All posts by Jeff Petters

Kerberos Authentication Explained


According to myth, Kerberos (you might know him as Cerberus) guards the gates to the Underworld. He’s a big three-headed dog with a snake for a tail and a really bad temper.

In the modern world, MIT computer scientists borrowed the name and the image of Kerberos for their network authentication protocol. Kerberos uses symmetric-key cryptography and relies on a trusted third party, the Key Distribution Center (KDC), to verify user identities. Since every Kerberos authentication involves three parties (the client, the service, and the KDC) and the protocol has an excellent track record of making computing safer, the name really does fit.

What is Kerberos?

Kerberos is currently the default authentication protocol in Microsoft Windows domains, and implementations of Kerberos exist for macOS, FreeBSD, UNIX, and Linux.

Microsoft introduced its version of Kerberos in Windows 2000. It has also become a standard for Single Sign-On across platforms, including web applications. MIT maintains the reference implementation as an open-source project, supported by the MIT Kerberos Consortium.

Kerberos is a vast improvement on previous authentication technologies. Strong cryptography and ticket issuance by a trusted third party make it much harder for attackers to impersonate users on your network. It is not without flaws, and in order to defend against those flaws, you first need to understand them.

Kerberos has made the internet and its denizens more secure, and enables users to do more work on the Internet and in the office without compromising safety.

What is the difference between Kerberos and NTLM?

Before Kerberos, Microsoft relied on an authentication protocol called NTLM. NTLM stands for NT LAN Manager and is a challenge-response protocol: the server sends a random challenge, the client answers with a response computed from the user’s password hash, and the server (or, for domain accounts, the domain controller) checks that response against the hash it has stored. The stored hash is the secret, so anyone who obtains it can authenticate without ever knowing the password (pass-the-hash).

The biggest differences between the two are the trusted third party (in Kerberos the KDC issues tickets, instead of each server checking credentials itself) and the stronger cryptography Kerberos can use. Tickets are time-limited and bound to one service, which provides a significant additional layer of security over NTLM.

NTLM is simply older technology: captured hashes can be replayed or cracked offline, NTLMv1 in particular is broken, and you shouldn’t rely on NTLM to protect sensitive data.

How do you authenticate with Kerberos?

a simple Kerberos authentication diagram

Here are the most basic steps taken to authenticate in a Kerberized environment.

  1. The client requests an authentication ticket, the Ticket Granting Ticket (TGT), from the Key Distribution Center (KDC). With pre-authentication, the default in modern domains, the request carries a timestamp encrypted with a key derived from the user’s password.
  2. The KDC verifies the request and sends back a TGT plus a session key, the session key encrypted with the client’s own key.
  3. The TGT itself is encrypted with the Ticket Granting Service (TGS) secret key, which is the key of the krbtgt account, so the client can neither read nor alter it.
  4. The client caches the TGT; when it expires, the local security subsystem (LSASS on Windows) requests another one, transparently to the user.

If the Client is requesting access to a service or other resource on the network, this is the process:

  1. The client sends its current TGT to the TGS together with the Service Principal Name (SPN) of the resource it wants to access and an authenticator encrypted with the TGT session key.
  2. The KDC decrypts the TGT with the krbtgt key, checks the authenticator, and confirms that the user may be issued a ticket for that service.
  3. The TGS returns a service ticket, encrypted with the service account’s key, together with a new session key for the client.
  4. The client presents the service ticket and a fresh authenticator to the service. The service decrypts the ticket with its own key, checks the authenticator, and grants access. The service does not contact the KDC at this step.
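The three exchanges above, as an added illustration that is not code from the original article: a small Python model of a KDC, a client and a service, using a throwaway symmetric construction (a SHAKE-256 keystream plus an HMAC tag) in place of the real Kerberos enctypes. The realm, the user alice, her password and the SPN cifs/fileserver01 are all constructed. Read it for which key seals which message: the TGT can only be opened with the krbtgt key, the service ticket only with the service’s key, and Service.accept never calls the KDC. The last function shows the flip side of that design, which the Silver Ticket post further down this page relies on: anyone holding the service’s key can mint a ticket the service will accept.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (standard library only).
Added illustration, not code from the original article. The cipher is a throwaway
encrypt-then-MAC stand-in for the real enctypes, here only to show which key seals what."""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 600  # seconds a ticket or authenticator stays fresh (toy value; real defaults are hours)

def derive_key(password: str, principal: str) -> bytes:
    # Stand-in for string-to-key; the AES enctypes also use PBKDF2 with a realm/principal salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt a JSON message under key (SHAKE-256 keystream) and append an HMAC tag."""
    nonce = os.urandom(16)
    plain = json.dumps(msg, sort_keys=True).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, hashlib.shake_256(key + nonce).digest(len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt. Raises ValueError on a wrong key or an altered blob."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, hashlib.shake_256(key + nonce).digest(len(cipher)))))

def _ticket(key: bytes, client: str, session_key: bytes) -> bytes:
    """A ticket is just {client, session key, expiry} sealed under the *recipient's* long-term key."""
    return seal(key, {"client": client, "session_key": session_key.hex(), "expires": time.time() + LIFETIME})

class KDC:
    """Authentication Service and Ticket Granting Service sharing one key table."""
    def __init__(self, keys: dict):
        self.keys = keys  # principal -> long-term key (krbtgt, users, service accounts)

    def as_exchange(self, client: str, pa_enc_timestamp: bytes):
        # AS-REQ with pre-authentication: only a holder of the client's key can seal the timestamp.
        if abs(time.time() - unseal(self.keys[client], pa_enc_timestamp)["timestamp"]) > LIFETIME:
            raise ValueError("pre-auth timestamp outside the allowed clock skew")
        session_key = os.urandom(32)
        tgt = _ticket(self.keys["krbtgt"], client, session_key)  # opaque to the client
        return tgt, seal(self.keys[client], {"session_key": session_key.hex()})  # AS-REP

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        t = unseal(self.keys["krbtgt"], tgt)  # only the KDC can open a TGT
        if time.time() > t["expires"] or unseal(bytes.fromhex(t["session_key"]), authenticator)["client"] != t["client"]:
            raise ValueError("TGT expired or authenticator does not match it")
        svc_session = os.urandom(32)
        ticket = _ticket(self.keys[spn], t["client"], svc_session)  # sealed with the service's key
        return ticket, seal(bytes.fromhex(t["session_key"]), {"session_key": svc_session.hex()})  # TGS-REP

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, derive_key(password, name)

    def login(self, kdc: KDC):
        tgt, enc = kdc.as_exchange(self.name, seal(self.key, {"timestamp": time.time()}))
        self.tgt, self.tgt_key = tgt, bytes.fromhex(unseal(self.key, enc)["session_key"])

    def get_service_ticket(self, kdc: KDC, spn: str):
        authenticator = seal(self.tgt_key, {"client": self.name, "timestamp": time.time()})
        ticket, enc = kdc.tgs_exchange(self.tgt, authenticator, spn)
        return ticket, bytes.fromhex(unseal(self.tgt_key, enc)["session_key"])

    def ap_req(self, ticket: bytes, session_key: bytes):
        return ticket, seal(session_key, {"client": self.name, "timestamp": time.time()})

class Service:
    def __init__(self, spn: str, key: bytes):
        self.spn, self.key = spn, key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """AP-REQ check. Nothing here talks to the KDC: the seal under the service's own key is the proof."""
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if time.time() > t["expires"] or a["client"] != t["client"] or abs(time.time() - a["timestamp"]) > LIFETIME:
            raise ValueError("expired ticket, stale authenticator, or name mismatch")
        return t["client"]

def build_realm():
    """Constructed realm (hypothetical names): one user, one file server, plus the krbtgt key."""
    keys = {"krbtgt": os.urandom(32), "alice": derive_key("correct horse battery", "alice"),
            "cifs/fileserver01": os.urandom(32)}
    return KDC(keys), Service("cifs/fileserver01", keys["cifs/fileserver01"])

def authenticate(kdc: KDC, service: Service, user: str, password: str) -> str:
    """Full flow AS -> TGS -> AP; returns the principal name the service accepted."""
    c = Client(user, password)
    c.login(kdc)
    return service.accept(*c.ap_req(*c.get_service_ticket(kdc, service.spn)))

def forge_service_ticket(service_key: bytes, victim: str):
    """What holding the service key buys: a ticket the service accepts with no KDC involvement."""
    session = os.urandom(32)
    return _ticket(service_key, victim, session), seal(session, {"client": victim, "timestamp": time.time()})
```

Call build_realm() and then authenticate(kdc, fileserver, "alice", "correct horse battery") to walk the whole flow. A wrong password fails inside as_exchange, because the pre-authentication timestamp cannot be unsealed with the key the KDC holds; that is exactly the failure a password-guessing attempt produces at the AS step.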

Can Kerberos Be Hacked?

Yes. Because it is so widely deployed, attackers have developed several ways to abuse Kerberos. Most of these techniques rely on a vulnerability, a weak password, stolen credentials, or malware, sometimes all of them together. Some of the better-known methods include:

  • Pass-the-ticket: stealing a valid TGT or service ticket from a compromised machine’s memory and replaying it from somewhere else
  • Golden Ticket: a forged TGT encrypted with the krbtgt account’s key, carrying whatever privileges (typically domain admin) the attacker writes into it
  • Silver Ticket: a forged service ticket for one service on one host, made with that service account’s key
  • Credential stuffing / brute force: automated, continuous attempts to guess a password (pre-authentication failures show up as event 4771 on the domain controllers)
  • Encryption downgrade with Skeleton Key malware: malware that patches LSASS on a domain controller so that a master password works for any account; installing it requires domain admin access to the DC
  • DCShadow attack: an attacker who already has high privileges registers a rogue domain controller and pushes changes into Active Directory through normal replication

possible Kerberos hacks

Is Kerberos Obsolete?

Kerberos is far from obsolete and has proven itself a sound access-control protocol, despite the attacks above. Its primary advantage is that it can protect passwords and tickets with strong encryption: brute-forcing a random AES-256 key, as used by current Kerberos implementations, would take longer than this solar system has left to survive. The practical caveat is that the keys are derived from passwords, so a ticket encrypted under a weak service-account password can still be cracked offline (Kerberoasting); the strength of the cipher does not rescue a weak password. Suffice to say: Kerberos is going to be around for a while in one form or another.

What is going to replace Kerberos?

There are no real contenders to replace Kerberos in the pipeline. Most of the advancements in security are to protect your password or provide a different method of validating who you are to Kerberos. Kerberos is still the back-end technology. Kerberos excels at Single Sign-On (SSO), which makes it much more usable in a modern internet-based and connected workplace. With SSO you prove your identity once to Kerberos and receive a TGT; your client then uses that TGT to obtain service tickets for other machines and services, so you are not prompted again.

The weakest link in the Kerberos chain is the password. Passwords can be brute-force cracked or stolen by phishing attacks. For this reason, Multi-Factor Authentication (MFA) is becoming more popular to protect online identities. With MFA, you need the password and something else – a randomized token, mobile phone, email, thumbprint, retina scan, facial recognition, etc. – to prove that you are in fact who you are telling Kerberos you are.

How does Varonis monitor Kerberos?

Varonis monitors Active Directory domains for Kerberos attacks, privilege escalations, brute force attacks, and more. Our security analytics combines user events, security events, and perimeter telemetry – to detect and alert on potential attacks and security vulnerabilities.

Sample Varonis threat models that help detect Kerberos attacks include:

  • Potential pass-the-ticket attack: access to a resource was requested without proper authentication, bypassing the Kerberos protocol.
  • Failed privilege escalation detected via vulnerability in Kerberos: an attacker tried to elevate their privileges via Kerberos vulnerability.
  • Potential brute-force attack targeting a specific account: an unusual amount of authentication failures from a single IP address by a single user has occurred.
  • Security certificate activity by non-administrators: activity was detected on certificate files by a user who is not an administrator, potentially indicating an attacker trying to steal certificates or signing keys.
  • …and that’s just the beginning!

Discover how Varonis detects Kerberos attacks for real with a 1:1 demo today – and get in touch to learn out more about our threat models.

Kerberos Attack: Silver Ticket Edition


With a name like Silver Ticket, you might think it’s not as scary as its cousin the Golden Ticket – you’d be horribly mistaken. A Silver Ticket is just as nasty and invasive, and even stealthier.

Important technical note: Kerberos uses authentication tokens, or tickets, to verify identities of Active Directory entities. This includes users, service accounts, domain admins, and computers. All of those entities have a password in Active Directory (AD), even though you might not have actually created or changed it manually.

What is a Silver Ticket?

A Silver Ticket is a forged service authentication ticket.

An attacker creates a Silver Ticket by obtaining the password hash (or AES key) of a service account, often a computer account, and using it to encrypt a service ticket of their own making. Because a service validates a ticket with its own key and does not need to consult the domain controller, it accepts the forgery as genuine.

If you really want to deep dive into Kerberos authentication hacking, Sean Metcalf gave an excellent talk at BlackHat a few years ago. In the simplest terms, a Silver Ticket is a forged service ticket that lets the attacker authenticate to a particular service on a particular host as any user they choose, with whatever group memberships they write into it.

Silver Tickets are harder to detect than Golden Tickets because there is no communication between the service and the DC – and any logging is local to the targeted computer.

Normally a ticket carries a Privilege Attribute Certificate (PAC) listing the user’s groups, signed with both the service key and the KDC key. A service can ask a domain controller to verify the KDC signature, but services running as SYSTEM or holding SeTcbPrivilege skip that validation by default, and that is what lets a forged PAC pass. Most of the interesting services fall into this category: CIFS, the HOST service behind scheduled tasks, or the Print Spooler.

With a Silver Ticket in hand, hackers can use a pass-the-ticket technique to elevate either their access or use the service’s privileges to obtain further access. While more limited than Golden Tickets, with a little modern ingenuity, an attacker can still use a Silver Ticket to do some major infiltration.

How a Silver Ticket attack works

Silver Tickets bypass the Kerberos authentication to the DC.
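One way to act on the point that a forged ticket never touches the DC, as an added example rather than Varonis code: a Kerberos network logon on a host (event 4624, logon type 3, authentication package Kerberos) should have been preceded, within one service-ticket lifetime, by a 4769 service-ticket request for that user and that host’s account on some domain controller. The Python below runs that correlation over constructed sample events; the host, realm, users and addresses are hypothetical and the event fields are a simplified subset of the real log schema.

```python
"""Correlate Kerberos network logons on a host with service-ticket requests seen on the DCs.
Added example, not Varonis code. Fields are a simplified subset of the Windows Security log:
4769 (service ticket requested) is written on the DC, 4624 (logon) on the target host."""
from datetime import datetime, timedelta

SERVICE_TICKET_LIFETIME = timedelta(hours=10)  # default MaxServiceTicketAge; cached tickets are reused for this long

# Constructed sample events (hypothetical realm CORP.LOCAL, hypothetical host FILESERVER01).
DC_EVENTS = [
    {"id": 4769, "time": "2024-03-01T08:00:00", "user": "alice@CORP.LOCAL", "service": "FILESERVER01$", "client_ip": "10.0.0.15"},
    {"id": 4769, "time": "2024-03-01T08:01:00", "user": "bob@CORP.LOCAL", "service": "FILESERVER01$", "client_ip": "10.0.0.22"},
    {"id": 4769, "time": "2024-03-01T10:00:00", "user": "carol@CORP.LOCAL", "service": "SQL01$", "client_ip": "10.0.0.31"},
]
HOST_EVENTS = [  # FILESERVER01's own Security log
    {"id": 4624, "time": "2024-03-01T08:00:05", "logon_type": 3, "auth_package": "Kerberos", "user": "alice", "client_ip": "10.0.0.15"},
    {"id": 4624, "time": "2024-03-01T09:30:00", "logon_type": 3, "auth_package": "Kerberos", "user": "bob", "client_ip": "10.0.0.22"},  # cached ticket reused: normal
    {"id": 4624, "time": "2024-03-01T10:15:00", "logon_type": 3, "auth_package": "Kerberos", "user": "administrator", "client_ip": "10.0.0.99"},  # no 4769 anywhere
    {"id": 4624, "time": "2024-03-01T10:16:00", "logon_type": 3, "auth_package": "NTLM", "user": "svc_backup", "client_ip": "10.0.0.40"},  # NTLM: not this check's job
]

def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)

def kerberos_logons_without_ticket_request(host_account: str, realm: str, dc_events: list, host_events: list,
                                           lifetime: timedelta = SERVICE_TICKET_LIFETIME) -> list:
    """Return the host's 4624 Kerberos network logons for which no DC logged a 4769 for that user
    and this host's service account within one ticket lifetime beforehand."""
    requests = [e for e in dc_events if e["id"] == 4769 and e["service"].upper() == host_account.upper()]
    flagged = []
    for logon in host_events:
        if logon["id"] != 4624 or logon["logon_type"] != 3 or logon["auth_package"] != "Kerberos":
            continue
        upn, when = f'{logon["user"]}@{realm}'.lower(), _t(logon["time"])
        if not any(r["user"].lower() == upn and when - lifetime <= _t(r["time"]) <= when for r in requests):
            flagged.append(logon)
    return flagged

if __name__ == "__main__":
    for hit in kerberos_logons_without_ticket_request("FILESERVER01$", "CORP.LOCAL", DC_EVENTS, HOST_EVENTS):
        print(f'{hit["time"]} {hit["user"]} from {hit["client_ip"]}: Kerberos logon with no matching 4769')
```

Caveats a practitioner would add: pull 4769 events from every DC, since the client may have asked any of them; 4769 is only written if Kerberos service ticket auditing is enabled on the DCs; and because the window has to be as long as the ticket lifetime, a genuine ticket stolen from memory and replayed (pass-the-ticket) still matches a real 4769. Matching on the client address as well as the user name tightens the check.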

What Can Attackers Do With a Silver Ticket?

Let’s imagine that an attacker jacked your domain with a Golden Ticket. Despite best efforts to clean up after the attack, the attacker still has access to one computer, and they have PowerShell.

This is what can happen next:

  1. The attacker uses a couple of hacking tools to export the hash of a computer account password
  2. They crack the CIFS service account password to log into the CIFS service account
  3. With the CIFS service account, they steal the SYSVOL directory from C$
  4. They use the files in SYSVOL to access the HOST service account password hash
  5. They crack the HOST service account password
  6. Then they use the cracked service account to create a new scheduled task on the computer
  7. Which allows them to grab the hash of the KRBTGT account
  8. And then they create… Another Golden Ticket!

If you thought changing all the user passwords, all the service account passwords, and the KRBTGT password twice was enough to recover from the first Golden Ticket attack…now you get to do it all over again.

Another important technical note: This is a major oversimplification – if you want to play with this technique, you can do so on your own.

How to Defend Yourself from a Silver Ticket Attack

How to defend your network from a Silver Ticket attack.

  • Patch all servers and images for CVE-2014-6324 (MS14-068)
    • This is the PAC-validation vulnerability that lets a forged ticket claim domain admin privileges
  • Set all admin and service accounts to “Account is sensitive and cannot be delegated”
    • This prevents a compromised service from using Kerberos delegation to impersonate those accounts to other services or computers
  • Make sure that computer accounts are not members of administrator groups
  • Leave automatic computer account password rotation enabled (the default is every 30 days) and alert on computer accounts whose password is older than that

How Varonis Can Stop Silver Ticket Attacks

Varonis gathers and analyzes activity data from Active Directory, data storage, and the perimeter defenses and analyzes all of this data to detect abnormal behavior and track behavior patterns that could be cyberattacks.

Varonis security analytics discover many kinds of attacks and alert on abnormal activity throughout the kill chain – including lateral movement and privilege escalation, which are key activities in a Silver Ticket attack.

Attackers will use computer accounts to access services or computers to gather data files or scout for their next foothold.

Varonis Threat Model: Abnormal computer behavior: computer account attempted to access a personal device for the first time

How it works: A computer account is trying to access a personal device, which is certainly not expected behavior of any computer account
What it means: This means that an attacker is using a computer account to move around the network, probably looking for greater privileges to steal
Where it works: Directory Services

To create the Silver Ticket, the attacker will need to use one of the aforementioned hacking tools. Varonis maintains a database of known hacking tools – and can alert you when an attacker accesses one of them.

Varonis Threat Model: Penetration testing and hacking tools accessed

How it works: Someone accessed a tool used by hackers or pentesters on monitored data storage. Attackers may use file servers to create Silver Tickets, and if they use a file that is in our database Varonis will trigger an alert.
What it means: 99.9% of users have no reason to run mimikatz or kerberoast. If someone is using tools like that on your data storage, it’s a good indication that there’s an attack in progress.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS

Since the attackers are using Silver Tickets, they will be using service accounts to gather data. Varonis is able to automatically discover accounts and categorize all accounts as user, service, privileged, or executive. Varonis analyzes activity for each of these categories differently and compares current activity to past behaviors.

Varonis Threat Model: Abnormal service behavior: access to atypical files

How it works: Service accounts are expected to repeat the same activity over and over again, so when service accounts access different data this alert is triggered.
What it means: Someone is using this service account incorrectly, and it could be an attacker.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, One Drive, Dell FluidFS

Getting notice of a potential attacker inside your network is key to preventing data breaches and responding to the cyberattack before they can steal data: Varonis can help investigate anomalies, reduce security vulnerabilities, and prevent future attacks.

Get a free risk assessment to see where you may be vulnerable to security breaches, including a Silver Ticket or pass-the-hash attack – and sign up for a 1:1 demo to see how to detect abnormal behavior that indicates an attack-in-progress, and defend against cybersecurity threats.

What is DCOM (Distributed Component Object Model)?


DCOM is a programming construct that allows a computer to run programs over the network on a different computer as if the program were running locally. DCOM is an acronym for Distributed Component Object Model. It is a proprietary Microsoft technology that allows COM objects to communicate with each other over the network. (Network OLE was the earlier name for the same idea, if anyone remembers seeing that.)

An extension of COM, DCOM solves a few problems the COM model runs into once objects live on different machines:

Marshalling: when a call crosses a process or machine boundary, its arguments and return values have to be serialized into a wire format and rebuilt on the other side; that is marshalling. A proxy on the client side packages the call and sends it over RPC, and a stub on the server side unpacks it and invokes the real object. For example, if I wanted Zaphod’s last name, I would call LastName(Zaphod) on a local proxy; the proxy would marshal the argument, ship it to the object on the target server, and hand the unmarshalled answer, Beeblebrox, back to my code.

Distributed Garbage Collection: a server has to know when a remote client has finished with an object, or has simply vanished, so it can release the object instead of leaking memory. DCOM clients keep their remote references alive with periodic pings; when the pings stop, the server reclaims the objects that client was holding.

Using DCE/RPC as the underlying RPC mechanism: DCOM carries its calls over DCE/RPC (Microsoft’s MSRPC), extended into an object-oriented form known as ORPC. The D in DCOM stands for Distributed.

illustration dcom solves problems with com model

How Does DCOM Work?

In order for DCOM to work, the COM object needs to be configured correctly on both computers – in our experience they rarely were, and you had to uninstall and reinstall the objects several times to get them to work.

The Windows Registry contains the DCOM configuration data in 3 identifiers:

  • CLSID – The Class Identifier (CLSID) is a Globally Unique Identifier (GUID). Windows stores a CLSID for each installed class in a program. When you need to run a class, you need the correct CLSID so Windows knows where to go to find the program.
  • PROGID – The Programmatic Identifier (PROGID) is an optional identifier a programmer can substitute for the more complicated and strict CLSID. PROGIDs are usually easier to read and understand. A basic PROGID for our previous example could be Hitchiker.LastName. There are no restrictions on how many PROGIDs can have the same name, which causes issues on occasion.
  • APPID – The Application Identifier (APPID) identifies all of the classes that are part of the same executable and the permissions required to access it. DCOM cannot work if the APPID isn’t correct. You will probably get permissions errors trying to create the remote object, in my experience.

A basic DCOM transaction looks like this:

  1. The client computer asks the remote computer to create an object, identified by its CLSID or PROGID. If the client passed a PROGID, the remote computer looks up the corresponding CLSID.
  2. The remote machine finds the APPID associated with that CLSID and checks its launch and access permissions to verify that the client may create the object.
  3. The DCOM Server Process Launcher service (DcomLaunch) starts the server executable, or dllhost.exe is started as a surrogate host if the class lives in a DLL, and an instance of the requested class is created.
  4. Communication is established!
  5. The client can now call the methods of the class on the remote computer.

If the APPID isn’t configured correctly, or the client doesn’t have the correct permissions, or the CLSID is pointing to an old version of the exe or any other number of issues, you will likely get the dreaded “Can’t Create Object” message.
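The lookup chain above, as an added example that is not from the original article: a Python resolver that walks PROGID to CLSID to APPID over a constructed .reg export and reports what the APPID says about identity and permissions. Every GUID, ProgID and path in the sample is hypothetical, and the LaunchPermission value is a stand-in rather than a real security descriptor; on a live system you would export the same keys from HKEY_CLASSES_ROOT with reg export and feed that file in.

```python
"""Resolve a DCOM class the way activation does, PROGID -> CLSID -> APPID, and report what the
APPID says about identity and permissions. Added example, not from the original article.
The .reg text is constructed: every GUID, ProgID and path is hypothetical."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Hitchhiker.LastName]
@="Hitchhiker LastName Class"

[HKEY_CLASSES_ROOT\Hitchhiker.LastName\CLSID]
@="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Hitchhiker LastName Class"
"AppID"="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32]
@="C:\\Program Files\\Hitchhiker\\guide.exe"

[HKEY_CLASSES_ROOT\AppID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
@="Hitchhiker Guide Server"
"RunAs"="Interactive User"
"LaunchPermission"=hex:01,00,04,80

[HKEY_CLASSES_ROOT\Hitchhiker.Towel]
@="Hitchhiker Towel Class"

[HKEY_CLASSES_ROOT\Hitchhiker.Towel\CLSID]
@="{99999999-8888-7777-6666-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32]
@="C:\\Program Files\\Hitchhiker\\towel.dll"
'''  # the hex value is a stand-in, not a real security descriptor

ROOT = "HKEY_CLASSES_ROOT"

def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: data}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"[^"]*")=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1).strip('"'), m.group(2)
        if data.startswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith("hex"):
            keys[current][name] = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
    return keys

def resolve(keys: dict, progid: str) -> dict:
    """Walk PROGID -> CLSID -> APPID as the activation path does."""
    clsid = keys.get(f"{ROOT}\\{progid}\\CLSID", {}).get("@")
    if clsid is None:
        raise LookupError(f"{progid}: no CLSID subkey, the class is not registered")
    cls_key = f"{ROOT}\\CLSID\\{clsid}"
    appid = keys.get(cls_key, {}).get("AppID")
    app = keys.get(f"{ROOT}\\AppID\\{appid}", {}) if appid else {}
    exe = keys.get(f"{cls_key}\\LocalServer32", {}).get("@")
    dll = keys.get(f"{cls_key}\\InprocServer32", {}).get("@")
    return {
        "progid": progid, "clsid": clsid, "appid": appid,
        "server": exe or dll, "in_process": exe is None and dll is not None,
        "run_as": app.get("RunAs", "The launching user"),  # DCOM's identity when RunAs is absent
        "launch_acl": "LaunchPermission" in app,           # absent: machine-wide limits apply
        "access_acl": "AccessPermission" in app,
        "dll_surrogate": "DllSurrogate" in app,
    }

def findings(info: dict) -> list:
    """The points a reviewer of a DCOM-exposed class would want flagged."""
    out = []
    if info["appid"] is None:
        out.append("no AppID: no per-application RunAs or permissions, machine-wide defaults apply")
    if info["in_process"] and not info["dll_surrogate"]:
        out.append("DLL server without DllSurrogate: cannot be hosted in dllhost.exe for remote callers")
    if info["run_as"] == "Interactive User":
        out.append("RunAs=Interactive User: the server runs inside whichever user's session is logged on")
    if info["appid"] and not info["launch_acl"]:
        out.append("no LaunchPermission on the AppID: machine-wide launch/activation limits apply")
    return out

if __name__ == "__main__":
    registry = parse_reg(SAMPLE_REG)
    for progid in ("Hitchhiker.LastName", "Hitchhiker.Towel"):
        info = resolve(registry, progid)
        print(progid, "->", info["clsid"], "->", info["appid"], "|", info["server"])
        for f in findings(info):
            print("  !", f)
```

The checks in findings are the ones that matter for the lateral-movement concern raised later on this page: an APPID whose RunAs is “Interactive User” means the server runs inside whichever user’s session happens to be logged on, and an APPID without its own LaunchPermission inherits the machine-wide limits configured in dcomcnfg.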

DCOM vs. CORBA

Common Object Request Broker Architecture (CORBA) is a vendor-neutral standard from the Object Management Group that does essentially the same job as DCOM. Unlike DCOM, CORBA is not tied to one operating system or language: ORB implementations exist for C++, Java and others, on UNIX, Linux, Solaris, macOS and Windows.

Neither proved secure or scalable enough to become a standard for high volume web traffic. DCOM and CORBA didn’t play well with firewalls, so HTTP became the default standard protocol for the internet.

what is corba illustration

Why is DCOM necessary?

DCOM didn’t win the battle to become the standard protocol for the internet, but it remains integrated into the Windows OS and is how many Windows services communicate – like Microsoft Management Console (MMC).

Since DCOM can run programs on other computers, hackers can leverage it for lateral movement attacks through your network, gaining access to more data. This activity can be difficult to detect because it’s not malware or hacker tools: all it takes to access DCOM is PowerShell.

The good news: even if the hacker can access your sensitive data using DCOM, Varonis will help detect (and stop them) as they try to access your data. Varonis monitors the activity on your core data stores, and analyzes that activity for abnormal user behavior and suspicious activity. See how Varonis fits into your data security strategy with a customized 1:1 demo.

Endpoint Detection and Response (EDR): Everything You Need to Know


Endpoints are a favorite target of attackers – they’re everywhere, prone to security vulnerabilities, and difficult to defend. 2017’s WannaCry attack, for example, is reported to have affected more than 230,000 endpoints across the globe.

What is Endpoint Detection and Response (EDR)?

Endpoint detection and response (EDR) platforms are solutions that monitor endpoints (computers on the network, not the network itself) for suspicious activity. Coined by Gartner analyst Anton Chuvakin in 2013, EDR solutions focus on end-user devices – laptops, desktops, and mobile devices.

EDR solutions provide visibility and monitoring for suspicious activity like malware and cyberattacks on those end-user devices.

Why is EDR Important?

Every device that connects to a network is a potential attack vector for cyberthreats, and each of those connections is a potential entry point to your data. With the rise of BYOD (bring your own devices), mobile attacks and sophisticated hacking techniques have only increased your risk of data breaches.

EDR solutions help protect those points of entry into your network by monitoring your endpoints for many modern threats that anti-virus software is unable to detect.

EDR solutions can help monitor and protect against Advanced Persistent Threats (APT), which often use malware-free hacking techniques and security vulnerabilities to gain access to a network. Older anti-virus software is able to detect malware only when there is a matching signature, and is unable to determine that an attacker has access to a computer just by monitoring their activity.

Endpoint security is not just an enterprise tool: there are consumer versions of EDR out there these days as well. A few differences in how endpoint security differs for consumers and enterprises include:

  • Remote management and central storage:
    • Enterprises typically provide remote management options so security administrators can configure the appropriate settings. Each endpoint sends audit data to a central repository for audit and analysis.
    • Consumers don’t need the same centralized administration.
  • Auto-updates vs. distributed patches:
    • Enterprises need to adhere to change management processes, which requires the enterprise to distribute patches during those windows.
    • Consumers usually allow the EDR to auto-update per the vendor’s release schedule.

edr solutions map

9 Elements of EDR Solutions

Endpoint detection and response solutions can have a range of features – but there are a set of core elements that are essential to EDR:

  1. Console Alerting and Reporting: A role-based console that provides visibility into the organization’s endpoint security status
  2. EDR Advanced Response: Advanced analysis and response capabilities of EDR solutions, including automation and detailed forensics about security incidents
  3. EDR Core Functionality: The capability to detect and report on security threats and vulnerabilities on the endpoint
  4. EPP Suite: Basic functionality that was available in the previous generation of endpoint security software including anti-malware, anti-phishing, and anti-exploit capabilities
  5. Geographic Support: An EDR vendor’s capability to support a global enterprise – because information security is mission critical
  6. Managed Services: The EDR’s ability to feed data to a Managed Security Service or Managed Detection and Response vendor to further augment the security team’s capabilities
  7. OS Support: In order to be effective, an EDR needs to support all of the operating systems in use by your organization,
  8. Prevention: It’s not enough to simply detect a threat – effective EDRs need to provide preventative measures as well, to help mitigate and enable teams to take action.
  9. Third-Party Integration: A comprehensive data security strategy often requires integrating with multiple products: EDRs should have APIs or built-in integrations with other solutions to complement and deliver on a layered security approach.

Endpoint Security vs. Anti-Virus Software

As noted in the list above, anti-malware is still a key component of EDR solutions. Older generations of anti-virus software detect threats by a signature, needed in advance in order to be able to detect the malware. The next generation of EDR solutions includes predictive analysis and advanced threat detection to better protect users.

Features commonly bundled into endpoint security suites, beyond what a traditional signature-only AV engine offers, include:

  • Malware removal based on matching signatures and analytics
  • Antispyware protection
  • Local firewall
  • Intrusion detection and intrusion prevention warning systems
  • Application control and user management
  • Data control, including portable devices
  • Full Disk Encryption
  • Data Leak Prevention
  • Application Whitelisting

While an EDR solution protects the endpoints on your network, they’re limited in what type of activity they can monitor and limited in what type of malware or cyberattacks they can detect. Varonis is designed to protect enterprise data from zero-day attacks beyond the endpoint – putting perimeter telemetry in context with file activity and user behavior from your core data stores.

Some behaviors that might look normal on an endpoint – a user logging in with a valid user and password, for example – wouldn’t necessarily raise a red flag with an EDR alone. However, that login event might be suspicious if it logs in from multiple locations within a short time. Varonis DatAlert and Edge analyze file activity, user events, and perimeter telemetry to identify abnormal behavior with added context: so that even seemingly harmless activity is considered in context to get the bigger picture.

See how EDR and Varonis can work together – click here for a 1:1 demo and see how a layered security strategy works in your environment.

NIST 800-171: Definition and Tips for Compliance


Do you or does a company you work with deal with the Federal Government? The National Institute of Standards and Technology (NIST) has some important information regarding your important information.

NIST 800-171, interchangeably referred to as NIST SP 800-171, became a hard requirement for DoD contractors on December 31, 2017, the DFARS compliance deadline: even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines.

What is NIST 800-171?

NIST itself is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal agencies on many topics – including cybersecurity. NIST 800-171, a companion document to NIST 800-53, dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI) – it’s designed specifically for non-federal information systems and organizations.

NIST SP 800-171 traces back to Executive Order 13556, signed by President Obama in 2010, which directed all Federal agencies to safeguard their CUI and established a unified policy for all agencies to follow for data sharing and transparency.

After a series of data breaches at Federal agencies (USPS, NOAA, and OPM), NIST and the Federal government sharpened their focus on cybersecurity: in 2014 Congress passed the Federal Information Security Modernization Act (the update to the original FISMA of 2002), NIST kept revising NIST 800-53, and NIST 800-171 followed in 2015.

what is nist 800 171

What’s the Purpose of NIST 800-171?

NIST 800-171 standardizes how federal agencies define CUI: information that is sensitive and must be protected under law, regulation or government-wide policy, but is not classified. We aren’t talking about the list of black-ops teams operating in enemy territory (different laws govern national security material) but data such as the financial and health records covered by SOX or HIPAA, for example. Each agency is responsible for telling the National Archives and Records Administration, the executive agent for EO 13556, which of its data categories count as CUI.

NIST SP 800-171 controls apply to federal government contractors and sub-contractors. If you or a company you work with has a contract with a federal agency, you must comply with this policy. Federal agencies may include specific requirements in their contracts; however, the absence of such clauses in your contract does not stop NIST 800-171 from applying to your agreements.

Here are a few agencies or organizations that need to comply with NIST 800-171.

  • Contractors for Department of Defense (DoD)
  • Contractors for General Services Administration (GSA)
  • Contractors for National Aeronautics and Space Administration (NASA)
  • Universities and research institutions supported by federal grants
  • Consulting companies with federal contracts
  • Service providers for federal agencies
  • Manufacturing companies supplying goods to federal agencies

Like NIST 800-53, NIST 800-171 provides a list of controls that explain the compliance requirements.

  1. Access Control (Who has access and are they supposed to?)
  2. Awareness and Training (Did you train your staff about CUI?)
  3. Audit and Accountability (Do you know who is accessing CUI?)
  4. Configuration Management (Are you following the RMF guidelines to maintain secure configurations and manage change?)
  5. Identification and Authentication (Are you managing and auditing access to CUI?)
  6. Incident Response (What happens when there is a data breach?)
  7. Maintenance (See #4)
  8. Media Protection (How are backups, external drives, and retired equipment handled?)
  9. Physical Protection (Who can access the place where your CUI lives?)
  10. Personnel Security (Is your staff trained to identify insider threats?)
  11. Risk Assessment (Have you done a risk assessment? Do you have scheduled pentesting exercises?)
  12. Security Assessment (How do you verify the security procedures are in place?)
  13. System and Communications Protection (Are your communications channels secure?)
  14. System and Information Integrity (Is the process to address new vulnerabilities or system down situations defined?)

Benefits of NIST 800-171

Some of the benefits of implementing the NIST 800-171 controls include:

Varonis helps maintain compliance with NIST 800-171: the Data Classification Engine is the first step to identify and classify your CUI across your core data stores (including email). DatAdvantage helps map folders and permissions, with full reporting and auditing on who can (and who should access that data), while DataPrivilege enables data owners to manage and audit access to their data. Automation Engine streamlines the process to remove Global Access Groups, and Data Transport Engine can quarantine, migrate, or delete unsecured CUI.

NIST 800-171 Compliance Best Practices

Not only is it important to be compliant, but you need to be able to demonstrate compliance to avoid having contracts revoked or fines levied. Follow these steps to get started:

nist 800 171 compliance best practices

  1. Define what CUI you have to manage. You might have guidance from the agency you work with, but you might also have to figure out what applies to you on your own. Even if you have no guidance, you should identify and classify all possible PII so you can secure and protect sensitive data from data breaches. Examples of CUI: Social Security numbers, bank routing numbers or account numbers, credit card numbers, permanent resident status.
  2. Map your folders and permissions and implement a least privilege model for your data. NIST requires that you manage who can access CUI: implement a least privilege model to get there, and make sure you can report on who can – and who does – access CUI data.
  3. Audit and alert on changes made to your CUI. N
  4. Get in touch with our Federal Team to see how Varonis maps to NIST in your environment – and how Varonis helps you get to (and maintain) NIST compliance.

What is a Whaling Attack?


A whaling attack is essentially a spear-phishing attack but the targets are bigger – hence whale phishing. Where spear-phishing attacks may target any individual, whaling attacks are more specific in what type of person they target: focusing on one specific high level executive or influencer vs a broader group of potential victims.

Cybercriminals use whaling attacks to impersonate senior management in an organization, such as the CEO, CFO, or other executives, hoping to leverage their authority to gain access to sensitive data or money. They use the intelligence they find on the internet (and often social media) to trick employees – or another whale – into replying with financial or personal data.

These attackers want to use the authority and influence of the whale to convince people not to look at or question the fraudulent request. When employees don’t look too hard at the email address or websites and just follow directions, cybercriminals can make out like bandits.

Whaling Attack Statistics

The FBI reported that companies lost nearly $215 million in 2014 as a result of phishing attacks. In 2016, the Verizon DBIR reported 61 phishing attacks targeting finance teams. That number rose to 170 in 2017, an increase of roughly 180%.

How do Whaling Attacks Work and Why Are They Successful?

Whaling attacks demand more research and planning than standard phishing and spear-phishing attacks. To impersonate a high-value target, attackers need to learn how that person writes, find a plausible way to approach the victim, and decide what information or action they can extract.

Cybercriminals look at social media and public company information to establish a profile and plan of attack. They can also use malware and rootkits to infiltrate the network: an email that comes from the CEO’s account is much more effective than a spoofed email account. And when these emails include details to make the attacks seem like they’re coming from trusted entities? Even better.

Emails are by far the most effective phishing (including whaling) method: 98% of all phishing attacks use email. In the past, phishing emails focused on including links or attachments with malware; more recently, successful whaling attacks have made a single request that seems plausible to the target.

Whaling Attack Examples

In 2016, an employee at Snapchat disclosed all of the company’s payroll data to a scammer – the employee had responded to an email that looked to be from the CEO and responded promptly. HR and payroll teams are frequent targets of whaling attacks because they have access to sensitive personal data.

In another whaling attack, an employee at a commodities firm wired $17.2 million in several installments to a bank in China, as requested by what looked to be emails from the CEO. The company was planning to expand their business into China at the time, so the request seemed plausible enough.

In both of those incidents, the victim failed to identify the whaling attack or ask questions to validate the request. It’s critical to train executives and staff to be vigilant and on alert for any phishing scams.

Tips for Avoiding a Whaling Attack

The defenses against a whaling attack are the same as against a standard phishing attack. What changes is the value of the target, and therefore how much verification a request from that target deserves.

  • Educate employees about whaling attacks and how to identify phishing emails.
    • Train employees and executives to think with a security mindset and ask questions.
    • Check the Reply-To address as well as the From address (not just the display name) and validate that it is legitimate.
    • Call to confirm unusual or urgent requests, using a number you already have rather than one in the email.
  • Flag all emails that come from outside of the organization; an "executive" writing from an external address stands out immediately.
  • Discuss use of social media with the executive team as it relates to whale phishing.
    • Social media is a goldmine of information cybercriminals can use in their whale phishing scams.
    • Security experts recommend that members of the executive teams enable privacy restrictions on their personal social media accounts to reduce exposure of information that can be used in a social engineering scam.
  • Establish a multi-step verification process for internal and external requests for sensitive data or wire transfers.
  • Exercise data protection and data security policies: monitor file and email activity to track and alert on suspicious behavior, and implement layered security to protect your company against whaling and every other kind of phishing.
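The header checks in the list above can be automated at the mail gateway. The script below is an added example, not Varonis code or anything from the original post: it parses a message and flags a display name that matches an executive but comes from a foreign address, a Reply-To that differs from From, a lookalike sender domain, a missing external tag, and urgency language. The company domain, the executive directory, the "[EXTERNAL]" subject tag and both sample messages are constructed for the example.

```python
"""Added example: gateway-style header checks for executive impersonation."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumption: the company's mail domain
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}    # constructed: display name -> real mailbox
EXTERNAL_TAG = "[EXTERNAL]"                          # assumption: tag the gateway prepends
URGENCY_WORDS = ("urgent", "wire", "immediately", "confidential", "gift card")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def lookalike(domain: str, real: str) -> bool:
    """exampie.com, example.com.evil.net, example-com.net all resemble example.com."""
    if domain == real:
        return False
    return (domain.startswith(real + ".") or domain.startswith(real + "-")
            or edit_distance(domain, real) <= 2)


def analyze(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    external = not is_internal(from_domain)

    # 1. Display name borrowed from an executive, but not their mailbox.
    real_mailbox = EXECUTIVES.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        findings.append(f"display name '{from_name}' matches an executive but address is {from_addr}")
    # 2. Replies would go somewhere other than the apparent sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 3. Sender domain is a near miss of the company domain.
    if external and lookalike(from_domain, INTERNAL_DOMAIN):
        findings.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")
    # 4. External mail that slipped past the gateway tag.
    if external and not subject.startswith(EXTERNAL_TAG):
        findings.append(f"external sender without {EXTERNAL_TAG} subject tag")
    # 5. Pressure language, only reported when something else already looks wrong.
    body = msg.get_body(preferencelist=("plain",))
    text = (subject + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits and findings:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_WHALE = (
    "From: Jane CEO <jane.ceo@exampie.com>\n"
    "Reply-To: jane.ceo.office@mail-relay.net\n"
    "To: finance@example.com\n"
    "Subject: Urgent wire needed today\n"
    "\n"
    "Please wire $48,000 to the vendor below immediately. I am in meetings, do not call.\n"
)
SAMPLE_LEGIT = (
    "From: Jane CEO <jane.ceo@example.com>\n"
    "To: finance@example.com\n"
    "Subject: Board deck\n"
    "\n"
    "Attached is the deck for Thursday.\n"
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_WHALE):
        print("WHALE:", f)
    print("LEGIT:", analyze(SAMPLE_LEGIT))
```

The urgency check is deliberately only reported alongside another finding; on its own, "urgent" in a subject line is too common to act on, while combined with a Reply-To mismatch it is exactly the pattern described above.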

Want to learn more? Find out how Varonis can help you prevent and defend against whaling attacks – and protect your data and your money from being stolen.

Kerberos Attack: How to Stop Golden Tickets?

The Golden Ticket attack, demonstrated by security researcher Benjamin Delpy, the author of mimikatz, gives an attacker total and complete access to your entire domain. It's a Golden Ticket (just like in Willy Wonka) to ALL of your computers, files, folders, and most importantly Domain Controllers (DCs).

There are instances where an attacker may have held a Golden Ticket for several years; there's no telling what they were able to steal. They got in through a single user's PC, ran mimikatz, and the rest is history.

How Does a Golden Ticket Attack Work?

In Active Directory, accounts sign in with a username and password (and perhaps another factor), and get back a Kerberos ticket-granting ticket (TGT) that represents their authenticated identity for the rest of the session.

A Golden Ticket is a forged TGT. Every legitimate TGT is encrypted with the key of the KRBTGT account, a special built-in account whose only job is to protect the tickets the domain controllers issue. Anyone who holds the KRBTGT key can mint a TGT for any user, with any group memberships and any lifetime, and the DCs will accept it because it is encrypted with the right key. The attacker injects the forged ticket into a session (pass-the-ticket) and moves around the network as that user, unnoticed. How much sensitive data do you have on the network that is "locked down?" Is it locked down to a user with Domain Admin credentials?

In order to create and use a Golden Ticket, an attacker needs to find a way into the network:

  1. Infect the target computer with malware that allows attackers to leverage user accounts to access other network resources (often via a phishing email or some other vulnerability)
  2. Get access to an account with elevated privileges with access to the Domain Controllers (DC)
  3. Log into the DC (or use replication rights to pull it remotely) and dump the KRBTGT account's password hash or AES key with mimikatz or a similar tool; that key is all that is needed to forge the ticket
  4. Forge the ticket and load it into any session, as any user, again using mimikatz, and access anything on the network

The Golden Ticket attack is really clever – but not trivial to execute.

The most insidious part of this attack is that a forged ticket survives the usual clean-up. Changing the KRBTGT password once does not help, because the KDC keeps the previous key as well and still accepts tickets encrypted with it. Rebuilding a DC does not help either, because the KRBTGT key is replicated to every DC. Only resetting KRBTGT twice, with time for replication in between, invalidates the forged ticket.

It’s incredibly difficult to clean up after a Golden Ticket is created for your domain.

How to Defend Yourself from a Golden Ticket Attack

The good news: protecting yourself from a Golden Ticket attack is not all that different from protecting yourself from any other malware or infiltration attack. Ultimately, an attacker needs privileged access to create the Golden Ticket in the first place, so the more difficult it is for them to steal credentials, the better you're protected.

  • Train users to recognize bad links (and not to click on them)
  • Enforce a least privilege model
    • Limit user access to only what they need
    • Limit Admin and Domain Administrator access
    • Use Admin accounts sparingly and only for approved changes
  • Install endpoint protection to block attackers from loading modules like mimikatz
  • Create a choke point for access to your DCs, adding another layer of protection
    • Create a Terminal Server that can only talk to the DCs
    • Configure the DCs to only accept administrative connections from that Terminal Server
  • Monitor file activity and user behavior
  • Alert on known behavior that indicates Golden Ticket attacks

How Varonis Can Help You Discover and Stop Golden Ticket Attacks

Varonis leverages security analytics to discover and alert on security vulnerabilities and potential attacks. Our threat models are engineered from the ground up to detect activity and potential attacks throughout the kill chain.

The first thing the attacker needs to do is compromise a user's PC with malware that gives them remote control over it through a command-and-control channel (a RAT). Varonis analyzes perimeter telemetry and correlates that data with the data we collect from Directory Services. In this case, we'll recognize the attempt to log in with a user's credentials from a previously unknown IP address in a foreign location. A security team has plenty of time to remove the RAT from the user's computer and change the user's password long before the attacker has time to get a foothold in your organization.

Threat Model: Abnormal behavior: activity from new geolocation to the organization
How it works: Any activity that originates outside of known geolocations will trigger this threat model.
What it means: Someone attempted to reach into the network through the VPN from a new geolocation.
Where it works: VPN

If they’re already in the network, one option to take over a privileged account is with a brute force attack, which Varonis can detect with this threat model:

Threat Model: Abnormal admin behavior: accumulative increase in lockouts for individual admin accounts
How it works: DatAlert detects statistically significant increases in lock-out events over time – and can identify an unusual amount of lock-out events on an admin account compared to their typical behavior.
What it means: Someone is trying to log into the account and failing repeatedly. This could be a misconfigured password for a valid user, or it could be an attempt by an outsider to brute force or guess the password. The account is probably the target of a gradual brute-force attack aimed at stealing admin credentials or denying access.
Where it works: Directory Services

If an attacker tries to use mimikatz to start working on their Golden Ticket, Varonis sends this alert during the attempt – before it’s too late:

Threat Model: Exploitation software created or modified
How it works: Varonis detects a file create or file modify operation for a file that matches a list of known hacker tools (e.g., mimikatz).
What it means: An attacker has infiltrated the network and they are trying to establish further capability to move around undetected and steal data.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, One Drive, Dell FluidFS, Nasuni

If an attacker is already in the system and has successfully created a Golden Ticket, you’ll be able to spot them when they use that Golden Ticket to log into an account with their full domain access privileges:

Threat Model: Potential pass-the-ticket attack
How it works: Varonis detected that a user account obtained service tickets, or accessed a resource, without any domain controller having issued it a TGT, meaning the ticket did not come from the KDC, possibly a successful Golden Ticket attack.
What it means: An attacker succeeded in a pass-the-ticket attack, possibly with a Golden Ticket, and is logging in with that ticket right now.
Where it works: Directory Services
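The detection logic behind that threat model can be reproduced in outline from the Kerberos events the DCs already log. The script below is an added example, not Varonis' threat model or mimikatz output: event 4768 records a TGT being issued, event 4769 records a service ticket being requested with a TGT, so a 4769 for an account with no 4768 on any DC within the TGT lifetime is a ticket the KDC never issued. It also flags service tickets negotiated with RC4 (encryption type 0x17) in a domain whose accounts use AES, a common tell of a forged ticket. The events, the 10-hour lifetime and the expected encryption types are constructed assumptions; TGT renewals (event 4770) and DCs whose logs you did not collect will produce false positives, so feed it every DC.

```python
"""Added example: correlate 4768/4769 events to find tickets the KDC never issued."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TGT_MAX_LIFE = timedelta(hours=10)   # assumption: default domain policy, MaxTicketAge = 10 h
EXPECTED_ETYPES = {0x11, 0x12}       # AES128/AES256; RC4 (0x17) should not appear here


@dataclass
class KerbEvent:
    time: datetime
    event_id: int        # 4768 = TGT requested, 4769 = service ticket requested
    account: str
    client_ip: str
    etype: int           # ticket encryption type as logged by the DC
    dc: str              # which domain controller logged it


# Constructed sample: alice logs in normally on DC1 and later uses her TGT against
# DC2; svc_backup presents tickets on two DCs, yet no DC ever issued it a TGT.
EVENTS = [
    KerbEvent(datetime(2018, 6, 1, 8, 0), 4768, "alice", "10.0.0.5", 0x12, "DC1"),
    KerbEvent(datetime(2018, 6, 1, 8, 1), 4769, "alice", "10.0.0.5", 0x12, "DC1"),
    KerbEvent(datetime(2018, 6, 1, 9, 30), 4769, "alice", "10.0.0.5", 0x12, "DC2"),
    KerbEvent(datetime(2018, 6, 1, 22, 15), 4769, "svc_backup", "10.0.0.77", 0x17, "DC2"),
    KerbEvent(datetime(2018, 6, 1, 22, 16), 4769, "svc_backup", "10.0.0.77", 0x17, "DC1"),
]


def detect(events):
    """Return (account, reason) pairs, at most one per account and reason."""
    # Index every TGT issuance across all DCs; a TGT from DC1 is valid on DC2.
    tgt_times = defaultdict(list)
    for e in events:
        if e.event_id == 4768:
            tgt_times[e.account].append(e.time)

    findings, reported = [], set()
    for e in sorted(events, key=lambda x: x.time):
        if e.event_id != 4769:
            continue
        # Was any TGT issued to this account within the maximum ticket lifetime?
        issued = [t for t in tgt_times[e.account] if e.time - TGT_MAX_LIFE <= t <= e.time]
        if not issued and (e.account, "no_tgt") not in reported:
            reported.add((e.account, "no_tgt"))
            findings.append((e.account,
                             f"service ticket at {e.time:%H:%M} on {e.dc} from {e.client_ip} "
                             f"with no TGT issued by any DC in the preceding {TGT_MAX_LIFE}"))
        if e.etype not in EXPECTED_ETYPES and (e.account, "etype") not in reported:
            reported.add((e.account, "etype"))
            findings.append((e.account,
                             f"ticket encryption type 0x{e.etype:x} where AES is expected"))
    return findings


if __name__ == "__main__":
    for account, reason in detect(EVENTS):
        print(f"ALERT {account}: {reason}")
```

In a real estate the 4768 index has to be built from every DC, because the TGT is issued by whichever DC the client happened to reach; a per-DC correlation will flag every normal user who authenticated against one DC and then touched a service on another.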

With this kind of immediate notice you can reset all passwords and reset the KRBTGT account twice, waiting for replication between the two resets so that no DC still holds the old key. That invalidates every outstanding Kerberos ticket, including the forged one, and forces users to obtain new ones. You can close the security breach and cut off the attacker's access to your network.

Get a free risk assessment to see where you may be vulnerable to security breaches, including a Golden Ticket attack – and sign up for a 1:1 demo to see how to detect abnormal behavior that indicates an attack in-progress, and defend against a golden ticket attack.

The State of CryptoWall in 2018

CryptoWall and its variants are still favorite toys of the cybercriminals that want your Bitcoin. In fact, according to the 2018 Verizon Data Breach Investigations Report, ransomware now makes up about 40% of all reported malware incidents! Some reports say CryptoWall 3.0 has caused over 325 million dollars in damages since it first came on the scene.

CryptoWall first appeared in the wild around 2014: since then, cybercriminals have updated and iterated on it several times to make it even harder to detect and remove.

The CryptoWall virus is cheap and easy to use, spreads fast, and people continue to pay the ransom hoping to get their files back. (Tl;dr: Don’t.) It’s important to maintain constant vigilance to protect data from the CryptoWall virus and all its variants – along with all types of cyberattacks.

What is CryptoWall?

CryptoWall is a particularly nasty form of ransomware. It does much more than just encrypt your files and prompt you to pay for the key: it tries to hide inside the OS and adds itself to the Startup folder. Worse still, CryptoWall deletes volume shadow copies of your files – making it difficult (or in some cases impossible) to restore your data. And while it’s there, it’ll try to get your passwords and Bitcoin wallets for good measure.

CryptoWall 3.0 is by far the most lucrative version so far. It uses RSA-2048 to protect the keys that lock your files, so the only way to decrypt them is with a private key that never leaves the attackers' server.

CryptoWall v4 introduced a new feature to encrypt both the files and the filenames, meaning that you can’t simply look at the filename to check (and restore) if you have a backup. The ransom notes got a lot sassier as well, just to pour salt on the wound of your encrypted data.

CryptoWall v5.1, the latest version, is built on the open-source HiddenTear code and encrypts files with AES-256, a departure from the earlier versions. The developers most likely reused the CryptoWall name without any of the original code.

There are several variants of CryptoWall: CryptoDefense is one of those variants, for example. For the most part, you can treat them similarly.

How CryptoWall Works

There are several different methods to spread CryptoWall and infect devices:

  • Phishing Email: CryptoWall is most often triggered by the end user via a phishing email. Phishing emails try to trick users into clicking a link or opening an attachment that downloads malware onto their computer.
  • Exploit Kits: The next most common attack vector is as part of an exploit kit, which takes advantage of security vulnerabilities to deploy the malware needed to execute the attack. Known vulnerabilities can be in the operating system, in applications you use, or in websites you visit, like WordPress.
  • Malicious Ads: Cybercriminals purchase or hack internet advertisements to deliver malware to you through your browser. Hacked ads often run JavaScript in your browser to download the malware without you noticing.

NOTE: Process injection (placing code into another running process) is a common technique; it does not require exploiting a bug, and legitimate software uses it too. What makes it malicious here is what the injected code does.

Once it’s on your computer, CryptoWall injects new code into explorer.exe (based on the version of Windows installed) and restarts explorer.exe. This special version of explorer.exe installs malware, deletes the volume shadow copies, disables windows services, and spawns a new svchost.exe process with more injected modules.

If, for some reason, it fails to inject code into explorer.exe, CryptoWall will use svchost.exe to spawn a new explorer.exe it can inject the code into. This instance of svchost.exe is also responsible for network communication to home base, file encryption, and removing the malware once it’s finished.

CryptoWall installs itself into the registry and your startup folder: restarting won’t clear things up – if you don’t remove all of the CryptoWall software while you are in Safe Mode, it will start right back up when you log in again.

CryptoWall needs to communicate with a Command and Control server (C&C) to continue the ransomware attack. The C&C sends CryptoWall the key material it will use to encrypt your files. CryptoWall then runs through all of your files, both locally and on any connected network shares, and encrypts your most personal data: documents, presentations, code, music files, and pictures.

The encryption locks the contents of your files, and the only way to get them back is with the matching decryption key, which the attackers hold.

What CryptoWall Tells You to do

Once the encryption is complete, you’ll get a ransom note with instructions on how to make payment: often about $1000 worth of Bitcoin. After the ransom note is issued, the malware deletes itself.

The attackers might offer to decrypt a file or two for free to demonstrate good faith: don’t fall for it. There is no guarantee that you will get your files back: only 19% of users that pay the ransom get their files back.

How to Protect Against CryptoWall?

It’s unlikely that you’ll get your files back: in this case (and most ransomware cases), prevention is better than a cure.

Tips to prevent (or disarm) potential ransomware attacks:

  • Keep your computer patched and up to date
    • Malware uses known vulnerabilities in software to move to new computers. If you leave those vulnerabilities unpatched, you’re effectively leaving an open door for the cybercriminals to enter. If you keep the OS and all of your applications patched to the latest releases, you stand a better chance of avoiding malware infections.
  • Use an anti-virus scanner
    • Anti-virus solutions, when updated regularly, can protect you from several kinds of malware attacks. They quarantine known malware programs and prevent them from executing
  • Use a firewall
    • A local firewall can block some of the connections malware depends on, such as the one to the Command and Control server. CryptoWall in particular needs that connection to continue the attack, so blocking it can stop the attack before encryption starts.
  • Don't click the links
    • Don't click links or download files from suspicious emails. If you click a malicious link or download a malicious file, you're inviting the cybercriminal and their malware into your home.
  • Practice safe browsing habits
    • Keep your browser up to date, prefer HTTPS sites, and block ads and JavaScript by default, allowing them only from sources you trust.
  • Back up your files
    • Always keep a backup copy of your files: it works for a hard drive failure as well as for ransomware. There are plenty of online cloud storage options of varying security and cost, and you can also back up to a local NAS or USB hard drive. Because CryptoWall encrypts anything it can reach, including connected network shares, keep at least one copy offline or disconnected when not in use.

If CryptoWall slips past your defenses and infects your computer, remove it before you use the computer again:

  1. Boot your computer into Safe Mode with Networking
  2. If you have a recent, clean System Restore point, restore to it
  3. Otherwise, download and install a malware removal application
  4. Run the malware removal app and scan all of your files

If you’re planning an enterprise-wide security strategy to protect against ransomware attacks, there are a few other items to consider on top of the end user items above.

Maintain a least privilege model: When you maintain a least privilege model, users only have access to the files absolutely necessary to do their job, and if hit by CryptoWall, the ransomware can only encrypt those files. By enforcing a least privilege model, you limit the scope of the ransomware attack considerably. And with a good backup plan, it's a simple recovery process.

Leverage security analytics to protect your files from ransomware: Varonis monitors your enterprise data stores, mailboxes, proxies, DNS, and VPNs – with threat models specifically designed to catch ransomware attacks in progress.
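Two of the behaviors described in this post are easy to turn into detections once you have process and file telemetry: the deletion of volume shadow copies that precedes encryption, and the burst of modifies and renames a single account produces while encrypting a share. The script below is an added example over constructed telemetry, not Varonis' threat models and not CryptoWall code; the field layout, the one-minute window and the 50-files threshold are assumptions to tune against your own baseline.

```python
"""Added example: two ransomware signals run over constructed process and file events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common ways of deleting volume shadow copies (vssadmin and wmic).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

WINDOW = timedelta(minutes=1)   # assumption: sliding window for the burst detector
BURST_THRESHOLD = 50            # assumption: distinct files touched per window by one user

# Constructed process-creation records: (iso time, user, command line).
PROCESS_EVENTS = [
    ("2018-06-01T10:00:02", "bob", r"C:\Windows\explorer.exe"),
    ("2018-06-01T10:00:09", "bob", r"vssadmin.exe Delete Shadows /All /Quiet"),
    ("2018-06-01T10:00:15", "bob", r"svchost.exe -k netsvcs"),
]


def shadow_copy_deletions(events):
    """Return process records whose command line deletes shadow copies."""
    return [(t, u, cmd) for t, u, cmd in events if SHADOW_DELETE.search(cmd)]


def file_activity_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """events: (iso time, user, op, path). Returns {user: (time, distinct files)} for the
    first moment each user exceeds `threshold` distinct files within `window`."""
    recent = defaultdict(deque)   # user -> deque of (time, path) inside the window
    alerts = {}
    for ts, user, op, path in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        if op not in ("modify", "rename", "create"):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((t, path))
        while q and t - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and user not in alerts:
            alerts[user] = (t, distinct)
    return alerts


def synthetic_file_events():
    """Constructed: alice edits five files over two minutes; bob's session rewrites and
    renames 120 files in about 40 seconds, the pattern encryption leaves on a share."""
    events = []
    base = datetime(2018, 6, 1, 10, 0, 20)
    for i in range(5):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        events.append((t, "alice", "modify", rf"\\fs1\share\report{i}.docx"))
    for i in range(120):
        t = (base + timedelta(milliseconds=333 * i)).isoformat()
        events.append((t, "bob", "modify", rf"\\fs1\share\doc{i}.xlsx"))
        events.append((t, "bob", "rename", rf"\\fs1\share\doc{i}.xlsx.locked"))
    return events


if __name__ == "__main__":
    for t, user, cmd in shadow_copy_deletions(PROCESS_EVENTS):
        print(f"ALERT {t} {user}: shadow copies deleted: {cmd}")
    for user, (t, n) in file_activity_bursts(synthetic_file_events()).items():
        print(f"ALERT {t.isoformat()} {user}: {n} distinct files touched within {WINDOW}")
```

The shadow-copy signal fires before any file is encrypted, which is the moment you want to kill the process; the burst signal is the backstop, and with a least privilege model in place the number of files it can reach before the alert is what bounds the damage.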

A ransomware attack can be devastating to an organization: lost productivity, potentially leaked, stolen, or lost data, recovery fees and resources, and more. Get a custom demo to see how we can protect your valuable data and help stop CryptoWall infections.

What’s The Difference Between a Proxy and a VPN?

The Internet can be a scary place: we’re under near constant attack from ransomware and botnets – on work computers, personal devices, even smart home devices like thermostats and baby monitors.

If you’re security conscious, you might be thinking about setting up a Virtual Private Network (VPN) or a proxy server.

Proxy and VPN Defined

Both VPNs and proxies give you more privacy than you would otherwise have by hiding your IP address from the sites you visit, but how they do that is quite different.

A proxy acts as a gateway – it’s ideal for basic functions like anonymous web browsing and managing (or circumventing) content restrictions. Proxy servers excel at IP masking and misdirection, making them good for viewing geographically limited content. They allow users to bypass content restrictions and monitoring, or enforce website content restrictions – so that you can’t log into certain web pages on company time.

A VPN client on your computer establishes an encrypted tunnel to the VPN server, so your traffic leaves your ISP's network already encrypted and appears to the rest of the internet to come from the VPN server. VPN connections encrypt and secure all of your network traffic, not just the HTTP or SOCKS requests from your browser, as a proxy server does.

VPNs are great when you need to use the WIFI at a local coffee shop: using a VPN instead of the potentially completely unencrypted local WIFI adds another layer of privacy – who knows who is lurking on that network, just sitting in the corner sipping coffee and waiting to steal your credit card digits?

Proxy and VPN Drawbacks

If you’re using proxy servers to mask your internet activity, you might see performance issues that prevent you from streaming or downloading the thing you are trying to get. High ping times and other traffic on the proxy server can cause web pages to load slowly. For this reason, some users pay for a private proxy server which limits the number of users that access it, speeding up your connections.

Proxies are also vulnerable to security exploits: they can be open to attack, allowing the bad guys to infiltrate networks or steal private data. Some proxies can still track (and store) your browsing habits, as well as recording usernames and passwords – rendering that promise of anonymity null.

VPNs can also suffer from performance issues, depending on proximity to the VPN server you’re connecting with. VPNs use a local client to create the connection to the VPN server, so any local CPU or memory issues will slow down the connections. VPNs are typically more expensive to use (and maintain) than a proxy server, and they are often more complex to manage.

Just like proxy servers, VPNs can’t guarantee anonymity while browsing. Neither of these services will always encrypt your traffic all the way to the web server. A VPN only guarantees an end-to-end encrypted connection if you use the HTTPS protocol when you go to a new web address. Your data will be encrypted to the VPN, but from that point on, it could be unencrypted to the web server. For some sites, this may be irrelevant: an information-only webpage with no login or payment options for example, but for any sites that require a login or online payments – or any sensitive data – make sure the website is enabled to use HTTPS. Remember, the S stands for moderately more secure.

Proxy and VPN Benefits

The biggest argument for a VPN over a proxy is the encryption of all your traffic that a VPN provides. Dollar for dollar, a VPN is more secure than a similarly priced proxy. VPN providers maintain their own networks and you use their IP addresses for your connections. The top VPN providers advertise a no-logs policy, which means they have no data to hand over to anyone about your browsing habits.

If you’re an IT business owner charged with the security of data and users, there are advantages to both, and you likely have both configured for your company. For users in the network, you might route traffic through a proxy server to log web traffic, protect the organization from malware or other attacks, and enforce a web content policy.

When users are operating out of the office, you will want to use a VPN to create a secure connection to access the company resources (email, internal shares, etc.).

Proxy vs VPN: Which is Right for me?

Privacy and security matter these days, regardless of if it’s your company data or your own personal data you need to protect. Make sure you’re investing time and money into the correct tools for your security goals: both proxies and VPNs add an additional layer of security and privacy to your data.

If you want to enable your team to work remotely with secure access to company resources, set up and maintain a VPN and have users reach the network through it.

If your concerns are more around “what websites are my users hitting,” a proxy server is a better tool.

To get the most bang for the buck (and to protect your data as a security-aware citizen), sign up for a well-regarded VPN service. For the most part, VPN services allow you to use servers in different locations to work around content restrictions. If you need to use a free proxy server occasionally for that purpose as well, just be aware of the risks.

If you’re just starting to implement your data security strategy on an enterprise level, there are more complex attack vectors to account for. Insider threats, APTs, privileged account escalations – along with plain old social engineering – are just as dangerous to your data as an unencrypted data stream.

Neither a proxy nor a VPN will protect you from 100% of the cybersecurity threats your company will encounter: they won’t stop an insider from stealing personal data, a ransomware attack, or a coordinated infiltration effort.

Varonis Edge adds perimeter telemetry to security analytics, monitoring proxy, VPN, and DNS to help bridge that gap: you'll be able to see when an attacker breaks through a VPN, get alerts when sensitive data is uploaded to external websites, and more. See how it works with a 1:1 demo, and discover how Varonis helps secure your data from perimeter attacks.

What is a Proxy Server and How Does it Work?

The actual nuts and bolts of how the internet works is not something people often stop to consider. The problem with that is the inherent danger of data security breaches and identity theft that come along with the cute dog pictures, 24 hour news updates, and great deals online.

But what actually happens when you browse the web? You might be using a proxy server at your office, on a Virtual Private Network (VPN) or you could be one of the more tech-savvy who always use a proxy server of some kind or another.

What’s a Proxy Server?

A proxy server acts as a gateway between you and the internet. It’s an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy.

If you’re using a proxy server, internet traffic flows through the proxy server on its way to the address you requested. The request then comes back through that same proxy server (there are exceptions to this rule), and then the proxy server forwards the data received from the website to you.

If that's all it does, why bother with a proxy server? Why not just go straight to the website and back?

Modern proxy servers do much more than forwarding web requests, all in the name of data security and network performance. Proxy servers act as a firewall and web filter, provide shared network connections, and cache data to speed up common requests. A good proxy server keeps users and the internal network protected from the bad stuff that lives out in the wild internet. Lastly, proxy servers can provide a high level of privacy.

How Does a Proxy Server Operate?

Every device reachable on the internet needs a unique Internet Protocol (IP) address. Think of this IP address as your computer's street address. Just as the post office knows to deliver your mail to your street address, the internet knows how to send the correct data to the correct computer by its IP address.

A proxy server is basically a computer on the internet with its own IP address that your computer knows. When you send a web request, your request goes to the proxy server first. The proxy server then makes your web request on your behalf, collects the response from the web server, and forwards you the web page data so you can see the page in your browser.

When the proxy server forwards your web requests, it can make changes to the data you send and still get you the information that you expect to see. A proxy server hides your IP address from the destination, because the web server only ever sees the proxy's address, so it doesn't know exactly where you are in the world. It can encrypt the traffic between you and the proxy, so that data is unreadable in transit on your local network (what happens between the proxy and the web server still depends on whether the site uses HTTPS). And lastly, a proxy server can block access to certain web pages, based on hostname or IP address.

Why Should You Use a Proxy Server?

There are several reasons organizations and individuals use a proxy server.

  • To control internet usage of employees and children: Organizations and parents set up proxy servers to control and monitor how their employees or kids use the internet. Most organizations don’t want you looking at specific websites on company time, and they can configure the proxy server to deny access to specific sites, instead redirecting you with a nice note asking you to refrain from looking at said sites on the company network. They can also monitor and log all web requests, so even though they might not block the site, they know how much time you spend cyberloafing.
  • Bandwidth savings and improved speeds: Organizations can also get better overall network performance with a good proxy server. Proxy servers can cache (save a copy of the website locally) popular websites – so when you ask for www.varonis.com, the proxy server will check to see if it has the most recent copy of the site, and then send you the saved copy. What this means is that when hundreds of people hit www.varonis.com at the same time from the same proxy server, the proxy server only sends one request to varonis.com. This saves bandwidth for the company and improves the network performance.
  • Privacy benefits: Individuals and organizations alike use proxy servers to browse the internet more privately. Some proxy servers will change the IP address and other identifying information the web request contains. This means the destination server doesn’t know who actually made the original request, which helps keeps your personal information and browsing habits more private.
  • Improved security: Proxy servers provide security benefits on top of the privacy benefits. You can configure your proxy server to encrypt the connection between your users and the proxy, keeping prying eyes on the local network from reading their requests. You can also prevent known malware sites from any access through the proxy server. Additionally, organizations can couple their proxy server with a Virtual Private Network (VPN), so remote users always access the internet through the company proxy. A VPN is a direct connection to the company network that companies provide to external or remote users. By using a VPN, the company can control and verify that their users have access to the resources (email, internal data) they need, while also providing a secure connection for the user to protect the company data.
  • Get access to blocked resources: Proxy servers allow users to circumvent content restrictions imposed by companies or governments. Is the local sportsball team’s game blacked out online? Log into a proxy server on the other side of the country and watch from there. The proxy server makes it look like you are in California, but you actually live in North Carolina. Several governments around the world closely monitor and restrict access to the internet, and proxy servers offer their citizens access to an uncensored internet.
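The decisions listed above (block, serve from cache, hide or reveal the client, log everything) are the whole job of a forward proxy, and they fit in one small class. The code below is an added example, not a production proxy and not code from the original post: the upstream fetch is injected as a function so the example runs offline against a constructed origin server that simply reports who it thinks the client is. The proxy's IP address, the blocked host and the client addresses are constructed.

```python
"""Added example: the core decisions of an HTTP forward proxy, with a constructed origin."""
from urllib.parse import urlsplit


class ProxyCore:
    def __init__(self, fetch, blocked_hosts=(), anonymize=True, proxy_ip="203.0.113.10"):
        self.fetch = fetch                  # callable(method, url, headers, source_ip) -> (status, headers, body)
        self.blocked = {h.lower() for h in blocked_hosts}
        self.anonymize = anonymize          # True: origin learns only the proxy's IP
        self.proxy_ip = proxy_ip            # assumption: the proxy's public address
        self.cache = {}                     # url -> (status, headers, body)
        self.log = []                       # one entry per client request, for the usage log
        self.upstream_requests = 0

    def handle(self, client_ip, method, url, headers):
        """Process one client request and return (status, headers, body)."""
        host = (urlsplit(url).hostname or "").lower()
        entry = {"client": client_ip, "method": method, "url": url}

        # 1. Policy: deny listed hosts before anything leaves the network.
        if host in self.blocked:
            entry["result"] = "blocked"
            self.log.append(entry)
            return 403, {"Content-Type": "text/plain"}, b"Blocked by company policy"

        # 2. Cache: serve repeated GETs without a second upstream request.
        if method == "GET" and url in self.cache:
            entry["result"] = "cache"
            self.log.append(entry)
            return self.cache[url]

        # 3. Header rewriting: either strip anything that identifies the client,
        #    or (transparent mode) tell the origin who the client really is.
        fwd = dict(headers)
        if self.anonymize:
            for h in ("X-Forwarded-For", "Forwarded", "Via"):
                fwd.pop(h, None)
        else:
            fwd["X-Forwarded-For"] = client_ip
            fwd["Via"] = f"1.1 {self.proxy_ip}"

        # 4. Forward: the TCP connection to the origin comes from the proxy's IP.
        status, resp_headers, body = self.fetch(method, url, fwd, self.proxy_ip)
        self.upstream_requests += 1
        if method == "GET" and status == 200 and "no-store" not in resp_headers.get("Cache-Control", ""):
            self.cache[url] = (status, resp_headers, body)
        entry["result"] = f"upstream {status}"
        self.log.append(entry)
        return status, resp_headers, body


def fake_origin(method, url, headers, source_ip):
    """Constructed origin server: reports the client address it believes it is talking to."""
    seen = headers.get("X-Forwarded-For", source_ip)
    return 200, {"Content-Type": "text/plain"}, f"hello, {seen}".encode()


def demo():
    anon = ProxyCore(fake_origin, blocked_hosts={"casino.example"}, anonymize=True)
    r1 = anon.handle("192.168.1.20", "GET", "https://www.varonis.com/", {"User-Agent": "a"})
    r2 = anon.handle("192.168.1.21", "GET", "https://www.varonis.com/", {"User-Agent": "b"})  # cache hit
    r3 = anon.handle("192.168.1.20", "GET", "http://casino.example/", {})                     # blocked
    transparent = ProxyCore(fake_origin, anonymize=False)
    r4 = transparent.handle("192.168.1.20", "GET", "https://www.varonis.com/", {})
    return anon, transparent, (r1, r2, r3, r4)


if __name__ == "__main__":
    anon, transparent, results = demo()
    for r in results:
        print(r[0], r[2].decode())
    print("upstream requests by the anonymizing proxy:", anon.upstream_requests)
    print("log:", [e["result"] for e in anon.log])
```

Note that the log the proxy keeps is exactly the browsing-history record the risks section warns about: the same component that gives an organization visibility gives a free proxy operator something to sell.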

Now that you have an idea about why organizations and individuals use a proxy server, take a look at the risks below.

Proxy Server Risks

You do need to be cautious when you choose a proxy server: a few common risks can negate any of the potential benefits:

  • Free proxy server risks 
    • You know the old saying “you get what you pay for?” Well, using one of the many free proxy server services can be quite risky, even the services using ad-based revenue models.
    • Free usually means they aren’t investing heavily in backend hardware or encryption. You’ll likely see performance issues and potential data security issues. If you ever find a completely “free” proxy server, tread very carefully. Some of those are just looking to steal your credit card numbers.
  • Browsing history log
    • The proxy server has your original IP address and web request information possibly unencrypted, saved locally. Make sure to check if your proxy server logs and saves that data – and what kind of retention or law enforcement cooperation policies they follow.
    • If you expect to use a proxy server for privacy, but the vendor is just logging and selling your data, you might not be receiving the expected value for the service.
  • No encryption
    • If you use a proxy server without encryption, you might as well not use a proxy server. No encryption means you are sending your requests as plain text. Anyone who is listening will be able to pull usernames and passwords and account information really easily. Make sure whatever proxy server you use provides full encryption capability.

Types of Proxy Servers

Not all proxy servers work the same way. It’s important to understand exactly what functionality you’re getting from the proxy server, and ensure that the proxy server meets your use case.

Transparent Proxy

  • A transparent proxy tells websites that it is a proxy server and it will still pass along your IP address, identifying you to the web server. Businesses, public libraries, and schools often use transparent proxies for content filtering: they’re easy to set up both client and server side.

Anonymous Proxy

  • An anonymous proxy will identify itself as a proxy, but it won’t pass your IP address to the website – this helps prevent identity theft and keep your browsing habits private. They can also prevent a website from serving you targeted marketing content based on your location. For example, if CNN.com knows you live in Raleigh, NC, they will show you news stories they feel are relevant to Raleigh, NC. Browsing anonymously will prevent a website from using some ad targeting techniques, but is not a 100% guarantee.

Distorting proxy

  • A distorting proxy server passes along a false IP address for you while identifying itself as a proxy. This serves similar purposes as the anonymous proxy, but by passing a false IP address, you can appear to be from a different location to get around content restrictions.

High Anonymity proxy

  • High Anonymity proxy servers periodically change the IP address they present to the web server, making it very difficult to keep track of which traffic belongs to whom. High anonymity proxies, like the TOR Network, are the most private and secure way to browse the internet.
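The four proxy types above differ in what they disclose to the web server they forward to. The following is an added illustration, not code from the original post or from Varonis: it models each type by the headers it adds (Via and X-Forwarded-For are the standard headers proxies use to announce themselves; mapping each type to a header set is an assumption for the demo) and then shows what an origin server can infer from them. All addresses and the hostname proxy.example are constructed.

```python
"""Added illustration: what each proxy type forwards to an origin server, and
what the origin can infer. Addresses and hostnames are constructed (RFC 5737
documentation ranges); the header mapping is an assumption for the demo."""

CLIENT_IP = "198.51.100.7"     # the real user's address (constructed)
PROXY_IP = "203.0.113.10"      # the proxy's own address (constructed)
PROXY_HOST = "proxy.example"   # hypothetical proxy hostname
# A high-anonymity proxy rotates the address it connects from (constructed pool).
HIGH_ANON_EXITS = ["203.0.113.21", "203.0.113.22", "203.0.113.23"]


def forward_headers(proxy_type, client_ip):
    """Return the proxy-disclosing headers a proxy of this type adds.
    Via and X-Forwarded-For are the standard headers used for this; mapping
    each type to a header set is an illustrative assumption."""
    via = f"1.1 {PROXY_HOST}"
    if proxy_type == "transparent":
        # announces itself and passes along the real client address
        return {"Via": via, "X-Forwarded-For": client_ip}
    if proxy_type == "anonymous":
        # announces itself but withholds the client address
        return {"Via": via}
    if proxy_type == "distorting":
        # announces itself and supplies a deliberately false client address
        return {"Via": via, "X-Forwarded-For": "192.0.2.44"}
    if proxy_type == "high_anonymity":
        # adds nothing that marks the request as proxied
        return {}
    raise ValueError(f"unknown proxy type: {proxy_type}")


def origin_view(proxy_type, request_index=0):
    """What the origin server observes: (TCP peer address, forwarded headers)."""
    if proxy_type == "high_anonymity":
        peer = HIGH_ANON_EXITS[request_index % len(HIGH_ANON_EXITS)]
    else:
        peer = PROXY_IP
    return peer, forward_headers(proxy_type, CLIENT_IP)


def classify_from_origin(peer_ip, headers):
    """Best-effort classification from the server side. Without out-of-band
    knowledge of the real client address, a distorting proxy is
    indistinguishable from a transparent one, and a high-anonymity proxy
    from a direct connection."""
    via = headers.get("Via")
    xff = headers.get("X-Forwarded-For")
    if via is None and xff is None:
        return "direct_or_high_anonymity"
    if xff is None:
        return "anonymous"
    return "transparent_or_distorting"


def client_ip_as_logged(peer_ip, headers):
    """What a server that trusts X-Forwarded-For would record as the client.
    In the distorting case this is an address the proxy simply made up, which
    is why XFF must never drive access decisions on its own."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


if __name__ == "__main__":
    for kind in ("transparent", "anonymous", "distorting", "high_anonymity"):
        for i in range(2):
            peer, hdrs = origin_view(kind, i)
            print(f"{kind:15} peer={peer:14} headers={hdrs} "
                  f"classified={classify_from_origin(peer, hdrs)} "
                  f"logged_client={client_ip_as_logged(peer, hdrs)}")
```

The point for a server operator is in `classify_from_origin`: the origin can tell an anonymous proxy from a transparent one, but it cannot tell a distorting proxy's false address from a transparent proxy's real one, and a high-anonymity proxy looks like an ordinary client whose address happens to change between requests.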

Proxy servers are a hot item in the news these days with the controversies around Net Neutrality and censorship. By removing net neutrality protections in the United States, Internet Service Providers (ISPs) are now able to control your bandwidth and internet traffic. ISPs can potentially tell you what sites you can and cannot see. While there’s a great amount of uncertainty around what is going to happen with Net Neutrality, it’s possible that proxy servers will provide some ability to work around an ISP’s restrictions.

Varonis analyzes data from proxy servers to protect you from data breaches and cyber attacks. The addition of proxy data gives more context to better analyze user behavior trends for abnormalities. You can get an alert on that suspicious activity with actionable intelligence to investigate and deal with the incident.

For example, a user accessing GDPR data might not be significant on its own. But if they access GDPR data and then try to upload it to an external website, it could be an exfiltration attempt and potential data breach. Without the context provided by file system monitoring, proxy monitoring, and Varonis threat models, you might see these events in a vacuum and not realize you need to prevent a data breach.

Get a 1:1 demo to see these threat models in action – and see what your proxy data could be telling you.

What is Spear Phishing?


According to the 2018 Verizon Data Breach Report, phishing and pretexting are the two favorite tactics employed in social engineering attacks, used in 98% and 93% of data breaches respectively. And last year, the IRS noted a 400% surge in spear phishing against CEOs.

What is Spear Phishing?

Spear phishing is a targeted attack where an attacker creates a fake narrative or impersonates a trusted person, in order to steal credentials or information that they can then use to infiltrate your networks. It’s often an email to a targeted individual or group that appears to come from a trusted or known source.

Spear Phishing vs. Phishing

Spear phishing is a subset of phishing attacks. The end goals are the same: steal information to infiltrate your network and either steal data or plant malware. However, the tactics employed by the two are different.

Phishing attacks cast a wide net: phishers are throwing hunks of bread into a lake, and they don’t care what kind of fish they catch – as long as you take the bait, they can get into the network. They’re not personalized attacks: they’re typically distributed to a wide group of people at a time, using something that looks vaguely legitimate in hopes that enough people will click on their link so that they can get more information or install malware.

Spear Phishing, on the other hand, targets a specific individual or group. They lure their victims with information that makes it seem like they’re a trusted or familiar source, with as much personal information as possible to make their approach look legitimate.


Spear Phishing Examples

The Russian cyber espionage group Fancy Bear allegedly committed one of the more famous spear phishing campaigns: using spear phishing techniques to infiltrate the Democratic National Convention to steal emails. They first obtained an updated contact list and then targeted high-level party officials, which led them to Podesta’s Gmail account. They stole 50,000 emails in one day, and the rest is recent history.

Fancy Bear also allegedly used spear phishing to infiltrate the Bundestag, part of the German Parliament, and Emmanuel Macron’s campaign in the French election.

Spear phishing is one of the more reliable social engineering methods employed by blackhats – which is what makes the defense against spear phishing both important and challenging.

Tips for Avoiding a Spear Phishing Attack

  • Be skeptical: If you want to avoid being scammed you have to ask questions – both to the potential scammer and to yourself. As a general rule, don’t immediately comply with the first request you get. Ask a question, “why do you need that?” “What are you going to do with this data?” “No, I won’t buy you a Walmart gift card.”
  • Be aware of your online presence: Spear phishers depend on a certain amount of familiarity with their target. The more information you share with the public, the more ammunition a spear phisher has to convince you to give them something.
  • Inspect the link: Visually inspect the links in your emails by hovering over them. Scammers are pretty good at masking URLs or making them look similar enough to trick our human brains into thinking they are ok. If a domain looks like it’s overpromising, it probably isn’t legitimate.
  • Don’t click the link: Instead of clicking a link in the email, use your browser and manually navigate to the destination. Avoiding a link sent in a spear phisher’s email should guarantee that you aren’t going to a malicious website. Make it a habit of going to the websites you trust instead of clicking a link, use https as much as possible, and use your bookmarks to keep track of your known good web destinations.
  • Be smart with your passwords: We all know a modern computer can easily crack a short password. You should be using passphrases that are at least 16 alphanumeric characters long: write it down, or use a password manager service. Change passwords regularly, and practice basic internet security to keep your data safe.
  • Keep your software updated: Security researchers and malware distributors are in an arms race, and we are caught in the middle. Security researchers do their best to update their Anti-virus and security software to match the most recent known attacks and patch vulnerabilities. Malware distributors are doing their best to find the next best hack, application, or vulnerability they can use to steal your data. As consumers, it’s important to stay up to date: patch vulnerabilities, and update security settings and software.
  • Implement a company-wide data security strategy: If 1 out of every 100 spear phishing attempts is successful, it’s more than likely that some of your data will be compromised. One compromised user can lead to lateral movement, privilege escalation, data exfiltration, and more. Implement a layered security approach to protect against spear phishing on an enterprise level – and never underestimate the value of educating employees with security awareness training.
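The "inspect the link" and "don’t click the link" tips above can be turned into a mechanical check that a mail gateway or awareness tool could run. Here is an added example that is not part of the original post: it pulls every anchor out of an HTML message and flags the warning signs the tips describe, namely visible text that names one site while the href points to another, a trusted brand name buried inside an untrusted domain (after undoing the digit-for-letter swaps used in lookalikes), bare-IP destinations, and plain http. The sample message, the allowlist and the hostnames are constructed; the two-label `registrable_domain` shortcut is an assumption that stands in for a public suffix list lookup.

```python
"""Added illustration of the 'inspect the link' advice: pull every anchor out of
an HTML email and flag the classic warning signs. Sample email, allowlist and
hostnames are constructed for the demo."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation considers its own or trusted.
TRUSTED_DOMAINS = ("example-bank.com", "varonis.com")

# Constructed message body: one lookalike link whose visible text lies about the
# destination, one legitimate link, one bare-IP link.
SAMPLE_EMAIL_HTML = """
<p>Dear colleague,</p>
<p>Please review the updated invoice at
<a href="http://examp1e-bank.com.login-verify.example/portal">https://www.example-bank.com/portal</a></p>
<p>Background reading is on our <a href="https://www.varonis.com/blog">blog</a>.</p>
<p>Direct download: <a href="http://198.51.100.23/update">Click here</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. A real implementation would consult the
    public suffix list; this shortcut is an assumption that suits the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of warning signs for one link (empty means none found)."""
    findings = []
    url = urlsplit(href)
    host = url.hostname or ""

    if url.scheme != "https":
        findings.append("not_https")
    if is_ip_literal(host):
        findings.append("ip_literal_host")

    # Visible text that looks like a URL but names a different site than the href.
    shown = text.lower()
    if shown.startswith(("http://", "https://", "www.")):
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            findings.append("display_host_mismatch")

    # A trusted brand name inside an untrusted host, after undoing the common
    # digit-for-letter swaps (1 for l, 0 for o) used to build lookalikes.
    if registrable_domain(host) not in trusted:
        normalised = host.lower().replace("1", "l").replace("0", "o")
        for domain in trusted:
            brand = domain.split(".")[0]
            if brand in normalised:
                findings.append(f"lookalike_of_{domain}")
    return findings


def inspect_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its warning signs."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: inspect_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in inspect_email(SAMPLE_EMAIL_HTML).items():
        print(f"{href}\n    {findings or 'no findings'}")
```

Run against the constructed message, the first link collects three findings, the Varonis link none, and the bare-IP link two; in a gateway the finding list would feed a quarantine or banner decision rather than a hard block, since legitimate mail does occasionally use http or mismatched display text.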


There are many ways to enhance your data security strategy to defend your users from phishing and spear phishing attacks. You can configure strict SPF rules to check and validate who is sending the emails. Implement a Data Security Platform to protect and monitor your data, and leverage security analytics to alert your team of suspicious behavior.
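The "strict SPF rules" mentioned above come down to a DNS TXT record that lists which addresses may send mail for a domain, ending in a qualifier that decides what happens to everyone else. The following is an added example, not code from the original post or from Varonis, that evaluates a sending IP against such a record: it handles the ip4, ip6 and all mechanisms with their +, -, ~ and ? qualifiers and contrasts a strict record (`-all`, unknown senders fail) with a loose one (`~all`, they only softfail). The records and addresses are constructed, the receiver-side action table is an assumption, and mechanisms that need DNS lookups (include, a, mx, redirect) are deliberately left out.

```python
"""Added illustration of checking a sender against an SPF record. Records and
addresses are constructed; include/a/mx/redirect mechanisms, which need DNS,
are deliberately left out."""
import ipaddress

# Constructed SPF records for two hypothetical sending domains. The first is
# strict (-all fails unknown senders); the second only softfails them (~all).
SPF_RECORDS = {
    "example-bank.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all",
    "loose.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for a sending IP.
    Returns one of pass, fail, softfail, neutral or permerror."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name} needs DNS and is not modelled here")
    return "neutral"  # no mechanism matched and there was no 'all'


def mail_action(result):
    """Receiver-side policy for a given SPF result. This mapping is a common,
    conservative choice and an assumption for the demo."""
    return {
        "pass": "accept",
        "fail": "reject",
        "softfail": "accept_and_flag",
        "neutral": "accept_and_flag",
        "permerror": "accept_and_flag",
    }[result]


def check_sender(domain, sender_ip, records=SPF_RECORDS):
    """Look up the (constructed) record for the envelope-from domain and decide."""
    record = records.get(domain)
    if record is None:
        return "none", "accept_and_flag"
    result = evaluate_spf(record, sender_ip)
    return result, mail_action(result)


if __name__ == "__main__":
    for domain, ip in [("example-bank.com", "203.0.113.77"),
                       ("example-bank.com", "192.0.2.9"),
                       ("loose.example", "192.0.2.9"),
                       ("unknown.example", "192.0.2.9")]:
        print(domain, ip, *check_sender(domain, ip))
```

The contrast worth noticing is the same unknown sender, 192.0.2.9, producing `fail` under the strict record and only `softfail` under the loose one: a receiver that rejects on fail stops the spoofed message in the first case, while in the second it is delivered with a flag and the decision falls back on the user.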

Want to learn more? Find out how Varonis can help prevent and defend against spear phishing attacks – and protect your data from being compromised or stolen.