Commonly Exploited Protocols: Server Message Block (SMB)
The COVID-19 pandemic and the shift to telework environments have changed the way many enterprises do business. The Server Message Block (SMB) protocol – a proprietary Microsoft Windows communication protocol mainly used for file and printer sharing – has made the transition from the workplace to the “home office” easier by allowing users to access files via a remote server.
While attacks on exploitable protocols like SMB have been happening for years, the increase in telecommuting has opened up a whole new playing field for cybercriminals. Poorly secured network protocols and services are basically an open invitation for attackers. And, if there’s one thing that remains the same over time, it’s that cyber-attackers – if given the opportunity – will target what’s easily accessible. It’s a no-brainer.
In response, the Center for Internet Security (CIS) developed guidance, Exploited Protocols: Server Message Block, to help enterprises mitigate these risks.
Server Message Block Attacks
While SMB has many benefits, one of the biggest is the ease of having files in a central location for multiple users to access. This can be helpful for employees who work remotely and need access to files that are maintained or managed on their enterprise’s network. While the convenience of SMB technology is great, security needs to be a priority.
SMB vulnerabilities have been around for 20+ years. In general, most cyber-attacks involving SMB do not occur because an enterprise failed to procure an expensive tool or application, but rather because there was a failure to implement best practices surrounding SMB.
In 2017, EternalBlue, an exploit used against a vulnerability in SMB v1.0, set the stage for some of the most intrusive and impactful malware in cybersecurity history. Among the malware that used the EternalBlue exploit are WannaCry (ransomware) and Emotet (Trojan), both of which can self-propagate throughout a network, causing widespread damage.
While some of these threats may no longer be relevant today, it is important to note that as new threats emerge, they will continue to use similar attack techniques to exploit a system or network. The recent SolarWinds attack is a good example of this, as it too exploited the SMB protocol.
Exploited Protocols: Server Message Block leverages security best practices from the CIS Controls and secure configuration recommendations from the CIS Benchmarks to help enterprises implement and secure the use of SMB.
There are several direct mitigations for securing SMB, many of which are low or no cost to an organization:
- Update and Patch Against SMB Vulnerabilities
- Block SMB at the Network Level
- Restrict and Protect SMB at the Host Level
- Use Secure Authentication Methods for SMB
- Protect Data and Use Encryption for SMB
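The mitigations above are the kind an administrator can check and apply on a Windows host in a few minutes. The following script is an added example, not part of the CIS guide or the CIS Benchmarks, and it covers the host-level ones: it audits the SMB server and client configuration (SMBv1 enabled, signing not required, encryption off, insecure guest logons allowed, port 445 open inbound on the Public firewall profile, age of the last installed update) and, when run with `-Apply`, sets the hardened values. The rule name `Block inbound SMB (Public)` and the 30-day patch-age threshold are assumptions chosen for this example. It uses only standard `SmbShare`, `NetSecurity` and `Dism` cmdlets and needs an elevated session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the CIS guide): audit, and optionally harden, a host's SMB settings.
# Run without switches to report findings; run with -Apply to enforce the desired state.
[CmdletBinding()]
param(
    [switch]$Apply   # audit only unless this switch is given
)

# Desired SMB server state. Each setting maps to one of the direct mitigations listed in the post.
$Desired = @{
    EnableSMB1Protocol       = $false   # retire SMB1 (the dialect EternalBlue targeted)
    RequireSecuritySignature = $true    # secure authentication: signed sessions resist tampering
    EncryptData              = $true    # protect data in transit with SMB 3.x encryption
    RejectUnencryptedAccess  = $true    # refuse clients that cannot negotiate encryption
}
$FirewallRuleName = 'Block inbound SMB (Public)'   # assumed name for the rule this script manages
$MaxPatchAgeDays  = 30                             # assumed threshold for "patching is current"

function New-Finding($Scope, $Setting, $Actual, $Expected) {
    [pscustomobject]@{ Scope = $Scope; Setting = $Setting; Actual = $Actual; Expected = $Expected }
}

function Get-SmbHardeningFindings {
    $findings = @()

    # Host level (server): compare live configuration to $Desired.
    $server = Get-SmbServerConfiguration
    foreach ($name in $Desired.Keys) {
        if ($server.$name -ne $Desired[$name]) {
            $findings += New-Finding 'SmbServer' $name $server.$name $Desired[$name]
        }
    }

    # Host level (client): signing required, no silent fallback to guest when credentials fail.
    $client = Get-SmbClientConfiguration
    if (-not $client.RequireSecuritySignature) {
        $findings += New-Finding 'SmbClient' 'RequireSecuritySignature' $false $true
    }
    if ($client.EnableInsecureGuestLogons) {
        $findings += New-Finding 'SmbClient' 'EnableInsecureGuestLogons' $true $false
    }

    # SMB1 binaries still installed even if the protocol is disabled? (feature name on client SKUs)
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        $findings += New-Finding 'Feature' 'SMB1Protocol' 'Enabled' 'Disabled'
    }

    # Network level: is there an enabled inbound block rule for TCP/445 on the Public profile?
    $blockRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Block -ErrorAction SilentlyContinue |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Where-Object { (Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_) |
                       Where-Object { $_.Protocol -eq 'TCP' -and @($_.LocalPort) -contains '445' } }
    if (-not $blockRules) {
        $findings += New-Finding 'Firewall' 'Inbound TCP/445 (Public)' 'Allowed' 'Blocked'
    }

    # Patching: age of the most recent installed update.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $last -or ((Get-Date) - $last.InstalledOn).Days -gt $MaxPatchAgeDays) {
        $actual = if ($last) { $last.InstalledOn.ToShortDateString() } else { 'unknown' }
        $findings += New-Finding 'Patching' 'LastUpdateInstalled' $actual "within $MaxPatchAgeDays days"
    }

    return $findings
}

function Invoke-SmbHardening {
    Set-SmbServerConfiguration @Desired -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableInsecureGuestLogons $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    if (-not (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
    # Patching is not automated here: review Get-HotFix output and your update channel.
}

$findings = Get-SmbHardeningFindings
if ($findings.Count -eq 0) {
    Write-Host 'No SMB hardening findings.'
} else {
    $findings | Format-Table -AutoSize
}
if ($Apply) {
    Invoke-SmbHardening
    Write-Host 'Hardening applied; re-run without -Apply to verify. A reboot completes SMB1 removal.'
}
```

Two points to weigh before using `-Apply` in production. `RejectUnencryptedAccess` together with `EncryptData` turns away any client that only speaks SMB 2.x, so inventory clients (`Get-SmbSession` and `Get-SmbConnection` show the negotiated dialect per session) before enforcing it; and blocking 445 on the Public profile only is deliberate, since domain file servers still need it reachable on the Domain profile while a laptop on home Wi-Fi should never accept inbound SMB. Legacy printers or NAS devices that still require SMB1 will stop working once the feature is removed, which is the point, but it should be planned.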
The guide breaks down each mitigation, explains the importance of securing SMB (from an attack perspective), and introduces related CIS Controls and/or CIS Benchmarks. It also provides additional supportive controls for protecting against and detecting SMB-based attacks.
By implementing the direct mitigations and supporting controls introduced in Exploited Protocols: Server Message Block, enterprises can confidently strengthen their cybersecurity posture while protecting their assets.