The Biggest Lessons about Vulnerabilities at RSAC 2021

Last week’s RSA Conference covered a litany of network security vulnerabilities, from developing more robust access token policies to addressing UEFI-based attacks and non-endpoint attack vectors. Preceding the conference, the United States experienced its biggest cyberattack on critical infrastructure to date, with ransomware hitting Colonial Pipeline.

The general message on vulnerabilities at the conference is that cybersecurity is a constant game of preparing for the latest and most dangerous tactics, techniques, and procedures (TTPs).

We look at three RSAC 2021 sessions and some of the most daunting vulnerabilities presented by the SANS Institute, Cybersecurity and Infrastructure Security Agency (CISA), and Varonis Systems.


SANS: Five dangerous new attack techniques and vulnerabilities

The SANS Institute presentation, “The Five Most Dangerous New Attack Techniques,” is an RSAC staple by this point. This year’s featured vulnerabilities were:

Testing Software Integrity

To kick off the session, SANS Fellow and Director Ed Skoudis touched on the software integrity conundrum. Citing Ken Thompson’s 1984 paper, “Reflections on Trusting Trust,” Skoudis pointed out that no amount of source-level verification can protect an organization from untrusted code. Yet that is precisely the predicament: software distribution prioritizes speed over trust, and the result is a sea of potential vulnerabilities. Attacks that target developers can affect entire communities, because whatever is compromised at the developer’s end gets compiled into everything built from it.

To address software integrity vulnerabilities, Skoudis encourages organizations to:

Excessive Access by Tokens

Presenting two of the most dangerous attack techniques, SANS DFIR Curriculum Lead and Director of Digital Intelligence Heather Mahalik first hit on the question of identity and access management in an era of work-from-home. As described in our guide to OAuth, tokens are the basis for how applications, APIs, and browsers work to provide users extended access.


The truth is that solutions like single sign-on (SSO) and multi-factor authentication (MFA) can spell disaster if initial access is all a malicious actor needs to traverse the network’s resources. For token administrators, the job becomes scoping what each token can reach so that no token grants excessive access. Attackers can hijack access tokens without the user ever realizing it.

Using Vulnerable Crypto for Application Access

In the same vein as software integrity vulnerabilities, developers find themselves stuck between meeting impatient consumer demand and optimizing security. The result is organizations and token generators using cryptography with known vulnerabilities. Though users may have access to the application faster, the organization is more vulnerable as a consequence. Organizations must validate their application access systems to ensure malicious actors aren’t capable of cracking the crypto.

Machine Learning Ups Adversary Skills

SANS Dean of Research Johannes Ullrich’s presentation highlighted why machine learning (ML) is terrific but not without its vulnerabilities. Malware detection has long been a game of signature detection. With ML and artificial intelligence (AI) using thousands of strains to train algorithms, one would surmise that the ability to detect malware is only improving.

Sadly, advancements in cybersecurity benefit malicious actors as much as they do industry professionals. Hackers use the same ML and AI technology to produce malware that no longer matches recognized samples. The result is a wealth of adversaries capable of evading detection and networks unprepared for a zero-day threat. Ullrich notes that organizations can’t rely on static models and must prioritize training data that lets models see more than what is already known.

In another RSAC session, security technologist Bruce Schneier discussed how malicious AI may not be distributing malware just yet, but a future where it’s possible isn’t entirely science fiction. In a call to action, Schneier emphasized AI needs to be controlled now to avoid seeing its destructive abilities down the road.


Ransomware: Encryption, Exfiltration, and Extortion

Ransomware perpetrators of the past presented a problem of availability through encryption. The new normal among ransomware families is the addition of exfiltration and extortion. SANS Senior Instructor and Director of Intelligence Katie Nickels touched on the process hackers take, including 1) initial access, 2) reconnaissance, 3) lateral movement, 4) exfiltration, and 5) encryption. Using legitimate file-sharing tools like RClone and MegaCmdServer to mask activity, malicious actors can go undetected while downloading your network’s data.

While the rate of returned data when organizations pay the ransom has been high in the past, there’s no honor among thieves.

Conti, Netwalker, and Sodinokibi are all recent ransomware strains that re-extorted victims or published network contents after the ransom had been paid. Nickels suggests organizations follow this guidance:


            Old way                          New way
Prevent     Rely solely on offline backups   Disallow unnecessary file sharing
Detect      Focus on encryption              Assume exfiltration
Respond     Assume you’ll get data back      Don’t trust adversaries
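The talk’s “assume exfiltration” and “disallow unnecessary file sharing” guidance can be turned into a detection rule. The following is an added example (not from the SANS session or any vendor product) that scans a constructed set of process-creation events for the sync tools the talk names, rclone and MEGAcmd, and reports every run that is not covered by an allowlist of approved host/remote pairs; the log format, host names and allowlist are all assumptions.

```python
import re

# Constructed sample of process-creation events (Sysmon-style, one per line); not from a real incident.
SAMPLE_EVENTS = [
    '2021-05-20T02:14:07Z host=FS01 user=CORP\\svc_backup image=C:\\Tools\\rclone.exe cmdline="rclone.exe copy D:\\Shares\\Finance mega:dump --transfers 32"',
    '2021-05-20T02:15:41Z host=WS17 user=CORP\\jdoe image=C:\\Program Files\\MEGAcmd\\MEGAclient.exe cmdline="MEGAclient.exe put C:\\Users\\jdoe\\Documents\\*.xlsx /Remote"',
    '2021-05-20T02:16:03Z host=WS17 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    '2021-05-20T02:20:55Z host=BK02 user=CORP\\svc_backup image=C:\\Tools\\rclone.exe cmdline="rclone.exe sync E:\\Backups offsite:vault"',
]

# Sync tools the SANS talk names as abused for exfiltration (rclone, MEGAcmd).
SYNC_TOOLS = {"rclone.exe", "megaclient.exe", "megacmdserver.exe"}
# Constructed policy: only the backup host may push to the offsite remote.
APPROVED = {("BK02", "offsite:")}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)

def parse_event(line):
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def destination(cmdline):
    # Last argument shaped like an rclone 'remote:path' or a MEGAcmd '/path';
    # a drive letter such as 'D:\Shares' is excluded by the [^\\] after ':'.
    for token in reversed(cmdline.split()):
        if token.startswith("--"):
            continue
        if re.match(r"^[A-Za-z0-9_-]+:[^\\]", token) or token.startswith("/"):
            return token
    return None

def find_exfil_candidates(lines):
    # Sync-tool executions not covered by the allowlist, in log order.
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tool = ev["image"].rsplit("\\", 1)[-1].lower()
        if tool not in SYNC_TOOLS:
            continue
        dest = destination(ev["cmdline"])
        if any(ev["host"] == h and dest and dest.startswith(p) for h, p in APPROVED):
            continue
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "tool": tool, "dest": dest})
    return alerts
```

On the sample, the backup server’s approved sync is ignored while the rclone push from the file server and the user-driven MEGAcmd upload are both reported.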

CISA: Vulnerabilities below the operating system (VBOS)

The newest agency in the U.S. Department of Homeland Security is the Cybersecurity and Infrastructure Security Agency (CISA), charged with being the nation’s risk advisor for cyber and physical risk and working to strengthen national security resilience. At RSAC, agency officials from the Vulnerability Management division included Associate Director Boyden Rohner and Methodology Branch Chief Thomas Ruoff in the presentation, “DHS CISA Strategy to Fix Vulnerabilities Below the OS Among Worst Offenders.”

Software: What Lies Beneath the Surface?

Everyone from consumers to industry professionals struggles to see software beyond its operating system (OS) and application layer. Much like an iceberg, seeing beneath the surface and understanding the software in its entirety is almost impossible today. CISA debuted the newest cybersecurity acronym, vulnerabilities below the operating system (VBOS). From BIOS and firmware to UEFI code, VBOS is an attack vector that requires more attention.

Current Target: VBOS

While the design of the unified extensible firmware interface (UEFI) overcame BIOS limitations, both components, critical to computer operation, are increasingly targeted. Recent UEFI attacks include a 2015 attack on a Ukrainian power grid and a 2018 attack in which threat actors used a UEFI rootkit to drop additional malware over an extended campaign. While still a minority of attacks, firmware vulnerabilities are rising year over year.

Tools once exclusive to nation-states are now in the hands of rogue agents and advanced persistent threats (APT) with no state affiliation. Detecting their presence can be incredibly difficult.

Good news

In evaluating VBOS, the news from CISA is that vulnerability mitigation techniques above the OS – like ASLR, STACK, and CFG – are constantly being added to networks and improved upon. The most widely adopted is Data Execution Prevention (DEP), at 90% implementation in commercial products.

Bad news

On the reverse side, developers may just be coming around to mitigation techniques that started almost two decades ago, and the current need, mitigating VBOS, has little progress to show. Add to this that vendors have a reputation for being less compliant in implementing existing memory protections such as NX, the mechanism that stops injected shellcode from executing.

Decision Making with Full Visibility

IT and OT systems face compromise because organizations lack visibility into vulnerable software, malicious and reused code, and modular dependencies. To successfully mitigate VBOS, CISA envisions a future where software undergoes scrutiny similar to other consumer products.

From easiest to most difficult to attain, goals include:

  1. Require vendors to provide an SBOM that lists all components and their purposes
  2. Mandate vulnerability mitigation development for UEFI code
  3. Report publicly on the capabilities of software products
  4. Craft a risk indication mechanism to confirm software fulfills its stated capabilities
  5. Make test reports publicly available for risk assessments
  6. Discourage, prohibit, and ban products from the worst offenders

As of now, the information security industry is at the outset of implementing SBOM for software products. While CIOs, CISOs, and purchasing managers often make a faith-based decision on software, greater accountability in software development starting below the OS can lead to more data and risk-driven decisions.


Varonis: Non-endpoint attack vectors and vulnerabilities

Rounding out our look into vulnerabilities discussed at this year’s RSAC is “Fighting Where They Aren’t: How Attackers Avoid Endpoints in Modern Attacks,” by cybersecurity software company Varonis Systems. Leading the discussion were Field CTO Brian Vecci and Director of Cybersecurity Snir Ben Shimol.

Endpoints have for some time been the priority vector for protecting network security, but the reality is that attackers are increasingly attacking outside of endpoints. As is the nature of the cybersecurity landscape, Varonis appropriately quoted Sun Tzu’s “Attack him where he is unprepared, appear where you are not expected” before diving into rising trends in non-endpoint vulnerabilities.


Gateway Compromise

Whether it’s a VPN, firewall, or remote access server, unauthorized entry via network gateways is a problem. Initial access methods for gateways dominate the Dark Web market, with 45% using traditional initial access like RDP, VPN, and RCE. Significant gateway vulnerabilities include MS Exchange’s ProxyLogon, SonicWall’s Pulse VPN flaw in 2019, and an SQL injection vulnerability in early 2021.

With initial access to a gateway, hackers can move laterally to an on-premises server, leading them to the internal DNS and Active Directory.


Supply Chain Attacks

In supply chain attacks, malicious actors target entry points of software providers responsible for providing and updating a universe of solutions. When attackers compromise a vendor’s internal server, access to the AD, on-premises data, and the internal DNS gives the perpetrators complete visibility for reconnaissance. Through a forward proxy, the hacker can access the update server and distribute malicious code to the vendor’s entire customer network.

Perhaps no better recent example displays this vulnerability than the SolarWinds breach and Solorigate saga.

Malicious Cloud Applications

While phishing is one of the oldest TTPs in the hacker playbook, it still works – and, thanks to social engineering, continues to evolve. This vulnerability plays on growing consumer reliance on applications because the lure presents itself as a legitimate cloud application. Appearing as an Azure application making permission requests, attackers trick victims into granting access to their Microsoft 365 suite and more.

By configuring MS Graph API permissions in the application’s code, malicious actors can leverage the access unknowingly granted by users. Depending on the permissions granted, hackers can access sensitive data and modify files applicable to the user.
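Because the damage depends on which Graph permissions the user consented to, a defender’s first step is to review existing consent grants for the scopes that matter. The following is an added example, not code from Varonis or Microsoft, that scores a constructed set of records loosely shaped like Microsoft Graph oauth2PermissionGrant objects; the app names and IDs are made up, the scope names are real Graph permissions, and the weights and threshold are assumptions.

```python
import json

# Constructed records loosely following Microsoft Graph oauth2PermissionGrant
# objects (clientId, consentType, principalId, scope) with the app's display
# name joined in; the apps and IDs are made up, the scope names are real.
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "app-0001", "displayName": "Contoso Expense Portal",
  "consentType": "AllPrincipals", "scope": "User.Read openid profile"},
 {"clientId": "app-0002", "displayName": "Mail Productivity Helper",
  "consentType": "Principal", "principalId": "user-77",
  "scope": "User.Read Mail.Read Files.ReadWrite.All offline_access"},
 {"clientId": "app-0003", "displayName": "SharePoint Sync",
  "consentType": "Principal", "principalId": "user-12",
  "scope": "User.Read Files.Read"}
]""")

# Delegated Graph scopes that hand an attacker durable reach into mail and files,
# weighted (assumed values) by how much a consent-phished grant of each allows.
HIGH_RISK_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4, "MailboxSettings.ReadWrite": 3,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4, "Contacts.Read": 2, "Directory.Read.All": 3,
}
# offline_access returns a refresh token, so the grant outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"

def score_grant(grant):
    scopes = set(grant.get("scope", "").split())
    score, reasons = 0, []
    for s in sorted(scopes & set(HIGH_RISK_SCOPES)):
        score += HIGH_RISK_SCOPES[s]
        reasons.append(f"high-risk scope {s}")
    if PERSISTENCE_SCOPE in scopes and score:
        score += 2
        reasons.append("offline_access makes the grant persistent")
    if grant.get("consentType") == "Principal" and score:
        reasons.append("granted by user consent, never admin-reviewed")
    return score, reasons

def risky_grants(grants, threshold=3):
    # Grants at or above the threshold, most dangerous first, for admin review.
    flagged = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            flagged.append({"clientId": g["clientId"], "displayName": g.get("displayName"),
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])
```

Only the second app is flagged: a user-consented grant combining mail reading, full file write access and a refresh token is exactly the footprint the talk describes.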

Insider Threats

Last but not least is the vulnerability owed to an organization’s staff. Most vulnerability mitigation related to personnel involves training, raising awareness, and being mindful of human error. This reality makes it imperative that network administrators are active patchers to fill in the gap. But how do you mitigate the prospect of an employee intentionally launching an attack?

In late 2020, a new hire started a position at Tesla and records show he almost immediately began uploading files and scripts to his Dropbox account. These instances occur more often than reported, and the loss of intellectual property can be profound. With access to way more data than needed on day one, organizations need to be smart about how staff and data resources interact.


Sam Ingalls

Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends, for eSecurity Planet, Tech Republic, ServerWatch, Webopedia, and Channel Insider.