Cyber Security Tip:
Detecting Attacks Over Low-Traffic Ports
Last year, cyber security experts witnessed an increase in the number of encrypted web application, highly targeted phishing and ransomware attacks.
IoT (Internet of Things) attacks also increased by 217.5 percent when compared with 2017 numbers.
In the wake of vulnerabilities like Spectre, Meltdown, Foreshadow, and PortSmash, threat researchers have identified processor vulnerabilities as a major security concern for hardware and software technologies. Even more worrisome is the rise in the number of attacks delivered via non-standard ports. Cybercriminals are increasingly trying to penetrate networks via low-traffic ports — ports that are seldom monitored and rarely used by web applications. Attackers use such ports to anonymize their attacks and conceal malicious payloads upon delivery.
The Rise of Attacks via Non-standard Ports
Based on a study of over 700 million malware attacks, the SonicWall Cyber Threat Report shows that 19.2 percent of malware attacks now use non-standard ports. The number of attacks targeting non-standard ports increased from 10.3 million in 2017 to 32.7 million in 2018, indicating that cybercriminals are increasingly using non-standard ports to disguise their payloads.
The targeting of non-standard ports is an increasingly popular tactic for attackers. For instance, WannaCry, one of the worst ransomware attacks in history, aggressively took advantage of a non-standard port (SMB port 445, which was openly exposed to the Internet) to launch attacks and infect other devices on a compromised network.
Why Traditional Proxy-based Firewalls Need an Upgrade
Traditional proxy-based firewalls are usually configured to focus all their attention on frequently used, high-traffic ports such as port 80 and port 443, the standard ports for web traffic. As such, they have their hands full trying to detect and prevent attacks via these ports. On the other hand, organizations rarely dedicate/configure resources to monitor the traffic on non-standard ports as diligently as they do standard ports.
With the widespread adoption/deployment of SaaS applications and IoT devices that increasingly use non-standard ports, cybercriminals are exploiting this weakness to mount attacks via these ports, thus ensuring that their payloads are concealed upon delivery. They now disguise their C2 traffic in areas where traditional firewalls can’t monitor them.
Using non-standard ports to deliver malware is also in vogue because standard security solutions don’t watch UDP ports (used for streaming data such as audio and video transfers) and can’t stop data transfers mid-stream.
What to do: How to Detect, Prevent and Mitigate Attacks via non-Standard Ports
With a growing number of attackers using non-standard ports to mask payloads, organizations should deploy next-gen firewalls that enforce application-specific policies, regardless of the port being used. Such solutions must assume that applications can run on any port and be able to classify traffic by application on all ports at all times.
Next-gen firewall (NGFW) solutions can identify and control applications (including apps using HTTP or other protocols) on any port, not just standard ones. This is because developers no longer use standard protocol-port-application mapping.
A large number of applications (especially SaaS apps and IoT devices) now use non-standard ports or have the ability to change ports, as is the case with instant messaging apps, VoIP and peer-to-peer file sharing.
Deploying a robust network detection/prevention solution that leverages network signatures to detect traffic for particular types of malware can also help detect attacks via non-standard ports. Network data should be analyzed for uncommon data flows, for instance, a client that sends significantly more data that it receives from a server. Doing this will also help detect unknown processes or processes that usually do not have access to or use network communication. Packet contents should also be analyzed to detect communications that do not adhere to standard protocol behavior for the particular port being used.
Another way to mitigate the impact of cyberattacks by unconventional means is to properly configure proxies and firewalls to limit outgoing traffic to only necessary ports. Behavioral threat and data protection solutions utilize port visibility to monitor data transfers and detect anomalous network traffic. Once identified, transfer activities are halted. This allows security experts to analyze suspicious outbound communications and stop sensitive data from leaving the network.
Forward-thinking organizations are implementing stricter parameters and deploying NGFW solutions to monitor/mitigate threats via non-standard ports. With networks containing over 131 thousand ports and most standard security solutions focusing only on HTTP/HTTPS traffic that use ports 80 and 443, today’s sophisticated cybercriminals are beginning to use non-standard ports that aren’t being watched to disguise their C2 traffic.
To survive this latest move in the ongoing cyber warfare, organizations must use proper security tools, solutions, and services to protect their data and customers. Evaluate in-house security solutions and strategies to ensure they’re versatile, intelligent, layered and integrated. Most importantly, you should employ a cyber security strategy that integrates all security point solutions to form a real-time, automated breach detection and protection platform that links reporting, management, analytics, intelligence, and security.