Security Experts:

Lessons Learned from Data Breaches and File-names

When it comes to securing our organizations from cyberattack, we can be our own worst enemy. For example, how many users on your network store sensitive information like user names and passwords in files with easy to find labels (passwords.doc)? Unfortunately, it’s likely more than you think. And it takes just one of those users falling victim to even a basic spearphishing attack to allow that information to fall into the hands of an attacker.

Most of the major data breaches in 2014 had two common traits: spearphishing, which involves sending targeted emails to employees, and the compromise of third-party contractors who often have access to company resources. With these tested techniques in hand, attackers relied more on compromising user trust than on sophisticated nation-state level malware and zero-day exploits. Lesson learned? It doesn’t take the most advanced tools to break into even the largest corporations on the planet.

Once an attacker establishes an initial foothold, he moves on to additional steps in the attack kill-chain, usually attempting to steal legitimate credentials from a privileged user. Once obtained, those credentials let him masquerade as an administrator and move more easily through the network. Often this involves an exhaustive search and multiple advanced tools, but sometimes attackers simply find an unencrypted file that obviously contains sensitive data. Even if these files don’t include login details for a privileged machine, they represent a hundred new attack vectors and ways to maintain access within a compromised network: credentials to internal systems, accounts for third-party services, personal information, etc.

Human behavior being what it is, we will often re-use passwords across multiple services. Lesson learned? Don’t store passwords on your machine, especially not in plaintext. There are a number of secure password management applications available to help manage your credentials.

The above attack flow assumes that a user has been somehow tricked into clicking a malicious link in a spearphishing email, or visits a compromised site with a vulnerable browser. But the attacks also occur when a user mistakenly opens malicious content.

To illustrate, below are real malicious filenames found on enterprise networks:

• “please call me back asap.exe”

• “Copy_of_document_July-31-2014.exe”

• “DeltaTicket.exe”

• “Financial_report.rar.scr”

Looking through hundreds of thousands of suspect files, we saw a few simple trends emerge. First, users do not look at file extensions. Logic would dictate that a supposed copy of a document, or an airline e-ticket, would never be an executable.

Executables are an incredibly simple way of delivering malware wrapped up and ready to infect systems. Attackers know this behavior and will craft malware that looks like a PDF, often even including “.PDF” in the filename, when it is really something else. You can’t rely on users knowing not to download executables from the internet, or not to open them from an email, especially when personal webmail is allowed on corporate networks.
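As an added example (not code from the original article), a small Python triage routine that applies the two checks these paragraphs describe: flag a filename whose real extension is executable while the name imitates a document, archive or everyday business item, and compare what a name claims with what the file's first bytes say. The extension lists and lure words are assumptions, and the sample inputs are constructed from the filenames quoted above.

```python
# Extensions Windows will run directly (assumption: representative subset, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions a user expects to be harmless documents or archives (assumption).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rar", "zip", "txt", "jpg"}
# Wording that imitates routine business correspondence (assumption).
LURE_WORDS = ("invoice", "report", "document", "ticket", "scan", "notice", "call me")

MZ_MAGIC = b"MZ"        # every Windows PE executable starts with this DOS header
PDF_MAGIC = b"%PDF-"    # what a genuine PDF starts with


def filename_flags(name: str) -> list:
    """Return the reasons a filename alone looks like a disguised executable."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    flags = []
    if len(parts) < 2:          # no extension at all: nothing to judge here
        return flags
    ext, inner = parts[-1], parts[1:-1]
    if ext in EXECUTABLE_EXTS:
        flags.append(f"executable extension .{ext}")
        if any(p in DOCUMENT_EXTS for p in inner):
            # e.g. Financial_report.rar.scr: the decoy extension sits before the real one
            flags.append("document extension hidden before the real one")
        if any(w in name.lower() for w in LURE_WORDS):
            flags.append("business-lure wording on an executable")
    return flags


def content_flags(name: str, head: bytes) -> list:
    """Compare the type the name claims with the file's leading bytes."""
    ext = name.lower().rsplit(".", 1)[-1]
    flags = []
    if head.startswith(MZ_MAGIC) and ext not in EXECUTABLE_EXTS:
        flags.append(f"PE executable content behind .{ext} name")
    if ext == "pdf" and not head.startswith(PDF_MAGIC):
        flags.append("claims to be PDF but lacks %PDF- header")
    return flags


def triage(name: str, head: bytes = b"") -> list:
    """Combine both heuristics; an empty list means nothing suspicious was found."""
    return filename_flags(name) + content_flags(name, head)


if __name__ == "__main__":
    # Constructed samples: the four names from the article plus a PDF lookalike.
    samples = [("please call me back asap.exe", b"MZ\x90\x00"), ("Copy_of_document_July-31-2014.exe", b"MZ"),
               ("DeltaTicket.exe", b"MZ"), ("Financial_report.rar.scr", b"MZ"),
               ("statement.pdf", b"MZ\x90\x00"), ("real_statement.pdf", b"%PDF-1.4")]
    for fname, first_bytes in samples:
        print(f"{fname!r}: {triage(fname, first_bytes) or 'no flags'}")
```

Blocking on these flags at a mail gateway or proxy removes the decision from the user, which is the point made later in the article.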

The second largest trend is the same exploitation of trust we saw earlier: attackers attempting to blend into common business practices to deliver malware. Yes, there are instances of obviously inappropriate workplace actions, such as employees downloading pornographic files, pirated software, games, or movies – but these make up a relatively small portion of the overall files analyzed. Far more common were faked scanned documents, court notices, invoices, or travel arrangements. These are all emails or files people would not think twice about opening.

Between user behavior and the types of malicious files attempting to compromise enterprises, there are a few steps you can take to reduce your risk exposure today:

• Educate your users on how to properly store credentials, including using password management tools, never storing them in plaintext, and of course enforcing good policy for all internal systems.

• Use a security solution that can block the download of all executables from the Internet. This is an incredibly simple way to cut down on 90 percent or more of all malware delivered to your employees, as we saw in the types of malware above. Typically there is limited legitimate use of an .EXE downloaded from a website.

• Automate the prevention of threats to take the burden off your users, and security teams. There will always be new malware, and new methods of compromise. User training and remediation can never keep up with the threat landscape as it evolves.

Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.