Understanding exploit chains in one page: what they are, their risks, use cases, and mitigation recommendations

An exploit chain (also called a vulnerability chain) is a network attack that combines several vulnerabilities to compromise a target. Compared with a single point of entry, cybercriminals prefer chains because they allow a device or system to be compromised more thoroughly, for greater damage or impact.

Forrester analyst Steve Turner said that exploit chain attacks are used to gain kernel, root, or system-level access and thereby compromise the system for further attack activity. Exploit chains let attackers abuse flaws in normal system processes, bypass many defensive mechanisms, escalate privileges quickly, and blend into the organization.

Although exploit chain attacks typically demand more time, effort, and expertise from cybercriminals, combining vulnerabilities lets malicious actors carry out attacks that are more sophisticated and harder to remediate, depending on the length and complexity of the vulnerability sequence.

Exploit chain risks

The risk posed by exploit chains is enormous. According to Turner, exploitation often happens very fast, and most organizations have not put in place the right policies, processes, and tools to proactively block or contain such threats.

Ortal Keizman, head of the Vulcan Cyber research team, said the unfortunate reality facing IT security teams is that almost all exploit chains rely on known vulnerabilities, and those vulnerabilities have gone unmitigated for a variety of reasons. In Keizman's words, vulnerability management is a large-scale game of whack-a-mole for today's IT security industry: at least 56% of enterprise organizations lack the ability to remediate vulnerabilities quickly and at scale to protect their business.

It is reasonable to assume that most cybersecurity leaders are still working from vulnerability lists such as NIST reports or the CISA Known Exploited Vulnerabilities catalog, because they do not have a firm grasp of their own risk trends. On this point, Keizman said that risk cannot be reduced if it is not measured, and that risk prioritization is meaningless if it is not aligned with the specific organization or the custom risks of its business units.

Exploit chain use cases and examples

The following exploit chain attack scenarios are either drawn from the real world or hypothetical (but likely to occur).

The SolarWinds attack

One of the best real-world examples of an exploit chain attack is the SolarWinds compromise, which showed us a highly destructive backdoor that exploited multiple vulnerabilities (which needed fixing) and multiple supply chains (which needed protecting). In this incident, the attacker first abused a critical layer of the software supply chain to establish an advanced persistent threat that allowed remote access and privilege escalation inside private networks. Once the backdoor was planted in the software factory, the attacker used proof-of-concept (PoC) exploits for known (but, for various reasons, still unmitigated) vulnerabilities to penetrate target systems further.

Exploit chains against mobile devices

John Bambenek, chief threat hunter at Netenrich, finds that exploit chains are most commonly used against mobile devices. Given the nature of the mobile phone architecture, multiple vulnerabilities must be exploited to obtain the root access needed to run mobile malware. Research by the security company Lookout confirms this; its study described a variety of Android surveillance tools.

Exploit chains against browsers

Browser exploits can be chained in a similar way. Reguly, a member of the Tripwire Vulnerability and Exposure Research Team, explained that an attacker can use a phishing email to lead the user to a web page and then launch a drive-by attack that exploits a browser vulnerability, chain it with a second vulnerability to escape the sandbox, and then use a third vulnerability to escalate privileges.

In this scenario, the attacker wants to use the exploit chain to spread through the network and get into a specific system. Reguly added, "When I think about exploit chains, one picture always comes to mind: our old friend, the pivot. Attackers want to use their exploit chain to create a pivot point from which to move through systems and the network."

Exploit toolkits used by ransomware attackers

Turner said that exploit chains are becoming more common as part of the commodity exploit kits used by ransomware attackers and other attacker groups. Two popular examples are zero-click exploit chains, which require no action from the user, and chains like ProxyLogon, in which attackers exploit a series of vulnerabilities to gain administrator access and then run whatever code they want.

Ransomware groups often use this method to gain a foothold in an environment quickly, steal data, and then extort the organization. Turner added, "We are very confident that attackers will use well-known RCE vulnerabilities (such as the Log4j vulnerability) to build additional exploit toolkits, linking a series of vulnerabilities together to quickly gain the system- or kernel-level access they want."

Exploit chain attack defense recommendations

When it comes to reducing the risk of exploit chains, Reguly stresses that the most important thing to remember is that you can break any link in the chain. Some damage may already have been done, but every link that is broken prevents further potential damage. A strong, mature cybersecurity program implements effective tactics, techniques, and procedures (TTPs) to break every link in the chain, providing the greatest possible mitigation or protection against each potential attack. Where such a program is not yet in place, thinking in terms of the cyber kill chain and where it can be stopped is also good advice. Although exploit chains can feel daunting, if you can detect something (whether in the chain itself or in other attacker behavior), responders can understand the problem and resolve it.

For Keizman, properly addressing exploit chains requires a coordinated effort between the large open source community and closed-source software vendors. Secure open source development practices would also be a great help, and now is the best time for the commercial and open source software camps to build bridges.

As for CISOs, Keizman advocates implementing comprehensive, risk-based cyber hygiene rather than blindly fixing each vulnerability as it appears. Enterprises must develop a strategy to address vulnerabilities before they are exploited, prioritized according to their own specific business needs; otherwise the game will be lost.
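As an added illustration of the two recommendations above (break any link in the chain, and prioritize by measured risk rather than patching blindly), the following Python script, which is not from the article or from any of the vendors quoted in it, models exploit chains as ordered lists of vulnerability identifiers and chooses the fixes that break the most chains first. The chains, their business weights, and the identifiers are constructed sample data, not real CVEs.

```python
"""Prioritise fixes by how many weighted exploit chains each one breaks.

Added illustration, not from the article. Each chain is the ordered list of
vulnerabilities an attacker needs end to end, so remediating any single link
breaks the whole chain. IDs and weights below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample: chain name -> (business weight, ordered vulnerability links).
SAMPLE_CHAINS = {
    "phishing-to-domain-admin": (5, ["V-PHISH", "V-BROWSER-RCE", "V-SANDBOX-ESC", "V-KERNEL-LPE"]),
    "mobile-root":              (3, ["V-BROWSER-RCE", "V-SANDBOX-ESC", "V-KERNEL-LPE"]),
    "mail-server-takeover":     (4, ["V-MAIL-SSRF", "V-MAIL-WRITE"]),
    "zero-click-messaging":     (2, ["V-MSG-PARSER", "V-KERNEL-LPE"]),
}


def unbroken_chains(chains, fixed):
    """Names of chains in which no link has been remediated yet."""
    return [name for name, (_, links) in chains.items()
            if not any(link in fixed for link in links)]


def residual_risk(chains, fixed):
    """Measured risk: total weight of chains that are still fully exploitable."""
    return sum(chains[name][0] for name in unbroken_chains(chains, fixed))


def fix_value(chains, fixed):
    """Weighted count of still-unbroken chains each unfixed link would break."""
    value = defaultdict(int)
    for name in unbroken_chains(chains, fixed):
        weight, links = chains[name]
        for link in set(links):          # a link counted once per chain
            value[link] += weight
    return dict(value)


def prioritise_fixes(chains, budget=None):
    """Greedy plan: repeatedly remediate the vulnerability that breaks the most
    remaining weighted chains until every chain is broken or the budget is spent.
    Returns the ordered list of vulnerability IDs to fix."""
    fixed, plan = set(), []
    while unbroken_chains(chains, fixed):
        if budget is not None and len(plan) >= budget:
            break
        value = fix_value(chains, fixed)
        # Sorted candidates give a deterministic tie-break, so plans are reproducible.
        best = max(sorted(value), key=lambda v: value[v])
        fixed.add(best)
        plan.append(best)
    return plan


if __name__ == "__main__":
    print("initial residual risk:", residual_risk(SAMPLE_CHAINS, set()))
    plan = prioritise_fixes(SAMPLE_CHAINS)
    done = set()
    for vuln in plan:
        done.add(vuln)
        print(f"fix {vuln:14s} -> residual risk {residual_risk(SAMPLE_CHAINS, done)}, "
              f"still exploitable: {unbroken_chains(SAMPLE_CHAINS, done)}")
```

In the sample data, one kernel privilege-escalation link sits in three of the four chains, so fixing it first removes most of the weighted risk at once; the mail-server chain then needs a fix of its own. A real deployment would draw the chains from threat intelligence and the weights from asset criticality, but the point stands: the measure that matters is how much chained risk each remediation removes, not how many individual findings are closed.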
