The case of The Shadow Brokers, the group responsible for leaking hacking tools created by “The Equation Group,” affects the enterprise directly: the leaked tools were repurposed by other hackers and resulted in several other cyberattacks, including WannaCry. The disclosed tool set includes exploits as well as Windows, Linux and router/firewall tools. In essence, the tools are a hacking how-to for wannabe hackers, making even less sophisticated hackers more sophisticated.
Hacking tool proliferation
The Shadow Brokers series of disclosures has started a fascinating conversation around the concept of hacking tool proliferation. However, hacking tool proliferation is nothing new. In fact, it dates all the way back to @stake and Foundstone. Each of these companies produced some of the earliest and most widely available penetration testing tools of their time. Security professionals and hackers alike quickly adopted their use into their everyday operations.
Since the early 2000s and through as late as 2012, the Poison Ivy Remote Access Tool (RAT) was the most prolific and arguably most successful hacking tool around. In 2013, FireEye named Poison Ivy the AK-47 of RATs. Since then, Poison Ivy has ceded popularity to a newer, more advanced RAT known as PlugX. Frighteningly, more than 50 different hacking groups were at one point using PlugX in their cyber operations. Following the US government’s Office of Personnel Management (OPM) breach, PlugX became a major target for security vendors and enterprises alike. As a direct result, its use waned and a new contender, Cobalt Strike, began to proliferate. Today, Cobalt Strike, an offensive pen testing tool, is used not only by pen testers, but also by countless hacking groups to cause irreparable damage to enterprises.
But what about zero-day exploits? Most hacking operations do not even use zero-day exploits. Why would they, when zero-days aren’t required to succeed in attacking an organization? For one thing, zero-day exploits are expensive to purchase and take significant time to develop and prepare for use. The fact is, most organizations struggle to patch their hosts properly. As IDT Corporation can attest, patching systems is challenging, even when running so-called “next-generation” detection and management solutions built to do exactly that.
There is no way to put the genie back in the bottle. Legislation that prohibits vulnerability sharing or attempts to block the sharing of any security information not only is a free speech issue, but also simply won’t stop knowledge transfer effectively. In the early 1990s, the US Department of State embarked on an effort through the International Traffic in Arms Regulations (ITAR) to block the exportation of encryption technology from the United States. The result? Twenty years later, most websites are encrypted anyway. In the age of global knowledge sharing, it is simply no longer possible to stop the flow of information.
So, how should the enterprise respond to these disclosures? While vulnerabilities can be patched, the majority of the disclosed tools cannot be patched out. In fact, many are “features” of the operating systems in which they run.
However, mitigation can be performed through effective defense-in-depth. The key areas are patch management, proper network segmentation (DMZ, Internal and Management), centralized logging, multi-factor authentication, password security policy, web proxy (inbound and outbound), endpoint detection and response, and anti-phishing technology.
As technology continues to evolve, so do attacks. Over the last five years, remotely exploitable zero-day vulnerabilities have continued to fall while credential harvesting, password weakness and ineffective patch management have continued to rise. Only a thorough and comprehensive strategy can stop highly targeted and damaging cyberattacks.