The Importance of Continuous Monitoring in Cyber Threat Intelligence
by Tim Keeler, on Feb 25, 2016
The more complex technology becomes, the more vulnerabilities it has. Even if you have continuous maintenance on your systems, updating them as soon as patches and updates are available, your systems are still vulnerable to malicious hackers. Your systems are far more secure than servers and networks that are not kept current, but that doesn’t mean your systems are impenetrable. Continuous monitoring is one of the best ways to detect a malicious user early in an attack. From administrative accounts to attachments, there are a lot of things on your system that malicious hackers can use against your system. Monitoring access to different areas and documents can give you a way of tracking potential issues before they become serious breaches.
The Types of Risks
Monitoring is critical for several reasons, but your administrator accounts are easily the area that is the most susceptible to being compromised on your system. These accounts can be particularly risky if you are not able to track who uses them and when.
One of the most dangerous types of malware in recent years has been ransomware, with Microsoft Word being one of the primary ways that malicious hackers target a system. Word is particularly vulnerable because it has so many features that carry over from release to release, and these features typically are not all updated at the same time. This means that some vulnerabilities are carried over from one release of the software to the next. In some cases, the older features make your system an easy target for ransomware. This kind of problem is not solely a problem with Word, but as one of the most popular word processing applications, it is one of the easiest ways for black hat hackers to reuse their attacks against many targets with little to no changes in their approach.
Two Types of Lazy Yet Effective Ransomware Attacks
The WannaCry virus was a cruel introduction to the relatively new malicious attack called ransomware. It was a relatively sophisticated type of attack, the kind of attack that many malicious hackers are not going to take the time to create in most cases. Software like Word makes it easy for malicious hackers to do very little to no work to exploit vulnerabilities for a huge audience – nearly anyone who uses Microsoft Word. Then there are older networks or smaller networks that use third parties to manage access. These frequently have less security, and passwords are reused for the sake of simplicity. However, the easier it is for you, your staff, or paid third-parties to access your server or network, the easier it is for black hats to gain access, too.
One of the most concerning elements of Microsoft Word is the subDoc function. The intention of this function is to make it easy for you to update multiple documents at the same time, making it easier to keep your documentation consistent. You can have one document load into another document and it will update every time you refresh the secondary document. This function can be fantastic, until you learn that with a few changes, a malicious hacker can point a document to one of theirs in a remote location. If they can access one of your Word files, they can then turn this function on and point to a malicious document that will then infect your system. From there, the attack could go to several targets at a time. Computers that support SMB are susceptible to this particular type of attack that can be used to add ransomware to your system.
Remember, Microsoft Word is not the only application that has this problem. Any application that is popular and common in a lot of businesses is an appealing application to malicious hackers. The more often they can reuse code with only a few changes, the less work they have to do to gain access to your system and do a lot of damage.
Another easy way to initiate existing ransomware attacks is to look for a small company that uses a third-party to secure their network. When these companies use generic passwords or provide minimal services, the small company’s data is very vulnerable to attacks. The black hats then use a brute force tactic to gain access through a Remote Desktop Protocol, then access privilege escalation exploits to make themselves administrators. From there, they are able to do anything they want within a relatively short period of time.
Monitoring - Your Best Line of Defense
Both of the lazy, effective ways of installing ransomware could be easily detected through monitoring. If you set up your system to detect access from outside sources, you will be able to act as soon as those malicious hackers enter your network. With immediate notification, you will be able to kick out those trespassing on your network before they can do much harm. You can also more easily see what they did and undo their work faster. Considering the fact that they are going for the easiest score, it is unlikely there will be much for you to clean up on the network.
What will be time-consuming is fixing the vulnerabilities that allowed them to access your network in the first place. Monitoring is meant as a way of stopping an active hacker, but the best way to ward them off is to keep them out. In the event that someone is able to access your data, monitoring lets you know where you are vulnerable so that you can fix it going forward.
There are many things you can do both to prevent an attack and to neutralize one. Establishing a more robust method of managing administrative access can minimize or eliminate the types of lazy attacks used against generic administrative accounts. They also give you a way of tracking who accessed different areas and limit what users have access to based on their roles.
If you don’t have monitoring tools in place, or if you have them but haven’t implemented them, make it a high priority. There will always be vulnerabilities that malicious users will exploit to start exploring your servers and networks. Monitoring access to them is the best way to minimize the time they have on your tools.
In addition to monitoring, ensuring your restrictions are robust and that you have strong firewall protections against remote access can significantly reduce the ability of malicious hackers looking for an easy target. They are not going to keep attacking you if you have support and restrictions in place because there are many other targets that will require less time and work to attack.