The intent of this ICER report is to systematically assess the configurations of internet-connected services to make a generalized assessment of current levels of exposure in the United Kingdom.
One of the underlying assumptions we make is that the set of organizations in our analysis are well-resourced and technically capable. Our findings of exposure within this group might suggest that other smaller and less-well equipped groups are likely comparably or more exposed.
The data we collect for this report originates from Project Sonar, which performs internet-wide surveys across numerous services and protocols to identify exposure to common vulnerabilities, as well as Project Heisenberg, which is an unadvertised network of honeypots that should not receive any legitimate internet traffic.
Exposure
Using Sonar, we searched for publicly exposed systems and services in the FTSE 250+ organizations. We found that on average, each organization exposed about 35 services. Each of these exposed services expands the attack surface. When we segmented the data, we also found quite a bit of variation of degrees of exposure across different sectors.
Phishing
Phishing remains one of the most commonly leveraged attack vectors. One method to minimize the threat of phishing is to utilize Domain-based Message Authentication, Reporting, and Conformance (or DMARC). DMARC allows organizations to signal when emails originate from authorized senders and to manage malicious emails. We can examine DMARC records to determine if organizations are in fact using DMARC.
Our analysis revealed that 70% of the FTSE 250+ have not implemented DMARC in any form.
SSL/TLS
In another thread of analysis, we found that 17% of the FTSE 250+ did not automatically upgrade HTTP requests to the more secure HTTPS variant. This potentially leaves visitors exposed to person-in-the-middle attacks. There are a number of issues with this, but one particular issue is the General Data Protection Regulation (or GDPR) does de facto impose an expectation that data transmissions are secured. Allowing visits using HTTP instead of HTTPS potentially allows for unsecured data transmissions.
System Compromise
By examining Heisenberg data, we found evidence of quite a few connections originating from various sectors of the FTSE 250+ - a situation that should not be manifesting unless there are cases of system compromise or misconfiguration. When we dug deeper, we found further evidence suggesting impact by SMB-related malware like WannaCry, DNS denial of service attacks, and credential brute-forcing.
--
We’ll conclude now with some tips for organizations in the UK derived from our analysis of the FTSE 250+ organizations.
First, aim to reduce your attack surface. The fewer exposed services there are, the fewer opportunities there are for malicious actors to exploit. Understandably, some services do need to be exposed, but if so, ensure there are measures in place to minimize risk - such as vulnerability management programs or active monitoring practices.
Second, given the persistent prevalence of phishing, we suggest that organizations implement DMARC as a means to minimize the danger posed by phony, phishy emails. It reduces risk to outside organizations that yours engage with, and it also makes it trickier to spoof your internal emails.
Third, check that visits to your domains are automatically upgraded from unsecure HTTP requests to the more secure HTTPS variant. It’s both good practice and necessary for GDPR compliance.
Fourth, given that our Heisenberg honeypots picked up activity originating from the FTSE 250+, it’s probably worth checking on egress filters that could block undesirable outbound traffic.
--
We covered a lot in this brief Whiteboard Wednesday, but there’s still plenty more detail in the full ICER report.
Hop on over to our website at Rapid7.com if you’re interested in seeing the complete ICER UK report.
If you have any questions, feel free to contact us by email at research@rapid7.com.
Hopefully some of these tidbits are useful to you. We wish you luck in better securing your organization.
