Ready For IT 2022: Back to attacks on new digital uses

Written by Arnaud Pilon - 08/06/2022 - in CSIRT
Thanks to the Ready for IT organizers for letting us share feedback on our incident response (CSIRT Synacktiv) and red team activities. Below is a summary of the talk.

The 2019 COVID crisis has accelerated some IT projects in ways that no consulting firm could have imagined before. The most significant impact is the prevalence of mobility and the convergence of new paradigms: applications must be easily reachable remotely (no more unnecessary round trips to the office), administration tasks must be able to reach laptops at home or on the go, and IT can no longer rely on the local or Wi-Fi network to help with synchronization. The effects of this evolution are still visible in 2022 and will certainly remain so for the next two years.

Massive adoption of the (misunderstood) multi-Cloud

Except for some heavily regulated sectors (mostly in Europe), most companies are turning to public cloud providers in two ways:

  • fast adoption of the SaaS version of some outdated on-premises applications (email, video conferencing, CRM, etc.). As a result, some users have gained access to new applications with rich new features. The default configuration of most SaaS applications remained unchanged and was ultimately delegated to the user: this delegation of security is the model most cloud offerings are built on;
  • lift-and-shift of physical servers into an IaaS so that the application is reachable from anywhere. Unfortunately, the security and technology debt moves to the cloud with them.

For a small number of them, cloud providers are taking the time to help companies understand their legacy so that they can take full advantage of the cloud. Of course, such a move is easier and more effective for recent or mid-size companies. Large companies had already started such a project or were sometimes simply better prepared to move to the cloud. The security implications of such a move were immediate: some internal bad practices were exposed on the Internet, and IT lost visibility.

A document shared with the wrong permissions on an internal share can only be accessed by an internal employee or contractor: this could lead to an investigation to figure out who read the document. In that case, an outside attacker must first penetrate the internal network. Even though the perimeter is a fragile line of defense, most companies still rely on a firewall and share permissions to protect data. In the cloud, the same misconfiguration could lead to a catastrophic leak: folders can be shared with anyone who knows the link, or at worst the whole drive can be browsed online. Already in 2018, a small cyber community created a Shodan-like web application indexing misconfigured AWS S3 buckets that made data publicly available. Other bad practices such as password reuse could lead to the compromise of the SaaS application. If the authentication process has not been hardened, the user's password alone is sufficient for an attacker to gain access to the mailbox.
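The "anyone who knows the link" misconfiguration above has a direct equivalent in an S3 bucket policy: an Allow statement whose Principal is the wildcard. The following added example (not code from the original talk or from Synacktiv) shows the kind of check a CSPM-style tool performs on such a policy before an attacker's indexer finds it. The policy itself is constructed, as are the bucket name, account id, role and VPC endpoint id it contains.

```python
import json

# Constructed sample bucket policy (not from any real account). One statement
# grants anonymous read and listing of the whole bucket, one grants anonymous
# access only through a VPC endpoint, one is scoped to a single IAM role, and
# one is an explicit Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "RoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "NoInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Principal/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element means "everyone": "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def classify_statements(policy_json):
    """Map each Allow statement's Sid to (verdict, sorted actions).

    verdict is "public" (anyone, no Condition at all), "conditional" (anyone,
    but a Condition narrows it) or "scoped" (a named principal). Deny
    statements never grant access, so they are skipped here; a full evaluation
    would also apply them and the account-level Block Public Access settings.
    """
    policy = json.loads(policy_json)
    result = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = sorted(_as_list(stmt.get("Action", [])))
        if not _is_anonymous(stmt.get("Principal")):
            verdict = "scoped"
        elif stmt.get("Condition"):
            verdict = "conditional"
        else:
            verdict = "public"
        result[stmt.get("Sid", "<no sid>")] = (verdict, actions)
    return result


def public_sids(policy_json):
    """Sids that expose the bucket to anyone on the Internet without any condition."""
    return [sid for sid, (verdict, _) in classify_statements(policy_json).items()
            if verdict == "public"]


if __name__ == "__main__":
    for sid, (verdict, actions) in classify_statements(SAMPLE_POLICY).items():
        print(f"{sid:20} {verdict:12} {', '.join(actions)}")
    print("unconditionally public:", public_sids(SAMPLE_POLICY))
```

The "conditional" verdict matters in practice: a wildcard principal restricted to a VPC endpoint or a source IP range is a common and legitimate pattern, so flagging every `"Principal": "*"` as a leak produces the noise that gets such alerts ignored. The `s3:ListBucket` grant on the public statement is the policy-level version of "browse the drive online".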

Moving to an IaaS provider is quite different from running on-premises infrastructure. Most operations are delegated to the cloud provider, and key concepts such as IaC (Infrastructure as Code) or the cloud provider's security model remain unknown for lack of time to train the system operators. Such a shift has deep consequences: IT has less control over what happens on the network. Where some on-premises weak signals or well-known tools were enough to troubleshoot or suspect a security incident, in the cloud you must use and understand the cloud provider's API. As a result, a security incident could remain undetected in the cloud for a longer period than before (if it is ever detected at all).
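The weak signals the paragraph refers to now live in the provider's audit API rather than on a network tap. As an added example (not part of the original talk and not Synacktiv's tooling), the script below triages a short audit trail for two of them: a successful console login without MFA, and a change to a bucket's exposure made from outside the corporate address range. The events are constructed and only modelled on CloudTrail's field names; the users, account id, bucket and the 203.0.113.0/24 "corporate" range are assumptions.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample audit trail as JSON lines, modelled on CloudTrail's field
# names (eventName, userIdentity, sourceIPAddress, additionalEventData,
# responseElements, requestParameters). No real account, user or address.
SAMPLE_TRAIL = """\
{"eventTime": "2022-06-01T08:02:11Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.7", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2022-06-01T09:14:45Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.23", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2022-06-01T09:15:02Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "198.51.100.99", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2022-06-01T09:16:30Z", "eventName": "PutBucketPolicy", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.23", "requestParameters": {"bucketName": "example-bucket"}}
{"eventTime": "2022-06-01T09:20:00Z", "eventName": "GetObject", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}, "sourceIPAddress": "203.0.113.40", "requestParameters": {"bucketName": "example-bucket", "key": "report.pdf"}}
"""

# Assumption: stands in for the office / VPN egress ranges of the company.
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]

# API calls that change who can reach a bucket. A change made from an
# unexpected address is the kind of weak signal worth a second look.
BUCKET_EXPOSURE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                          "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"}


def parse_events(jsonl_text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def _actor(ev):
    """Best available name for who made the call (user, role session ARN, or type)."""
    ident = ev.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _outside_corporate(ip, ranges):
    try:
        addr = ip_address(ip)
    except ValueError:
        # CloudTrail records a service DNS name here when another AWS service
        # made the call on the account's behalf; that is not a user location.
        return False
    return not any(addr in net for net in ranges)


def triage(events, corporate_ranges=CORPORATE_RANGES):
    """Return (rule, actor, sourceIP, eventTime) tuples for events matching a rule."""
    findings = []
    for ev in events:
        name, actor = ev.get("eventName"), _actor(ev)
        ip, when = ev.get("sourceIPAddress", ""), ev.get("eventTime", "")
        login_ok = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
        # Rule 1: a console session was opened with only a password.
        if name == "ConsoleLogin" and login_ok and mfa != "Yes":
            findings.append(("login_without_mfa", actor, ip, when))
        # Rule 2: bucket exposure changed; rule 3: and from outside the company.
        if name in BUCKET_EXPOSURE_EVENTS:
            findings.append(("bucket_exposure_change", actor, ip, when))
            if _outside_corporate(ip, corporate_ranges):
                findings.append(("change_from_outside_corporate_ip", actor, ip, when))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_TRAIL)):
        print(*finding)
```

On the constructed trail the only hits are bob's password-only login followed, two minutes later, by a bucket policy change from the same non-corporate address; the failed login and the ordinary object read produce nothing. Chaining the two rules by actor and time window is what turns a list of weak signals into an incident worth opening.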

Some SaaS applications are great, well designed and raise the average security level compared to older applications, but this is a new paradigm and users need to be trained to mitigate the risks mentioned above. Likewise, the cybersecurity industry is responding quickly with dedicated tools (CASB, CSPM) to fill these new gaps; but new tools require dedicated training and integration into the existing corporate landscape.

Security of the laptop: the old new thing

The security of the laptop has a long history in infosec. Digital transformation has added a new layer of complexity with mobility, requiring the adoption of new tools and processes. First, it is increasingly the norm to work without permanent VPN access and to assume that applications run outside the data center. Some users do not hesitate to make wide use of SaaS applications without the agreement of the IT department (WeTransfert, FileTransfertIO, …), on top of applications installed on the desktop without IT agreement. We have noticed that most new laptops used for remote work or by road warriors lack security updates (some might say this was already true before ;) or antivirus updates because they cannot reach the internal update server, and most often lack every aspect of device management. VPNs often permit direct Internet access from home and bypass corporate proxy filtering: again, the IT department lacks visibility into Internet traffic. This is one of the technical reasons why new security products work in the cloud (EDR, web gateway, etc.) and focus on laptop activity rather than on centralized or edge monitoring.

Phishing still works, even though the email providers mentioned above are very effective at detecting fake authentication login forms. But as SaaS applications are the new norm, phishing is moving to fake business applications (such as CRM or ITSM) and to the security products themselves. In other words, EDR phishing is the new way to become domain administrator.

Information security is (still) about tools and processes

Since 2000, Bruce Schneier's adage has remained meaningful: a security product needs processes and procedures to be effective. As the landscape becomes more complex, the security product is often the only way some people know to solve security problems, mainly because it is easier than solving the root cause itself. We still encounter too many beliefs that products solve problems. Even if the security engine is well designed or effective at detecting a threat, it needs to be fully integrated into the enterprise landscape. As a result, we often see relevant security alerts lost in a full mailbox or never picked up. In the same category, some network security devices are configured by default with no logs and no detection rules activated. The best-protected companies combine mastered (security) products and monitoring processes.


While it is easy to identify gaps, it is more difficult to fix problems and vulnerabilities, especially for large companies. A common target is the authentication process, so identity management should be one of the most important avenues. MFA-based authentication and a cloud-based identity provider (IdP) significantly increase the security of user accounts. That is the new first line of defense, as opposed to firewall-based defense. In addition, it improves the traceability of the logging system, since logs are consistent with a single authentication database.

Endpoint security is a hot topic in the cyberdefense industry: such a product should be fully integrated into the detection process and, once the number of alerts stabilizes, any weak signal should be processed as a potential threat from an attacker. Evaluating an EDR product is quite challenging; the marketing vocabulary moves faster than the threats themselves ;) Evaluation criteria are often underestimated, and a use-case approach is better than following non-reproducible statistics about detection rates: what kind of features do you really need? How does the tool fit into your current organization? Keep in mind that phishing, VPN access compromise and supply chain attacks are the most common scenarios for large-scale attacks.