It’s safe to say that the security teams at the US Central Intelligence Agency are busy assessing the damage to their cyber surveillance capabilities now that Wikileaks has dumped what is believed to be the Agency’s hacker toolkit into the wild. For any Nation-State, it’s a devastating event to have their secret weapons suddenly made public for all to see and use.
Every malicious hacker dreams of getting their hands on the CIA’s tools. While the popular press has focused on the ability to turn IoT devices into surveillance tools and the privacy risk that represents, the real danger is a wave of zero-day attacks aimed at enterprises, especially enterprise web applications.
Every dream has a companion nightmare. Network security gets the attention, but applications are the number one target of malicious hackers, and applications more often than not contain both known and unknown software flaws. The release of a whole library of previously unknown attack vectors means that under-resourced and over-worked application (and network) security teams must prepare for the inevitable: tools built for government intelligence being aimed at businesses of every size.
Unplugging the Amazon Echo and the smart TV settles the matter for most concerned consumers. Enterprise security teams and software vendors do not get off so easily: it will take weeks, months or years to address the exploits now headed their way, and the attacks will keep coming for a year or longer. Data thieves are a notoriously patient lot and are more likely than not to drag out the use of these exploits over years.
Simply put, the good guys are about to be outgunned. There are, though, steps enterprise security teams can take today and in the coming weeks to prepare for what could be a prolonged period of never-seen-before attacks.
- Stop blindly trusting your software. Software flaws don’t just occur in the code your team writes and you should be looking for and protecting against vulnerabilities in every part of your software stack, including the platform itself. Add security controls throughout your software supply chain and software stack, and perform security code reviews on all code that receives user input.
- Prioritize patches. In most organizations flaws are found five to ten times faster than they are fixed. In a large enterprise that backlog can run to tens of thousands of vulnerabilities across hundreds of applications and instances. Finding the flaws is not the problem; protecting against them as fast as possible, without disrupting service, is. Look to virtual patching (blocking the exploit at a proxy, WAF or request filter in front of the application) for immediate protection while you prioritize the flaws that need to be fixed in the code itself.
- Harden your applications. Virtually every web application ships with unused and unneeded APIs, framework defaults and other code that your team did not write. Turning off the elements you don’t need shrinks the attack surface and takes whole classes of zero-day attacks arising from Vault 7 off the table, because an exploit cannot reach code that is not exposed.
- Add deterministic defenses, not heuristics. There is a public policy debate in the US over whether the government should require or request that software firms include undisclosed backdoors, which may now be open to exploitation. While that debate rages above all of our pay grades, security teams can address much of the risk with a rules-based approach to security: explicitly define what a request, a user or a component is allowed to do, and reject everything else, instead of relying on heuristic defenses that try to guess what looks malicious. That is a longer-term effort, but worth evaluating now.
- Separate privileges and run software with the lowest privileges it needs. In most cases, attackers escalate their privileges after initial access in order to do more damage to the compromised system and reach restricted data and functionality. To prevent that, the system must be compartmentalized: identify its trust boundaries and data flows, and define separate, minimal privileges for each boundary. This usually calls for an in-depth architectural analysis of the software, but software tools can help automate the task.
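The following is an added example, not code from the original article, showing three of the measures above in one small pre-dispatch gate for a web application: an explicit allowlist of routes (hardening), virtual-patch rules that block a known-bad request shape until the real fix ships (prioritizing patches), and a privilege drop at startup that verifies the process cannot become root again (least privilege). The routes, the ticket id `APP-1234`, the `nobody` account and the sample requests are all hypothetical and constructed for the example.

```python
"""Pre-dispatch gate: route allowlist, virtual patches, privilege drop.

Added example for this article. All routes, rule names and requests are
constructed here; none come from a real application.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical routes the application actually needs. Anything not listed is
# unreachable, even if a handler or framework default exists for it.
ALLOWED_ROUTES = {
    ("GET", "/api/v1/orders"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class VirtualPatch:
    """One rule standing in for a code fix that has not been deployed yet."""
    name: str             # tracking id of the real fix (hypothetical ticket)
    route: str            # route template the flaw lives in
    param: str            # parameter to inspect
    pattern: re.Pattern   # what a legitimate value must look like


# Constructed rule: the order id must be a plain integer; anything else
# (injection attempts, traversal, oversized values) is dropped at the gate
# until the handler validates it properly.
VIRTUAL_PATCHES = [
    VirtualPatch("APP-1234", "/api/v1/orders/{id}", "id", re.compile(r"[0-9]{1,12}")),
]


def match_route(method: str, path: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (template, path parameters) for an allowlisted route, else None."""
    for m, template in ALLOWED_ROUTES:
        if m != method:
            continue
        # Turn "{id}" into a named capture that stops at the next slash.
        regex = "^" + re.sub(r"\{([^}]+)\}", r"(?P<\g<1>>[^/]+)", template) + "$"
        hit = re.match(regex, path)
        if hit:
            return template, hit.groupdict()
    return None


def gate(req: Request) -> dict:
    """Decide whether a request may reach a handler at all."""
    matched = match_route(req.method, req.path)
    if matched is None:
        return {"status": 404, "reason": "route not exposed"}
    template, path_params = matched
    values = {**req.params, **path_params}
    for vp in VIRTUAL_PATCHES:
        if vp.route == template and not vp.pattern.fullmatch(values.get(vp.param, "")):
            return {"status": 400, "reason": f"virtual patch {vp.name}"}
    return {"status": 200, "reason": "dispatch", "route": template}


def drop_privileges(uid: int, gid: int) -> None:
    """Drop root to uid/gid and verify the drop cannot be undone.

    Order matters: supplementary groups first, then gid, then uid; once the
    uid is changed the process may no longer change its groups.
    """
    if os.getuid() != 0:
        return  # already unprivileged, nothing to drop
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)  # must fail: real, effective and saved uid all changed
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: process can still become root")


# Constructed sample traffic: one legitimate call, two blocked by the
# virtual patch, two that never reach a handler because the route is not exposed.
SAMPLE_REQUESTS = [
    Request("GET", "/api/v1/orders/42"),
    Request("GET", "/api/v1/orders/1%20OR%201=1"),
    Request("GET", "/api/v1/orders/1234567890123"),
    Request("DELETE", "/api/v1/orders/42"),
    Request("GET", "/actuator/env"),
]

if __name__ == "__main__":
    if os.getuid() == 0:
        import pwd
        nobody = pwd.getpwnam("nobody")  # hypothetical service account
        drop_privileges(nobody.pw_uid, nobody.pw_gid)
    for r in SAMPLE_REQUESTS:
        print(r.method, r.path, "->", gate(r))
```

The gate runs before any handler, so a framework endpoint that nobody knew was there returns 404 rather than whatever its default behaviour is, and the virtual patch carries its ticket id so it can be retired the day the code fix lands.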
Each of the past five years has set records for the number and severity of attacks. Thanks to the Vault 7 breach, 2017 may be the worst yet.