Want to hack lots and lots of enterprises? Just develop malware that looks like WannaCry, including the ability to target a now-patched server messaging block flaw in Windows (see Teardown: WannaCry Ransomware).
That's one takeaway from security firm SafeBreach's proactive study of how effective some of today's most-seen attack techniques are when applied to live enterprise networks.
"Instead of just focusing on whether attackers can get into my network, assume they can."
Disclaimer: No enterprise networks or IT administrators were harmed during the course of these studies, SafeBreach says.
Rather, the firm maintains an attack simulation platform that organizations can use to test and quantify the types of cybersecurity risks they face to best optimize the tools and technologies they already own. "We simulate attackers and attacks on a network to prove that these attacks were blocked, and those attackers weren't. And we have thousands of different attack methods that real attackers use," Chris Webber, a security strategist at SafeBreach, tells me.
The organization isn't the only one to offer this type of functionality. It competes with AttackIQ, Cytegic, Ironscales, Skybox Security and Verodin, among others.
Top Infiltration Methods
Testing real-world enterprise networks using "ripped from the headlines" attack techniques can make for interesting findings.
For starters, SafeBreach has tested a number of techniques for infecting PCs, including using the vulnerabilities in Windows systems targeted by WannaCry, hiding malicious code into otherwise legitimate-looking packed executable files as well as the malicious capabilities included in the Carbanak banking Trojan developed by the cybercrime group known as "Anunak."
Based on 7.5 million simulations run by SafeBreach from January to November at its customers' sites, these were the top five most effective attacks it found and their rate of success:
- WannaCry 2.0 ransomware: 63 percent;
- Carbanak HTTP malware transfer: 60 percent;
- Executable file inside a Visual Basic file (.vbs) using HTTP: 57 percent;
- Executable file inside a Microsoft Compiled HTML Help (.chm) file: 56 percent
Top Lateral Movement Methods
The firm also tested how effective hypothetical attackers would be at moving around already penetrated networks.
The lateral movement techniques it studied included simulating EternalRocks, a worm that combines seven exploits leaked by the Shadow Brokers and developed by the Equation Group, which many information security experts believe is the National Security Agency's in-house hacking team.
The exploits included in EternalRocks are ArchiTouch, DoublePulsar, EternalBlue, EternalChampion, EternalRomance, EternalSynergy and SMBTouch. "This worm had widespread infection, but has not yet been weaponized," SafeBreach says. "The author claims to have backed away from the campaign, but an as-yet-unknown amount of machines remain infected, leaving the door open for later attacks."
The group also tested techniques that have been seen in other attacks, including attacks attributed to the Lazarus Group hacking team, which has been tied to North Korea.
Here were the top five most effective lateral movement techniques and their rate of success:
- Malware transfer techniques from the NotPetya ransomware worm via HTTPS: 69 percent;
- EternalRocks - transfer via HTTPS: 69 percent;
- Executable inside Windows script file (.wsf) using HTTP: 67 percent;
- EXE inside JAR [Java package file format] using HTTP: 67 percent;
- Lazarus buffer transfer technique: 67 percent.
Infiltration Techniques on Repeat
Webber says many of the top lateral movement techniques used by today's attackers resemble "regular old infiltration attacks." In other words, the same straightforward techniques that give attackers access to enterprise systems are being reused to hop around corporate networks unimpeded (see Hackers Exploit Weak Remote Desktop Protocol Credentials).
"We often think of lateral movement as pure credential theft or privilege escalation - using techniques just like a system administrator - but we're seeing simple things like newer types malware, or ransomware, are able to move laterally and pretty easily with the same techniques that are used to infect PCs in the first phase of an attack," Webber says.
"Instead of just focusing on whether attackers can get into my network, assume they can, so stop them from traversing your network or stealing data from it."