Heuristic Security Weekly Weather Report for WE 8/17/2019

Welcome to the first of the Heuristic Security Weekly Internet Weather Reports. This report does not attempt to analyze the state of attacks and attackers across the entire internet; rather, it discusses what I see on my company’s firewalls from my vantage point in Colorado, along with general attack trends and recommended preventative measures based on that viewpoint.

Since so many of the attacks today are driven by automated bots scanning the internet for open ports, I believe that the trends I observe locally can be broadly extrapolated to consumer and small business networks across the US. However, as always, the best indication of what is impacting your company’s systems are the results you get by monitoring your own networks. To the extent that you see significantly different results for your network, that may be indicative of a targeted attack on your business (or perhaps on mine?).

Weekly Attack Analysis

The first table, Weekly Attacks and Attackers, summarizes the number of attacks from the top 10 countries originating these attacks, and the number of unique attacking IPs per country. In this week’s summary, there were 38,142 attacks originating from 121 countries for the 7 day period ending Saturday at midnight – one attack every 15 seconds on average across this period.

Items of note: While attacks originating from the US were #1, Russia was a close second, with the Netherlands #3 and China #4. The Netherlands has been cited in other reports as a top tier source of internet attacks, which is not something I would have suspected before I started researching attack trends. This also highlights how pervasive attacks originating from Russia and China are: together they exceed attacks from US sources. Also interesting is the relatively small number of attacking IPs from Russia relative to the number of attacks. More targeted attacks perhaps, or different bots?

The second table, Weekly Attack Targets, summarizes and sorts the attacks by most frequently targeted port and protocol. Telnet (23) is the top target by far, with SSH (22) at #3. Also interesting were NetBIOS Name Service (137) at #4 and Microsoft RDP at #7.

I certainly expected RDP to be in the Top 10 considering both the BlueKeep vulnerability in the RDP protocol from earlier this year as well as the two critical RDP vulnerabilities that were patched in the latest Patch Tuesday release. As for the others I mentioned above, all I can say is this is a hunt for the ignorant. Why anyone would allow any of these services to be exposed to the public internet is beyond me – however, Shodan reports that millions of systems on the internet are exposing them. No wonder that data breaches and thefts are so frequent – companies (and individuals through their use of insecure IoT devices) are exposing themselves to attack.

Finally, the third chart, Weekly Attacker Trend Report, shows changes in attack frequency for the top 5 attacking countries. What I find of interest is the significant uptick in attacks from Russia starting on Monday, and from the Netherlands starting on Wednesday. Whether the drivers behind this are geopolitical or technical I don’t know, but it will be interesting to see if this trend persists.
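The three summaries above can be produced from any firewall’s deny log once source IP, destination port and a country code are available per line. The following is an added example, not the tooling behind this report: it parses a constructed log format (the timestamp/action/src/dst_port/proto/country fields are assumed, with the country code taken from the firewall’s own GeoIP tagging) and builds the per-country and per-target tables plus the average interval between attacks.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (assumed format, not from the original report).
SAMPLE_LOG = """\
2019-08-12T03:14:07 DROP src=198.51.100.7 dst_port=23 proto=tcp country=US
2019-08-12T03:14:22 DROP src=203.0.113.9 dst_port=23 proto=tcp country=RU
2019-08-12T03:15:01 DROP src=203.0.113.9 dst_port=22 proto=tcp country=RU
2019-08-12T03:15:40 DROP src=203.0.113.9 dst_port=3389 proto=tcp country=RU
2019-08-13T11:02:13 DROP src=192.0.2.44 dst_port=137 proto=udp country=NL
2019-08-13T11:02:59 DROP src=192.0.2.45 dst_port=23 proto=tcp country=NL
2019-08-14T19:45:10 DROP src=198.51.100.8 dst_port=445 proto=tcp country=US
2019-08-14T19:45:11 ACCEPT src=198.51.100.200 dst_port=443 proto=tcp country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) "
    r"dst_port=(?P<port>\d+) proto=(?P<proto>\w+) country=(?P<cc>\w+)$"
)

def parse_log(text):
    """Yield one dict per blocked (DROP) attempt; accepted traffic is not counted as an attack."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "DROP":
            yield m.groupdict()

def attacks_by_country(events, top=10):
    """Table 1: (country, attack count, unique attacking IPs), most attacks first."""
    counts, ips = Counter(), defaultdict(set)
    for e in events:
        counts[e["cc"]] += 1
        ips[e["cc"]].add(e["src"])
    return [(cc, n, len(ips[cc])) for cc, n in counts.most_common(top)]

def attacks_by_target(events, top=10):
    """Table 2: ((port, proto), attack count), most targeted first."""
    return Counter((int(e["port"]), e["proto"]) for e in events).most_common(top)

def weekly_summary(text, seconds=7 * 24 * 3600):
    """Totals for the reporting window plus both tables; interval is seconds per attack."""
    events = list(parse_log(text))
    return {
        "total": len(events),
        "countries": len({e["cc"] for e in events}),
        "avg_interval_s": round(seconds / len(events), 1) if events else None,
        "by_country": attacks_by_country(events),
        "by_target": attacks_by_target(events),
    }
```

A single source address hitting several ports (as 203.0.113.9 does here) is what drives a high attack count with few unique IPs, the pattern noted for Russia above.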


So what does this mean? One, that attacks are pervasive, constant and diverse in origin and target. If you expose it, expect it to be attacked. And if whatever you expose has any vulnerabilities (and what doesn’t these days), expect them to be exploited as an entry point into your network to steal information, steal resources (cryptojacking), extort money (ransomware) or perhaps all of the above.

So what should you do? My recommendations are:

  1. Scan your public IPs to see what ports you may have exposed. Two free tools you can use are the Shields Up! scanner from Gibson Research, as well as the informative Shodan tool. Of course, don’t scan an IP address you do not own.
  2. If you discover open ports, unless you have a legitimate business reason for them to be there (for example 443 open for your website), close them in your firewall after confirming what internal system they are forwarding to! If you are scanning a consumer IP, it may be that your router is configured to allow UPnP, which means that your IoT devices (your baby cams, alarm systems, internet-connected toaster, etc.), may be reconfiguring your firewall to open ports for themselves (convenient for them, dangerous for you). Disable UPnP in your router unless you like to live dangerously!
  3. Also, if you have the acumen and a commercial firewall, implement egress filtering in your firewall in addition to ingress filtering. The SANS Institute Information Security Reading Room has a great paper on Egress Filtering. I highly recommend reading it and implementing its recommendations on your firewall – assuming you have the skills and technology to do so. Most consumer routers will not have this functionality.
  4. Finally, make sure your systems are patched! The 100 vulnerabilities addressed in the latest Microsoft Patch Tuesday release, combined with their criticality, just goes to show how vital it is to keep your systems patched and up to date.
  5. If you would like to do further research on IPs that are shown in this report (or from your own network’s firewalls), two good starting points are the Wikipedia List of TCP and UDP port numbers and the Internet Storm Center.

About Me

I am an expert in addressing the information security and privacy challenges of complex and fast-paced organizations as both a CISO and adviser to management and the board, in roles ranging from security architect, to risk management, to virtual or permanent CISO. Contact me to discuss how I can help you and your organization achieve your security, risk and privacy objectives.

Please feel free to share or distribute this report. If you have questions on its contents, please feel free to contact me to discuss. And, if you would like to subscribe to have these weekly updates emailed directly to you each Monday, you can do so by signing up on the heuristicsecurity.com website.
