Today’s IT security threat landscape is rapidly changing, and organisations everywhere are struggling to keep up with ever-determined hackers. More worrying is the sophistication of techniques used by modern cybercriminals to penetrate the network edge and wreak havoc – many of which are unknown to organisations, leading to glaring security holes that they are often oblivious to.
We have watched many methods of attack evolve over the years, from phishing to spear phishing and so forth. There seems to be a constant drive to increase the probability of successful entry points by using more reliable, realistic tactics that dupe unsuspecting network users into becoming a weak link.
But, as we generally become more IT security savvy – and most of us can spot a bogus phishing attempt from a mile away – how are attackers identifying and exploiting the potential entry points that enable them to deliver a malicious payload?
An interesting tactic is the use of marketing and tracking information to gather as much detail on potential targets as possible. These tools are known to users, and the majority have accepted that there will be some level of information-gathering during each browsing session – but this is on the assumption that it would lead to more targeted marketing campaigns and nothing more.
While this type of traffic may first appear to be harmless, an astute hacker can quickly and easily leverage the information to facilitate a high-probability attack vector.
Whenever a user surfs the internet, marketing and ad-tracking services pick up the pattern of that traffic – that you checked a Gmail account, ordered stationery for the office or did some personal online shopping, perhaps. Each of these is trivial in isolation, but taken together they let a third party – whether a marketer or a cybercriminal – see exactly what types of traffic an organisation lets out.
This activity could provide a potential hacker with a map of what your egress policies are as an organisation, and in doing so, expose the external attack surface of your organisation – essentially which windows you’ve left cracked open or which doors you’ve left ajar.
The method goes a step further in that it also shows the attacker which sites are getting high use from the organisation. Armed with this valuable information, would-be attackers can quickly rank which sites would be most lucrative to target, and then lay a trap for unsuspecting users visiting those sites. The probability of success is significantly higher given that traffic is allowed to regularly go to the site.
Once this discovery is complete, attackers can strategically place malware on those frequently-visited sites and once a user visits, it can quickly become a stepping stone to a full-blown espionage attack on the target organisation.
Obviously, I am not saying that the only solution is to impose a somewhat Draconian ban on all web browsing for all employees, but as malicious attacks continue to develop in complexity and scope, it is very important that organisations take certain steps to combat the growing threat.
As a first port of call, they absolutely need to get better visibility into the tracking activities described above, and evaluate the risks of these themselves. By doing this, companies can better assess how much egress mapping is externally visible, and how much is fed to questionable tracking services.
Once this is established, organisations should look for traffic flowing to known botnet and “command-and-control” networks, in order to identify potential attack points or areas that have already been compromised. Finally, implementing methods to track data payloads in and out of the organisation, along with advanced malware detection and heuristics, can protect against both inbound malware execution and data exfiltration.
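The three steps just described can be run over an ordinary outbound web-proxy log. The following is an added example in Python, not code from the original article: it parses a constructed sample log (hypothetical hostnames ending in `.example`, placeholder tracker and C2 lists), reconstructs the egress map an outsider could infer, approximates which first-party sites each tracker gets to see, flags contact with a blocklisted command-and-control host, and picks out upload-heavy flows that deserve a payload-level look. The log format, thresholds and the attribution of a tracker request to the client's previous first-party destination are all assumptions of this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of an outbound web-proxy log (not real traffic). Fields:
# timestamp client destination_host port bytes_out bytes_in
SAMPLE_PROXY_LOG = """\
2024-01-10T09:01:12Z ws-017 mail.example.com 443 1820 54210
2024-01-10T09:01:13Z ws-017 pixel.tracker-a.example 443 310 120
2024-01-10T09:02:40Z ws-022 mail.example.com 443 1650 48770
2024-01-10T09:02:41Z ws-022 pixel.tracker-a.example 443 305 118
2024-01-10T09:05:03Z ws-031 shop.stationery.example 443 2100 302400
2024-01-10T09:05:04Z ws-031 cdn.tracker-b.example 443 290 96
2024-01-10T09:07:55Z ws-017 shop.stationery.example 443 1980 287300
2024-01-10T09:11:20Z ws-045 news.example 443 1200 164000
2024-01-10T09:11:21Z ws-045 pixel.tracker-a.example 443 300 115
2024-01-10T09:14:02Z ws-031 203-0-113-9.bad-c2.example 8443 5400 2100
2024-01-10T09:20:47Z ws-031 drop.files-placeholder.example 443 4200000 900
"""

# Placeholder lists (hypothetical names). In practice these come from your own
# tracker-blocking feed and a botnet / command-and-control threat-intel feed.
TRACKER_DOMAINS = {"pixel.tracker-a.example", "cdn.tracker-b.example"}
C2_BLOCKLIST = {"203-0-113-9.bad-c2.example"}


@dataclass
class Record:
    ts: str        # ISO-8601 UTC, one fixed format, so string order is time order
    client: str
    dest: str
    port: int
    bytes_out: int
    bytes_in: int


def parse_proxy_log(text):
    """Parse the whitespace-separated format above; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, dest, port, out_b, in_b = parts
        records.append(Record(ts, client, dest.lower(), int(port), int(out_b), int(in_b)))
    return records


def egress_map(records, trackers):
    """Step 1: the egress profile an outsider could reconstruct.
    Returns (destination, requests, distinct_clients), busiest first, with the
    tracker endpoints themselves left out so the first-party sites stand out."""
    requests = Counter()
    clients = defaultdict(set)
    for r in records:
        if r.dest in trackers:
            continue
        requests[r.dest] += 1
        clients[r.dest].add(r.client)
    rows = [(d, n, len(clients[d])) for d, n in requests.items()]
    return sorted(rows, key=lambda row: (-row[1], -row[2], row[0]))


def tracker_visibility(records, trackers):
    """Step 1, continued: which of your sites each tracker gets to learn about.
    Assumption: a tracker request is attributed to that client's most recent
    first-party destination, standing in for a Referer the log does not carry."""
    last_site = {}            # client -> most recent non-tracker destination
    seen = defaultdict(set)   # tracker -> first-party sites it was loaded from
    for r in sorted(records, key=lambda r: r.ts):
        if r.dest in trackers:
            if r.client in last_site:
                seen[r.dest].add(last_site[r.client])
        else:
            last_site[r.client] = r.dest
    return {t: sorted(sites) for t, sites in seen.items()}


def c2_hits(records, blocklist):
    """Step 2: clients that reached a destination on the botnet / C2 blocklist."""
    return sorted({(r.client, r.dest) for r in records if r.dest in blocklist})


def exfil_candidates(records, min_bytes_out=1_000_000, ratio=10.0):
    """Step 3: large, upload-heavy flows worth inspecting at the payload level.
    Flagged when a flow sends at least min_bytes_out and more than `ratio`
    times what it receives; normal browsing is download-heavy."""
    hits = [(r.client, r.dest, r.bytes_out) for r in records
            if r.bytes_out >= min_bytes_out and r.bytes_out > ratio * r.bytes_in]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("Egress map (busiest first):")
    for dest, n, c in egress_map(recs, TRACKER_DOMAINS):
        print(f"  {dest:35} requests={n} clients={c}")
    print("What each tracker can see:", tracker_visibility(recs, TRACKER_DOMAINS))
    print("Known C2 contacts:", c2_hits(recs, C2_BLOCKLIST))
    print("Exfiltration candidates:", exfil_candidates(recs))
```

On the constructed sample, the egress map shows the mail and stationery sites as the most-used destinations (the ones an attacker would rank highest), one tracker is loaded from both the mail site and the news site while the other is loaded from the shop, one workstation has contacted the blocklisted host, and the same workstation later pushed several megabytes outbound with almost nothing coming back. Thresholds such as `min_bytes_out` need tuning to your own baseline before the last check is useful on real logs.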
Data has become a valuable currency, and it is critical to protect it at all times. In the case of ‘watering hole’ attacks such as this, it is important to take the time to understand how seemingly innocent data and usage tracking can be leveraged for darker ends and used against your organisation.
The frenzy around “intelligence” has led to an environment where the user no longer even needs to click on anything in their browser to have the network discovered – these days, automated tracking services kick in as soon as employees venture out onto the internet and visit a site. Given this, it would seem prudent to know how much tracking is going on and who this information is being fed to.