What’s worse than Heartbleed? Your core IT

Flashy bugs like Heartbleed and ominous-sounding malware like Gameover Zeus, written by shadowy Eastern European cyber criminals, get all the headlines while more serious bugs and architectural flaws, available to be exploited far more often, remain in place.

Thing is, Heartbleed is concentrated on one area, one surface and it can be patched. What if there are serious vulnerabilities around that have existed for years, and which are not likely to go away because removing them would be too disruptive?

There are a number of scenarios where a business-critical system is insecure or weak by design and that puts security staff in a very difficult position.

Take the Windows “Pass the Hash” (PtH) [PDF] authentication weakness as an example: if an attacker gets hold of sufficiently elevated logon credentials on an organisation’s network, thanks to the oh-so-convenient concept of single sign-on, it could have free run of any and every system that it can reach without even needing to know the actual password.

Example of lateral movement PtH attack; Source: Microsoft

With local credentials captured and the mathematically-derived hash or fingerprint of the user password at hand - and this is less difficult than it may seem - lateral movement to compromise other machines on a network is possible.

Privilege escalation with PtH attack. Source: Microsoft

Servers storing sensitive information and other higher-value targets can also be accessed through privilege escalation.

Better yet, for attackers at least, PtH attacks are hard to detect. Microsoft notes that “it is very difficult to distinguish activity by attackers using stolen credentials from authorised activity”.

“If system and event logging is enabled, all authentication activity, malicious or not, will appear as normal logons,” Microsoft says.

In other words, PtH attacks are invisible to admins. How much sensitive information has been leaked this way is anyone's guess.

Unlike exploits and malware, PtH is intentional in its design and is included in Windows up until version 8.1 and Server 2012 R2.

As an aside, it’s not certain that PtH has been fixed in the two most recent versions of Windows, at least not in more complex networked system setups, and this interesting thread on Reddit is worth a read.

What do you do then? Well, resorting to further penetration testing and reinforcing the perimeter to prevent the initial intrusion isn’t going to keep you safe for long, suggests Adam Boileau of consultants Insomnia Security.

Boileau says that attackers will usually find a way in to the network through methods that change over time.

These can include social engineering, new and existing vulnerabilities in software and hardware, or even brute-force attempts.

“It’s an arms race that you’re unlikely to win, and infosec specialists who suggest you play that game are not going to help prevent their customers from getting owned,” he says.

After the initial intrusion what happens next pretty much stays the same. Here, prevention isn’t so much the key as detection and reaction. To detect threats, use intelligence, heuristics and statistical analysis of activity, Boileau says.

Seeing how an intrusion happens is key to understanding what to do next for security staff.

“Take firemen: they conduct drills. They exercise; they set things on fire, and then put it out. Infosec people just sit around going ‘ooh, guess nobody’s hacked us!” Boileau says.

“That’s the kind of stuff (running drills) that actually improves an organisation’s security posture, as opposed to not checking for random vulnerabilities and then relaxing when the right patches have been applied,” he says.

According to Boileau, the strategy that’s gaining traction with some savvier organisations is to focus on detecting misuse internally as well as externally along with containing and evicting adversaries. 

In fact, some have even given up on the perimeter notion completely, and treat internal and external networks as equally hostile.

There will be more big name vulnerabilities like Heartbleed, but good housekeeping and being prepared for the inevitable moment when your network is compromised is what really matters, not how fast you can upgrade OpenSSL on an organisation’s web servers.