In a year chock full of juicy network security headlines, two of the biggest so far have been WannaCry and the Equifax breach. Here’s a quick refresher:
WannaCry broke out in May (fizzling shortly thereafter), taking advantage of a known vulnerability in the SMB protocol and utilizing an exploit attributed to a group linked to the NSA (the Equation Group) via tools posted by a different group with ties to Russia (the Shadow Brokers). So much intrigue … You can’t make this stuff up.
The Equifax breach was a little more straightforward. It all started with the exploitation of an outdated web server running an unpatched version of Apache Struts software.
So, what do these two breaches have in common? They both started with known vulnerabilities that remained unpatched, and were exploited from external networks. No need for drive-by downloads, clever watering hole websites, or sophisticated phishing email attacks. Turns out that even with sexy malware and ransomware releases stealing recent headlines, good ol’ inbound exploits are still a thing.
The obvious retort here is, “Have a consistent patch and update procedure. Follow it, and make double-darn sure it includes all publicly accessible systems.” Well, duh. The problem is that this plan involves people, and even the most well-intentioned people using the most sophisticated automation aren’t perfect.
This is where some old-fashioned layered security can really shine. First, any inline IPS device worth its salt would’ve detected and stopped these inbound exploits, particularly since these were known vulnerabilities. This should be true of dedicated IPS hardware (like, say, us) or an IPS module properly configured on a UTM device.
There is another tool to consider: utilizing threat intelligence gathered from outside sources that have identified networks associated with these exploits, network admins can actively block these bad guys before they even have a chance to probe their networks for these vulnerabilities. Ideally, utilizing threat intelligence to actively block them is a consistent, automated process – something we do for our Sentinel customers. We call it “active” threat intelligence, because it’s doing the work for you, not just alerting you to a potential issue.
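Added example (not from this post or the vendor's Sentinel service): the ingestion step that "active" threat intelligence automates, in Python, turning a constructed feed of attacker networks into host-firewall drop rules while rejecting the feed entries that would do more harm than good (private space, absurdly broad prefixes, expired or malformed indicators). The feed format, the ipset/iptables target and the SAMPLE_* values are assumptions for the illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample feed, "<network>,<expiry ISO-8601 UTC>" per line, seeded with the
# kinds of bad entries a real feed can carry: a private range, an absurdly broad
# range, an expired indicator and a malformed line.
SAMPLE_FEED = """# indicator,expires
203.0.113.0/24,2030-01-01T00:00:00Z
198.51.100.17,2030-01-01T00:00:00Z
198.51.100.16/28,2030-01-01T00:00:00Z
10.0.0.0/8,2030-01-01T00:00:00Z
192.0.2.0/8,2030-01-01T00:00:00Z
192.0.2.55,2017-09-01T00:00:00Z
not-an-ip,2030-01-01T00:00:00Z
"""
SAMPLE_NOW = datetime(2017, 10, 1, tzinfo=timezone.utc)  # fixed clock for the sample

MAX_PREFIX = 16  # refuse anything broader than a /16: one bad line must not null-route the internet
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
               "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]  # internal space a feed may never drop

def parse_feed(text, now=None):
    """Networks worth blocking; skips comments, malformed/expired lines, broad prefixes, NEVER_BLOCK."""
    now = now or datetime.now(timezone.utc)
    accepted = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            raw_net, raw_exp = line.split(",", 1)
            net = ipaddress.ip_network(raw_net.strip(), strict=False)
            expires = datetime.fromisoformat(raw_exp.strip().replace("Z", "+00:00"))
        except ValueError:
            continue  # malformed indicator: drop it rather than guess
        if expires <= now or net.prefixlen < MAX_PREFIX or any(net.overlaps(p) for p in NEVER_BLOCK):
            continue
        accepted.append(net)
    return accepted

def rules_from_feed(text, now=None, set_name="ti_block"):
    """Collapse overlapping networks into ipset/iptables commands (assumed Linux host firewall)."""
    nets = ipaddress.collapse_addresses(parse_feed(text, now))
    rules = [f"ipset create {set_name} hash:net -exist"]
    rules += [f"ipset add {set_name} {n} -exist" for n in nets]
    rules.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(rules_from_feed(SAMPLE_FEED, SAMPLE_NOW)))
```

Re-running this on a schedule, with the expiry field honoured, is what keeps the blocklist from growing stale or swallowing legitimate address space after an indicator is retired.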
It’s easy in this business to fixate on the latest shiny device, buzzword, or exploit, but 2017 is proving that some of the old enemies can still pack a punch, and that some old-school tricks of the trade are still effective network security tools.