According to F-Secure’s The State of Cyber Security 2017 report, criminal hackers perform most cyber-attacks using basic, scriptable techniques against poorly maintained infrastructure. This will continue as long as there are loads of attack scripts and plenty of poorly secured networks.
The number of attack scripts is climbing as elite hackers continue to create these scripts and sell them to others, says Itzik Kotler, CTO and Co-Founder, SafeBreach. There doesn’t seem to be any stopping this trend.
CSO examines scriptable attacks and the part of the problem that you can control: getting your infrastructure in shape to shrug off these breaches.
So what’s a script?
Scriptable attacks simply use scripts. “A script is a series of commands or computer tasks that execute automatically,” says Michael Cook, Team Lead, CERT Division, SEI, Carnegie-Mellon University. Scripts enable attackers to orchestrate many simultaneous attacks where they would otherwise have to perform each one by hand, one at a time.
Attackers select their scripts from several scripting languages including Bash, Ruby, Python, PowerShell, Visual Basic, JavaScript, and others. The language of choice can be the one they find most familiar, the one best suited to the necessary steps along the attack path, or the one that is compatible with the system they plan to attack, says Cook. For this reason, attackers will use multiple scripting languages in their attacks. An attacker can also use a wrapper to make a script work in an environment where it is not otherwise compatible, explains Cook.
An attacker can automate every phase of an attack using scripts. Some scripts are scanners that perform ping sweeps to determine whether a range of IP addresses is live and connected, says Kotler; scanners also do port scanning to discover what kinds of services are running. If the version of the running service is vulnerable, explains Kotler, a script can even launch the appropriate exploit to attack that vulnerability.
Scripts have more capabilities. Scripts can enumerate potential targets using DNS enumeration—a process that identifies DNS servers and collects server information—, executes bruteforce attacks, or logs in remotely using common usernames and passwords on SSH or remote desktop tools, according to Kotler.
There are many web resources for security professionals who want to stay on top of scriptable attacks. You can find notices of new attacks at CERT and also follow exploits. The OWASP publishes custom web application attacks. You can use CVE Details to follow new vulnerabilities. You can follow conversations on Twitter and IRC channels and projects and project talk on GitHub, says Kotler. “SafeBreach maintains a Hacker’s Playbook that tracks the latest techniques that hackers use,” adds Kotler.
Black hat hackers’ intentions
Scriptable techniques enable even the script kiddies to orchestrate the entire life cycle of a cyber-attack, including the identification of potential victims, the orchestration of attacks, reconnaissance, the identification of the next victim, exfiltration of data, and post-attack cleanup, says Dennis Moreau, senior engineering architect at VMware. “The San Francisco MUNI attack contained examples of defacement (at the ticket terminals), ransomware (extortion to recover functionality), and employee information theft and exploitation,” illustrates Moreau.
Dennis Moreau, senior engineering architect at VMware
Scripts are adequate for compromising machines and building out botnets for use in DDoS attacks, for collecting credit card information or other PII, or for encrypting important files and systems in a ransomware attack, says Cook. “Attackers maximize the value of their objective by successfully accessing large numbers of systems after expending the fixed cost of writing the attack script,” notes Cook.
Black hats can easily customize their scripts. When constructing their script-based onslaughts against the enterprise, criminal hackers can top off their attacks with new elements. “By embedding these automation techniques and adding a new, unpatched vulnerability, i.e., a zero-day attack on top of it, black hat hackers can create new self-propagating worms,” explains Kotler.
Get your infrastructure in shape to withstand scriptable attacks
To get your infrastructure in shape, says Kotler, use the same process that the criminal hackers are using—automation. “By automating and simulating the adversary, companies can understand the attackers’ point of view and proactively identify issues beforehand, then monitor whenever fixes are not possible,” affirms Kotler.
To get ready for scriptable attacks, first know your network, says Cook. Uncover vulnerabilities by using frequent security scans, network mapping, audits of account permissions, and penetration testing. Resolve weaknesses using thorough patch management, proper configurations, and system hardening; reset permissions to allow only the least privileges necessary for the user or device to do their job.
All this enables the organization to close security holes, reduce vulnerabilities, identify network issues, and generate valuable context with which to make smart security decisions using its limited resources, says Cook.
Further steps include knowing what your systems, components, and services should and should not do and using this understanding to realize a least-privilege security posture at the firewall, IPS, and web application firewall as a fundamental aspect of cyber hygiene while regularly verifying this posture, says Moreau.
You should also segment your data center to prevent a single successful exploit from becoming a data-center-wide compromise, says Moreau. Use this compartmentalization as a basis for establishing visibility and control over the lateral traffic within the data center (east/west traffic). “The resulting visibility will expose anomalous behavior during an attack that avoids/defeats your endpoint protections; leverage security analytics solutions to compare exposed network behavior to normal behavior, and to potentially malicious behavior patterns,” says Moreau.
Solid websites with more information for combating scriptable techniques include the CIS benchmarks page with its secure (hardened) configurations for various platforms. Other useful sites include CERT with its free security assessment, Carnegie Mellon with articles about new attacks, and the IEEE with papers about cybersecurity implementations.
There are resources and there are resources
All the information resources in the world and all the tools won’t give you a sufficient number of security team members to get the job done. With the resources, the tools, and a full complement of disciplined, well-trained security staff, you can make nearly bulletproof infrastructure security a reality. People who know their priorities, work together as a well-lubricated mechanism, and spend the allotted time closing and checking every potential gap one after another can do it.