Current p2p trends threatening enterprise security
The TrendLabs Security Intelligence blog has been talking about ransomware and CryptoLocker threats for the better part of this and the last decade. In his August 2015 post, Macro Threats and Ransomware Make Their Mark: A Midyear Look at the Email Landscape, Maydalene Salvador, noted that the number of spammed messages in 2014 was nearly 200 billion emails.
“But not all spammed messages related to macro threats had attachments. Other emails contained links that led to legitimate file hosting websites like Dropbox, where the malicious file is hosted,” Salvador wrote.
Whether the files are encrypted and held for ransom or injecting malware that can then steal credentials, users continue to click on and share these virulent attachments. These massive campaigns continue to benefit the bad guys by granting them access or earning them a payload.
Chase Cunningham, director of cyber threat research, and Jeff Schilling, CSO, of Armor spoke about today’s common p2p threat, the CryptoLocker campaign. Schilling said, “Individual computer threat actors are sending phishing emails to victims. That crypto software sees what protocols are open across your network. Then they lock up the files, encrypt them, and hold them for ransom.”
[ ALSO ON CSO: Peer-to-peer, wireless network could help in disasters ]
Criminals have now entered the server arena, said Schilling.
“It used to be botnets five years ago, but they made the switch to web servers which gives them more power. If you don’t have a lot of p2p protocols, they can compromise one server and then gain deeper access,” he continued.
Cunningham added, “From a technical perspective, if your infrastructure is not seeing what is going on in the network, you’re not going to see the p2p traffic. If your organization is not actively engaged in collecting targeted threat intelligence, you don’t know what may show up in your network.”
There is almost no regulation in the p2p file sharing software industry, said Schilling, “So who’s to say what ports and protocols are in there”
One solution is to monitor for it, all the way down the entire stack. “You need to have threat intelligence. Most organizations are lucky if they have antivirus and anti-malware,” said Schilling, but they need consistent monitoring.
A common monitoring problem, said Schilling, is that most network traffic is monitored from north to south. Observing the east to west connection between the server in our environment and other servers will unveil different threats.
“Most organizations don’t put the sensors in between the servers to pick up that p2p activity. We had a customer last year who had a botnet enter into the corporate environment, and it spread to one server in our environment, but we blocked it because we were monitoring east to west and had a white listing,” said Schilling.
While there are multiple tools on the market that map out network and IT professionals about all the connections, “A lot of people don’t want to invest in those tools,” said Schilling. “They don’t because they really don’t want to know how bad it is.”
Cunningham and Schillling said that CryptoLocker remains another p2p problem, “It’s something that is really taking off this year, and the vulnerabilities on their personal laptops and devices are from not shutting down those p2p protocols,” Schilling continued.
Once criminals gain access to one machine, they can see all ports and protocols in that network. “Very few should be open,” Cunningham said. “People are doing file shares or they are mapped to network drives and the malware migrates and encrypts those network drives.”
Avoiding these threats has a lot to do with network design and creating network access control systems so that when a computer connects to a network, only certain traffic is allowed. “All ports and protocols are locked down. Many users can do all the business they need to do from guest networks which are segmented from the corporate network,” said Schilling.
In addition, “Segment the users who are using their own devices away from the corporate network. Treat that user population as if they are already compromised,” Schilling continued.
Michael Taylor, lead applications developer at Rook Security, said that depending on the nature of the attack coming from the p2p, avoiding threats can be very difficult. “Instead of coming from a few servers or hosts, they are outsourcing those onto many, many hosts. Using firewalls is not going to block all of that traffic.”
Botnets from p2p applications are popular and more sophisticated in their communication methods, and eradicating them requires eliminating the herd, which is different from a traditional botnet threat with a command center.
“When you have a botnet, you have to have some of the servers telling the other servers what they should be doing. If you can isolate your network from the command and control servers, the conductor of the botnet can’t get to the control setting,” said Taylor.
If you have those few command and control servers that are static, it is easier to isolate that traffic.
“You can basically cut off the instructions from the person who is operating the botnet, then it will allow you to have some time for remediation, but with the p2p setting, the more decentralized the botnet is, the more difficult it is to isolate that communication,” Taylor explained.
[ MORE: Botnet trafffic in 2015 - the invisible force that wants to eat the Internet ]
The threats from these botnet range from DDoS to spam emails to using them to infiltrate a network by compromising a work station within an environment. Once they have access, they can then pivot onto a server where there is confidential information stored.
"You can also use those hosts for extended phishing attacks, identifying executives or other targets for spear phishing or whaling campaigns, or targeting employees with ready access to the data you are after,” said Taylor.
Data is most often the primary target for criminals. “That’s been a fairly lucrative attack vector for these bad actors where the executives seem to be fairly easy prey. They have authorized wire transfers or had their own hardware compromised because of the amount of data executives have access to,” said Taylor.
Depending on how the network has been segmented, it might not be the case that a criminal could go directly from a single work station to the enterprise crown jewels, but the attacker might be able compromise credentials that would allow them to navigate that network.
Having the signatures at the perimeter of the network as well as the internal network, said Taylor, “You would be able to see traffic coming from the outside of the network and then when someone started trying to access others on the inside.”