You are a Target, even if you Think you are not

Thanks to Kevin Ku @ikukevk for making the cover photo available freely on Unsplash 🎁 https://unsplash.com/photos/w7ZyuGYNpRQ

You are a Target, even if you Think you are not (supply chain attack)

Many organizations seem to have this idea that because they’re not a “big target” they’re fine. They aren’t Apple, Google, or Amazon; so, they don’t have anything to worry about. However, there are two flaws with this logic. The two issues many people seem not to understand are low-hanging fruit and supply chain attacks.

Organizations also fall into the trap of “we have never been compromised before” or “we are probably already compromised.” Both, however, show a level of incompetence. These statements show a lack of basic understanding of security and risk assessment, as well as laziness. The former demonstrates an environment that has become too lax, and either doesn’t know it has been hacked or can’t accept that it has just flown under the radar. The latter shows that the organization has given up, or is inexperienced in incident response.

Low-Hanging Fruit

Low-hanging fruit is any vulnerability that is easy to attack. These vulnerabilities may not be easy to find; however, once an attacker finds one, it is relatively easy to exploit. Most of the time they are exploited with pre-written attacks. These are the first vulnerabilities an attacker goes after before attempting anything more complicated. An example would be an invalid configuration, which could be mitigated with proper configuration management.

An organization may think that, because it is not a target, there is no need to mitigate a vulnerability quickly. This is incorrect, because it is leaving low-hanging fruit in its infrastructure for attackers. This low-hanging fruit is often also easy to patch, yet some organizations don’t prioritize these vulnerabilities.

Low-hanging fruit is two-fold. First, you have fallen into the trap of thinking you don’t need to worry as much about security. Second, you fail to realize that automated exploitation is a capability attackers have: they can automate the process of scanning for, identifying, and exploiting vulnerabilities.

It is Automated not Targeted

An attacker doesn’t need to target you; your organization just needs to have low-hanging fruit. Attackers don’t need to search the Internet for vulnerabilities by hand; they can set up scripts to automate the process. Furthermore, there are online services that scan the Internet for publicly accessible applications. These services collect information about the exposed applications and make it publicly available to everyone. Attackers can then write scripts to pull this data, look for specific information about a new or old vulnerability, and kick off automated attacks. This is no different from a CI/CD pipeline.

CI/CD is Continuous Integration and Continuous Deployment. In this analogy, CI is the process of grabbing the data about the scanned servers and looking for the applications and versions the attacker is interested in. CD is the attack: the process of exploiting the vulnerability and dropping any payloads on the system. An attacker may not be looking for anything specific; they could instead map a database of vulnerabilities to a collection of exploit scripts.

Sometimes an attacker might not, or can’t, write automation for the attack. Instead, the attacker posts this data into a “to-do”-like application, looks through the list for targets that seem interesting, or shares the data with other attackers.
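The “CI” stage of that pipeline, run from the defender’s side as an added example (this is not code from the original post): match a constructed inventory of your own exposed services against a constructed list of vulnerable version ranges, so the low-hanging fruit is patched before someone else’s automation finds it. Hosts, version numbers and vulnerability identifiers are placeholders; real data would come from an external attack-surface scan and a vulnerability feed.

```python
# Constructed sample exposure data: what an Internet-wide scanner would report
# about your own hosts (placeholder addresses from the documentation range).
EXPOSED_SERVICES = [
    {"host": "203.0.113.10", "port": 443, "product": "webapp", "version": "2.3.1"},
    {"host": "203.0.113.11", "port": 8080, "product": "webapp", "version": "2.4.0"},
    {"host": "203.0.113.12", "port": 5432, "product": "dbserver", "version": "11.2"},
    {"host": "203.0.113.13", "port": 22, "product": "sshd", "version": "9.1p1"},
]

# Constructed vulnerability list: affected range is [min, max), i.e. "max" is
# the first fixed release. Identifiers are placeholders, not real advisories.
KNOWN_VULNS = [
    {"id": "VULN-EXAMPLE-1", "product": "webapp", "min": "2.0.0", "max": "2.4.0"},
    {"id": "VULN-EXAMPLE-2", "product": "dbserver", "min": "11.0", "max": "11.5"},
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1); only the leading digits of each part count,
    so '9.1p1' becomes (9, 1). Assumption: dotted numeric versions."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, lo, hi):
    """True when lo <= version < hi under tuple comparison."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def find_low_hanging_fruit(services, vulns):
    """Return (host, port, vuln_id, fixed_in) for every exposed service whose
    product and version fall inside a known-vulnerable range."""
    findings = []
    for svc in services:
        for vuln in vulns:
            if svc["product"] == vuln["product"] and in_range(
                svc["version"], vuln["min"], vuln["max"]
            ):
                findings.append((svc["host"], svc["port"], vuln["id"], vuln["max"]))
    return findings


if __name__ == "__main__":
    for host, port, vuln_id, fixed_in in find_low_hanging_fruit(EXPOSED_SERVICES, KNOWN_VULNS):
        print(f"{host}:{port} matches {vuln_id}; upgrade to {fixed_in} or later")
```

Run against a real exposure export, the output is the patch list an automated attacker would assemble first, which is exactly the order in which to fix it.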

You are not the Target, your Customer is

Another reason you could be a target is that you supply products or services to the true target. The target might be a bank; the attacker, however, might go after the organization that provides the bank’s vending machine services. This company’s products connect to the customer’s Ethernet or Wi-Fi network. The attacker could compromise the third-party organization, use it to install a back door, and pivot into the target’s network. This is a supply chain attack, and it is in no way new.

For example, HP was hacked back in 2014. Later, malware was found being used in attacks where it had been signed with HP’s certificate. This allowed attackers to target companies with software that was signed and looked legitimate.

Don’t be a victim just because you don’t think you’re a target. Everyone is a target; you just may be the means to an end.