Cyber News Roundup

/by

Welcome to our Cyber News Roundup, your go-to source for staying informed about the ever-evolving world of cybersecurity. Staying ahead of the curve is more crucial than ever as cyber threats continue to evolve and adapt at an unprecedented pace.

Each week, we’ll share a curated selection of top stories from around the globe. Whether you’re a seasoned cybersecurity professional, a business owner looking to safeguard your digital assets, or simply someone interested in staying informed about online security issues, our roundup has something for you.

Our team of cybersecurity experts sifts through the noise to deliver concise summaries on the latest in cybersecurity, empowering you to make informed decisions and strengthen your cyber defenses.

 

1. Frontier Communications discloses cyberattack 

US telecom provider Frontier Communications disclosed in an SEC filing yesterday that the company sustained a cyberattack on Sunday, Dark Reading reports. The attack resulted in the theft of personally identifiable information and caused the company to shut down some of its systems. The nature of the attack wasn’t disclosed, but SecurityWeek notes that Frontier’s response to the incident suggests that ransomware was involved. Frontier says it believes “the third party was likely a cybercrime group.” The company added, “As of the date of this filing, the Company believes it has contained the incident and has restored its core information technology environment and is in the process of restoring normal business operations.” (SecurityWeek)

 

2. Texas town repels water system cyberattack by unplugging 

In the face of a cyberattack reportedly linked to Russia that targeted the water system of a small Texan city, one notable action taken was the decision to physically unplug computers from the network. This move, while seemingly simple, played a crucial role in mitigating the impact of the attack and preventing further infiltration into the city’s critical infrastructure. (Bloomberg)

 

3. MITRE’s breach was through Ivanti zero-day vulnerabilities 

The MITRE Corporation is a not-for-profit organization that oversees federally funded research. In a blog post released on Friday the organization stated that it had been breached and reconnoitered by nation-state hackers in January. The group exploited one of its VPNs through two vulnerabilities in Ivanti Connect Secure. In the blog post, MITRE explained that the hackers used a “combination of sophisticated backdoors and webshells to move laterally and harvest credentials.” The organization said, “it followed advice from the government and Ivanti to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure,” adding, “at the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.” (The Record and MITRE blog post

 

4. SafeBreach researchers disclose vulnerabilities in Windows Defender that allow remote file deletion

At the Black Hat Asia conference, SafeBreach cybersecurity researchers Tomer Bar and Shmuel Cohen disclosed vulnerabilities in Windows Defender that allow remote file deletion on Windows and Linux servers, risking data loss and system instability. By inducing false positives in security systems, they demonstrated the potential to bypass security controls and delete crucial files without authentication. The researchers developed a Python tool to discover unique byte signatures in Endpoint Detection and Response (EDR) systems, exploiting these for remote deletions of significant files, including Windows event logs and Microsoft’s own detection logs. Despite Microsoft’s attempt to fix the vulnerability, SafeBreach found the patch partially effective, leaving some attack vectors open and discovering another vulnerability as a bypass. Microsoft acknowledged the findings, implementing measures to minimize false positives and allowing configurations to quarantine remediation actions by default. (GBHackers)

 

5. The White House and HHS update HIPAA rules to protect private medical data

The Biden administration introduced new rules on Monday aimed at protecting the privacy of abortion providers and patients from conservative legal challenges. These regulations, updated by the Department of Health and Human Services (HHS), prohibit healthcare providers, insurers, and related entities from disclosing health information to state officials involved in investigating or prosecuting patients or providers related to abortion services. The updates to the Health Insurance Portability and Accountability Act (HIPAA), originally established in 1996, now address modern challenges in reproductive rights, particularly for those seeking legal abortions across state lines or under special circumstances like rape. These changes, set to take effect in two months, come amid significant concerns about the misuse of private medical data in the charged post-Dobbs legal environment. The new rule also mandates that any requests for health information related to reproductive health must be formally declared as unrelated to criminal investigations or legal actions. (The Record)

 

6. TikTok ban passes the US House

The bill passed as part of a larger foreign aid package by a vote of 360-58. THe House passed a similar standalone TikTok ban last month by a vote of 362-65, but that currently sits stalled in the Senate. Due to the new bill’s ties to allies in Ukraine and Israel, the Senate will likely vote on it much faster. Senate Commerce Committee Chair Maria Cantwell already signed her support of the legislation. The new bill gives ByteDance potentially up to a year to divest of TikTok prior to a formal ban, up from six months laid out in the earlier bill. If it passes the Senate as-is, President Biden already signaled he would sign it into law. (The Verge)

 

7. CrushFTP exposes system files

Security researcher Simon Garrelou reported a vulnerability in the CrushFTP service. All versions of CrushFPT under 11.1 contain the flaw, which for virtual file system escape and access to full system files. CrowdStrike reports seeing the flaw under active exploitation “in a targeted fashion.” CrowdStrike’s intelligence report indicates these attacks represent politically motivated recognizance. CrushFTP released a patch for the flaw, available through its dashboard. (Infosecurity Magazine)

 

8. Medical diagnostic services disrupted by ransomware

The medical diagnostic and testing services provider Synlab Italia announced it suffered a security breach on April 18th. It took all IT systems offline including email and suspended medical services. This impacted 380 labs and medical centers across Italy. It did not impact the rest of the Synlab group, which operates in 29 other countries. Synlab Italia did not confirm if it lost patient data in the attack. No word on any group taking responsibility for the attack. (Bleeping Computer)

 

9. ArcaneDoor hackers exploit Cisco zero-days to breach govt networks

Hackers utilizing previously undiscovered vulnerabilities in Cisco’s firewall products, executed a sophisticated campaign targeting government entities worldwide. Dubbed ArcaneDoor, this operation has been active since November 2023, and is linked to the threat groups UAT4356 and STORM-1849. These groups deployed custom malware for espionage, leading Cisco to issue urgent advisories for updating affected devices to mitigate risks. (Bleepingcomputer)

 

10. Siemens working to fix device affected by Palo Alto firewall bug

Siemens is rushing to fix a bug we reported last week on Cyber Security Headlines, that is affecting its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) virtual next-gen firewalls. The bug in question is a maximum severity zero-day command injection vulnerability (identified as CVE-2024-3400) that affects multiple versions of PAN-OS. Palo Alto said a growing number of attacks are leveraging public proof-of-concept exploit code to deploy a novel Python backdoor. Siemens’ advisory references Palo Alto’s recommendation to disable GlobalProtect gateway and GlobalProtect portal, which they point out are disabled by default in Ruggedcom APE1808 deployments. (Dark Reading)

 

11. Russian hackers claim cyberattack on Indiana water plant

Over the weekend, the threat actor known as the Cyber Army of Russia posted a video on its Telegram channel showing how they hacked systems of the Tipton Wastewater Treatment Plant. Tipton provides the city of Tipton and surrounding areas with electric power, water, and wastewater collection and treatment. An Indiana official confirmed that the plant suffered a cyberattack on Friday evening. Tipton’s general manager, Jim Ankrum, said, “TMU experienced minimal disruption and remained operational at all times.” Security research firm Mandiant recently reported that the Cyber Army of Russia has ties to the Russian state actor, Sandworm, which was responsible for a separate attack on a water facility in Muleshoe, Texas that caused a tank to overflow. (The Record)

 

12. Siemens working to fix device affected by Palo Alto firewall bug

Siemens is rushing to fix a bug we reported last week on Cyber Security Headlines, that is affecting its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) virtual next-gen firewalls. The bug in question is a maximum severity zero-day command injection vulnerability (identified as CVE-2024-3400) that affects multiple versions of PAN-OS. Palo Alto said a growing number of attacks are leveraging public proof-of-concept exploit code to deploy a novel Python backdoor. Siemens’ advisory references Palo Alto’s recommendation to disable GlobalProtect gateway and GlobalProtect portal, which they point out are disabled by default in Ruggedcom APE1808 deployments. (Dark Reading)

 

13. Russian hackers claim cyberattack on Indiana water plant

Over the weekend, the threat actor known as the Cyber Army of Russia posted a video on its Telegram channel showing how they hacked systems of the Tipton Wastewater Treatment Plant. Tipton provides the city of Tipton and surrounding areas with electric power, water, and wastewater collection and treatment. An Indiana official confirmed that the plant suffered a cyberattack on Friday evening. Tipton’s general manager, Jim Ankrum, said, “TMU experienced minimal disruption and remained operational at all times.” Security research firm Mandiant recently reported that the Cyber Army of Russia has ties to the Russian state actor, Sandworm, which was responsible for a separate attack on a water facility in Muleshoe, Texas that caused a tank to overflow. (The Record)

 

14. ArcaneDoor hackers exploit Cisco zero-days to breach government networks

Hackers utilizing previously undiscovered vulnerabilities in Cisco’s firewall products, executed a sophisticated campaign targeting government entities worldwide. Dubbed ArcaneDoor, this operation has been active since November 2023, and is linked to the threat groups UAT4356 and STORM-1849. These groups deployed custom malware for espionage, leading Cisco to issue urgent advisories for updating affected devices to mitigate risks. (Bleepingcomputer)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

From Reactive to Proactive: Transforming Healthcare Cybersecurity Post-Change Healthcare Attack

/by

Change Healthcare, a major player in the healthcare technology sector, fell victim to a ransomware attack in February and is quickly heading towards a billion dollars in loss. The breach disrupted its operations and potentially compromised sensitive patient data. The attackers, ALPHV, also known as BlackCat and Noberus, exploited vulnerabilities in the company’s IT infrastructure, likely through phishing emails or other means, to gain unauthorized access to their systems. This breach not only posed a significant threat to patient privacy but also raised concerns about the integrity of healthcare data and the reliability of essential services.

In the landscape of healthcare, where interconnected IT, operational technology (OT), and Internet of Things (IoT) networks are the norm, it’s inhumanly difficult to understand the whole attack surface.  This is why experts and regulators advise adopting a proactive approach to security with best practices including segmentation – keep separate things apart, so that an attacker cannot easily spread from one place to another.  Defenders of healthcare networks need automated assessment of their defensive posture, to uncover gaps and ensure good hygiene ahead of the next attack.

Healthcare administrators must fortify network infrastructure with stringent policies, including robust password enforcement, firewall configurations, and access controls. Vigilant monitoring and configuration of all connected devices, from medical equipment to personal devices, are imperative. Employing strong encryption further enhances data security, deterring cyber intrusions.

Another best practice is implementing a framework such as NIST and MITRE ATT&CK as part of your comprehensive cyberdefense efforts. Take for example another high-growth healthcare organization. Managing 20,000 clinicians and 150,000 medical devices, taking a proactive approach to network visibility and vulnerability prioritization is critical. As cyberattacks have become more sophisticated, healthcare organizations must be proactive and adopt best practices to, as this health system’s cybersecurity expert put it, “prepare the battle space.” In addition to having a dynamic map of their environment, the health system relies on the MITRE ATT&CK (adversarial tactics, techniques, and common knowledge) framework, a comprehensive knowledge base that gives security personnel key insights into attacker behavior and techniques, to help it prevent potential attacks and keep patient information, payment information, and other key data secure.

Click here to read the full case study

Regular attack surface scans are essential for proactive risk mitigation, providing crucial insights for informed decision-making in cybersecurity strategy development. Prioritizing rigorous testing of all software and device updates is crucial to preempt vulnerabilities.

Secure your healthcare network comprehensively with RedSeal. Our network exposure analytics platform offers dynamic visualization of network ecosystems, empowering organizations to identify and address vulnerabilities efficiently. Partnering with leading infrastructure suppliers, we deliver unparalleled network security solutions and professional services, ensuring robust protection against evolving threats.

Reach out to RedSeal or schedule a demo today.

“Is that what you’re going to say to the auditor?”

/by

Today’s tale from the trench is brought to you by Brad Schwab, Senior Security Solutions Consultant.

 

In the high-stakes world of security operations, one question looms larger than most: Are you sure you’re scanning the entire network? It seems straightforward, but for any team dealing with a network of significant scale, answering this question can be a daunting task.

During a pivotal meeting with stakeholders of a large health organization, the focus was squarely on the performance and security of the network. As discussions turned to the scanning program, the head of security operations confidently outlined the procedures in place to ensure comprehensive scanning—scanning that covered the entire network. Wait, scanning that covered the entire network? This is when my skepticism crept in.

“How do you know you’re scanning the entire network?” I interjected, addressing the elephant in the room. The head of security operations deflected to the head of network operations, claiming his assurance. “[Head of network operations] said I could…” she asserted.

Turning to the head of network operations, I couldn’t resist a quip: “Is that what you’re going to say to the auditor? ‘He said I could’?” Though we shared a solid working relationship, I couldn’t let such a critical issue slide with mere assurance. And it was clear that the others in the room shared my same concerns.

With a blend of humor and seriousness, I delved into the complexities and uncertainties inherent in ensuring comprehensive network scanning. Questions rained down from the attendees, making it clear that a deeper exploration of their scanning protocols was necessary to instill confidence in the organization’s security measures. I began to outline critical considerations:

  • Does the scanner have a complete list of all IP space on the network that needs scanned?
  • Are there any overlapping subnets? If so, that overlapped portion of a subnet is not visible to the scanner, thus, creating a possible hiding place for a bad actor.
  • Is there a duplicate IP space in the network? This creates blind spots to any scanner.
  • And finally, the hard part of the answer, does the scanner have logical access to the entire network? Even if the scanner is trying to scan a network subnet, if the network architecture via Access Control Lists and Routing is blocking the access or not granting the access, the scan won’t be complete. On top of that, you will get no indication from the scanner that the scan didn’t work.

Beyond the logical access issue, no one had thought about the other issues. I then explained how RedSeal automatically looks for subnets that have no scan data, thus possibly not part of the IP list giving to the scanner. Also, overlapping subnets and colliding IP space is revealed as a RedSeal finding. Finally, I also explained how a RedSeal Access Query combined with our “show what is missing” feature can give you a list of everything that the scanner can’t reach because of network architecture.

I ended my explanation with “these features will give you comprehensive documentation of complete scanner coverage for your upcoming audit(s)…”

After less than a few days of work, we had provided a list to both network operations and security operations of additions and changes required by both teams to make their vulnerability program complete.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

 

 

The Critical Role of Network Security in Zero Trust

/by

The National Security Agency’s (NSA) Cybersecurity Information Sheet (CIS) entitled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar” outlines how organizations can enhance their network security within the Zero Trust model. This involves leveraging advanced cybersecurity strategies to mitigate risks of lateral movement by malicious actors within networks.

In a recent SCmagazine article, the creator of the Zero Trust concept, John Kindervag, pointed out the industry’s current overemphasis on identity management, cautioning against neglecting network security’s critical role. This viewpoint complements the NSA’s guidance on implementing Zero Trust within the network and environment pillar, underscoring the need for a balanced approach that values both identity and network infrastructure. Kindervag’s insights advocate for not only recognizing the network as a foundational component of Zero Trust, but also actively engaging in strategies like data flow mapping, macro- and micro-segmentation, as well as leveraging software-defined networking (SDN) for enhanced security measures​​. This balanced focus ensures a comprehensive and resilient Zero Trust model, and RedSeal can address those network-related challenges effectively.

RedSeal can play a crucial role in implementing these strategies:

  • Data Flow Mapping: RedSeal’s capabilities in mapping the network and understanding how data moves across it align with the document’s emphasis on understanding data flow to identify and secure unprotected data flows. RedSeal can help organizations visualize their network paths and flows, which is foundational for recommended effective segmentation and isolation strategies.
  • Macro Segmentation: RedSeal’s Zones and Policies feature directly supports the concept of macro-segmentation, which is about segmenting the network into different security zones to control access and movement between them. By defining and enforcing network policies, RedSeal can help prevent unauthorized access between different parts of the network, such as between departments or between the IT environment and operational technology systems.
  • Micro Segmentation: While the document discusses micro-segmentation’s role in further reducing the attack surface within network segments, RedSeal’s detailed network models and policy management can assist in the detailed enforcement of policies that control access to resources within these segments. RedSeal’s analytical capabilities can help identify where micro-segmentation can be most effectively applied and help manage the policies that enforce this segmentation.
  • Software-Defined Networking (SDN): Although RedSeal itself is not an SDN solution, its network modeling and risk assessment capabilities are complementary to SDN’s dynamic and adaptable network management. RedSeal can enhance SDN implementations by providing a detailed understanding of the network structure and potential vulnerabilities, thereby aiding in the creation of more effective SDN policies.

RedSeal can significantly aid an organization’s efforts to advance its Zero Trust maturity, particularly within the network and environment pillar outlined in the NSA document. By providing detailed network visibility, facilitating effective macro- and micro-segmentation and complementing SDN strategies, RedSeal helps limit potential attack surfaces, enhances network security posture, and supports continuous verification of all elements within the network environment.

You can find out more by getting a demo of RedSeal and attend one of our monthly free Cyber Threat Hunt workshops.

Tales from the Trenches: Network Backdoors — Lions, and Tigers, and Bears…

/by

Today’s tale from the trench is brought to you by Brad Schwab, Senior Security Solutions Consultant.

One of the greatest concerns for professionals in Network and Security Operations is the potential existence of a backdoor in their network—let alone the presence of numerous backdoors! Identifying backdoors can be a daunting challenge, as they might exist beyond the confines of the configured routing table or take a longer path than the optimized routing path typically followed by traffic. Consequently, conventional traffic mapping tools seldom uncover the presence of a backdoor.

RedSeal is unique in its ability to identify and display all paths through a network, regardless of routing protocols and network address translation (NAT)—therefore exposing all potential backdoors.

While working with a power generation company that managed many extremely remote renewable energy sites, I performed RedSeal data collections on network device configurations across the organization, including company headquarters. From there, I began to perform RedSeal data collections on the power generation farms networks. With this data, I was able to model their network and gain visibility into all the access across their network fabric.

Once all data was collected, we initiated an examination of access vectors into the local generating networks. While engaged in this process, one individual began discussing how the heightened global threat levels had prompted the implementation of a company policy mandating a firewall at each site. This measure aims to safeguard Operational Technology (OT) devices and SCADA Systems. SCADA (Supervisory Control and Data Acquisition) is a software application used for controlling industrial processes by gathering real-time data from remote locations to control equipment and conditions.

As we began verifying that access controls were in place, we concluded there were indeed firewalls present with Access Control Lists (ACLs) blocking and filter inbound traffic. However, because RedSeal shows ALL access vectors, we also noticed that each generation site had two available paths to the internal network—one controlled and limited by the firewall and another that was wide open through the on-site router — a backdoor!

Through RedSeal’s security methodology of “Discover, Investigate, Act” we were able to uncover the backdoors and found that though we started with a small sample of sites, we now knew what to look for and each one had backdoors into the power generation network.

During our investigation we discovered that the secondary wide open access had been set in the case of a site lockout on the firewall. I have seen networks set up like this in the past, although not quite at this scale. It is not terribly uncommon in remote locations to set up a backdoor enabling remote access – however, we learned that with this set up even a firmware upgrade would cause problems. I explained how RedSeal could help verify changes before deployment and then verify implementation with ongoing monitoring for the entire generating network to ensure all sites were always in compliance and no backdoors were in place.  I like to think of it as an always on, always up-to-date audit.  Thus, avoiding any “negative compliance drift” between yearly scheduled audits.

In summary, RedSeal was able to show all the paths through the network—not just the ones that traffic is currently traveling on.  For each path of interest, in this case the backdoors, RedSeal shows every device along the path (hops), and all the ports and protocols that are available for traffic to transit.  Finally, such access can be monitored on an ongoing basis to ensure it does not stray from company policy.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

Understanding the UnitedHealthcare Data Breach: The Importance of Good Segmentation

/by

After receiving a call from KCBS to comment on the UnitedHealthcare data breach, I was reminded of the critical importance of cybersecurity measures and proactive solutions like RedSeal in safeguarding sensitive information.

The Impact on Patients and Healthcare Organizations

The repercussions of the UnitedHealthcare data breach extend beyond the confines of the company itself. Patients whose personal and medical information may have been compromised face the unsettling reality of potential identity theft, fraud, privacy breaches, and in this case, health implications with a nationwide outage of some of the largest prescription processors. Moreover, healthcare organizations are left vulnerable to reputational damage, legal liabilities, and regulatory penalties.

The swift response by Change Healthcare to halt the spread of the incident is commendable. By implementing effective containment measures and building segmentation into network design, they demonstrated the importance of proactive cybersecurity strategies especially in mitigating the impact of such breaches.

Segmentation: Building Stronger Defenses

In the face of evolving cyber threats, healthcare organizations must prioritize robust cybersecurity measures to protect sensitive data and maintain the trust of their patients. A critical step, which Change Healthcare executed effectively, is incorporating segmentation into network design. This strategic approach enabled them to isolate and contain potential threats, shutting down access swiftly.

By dividing networks into distinct segments and implementing access controls based on user roles and permissions, organizations can contain breaches and limit the lateral movement of attackers within their infrastructure.

The Importance of Transparency and Disclosure

Another noteworthy aspect of the UnitedHealthcare data breach is the transparency and prompt disclosure of pertinent details surrounding the incident. Unlike in years past, where data breaches were often shrouded in secrecy and only disclosed months or even years later, the current landscape emphasizes the importance of timely and transparent communication.

Moving Forward: Strengthening Cyber Defenses

As the healthcare industry continues to confront evolving cyber threats, proactive measures and collaborative efforts are essential to fortify defenses and safeguard sensitive information.

By embracing cybersecurity solutions and prioritizing segmentation and transparency, healthcare organizations can mitigate risks, protect patient data, and uphold the integrity of their operations. As the adage goes, “good fences make good neighbors,” and investing in robust cybersecurity defenses is paramount to safeguarding the future of healthcare.

RedSeal can play a pivotal role in enhancing security.

RedSeal acts as a vital tool in mapping out defensive boundaries within the network. It provides organizations with a comprehensive overview of their network architecture, allowing them to understand how different segments interact and where potential vulnerabilities lie. With RedSeal, organizations can accurately assess their defensive posture and make informed decisions to block moving threats before they spread.

In times of uncertainty, one thing remains clear: proactive cybersecurity measures and innovative solutions like RedSeal are indispensable allies in the ongoing battle against cyber threats. Let us heed the lessons learned from this incident and collectively work towards a safer and more secure future for all.

Contact us for a demo www.redseal.net

Tales from the Trenches: When Low-Risk is Actually High-Concern

/by

Since 2004, RedSeal has been instrumental in empowering our clients to comprehensively visualize and fortify their intricate networks. While our customers initially grasped the importance of understanding their network architecture, connections, and identifying potential risks, there’s often an enlightening “aha” moment when the true significance becomes unmistakable. These narratives, cherished within the confines of RedSeal, vividly exemplify the practical value of our platform beyond mere theory. In the words of our dedicated field team, who collaborates directly with our clients, this blog series aims to unveil the instances where the theoretical transforms into tangible reality. 

Today’s post is brought to you by Chris Morgan, Client Engagement Director 

 

In the realm of cybersecurity, where threats and vulnerabilities lurk aplenty, RedSeal stands as a beacon of innovation. Pioneers in network security analytics, RedSeal delivers actionable insights, enabling customers to close defensive gaps across their entire network. 

While reviewing a large medical provider’s network, we discovered several high- and medium-severity vulnerabilities within the network. However, it was the low-risk vulnerability we found to be of highest concern.  

Delving deeper into our investigation, we unearthed a situation of seismic proportions. Amidst the chaos of the COVID-19 era, the client’s IT team had inadvertently granted unrestricted access to a seemingly mundane printer. However, unbeknownst to them, and visible now only because of RedSeal, this printer served as direct access to more than 14,000 hosts within the client’s expansive network, opening access that could enable bad actors to directly invade much of the network. RedSeal’s comprehensive approach, merging risk and access, empowers genuine prioritization for clients. 

With a fresh eye toward restricting access, we worked with the medical provider to remediate the exposure immediately, tightening access controls for printers and implementing access logs, securing them for the future.  

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure. 

Reach out to RedSeal or schedule a demo today.

 

Tales from the Trenches: My network hasn’t changed!

/by

Since 2004, RedSeal has been instrumental in empowering our clients to comprehensively visualize and fortify their intricate networks. While our customers initially grasped the importance of understanding their network architecture, connections, and identifying potential risks, there’s often an enlightening “aha” moment when the true significance becomes unmistakable. These narratives, cherished within the confines of RedSeal, vividly exemplify the practical value of our platform beyond mere theory. In the words of our dedicated field team, who collaborates directly with our clients, this blog series aims to unveil the instances where the theoretical transforms into tangible reality.

Today’s post is brought to you by John Bays, Senior Security Solutions Consultant, Federal

MY NETWORK HASN’T CHANGED

Imagine navigating the landscape of a government entity, where a dedicated administrator went about their daily routine, firmly believing that a single login to the server was all it took to keep things ticking. Little did they know, a significant issue had quietly brewed beneath the surface – the network had remained unchanged for a considerable six-month stretch.

Approaching the situation with curiosity, I gently posed some questions.

  • How might they have overlooked the network’s lack of growth?
  • What led them to believe that everything was running smoothly without addressing potential issues?

This unfolding scenario morphed into a journey of understanding, aiming to uncover misconceptions and illuminate the broader responsibilities at hand.

Misunderstanding a role’s responsibility happens. At RedSeal, we know this and help ensure misunderstandings are laid to rest. Taking a supportive approach, I guided them through various aspects of the platform, emphasizing the value of active involvement. As the pieces fell into place, a realization dawned on this client – our exploration revealed numerous devices being added and removed from the network. This revelation painted a richer picture, demonstrating that their role was more intricate than they had initially perceived.

This experience turned out to be a valuable lesson for all involved, highlighting the importance of staying engaged and adapting to the ever-changing dynamics of the network environment. It wasn’t about fault-finding; rather, it underscored the need for continuous learning and awareness in the evolving tech landscape. After all, even the most dedicated administrators can benefit from a broader perspective on their responsibilities.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

Keeping an Eye on IPv6 in Your Hybrid Network

/by

IPv6 has its advantages

With the proliferation of connected devices, organizations everywhere are making the transition to Internet Protocol version 6 (IPv6). Beyond having astronomically more usable addresses than its IPv4 predecessor (2128 vs. 232), IPv6 has several other advantages, including:

  • Easier administration: IPv6 simplifies address configuration through Stateless Address Autoconfiguration (SLAAC) and DHCPv6 (Dynamic Host Configuration Protocol for IPv6). This reduces the likelihood of misconfigurations and makes it easier for organizations to manage their networks securely.
  • Improved routing efficiency: IPv6 eliminates the need for Network Address Translation (NAT), a practice used in IPv4 to conserve address space. NAT can introduce complexities and potential security vulnerabilities. With IPv6, devices can have globally routable addresses without the need for NAT.
  • Enhanced security: IPv6 incorporates security features that were not present in IPv4. For example, IPsec (Internet Protocol Security) is mandatory in IPv6, providing a framework for securing communication at the IP layer. IPsec can be used to encrypt and authenticate data, ensuring the confidentiality and integrity of network communications.

Overall, IPv6 tackles the many limitations and challenges of IPv4 while providing a scalable, efficient, and secure foundation for the future growth of the internet and the proliferation of internet-connected devices.

But the transition can be tricky

While the goal is to eliminate the use of IPv4 entirely, many corporations and governments are expected to maintain dual-stack networks—using both IPv4 and IPv6—for the foreseeable future. The U.S. Office of Management and Budget (OMB) has mandated that 80% of IP-enabled assets on federal networks must be operating in IPv6-only environments by the end of its 2025 fiscal year. Meanwhile, IPv6 has been growing unchecked in corporate networks for years, right alongside IPv4.

For too long, organizations have been able to put off the IPv6 transition as a challenge for tomorrow, but the pressure is now on. Cloud adoption is driving up IPv6 use, and unexpected IPv6 pathways are rife with risk. In the worst cases, firewall bypasses can spring up due to unintentional differences between old IPv4 and new IPv6 fabric. Ultimately, IPv6 adoption means bigger networks and more connections—and risks—to manage. Who’s keeping an eye on IPv6 in your network?

IPv6 intelligence for your evolving network

Wherever your organization may be on its journey to an IPv6-only network, you need the ability to answer fundamental questions about IPv6 in your network, and RedSeal can help:

  • What percentage of my total network assets are in IPv6-only environments?
  • Is this subnet truly IPv6-only?
  • What does this IPv6-only subnet look like?
  • Which specific devices need to be upgraded to IPv6?
  • How are IPv6 subnets connected to other parts of my network?
  • Has the introduction of IPv6 created security gaps in my network?

RedSeal delivers the visibility and network context you need to understand where and how IPv6 is being used in your network and what impact it has on your security and compliance initiatives.

Contact us for more details

For more information about how RedSeal can help you minimize risk and maximize resilience in your IPv6 and dual-stack networks, download our IPv6 datasheet and then schedule a demo with one of our cyber-savvy product experts today.

 

Additional IPv6 resources:

Strengthening the Fortress: Best Practices for Incident Response

/by

As the digital age continues to see rapid change, cyber threat looms over businesses, organizations, and individuals even more than before. And, as technology advances, so do the capabilities of cybercriminals. With today’s digital environment, more than ever before, crafting a robust cybersecurity incident response plan isn’t a recommendation—it’s a critical necessity.

What does this mean? It’s a matter of when—not if—a network is compromised. Companies can no longer assume that security frameworks offer invincibility from evolving cyberattack trends. Instead, businesses need a strong incident response program designed to help them quickly react—and in the worst-case scenario come out stronger on the other side.

Designing a sophisticated incident response framework

A cybersecurity incident response plan establishes a structured framework for teams to adhere to when facing a cyber incident or attack. As defined by Gartner, a cyber incident response plan is “formulated by an enterprise to respond to potentially catastrophic, computer-related incidents, such as viruses or hacker attacks.” Gartner research extends to projections for 2026, suggesting that organizations invest at least 20% of security funds in resilience and flexible programs to halve their recovery time.

In crafting a cybersecurity incident response plan tailored to the specific needs of your organization, key considerations and common components include:

1. Defining objectives and scope. Objectives could include, but aren’t limited to:

  • Impact minimization
  • Business continuity
  • Protecting sensitive information
  • Regulatory compliance
  • Identifying and understanding threats
  • Outline for timely recovery
  • Response efforts
  • Future improvements for cybersecurity posture
  • Post-incident analysis

2. Establishing an Incident Response Team (IRT). Assemble a dedicated team responsible for executing the response plan. The team should be comprised of members of the organization from IT, security, legal, communications, and any other relevant business teams. Roles and responsibilities should be clearly identified to ensure a coordinated and timely response.

3. Developing an incident classification system with procedures. A system for classifying incidents based on severity and impact can help guide the response process and help the IRT prioritize actions. We recommend creating a detailed response playbook with step-by-step guidance for various incidences can help a team contain and recover from the incident effectively and efficiently. Playbook should include communication procedures to ensure employees and appropriate external stakeholders are notified.

4. Implementing incident detection and reporting. Employing an effective detection and reporting system is critical for early identification and response to a cybersecurity incident. Examples include, but are not limited to:

  • Endpoint protection
  • Firewall and network monitoring
  • Email security systems
  • Security and awareness training for employees

5. Conducting regular training and simulation. Training for the incident response team should be set up regularly through simulations and exercises. Each month, RedSeal hosts a Cyber Threat Hunting Workshop. Through our workshop, you will use the RedSeal platform and threat hunt within a pre-built virtual network model. You’ll assess the network’s overall cybersecurity posture while refining your skills in risk and vulnerability assessment, cyber hunting, and incident response. At the completion of the session, you will have learned how to:

  • Identify potential attack vectors that bad actors could use to exploit existing vulnerabilities
  • Optimize resources by leveraging risk-based vulnerability prioritization
  • Easily identify devices on the network that pose the most risk to your enterprise—those with network access and exploitable vulnerabilities
  • Quickly visualize where bad actors can pivot following system compromise and traverse a network
  • Coordinate with other teams to minimize the impact of an event while enhancing your organization’s digital resilience
  • Use network context to develop mitigation strategies and implement your run-book plays

Preventing unauthorized access into, out of, or within a network requires understanding how that network is built– a difficult, tedious, and time-consuming task.

6. Post-incident analysis. Outline and conduct a comprehensive post-incident analysis to understand the root causes of the breach and to identify areas in need of improvement. Lessons should be documented, and the incident response plan should be updated accordingly.

Designing a robust incident response plan is just the tip of the iceberg.

The most important aspect of incident response could be what comes next—evaluation and improvement. Cybersecurity resilience requires constant monitoring and evolution. Regular updates and adaptions to the plan are imperative to effectively address the ever-evolving landscape of cyber threats. The journey to securing your network for good is an ongoing process, demanding an unwavering commitment to visibility, refinement, and optimization. At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

 

Interested in learning more?

Download our in-depth look into incident response planning today!

Reach out to RedSeal or schedule a demo today.