Three Threat Vectors to Watch for in H2 of 2024
Cyber attacks, like most phenomena, tend to follow what is available, popular, and trending. Implementing proper security controls for emerging weaknesses often requires significant planning, rearchitecturing, and investment.
This is where deception can provide great value. Watching for popular attack vectors and deploying deception-based tactics can yield great results for overall risk reduction.
In this blog post, we highlight a few critical threat vectors that security teams should be acutely watching for in the second quarter of the year, and make suggestions about deception-based detection controls for them.
Active Directory Certificate Services (ADCS)
Active Directory Certificate Services (ADCS) can be a highly valuable target when exploiting vulnerabilities in an Active Directory environment. ADCS can be exploited in multiple ways to acquire domain administrator privileges. The gold standard writeup on ADCS exploitation is SpectreOps’ Certified Pre-Owned document, which anyone looking to understand and secure ADCS should internalize. ADCS exploits are most often labeled using the ESC denotation.
Here are some common ADCS vulnerabilities and their exploitation techniques:
ESC1: This vulnerability allows an attacker to specify a Subject Alternative Name (SAN) in a certificate request, effectively impersonating another user. Tools like Certipy can be used to exploit this.
ESC3: This vulnerability enables an attacker to request a certificate on behalf of another user, leading to privilege escalation.
ESC8: This vulnerability involves manipulating certificate templates to allow unauthorized users to enroll for certificates, potentially leading to domain compromise.
NTLM Relay Attacks: These attacks can coerce a machine to authenticate to an attacker’s NTLM relay server, which can then relay the authentication to a domain controller, enabling the attacker to request a certificate for a privileged account.
ADCS Deception Opportunities
Deception opportunities involve setting up deceptive ADCS infrastructure. An attacker enumerating and trying to exploit these weaknesses can be easily trapped alongside legitimate ADCS infrastructure. This doesn’t need to be restricted to AD objects themselves; adjacent tactics like credential-based decoys can also supplement the AD detection strategy.
Infostealers
Infostealers are a class of malware designed to steal sensitive information from compromised systems, including login credentials, IP addresses, and machine-specific data. They are often used to gain unauthorized access to various resources and assets, and can be particularly pesky to detect as in the right circumstances it is a completely legitimate-looking access vector for adversaries into your infrastructure.
This is also what has lead to the recent Snowflake-related breaches. The stolen data is sent to an attacker-controlled server and often sold on the dark web to other threat actors.
Infostealer Deception Opportunities
Deception can offer great signal fidelity here, through implement honey credentials (for example, using the Defused Windows agent) to instantly detect access attempts to sensitive credential storages. Defused alerts also record metadata related to the interaction, for instance enabling defenders to quickly locate the malware in question.
Edge Vulnerabilities
No, we don’t mean Microsoft Edge!
In 2024, there has been a significant increase in the exploitation of vulnerabilities in edge devices and software, particularly in VPNs. Various types of hackers, including state-sponsored groups, have been exploiting zero-day vulnerabilities in multiple products, by vendors like Cisco, Progress, Atlassian, and Ivanti, to gain unauthorized access and carry out adversarial activities.
These attacks more often than not involve the exploitation of vulnerabilities, and presents a particularly problematic attack vector, as allowing public access to these resources can often be the backbone of business operations, such as in the case of VPNs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) runs a great resource to track the most important vulnerabilities, known as the Known Exploited Vulnerabilities (KEV) catalog.
Edge Vulnerabilities Deception Opportunities
Deception-based countermeasures can offer a lot of help here: for example, cloud decoys mimicking popular edge devices and software (potentially reflecting actual assets that you run in production) can actively pick up exploit attempts against these devices. For instance, deploying a similar number of VPN decoys to the actual amount you run can help detect suspicious activity when an attacker is doing reconnaissance against your edge infrastructure. Since much edge exploitation is bulk activity, rapid blocklisting via integration with firewalls could be an effective measure.
Many emergent problem areas can be difficult to secure in the instant term and often require architectural overhauls to fully address risk, however deception can provide instant relief in multiple areas with a non-intrusive and fast deployment.
Ready to try Defused?
With over 150 deception capabilities, Defused makes it easy for security teams to deploy high-fidelity detection in areas where coverage gaps may exist. For the above capabilities, please connect with us for a demo, or visit https://console.defusedcyber.com/signup/ to sign up for the Free plan.