So it is late in January, with a new firewall installed my Cybersecurity issue is resolved…
Right?
In the Cybersecurity field pictures are hard to come by, so we resort to ancient castle pictures:
So you just installed a moat around your castle and now you think the castle is safe??? (i.e. just installed the new firewall)
Constantinople had the largest, thickest walls, had a good strategy of sea and land defense, but they did not anticipate a new technology which destroyed the walls relatively quickly from a distance and thus their defense was rendered impotent once the new weapon was on the battlefield:
the image above is from Wikipedia.org¹ The cannon was developed and now instantly all castles were not as safe as before.
In the digital realm new defenses and attacks are constantly being developed.
As a new technology is developed the old methods of defending are not good enough anymore.
So can there be a method of defeating the NGFW? What is this “new” weapon?
As the defense one must always be willing to find the cracks in the defense, so to find the cracks one must be willing to attack the defense with new technologies and techniques.
While listening to a YouTube video of one of the cyber conventions last year I heard that using Powershell one can bypass the Anti-Virus and even Palo Alto firewall (which is one of the better NGFW’s)
at Derbycon 2015 Tyler Halfpop² who is a threat researcher at Fidelis cybersecurity
“Powershell enabled malware”
What does malware want to do to defeat the AV and NGFW among other things:
- Download and execute code
- interact with C^2 (command and control systems)
- persist
- Hide
- Steal
Powershell can do all of this
.lnk contains Powershell in properties
Vawtrak (which is an Office macro) Since a phish with an Office macro can be used to social engineer a user to open the macro button on their computer.
Also add password on a word file to “protect it”
With a specific Vawtrak attack it can obfuscate and bypass some of the informational messages. You can create a fileless malware – and even if you do not have Powershell it will install it.
Ransomware can be embedded into a .ps1 executable file. the executable will create encrypted files with a specific RSA key (making it very difficult to unencrypt)
And then all the files will be renamed as well.
Then there are also Powerworms which use Office macros and Powershell.
Sometimes the malware will create some Tor traffic to obfuscate it’s Command and control connections. Or the traffic will run over https which encrypts the communications.
Also the Powershell can be run in hidden mode on the local infected computer.
Because the diagram is so small to see I created a larger image with the same information:
So in a nutshell Powershell malware properly constructed can run under the new firewall inspection.
The defenders have to know that there is no foolproof solution – the NGFW is nice and will cover more attacks, but there are always new attacks that will bypass even the NGFW system.
What can be done to find even the “new” Powershell malware?
Remember security is never solved, just mitigated.
Contact Us to discuss your defense strategy.
