Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Today, Nobody is Going to Attack You.

Published: 2020-10-07
Last Updated: 2020-10-07 13:52:06 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Chances are, nobody is going to bother attacking your network today. Even if you go home, leave the users to browse at will, and return tomorrow well-rested, your network and data will still be fine.

Wait? Really? Has Johannes finally lost it? Aren't you the one telling us that the "Survival time" of a network is in the range of minutes? How can you tell me we are not under attack? I just upgraded my SIEM license to deal with even more events.

This diary is a bit of a "mental health" post. If you have been around in this industry for a while, you probably have developed a bit a similar approach to security, or you would have burned out. We do have a skill shortage. And I love to teach more people about intrusion detection and web application security as they enter the field. But I think it is also essential to keep people in this field and not burn out by leaving them in never-ending crisis mode.

Let's look at some of our data to explain:

1 - Most attacks do not matter

The vast majority of attacks doesn't matter. Someone scanning you on port 23 using a list of well-known default passwords? If you are reading this post, "Mirai" should not be a problem for you. WordPress attacks hitting your webserver a few hundred times a day? Are you using WordPress? And even if you do: Do you have the plugin installed that the exploit is attacking?

Even better: Many of the attacks you are seeing will not work, even if you are vulnerable. For most Mirai style attacks hitting our honeypot, the malware they are attempting to download no longer exists. These "un-dead" botnets are not causing any damage anymore.

At the age of 14, my dog finally realized it is perfectly safe to sleep through the mail delivery. While the mail does trigger several indicators (fence gate opens, a person approaching house), and her trusted threat sharing group at the dog park did confirm these as indicators of an imminent intrusion, she has learned that the mail isn't a threat. sleeping dog

2 - Read "Security News" with caution.

At least in the US, it is election season. And many of you probably already turned out of the daily news shows. Just like "normal news" is often presented to entertain and not to inform, many security news outlets have the same problem. Vendors actually write much of the news you are seeing. We do get offers probably daily from vendors to provide us with "free" content.

In some cases, they even offer to pay (in case you wonder: $1Million in cash... small unmarked bills... left at my front door... may get you considered). Luckily, we do have a team of trusted volunteer that will write about issues that they see in their existing networks. The downside is that you may often not see our content featured on larger network security websites.

Don't get me wrong: You should stay up to date, and you should follow security news. But if you read about a new attack that is being discussed, ask yourself these questions:

  • Is this new? Many attacks are being re-discovered. For example, about once every six months, someone will make big news that you can exfiltrate data via DNS. The same is true for other attacks. Iran was reported to have used the Citrix vulnerability to breach corporations in February and then again in September. The attention span of the security community is about six months. Marketers have figured this out and will re-release a story every six months.
  • Is it relevant? Did you realize someone can watch your keystrokes by hovering a drone outside your window? Or by observing how fast your fan spins? Should you worry? Probably not. If a drone starts hovering outside my window, I am probably going to stop typing. There are many "neat" exploits like this. They make for attention-grabbing headlines and capture an audience during a talk but provide little actionable information.
  • Is it relevant to me? A new Mirai variant? Exposed RDP servers are a huge issue these days. But are you using RDP? Focus on what is relevant to you.
  • Trust but verify. Sadly, a lot of security news is outright wrong. If an article passed all the tests about: Test it yourself if you can and test mitigations. Sometimes these inaccuracies are just a matter of you running a different configuration then the author.

3 - Security Tools are There to Confuse You

No security vendor will survive if their tool doesn't produce alerts. As a result, they tend to create more alerts than you need. The early Windows security tools I played with (BlackICE and ZoneAlarm) displayed a popup message each time they blocked a packet. Of course, they quickly stopped doing that as bots/worms became more common. Take firewall logs as a more generic example: An inbound firewall log entry indicates that the firewall took care of the attack. Stop looking at them. Remove that number from your dashboard. (yes... outbound may be a different story). Most out-of-the-box dashboards are useless and only designed to show off the tool ("Oohh... now we can do donut graphs") and not designed to provide actionable data.

In my opinion, an ideal dashboard is "empty" and only comes to live if something actionable happens.

So how do I "Survive" in Cyber?

It is ok to take a break. Go for a walk. Pet the dog (leave the cat alone! she likes it that way). Take some time to experiment and "play" with the tools. Try out something different (e.g. a new dashboard). And most of all: Prioritize.

That is probably the main mistake a lot of people make. It is not your job to prevent every breach (if it is: sorry. You have an impossible job). Your #1 job is to stay in business (meaning: keep your job). 

Of course, how to prioritize depends on your organization. At this point, I guess for most organizations; ransomware is the #1 threat. How does ransomware get into your network? The most damaging ransomware is often deployed via weakly protected RDP servers and other "choke points" (e.g., VPN vulnerabilities). This fact isn't "news." The NSA released a document with details just about a year ago [1]. But since our six months news cycle is up again, you will see this "news" currently. 

Scanning and securing/monitoring these entry points isn't easy, but not the most challenging part.

I will leave the other step up to the reader as an exercise. But something like credential management and endpoint protection probably comes next. Do not worry too much about gaps in specific tool's capabilities. Is it manageable? Does it cooperate with what you have? I like the idea of "buying an API," not a tool. In the end, a tool is useful if it provides meaningful protection against a relevant threat at an acceptable cost. Tools are never perfect.

So relax. Your network will be fine. Most alerts you are seeing are harmless—safe your energy for the real incident that will come eventually but not today.

[1] https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1982939/nsa-cybersecurity-advisory-malicious-cyber-actors-leveraging-vpn-vulnerabilitie/

[2] https://healthitsecurity.com/news/3-key-entry-points-for-leading-ransomware-hacking-groups

Disclaimer: Dog paragraph and picture added for social media optimization.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

5 comment(s)
Diary Archives