FINCSIRT

Beyond Common vulnerabilities

Information Security is a rapidly advancing domain where we consider minutes rather than days. Whatever happened in the past, we can adopt to secure it. Yet, the next moment it will be a total different incident and the solution will be quite different to the previous one. Therefore, information Security analysts should be up-to-date and vigilant on the changes happening over the infrastructure. Contrary to the popular belief, tools can only provide us with little help on defending ourselves against these threats. Serious attackers are not into using tools that we normally think of.

Hacking by definition is a process that is used to find alternate process to normal behavior of an application, process or a device. Therefore even in security, if we are to apply common security process to secure our infrastructure, attackers will try to alter that process in order to find a weakness in our security measures as well. We are trained to find vulnerabilities in software, devices or in an application that reside in our infrastructure and patch them for better security. Yet, these are not considered as high security measures in year 2017. All these are basic requirements in an infrastructure that needs to exist even without a security analyst. As information Security professionals, we need to look beyond these procedural tasks as what we are after will not exists within normal alerts that we get from our existing defenses. For an example, it is common to get SSH brute force attacks to our perimeter devices and we are currently equipped with defensive mechanisms like IDS/IPS, UTM devices, Web Application Firewalls against them. Most of the time these attacks will end without any success and within minutes they will be just a single line of alert from the vast number of alerts that we receive throughout the day. Most of us would not drill deep to these incidents as they are identified and acted automatically from our existing defenses. What we fail to understand is that we need to pay more attention to those breadcrumbs of events occurred within the same time duration. Successful SSH connection from an internal system administrators’ workstation to the server is not considered as a high-risk alert. Also, a MySQL service restart is an acceptable behavior in our day-today operations. Nevertheless, what if the attacker compromised a system administrators’ workstation and connected to the server legitimately. And he just configured the MySQL to accept connection from a system administrators’ workstation IP rather than the application server. What if the attacker then connects to MySQL legitimately as now the configuration allows it. Suddenly the brute-force attack seems like noise to mask a carefully planned attack.

Thus, we need to identify these insignificant events and should be able to think and correlate on the security impact to the overall infrastructure. In this case, we should verify that whether there was any reason for the administrator to connect to a production system at that time. Further, is there any proper approval to restart the system services in the production systems. To answer these questions, we need to have all the proper workflow procedures / policies or otherwise there won’t be any information that we can use to verify the events. At the same time, our staff will do things without any approvals and therefore we won’t be able to distinguish from malicious actions to legitimate actions.

Finally to conclude, above are the glimpse of reasons why there are many policy requirements stated in the secure standards we follow such as; BSS (Baseline Security Standard), ISO 27001, PCI DSS etc.. They are not mere checklists that we should follow, whereas those are the pillars of our next-gen security infrastructure. Further, as security professionals, we need to have an in-depth understanding of our infrastructure and what happens throughout the day. The checks and balances should be there for every small action that we do. It is not about the buffer overflow or the XSS anymore.