In this Expert Insight, Dave Glover of Netwitness talks about an often overlooked element of cyber investigations: EoCs, or Enablers of Compromise, and why enterprises should be paying more attention to the EoCs in their environments.
Security analysts and threat hunters know the importance of IOCs – indicators of compromise – as the marker of nefarious activity in an enterprise infrastructure. IOCs are observable things such as atypical behaviors, uncommon activities, unique connections, or unrecognized files. These and other IOCs are breadcrumbs, clues that must be assembled and decoded in pursuit of stealthy attackers. IOCs are the “what” in the detection and investigation process.
EOCs - Enablers of Compromise
Just as important are EOCs – enablers of compromise – that constitute the “how” in the detection and investigative process. An EOC is any environmental condition that increases the possibility or magnitude of a cyber-attack. EOCs have both proactive and reactive value; finding an EOC before an adversary does allows you to harden or mitigate it, and an EOC mindset helps identify and understand an exploit more quickly and completely when it’s attempted.
Adversaries have always displayed a penchant for “working smarter, not harder,” looking for the attack vectors within corporate environments which are most easily exploited. To best protect employees, data, and reputations, organizations must uncover the areas within their environment that may unnecessarily put them at greater risk.
Examples of enablers of compromise include but are not limited to:
- Extensive use of legacy protocols such as Server Message Block 1.0 (SMBv1), older versions of SSL/TLS, or NTLMv1
- Weak password policy
- Presence of vulnerable unpatched internal and external facing systems
- Disabled network security devices (AV, IDS/IPS, Host and Network-based firewalls, etc.)
- Unmanaged, unmanageable, or rogue endpoint computing devices
- Important application and log sources that are misconfigured or not being captured
Once identified, EOCs can help cyber defenders pinpoint the weakest areas during threat hunting exercises. They can also help incident responders quickly recognize how attackers may attempt to access and move around their environments. For security operations teams, EOCs give a greater understanding of where they are most vulnerable and allow for a more informed strategy when mitigating associated risks.
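As an added example (not from the article), the sweep below applies the enabler categories listed above as rules over a constructed asset-inventory export and ranks which enablers are most widespread, which is the "weakest areas" view a hunting team wants; field names, thresholds and host records are all assumptions.

```python
"""EOC sweep over a constructed asset inventory (added example, not the
article's own tooling). Each rule maps to one enabler category above."""
from collections import Counter

# Constructed inventory export, one record per host. Field names are assumptions.
INVENTORY = [
    {"host": "fs01", "smb1": True, "min_tls": "1.0", "lm_compat": 1,
     "pw_min_len": 8, "days_unpatched": 140, "av_enabled": True,
     "managed": True, "logs_forwarded": ["security"]},
    {"host": "web02", "smb1": False, "min_tls": "1.2", "lm_compat": 5,
     "pw_min_len": 14, "days_unpatched": 12, "av_enabled": False,
     "managed": True, "logs_forwarded": ["security", "application"]},
    {"host": "lab-pc", "smb1": False, "min_tls": "1.1", "lm_compat": 3,
     "pw_min_len": 6, "days_unpatched": 400, "av_enabled": True,
     "managed": False, "logs_forwarded": []},
]

# (EOC label, predicate). Thresholds are illustrative assumptions, not policy.
RULES = [
    ("legacy protocol: SMBv1 enabled", lambda h: h["smb1"]),
    ("legacy protocol: TLS below 1.2", lambda h: float(h["min_tls"]) < 1.2),
    # LmCompatibilityLevel 0-2 still lets the host send LM/NTLMv1 responses
    ("legacy protocol: NTLMv1 permitted", lambda h: h["lm_compat"] < 3),
    ("weak password policy", lambda h: h["pw_min_len"] < 12),
    ("unpatched system", lambda h: h["days_unpatched"] > 30),
    ("security control disabled: AV", lambda h: not h["av_enabled"]),
    ("unmanaged endpoint", lambda h: not h["managed"]),
    ("security log not captured", lambda h: "security" not in h["logs_forwarded"]),
]

def find_eocs(host):
    """Return the EOC labels that apply to one inventory record."""
    return [label for label, check in RULES if check(host)]

def sweep(inventory):
    """Map each host to its EOCs and count how widespread each enabler is."""
    per_host = {h["host"]: find_eocs(h) for h in inventory}
    prevalence = Counter(e for eocs in per_host.values() for e in eocs)
    return per_host, prevalence

if __name__ == "__main__":
    hosts, prevalence = sweep(INVENTORY)
    # Hosts with the most enablers first: where an adversary has the easiest path
    for name, eocs in sorted(hosts.items(), key=lambda kv: -len(kv[1])):
        print(f"{name}: {len(eocs)} enabler(s) -> {eocs}")
    print("Most widespread enablers:", prevalence.most_common(3))
```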
EOCs for enterprise cybersecurity?
As discussed earlier, knowing your EOCs allows businesses to prepare for a wide range of attacks. But in practice, why is it important to identify and correct the environmental risks associated with these EOCs? Here’s a look at three recent examples where poor cybersecurity practices made companies easier targets for attackers:
- The Log4j vulnerability, CVE-2021-44228, was disclosed in December 2021. Although a patch was available shortly after its disclosure, multiple agencies and companies have disclosed that the Log4j vulnerability was exploited against public-facing VMware systems, software known to be vulnerable to Log4j attacks. Specifically, the Conti ransomware group has been seen scanning the internet for systems vulnerable to Log4j, potentially signaling a shift in tactics for the delivery of its ransomware.
- In August of this year, Atlassian disclosed a remote code execution vulnerability in its source code repository Bitbucket (tracked as CVE-2022-36804), affecting all versions released after 6.10.17. This Remote Code Execution (RCE) is exploitable by any attacker with access to a public repository or with ready access to a private repository. Like Log4j, there has long been a patch, yet there continue to be public scans to identify vulnerable repositories. Due to its easily exploitable nature, and with several PoCs publicly available, exploitation attempts have begun popping up on honeypot sensors across the Internet.
- In September of this year, Australian telecommunications company Optus reported that in August they were the victim of a massive data breach. The cyber-attack, which affected over two million current and former customers, included several pieces of Personally Identifiable Information (PII) such as phone numbers, email addresses, dates of birth, and in some instances, driver’s licenses and Medicare ID numbers. Optus has not stated the exact method of initial access, but early reports suggest repeated web requests to public API endpoints that did not require authentication.
The constantly evolving digital ecosystem is causing organizations, now more than ever, to take a different approach to bolstering their security postures. Through the lens of their EOCs, security teams have a better view of the areas of their environments that threat actors seek to infiltrate. They can then put in place the stronger security solutions and controls necessary to keep up with sophisticated threats.
Two important thoughts to remember when thinking about enablers of compromise: finding and mitigating them has the strong potential to prevent, or lessen the cost of, a future intrusion, but the hunt for EOCs should not be a one-time event. Your organization's environment is constantly changing. New and changing people, business processes, and technology can always introduce unexpected enablers, so you must make sure to hunt for and mitigate your EOCs regularly.