This is one of the main ideas I came away with after attending the Mandiant/FireEye webinar yesterday. The webinar, “From the Front lines: What really happened at MIRcon” (Mandiant Incident Response Conference), summarized some of the main talks from that conference. Mandiant was acquired by FireEye in January 2014 and, together, they are recognized as one of the leaders in cyber security. Thus, whatever ideas they think are important must be taken seriously.
As one of Mandiant’s experts admitted, “Determined hackers will always find a way”. This assumption is the foundation of the company’s philosophy. They treat it as the starting point for arguing that companies must think beyond attack prevention to detection and recovery, and that both belong in the security architecture of any enterprise. With this in mind, a company’s best alternative is to make life as difficult, and as costly, for the attacker as possible.
Many attackers install malware on a host in a location that few users will ever think of checking, and they use little-known programs that ship with the operating system to mask their activity. One of the favorites for such clandestine work is Windows PowerShell. It is present on every modern Windows system and can be used as a platform to download, stage and launch further attacks without dropping a conventional executable. Restricting it, by removing the legacy v2 engine (which bypasses modern logging), enforcing constrained language mode through an application-control policy and turning on script block logging, or disabling it outright where nothing depends on it, can thwart a number of APT techniques. Similarly, Windows Script Host and WMI (Windows Management Instrumentation) offer attackers both a way into your network and a place to hide persistence once it is compromised. WSH can be disabled entirely; WMI, which Windows itself depends on, cannot, but it can be audited for the permanent event subscriptions attackers use to survive reboots. In other words, you don’t need expensive software to improve your security.
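The following PowerShell script is an added example of the hardening just described; it is not code from the webinar or from Mandiant/FireEye. It removes the PowerShell v2 engine, enables script block logging, disables Windows Script Host through its documented registry setting, and audits the WMI root\subscription namespace for permanent event subscriptions. The registry paths and cmdlets are the standard ones; the decision to disable WSH assumes nothing on the host still depends on it, which you should confirm first.

```powershell
# Added example (not from the webinar or Mandiant/FireEye): harden and audit the
# three Windows built-ins discussed above. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. PowerShell: rather than removing it (Windows management depends on it),
#    remove the legacy v2 engine, which sidesteps modern logging, and enable
#    script block logging so every script that runs is recorded in the
#    Microsoft-Windows-PowerShell/Operational log (event ID 4104).
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Windows Script Host: Enabled=0 stops wscript.exe/cscript.exe from running
#    .vbs/.js/.wsf droppers. Assumption: no legitimate logon script needs WSH here.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord

# 3. WMI: cannot be disabled, so audit it. A permanent subscription is a
#    filter (trigger), a consumer (action) and a binding joining them. On a
#    clean workstation this is usually empty apart from Microsoft's own
#    SCM Event Log consumer, so anything else deserves a close look.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    [PSCustomObject]@{
        Filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                        Select-Object Name, Query
        Consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                        Select-Object Name, CommandLineTemplate, ScriptText
        Bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                        Select-Object Filter, Consumer
    }
}

$wmi = Get-WmiPersistence
"--- WMI event filters ---";   $wmi.Filters   | Format-Table -AutoSize
"--- WMI event consumers ---"; $wmi.Consumers | Format-Table -AutoSize
"--- Filter/consumer bindings ---"; $wmi.Bindings | Format-Table -AutoSize

# Verify the settings took effect.
"PowerShell v2 state:  " + (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
"Script block logging: " + (Get-ItemProperty -Path $sbl).EnableScriptBlockLogging
"WSH enabled:          " + (Get-ItemProperty -Path $wsh).Enabled
```

Two caveats apply. The execution policy is not a security boundary (an attacker can pass `-ExecutionPolicy Bypass`), so logging and application control are what actually constrain PowerShell. And a CommandLineEventConsumer or ActiveScriptEventConsumer bound to a filter on, say, system startup or a time interval is the classic WMI persistence pattern; the consumer's CommandLineTemplate or ScriptText tells you what it runs.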
In one presentation, Zubair Ashraf reported on how susceptible Android endpoints can be to attack. He showed how a vulnerability could be used to bypass MDM restrictions: the MDM controls can be fooled into reporting that all is well when, in fact, the device has been compromised. Once again, this is bad news for companies interested in implementing BYOD on their networks, and a reminder that an MDM compliance report should not be the only evidence that a device can be trusted. For those interested in the more technical details of this exploit, you can read about them here.
Many attacks are launched from compromised websites or from sites built specifically to attack visitors. Indicator of Compromise (IOC) and domain reputation tools are available free of charge, and many are web-based, so a site’s reputation can be checked before anyone actually visits it. Much can also be learned from the domain’s WHOIS registration data that should make one suspicious: when was the domain registered, where, and is the registrant hidden behind a privacy service? A domain created a few days ago that imitates a well-known brand is a classic phishing sign. The point here is that many diagnostic and forensic tools are available free of charge, and used together they make your network much more difficult for attackers to infiltrate. Mandiant itself offers a number of free tools in this regard. FireEye’s free tools are here.
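As an added example of the kind of check these free tools perform, and not code from the webinar or from Mandiant/FireEye, the Python below matches proxy log lines against an IOC list (domains, including their subdomains, and IPs) and flags suspicious WHOIS fields such as a very recent creation date or a privacy-proxy registrant. The IOC feed, the log lines and the WHOIS record are all constructed for the example; real tools would pull the feed and the WHOIS answer live.

```python
"""Added example (not from the webinar or Mandiant/FireEye): offline IOC matching
over proxy logs plus a WHOIS sanity check. All data below is constructed."""
import re
from datetime import date

# Constructed IOC feed, standing in for a free threat-intelligence source.
IOC_DOMAINS = {"update-checker.example.net", "cdn-static.example.org"}
IOC_IPS = {"203.0.113.45"}

# Constructed proxy log lines: timestamp, client IP, method, host/path, status.
PROXY_LOG = """\
2014-10-21T09:12:03Z 10.0.0.21 GET www.example.com/index.html 200
2014-10-21T09:12:09Z 10.0.0.21 GET update-checker.example.net/dl/a.exe 200
2014-10-21T09:13:44Z 10.0.0.35 GET 203.0.113.45/gate.php 404
2014-10-21T09:14:01Z 10.0.0.35 GET docs.example.com/ 200
"""

# Constructed WHOIS answer for a lookalike domain (field names follow common
# WHOIS output; assumed for the example).
WHOIS_RECORD = """\
Domain Name: EXAMP1E-LOGIN.COM
Creation Date: 2014-10-15T00:00:00Z
Registrar: Example Registrar, LLC
Registrant Organization: Privacy Protect, LLC
Registrant Country: PA
Name Server: NS1.EXAMPLE-DNS.NET
"""

LOG_RE = re.compile(r"^(\S+) (\S+) \S+ ([^/\s]+)")


def parent_domains(host):
    """Yield the host and each parent domain (a.b.c -> a.b.c, b.c) so that a
    subdomain of a listed domain still matches."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def match_iocs(log_text):
    """Return (timestamp, client, host, kind) for every log line hitting an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, host = m.groups()
        if host in IOC_IPS:
            hits.append((ts, client, host, "ip"))
        elif any(d in IOC_DOMAINS for d in parent_domains(host)):
            hits.append((ts, client, host, "domain"))
    return hits


def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into a dict keyed by lower-case field name."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if value:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def whois_warnings(text, today, young_days=90):
    """Flag a young registration and a hidden registrant; both are common for
    phishing domains, neither proves anything on its own."""
    w = parse_whois(text)
    warnings = []
    created = w.get("creation date")
    if created:
        age = (today - date.fromisoformat(created[:10])).days
        if age < young_days:
            warnings.append(f"registered {age} days ago")
    if "privacy" in w.get("registrant organization", "").lower():
        warnings.append("registrant hidden behind privacy service")
    return warnings


if __name__ == "__main__":
    for hit in match_iocs(PROXY_LOG):
        print("IOC hit:", hit)
    for warning in whois_warnings(WHOIS_RECORD, date(2014, 10, 21)):
        print("WHOIS warning:", warning)
```

Matching parent domains matters because attackers rotate hostnames under one registered domain; matching the IP as well catches the case where malware calls home by address and never resolves a name.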
One of my favorite ideas was developed by Ronnie Tokazowski, who used programs to attack the malware users themselves. In one case, Tokazowski reverse engineered a phishing email to torment the sender. It is an interesting concept, attacking the attacker, and one that I hope is developed more in the future. Again, some free tools for reverse engineering malware are available, such as REMnux, a Linux distribution built for malware analysis.
In short, I found the webinar very informative. It showed me that it is possible for companies to tighten their security for free and make hackers miserable in the process. What else could one ask for?