There are many types of cyber-attacks used by criminals today. Financial institutions should employ a layered approach to defending against these attacks. These layers are often thought of in terms of tangible entities like users, workstations, connections, or applications. An alternative way to think about cybersecurity layers is in terms of tactics an attacker can use.
The MITRE ATT&CK framework is used by many security professionals to describe the tactics and techniques observed in real cyber-attacks. A tactic is the attacker's goal at a given stage (getting in, staying in, moving around, and so on); a technique is one way of achieving that goal. The Enterprise matrix organizes adversary behaviour into 12 tactics (at the time of writing), which an organization can use to assess and strengthen its controls. This week, we will start to look at the “Initial Access” tactic, which covers the techniques an attacker uses to gain a first foothold inside an organization.
According to MITRE ATT&CK, there are 11 techniques used to gain initial access to an organization's internal systems (these exclude attacks on mobile devices, for which MITRE maintains a separate matrix). We describe the first 4 of these techniques, along with the controls that mitigate them, this week and the remainder next week:
- Drive-by Compromise: A drive-by compromise occurs when an employee visits a legitimate website that has been compromised (or that serves malicious advertising). The site delivers a script that probes the employee's browser and its plugins for vulnerabilities and exploits any it finds. If successful, the attacker gets code execution on the workstation, usually with the privileges of the logged-in user, and can work upward from there. Mitigations at the workstation level include timely patching of the browser and its plugins, the browser's built-in exploit protections and sandboxing, ad blockers, and script blocking. A good endpoint protection tool installed on workstations can also detect and stop the attack once it starts. At the network level, firewalls, web gateways (which can block known-bad sites and risky categories), and intrusion prevention systems can help detect and block these attacks.
- Exploit Public-Facing Application: Internet-facing websites and applications can contain vulnerabilities that an attacker can use to gain a foothold on the institution's systems. To protect against these attacks, Internet-facing applications should run on systems isolated in a DMZ, with firewall rules that prevent the DMZ host from initiating connections into the internal network, so that a compromised application cannot be used as a stepping stone to internal systems and data. Application isolation (sandboxing, containers, or least-privilege service accounts) further limits what a compromised application can reach on its own host. Finally, every externally-facing application should be regularly scanned for vulnerabilities, with any weaknesses found remediated quickly.
- External Remote Services: Most institutions expose a number of remote services to employees and/or vendors, including VPN access, webmail interfaces, and VDI or remote desktop services such as Citrix or Remote Desktop Connection (RDC). Attackers try to log in to these services as a legitimate user, typically with stolen or guessed credentials. Institutions should configure their firewalls to block inbound connections to any remote service an employee might set up on a workstation or other internal system, so that only the sanctioned services are reachable from outside. Remote access to the sanctioned services should be limited to just the users who need it, and multifactor authentication should be required on every one of them.
- Hardware Additions: An attacker can plug in network components, computers, or computer accessories that give them a gateway into the network. This type of attack can be mitigated proactively with network access control (for example, 802.1X) that admits only known, authenticated devices onto the network, and with endpoint device-control policies that block unknown accessories from being attached to a computer. Reactively, a solution that regularly scans the institution's networks and systems and alerts when a new device appears can be used; note that an inventory keyed on MAC addresses alone is easy to spoof, so it should complement, not replace, the proactive controls.
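The two controls in the External Remote Services item above (limit remote access to the users who need it, and require MFA on every sanctioned service) can be checked from the services' own logs. The following Python script is an added example, not code from the original post or from any vendor product: it parses a constructed key=value login log, and the hostnames, usernames, source addresses and the allowlist in it are all invented for illustration. Real VPN, webmail and VDI gateways log in their own formats, so the parser would need adapting to them.

```python
"""Audit remote-service logins against two controls: access is limited to an
allowlist of users who need it, and every successful login must have used MFA.

Added example, not code from the original post.  The log format (key=value
fields), the hostnames, the usernames, the source addresses and the allowlist
are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allowlist: user -> set of remote services that user may reach.
REMOTE_ACCESS_ALLOWLIST: dict[str, set[str]] = {
    "jsmith": {"vpn", "owa"},
    "mjones": {"owa"},
    "vendor-acme": {"vpn"},
}

# Constructed login events in a key=value format (not a real product's log).
SAMPLE_LOG = """\
2024-03-04T08:12:01Z vpn01 LOGIN user=jsmith service=vpn src=203.0.113.10 mfa=yes result=success
2024-03-04T08:15:44Z vpn01 LOGIN user=svc-backup service=vpn src=198.51.100.7 mfa=no result=success
2024-03-04T08:20:02Z owa01 LOGIN user=mjones service=owa src=203.0.113.55 mfa=no result=success
2024-03-04T08:22:13Z vpn01 LOGIN user=mjones service=vpn src=203.0.113.55 mfa=yes result=success
2024-03-04T08:25:40Z vpn01 LOGIN user=jsmith service=vpn src=203.0.113.10 mfa=yes result=failure
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) LOGIN (?P<fields>.*)$")


@dataclass(frozen=True)
class Login:
    ts: str
    host: str
    user: str
    service: str
    src: str
    mfa: bool
    success: bool


def parse_log(text: str) -> list[Login]:
    """Turn LOGIN lines into Login records; non-login lines are ignored."""
    logins: list[Login] = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        kv: dict[str, str] = {}
        for field in match["fields"].split():
            if "=" in field:  # tolerate a stray token without a value
                key, value = field.split("=", 1)
                kv[key] = value
        logins.append(
            Login(
                ts=match["ts"],
                host=match["host"],
                user=kv.get("user", "?"),
                service=kv.get("service", "?"),
                src=kv.get("src", "?"),
                # A missing mfa field is treated as "no MFA": fail closed.
                mfa=kv.get("mfa") == "yes",
                success=kv.get("result") == "success",
            )
        )
    return logins


def audit_logins(logins: list[Login], allowlist: dict[str, set[str]]) -> list[str]:
    """Return one finding per violated control, in log order.

    UNAUTHORISED: a user reached a service they are not allowlisted for.
    NO-MFA:       a user was granted access without a second factor.
    Failed logins are skipped: no access was granted, so neither control applies
    (brute-force detection is a separate check).
    """
    findings: list[str] = []
    for lg in logins:
        if not lg.success:
            continue
        where = f"{lg.service} on {lg.host} from {lg.src} at {lg.ts}"
        if lg.service not in allowlist.get(lg.user, set()):
            findings.append(f"UNAUTHORISED: {lg.user} reached {where}")
        if not lg.mfa:
            findings.append(f"NO-MFA: {lg.user} logged in to {where}")
    return findings


if __name__ == "__main__":
    for finding in audit_logins(parse_log(SAMPLE_LOG), REMOTE_ACCESS_ALLOWLIST):
        print(finding)
```

Run as-is, the script reports four findings from the five constructed events: the service account that reached the VPN without being allowlisted and without MFA, the webmail login without MFA, and an allowlisted webmail user who reached the VPN. Treating a missing `mfa` field as "no MFA" is deliberate: if the gateway stops logging the factor, the audit should start failing rather than go quiet.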
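The reactive control in the Hardware Additions item above (scan the network, compare against a device inventory, alert on anything new) looks like this in practice. The following Python script is an added example, not code from the original post: it diffs a constructed snapshot in the format of Linux `arp -an` output against a constructed inventory of approved devices. The hostnames, IP addresses and MAC addresses are invented for illustration, and a real deployment would feed it the scan output and the CMDB or NAC inventory instead.

```python
"""Reactive detection of hardware additions: diff a fresh network scan against
an inventory of approved devices and alert on anything unknown.

Added example, not code from the original post.  The inventory, the scan
output (in the format of Linux `arp -an`) and all addresses are constructed
for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory of approved devices: MAC -> (hostname, expected IP).
KNOWN_DEVICES: dict[str, tuple[str, str]] = {
    "00:1a:2b:3c:4d:01": ("core-switch-01", "10.20.5.1"),
    "00:1a:2b:3c:4d:02": ("teller-ws-17", "10.20.5.44"),
    "00:1a:2b:3c:4d:03": ("branch-printer-02", "10.20.5.90"),
}

# Constructed scan output, one line per ARP entry as `arp -an` prints it.
# The last line is an unresolved entry with no MAC and must be skipped.
SCAN_OUTPUT = """\
? (10.20.5.1) at 00:1a:2b:3c:4d:01 [ether] on eth0
? (10.20.5.44) at 00:1a:2b:3c:4d:02 [ether] on eth0
? (10.20.5.91) at 00:1A:2B:3C:4D:03 [ether] on eth0
? (10.20.5.201) at d8:3a:dd:11:22:33 [ether] on eth0
? (10.20.5.250) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str  # normalised to lower case so inventory lookups are stable


def parse_arp(output: str) -> list[Device]:
    """Extract (ip, mac) pairs from `arp -an` output, ignoring incomplete entries."""
    devices: list[Device] = []
    for line in output.splitlines():
        match = ARP_LINE.search(line)
        if match:
            devices.append(Device(match["ip"], match["mac"].lower()))
    return devices


def audit_scan(output: str, known: dict[str, tuple[str, str]]) -> list[str]:
    """Return one alert per finding, in scan order.

    HIGH:   a MAC address not in the approved inventory at all
            (a possible rogue switch, laptop or implant).
    MEDIUM: an approved MAC seen at an IP other than its expected one
            (a moved device, or something spoofing a known MAC).
    """
    alerts: list[str] = []
    for dev in parse_arp(output):
        entry = known.get(dev.mac)
        if entry is None:
            alerts.append(f"HIGH: unknown device {dev.mac} at {dev.ip}")
        else:
            name, expected_ip = entry
            if expected_ip != dev.ip:
                alerts.append(
                    f"MEDIUM: {name} ({dev.mac}) seen at {dev.ip}, expected {expected_ip}"
                )
    return alerts


if __name__ == "__main__":
    for alert in audit_scan(SCAN_OUTPUT, KNOWN_DEVICES):
        print(alert)
```

Against the constructed snapshot this raises one MEDIUM alert for the printer that has moved address and one HIGH alert for the unknown MAC. The MEDIUM case is included because the check is only as strong as its key: a MAC address can be set freely by an attacker, so an approved address showing up somewhere unexpected deserves a look, and the script is a detective backstop for 802.1X-style network access control rather than a substitute for it.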
Next week, we will continue this discussion by looking at the remaining 7 techniques used to gain initial access to internal systems.
If you want to dig deeper into creating a security program that protects against all of the different tactics used by attackers, please contact us at support@bedelsecurity.com.