2018 Breach Data | Eric Alexander

December 26, 2018

2018 Breach Data

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu, The Art of War

Some advice on preventing about 70% of the incidents I see over in /r/securitybreach, a subreddit started to help answer the questions: What’s the enemy after? How do they go about trying to get it?

Account Compromise

Approximately 30% of the incidents I’ve seen stem from an Account Compromise: Credentials were compromised and now there’s unauthorized access to data.

The tactics are basic password spraying: grab a combo list like Exploit.in and spray those creds across multiple targets.

There are plenty of ways to mitigate. If I could only recommend 1 way, hands down, it would be MFA. U2F > TOTP > any MFA > no MFA. Don’t overthink MFA, just enable it everywhere you can.

Broken Access Control

“Nobody wants to hack us”

About 20% of incidents are due to broken access control, yet there’s more to the story and the motivation is possibly more interesting. The majority of broken access control incidents I’ve seen are schadenfreude motivated.

Maybe you don’t process credit cards or cryptocurrency. Maybe you don’t store any personal data. Doesn’t matter: there’s a company or consultant out there looking for press and they’d love to find your open S3 bucket, Elasticsearch DB, or MongoDB.

How are you doing on those SANS Critical Security Controls? Number 1 is inventory. You can’t protect what you can’t see. Simply running Scout2 and acting on that insight would prevent 50% or more of the Broken Access Control incidents I see.

Insufficient Logging & Monitoring

Over 40% of incidents are money related and about 30% are after credit card data. Magecart actors have found a chink in the PCI armor and it’s called JavaScript includes. How does it work? Simple: compromise JavaScript included on a checkout page and siphon off credit card data.

On this one, sorry, I don’t have concrete insight into Magecart tactics. I’ve got a hunch that there’s not a strong culture of peer reviews or CI/CD in the victim environments.

The 3 Rs create an environment that’s inhospitable to unauthorized changes, and a culture of peer reviews ensures a minimum of 2 people understand the change.

At the least, make sure you have sufficient logging & monitoring in place to know when a change happened, authorized or not.
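As an added example (not the author's code), here is a small Python monitor for the checkout-page includes described above: it inventories the `<script src>` tags, hashes what each URL actually serves, and reports any include that appeared, disappeared or changed since a reviewed baseline. The page, script bodies and hostnames are constructed, and `sri_integrity` is an assumed extra that emits a Subresource Integrity value to pin a tag to its reviewed body.

```python
import base64
import hashlib
import re
from typing import Callable

# Constructed sample data (hostnames are made up): a checkout page and the
# script bodies it included when the baseline was taken.
BASELINE_HTML = (
    '<script src="https://cdn.shop.invalid/checkout.js"></script>\n'
    '<script src="https://tag.vendor.invalid/analytics.js"></script>\n'
)
BASELINE_BODIES = {
    "https://cdn.shop.invalid/checkout.js": b"function pay(c){ post('/api/pay', c); }",
    "https://tag.vendor.invalid/analytics.js": b"track('checkout');",
}
# A later fetch: the vendor tag now also reads the form, and a new include appeared.
CURRENT_HTML = BASELINE_HTML + '<script src="https://cdn.shop-assets.invalid/jq.js"></script>\n'
CURRENT_BODIES = dict(BASELINE_BODIES)
CURRENT_BODIES["https://tag.vendor.invalid/analytics.js"] = b"track('checkout'); send(document.forms[0]);"
CURRENT_BODIES["https://cdn.shop-assets.invalid/jq.js"] = b"/* unreviewed include */"

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

def script_sources(html: str) -> list[str]:
    """Inventory every external script the checkout page loads."""
    return SCRIPT_SRC.findall(html)

def snapshot(html: str, fetch: Callable[[str], bytes]) -> dict[str, str]:
    """Map each script URL to the SHA-256 of the body actually served for it."""
    return {src: hashlib.sha256(fetch(src)).hexdigest() for src in script_sources(html)}

def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Includes that appeared, vanished, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(s for s in baseline if s in current and baseline[s] != current[s]),
    }

def sri_integrity(body: bytes) -> str:
    """Subresource Integrity value that pins a <script> tag to the reviewed body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def run_check() -> dict[str, list[str]]:
    """Compare the current fetch against the baseline; any non-empty list is an alert."""
    base = snapshot(BASELINE_HTML, lambda src: BASELINE_BODIES[src])
    now = snapshot(CURRENT_HTML, lambda src: CURRENT_BODIES[src])
    return diff_snapshots(base, now)
```

In a real deployment the fetch callable would pull each URL on a schedule and the baseline would be updated only through the same peer-reviewed change process as the page itself; a vendor tag that changes on its own schedule will show up as "changed" every time, which is exactly the conversation to have with that vendor.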

APT Tactics

APT: maybe a nation state figured it out, but now every script kiddie knows how to do it. I find APT tactics interesting, partially due to the asymmetric problem of defense, partially because – thanks to open source tooling – the methods are easy to execute, and mostly because it’s a great example of turning your enemy’s strength (Active Directory) into their weakness.

Side note: The Art of War is possibly the best security book written. OK, back to APT.

The one thing I’d recommend: Run through it yourself in your environment. Once you see how it’s done you will “know the enemy” and can leverage what you know about your environment – know thyself – to implement IOCs.

Here’s a simple recipe:

  • Use Metasploit as your C&C.
  • Use Unicorn to generate a payload with a good chance of avoiding AV detection.
  • Find a list of targets on LinkedIn.
  • Phish your list. Email them a link to your Unicorn payload and a simple message to trick them into running it.
  • Now you’re on the network. Use PowerShell Empire to find a logged in domain admin.
  • Game over.

What’s that sound?

It’s old hats – grey beards? – grumbling: nothing new here, old news. Maybe, but if it’s old news then why is it still effective? Incident trend data shouldn’t be the domain of marketing teams trying to push the next silver bullet. Help me out over in /r/securitybreach.

The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.

© Eric Alexander 2017