Real-World Stories of Cyber Threats: Security Lessons from Seven Cases

admin, 2023-10-19 14:12:00

In the ever-evolving landscape of cybersecurity, attackers are always searching for vulnerabilities and exploits within organizational environments. They don't just target single weaknesses; they're on the hunt for combinations of exposures and attack methods that can lead them to their desired objective.

Despite the presence of numerous security tools, organizations often have to deal with two major challenges. First, these tools frequently lack the ability to prioritize threats effectively, leaving security professionals in the dark about which issues need immediate attention. Second, these tools often fail to provide context about how individual issues come together and how attackers can chain them to reach critical assets. This lack of insight can lead organizations to either attempt to fix everything or, more dangerously, address nothing at all.

In this article, we delve into 7 real-life attack path scenarios that our in-house experts encountered while utilizing XM Cyber's Exposure Management Platform in customers' hybrid environments throughout 2023. These scenarios offer valuable insights into the dynamic and ever-changing nature of cyber threats.

From intricate attack paths that require multiple steps to alarmingly straightforward ones with just a few steps, our research unveils a staggering reality: 75% of an organization's critical assets can be compromised in their current security state. Even more disconcerting, 94% of these critical assets can be compromised in four steps or fewer from the initial breach point. This variability underscores the need for the right tools to anticipate and thwart these threats effectively.

Now, without further ado, let's explore these real-life attack paths and the lessons they teach us.

Case #1

Customer: A large financial company.

Scenario: Routine customer call.

Attack Path: Exploiting DHCPv6 broadcasts to execute a Man-in-the-Middle attack, potentially compromising around 200 Linux systems.

Impact: Compromise of numerous Linux servers, with potential for data exfiltration or ransom attacks.

Remediation: Disabling DHCPv6 and patching vulnerable systems, along with educating developers on SSH key security.

In this scenario, a large financial company faced the threat of a Man-in-the-Middle attack due to unsecured DHCPv6 broadcasts. The attacker could have exploited this weakness to compromise approximately 200 Linux systems. This compromise could have resulted in data breaches, ransom attacks, or other malicious activities. Remediation involved disabling DHCPv6, patching vulnerable systems, and enhancing developer education on SSH key security.

Case #2

Customer: A large travel company.

Scenario: Post-merger infrastructure integration.

Attack Path: A neglected server with unapplied patches, including those for PrintNightmare and EternalBlue, potentially compromising critical assets.

Impact: Potential risk to critical assets.

Remediation: Disabling the unnecessary server, reducing overall risk.

In this scenario, a large travel company, following a merger, failed to apply critical patches on a neglected server. This oversight left it exposed to well-known vulnerabilities such as PrintNightmare and EternalBlue, potentially jeopardizing critical assets. The solution, however, was relatively straightforward: disabling the unnecessary server to reduce overall risk.

Case #3

Customer: A large healthcare provider.

Scenario: Routine customer call.

Attack Path: An attack path leveraging the permissions granted to the Authenticated Users group, potentially leading to domain admin access.

Impact: Complete domain compromise.

Remediation: Prompt removal of the permissions that allowed the path to be modified.

In this scenario, a large healthcare provider faced the alarming prospect of an attack path that exploited permissions held by the Authenticated Users group, potentially granting domain admin access. Swift action was imperative, involving the prompt removal of the permissions that made the path possible.

Case #4

Customer: A global financial institution.

Scenario: Routine customer call.

Attack Path: A complex path involving service accounts, SMB ports, SSH keys, and IAM roles, with the potential to compromise critical assets.

Impact: Potentially disastrous if exploited.

Remediation: Swift removal of private SSH keys, resetting of IAM role permissions, and removal of users.

In this scenario, a global financial institution faced a complex attack path that leveraged service accounts, SMB ports, SSH keys, and IAM roles. The potential for compromise of critical assets loomed large. Swift remediation was necessary, involving the removal of private SSH keys, resetting IAM role permissions, and removing users.

Case #5

Customer: A public transportation company.

Scenario: Onboarding meeting.

Attack Path: A direct path from a DMZ server to domain compromise, potentially leading to domain controller compromise.

Impact: Potential compromise of the entire domain.

Remediation: Restricting permissions and removing users.

In this scenario, a public transportation company discovered a direct path from a DMZ server to domain compromise, which could ultimately have led to the compromise of the entire domain. Immediate remediation was crucial, involving the restriction of permissions and the removal of users.

Case #6

Customer: A hospital with a strong focus on security.

Scenario: Routine customer call.

Attack Path: An Active Directory misconfiguration allowing any authenticated user to reset passwords, creating a wide attack surface.

Impact: Potential account takeovers.

Remediation: Active Directory security hardening and a comprehensive remediation plan.

This scenario unveiled a hospital's exposure due to an Active Directory misconfiguration. The misconfiguration permitted any authenticated user to reset passwords, significantly expanding the attack surface. Remediation necessitated Active Directory security hardening and the implementation of a comprehensive remediation plan.
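
Cases 3 and 6 both come down to rights that Active Directory grants to every authenticated user. The following PowerShell audit is an added example, not code from the article or from XM Cyber; it assumes the RSAT ActiveDirectory module on a domain-joined host and lists ACEs that give Authenticated Users, Everyone or Domain Users password-reset or write/ownership control over users, groups and OUs.

```powershell
# Added audit example (not from the article or from XM Cyber). Assumes the RSAT
# ActiveDirectory module on a domain-joined host; read access is enough, so running
# it as an ordinary domain user shows exactly what "any authenticated user" can do.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# SIDs that effectively mean "every domain user": Authenticated Users, Everyone, Domain Users.
$broadSids = @('S-1-5-11', 'S-1-1-0', "$($domain.DomainSID)-513")

# Extended right User-Force-Change-Password: reset a password without knowing the old one.
$forceChangePwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$extendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Rights that let the holder take over the object outright or rewrite its security descriptor.
$takeoverRights = 'GenericAll|WriteDacl|WriteOwner|GenericWrite'

$objects = Get-ADObject -SearchBase $domain.DistinguishedName `
    -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit))'

$findings = foreach ($obj in $objects) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable (orphaned) SID: not one of the broad principals
        if ($sid -notin $broadSids) { continue }

        # Password reset: ExtendedRight scoped to User-Force-Change-Password, or to all extended rights.
        $canReset = (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
                    ($ace.ObjectType -eq $forceChangePwd -or $ace.ObjectType -eq [guid]::Empty)
        $canTakeOver = $ace.ActiveDirectoryRights.ToString() -match $takeoverRights
        if (-not ($canReset -or $canTakeOver)) { continue }

        $issue = if ($canReset) { 'Any user can reset the password' } else { 'Any user has write/ownership control' }
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Issue     = $issue
            Inherited = $ace.IsInherited   # inherited entries point at an OU- or domain-level ACE to fix
        }
    }
}

$findings | Sort-Object Issue, Object | Format-Table -AutoSize
```

Inherited hits usually trace back to a single ACE on an OU or on the domain head, which is where the fix belongs; a hit on a privileged group (GenericAll, WriteDacl or WriteOwner) is the kind of finding that Case 3 describes and should be removed first.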

Case #7

Customer: A major shipping and logistics company.

Scenario: Routine customer call.

Attack Path: An intricate attack path from a workstation to Azure, potentially compromising the entire enterprise environment.

Impact: Potential compromise of the entire enterprise environment.

Remediation: User role adjustments and remediation of the identified issues.

In this scenario, a major shipping and logistics company uncovered an intricate attack path that could have allowed attackers to compromise the entire enterprise environment. Remediation required adjustments to user roles and the thorough remediation of the identified issues.

The Big Takeaway

The common thread in these scenarios is that each organization had robust security measures in place, adhered to best practices, and believed it understood its risks. However, each viewed those risks in isolation, which created a false sense of security.

Luckily, these organizations were able to gain a context-based understanding of their environments with the right tools. They learned how individual issues can and do intersect, and thus prioritized the necessary remediations to strengthen their security posture and mitigate these threats effectively.

Originally published on the WeChat public account 知机安全: 网络威胁的现实故事:七个案例的安全教训

Reprinted by CN-SEC中文网 (please keep this link when reposting): https://cn-sec.com/archives/2127456.html