

Once a vulnerability has been discovered the attack surface area for that vulnerability can be identified by examining all assets for affected software.

This attack can be remediated by implementing the following

  • Software patching programme to ensure all security patches and updates are installed as soon as possible after release by vendors but after testing to ensure no unforeseen side affects
  • A vulnerability monitoring programme to identify when vulnerabilities become publicly notified
  • The use of anti-malware software with updated signatures and scanning engine to scan all incoming attachments.
  • User education to ensure users are aware of the danger of viewing attachments on unexpected emails.

These are covered by the CIS Critical Security Controls

CSC 2: Inventory of Authorized and Unauthorized Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 8: Malware Defenses
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 19: Incident Response and Management






Monday, 25 July 2016

Amazon phishing scheme

Amazon phishing scheme

In this morning's email were a couple from Amazon, all but one where legitimate. The one that caught my eye was one of those that is "Too good to be true" style phishing attempts.

It was offering a chance of winning £650 of Amazon gift cards.

It has all the classic warning signs of a scam

Below I have run through some simple checks on the email and the originating domain.

The email headers below show the originating server

Return-Path: <prime@programnotice.com>
Delivered-To: ************@*****.*****
Received: from serv1-lon.mx.************.net.uk (unknown [***.1.150.142])
by mail.************.co.uk (Postfix) with ESMTP id 7C5385610F20
for <***********@*****.*****>; Mon, 25 Jul 2016 08:55:10 +0100 (BST)
Received: from pxy.b.mx.************.co.uk (pxy.b.mx.************.co.uk [***.207.220.216])
by serv1-lon.mx.************.net.uk (Postfix) with ESMTP id 6E6EC82BE83
for <************@*****.*****>; Mon, 25 Jul 2016 08:55:10 +0100 (BST)
Received: from helping.programnotice.com (unknown [142.0.69.40])
by pxy.b.mx.************.co.uk (Postfix) with ESMTP id EBA392379B8
for <************@*****.*****>; Mon, 25 Jul 2016 08:55:09 +0100 (BST)
From: "Prime Shop" <prime@programnotice.com>
To: "************@*****.*****" <************@*****.*****>
Message-ID: <CDBC2FA6.7795183@programnotice.com>
Date: Mon, 25 Jul 2016 00:55:09 -0700
Subject: Please claim your Amazon Prime shopping credit
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

The domain programnotice.com is registered in Panama as shown below

WHOISGUARD PROTECTED
WHOISGUARD, INC.
P.O. BOX 0823-03411
PANAMA
PANAMA
00000
Panama

The email server is based in Netherlands

Meppel
KG
7942
Netherlands

An interesting point is the time stamp on the email shows a 7 hour time difference where as the Netherlands are a hour ahead and Panama 5 hours behind UTC

Whilst none of this is really informative, it is hopefully interesting enough to help people be aware of the risk from emails.

Saturday, 2 July 2016

Surviving the turmoil of brexit (surviving the cybercriminals attack)

In the wake of the Brexit vote and the result for the leave campaign they has been an explosion in news reports on the UK and world economy and how companies and the markets are reacting to the vote decision along with stories of racism and harassment of individuals.

As with any news worthy event; and this is ranking at the top end of such events; the ‘proper’ media along with social media has exploded with stories and headlines capturing the eye of the individual. The result is that for the cyber-criminal there is a wealth of material to use to convincing individuals to fall for malware laden emails, drive by downloads and other attacks and both the individual and the employer is at increased risk of loss due to cyber-attack.

The material that is being generated as a result of the Brexit vote is being used as a hook to engage the individuals with the attack and what normally would be considered outlandish and ignored is now being responded to.

Attacks such as
  •  Pretexting, pretextual, blagging
  • Phishing, whaling, spear phishing, IVR and phone phishing
  •  Baiting
  • Quid pro quo
  •  419, Nigerian scams, advance fee scams

Can all be made more believable by referencing stories from or purported to be from the fallout of the Brexit vote. How many of your employees would look at an email reporting to continue information on the relocation of corporate headquarters to another European capital, or would individuals fall for news on the banking struggling to meet foreign currency demands or having sufficient funds to cover cash withdrawals.

Any such emails, news site, social media article could be well meaning or be part of a cyber-attack. Organisations and individuals can protect themselves by ensuring their or they employees are aware of the types of attacks and the risks from them.

For the organisation they should establish security frameworks of trust aimed at the employee/personnel level (i.e., specify and train personnel when/where/why/how on how social engineering attacks should be handled).

These frameworks should cover
  •  Identifying how social engineering attacks are committed
  • The type of headlines and information used to make them believable; focusing on current affairs.
  • The incident response procedures for handling such attacks, especially if they think they fell for an attack

The employees should be trained in the security frameworks, the frameworks should be tested through a strategy of both announced and unannounced, periodic tests of the security framework and the framework should be continuously reviewed as no solutions to information integrity are perfect.