Fighting automated cybersecurity attacks with manual tools

By December 13, 2018Blog, Legacy, Patching, Zero Day

December cybersecurity trends make it clear, it’s time to fight back

December 2018 has been a tough month in the cybersecurity community.  In the span of a few days, we’ve been reminded that more often than not, cybersecurity teams show up to battle with the technology equivalent of knives to a gun fight.  Consider what’s happened since 30th November:

  • Two of the largest security breaches in history;
  • The US Congress declared the 2017 attack against credit reporting agency Equifax as “entirely preventable”; and,
  • A new variation of a ransomware is targeting servers with well-known vulnerabilities on common platforms.

The common theme in all of these events is the increasing level of automation and sophistication employed by attackers while InfoSec and DevOps teams struggle to keep pace.

It’s still too early to tell how Marriott and Quora were breached, exposing more than 600 million records.  In the case of Marriott, there are indications the four-year long attack was Nation/State sponsored.  No matter who is responsible, it’s highly likely the entry point was a known vulnerability that was discovered via an automated scanning tool.

Cybersecurity Automation

That’s exactly what happened to Equifax in 2017 according to the findings of a year-long investigation by the US House of Representatives.  While the politicians who ordered the investigation can’t agree on a fix, they do agree on the root cause:  an unpatched, but well-known Struts 2 bug (CVE 2017-5638) resulting in a failure “to implement an adequate security program to protect this sensitive data.”   The missed patch was compounded by an expired cert – for 19 months! – on the IDS system that could have detected the intrusion had it been fully operational.

Lost in all the noise created by the above is the announcement of what could be a significant escalation in how ransomware operates and how it is deployed.  Discovered by independent researchers, the “Lucky” virus is the latest variant of the “Satan” worm.  Only this time, Lucky attacks servers via one (or more) known CVEs that have not been patched rather than the more common attacks against OS vulnerabilities.

Enterprise applications are much more difficult to patch (see above for proof) and are ripe for exploitation by automated and autonomous hacker tools.  The prospect of self-propagating ransomware that spreads without human invention via known, but unpatched CVEs is both a significant new threat and a reason to accelerate the deployment of automated tools to fix flawed code without downtime or source code changes.

All of this begs the question:  If the bad guys are relying more and more on automation – why don’t we?


John Adams

Author:

John K. Adams is the CEO of Waratek, a leading application security company used by the largest companies around the world.

print

Author Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead. Waratek is one of CSO Online’s Best Security Software solutions of 2017, a winner of the RSA Innovation Sandbox Award, and more than a dozen other awards and recognitions.

More posts by Waratek