In February of this year Mandiant/FireEye released its M-Trends 2016 report. This is a great report that is split into three sections. The first chronicles the top three newest breach trends that occurred in 2015, the second looks at past trends that have turned constant, and finally the report discusses the top three observations Mandiant’s Red Team has seen when performing penetration tests for clients. Each section of the report gives great examples of why protecting identity is so crucial for organizations.
Newest Breach Trends
Starting with the newest breach trends, we see there has been a rise in the targeting of network devices. The report explains that network devices are often overlooked by penetration testers and incident responders, and that attackers have several reasons for targeting them: traffic monitoring, reconnaissance, subversion of security controls, and so on. Examples of the latest attacks include modification of Cisco router images (replacing the normal images with malicious ones) and exploitation of a cross-site scripting vulnerability on unpatched Cisco VPN concentrators. Mandiant’s top tactical recommendation for preventing these types of attacks is strong authentication using an out-of-band second factor such as SMS or a smartphone application. They go on to recommend other controls such as patch management and system integrity verification, but strong authentication should be at the top of the list for protecting network equipment within the enterprise. Most network equipment supports RADIUS, which enables integration with authentication vendors like SecureAuth.
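As an added illustration, not taken from the Mandiant report or from SecureAuth, the Cisco IOS fragment below shows how a router hands login authentication for its management interface to a RADIUS server (the point at which an MFA vendor plugs in), keeping a local account only as a fallback for when the RADIUS server is unreachable; the server name, group name, address and shared secret are constructed placeholders.

```cisco
! Enable the AAA framework (required before any RADIUS/TACACS+ configuration)
aaa new-model
!
! Define the RADIUS server that fronts the MFA service.
! 192.0.2.10 is a documentation-range placeholder; replace the key with a long random secret.
radius server MFA-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-STRONG-SHARED-SECRET
 timeout 5
 retransmit 3
!
! Group the server so the authentication method list can reference it
aaa group server radius MFA-GROUP
 server name MFA-RADIUS
!
! Try RADIUS (MFA) first for every login; fall back to the local database only if
! no RADIUS server answers. A rejected login does NOT fall through to local.
aaa authentication login default group MFA-GROUP local
aaa authentication enable default group MFA-GROUP enable
!
! The break-glass local account used only when RADIUS is down; keep its secret
! strong and its use monitored, since it is the single-factor path that remains.
username breakglass privilege 15 secret REPLACE-WITH-STRONG-LOCAL-SECRET
!
! Apply the method list to the remote management lines and allow SSH only
line vty 0 4
 login authentication default
 transport input ssh
```

Because the `local` method only engages when RADIUS times out, any successful login that used the local account is a useful signal to alert on: it means either the MFA server was unavailable or someone bypassed it.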
Trends Turned Constants
The Trends Turned Constants section of the Mandiant report highlights the continued targeting of outsourced service providers (OSPs) by attack groups. An OSP is any managed service provider that maintains a site-to-site connection to different customers in order to provide services. Attackers who compromise an OSP can potentially gain access to the many different companies the OSP does business with. Mandiant’s top recommendation for guarding against this risk is to require any OSP you do business with to use jump servers with multi-factor authentication when accessing your environment. That way, if the credentials OSP personnel use are stolen in a breach of the OSP’s own network, those credentials cannot simply be reused to pivot into the customer’s network. Solutions such as SecureAuth’s credential provider are a good fit for scenarios such as this.
Top Observations from Mandiant’s Red Team
The last section of Mandiant’s report focuses on the results of red team penetration tests they performed for clients throughout 2015. Mandiant provides its observations on the top three areas customers should focus on improving. Not surprisingly, the number one observation is “Credentials, in general”. The report discusses the need for the simplest of changes, such as password complexity and history policies. Many organizations not only rely on passwords alone for access to applications, they even allow users with elevated access to use passwords that are easy to guess. Theft of cached credentials remains an issue as well: toolkits that dump any passwords held in memory are a prevalent technique for targeting users with elevated credentials. Finally, the report notes the persistent use of single-factor authentication, particularly on external-facing applications such as web mail, VPN and virtual desktop environments, as a major vulnerability. “This architectural flaw has been discussed and addressed for a long time, yet we continue to see organizations expose OWA, Citrix, SAP, and even VPN to the Internet behind single factor (and often Active Directory-integrated) login pages.” A vendor like SecureAuth that can integrate with applications such as these to provide multi-factor authentication would be highly advisable. Layering in adaptive authentication techniques to provide a better user experience can help drive better adoption of strong authentication.
Companies certainly need to apply multiple layers of security technology within their environments. The M-Trends report shows us the importance of protecting identities and the priority organizations should place on establishing stronger identity controls.