Battling Second Stage Compromises

Friday, July 16, 2010

Brent Huston


Right now, most organizations are fighting a losing battle against initial stage compromises. Malware, bots and client side attacks are eating many security programs alive. The security team is having a nearly impossible time keeping up with the onslaught and end-user systems are falling left and right in many organizations.

Worse, security teams that are focused on traditional perimeter security postures and the idea of “keeping the bad guys outside the walls” are likely unaware that these threats are already active inside their networks.

There are a number of ways that second stage compromises occur. Usually, a compromised mobile device or system comes into the environment via remote access, VPN or by being hand carried in by an employee or consultant.

These systems, along with systems that have been exploited by client-side vulnerabilities in the day-to-day network, represent the initial stage compromise. The machines are already under attacker control and the data on these machines should already be considered compromised.

However, attackers are not content with these machines and their data load. In most cases, they want to use the initial stage victims to compromise additional workstations and servers in whatever environment or environments they can ride those systems into. This threat is the “second stage compromise”. The attackers use the initial stage victims as “pivot points” or bots to attack other systems and networks that are visible from their initial victim.

Commonly, the attacker will install bot-net software capable of scanning other systems and exploiting a few key vulnerabilities and bad passwords. These flaws are all too common and are likely to get the attacker quite a bit of success.

The attacker then commands the bot victim to scan on new connections or at designated times, thus spreading the attacker’s presence and leading to deeper and deeper compromise of systems and data.

This pattern can be combated in a number of ways. Obviously, organizations can fight the initial stage compromise. Headway has been made in many organizations, but the majority are still falling quite short when it comes to protecting against the growing and diverse set of attack vectors that the bot herders and cyber-criminals use.

Every day, the attackers get more and more sophisticated in their campaigns, targeting and approach. That said, what can we do if we can’t prevent such attacks? Perhaps, if we can’t prevent them easily, we can strengthen our defenses in other ways. Here are a couple of ideas:

One approach is to begin to embrace enclave computing. This is network and system trust segregation at the core. It is an approach whereby organizations build their trust models carefully, allowing for initial stage compromises and being focused on minimizing the damage that an attacker can do with a compromised workstation.

While you can’t prevent compromise, the goal is to create enough defensive posture to give your team time to detect, isolate and respond to the attack. You can read more about this approach in our 80/20 rule of Information Security.

A second idea is to use HoneyPoint decoy hosts on network segments where exposures and initial stage compromise risks are high. These decoy hosts should be dropped where they can be easily scanned and probed by infected hosts. VPN segments, user segments, DMZs and other high exposure areas are likely candidates for the decoy placement. The idea is that the systems are designed to receive the scans.

They offer up services that are fake and implemented just for this purpose. The decoy systems have no other use and purpose than to detect scans and probes, making any interaction with them suspicious or malicious.

Decoy services, called HoneyPoints, can also be implemented on the servers and other systems present in these network segments. Each deployed HoneyPoint Agent ups the odds of catching bots and other tools deployed by the attacker in the initial stage compromise.
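To make the decoy idea concrete, here is an added example of a minimal decoy listener and the classification logic behind it. It is not HoneyPoint or any MicroSolved code; the decoy port numbers, the two-port threshold and the 60-second window are assumptions chosen for illustration. Because the host offers no real service on these ports, a single connection is already suspicious, and several distinct decoy ports touched by one source in a short window is treated as a scan from a likely pivot host.

```python
import socket
import threading
import time
from collections import defaultdict

# Assumed decoy ports: nothing legitimate should ever connect to them on this host.
DECOY_PORTS = (22, 445, 3389)
SCAN_THRESHOLD = 2    # distinct decoy ports from one source ...
SCAN_WINDOW = 60.0    # ... within this many seconds => classify as "scan"


class DecoyTracker:
    """Records every touch of a decoy port and classifies the source address."""

    def __init__(self):
        self.touches = defaultdict(list)   # src_ip -> [(timestamp, port), ...]

    def record(self, src_ip, port, ts=None):
        ts = time.time() if ts is None else ts
        self.touches[src_ip].append((ts, port))
        return self.classify(src_ip, ts)

    def classify(self, src_ip, now):
        # Only touches inside the window count, so an old single probe ages out.
        recent = {p for t, p in self.touches[src_ip] if now - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_THRESHOLD:
            return "scan"    # several fake services probed: behaves like a pivot host
        return "probe"       # one touch is still worth an alert on a decoy


def serve(port, tracker, log=print):
    """Accept connections on one decoy port, log the verdict, and close at once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    while True:
        conn, (src_ip, _) = srv.accept()
        verdict = tracker.record(src_ip, port)
        log(f"decoy port {port}: connection from {src_ip} -> {verdict}")
        conn.close()


if __name__ == "__main__":
    shared = DecoyTracker()
    for p in DECOY_PORTS:
        threading.Thread(target=serve, args=(p, shared), daemon=True).start()
    while True:
        time.sleep(1)
```

In practice the log line would be forwarded to the central log server or SIEM so the response team sees the pivot attempt as it happens rather than after the fact.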

Both of these strategies can be combined and leveraged for even more defense in depth against initial stage compromises. If you would like to learn more about how these tools and techniques can help, drop us a line or give us a call. We would be happy to discuss them with you.

In the meantime, take a look at how your team is prepared to fight initial stage compromises. What you find may be interesting, especially if your team’s security focus has been on the firewall and other perimeter controls.

Cross-posted from State of Security

Mister Reiner: A few things that can be done to address second stage attacks include:

1. Installing network intrusion detection systems inside the network on core switches and in front of servers.

2. Ensuring that every device is properly "firewalled" (at the host or switch) to only allow initiating connections on certain ports and protocols. Be sure to collate the firewall logs from each device to a central logging server for review.

3. Ensure that groups of workstations (i.e. each department) and each server have a different local administrator password.

Tom Caldwell: Additional layers (ones that integrate instantly with no major changes/risk) are still needed on the perimeter, as chasing down infected workstations is very expensive to companies, not to mention the cost of Microsoft's suggested fix (via support), that of [full reformatting, and a backup restore after re-installation of Windows].

Botnets, which include trojans that perform the sending of malicious data [spam/virus], also spread through multiple 'secondary attack' methods as Brent mentioned; however we must admit, as many wouldn't like, to those infections which are caused primarily through 'human error'. The 'initial attack stages' are mainly delivered via e-mail [highest rate], infected URL/scripting/HTTP or web (e-mail or web URL links) [secondary] and of course external media devices like USB drives [third].
Note: 'initial attack' data vectors according to forensic data reports which concur from three security vendors [two besides Idalis] and one industry research firm.

While more security focus needs to be put on the end user to prevent or protect them from common mistakes, preventing the 'initial' penetration through the perimeter will significantly reduce the amount of accidental mistakes end users can make [reduced exposure to initial attacks]. One, or even two hardware products on the gateway perimeter including end user security suites is not enough to effectively protect from these new and constantly changing threats which fool users into executing the infection leading to Brent's "second attack" methods.

Proactive implementations are the best approach, and there is no denying that additional protection is needed at the gateway (initial) and end user (initial and secondary) to provide "two stage" security to mitigate all the destruction/losses that come with botnet trojans.

We see users releasing malicious e-mail, phishing, and other well crafted and engineered attacks from their quarantines and into the inbox, which inevitably can lead to a click, infection, and additional attacks. Only so much purging can be performed to maintain accuracy and keep users from making mistakes on 'initial stage attacks' at the gateway, so secondary protection is needed, to block the URL or script/attachment.

To solve the human error [via security products] is to solve a large portion of security flaws in the home and business/government sectors!

So, I agree with your post, but would also add that additional proactive layers at the network gateway help prevent 'human error' and then 'second attack stages' by limiting the exposure to the 'initial/first attack stage' or delivery (no e-mail pun intended).