The Nightmare After Christmas


This past year was a brutal one for cybersecurity professionals, between mega-credential dumps, massive breaches, increasingly sophisticated and rapidly changing attacker techniques, the web (and routers!) awash in cryptocurrency miners, content delivery network (CDN) takeovers enabling at-scale card skimming, nigh unstoppable and continuously evolving banking trojans, and scads more internet-connected devices becoming drones in planetary-wide botnets.

As you read through that list, you likely said in your best CISO Scrooge voice, “Speak comfort to me, hrbrmstr!”

To wit, I would reply in my best Marley voice, “I have none to give.”

In this, I feel a bit like Jack Skellington in “The Nightmare Before Christmas”:

I’m sick of the scaring, the terror, the fright.

I’m tired of writing ’bout groups that do hack in the night.

I’ve disdain for attackers who are just out of reach.

There must be more to life than just yelling, “Breach!”.

Alas, unlike the Pumpkin King, I’m not allowed to commit the serious felonies of kidnapping a magical toymaker/distributor and stealing their identity to make myself feel better. But what I can do is share some of said dismay with you to help you prepare for 2019 (aka the Nightmare After Christmas). Even if you’ve seen the animated feature, you may not be aware that it stemmed from a poem by Tim Burton. While we won’t do a reprise of 2016’s featurette, I will draw upon some of that Burton prose to scare (er, prepare) you for what’s to come.

Act I: Prepare for the phishing onslaught

‘Twas the nightmare after Christmas, and in all the orgs,

Not a CISO was peaceful, but nor were they bored.

Their servers delivered emails here and there,

That when opened this day would cause quite a scare!

According to data from the Anti-Phishing Working Group, we can expect to deal with increased levels of phishing attacks in the first part of the new year. In fact, it’s a bona-fide seasonal trend:

Phishing is still the primary means of entry for attackers, and until those economics change, you’ll need to continue to focus on crafting clever attacker awareness messaging, teaching employees and contractors in your care how to spot a phish, and bolstering your email phishing defenses.

Act II: Leave the IoT at home and watch out for IoT bots

Unaware that these Things could be misdirected,

Employees gifted gadgets, each internet-connected.

Both CEO Susie and CIO Dave;

brought their Echos to work (voice commands they did crave).

And CFO Neeman was all in a rush

To set up corporate WiFi on his connected toothbrush;

Facilities said it was time to replace

All displays, corporate-wide, yes, all over the place;

So they yanked out the old and substituted with new

“Smarter” ones (with Netflix and Hulu).

At Rapid7, we talk a lot about the IoT (which we try to call “internet-enabled devices/tech”), and for good reason: People are adding microphones, cameras, CPU, memory, networking, and full-fledged operating systems to everything from personal care products to dinner table utensils to shoe inserts.

Shadow IT was bad enough when it was just employees violating corporate acceptable use policies and using their favorite personal apps and cloud services at work. Now, you’d be hard-pressed to find an office anywhere in the modern world without multiple voice assistant smart speakers, one or more smart televisions (most of which have sensors and mics and likely run some bygone version of Android OS), smart watches, and more connected to the corporate WiFi (or, if you’re lucky, “just” guest WiFi).

Internet-connected “things” are almost invisible inside an organization, and attackers get tons of practice finding and compromising these devices on the public internet. Take Hikvision products, for example. Our latest Sonar scan found over 1.5 million of these cameras/surveillance systems on the internet:

Vast numbers of them are deployed with very weak configurations, and these devices have had their share of vulnerabilities over the years.

While cameras have been an easy target to pick on ever since Mirai hit the scene back in 2016, “weak” would be a good word to describe almost any internet-connected “thing” you stick in your home or workplace (even the industrial-scale ones).

You should run discovery scans for these devices regularly and watch for egress connections to well-known networks and cloud providers associated with them. Watch out for devices with microphones and cameras, especially in workplace areas where sensitive matter may be discussed.
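As an added illustration of that advice (example code, not from the original post or from Rapid7): take the output of a discovery scan as a small inventory, then audit an egress flow log for two things the post warns about, “things” sitting on the corporate network rather than guest WiFi, and “things” talking to destinations other than their vendor’s expected cloud. All inventory rows, network ranges, vendor endpoints (the `.test` names are placeholders) and flow records are constructed.

```python
# Added example: audit discovery-scan inventory plus egress flows for
# internet-enabled devices. Every value below is constructed sample data.
import ipaddress

# Constructed discovery-scan result: IP -> (vendor from MAC OUI, category).
INVENTORY = {
    "10.10.5.23": ("hikvision", "camera"),
    "10.10.5.40": ("amazon", "smart-speaker"),
    "10.10.7.12": ("dell", "workstation"),
    "192.168.50.8": ("samsung", "smart-tv"),
}
CORPORATE_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # guest WiFi is elsewhere
IOT_CATEGORIES = {"camera", "smart-speaker", "smart-tv"}
# Constructed placeholder endpoints standing in for each vendor's real cloud.
EXPECTED_EGRESS = {
    "hikvision": {"cloud.example-hikvision.test"},
    "amazon": {"alexa.example-amazon.test"},
    "samsung": {"tv.example-samsung.test"},
}

def on_corporate_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def review_flows(flows):
    """flows: iterable of (src_ip, dst_host, dst_port). Returns findings as
    (src_ip, finding_type, detail) tuples; non-IoT sources are ignored."""
    findings, reported_corp = [], set()
    for src, dst, port in flows:
        vendor, category = INVENTORY.get(src, (None, None))
        if category not in IOT_CATEGORIES:
            continue
        # Report a "thing" on the corporate segment once, not per flow.
        if on_corporate_net(src) and src not in reported_corp:
            reported_corp.add(src)
            findings.append((src, "iot-on-corporate-net", category))
        # Anything outside the vendor's expected endpoints deserves a look.
        if dst not in EXPECTED_EGRESS.get(vendor, set()):
            findings.append((src, "unexpected-egress", f"{dst}:{port}"))
    return findings

# Constructed egress flow log: (source IP, destination host, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.23", "cloud.example-hikvision.test", 443),
    ("10.10.5.23", "198.51.100.77", 23),       # camera speaking telnet to an unknown host
    ("10.10.5.40", "alexa.example-amazon.test", 443),
    ("10.10.7.12", "198.51.100.77", 443),      # workstation: out of scope here
    ("192.168.50.8", "tv.example-samsung.test", 443),  # TV on guest WiFi, expected cloud
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

On the sample data this yields two corporate-segment findings (the camera and the smart speaker) and one unexpected-egress finding for the camera’s telnet connection; the TV on guest WiFi talking to its expected endpoint is silent.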

Finally, the Hikvision chart should give you some pause. That’s just one type of internet-enabled device with a widespread internet presence, of which a large portion serves dual masters: those who want to look at their surveillance cameras and the bot operators who really own them. These bots are using denial-of-service (DoS) attacks and spam/phishing campaigns (among many other nefarious things). Don’t contribute to these toxic internet wastelands by wittingly (or unwittingly) putting your own weak kit out there.

Act III: Duck and cover

There were packets of terror, CISO Jack did not glance,

For he was much too involved with PCI compliance;

Jack finally peered thru the cyber-teams’ window

And saw the commotion; monitors all aglow!

“Why, they’re celebrating, it looks like such fun!

They’re pleased with all the SOX control work we’ve done!”

But what he thought was elation and patting of backs

Were malware infections combined with DoS attacks.

There’s no question you’re going to be busy in 2019. It’s highly likely you’ll be dealing with the following:

Continued battling against cryptominers in-browser and in-device

Further and rapid evolution of the Emotet trojan, which is already pretty advanced

Significant increases in CDN takeovers (aka Magecart) that go beyond payment card data as targets

Attackers aiming at far more under-the-radar protocols in use by myriad under-the-radar devices/services to hide/mine/move

A resurgence of breaking and entering and exfiltrating, especially if cryptocurrency markets keep bottoming out

Bottom-feeders with advanced digital weaponry as the time delay between hand-me-downs from nation-states to script kiddies ratchets down to nigh 0

This is a lot to deal with, but perhaps there are some words of comfort I can leave you with.


To end on a high[er] note, while the attackers still clearly have the advantage, we defenders have real evidence that focusing on the fundamentals works. We finally have a usable, meaningful, and tangible knowledge base of adversary tactics and techniques based on real-world observations. We have massive amounts of threat data, threat information, and—dare I even say—threat intelligence that we finally need to start sharing better in 2019. Armed with this tool chest, we should be able to make great strides in the coming year and begin to turn the tide together.

There’s a lot more, blog reader, that I’d like to say,

But now I must hurry, for it’s almost Christmas day.

So as I :wq! on this tome, with a wink of an eye,

I say “Merry Christmas,” and bid ye goodbye.
