How to stop attackers getting a toehold on the corporate network

Donato Capitella, head of training at MWR InfoSecurity, examines some of the basic ways in which attackers can be prevented from getting a toehold on the corporate network

In a connected world, security breaches are almost inevitable. Organisations need to face the fact that determined attackers will eventually get in. It may be through a vulnerability in the network perimeter, perhaps a zero-day exploit, through a combination of phishing emails carrying custom malware and social engineering, or even through gaining physical access. But equally, a single compromise should never mean game over for the organisation.

But attackers tend to follow certain patterns, which means there are a number of opportunities for organisations to identify them before it becomes a headache.

For instance, a typical attack starts with the attacker gathering information on the organisation to enable them to conduct a targeted phishing campaign and compromise employees' workstations to get an initial toehold. They can then leverage this position to move laterally into the network by compromising other user accounts and systems. From the attacker's desired position within the network, data exfiltration/modification and finally sabotage via a denial-of-service (DoS) attack can take place.

Once these common attack patterns are understood, it is possible to focus security efforts. The application of prevention and hardening measures combined with effective intrusion detection and incident response can slow attackers down, force them down known paths and essentially make them "noisy" and more easily caught.

Gone phishing

Take phishing, for example. Phishing is essentially a form of social engineering and an important defence against this is simply greater user awareness. This can be achieved via a training programme coupled with periodic "training" phishing campaigns to assess users' susceptibility to such attacks and keep them alert. One key point is to instruct users to report any suspicious email, as this will allow the security team to detect and respond to similar emails.

It is also important to put in place solutions to filter email content. For example, Sender ID or Sender Policy Framework (SPF) can be used to check for spoofed emails. Email content can also be inspected to look for typical phishing patterns and, in particular, for links and attachments. Such links and attachments can be automatically analysed within sandboxes to see if they exhibit suspicious behaviour, and can be stopped before reaching the end user.
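As an added illustration of the SPF check mentioned above (this is example code written for this page, not from the original article or MWR InfoSecurity), here is a minimal offline evaluator covering the ip4, ip6 and all mechanisms, together with the filtering decision a mail gateway would take on the result. The SPF record and the sending addresses are constructed from documentation ranges; mechanisms that need DNS lookups (include, a, mx, exists, redirect=) are flagged rather than evaluated.

```python
import ipaddress

# Constructed sample record for a hypothetical domain (documentation ranges only).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record against the IP that connected to our MTA.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no SPF record),
    'permerror' (malformed term) or 'unsupported' (mechanism needs DNS, which
    this offline example deliberately does not perform).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # first colon only, so ip6 literals survive
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                         # no match: try the next mechanism
        return "unsupported"                 # include/a/mx/exists/redirect= need DNS
    return "neutral"                         # ran off the end without a match


def filter_action(spf_result):
    """Map an SPF result to a gateway decision (policy chosen for this example)."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "unsupported", "permerror"):
        return "quarantine"                  # hold for review rather than silently drop
    return "deliver"
```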

As far as host hardening is concerned, some controls can be implemented to raise the bar and make it more difficult for the attacker to gain control of a user's workstation. Phishing emails will often contain a piece of malware in the form of an attachment, or link to a malicious website that will enable the attacker to perform a drive-by download. In this way, they can establish a command and control channel.

Anti-virus software, although useful against generic attacks, won't provide effective protection against targeted attacks, as attackers usually rely on custom malware that's been specifically engineered to bypass anti-virus detection. An effective control that can be implemented, though, is application white-listing: this will prevent users from running unwanted software that's not been authorised, including executables and scripts attached to emails. Other controls that can be implemented include restricting the types of attachments that are allowed, thus blocking executables.

However effective, application white-listing is no silver bullet and, indeed, there are other methods attackers can use to get round it. For instance, an attacker can send a document containing active content, such as a Microsoft Excel spreadsheet with a malicious macro, or an apparently legitimate document that exploits a flaw in commonly used software, such as Adobe Acrobat Reader.

Sensible precautions

To further raise the bar, such active content could be disabled altogether or its execution limited to trusted/signed components. In the case of Microsoft Office, this can be achieved by removing the Visual Basic for Applications (VBA) component from an Office installation or by restricting macro execution to macros stored in a trusted location. For Acrobat Reader, it is a sensible precaution to turn off JavaScript if it is not required for any internal applications.

One final weapon attackers can use to bypass these controls is to exploit vulnerabilities in client-side software, such as document readers, email clients and browsers. So, it is paramount to ensure that such software is kept up to date. One further step is to implement generic exploit-mitigation techniques that will make it harder for attackers to use zero-day exploits.

Some of these controls, such as address-space layout randomisation and data-execution prevention, are offered by modern operating systems as standard. In certain situations it might be possible to build exploits that bypass these controls; for this reason, further exploit-mitigation techniques have been devised, such as those offered by Microsoft's Enhanced Mitigation Experience Toolkit, which are much harder to defeat.

In these various ways it is possible to diminish the number of entry points for an attacker, but history has shown us that there may still be the odd successful attempt. Therefore, the next article in this series will look at ways to limit lateral movement by attackers within the organisation, should they succeed in infiltrating the network, and how to prevent data exfiltration.

Donato Capitella is a security consultant and head of training at MWR InfoSecurity. He also performs penetration tests and security assessments of critical applications within corporate infrastructures.