Attackers are hiding in plain sight: Palo Alto Networks
By Digital News Asia June 5, 2014
- 99% of all malware logs were generated by a single threat using UDP
- Many network administrators are unaware of which applications are running on their networks
New research by Palo Alto Networks has found that attackers are hiding in plain sight, using existing applications on an organisation’s network and traditional exploit techniques in innovative ways to mask dangerous threat activity.
“Our research shows an inextricable link between commonly used enterprise applications and cyber threats. Most significant network breaches start with an application such as e-mail delivering an exploit.
“Then, once on the network, attackers use other applications or services to continue their malicious activity – in essence, hiding in plain sight,” said Sharat Sinha (pic), Palo Alto Networks’ vice president for Asia Pacific.
Findings of the 2014 edition of the Palo Alto Networks Application Usage and Threat Report are based on traffic data collected over a 12-month span from network traffic assessments performed worldwide in more than 5,500 organisations, in which 2,100 applications, 16,000 unique threats and billions of threat logs were observed.
It found that common sharing applications such as e-mail, social media, and video remain favoured vehicles for delivering attacks but are often the start of multi-phased attacks rather than the focus of threat activity.
In addition, 99% of all malware logs were generated by a single threat using User Datagram Protocol (UDP); attackers also use applications like File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Secure Sockets Layer (SSL), and NetBIOS (Network Basic Input/Output System) to mask their activities.
The report also found that 34% of applications observed can use SSL encryption; many network administrators are unaware of which applications on their networks use unpatched versions of OpenSSL, which can leave them exposed to vulnerabilities such as Heartbleed.
“Our data shows many examples of cyber threats using applications as their infiltration vectors, exhibiting application-like evasion tactics, and using common network applications for lateral communications and exfiltration of data as cyber criminals work to exploit our networks,” Sinha said.
He added that knowing how cyber criminals exploit applications would help enterprises make more informed decisions about protecting their organisations from attacks.
“Some of this is old news. But like your dad used to tell you: work smarter, not harder. Attackers know that the use of any application at any time in the enterprise is pervasive and they know that an unprecedented level of trust has been established by common sharing applications.
“These elements mean that bad guys can more easily achieve their malicious goals,” he added.
In addition to the findings, the report includes actionable intelligence that security teams can use to better protect their networks, such as:
- Deploy a balanced safe enablement policy for common sharing applications - key to the success of this recommendation is documentation of the policies, education of users, and periodically updating the policy.
- Effectively control unknown traffic - every network has unknown traffic: small in volume, averaging only 10% of the bandwidth observed, but high in risk. Controlling unknown UDP and TCP (Transmission Control Protocol) traffic will quickly eliminate a significant volume of malware.
- Determine and selectively decrypt applications that use SSL - selective decryption, in conjunction with the enablement policies outlined above, can help businesses uncover and eliminate potential hiding places for cyber threats.
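The second and third recommendations above (control unknown traffic, decrypt SSL selectively) come down to measuring what the firewall could not classify and deciding where to look harder. The script below is an added example written for this page, not code from Palo Alto Networks or from the report. It assumes traffic logs that carry an application label (with "unknown-udp" and "unknown-tcp" marking traffic the classifier could not identify), a transport protocol, source and destination, and a byte count; the field layout and the log lines themselves are constructed for the example and are a simplified CSV, not a real PAN-OS log format. The thresholds and the "SSL on a non-standard port" heuristic for picking decryption candidates are assumptions, not recommendations from the report.

```python
"""Triage 'unknown' application traffic and pick SSL decryption candidates.

Added example, not the report's or vendor's code. Assumes a simplified,
constructed CSV layout: src,dst,dport,proto,app,bytes.
"""
from collections import defaultdict

# Constructed sample log lines (not real captures).
SAMPLE_LOGS = """\
10.1.1.5,203.0.113.10,443,tcp,ssl,1200000
10.1.1.5,203.0.113.11,80,tcp,web-browsing,800000
10.1.1.7,198.51.100.4,53,udp,dns,4000
10.1.1.9,198.51.100.77,6881,udp,unknown-udp,95000
10.1.1.9,198.51.100.78,6882,udp,unknown-udp,91000
10.1.1.12,203.0.113.50,8443,tcp,unknown-tcp,30000
10.1.1.13,203.0.113.10,443,tcp,ssl,600000
10.1.1.14,198.51.100.5,25,tcp,smtp,15000
10.1.1.15,203.0.113.60,8443,tcp,ssl,50000
"""

# Labels assumed for traffic the application classifier could not identify.
UNKNOWN_APPS = {"unknown-udp", "unknown-tcp"}


def parse_logs(text):
    """Parse the constructed CSV layout into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, app, nbytes = line.split(",")
        rows.append({"src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "app": app, "bytes": int(nbytes)})
    return rows


def bytes_by_app(rows):
    """Total bytes per application label."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["app"]] += r["bytes"]
    return dict(totals)


def unknown_share(rows):
    """Fraction of all observed bytes that the classifier could not identify."""
    total = sum(r["bytes"] for r in rows)
    unknown = sum(r["bytes"] for r in rows if r["app"] in UNKNOWN_APPS)
    return unknown / total if total else 0.0


def unknown_talkers(rows, proto="udp", min_bytes=100_000):
    """Sources sending at least min_bytes of unknown traffic over `proto`.

    Sorted by volume, highest first; a hunting list for the 'control
    unknown UDP/TCP' recommendation. min_bytes is an assumed threshold.
    """
    per_src = defaultdict(int)
    for r in rows:
        if r["app"] in UNKNOWN_APPS and r["proto"] == proto:
            per_src[r["src"]] += r["bytes"]
    return sorted(((s, b) for s, b in per_src.items() if b >= min_bytes),
                  key=lambda x: -x[1])


def ssl_decrypt_candidates(rows, standard_ports=(443,)):
    """(dst, dport) pairs carrying SSL on a non-standard port.

    Simple assumed heuristic for selective decryption: decrypt the SSL
    flows that do not look like ordinary HTTPS first, not everything.
    """
    seen = set()
    for r in rows:
        if r["app"] == "ssl" and r["dport"] not in standard_ports:
            seen.add((r["dst"], r["dport"]))
    return sorted(seen)


if __name__ == "__main__":
    rows = parse_logs(SAMPLE_LOGS)
    print(f"unknown share of bandwidth: {unknown_share(rows):.1%}")
    print("unknown-udp talkers:", unknown_talkers(rows))
    print("unknown-tcp talkers:", unknown_talkers(rows, proto="tcp"))
    print("SSL decryption candidates:", ssl_decrypt_candidates(rows))
```

On the constructed sample the unknown traffic is a small share of bandwidth, in line with the report's observation, yet a single source accounts for almost all of it; that is the pattern the "hiding in plain sight" finding describes, and the talker list is where a blocking rule or an investigation would start.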