Network Segmentation, Security and RedSeal

Over the last few decades, many network security architecture products have come to market, all with useful features to help secure networks. If we assume that all of these security products are deployed in operational networks, why do we still see so many leaks and breaches?

Some say the users are not leveraging the full capabilities of these products – which is true.

Other say the users are not fully trained on how to use the product. Also true, and probably why they’re not using the full capabilities of their products.

Instead, we might benefit from remembering a basic truism: We humans are lazy.

Most of us, if offered a button that simply says “fix,” will convince ourselves that it will fix any network problem. We’ll buy that button every day of the week.

Our belief in fix buttons has led to a situation where many of us aren’t following standard security practices to secure our networks. When a network is designed or when you inherit a network, there are some basic things that should be done.

One of the first things to do is isolate, or segment, your network.  Back in the 1990s, network segmentation was done more for performance reasons than security. As we moved from hubs to large, switched networks, our networks have become flat, with less segmentation. Today, once attackers get in, they can run rampant through a whole enterprise.

If we take the time to say, “Let’s step back a second,” and group our systems based on access needed we can avoid much trouble. For instance, a web server most likely will need access to the internet and should be on a separate network segment, while a workstation should be in another segment, printers in another, IoT in one of its own, and so on.

This segmentation allows better control and visibility. If it’s thought out well enough, network segmentation can even reduce the number of network monitoring security products you need to deploy. You can consolidate them at network choke points that control the flow of data between segments versus having to deploy them across an entire flat architecture. This also will help you recognize what network traffic should and should not be flowing to certain segments based on that network segment’s purpose.

This all seems to make sense, so why isn’t it done?  In practice, network segmentation is usually implemented at the start. But, business happens, outages happen, administrators and network engineers are under enormous pressure to implement and fix things every day. All of this causes the network design to drift out of compliance. This drift can happen slowly or astonishingly fast. And, changes may not get documented. Personnel responsible for making the changes always intend to document things “tomorrow,” but tomorrow another event happens that takes priority over documentation.

Network segmentation only works if you can continuously ensure that it’s actually in place and working as intended. It is usually the security teams that have to verify it. But, as we all know, most security and networking teams do not always have the best partnerships. The network team is busy providing availability and rarely has the time to go back and ensure security is functioning.

Even if the security teams are checking segmentation in large enterprises, it is a herculean effort. As a result, validating network segmentation is done only yearly, at best. We can see how automating the inspection of the network security architecture is a clear benefit.

RedSeal enables an automated, comprehensive, continuous inspection of your network architecture. RedSeal understands and improves the resilience of every element, segment, and enclave of your network. RedSeal works with your existing security stack and network infrastructure (including cloud and SDN) to automatically and continuously visualize a logical model of your “as-built” network.

RedSeal’s network modeling and risk scoring platform enables enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital and virtualized world, and to overcome one of the main enemies of cybersecurity – human nature.

Leading Federal Cybersecurity Experts Agree: Federal Agencies Need Integrated and Automated Approach

Recently RedSeal hosted its annual Federal Customer Forum. One of the panels featured a discussion with several luminaries in the federal government cybersecurity ecosystem. The topic: the importance of the integration and automation of cybersecurity operations.

Those present were:

  • Wayne Lloyd, RedSeal (Moderator)
  • Kevin Phan, Splunk
  • Tim Jones, ForeScout
  • Wade Woolwine, Rapid7
  • John America, Mystek Systems

The following questions and answers were lightly edited for better comprehension:

Why is integration and automation important in defending against cyberattacks?

Not enough time to manage cybersecurity. The mundane tasks use up all the people and there is stuff to do afterwards. Humans need to focus on high level actions. Let the tools talk together and that will increase speed to resolution and limit damage. Attacks are automated by hackers, so defense needs to be automated, too.

Are security vendors doing enough to integrate with each other to support their customers’ needs? If so what have you seen work well? If not, what should we as an industry be doing better?

No. No one vendor does it all, and often have trouble integrating with others, so customers need to do a better job integrating solutions from different vendors or hire a managed security services provider.

When it comes to securing IoT devices, where does responsibility lie? Is it with the manufacturer, the user, or both?

Most say that there should be shared responsibility. Devices should be patchable and upgradable. “Know your network” is hard with IoT. There are many, many more endpoints to worry about. Organizations need to develop safe processes for adding IoT to the networks, and segment them onto less secure networks. Organizations need to develop a patching strategy generally, but specifically for IoT devices.

There was a recent example where drones were purchased by the DOD. It turns out that the chips had been white-label manufactured by Huawei in China. These drones were exfiltrating data without user’s knowledge to parties unknown. This kind of supply chain issue is going to be a bigger problem going forward.

If you were to go into an organization that is standing up a new, from scratch, security stack, what capabilities would you recommend they choose?

Detection is important, but how do you trust the decisions that the software makes? You need to get to the raw, unfiltered data. Also, the key is to set up network segments to prevent intruders from roaming freely across your infrastructure. Third, you need to set up hunt teams to proactively search for those intruders. Fourth, setting up a continuous config management process that inventories unpatched software is mandatory now. Penetration testing is useful, but penetration testers usually quit after they find a way in. What about the other thousands of vulnerabilities that they didn’t find?

Good cybersecurity teams are always looking to tear down silos. Bad ones stick to themselves. Hackers are known for sharing code, tools and vulnerabilities, so it seems obvious that cybersecurity teams should do the same. NOCs and SOCs are starting to talk more, which is a good thing, however cloud and dev ops teams seem to be still off on their own. Executive priorities still drive decision making, and no one can prevent those decisions from creating security issues. Cyber teams need to be stewards of data. Implement CIS 20 and set up a risk management framework.  Use table top exercises to train and improve execution, rather than focus on checkboxes and processes.

It appears that you cannot truly protect yourself if you are not using integrated products. Does it make sense to keep buying solutions piecemeal or should security teams look for packages that already integrate?

Most systems integrators do a good job integrating various cybersecurity tools in government. The private sector is much less advanced in this area. Most commercial companies get technologies then push them to a managed services provider.

Do you see threat intelligence playing a big role with federal customers in protecting their networks?

It’s notable that the same old threats pop up all the time. What is unknown is the scary part of the day. For threat detection, we need a faster and faster process of identification, integration and remediation. Hackers share data. We need a better understanding of where the whole threat environment is coming from. That said, we need to protect high value assets (HVA) first. That means mapping out access from HVAs. The average detection time nowadays is 170 days, so you had better set up your organization for maximum resilience. Attacks are now coming from POS systems and, famously, a fish tank in a Las Vegas hotel.

Being Digitally Resilient in the Face of HIDDEN COBRA

Watch Video: RedSeal and Hidden Cobra Overview, Use Cases and Demo


On November 17th, the United States Computer Emergency Ready Team (US-CERT), in conjunction with the FBI, released a pair of advisories about the North Korean hacking and espionage campaign code named HIDDEN COBRA. The latest advisories describe two pieces of malware called Volgmer and FALLCHILL, which have been actively used to attack enterprises and other commercial entities in the US. Since 2013, organizations in the aerospace, telecommunications, and finance industries have been targeted with spear phishing campaigns.

The US-CERT advisories provide both a detailed analysis of how the underlying malware packages function as well as the detection signatures and the observed IP addresses of the command and control (C2) infrastructure. This data can be used to detect the malware on your network and sever access to its controllers (Volgmer C2 IP Addresses: CSV STIX; FALL CHILL C2 IP addresses: CSV STIX). US-CERT’s previous HIDDEN COBRA advisories from June also reveal several vulnerabilities (CVEs) that North Korean threat actors are known to target and exploit.

This article will describe how the Volgmer and FALLCHILL malware operate, what they target, how they infect those targets, the potential impacts of these infections, and effective mitigation and remediation strategies to protect your enterprise.

Summary of Suggested Actions:

  1. Identify and eliminate outbound network traffic to the C2 infrastructure.
  2. Perform a risk-based prioritization of vulnerabilities to patch on accessible and high-risk endpoints
  3. Run RedSeal’s incident response query to efficiently isolate and contain any observed indicators of compromise.

About the Volgmer and FALLCHILL Malware

Both malware packages are Windows binaries consisting of executable files and DLL counterparts able to be run as a Windows service. The primary method of attack has been through targeted spear phishing campaigns that trick victims into opening malicious attachments or clicking links leading to malicious websites exploiting browser-based vulnerabilities.


The Volgmer package contains four distinct modules, a “dropper”, two remote administration tools (RATs), and a botnet controller.

  • The Volgmer dropper, a Windows executable, creates a Windows registry key containing the IP address of external C2 servers. It then installs its payload (either a RAT or the botnet controller), achieving stealthy persistence by overwriting an existing Windows service DLL with the payload. Finally, it can clean up after itself and remove all traces.
  • The RAT payload, after achieving persistence on the infected Windows machine, communicates back to its C2 infrastructure over ports 8080 or 8088. The RAT enables the attacker to take over the infected computer, executing arbitrary code and exfiltrating data.
  • The botnet controller can direct the activity of other compromised computers to orchestrate DDoS attacks.


The FALLCHILL malware is a remote administration tool demonstrating a heightened degree of sophistication in its ability to remain hidden, as well as an advanced communication mechanism with its C2 infrastructure. FALLCHILL masquerades as a legitimate Windows service randomizing across seemingly innocuous service names. It generates fake TLS traffic over port 443, hiding the C2 commands and communications in the TLS packet headers, which then get routed through a network of proxy servers.

Figure 1: US-CERT visualization of how FALLCHILL communicates with HIDDEN COBRA threat actors


How the Malware Spreads and Impact of Infection

Although both malware packages are primarily distributed via targeted spear phishing campaigns, they have also been observed on malicious websites. This increases the chances for opportunistic drive-by-download infections. These targeted attacks have been seen in the US aerospace, telecommunications, and financial services.

A successful infection will result in the HIDDEN COBRA threat actors having persistent access to and control over compromised computers. The remote administration tools allow them to modify the local file system, upload files, execute files or any arbitrary code, as well as download anything on the file system. The result is that attackers will have a hidden backdoor to your system and can execute any arbitrary code. Thus, in addition to being able to exfiltrate local files such as documents directories or Outlook databases, the infection establishes a beachhead into the rest of the network from which future breaches can be staged.

General Mitigation Advice

Enterprise security organizations can take several steps to mitigate the risk of a successful spear phishing or drive-by-download infection. In the past few years, attackers have, with increasing frequency targeted end user workstations to exfiltrate local data and establish a beachhead into the rest of the corporate network. As a result, it is increasingly important to expand vulnerability management programs to include regular scans of workstations and laptops followed by timely patching of any discovered vulnerabilities. Employees, particularly executives and those exposed to sensitive or proprietary data, should be trained on practicing good email hygiene and being vigilant for possible phishing attacks. User workstations should be configured according to the principle of least privilege, avoiding local administrator level access where possible. Additionally, the US-CERT also advises limiting the applications allowed to execute on a host to an approved whitelist, to prevent malware masquerading as legitimate software.

RedSeal Can Increase Resilience and Decrease Risk

RedSeal users can decrease their risk of exposure by identifying, closing, and monitoring access from their networks to the HIDDEN COBRA C2 infrastructure. Moreover, in the event of a detected IOC, RedSeal allows you to accelerate incident investigation and containment to mitigate the impact of an infection.

1. Identify and close any existing outbound access to the C2 infrastructure

The first step is to make sure you eliminate or minimize outbound access from your networks to the HIDDEN COBRA C2 infrastructure. Since the C2 IP addresses point at proxies across the world that relay commands and data to and from the threat actors, many are associated with legitimate entities whose servers have been exploited, or commercial hosting providers whose servers have been rented. To locate access from the inside of your network to any given C2 address from the advisory, use RedSeal’s security intelligence center to perform an access query from an internal region to the internet, and in the IPs filter box, enter the IP address from the US-CERT data.


Figure 2: Running an Access Query from the Security Intelligence Center from internal to C2 Infrastructure


Figure 3: Access query results shown on map, showing existing access from internal assets to external THREAT COBRA infrastructure


With the results of the access query, the next step is to create additional controls such as firewall or routing rules to block access to the relevant IP address at your perimeter. To decide where to introduce such controls, you can run a RedSeal detailed path query to generate a visual traceroute of the offending access path(s) and identify which devices are along those paths and can be used to close access.


Figure 4: Detailed Path result identifying all network devices and relevant config locations mediating access from an internal asset to the HIDDEN COBRA infrastructure


2. Verify vulnerability scan coverage and perform a risk-based prioritization of vulnerabilities

The HIDDEN COBRA campaign has been known to use a set of five CVEs (CVE-2015-6585; CVE-2015-8651; CVE-2016-0034; CVE-2016-1019; CVE-2016-4117) as the vector for infection. These CVEs include several browser-based vulnerabilities for the Adobe Flash and Microsoft Silverlight plugins as well as a Korean word processing application. It is important to note that while these are the vulnerabilities known to be targeted in the wild to deliver Volgmer or FALLCHILL, any known or unknown Windows-based vulnerability that allows arbitrary code execution and/or privilege escalation can be used as part of a future spear phishing campaign. While it is crucial to locate and remediate the above CVEs first, it is important to perform a vulnerability scan of user workstations for all such vulnerabilities, not just the five enumerated ones.


Figure 5: Using the Security Intelligence Center to execute a Threat Query to reveal which vulnerable assets are directly exploitable from the Internet


After importing the results of a vulnerability scan, vulnerability managers can first verify whether the scanner’s coverage was complete and identify any areas on the network missed by the scanner. This is accomplished by looking for all “Unscanned Subnets” model issues (MI-7) within your RedSeal model. A subsequent detailed path query from the scanner to the unscanned subnet will reveal whether and why access is blocked.

Next, you can perform a risk-based prioritization of the vulnerable hosts to ensure that the highest risk vulnerabilities are remediated first. The CVEs known to be actively exploited by the HIDDEN COBRA threat actors should be patched or otherwise mitigated first. A good start is to target the vulnerabilities that are on hosts that are accessible from untrusted networks, such as the Internet or a vendor’s network.

Since the malware attempts to establish a hidden Windows service with RAT capabilities, the next vulnerabilities to target for remediation are those that are directly or indirectly accessible and exploitable from any potentially compromised host. To find them, a RedSeal threat query can reveal all vulnerable hosts exploitable from a compromised endpoint on your network.


Figure 6: Visual results showing direct (red) and indirect (yellow) threats to the rest of the enterprise from a compromised host.


Figure 7: Threat Query results identifying vulnerable hosts threatened by the compromised endpoint

3. Investigate and contain existing IOCs

Finally, you can achieve greater resilience by accelerating your response to detected indicators of compromise and contain compromised systems while working to eliminate the infection. UC-CERT released several detection signatures to identify potentially compromised systems. By leveraging RedSeal’s incident response query directly or from our integrations with major SIEMs like QRadar, ArcSight, and Splunk, you can quickly assess the potential impact of a compromise and identify the mitigating controls necessary to isolate and contain it. The query allows incident responders to rapidly discover and prioritize by value all assets that are accessible from the vulnerable endpoint. A subsequent detailed path query between the vulnerable endpoint and a downstream critical asset will reveal all network devices mediating access and where controls such as firewall rules can be deployed to reduce downstream risk.


Figure 8: Incident Response query showing accessible groups and assets from the source of an indicator of compromise



The HIDDEN COBRA campaign is sophisticated, recently showing increases in intensity and variety of methods used. Defenders need to be resilient to minimize enterprise risk, efficiently mitigate damage, and recover from a successful compromise.  RedSeal can help you achieve resilience in the face of these changing threats — by assessing ways to block outbound access to C2 nodes, by locating vulnerable and high risk internal machines, and by speeding the investigation of any detected indicators of compromise.


Uber Hack: A Bad Breach, But A Worse Cover-Up

The Uber hack is a public lesson that a breach may be bad, but a cover-up is worse.  (See Nixon, Richard.)  It was a foolish mistake to try to hide an attack of this scale, but then, the history of security is a process where we all slowly learn from foolish mistakes.  We live in an evolutionary arms race – our defenses are forced to improve, so the attackers mutate their methods and move on.  Academically, we know what it takes to achieve ideal security, but in the real world, it’s too expensive and invasive to be practical.  (See quantum cryptography for one example.)  Companies rushing to grow and make profits (like Uber) aggressively try to cut corners, but end up finding out the hard way which corners cannot safely be cut.

It’s likely that the stolen data was, in fact, deleted.  Why?  On the one hand, we would likely have seen bad actors using or selling the data if it were still available.  That is, from the attacker’s point of view, data like this is more like milk than cheese – it doesn’t age well.  Many breaches are only detected when we see bad guys using what they have stolen, but nobody has reported a series of thefts or impersonations that track back to victims whose connection is that they used Uber.

But we can also see that the data was likely deleted when we think about the motives of the attackers.  Our adversaries are thoughtful people, looking for maximum payout for minimum risk.  They really don’t care about our names, or trip histories, or even credit card numbers – they just want to turn data into money, using the best risk-reward tradeoff they can find.  They had three choices: use the data, delete it, or both (by taking Uber’s hush money, but releasing the data anyway).  The problem with “both” is thieves are worried about reputation – indeed, they care more about that than most.  (“To live outside the law, you must be honest” – Bob Dylan.)   Once you’ve found a blackmail victim, the one thing you don’t do is give up your power over them – if the attackers took the money but then released the data anyway, they could be sure Uber would not pay them again if they broke in again.  The cost/benefit analysis is clear – taking a known pot of money for a cover-up is safer and more repeatable than the uncertain rewards of using the stolen data directly.

What Equifax Tells Us About Cybersecurity

What Equifax Tells Us About Cyber Security

By Richard A. Clarke

This month it is Equifax. Previously it was Yahoo and before that Target. Each new breach seems to set a new record of how many pieces of personal identifiable information have been compromised. It is easy to get inured to these news stories, especially since the media generally does not deduce any lessons from them. Many people come away thinking that data breaches are just something that we have to accept. But do we? What are we to take away from these recurring stories about huge hacks?

I have been working on cybersecurity for two decades now, initially from the White House and now in the private sector. Here is what I think should be our reaction to the Equifax story and similar breaches.

First, it is not impossible to secure major networks. Some companies and government agencies have quietly achieved sufficiently secure networks that they do not experience major data losses. It is, however, not easy to achieve.

Second, the essential ingredient to securing a network is not software or hardware. It is people – trained and skilled people. This country has an extreme shortage in such personnel. Despite the good salaries that are available in cybersecurity, there is a mismatch between what colleges are producing and what is needed. Colleges are simply under-producing cybersecurity graduates. There are hundreds of thousands of vacant jobs and even more positions that are being filled by under qualified staff.

Most colleges produce computer science majors or have graduate programs, however, they do not require education in cybersecurity as a condition for obtaining those degrees. Although it is sometimes derided by computer science faculty as too much like a “trade” and insufficiently academic, the truth is that cybersecurity is more difficult than basic computer science. Cybersecurity skills are built on top of knowledge about computer science.

In the absence of a focused and funded national initiative to significantly increase the number of cybersecurity trained graduates, corporations and government agencies will continue to fail at securing sensitive data.

Third, securing networks is expensive. Most companies spend only 3-5 percent of their Information Technology budget on security. These are the companies that get hacked. Most corporations have never properly priced in the cost of cybersecurity to their overall cost of doing business. There is a popular misconception in the business world about what it costs to run a major network. The original cost of security for a network was relatively low in the 1990s when most companies began building out their information technology infrastructure. The threat environment was significantly more benign then than it is now. Moreover, the security products available in the 1990s were limited to relatively inexpensive anti-virus, firewalls, and intrusion detection/prevention systems.

Today’s large networks require encryption, network discovery, threat hunting, data loss prevention, multifactor authentication, micro-segmentation, continuous monitoring, endpoint protection, intelligence reporting, and machine learning to detect and prioritize anomaly alarms. Corporations can no longer accurately be described in categories such as airlines, banks, or hospitals. They are all more accurately thought of as computer network companies that deal in aircraft, money management, or patients. If your company cannot do its business when your network goes down, then you are first and foremost an information technology company, one that specializes in whatever it is you do.

Fourth, because almost every American has now had their personally identifiable data stolen in one of these breaches, it should no longer be acceptable to use (or request) social security numbers, dates of birth, mother’s maiden names, and other publicly available identifiers to authenticate a user. Stop using them. Alliances of corporations should develop other, more advanced forms of identification that they would all use. In the jargon of the tech world, what we need are federated (more than one company employing it), multi-factor authentication. Even the government could use one or more of such systems, but if the government creates it there will be push-back from those fearing government abuse of civil liberties.

Finally, many companies and executives in them will continue to mismanage corporate cybersecurity and divulge sensitive data in the absence of significant penalties for failure. Today, even CEOs who are dismissed because of data breaches walk away with eye watering bonuses and severance packages. They do not suffer personally for their failure as managers.

Former White House cybersecurity official Rob Knake has observed that oil companies only got serious about oil spill prevention when they began to be fined based on the number of gallons that they spilled. He suggests that we hit companies that lose personally identifiable data with a heavy penalty for each bit of data compromised. In addition, companies should be required by federal law (not by the existing hodge-podge of conflicting state laws) to notify the government and individuals promptly when data has been compromised.

In sum, major cyber breaches do not have to be a regularly occurring phenomenon. They can be significantly reduced if we as a nation have a program to produce many more trained cybersecurity professionals, if corporations appropriately price in the cost of security, and if there are real financial consequences for companies that spill personal data into the hands of criminals and hostile nations.

Richard A. Clarke was Special Advisor to the President for Cybersecurity in the George W. Bush Administration and is the author of eight books including CYBER WAR.

Protecting PHI, Challenges and Solutions for Healthcare

Protecting PHI, Challenges and Solutions for Healthcare

What is data worth? On the surface, it is just a bunch of 1s and 0s on a hard drive. Most users don’t think about or even fully understand data. Their cell phones work, email is at their fingertips, and a friend is just a video chat away. But, enormous companies are built using data. Data is a big driver of economy, advertising, and business decisions. On the darker side, data is a target for attackers, who find a large market for it.

When it comes to personal data, is your credit card or your health information worth more? According to the Ponemon Institute[i], health records have sold for $363 per record — more than the price of stolen credit cards and service account credentials combined! 2015 was known for healthcare mega-breaches. It’s estimated that half of US citizens’ medical information is available for purchase, with 112 million records becoming available in 2015. Supply and demand works here, too. Due to the large number of records available on the black market, the price has dropped significantly in recent months. This doesn’t mean the healthcare industry is out of the woods. According to McAfee Labs[ii], healthcare attacks are increasing even though the average price per record is dropping.

Personal health information (PHI) is attractive because it lasts longer and is more difficult for victims to protect. Unlike the credit card industry, the healthcare industry hasn’t come up with a good way to stop and prosecute fraudulent charges. If you see your credit card is used by someone else, you can call up and have the charges reversed and a new card issued. This isn’t the case with your PHI. Likewise, it is more difficult to see if your PHI was used to buy drugs or equipment. How often do you check your medical bills compared to your credit card statements? Additionally, PHI opens the door for attackers to steal victims’ identity, or buy and sell medical equipment and drugs with the stolen information. Because they have such valuable information, healthcare organizations must take an active role in protecting their data, yet not close it down so tightly they can’t remain in business.

Recently, I went on Shodan, a search engine that scours the internet and gathers information about all connected devices. It isn’t secret; anyone can use it to search for vulnerable devices. In the US alone, I found hundreds of devices belonging to organizations that handle sought-after health information. These organizations used insecure protocols, services, and software with known exploits — illustrating the seriousness of this problem.

The healthcare industry must overcome the same challenges other industries face. It is only unique in the value of its data. Lack of finances, expertise, and time all compound the problem. I call this the Security Triangle (a spinoff of the Project Triangle). You have expertise, time, and finances and you only get two. RedSeal can help healthcare organizations balance out this security triangle. When a healthcare organization installs RedSeal, the automation it provides will free up their experts to handle other pressing issues.

RedSeal will parse through the configurations of multiple vendors and visualize all paths from the internet to the inside of your network. RedSeal offers a single pane of glass for your network, vulnerabilities, best practice checks, and policies, to simplify the understanding of information flows. You can set up RedSeal to alert you if your organization is at risk from an insecure protocol being accessible to the web. Without RedSeal, this process is painstakingly manual, requiring a great deal of time and resources to fully understand.

With RedSeal in your network, you can ensure that your organization’s policies are followed. If there are any changes that increase the risk to the organization, the dashboard will alert you. Organizations that keep medical data can set up policies to alert them if internet devices can directly access medical records, or if they can leapfrog into the network through some other server. Normally this requires a plethora of tools or manual labor, making the process complex. Once configured, RedSeal will automatically check policies to ensure access to critical systems remain as configured. If new access is introduced, the dashboard will alert you — saving time and resources, and freeing up your experts to more urgent tasks.

Healthcare organizations using RedSeal can automate manual tasks and improve security, freeing up their resources to take on more urgent matters — saving lives.



Keep Up with the Basics

RedSeal Blog - Keep Up with the Basics

I just came across a WSJ Pro article titled “Inside the NSA: Companies Need to Follow the Basics,” and figured I could offer an “amen.” The NSA gets points for seeing things clearly – but then, I suppose that is their job, whether we like it or not! The area they discuss isn’t easy to write about; in fact, it’s similar to the challenge that investment magazines face. Every month, they have to write about what’s new and interesting as if it will help readers make money, when the best advice is rather boring — buy and hold.  What are these magazines supposed to do?  Make another cover article out of “Indexing – Still the Great Deal It’s Always Been?”

The same thing happens in network defense. Props to Rob Sloan, the author (and WSJ Pro) for making news out of the point that what we need to do is go back to the basics, and do them well … and then do them well again.  The biggest challenge we face in defending our networks is just getting around to doing all the things we already know how to do. Our enemies don’t need to be James Bond villains in super-secret lairs with super-weapons – we leave out many “Welcome to Our Network” mats in the form of unpatched systems and easily evaded perimeters.

The article clearly lays out what we need to do to up our defensive game: first, we have to pay attention to the basics. Second, we have to pay attention to the basics. And yes, third, we have to pay attention to the basics (just like “location, location, location” for real estate). We’re all overwhelmed, but as the article points out, 98% coverage for any given issue isn’t good enough. We need to prioritize and find the 2% we missed, by gathering all our inventory, not just most of it, and testing every asset.

And then, after all that preventative work, we still need to plan for digital resilience. Resilience starts from all that inventory, and mapping of how your business functions and what is critical in your infrastructure. After that, it’s about hardening. And after that, it’s about testing your readiness so you can bounce back from the inevitable assaults. This is exactly what the RedSeal Digital Resilience score measures. We directly quantify the quality of your inventory, then look at hardening, and then at attack readiness.

So, I value the NSA’s perspectives, as reported in the article. The folks at NSA are among the government’s thought leaders for digital resilience. While government execution of cyber ideas isn’t above criticism, their networks are some of the very biggest, and their adversaries are some of the most motivated.  For folks in the intelligence community, it’s not paranoia – people really are out to get them, and they plan accordingly.  We should listen to their advice.

Vulnerabilities: The Weeds of Your Digital Terrain

RedSeal Blog - Vulnerabilities - The Weeds of Your Digital Terrain

In the warmer months when I’m not traveling I often get up early and wander my property pulling and spraying weeds. This is an endless and thankless task, yet a necessary evil to preserve my investment and maintain appearances. I am amazed how quickly weeds grow and by the places they find purchase. In just a few days, given the right conditions whole beds can be overtaken.

A few days ago I was meandering about my yard wondering why I don’t have a gardener when it struck me. My own personal battle for yard supremacy provides a great parallel to the efforts of cybersecurity professionals. It occurred to me that vulnerabilities are the weeds of the digital terrain. They are constantly popping up in the strangest places; you can never seem to get them all; and they can quickly get out of hand if you let your attention slip.

Just like weeds, all vulnerabilities are not created equal. Their type, and more importantly their location, are factors we need to consider. The poison ivy at the far end of the property where no one goes is a concern, but far less of one than the poison ivy on the kids’ play set. In the digital terrain, this is the equivalent of vulnerabilities on assets that don’t provide access to critical data verses those that do — whether directly or via pivot attacks. So, it’s not the type of vulnerability that’s important, it’s the exposure that vulnerability delivers to critical resources that is the true cause of risk. The common practice of focusing on CAT1 vulnerabilities is inherently flawed, since the severity of the vulnerability has little to do with the risk it causes for the organization.

People have been fighting weeds since the first crops were sown sometime around 9000 BC. We know weeds and have developed many tools to fight them, yet they persist. We pull them, spray them and set up lines of defense for them to cross. Sound familiar? This is akin to patching, firewalls, and micro segmentation.

I’m making two points here: first and most importantly I need a gardener, but also it is worth reminding ourselves that vulnerabilities aren’t going away anytime soon. Regardless of how much effort you put in, you’ll never have the necessary resources to patch them all. A better strategy is to prioritize what you patch based on the actual risk it causes for your organization. A CAT1 vulnerability isolated by firewall rules provides little risk, but that CAT3 vulnerability exposed directly to the internet may provide a beachhead that exposes your most important data and systems. To quote the old adage, we need to work smarter not harder. For cyber, that means moving from a patch-based methodology to one that focuses on risk.

Advice from Hackers at Black Hat

At the recent Black Hat USA conference, CIO asked 250 self-identified hackers for their opinion on security solutions. The answers are a good indicator for what works to protect your organization. Of all the technologies out there, the responders identified multi-factor authentication and high-level encryption as the two that are hardest to get past – 38 and 32 percent, respectively – making them the two best tools an organization can use to thwart attackers. The lesson? Your organization should invest in multi-factor authentication and strong encryption for data at rest and data in motion to make the attackers’ job much more difficult.

Another surprising revelation – more than 90 percent of respondents find intrusion prevention systems, firewalls, and anti-virus easy to overcome. This is because attackers use technologies to encode their payload (i.e. disguise their software so it isn’t detected). They also realize that it is much easier to ‘hack’ the weakest link, the human element. Let’s say an attacker shows up and tells the receptionist she has an interview. Then the attacker explains, with an exasperated look on her face, that she didn’t have time to swing by a print shop to print her resume. The attacker then asks the receptionist to print it. As human beings, we feel empathy and we want to help. The receptionist sticks the USB drive into a computer, finds the resume, and prints it – firing off the payload attached to the USB document.

Does this mean that the money and man hours spent on firewalls, intrusion prevention systems, and antivirus is wasted? The answer is no. These technologies help thwart the most basic and greatest number of automated attempts at breaking into your organization. The example I used above is called a social engineering attack. Attackers will put together payloads and either email them out, attach them to resumes and apply for jobs, or physically go to your location and drop USBs on the ground. In fact, 85 percent of those surveyed prefer these types of attacks because of how successful they are. Each of these attacks makes your perimeter security useless. CIOs and ISOs need to harden the internal security of their organization as well. They need to train their employees for these types of attacks, tell them what to look out for, and breed an environment where it is okay and even expected to challenge people.

Understanding your network and the actions that attackers take to compromise your environment will help your organization develop contingency plans. These contingency plans will help your organization maintain a resilient network. You can’t just protect your network and expect that to be enough anymore. The question all leaders in security should be asking is, “what do we do when an attacker gets in and how do we lessen the damage done to our organization?”

That is the beginning of building a resilient network.

Defense Medical Communities Face Digital Resilience Challenges

Last week in Orlando, I attended the Defense Health Information Technology Symposium (DHITS) conference. This is one of the best attended, most cohesive trade shows I have been to in years. One of the eight break-out tracks was entirely devoted the challenges of securing defense health networks and the medical devices that connect to them. It was overdue proof that the Defense Health Agency (DHA) community is recognizing the importance of cybersecurity.

The seven cyber sessions were:

  • Risk Management Framework
  • Cybersecurity- Decisions, Habits and Hygiene
  • Are You Cybersecurity Inspection Ready?
  • Incident Response: Before, During and After the Hack- How
  • MHS Medical Device Integration and Security: Details Matter
  • RMF Requirements and Workflows for Medical Devices with the DOD
  • Security for Connected Medical Devices

Clearly, the defense health community is paying a lot of attention to medical devices as a source of vulnerabilities.  According to a DHA presentation at the conference, 80% of all successful cyber incidents can be traced back to poor medical device user practices, poor network and management practices, and poor implementation of network architecture.

Medical devices are easy to access on internal networks and device owners are not sure how to secure the devices or the networks.

Everyone tries to lock down the devices. There are thousands of devices in a large hospital. They can’t be 100% secure. They need networks that are digitally resilient, that find devices and non-compliant configurations. Only then can they mitigate the risk to defense health systems. Even though the Defense Health Agency is a new organization, it’s slowly taking over the IT responsibilities of various defense health organizations. As these networks are consolidated into a new network, Med-COI, there has been a tendency to focus on “getting the job done.” To avoid future issues, DHA needs to prioritize understanding what current risks they’re bringing into this new network.

The good news is that all the attendees I spoke with and who dropped by RedSeal’s booth agreed that these were challenges that needed to be addressed.

For more information on how RedSeal can assist with building digital resilience in the Defense Health community, please contact Matt Venditto at