Common Entry Points #6 – Open Ports and Services

During significant weather events like hurricanes or blizzards, government officials and meteorologists strongly advise residents to remain indoors unless it’s absolutely essential to venture out. This precaution is grounded in a straightforward rationale: the dangers posed by such storms are substantial, and without a compelling reason, exposing oneself to these risks is unwarranted. Despite these warnings, some individuals still choose to take the unnecessary risk of venturing out into severe weather. While some may manage to navigate these conditions safely, others unfortunately end up as cautionary tales reported in the news. The current internet threat landscape is akin to a storm that is frequently underestimated or ignored.

Exposing Yourself to Unnecessary Internet Risk

Most businesses naturally avoid unnecessary risks that could jeopardize their operations. However, many still leave themselves vulnerable to external threats by maintaining open internet access. This vulnerability manifests in two ways: incoming and outgoing traffic.

Not every system requires internet connectivity. For example, users logging onto a Windows domain controller have no need for internet access there. Activities like browsing websites or checking web-based email should be restricted to workstations. The same privileges required to log onto a domain controller can be inadvertently handed to malware if that user downloads it, leading to potential security breaches. While Windows servers do require Windows updates, these can be delivered via a WSUS server, which keeps Windows update traffic local. As with venturing out in a storm, there are few situations that justify outgoing internet access for a critical server.

Although outgoing internet access may be discretionary for numerous servers, for certain essential servers like SMTP, FTP, and web application servers, exposure to incoming internet traffic is often inevitable. However, this applies to ‘some’ critical servers, not all. It’s crucial to conduct a risk assessment to identify which assets require internet exposure and to devise strategies for their adequate protection.

The Vulnerability of Default Configurations

Knowing in advance what your adversary is going to do makes it a lot easier to strategize against them. Unfortunately, when the default port is used, attackers can easily predict which port an internet-facing service, protocol or application is listening on. Some ports are popular amongst attackers due to their widespread use, accessibility, potential for data exposure, and history of vulnerabilities that have been exploited for malicious purposes. Services such as RDP (3389), MSSQL (1433) and SMB (445) lead the list of attractive entry points, but they are also very easy to block, since none of them should be reachable from the internet at all.

Adhering to these default configurations undermines your security measures in several ways:

  • It exposes your network to a higher risk of automated attacks, with bots relentlessly scanning for open default ports.
  • It makes it difficult to distinguish between legitimate traffic and potentially malicious activity.
  • Relying on default configurations may reflect a broader tendency towards complacency in security practices.

Whether in a sports competition or a cyberattack, an adversary is attacked at the weakest point of its position. Default ports are a common weak link in the chain of many security postures. Consider the risk if every remote or mobile employee used a default password for their VPN connection. While not identical in risk level, employing default ports similarly lowers the barrier for attackers seeking network access. To draw from a sports analogy, using default ports is the equivalent of spotting the other team five points in a pickup game of basketball.

A Couple of Classic Examples

At CYREBRO, we frequently encounter incidents in which a significant security lapse within organizations is attributed to an avoidable internet-facing service or port. It’s well-known that threat actors aim for sensitive data, often making databases their prime targets.

  • In one notable case led by CYREBRO’s DFIR Team Leader, Eden Naggel, our Digital Forensic and Incident Response (DFIR) team found that the MSSQL service on a client’s internet-facing application server was set to receive inbound traffic via its default port, 1433. This risk was further heightened by a weak database administrator password, creating an opportunity for a threat actor to successfully carry out a brute force attack on the local administrator password and gain access to internal data.
  • In another case, unrelated to the above, CYREBRO faced an incident involving a successful brute force attack on a client’s internet-facing server, specifically targeting the domain Administrator account. Upon deeper examination of firewall and Windows event logs, it was identified that SMB, accessible through port 445, remained open for inbound connections from the internet. Seizing this vulnerability, an attacker exploited the open service, launching a brute force attack on various generic accounts. Their persistence bore fruit as they successfully gained entry to the domain Administrator account, capitalizing on a weak password.

Strategies to Strengthen Your Security Posture

Certain servers have no business being accessible from the internet. Those that must be should be fortified with security strategies that can very easily prevent the first step of a serious incident.

  1. Employing a robust firewall strategy is a fundamental element of a comprehensive cybersecurity approach to safeguard against external threats. For any internet-facing service or port, it is crucial to implement a firewall that uses rules and policies to control and restrict incoming traffic to the minimum necessary (least privilege), rather than relying on default settings.
  2. Implementing conditional access policies offers an additional layer of protection for your corporate network. These policies can enforce measures such as Multi-Factor Authentication (MFA) integration or geolocation restrictions, which automatically block access attempts from specified regions. Both can significantly fortify your network against unauthorized access.
  3. Another method is application whitelisting, a default-deny approach that only allows pre-approved software and applications to run. This can significantly reduce the risk of malware infections. By blocking unauthorized programs by default, it narrows the attack surface and provides a robust defense against external threats and zero-day exploits.
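As an added illustration of the least-privilege firewall review in point 1 (example code written for this post, not a CYREBRO tool), the script below walks a constructed firewall rule export and flags inbound allow rules that expose RDP, MSSQL or SMB to non-RFC1918 sources, or that open a very wide port range to the internet. The rule tuple format and the constructed rules are assumptions for the example.

```python
import ipaddress

# Ports the post names as never belonging on the internet (constructed policy list).
NEVER_INTERNET_PORTS = {3389: "RDP", 1433: "MSSQL", 445: "SMB"}

# RFC1918 ranges; any source network not fully inside one of these is treated
# as reachable from the internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall rule export: (name, direction, action, source, dst_port).
# dst_port is a single port or an inclusive "low-high" range.
RULES = [
    ("allow-web", "in", "allow", "0.0.0.0/0", "443"),
    ("allow-rdp-any", "in", "allow", "0.0.0.0/0", "3389"),
    ("allow-sql-corp", "in", "allow", "10.20.0.0/16", "1433"),
    ("allow-all-mgmt", "in", "allow", "0.0.0.0/0", "1-65535"),
    ("block-smb", "in", "deny", "0.0.0.0/0", "445"),
    ("allow-out-updates", "out", "allow", "10.0.0.0/8", "443"),
]

def port_range(spec):
    """Parse '443' or '1-65535' into an inclusive (low, high) tuple."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def reaches_from_internet(source):
    """True unless the source network sits entirely inside an RFC1918 range."""
    net = ipaddress.ip_network(source, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE)

def review_rules(rules):
    """Return (rule_name, reason) findings for inbound allow rules that
    expose never-on-the-internet services or a broad port range."""
    findings = []
    for name, direction, action, source, ports in rules:
        if direction != "in" or action != "allow" or not reaches_from_internet(source):
            continue
        lo, hi = port_range(ports)
        exposed = [f"{p}/{svc}" for p, svc in NEVER_INTERNET_PORTS.items() if lo <= p <= hi]
        if exposed:
            findings.append((name, "exposes " + ", ".join(exposed) + " to the internet"))
        if hi - lo >= 1000:
            findings.append((name, f"broad port range {ports} open to the internet"))
    return findings

if __name__ == "__main__":
    for name, reason in review_rules(RULES):
        print(f"{name}: {reason}")
```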

Leveraging MDR and Outside Expertise

Unfortunately, cyberattacks are going to be lodged against you despite your best efforts. Managed Detection and Response (MDR) can detect external attacks by continuously monitoring network traffic, login attempts, and system behaviors for patterns indicative of such attacks. This includes repeated failed login attempts from a single IP address or across multiple accounts. Utilizing advanced analytics, AI, and threat intelligence, MDR solutions can quickly identify and alert on anomalous activities, enabling rapid response to mitigate potential breaches and safeguard against unauthorized access attempts.
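The two failed-login patterns named above, as an added example that is not part of the original post or any CYREBRO product: a small detector that reads constructed log lines shaped like Windows Security event 4625 (logon failure) and raises a brute-force finding when one source hammers a single account, or a password-spray finding when one source tries many accounts within a five-minute window. The line format, thresholds and sample IPs are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines modelled on Windows Security event 4625 (logon failure):
# "<ISO timestamp> 4625 src=<ip> user=<account>".
SAMPLE_LOG = """\
2024-03-01T02:00:01 4625 src=203.0.113.7 user=administrator
2024-03-01T02:00:03 4625 src=203.0.113.7 user=administrator
2024-03-01T02:00:05 4625 src=203.0.113.7 user=administrator
2024-03-01T02:00:07 4625 src=203.0.113.7 user=administrator
2024-03-01T02:00:09 4625 src=203.0.113.7 user=administrator
2024-03-01T02:01:00 4625 src=198.51.100.9 user=admin
2024-03-01T02:01:02 4625 src=198.51.100.9 user=backup
2024-03-01T02:01:04 4625 src=198.51.100.9 user=sqlsvc
2024-03-01T02:01:06 4625 src=198.51.100.9 user=helpdesk
2024-03-01T09:30:00 4625 src=10.20.1.15 user=jdoe
2024-03-01T09:30:30 4625 src=10.20.1.15 user=jdoe
"""

FAILS_PER_ACCOUNT = 5     # one source repeatedly failing against one account
ACCOUNTS_PER_SOURCE = 4   # one source failing against many different accounts
WINDOW = timedelta(minutes=5)

def parse(log):
    """Return time-sorted (timestamp, source_ip, account) tuples for 4625 lines."""
    events = []
    for line in log.splitlines():
        ts, event_id, src, user = line.split()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), src[len("src="):], user[len("user="):]))
    return sorted(events)

def detect(log):
    """Return sorted (source_ip, finding) pairs for activity inside WINDOW."""
    findings = set()
    events = parse(log)
    for i, (t0, src, _) in enumerate(events):
        # All failures from this source within WINDOW of event i.
        window = [e for e in events[i:] if e[1] == src and e[0] - t0 <= WINDOW]
        per_account = defaultdict(int)
        for _, _, user in window:
            per_account[user] += 1
        if len(per_account) >= ACCOUNTS_PER_SOURCE:
            findings.add((src, "password spray across %d accounts" % len(per_account)))
        for user, n in per_account.items():
            if n >= FAILS_PER_ACCOUNT:
                findings.add((src, "brute force on %s (%d failures)" % (user, n)))
    return sorted(findings)

if __name__ == "__main__":
    for src, finding in detect(SAMPLE_LOG):
        print(src, finding)
```

The two low-volume failures from 10.20.1.15 stay below both thresholds, which is the noise a real rule also has to tolerate.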

However, not all businesses possess the in-house expertise or budget to implement and maintain a SOC backed MDR system. Consequently, many turn to external security providers like CYREBRO for support. Proficient in MDR and SOC operations, CYREBRO excels in continuous security monitoring and implementing the latest security practices. We adeptly identify potential risks and attacks, enabling quicker threat neutralization and enhancing your cybersecurity posture.

Conclusion

Maintaining vigilant oversight of your infrastructure is a relentless, 24/7 task, as attackers only require a brief lapse (like an overlooked internet-facing port) to breach your defenses. Implementing a robust defense-in-depth strategy, which includes firewall configurations, web application firewalls (WAF), and endpoint security solutions, is crucial for thwarting unauthorized access. This comprehensive approach, reinforced by an MDR’s continuous monitoring and detection that also handles all incoming alerts and investigation, forms the cornerstone of a winning strategy to safeguard your business.