
A cynical look at the standard approach for building infrastructure resilience against cyber-attacks
Despite existing regulations and the security measures organizations have implemented (or at least declared), an increasing number of organizations are falling victim to cyber-attacks. These attacks come in all shapes and colours: compromises of publicly available services, business email compromise, exfiltration of sensitive data, ransomware, cyber espionage, and sabotage of critical infrastructure. The vectors of successful attacks are equally wide-ranging, from simple credential stuffing, exploitation of a known vulnerability in a publicly exposed service, and phishing or spear-phishing email, to chained exploitation of zero-day vulnerabilities in technologies at current patch levels.
The naive expectation is that the attacks with the greatest impact are carried out by an elite APT team using the most sophisticated methods, with an arsenal of malicious code, tools and exploits straight out of a Hollywood movie. In fact, many publicly known cyber-attacks (known either directly or through their secondary consequences) have been and are being carried out through trivial techniques that, in principle, any graduate of a penetration testing or ethical hacking course would recognize.
In our presentation, we demonstrate the most common trivial vulnerabilities that have led to the compromise of organizations and infrastructures of significant importance. These are the vulnerabilities that, in practice, most often cause infrastructure compromise, yet they are frequently not mentioned in penetration test or audit reports at all, or are rated as medium, low, or informational severity.
At the same time, we look at cyber-attacks from the organization's perspective and highlight logical flaws in security architects' thinking when designing infrastructure security, particularly in the context of maintaining regulatory compliance and integrating on-premises infrastructure with the public cloud.
We conclude by suggesting the methods, procedures and mementos that, across a statistically significant sample of the cases we have resolved in practice, we have identified as the measures that make the difference.
Lukáš Hlavička
Lukáš Hlavička, CISSP, GCFA, GXPN, currently serves as the CTO of IstroSec. Previously, he held the positions of Director of DFIR, Director of a governmental CSIRT, and forensic expert. Lukáš has over 15 years of experience in cybersecurity, including leading the government analytical team of a European country's CSIRT and serving as the director of that country's governmental CSIRT team. He is goal-oriented and consistently seeks to assist clients in enhancing their security. His professional interests include digital forensic analysis specializing in targeted cyber-attacks, incident response, infrastructure penetration testing, and Red Team activities. He holds various certifications, including CISSP, GCFA, GCFE, GXPN and CFR, among others.
