3 types of attacks feared by companies
When exchanging with CISOs and CIOs about the actions to be taken to ensure optimal security of their information systems, user awareness and the implementation of good security hygiene practices are frequently discussed. It is undeniable that the human factor often plays a decisive role in the compromise of information systems. While raising awareness among employees and partners is essential, it is common to observe decision-makers adopting a fatalistic view of the situation and considering that security through the use of technical solutions is a failure.
Are they right? In an attempt to provide some insights in this article, we address three well-known techniques that attackers employ to hack enterprise computer systems, and against which security services must fight.
1 - Zero-day vulnerabilities within network applications exposed on the internet
We start with this one, which is often the nightmare of CISOs. Even by working relentlessly to achieve a high level of cybersecurity maturity, it remains difficult today to fight against this type of attack, which can be targeted or opportunistic. For certain systems, the choice is made to expose business applications, sharing services, administration, and even entire application environments to facilitate remote access. For others, this widespread exposure represents too much risk, and the decision is made to only make applications accessible through an exposed VPN gateway or a bastion.
Whether in one case or the other, these points of exposure remain entry points to the company's network, and unknown vulnerabilities to vendors are, de facto, the weak point of the most secure systems.
The attack methodology is simple. If it's opportunistic, the attacker knows a zero-day vulnerability that affects a network application in a given version and holds the corresponding software exploit. By scanning the internet or using online tools like Shodan, the attacker easily obtains a list of vulnerable candidates. It is then enough to select targets to potentially compromise them.
In the case of a targeted attack, the methodology differs: the attacker will seek to list the exposure points of the target and determine the underlying technologies and solutions. What VPN is used and in which version? What web server runs this business application, with which backend language and which libraries? Once this information is obtained, the attacker will choose the component on which to perform vulnerability research, set up a local testing environment, use fuzzing or source code auditing methods, and once a vulnerability is identified, develop the corresponding software exploit.
Note that the exploitation of targeted zero-day vulnerabilities is much less widespread than their opportunistic counterparts. Indeed, it often requires resources and means that only certain actors, such as states, can afford.
These attacks are seen as inevitable: something that cannot be effectively fought against and for which there is no other choice but to accept the risk.
Thus, the defense tends to consider this intrusion vector as a sword of Damocles and will prefer to concentrate its efforts on other aspects of security: since we cannot prevent intrusion, let's accept it but focus on detection, network segmentation, or the response capabilities of the teams. But can't we really avoid this type of intrusion?
2 - Spear phishing sur les applications d’entreprise
Let's stay in the realm of application exposure, but this time, let's set aside software vulnerabilities and focus on the human factor.
Unlike the previous one, this technique is exclusively used in targeted attacks.
Traditional spear phishing involves identifying a target and using highly specific social engineering methods to obtain confidential information, particularly to facilitate an intrusion. Most of the time, the attacker will attempt to obtain access credentials for email accounts.
Spear phishing on enterprise applications, therefore, involves the attacker listing the business applications and various services exposed on the internet of their target during the discovery phase, to determine authentication targets where they can attempt to retrieve valid credentials through phishing.
Unlike the previous one, this technique is much more accessible to attackers with limited means: no software vulnerabilities to discover, but only finding an attack surface and valid credentials.
By combining information gathered through network scanning, OSINT (Open-Source Intelligence), and phishing, this can sometimes be sufficient to gain access. On the defensive side, the highest level of caution can be achieved by implementing MFA (Multi-Factor Authentication) on the application if possible, making the use of a simple username/password insufficient to authorize access, and thus requiring validation through an additional factor (e.g., an app on the user's smartphone or a code sent via SMS).
Most of the time, this measure is sufficient, but not always. Faced with a motivated attacker, the MFA mechanism can be bypassed through certain social engineering methods.
For example, the attacker's system can position itself between the user and the final service to intercept the exchanges and, therefore, the MFA codes entered by the victim with the fraudulent service instead of the legitimate company service. Another method (e.g., in the case of access validation through push notifications on a smartphone) involves manipulating the user to accept the connection request, as was done in the attack on Cisco that we mentioned in our article "10 Cyber Attacks Exploiting the Exposure Principle".
Ultimately, the success of this type of attack seems to rely solely on a user error, and as a result, it may be tempting to think that user awareness alone can protect against such compromise. But in reality, the attack relies on another essential element: the attacker's ability to discover and access the authentication targets of the company's business applications. If these applications are not exposed, then the company automatically safeguards itself against all attacks falling into this category. Thus, in this case, a technical solution, such as using a VPN or, even better, ZTNA, can provide protection.
3 - Supply Chain Attacks
This third technique will not involve exposure on the internet. Many companies work with subcontractors, and some of them need to provide access to a part of their IT system to these subcontractors. VPN access is one of the most commonly used methods for this need.
In general, companies provide VPN access to their subcontractors to enable them to reach the business applications they need to operate. However, the major disadvantage of such a method is that it opens access to the company's network or a part of the network that hosts the applications. As a result, an attacker who manages to compromise a subcontractor's machine will then be able to access the applications and also a part of the company's network. If strict micro-segmentation principles are not applied, this can have serious consequences for the security of the IT system.
These supply chain attacks are often targeted.
Here's an attack scenario: A hacker wants to infiltrate a large company's IT system. The company has a very high level of cybersecurity maturity. However, like many large companies, it works with subcontractors and allows them remote access to a part of its information system via a VPN. The subcontractor is a small company with little awareness of cybersecurity.
Through social networks, the attacker learns about the relationship between the two companies. Consequently, the attacker decides to target the subcontractor, for example, by sending an email containing malware as an attachment that, once executed, allows the attacker to take control of the employee's machine. Once connected to the workstation, the attacker will conduct a network discovery phase: they will detect the network of the small company and also the part of the network of the large company to which the subcontracting company has access through a VPN tunnel.
In this way, the attacker will be able to discover the services in the network zone to which the subcontractor has access, but also applications that the subcontractor should not have access to. Being connected to the network, the attacker will be able to execute common attacks found within internal networks (Man-In-The-Middle, IP Spoofing, TCP session hijacking) to attempt to bounce to other network zones within the targeted company.
How to protect yourself?
These techniques use different tactics to succeed, such as attacking services exposed on the internet, phishing, social engineering towards employees or subcontractors, and weaknesses in network segmentation methods employed. User awareness is undoubtedly a critical aspect that cannot be overlooked.
However, restricting security to just user awareness would be a mistake. Moreover, it is possible to protect against the aforementioned attacks by employing technical solutions, without solely relying on user caution. Implementing solutions like ZTNA (Zero-Trust Network Access) is an effective way to avoid exposing enterprise services on the internet, thus protecting against attacks that exploit zero-day vulnerabilities on such services by external attackers.
These solutions also safeguard against spear phishing attacks on enterprise applications hosted by the company. Additionally, they enable fine-grained user-to-service access without providing network access, thereby enhancing protection against internal threats.
To learn more, visit our website.
Don't miss out on the upcoming articles; subscribe to the newsletter!