Vulnerability Chaining – Considerations Across the Enterprise
By: Dr. Nikki Robinson, DSc, XLA
Cyber threats are constantly evolving and becoming more sophisticated. The hackers, or bad actors, are getting smarter and more resourceful all the time. Our Red Teamers, ethical hackers, and cyber warriors are aware of many of the tactics used by these malicious actors, and they use the same methods to investigate and test organizations' networks to ensure security controls are in place. But what are our Defenders and partners in IT Operations learning about attack methods? Is executive leadership aware of the capabilities of these attackers? This conversation needs to be open throughout the organization, from the top to the bottom, to increase the security posture and awareness of methods of attack.
Our Network Defenders and IT Operations staff are, unfortunately, not always taught the Tactics, Techniques, and Procedures (TTPs) used by attackers. Even if your own organization does teach them, does every third-party vendor or contractor you work with know these terms and TTPs? Every opening from your network into another organization's is a potential attack vector. We often look at vulnerabilities and security controls as individual issues, and the term "vulnerability chaining" is not used in audit or assessment meetings.
Vulnerability chaining is defined in the Common Vulnerability Scoring System (CVSS) User Guide as a situation where multiple vulnerabilities are exploited in a single attack to compromise a host (FIRST, 2020). A good example of vulnerability chaining is an attacker enumerating usernames (considered an Informational-level vulnerability), then using a tool called Burp Intruder against a weak security question and answer, and finally logging in to the account by resetting its password (both considered Low vulnerabilities) (Trustwave, 2019). This type of attack shows how several vulnerabilities scored as Low or even Informational can be used in combination to create a Critical attack. Defenders, however, may only look at missing security controls or vulnerabilities one at a time, especially in a larger environment.
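The following is an added example, not part of the original article or of the Trustwave post it cites. It models assessment findings as steps with preconditions and effects and searches for a path from no access to account takeover, so that findings rated Low or Informational on their own can be flagged as a chain with a Critical outcome. The finding names and capability labels are constructed to mirror the username-enumeration, security-question, password-reset chain described above.

```python
from collections import deque

# Constructed findings: (id, individual severity, capabilities required, capabilities gained)
FINDINGS = [
    ("F1 username enumeration", "Informational", set(), {"valid_usernames"}),
    ("F2 weak security question", "Low", {"valid_usernames"}, {"security_answer"}),
    ("F3 password reset via security answer", "Low", {"security_answer"}, {"account_access"}),
    ("F4 verbose server banner", "Informational", set(), {"software_version"}),
]

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def find_chain(findings, goal, start=frozenset()):
    """Breadth-first search over capability states.

    A state is the set of capabilities an attacker has gained so far; a finding
    becomes usable once everything it requires is present. Returns the shortest
    list of finding ids that reaches `goal`, or None if no chain exists.
    """
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        caps, path = queue.popleft()
        if goal in caps:
            return path
        for fid, _sev, requires, grants in findings:
            if fid in path or not requires <= caps:
                continue
            nxt = frozenset(caps | grants)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [fid]))
    return None


def chain_severity(findings, chain, outcome_severity="Critical"):
    """Return (worst individual severity in the chain, severity of the combined outcome)."""
    by_id = {f[0]: f[1] for f in findings}
    worst_single = max((by_id[f] for f in chain), key=SEVERITY_RANK.get)
    return worst_single, outcome_severity


if __name__ == "__main__":
    chain = find_chain(FINDINGS, "account_access")
    print("chain:", " -> ".join(chain))
    print("worst single severity: %s, combined outcome: %s" % chain_severity(FINDINGS, chain))
```

Findings that do not lead toward the goal (here, the server banner) are left out of the reported chain, which is what an assessment report should highlight: the individual scores stay Low, but the path they form does not.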
The mix of software, hardware, and hybrid environments used in an organization makes this a complicated situation. Each application, operating system (OS), and hardware device will have software or firmware updates that need to be managed. Some applications are updated weekly or every other week, making patch management a full-time job. The more complex the environment, the more difficult patch management becomes, which leaves IT Operations groups scrambling to patch and update every application on every device. Blue Teams consist of security analysts who monitor the network for security vulnerabilities and typically report back to the IT Operations groups when anomalies are detected.
With the latest use of a SolarWinds DLL to create backdoors into untold numbers of networks, the conversation around patching and vulnerabilities needs to extend beyond the Security team. Vulnerabilities cannot be looked at as singular entities; each is a piece of the puzzle. Each vulnerability could lead to a security misconfiguration, or to an administrator who has excessive privileges across the network. The initial malicious DLL could lead to a variety of other attacks, including credential theft, further malware drops, or network traversal. Add to that any other vulnerabilities or missing patches in the environment, and the attacker can leverage those as well once inside the system.
There are several ways organizations can reduce complexity and increase efficiency in their patch management strategies. The first is to consolidate applications, which reduces the time spent patching multiple applications and lowers the threat profile by leaving fewer applications unpatched. The second is to remove end-of-life (EOL) software; most EOL products are highly exploitable and easy for attackers to use in an attack. The third is to work towards a virtual or mobile environment where images can be patched, instead of patching the OS and applications on each mobile device (laptop or tablet).
Creating partnerships and educational opportunities between Security teams and IT Operations / Engineering groups would create an environment where security is viewed holistically. If more defenders were taught ethical hacking concepts, vulnerability chaining methodologies, and TTPs, they would have a deeper understanding of why patch management is so essential. Security should be a conversation among all teams in the enterprise, to help prevent attacks but also to respond to incidents in an efficient manner.
Headquartered in Vienna, VA, XL Associates, Inc. (XLA) is an IT-enabled Law Enforcement and Security services enterprise principally engaged in providing cybersecurity, data management and analytics, technical solutions, and international program-support services to the Federal government. With more than 30 years of overall experience supporting mission-critical requirements including homeland security, law enforcement, and international development, XLA delivers quality, agile, and cost-effective solutions, as proven by growth and repeat customers. Our Engineers and IT professionals bring a passion for innovation as well as significant experience in information technology and cyber security. We are a company that values ethics, integrity, and teamwork in pursuing exceptional performance in our business activities and in ultimately meeting our contractual obligations. XLA upholds and demands the highest standards in personal and professional conduct at every level of our business activities.
FIRST. (2020). Common Vulnerability Scoring System version 3.1: User Guide. Retrieved from https://www.first.org/cvss/user-guide
Trustwave. (2019). Chaining Low/Info Level Vulnerabilities for Pwnage. Retrieved from https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chaining-low-info-level-vulnerabilities-for-pwnage/