Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 7

In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

CSC 7: Email and Web Browser Protections

The Control

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

The Attack

Phishing is the number one way that the bad guys can gain access to your network. Phishing is the lowest cost, least technical, and easiest way to breach an enterprise’s external perimeter defenses and gain access to user credentials on the network. Phishing and spam emails have become so commonplace, that we expect to receive some unsolicited email from time to time. When spear phishing is leveraged, and specific companies and targets are selected, attackers have found that it is often easy enough to convince some users to click a phishing email.

Below is an email that was drafted for a spear phishing campaign. In this campaign, I have created a fake acceptable use policy and crafted an email originating from a domain similar to the client’s name. For example, if the domain was example.com, we could try things like examp1e.com or example.org. The email below leverages a few social engineering tactics in order to lure victims to the site:

• Time sensitive (end of week)
• Consequences (access revoked)
• Spoofed name (examp1e.com)

Figure 1 - Example spear phishing message

Once users click the link to the acceptable use policy website, they are directed to a website with a similar design to that of the organization’s format. Often attackers will just clone and modify existing pages. In the example below, a custom form was created to encourage users to download the acceptable use policy.

Figure 2 - Cloned website with modifications for acceptable use policy downloads

Depending on the victim’s browser, things may look different. However, Internet Explorer users would be presented with an automatic popup asking them to open the file AcceptableUseDocument.hta. This file is actually an HTML application which is designed to execute PowerShell in order to receive a remote connection from the infected computer.

Figure 3 - Malware attempting to download

Once the victim clicks open on the malware, they are given a security warning about running untrusted files from websites. Typically people are jaded to these type of alerts and have become accustomed to just clicking through in order to get things to work.

Figure 4 - Security warning to only open trusted files

If the victim clicks accept, the remote connection is established and attackers have command line access to the infected machine along with the access to the user account who opened the malware.

Figure 5 - Remote connection established from the malware

The Solution

Unfortunately, the biggest weakness in any organization is the end user. It is critical that organizations do everything technically possible in order to minimize the amount of damage end users are exposed to. This means that the organization will need to implement a series of technical controls to harden end point workstations against the risk of phishing.

The first thing organizations should do is create a standard email and web browsing application suite. If the organization is going to use and support Internet Explorer and Outlook, ensure that the applications are running the latest supported version. Once the standard is defined, disable the use of all other browsers to ensure that only supported patched applications are being used.

Within the browser and endpoint, there are several hardening settings that can be enabled. Organizations can determine which scripting languages are required for business activities and disable the languages that are not being used. For example, if ActiveX is not required, it should be disabled.

Several server and network side mitigation controls exist as well, such as using a web proxy and performing URL filtering on specific categories of websites. If organizations are able to block uncategorized pages, for example, any fresh phishing site setup will not be accessible from the network. Email server hardening should also be performed in order to reduce the amount of spam and phishing messages that arrive in end users’ inboxes. 

If organizations institute a strong policy protecting endpoints as well as put mitigation controls in place on the network and email servers, the risk from email phishing is reduced, but it will never be eliminated. It is important to couple all of the technical controls instituted in this critical security control along with security awareness training in order to have the best defense against phishing.

The next post will cover CSC 8: Malware Defenses.