Everybody is talking about email, browsing, and phishing as the main attack scenarios organizations should care about. However, in the real world, determined attackers use a variety of additional techniques that in many cases fly under the radar of enterprise security teams.
There are many of those attacks out there, and they’re gaining popularity. Here are just five non-phishing user-centric attacks you should definitely be prepared for.
1. Malicious networks
Your users use their laptops at home, in coffee shops, at the airport, abroad, etc. Malicious actors can easily set up WiFi hotspots in these locations and use them to target the operating system on the user’s laptop. When the device connects to a compromised or malicious network, the attacker can attempt DNS spoofing, leverage DHCP vulnerabilities in Windows, or fall back on the good old man-in-the-middle attack to impersonate popular websites or software update servers. Rogue WiFi captive portals can also take part in these attacks. A zero-trust network infrastructure, despite the hype, isn’t enough to prevent the damage from this type of attack.
Always-on VPN solutions can help mitigate some of this risk but may result in a degraded user experience in which the user cannot connect to some legitimate WiFi networks.
2. Malicious external devices
Handing out thumb drives as free gifts is a classic way to get users to run malicious executables on their machines. However, external devices go beyond USB disks. Almost any external device, including smart cards, webcams, keyboards, and other human interface devices, can leverage operating system vulnerabilities and own the user’s machine. One commoditized example of that is the Rubber Ducky ($50): “... the attacker walks up to a computer, plugs in a seemingly innocent USB drive, and has it install a backdoor, exfiltrate documents, steal passwords or any number of pen test tasks. All of these things are done with many well-crafted keystrokes in seconds. The USB Rubber Ducky does this in seconds.”
To mitigate these attacks, consider using Group Policy to block unknown external devices, but take your users into account: do they connect to docking stations and to all kinds of peripherals such as external keyboards and mice?
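The following is an added example, not code from the article or from Hysolate. It builds an allowlist of the hardware IDs currently attached to a reference laptop (docked, with its approved keyboard, mouse and other peripherals plugged in) and then enforces the Device Installation Restrictions policy through its documented registry equivalents, so unknown devices are refused while the help desk can still install new hardware. Device class names, registry paths and value names are the standard Windows ones; the choice of classes to inventory is an assumption you should adjust to your fleet.

```powershell
# Added example (not from the article). Run elevated, on Windows 10/11, while the
# reference laptop is docked with all approved peripherals connected.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# 1. Inventory hardware IDs of the devices present right now. The class list is
#    an assumption: extend it if your users rely on other device types.
$classes = 'Keyboard', 'Mouse', 'HIDClass', 'USB', 'SmartCardReader', 'Image'
$hwIds = Get-PnpDevice -PresentOnly -Class $classes -ErrorAction SilentlyContinue |
    ForEach-Object {
        (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
            -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
    } |
    Where-Object { $_ } | Sort-Object -Unique

# 2. Write the allowlist. Each allowed ID is a string value named "1", "2", ...
#    under AllowDeviceIDs; Windows matches on hardware ID or compatible ID.
New-Item -Path "$Restrictions\AllowDeviceIDs" -Force | Out-Null
$i = 1
foreach ($id in $hwIds) {
    New-ItemProperty -Path "$Restrictions\AllowDeviceIDs" -Name $i -Value $id `
        -PropertyType String -Force | Out-Null
    $i++
}

# 3. Refuse installation of anything not described by an allow entry, but let
#    administrators install devices so new docks and peripherals can be onboarded.
Set-ItemProperty -Path $Restrictions -Name DenyUnspecified   -Value 1 -Type DWord
Set-ItemProperty -Path $Restrictions -Name AllowAdminInstall -Value 1 -Type DWord

# Caveats: the policy only affects devices installed after it is applied, and a
# device that clones an allowed vendor/product ID will still match the allowlist,
# so treat this as a speed bump for keystroke-injecting devices, not a wall.
Write-Host ("{0} hardware IDs allow-listed under {1}" -f $hwIds.Count, $Restrictions)
```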
3. Sophisticated insiders
We have all heard about insiders, but they are getting more and more sophisticated. It’s no longer just about plugging in a large-capacity USB disk and downloading all the files in a file share. These sophisticated insiders, in many cases IT staff, can write scripts, use the latest malware, leverage privilege elevation vulnerabilities, etc. This allows them to carefully leak data without raising any alarms, for financial or other motives. They can also go on a vendetta and plant a scheduled script that brings down the organization’s production servers when it’s least convenient.
To mitigate this risk, you have to consider all the methods that insiders can use to deliver malicious content into privileged environments and try to prevent or limit them. You should also take into account all the channels insiders can use to get data out of the organization, including network-based and peripheral-based exfiltration.
4. Getting infected by any other app
It’s true that we’re already in 2020, but we’re not yet in the post-PC era. Beyond using a browser and an email client, employees use a wide variety of other desktop apps, including: conferencing apps like WebEx, Zoom, and TeamViewer; messaging apps like Slack, WhatsApp, and Teams; file sharing apps like Dropbox, Google Drive, and OneDrive; and many legacy applications that were built by some unknown IT department in the organization in the late '90s and somehow survived to this day and age. These apps are far from perfect and are actually a riper target for vulnerability hunting than the well-known browsers and email clients.
To mitigate this risk, you have to consider operating system isolation technologies that take the entire operating system with its variety of apps (and their vulnerabilities) and isolate it in a virtual machine or on a separate physical machine, as Microsoft recommends. Of course, to make it practical, consider how users will get access to the apps in these virtual machines and how to optimize their experience, both at the office and remotely.
5. Tampering with the laptop
When we say laptop tampering, we refer to scenarios like the “Evil Maid Attack,” a term coined in 2009 by security analyst Joanna Rutkowska. In this type of attack, a malicious actor gains physical access to the device. This can happen in hotel rooms when people leave their laptops unattended. The attacker can try to simply boot from an OS on a thumb drive to tamper with the operating system on the laptop, injecting malware or simply stealing all the data. The attacker could also try compromising the firmware on the laptop.
To mitigate these attacks, you must implement a full disk encryption solution that leverages the Trusted Platform Module (TPM) and Secure Boot features available in modern laptops, and require users to type in a PIN at boot so that the disk encryption key is never released to an unattended machine, which is what makes DMA attacks on a booted-but-locked laptop pay off. You should also consider a system that allows you to remotely wipe or lock the laptop in case it is stolen.
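As an added example (not code from the article or from Hysolate), the script below audits a Windows 10/11 laptop for the controls this section describes: Secure Boot on, TPM ready, the OS volume fully encrypted by BitLocker with a TPM+PIN protector, and the BitLocker policy that blocks new DMA devices while the screen is locked. It also shows the remediation for a machine that fails the audit. The cmdlets, policy values and key-protector types are the standard BitLocker ones; the function names are my own.

```powershell
# Added example (not from the article). Run from an elevated PowerShell session.
function Test-EvilMaidPosture {
    $fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $os     = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpm    = Get-Tpm
    $policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems; treat that as "off".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    [pscustomobject]@{
        SecureBootEnabled     = $secureBoot
        TpmReady              = $tpm.TpmPresent -and $tpm.TpmReady
        OsVolumeProtected     = ($os.VolumeStatus -eq 'FullyEncrypted') -and
                                ($os.ProtectionStatus -eq 'On')
        # A 'TpmPin' protector means the volume key is released only after the
        # user types the PIN, so it is not sitting in RAM for a DMA or cold-boot
        # grab while the laptop is left unattended at the pre-boot screen.
        PreBootPinRequired    = [bool]($os.KeyProtector |
                                  Where-Object KeyProtectorType -eq 'TpmPin')
        DmaBlockedWhileLocked = $policy.DisableExternalDMAUnderLock -eq 1
    }
}

# Remediation: require TPM+PIN via policy, block new DMA devices while locked,
# then turn on BitLocker with the PIN and escrow a recovery password so a
# forgotten PIN does not turn into data loss.
function Enable-EvilMaidProtections {
    param([Parameter(Mandatory)][securestring] $Pin)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 1 -Type DWord   # 1 = require startup PIN
    Set-ItemProperty -Path $fve -Name DisableExternalDMAUnderLock -Value 1 -Type DWord
    Enable-BitLocker -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $Pin `
        -EncryptionMethod XtsAes256 -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
}

# Usage: audit first; remediate only if a field reads False.
Test-EvilMaidPosture | Format-List
# Enable-EvilMaidProtections -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
```

Escrow the recovery password (Active Directory, Azure AD/Intune or your key-management system) before enforcing the PIN requirement fleet-wide, otherwise a forgotten PIN becomes a help-desk ticket with no way out.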
Tal Zamir is the Founder and CTO of Hysolate.