Zero Day Exploit – An exploit for a newly discovered flaw that is used by an attacker (a “threat actor”) before the vendor of the system or software has made a patch or other mitigation available. Because the flaw is unknown to the vendor and to defenders, exploitation can go undetected and continue for weeks, months or even years. Some security researchers responsibly report such flaws to the company responsible, giving it enough lead time to pinpoint and resolve the issue with a software update before the details are made public. Keep up with system patches, and watch for network and traffic anomalies in your security management consoles, since there is no signature yet for an attack nobody has seen before.
Man-in-the-Middle – MitM for short, is an attack where the victim believes they are communicating directly with their intended destination, but their traffic is actually being intercepted by an adversary who can read it and alter it before passing it on to the real destination. A certificate error while connecting to a secure webpage or VPN portal should be treated as a sign that the connection cannot be trusted, and no credentials should be entered on the page you have landed on. Because a self-signed or otherwise misconfigured certificate produces the same warning, end users have no reliable way to tell a sloppy but legitimate site from an active interception, and every warning they are taught to click through makes the next one easier to ignore. Always protect company assets with valid, trusted TLS (SSL) certificates issued for the exact hostname in use. Train end users not to click through certificate warnings, as they can pose a real danger to end user systems and sensitive company data.
Exfiltration – The unauthorized transfer of data out of a computer system. It doesn’t need to be the result of a hack or a compromised host; an insider threat or disgruntled employee can just as easily be the root cause. Carried over a common protocol such as FTP, HTTP or DNS, data loss can occur just about anywhere firewall rules allow unrestricted access out of a business network. Know your network and which applications and protocols should be permitted, not only inbound but also outbound. Establish a baseline for network traffic, and alert on a sudden shift in bandwidth usage or a spike in uploaded data. Correlation rules can be used here to raise an alert when several criteria line up, such as an unusual volume of outbound data over a protocol that is outside the normal profile for your network.
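The two checks described above (an outbound protocol outside policy, and a volume spike against a per-host baseline) as an added example, not code from the original page. The host names, addresses, the 5-day baseline window, the 3-sigma threshold and the allowed-port policy are all assumptions, and the flow records are constructed:

```python
"""Outbound-volume baseline and egress-policy check over constructed flow
records. Added example, not from the original page; hosts, addresses, the
baseline window and the allowed-port policy are assumptions."""
import statistics
from collections import defaultdict

# Destination ports this (hypothetical) network permits outbound; anything
# else is a policy violation worth an alert on its own.
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

# Constructed flow records: (day, src_host, dst_ip, dst_port, bytes_out).
# ws-07 behaves normally for five days, then pushes 4.8 MB out over FTP.
FLOWS = [
    (1, "ws-07", "203.0.113.10", 443, 120_000),
    (2, "ws-07", "203.0.113.10", 443, 110_000),
    (3, "ws-07", "203.0.113.10", 443, 130_000),
    (4, "ws-07", "203.0.113.10", 443, 125_000),
    (5, "ws-07", "203.0.113.10", 443, 115_000),
    (6, "ws-07", "198.51.100.5", 21, 4_800_000),
    (1, "ws-12", "203.0.113.10", 443, 50_000),
    (2, "ws-12", "203.0.113.10", 443, 50_000),
    (3, "ws-12", "203.0.113.10", 443, 50_000),
    (4, "ws-12", "203.0.113.10", 443, 50_000),
    (5, "ws-12", "203.0.113.10", 443, 50_000),
    (6, "ws-12", "203.0.113.10", 443, 55_000),
]


def daily_totals(flows):
    """Sum outbound bytes per source host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _port, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def detect_exfiltration(flows, baseline_days=5, z_threshold=3.0,
                        allowed_ports=ALLOWED_OUTBOUND_PORTS):
    """Return (host, day, reason) alerts for policy violations and volume spikes."""
    alerts = []

    # Rule 1: outbound traffic on a port the egress policy does not allow.
    for day, src, dst, port, nbytes in flows:
        if port not in allowed_ports:
            alerts.append((src, day,
                           f"outbound port {port} to {dst} not in policy ({nbytes} bytes)"))

    # Rule 2: a day's outbound volume far above the host's own baseline.
    for host, per_day in daily_totals(flows).items():
        baseline = [per_day[d] for d in sorted(per_day) if d <= baseline_days]
        if len(baseline) < 2:
            continue  # not enough history to say what "normal" is
        mean = statistics.mean(baseline)
        # Floor the spread at 10% of the mean so a perfectly flat baseline
        # (stdev 0) does not alert on every small fluctuation.
        spread = max(statistics.stdev(baseline), 0.1 * mean)
        for day in sorted(per_day):
            if day > baseline_days and per_day[day] > mean + z_threshold * spread:
                alerts.append((host, day,
                               f"{per_day[day]} bytes out vs baseline mean {mean:.0f}"))
    return alerts


if __name__ == "__main__":
    for host, day, reason in detect_exfiltration(FLOWS):
        print(f"ALERT day {day} {host}: {reason}")
```

Run against the constructed flows, ws-07 produces two alerts on day 6 (FTP is not in the egress policy, and 4.8 MB is far outside its 110 to 130 KB baseline) while ws-12's 10% increase stays quiet. The floor on the spread is the practical detail: a host whose history is perfectly flat has a standard deviation of zero, and without the floor any change at all would alert.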
Botnet – A collection of computers under the control of an individual or group with malicious intent. Unknown to its owner, each PC sits idle waiting for commands; the impact on the infected PC itself is often minimal because it is not the intended target. Infections can go undetected for long periods of time, and persistent backdoors are often set up to give the attacker an alternate means of communicating and regaining control should the primary foothold be lost. Once your PCs are joined to the botnet, they can be used in conjunction with thousands of other infected systems to flood traffic at an intended target (a distributed denial of service). The attacks are sometimes politically motivated, and might involve nothing more than constant refreshing of the victim’s website to overwhelm the server. It’s important to note that entire botnets can be bought and sold on the dark web, so they can easily be reused for more malicious activities. Keep up on AV and anti-malware scanning. IDS and IPS systems can be deployed to detect and shut down the command and control traffic these botnets rely on for communication; bots typically check in with their controller on a regular schedule, and that regularity is itself something to look for.
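The command and control check-in pattern mentioned above, as an added example (not code from the original page): a bot calling home every few minutes produces intervals with a very low coefficient of variation, which stands out from ordinary browsing. The log line format, the host and destination names, the 300-second period and the thresholds are assumptions, and the timestamps are constructed:

```python
"""Beacon detection from constructed connection logs: C2 check-ins are
periodic, so the intervals between one host's connections to one destination
have a low coefficient of variation. Added example, not from the original
page; the log format, hosts and thresholds are assumptions."""
import statistics
from collections import defaultdict

BASE = 1_700_000_000  # epoch seconds; constructed starting point

# Constructed timestamps: a bot checking in every ~300 s with a few seconds
# of jitter, and ordinary browsing to another site at irregular times.
BEACON_TIMES = [BASE + 300 * i + j
                for i, j in enumerate([0, 3, -2, 1, 4, -3, 0, 2, -1, 3, 0, -2])]
BROWSE_TIMES = [BASE + t for t in
                [0, 12, 50, 51, 400, 405, 900, 2000, 2100, 2105, 3000, 5000]]

# Constructed log lines in the form "<epoch> <src_host> <dst_ip:port>".
LOG_LINES = ([f"{t} ws-07 198.51.100.77:443" for t in BEACON_TIMES]
             + [f"{t} ws-07 203.0.113.10:443" for t in BROWSE_TIMES])


def parse_connections(lines):
    """Group connection times by (src, dst), sorted ascending."""
    conns = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        conns[(src, dst)].append(int(ts))
    return {key: sorted(times) for key, times in conns.items()}


def beacon_score(times):
    """Return (connection count, mean interval, coefficient of variation)."""
    intervals = [b - a for a, b in zip(times, times[1:])]
    if len(intervals) < 2:
        return len(times), 0.0, float("inf")
    mean = statistics.mean(intervals)
    cv = statistics.stdev(intervals) / mean if mean > 0 else float("inf")
    return len(times), mean, cv


def find_beacons(lines, min_count=8, max_cv=0.2):
    """Flag (src, dst) pairs whose connection timing is suspiciously regular."""
    hits = []
    for (src, dst), times in parse_connections(lines).items():
        count, mean, cv = beacon_score(times)
        if count >= min_count and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": count,
                         "interval": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(f"possible beacon: {hit}")
```

Only the 198.51.100.77 pair is reported, with a mean interval of roughly 300 seconds. Treat a hit as a lead rather than proof: software update checks and monitoring agents beacon too, so pair this with destination reputation or an allowlist, and expect real malware to add jitter or long sleeps that push the coefficient of variation up.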
Phishing Attack – Most commonly spread by email, these specially crafted messages masquerade as coming from a legitimate company. On closer inspection, hyperlinks in the email may actually redirect users to a malicious website under the control of an attacker. Sometimes the domain name you are visiting is misspelled in such a way that it’s easy to overlook. In some cases simply hovering your cursor over the link before clicking it will reveal the true destination, since the text of a link and the address it actually points to can differ. As a precaution, educate users never to click links in unsolicited emails or popup advertisements. If you didn’t go looking to update your software or log in to your favorite online retailer, it’s best to steer clear of clicking anything further. Content/DNS inspection and spam filtering network appliances can be deployed to block malicious content before it reaches your users’ inboxes.
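The link checks a mail filter would apply to the tricks described above (a link whose visible text names one site while the href goes to another, a misspelled lookalike domain, a brand domain buried inside an unrelated host, and a punycode host), as an added example that is not code from the original page. The email body, the list of protected brand domains and the edit-distance threshold are constructed assumptions:

```python
"""Link checks for a phishing email body: display-text/href mismatch,
lookalike domains, brand name embedded in an unrelated host, and punycode
hosts. Added example, not from the original page; the email body, the
protected-domain list and the edit-distance threshold are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains whose brand we expect phishers to imitate (constructed list).
PROTECTED_DOMAINS = {"paypal.com", "example-bank.com"}

# Constructed email body: one mismatched/lookalike link, one legitimate link,
# one punycode host and one host that merely embeds the brand domain.
EMAIL_HTML = """
<p>Your account is on hold. Please verify at
<a href="http://paypa1.com/login">https://www.paypal.com/login</a></p>
<p>Need help? <a href="https://www.paypal.com/help">Help center</a></p>
<p><a href="http://xn--pypal-4ve.com/">Secure link</a></p>
<p><a href="http://paypal.com.account-verify.example/">Update billing</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname with a leading 'www.' removed; '' if none."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def levenshtein(a, b):
    """Edit distance, used to spot typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_findings(href, text, protected=PROTECTED_DOMAINS, max_distance=2):
    """Reasons this link looks like phishing; an empty list means none found."""
    reasons = []
    host = host_of(href)
    shown = host_of(text) if ("://" in text or text.startswith("www.")) else ""
    if shown and shown != host:
        reasons.append(f"text shows {shown} but link goes to {host}")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append(f"punycode host {host}")
    for brand in protected:
        if host == brand or host.endswith("." + brand):
            continue  # the real brand domain or a genuine subdomain of it
        if levenshtein(host, brand) <= max_distance:
            reasons.append(f"{host} looks like {brand}")
        elif brand + "." in host or "." + brand in host:
            reasons.append(f"{brand} embedded in unrelated host {host}")
    return reasons


def analyze_links(html):
    """Return [{'href': ..., 'reasons': [...]}] for every suspicious link."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = link_findings(href, text)
        if reasons:
            results.append({"href": href, "reasons": reasons})
    return results


if __name__ == "__main__":
    for finding in analyze_links(EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Three of the four links are flagged and the genuine www.paypal.com link passes. The edit-distance check is deliberately narrow (two edits against a short list of brands you actually care about); widen it and it starts flagging unrelated short domains, which is the same false-positive trade-off every content filter faces.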
Advanced Persistent Threat – A highly motivated and highly skilled attacker attempting to infiltrate a network or organization in a subtle and stealthy manner. Once in, they often sit and wait for many months, even years, silently gleaning information. They make little noise because they are looking for other weaknesses and establishing additional footholds to ensure they can connect again and again. Stealing proprietary information and secrets is the name of the game, and it is financially rewarding for them to remain undetected. Their entry point can be any of a number of methods, and the initial intrusion is usually only the beginning. Since detection would mean being ousted from the network, encrypted channels and the use of compromised user credentials, which look like ordinary logins, are key elements in maintaining their persistence in your network. Network segmentation is also useful in defending against an APT; internal firewalls and access controls are a must. Allowing an internal system to communicate freely with any other internal system, regardless of its use or function, means that same open access can be exploited to a great degree during an APT, because moving laterally from the first compromised host is how the attacker reaches the data worth stealing. Technologies such as data center firewalls, internal IDS/IPS systems, and even VLANs and ACLs can help keep a threat contained. There is no substitute for a solid network design where security takes a front seat rather than being an afterthought.
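The segmentation argument above, expressed as policy a practitioner could audit flows against: zones defined by address range, an explicit allow list between zones, and default deny for everything else, including workstation-to-workstation traffic. This is an added example, not code from the original page; the zone ranges, the permitted ports and the flow records are constructed assumptions:

```python
"""Segmentation policy as code: zones by address range, an explicit allow
list between zones, default deny for everything else, and an audit of
observed flows against it. Added example, not from the original page; the
zones, ports and flows are constructed assumptions."""
import ipaddress

ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "dmz":          ipaddress.ip_network("192.0.2.0/24"),
    "management":   ipaddress.ip_network("10.99.0.0/24"),
}

# (src_zone, dst_zone) -> permitted destination ports. Pairs not listed,
# including workstation-to-workstation, are denied: the default is deny.
POLICY = {
    ("workstations", "servers"):    {443, 445},
    ("workstations", "dmz"):        {443},
    ("dmz", "servers"):             {1433},
    ("management", "servers"):      {22, 3389},
    ("management", "workstations"): {3389},
}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.10.4.21", "10.20.1.5", 443),    # workstation -> app server (allowed)
    ("10.10.4.21", "10.10.7.9", 445),    # workstation -> workstation SMB (lateral movement)
    ("10.10.4.21", "10.20.1.5", 22),     # workstation -> server SSH (not in policy)
    ("192.0.2.10", "10.20.1.9", 1433),   # DMZ web server -> database (allowed)
    ("192.0.2.10", "10.20.1.5", 22),     # DMZ host -> internal SSH (not in policy)
    ("10.99.0.3",  "10.20.1.5", 22),     # management -> server SSH (allowed)
    ("203.0.113.7", "10.20.1.5", 443),   # source belongs to no zone (denied)
]


def zone_of(ip):
    """Name of the zone containing ip, or None if it belongs to none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Default-deny evaluation of one flow against POLICY."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False
    return dst_port in POLICY.get((src_zone, dst_zone), set())


def audit(flows):
    """Return the flows the policy does not permit, annotated with their zones."""
    violations = []
    for src, dst, port in flows:
        if not is_allowed(src, dst, port):
            violations.append({"src": src, "dst": dst, "port": port,
                               "src_zone": zone_of(src), "dst_zone": zone_of(dst)})
    return violations


if __name__ == "__main__":
    for v in audit(FLOWS):
        print(f"DENY {v['src']} ({v['src_zone']}) -> {v['dst']}:{v['port']} ({v['dst_zone']})")
```

Four of the seven flows are denied, and the first of them, SMB from one workstation to another, is exactly the lateral movement an attacker with a stolen credential relies on. In production the same table becomes firewall or VLAN ACL rules, and the audit runs over flow records to find where reality has drifted from the design.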
Malvertising – A technique where malware and Java, Flash or browser exploits are embedded in advertisements served on ad-supported websites. Because of the way advertising networks operate, and the lack of inspection of the content they deliver, these malicious ads have surfaced even on legitimate websites. Attackers move quickly, loading exploits and purchasing ad space in an effort to infect as many systems as possible before detection forces the ads to be taken down.
Next Generation Firewall (NGFW) – As threats evolve, so must your means of defense. Compared to a traditional firewall, which typically can only enforce traffic by IP address, port and protocol, an NGFW adds features such as application visibility, user identity and intrusion prevention services. By layering in these additional controls a much higher degree of security and control can be achieved.
Attack Surface – Any networked device, server, PC etc. has the potential to contribute to your exposure. Use a firewall to limit access from untrusted networks, the public Internet and guest networks where unknown malicious devices may lurk. Locking down firewall rules, disabling unnecessary services and keeping up on system firmware and security patches are critical. Any unpatched and exposed system that can be probed likely will be; exploitation is a matter of when, not if.
Intrusion Prevention Services (IPS) – Monitors network traffic in an attempt to catch and prevent known attack patterns. Just as quickly as a new attack or exploit is exposed, IPS vendors race to release a signature that matches it. Because a given attack sends very specific patterns of data, a match can be made with reasonable accuracy and a block or deny put in place by the IPS, keeping company assets protected. The limits follow from the approach: a signature only matches what it was written for, so an IPS needs protocol normalization (decoding URL-encoded or fragmented traffic) to avoid trivial evasion, and it needs tuning so that overly broad signatures don’t block legitimate traffic.
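Signature matching as an IPS performs it, with and without HTTP URI normalization, as an added example that is not code from the original page. The two rules are written in a Snort-like shape but are illustrative only, and the request payloads are constructed; the point is that the same attack in percent-encoded form slips past a raw content match until the URI is decoded first:

```python
"""Signature matching in the style of an IPS, with and without HTTP URI
normalization, over constructed request payloads. Added example, not from
the original page; the rules are illustrative and the payloads constructed."""
import re
from urllib.parse import unquote_plus

# Constructed rules: a raw content match and a regular-expression match.
RULES = [
    {"sid": 1, "msg": "directory traversal in URI",
     "content": b"../../etc/passwd"},
    {"sid": 2, "msg": "SQL injection tautology in URI",
     "pcre": re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")},
]

# Constructed HTTP requests: the same attacks in plain and encoded form.
PACKETS = {
    "plain_traversal":
        b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "encoded_traversal":
        b"GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "sqli":
        b"GET /login?user=admin'+OR+1%3D1-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "benign":
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def normalize_http(payload):
    """Percent-decode the request URI so encoded attacks look like plain ones."""
    line_end = payload.find(b"\r\n")
    if line_end < 0:
        return payload
    parts = payload[:line_end].split(b" ")
    if len(parts) < 2:
        return payload
    # latin-1 keeps every %XX byte round-trippable, whatever it decodes to.
    decoded = unquote_plus(parts[1].decode("latin-1"), encoding="latin-1").encode("latin-1")
    return b" ".join([parts[0], decoded] + parts[2:]) + payload[line_end:]


def match_rules(payload, normalize=True):
    """Return the sids of every rule that matches this payload."""
    data = normalize_http(payload) if normalize else payload
    hits = []
    for rule in RULES:
        if "content" in rule and rule["content"] in data:
            hits.append(rule["sid"])
        elif "pcre" in rule and rule["pcre"].search(data):
            hits.append(rule["sid"])
    return hits


def inspect_packets(packets, normalize=True):
    """Map each packet name to the rule sids it triggers."""
    return {name: match_rules(p, normalize) for name, p in packets.items()}


if __name__ == "__main__":
    print("without normalization:", inspect_packets(PACKETS, normalize=False))
    print("with normalization:   ", inspect_packets(PACKETS, normalize=True))
```

Without normalization only the plain traversal is caught; with it, the encoded traversal and the `+`/`%3D`-encoded injection both match while the benign request still triggers nothing. A single decode pass is the minimum: double encoding (`%252e`), Unicode forms and chunked or fragmented delivery each need their own normalization step, which is why evasion research against an IPS so often targets the decoder rather than the signatures.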