Twenty Organizations Were Analyzed in a Recent Study; All 20 Were Already Unknowingly Compromised
While most of the security industry is looking forward and making threat predictions for 2017, one vendor has stopped to analyze what has been happening in 2016 — and the reality is, we aren’t even aware of what is happening in our networks today.
Breach detection firm SS8 used its BreachDetect platform to analyze 20 different organizations across multiple industry sectors. BreachDetect was developed for and is used by law enforcement agencies conducting forensic examinations. None of the 20 organizations analyzed were known to be compromised before the analysis — but all 20 were found to have indicators of compromise. The results were published in a blog post last week.
“The findings,” Faizel Lakhani, President and COO of SS8, told SecurityWeek, “are based on the analysis of data from more than 5 billion high definition records (HDRs) of network activity gathered during a two-week risk assessment by SS8 using our sensors at ingress and egress points at enterprises, across five industries. The compromised devices were discovered by SS8. All the networks evaluated by SS8 (100%) showed some evidence of traffic tunneling.”
Lakhani pointed out that this alone does not necessarily mean that the entire network has been compromised, “since the attack could be at any stage, including reconnaissance. With many companies adopting application aware or next generation firewalls,” he added, “it has become difficult for hackers to get into the network through ports that used to be generally open (80, 443, 22,etc ). As a result, they have started to tunnel traffic over protocols that are allowed by the firewalls to get in, and if successful, get out with the data.”
However, all 20 organizations also showed signs of DNS-related exfiltration, and had evidence of malformed protocols in outbound traffic. The associated report (PDF) warns that many organizations are ill-prepared for DNS-based attacks. DNS exploit attacks, it says, “often use UDP traffic, which is generally trusted by firewalls and other preventative security tools. As such, they are unlikely to detect data exfiltration over DNS.”
It gives the use of an encrypted session without a certificate as an example of malformed protocols. “Using this evasion technique,” it says, “the data remains encrypted, but the endpoint is not validated. This indicates the traffic, while encrypted, may not be going to the intended recipient.”
While all 20 analyzed organizations showed these signs of potential compromise, many also displayed more specific indicators. Seventy-seven percent had one or more compromised devices beaconing out to a remote server. Eighty percent had applications built on top of bittorrent platforms.
Perhaps the two most surprising discoveries, however, is that 30% were infected with audio-recording malware; and 70% had compromised non-essential devices on the network.
The report compares the audio malware to the type of malware that hijacks webcams on laptops and desktops to capture login and other information; but in this case is used to eavesdrop and/or record conversations in real-time. “This type of attack is more common in the federal sector, where it can be especially harmful when used in state-sponsored attacks to gather intelligence,” it says.
The biggest warning for the future is that 70% of the organizations analyzed have compromised ‘non-essential’ devices. These are IoT devices, like smart TVs that display company information. If an IoT device is contained within a sandboxed or segmented part of the network, then the attacker cannot move laterally and the harm is limited. But, “most companies do not place these devices in a sandboxed network,” said Lakhani.
“What these findings demonstrate,” he told SecurityWeek, “is the network doesn’t lie. Most networks are actively breached and none of the companies in this study were aware that they were compromised until after we presented the results from our risk assessments. SS8’s network analytics and retrospection capabilities allow us to detect devices of interest that are exhibiting behaviors of compromise, which traditional network monitoring technologies cannot.”