‘Red Teams’ Need to Deliver Context — Let’s Help Them

Working on a Red Team is frustrating. I know, I was on one.

Red Teams work hard penetrating systems, gathering data and presenting findings to senior management only to get strongly dismissive responses- “So what?” This is frequently followed by an order to not to share detailed information with the Defensive Cyber Operations (DCO) teams defending the network. Sometimes the reason is obvious. Sometimes not.

I came to realize that the underlying problem is that the findings don’t include enough information to make an impact on a culture of inertia that comes with the cybersecurity world. I have actually had executive leaders tell me they would lose plausible deniability.

This obviously sub-optimal situation hasn’t changed since my time serving on a Red Team.

The DOD Office of Inspector General just released a new report, “Followup Audit on Corrective Actions Taken by DoD Components in Response to DoD Cyber Red Team-Identified Vulnerabilities and Additional Challenges Facing DoD Cyber Red Team Missions.

This was a check up on the earlier report “Better Reporting and Certification Processes Can Improve Red Teams’ Effectiveness,”  a more easily understandable title.

They investigated three areas to see what had changed in eight years.

  • Did DoD Cyber Red Teams support operational testing and combatant command exercises?
  • Were corrective actions being taken to address DoD Cyber Red Team findings?
  • Did the assessed risks affect the ability of DoD Cyber Red Teams to support DoD missions and priorities?

The results? In a word: No.

The data generated by Red Teams and the teams conducting Defensive Cyber Operations is still not being shared. Worse, even with better procedures, part of the problem is that both the results and the analysis of the results of penetration testing and vulnerability management functions are superficial.

They don’t pass the “so what” test.

But, Red Teams can’t do their job well unless they have an accurate map of the cyber terrain to put information into a larger context. This context is more important for reducing the risk to missions.

Unique in the industry, RedSeal can model and evaluate Layers 2, 3, 4 and now 7 — application-based policies. And, it includes endpoint information from multiple sources.

If both Red Teams and the DCO teams tasked with defending the cyber battlespace can easily analyze 3-4 layers of complex attack depth to connect vulnerabilities exposed to the Internet with pivots and attack paths buried deep in a network’s hybrid infrastructure, their recommendations will be seen as worthy of immediate attention. This will lower the risk to mission in a real way.

Maybe then, senior management will listen, the process will radically improve, and the DOD Inspector General will not have to write a report saying nothing has changed in seven years.

For more information, click here to speak with a RedSeal government cyber expert.

U.S. Not Ready for Online Voting, Stick to Mail-In Ballots

American democracy is resilient. From its rebuilding after our civil war to recovering from the Great Depression, America has been able to overcome the largest of obstacles. However, 2020 gives us unprecedented challenges that will test this resilience. Central to our country’s recovery from this pandemic will be ensuring the foundation of our democracy remains intact: free and fair elections.

Despite the current news cycle, our election system is very resilient because of our forefathers’ design. State and local governments distribute and implement elections individually, leading to different procedures and regulations within each jurisdiction, which creates independent – or segmented — operations.

In the cyber world, segmentation is central to digital resilience. A segmented network can help organizations minimize damage from some of the most advanced forms of cyberattacks by preventing them from overtaking the entire network. The independent orchestration of our elections is very similar. However, COVID-19 presents a conundrum: keeping people physically distant is profoundly challenging with in-person voting.

So, how do we combat this issue?

A few states are beginning to explore online voting to help citizens maintain social distance and ensure their franchise. The CARES Act even allows states to use some of the funds to pursue online voting systems. However, while online voting holds promise, there is simply not enough time to roll out a secure, vetted system before November’s elections. Plus we still haven’t repaired the issues that our 2016 elections revealed about the vulnerabilities of our existing online systems. America’s election process remains extremely vulnerable to cyberattacks. In fact, last December Valimail confirmed only 5% of the country’s largest voting counties are protected against email impersonation and phishing scams. Specifically, this vulnerability was found in Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin, six key swing states in this upcoming election cycle. This vulnerability opens a door to bad actors that could allow voting data to be stolen, manipulated or deleted in 95 percent of the highest populated counties in the nation.

Luckily, we have a solution that’s already in place, accessible nationwide, resilient and in a sense, “un-hackable”: absentee voting by mail.

For decades, absentee ballots have been the bridge connecting those who are unable to make it to the polls on election day. Now, it can be the cornerstone for everyone. While filing for an absentee ballot can be an arduous process, states are now making it more accessible. For example, Michigan is automatically sending absentee ballot applications to every resident to both encourage social distancing and support democratic participation. This supports secure, offline elections with segmentation still in-play. Additionally, an overwhelming majority of Americans support expanding access to voting by mail. Recognizing that any change is difficult, 16 states delayed their primaries, which illustrates the urgency to act now so we can move onto the general election by November.

In these unprecedented times, we must support all efforts to ensure our elections remain fair, free and guaranteeing each citizen’s franchise. While we have the technology and the ideas necessary to move to completely online elections, that can and should only happen when it’s secure and tested accordingly. In these pressing times, there is no bandwidth to do so. However, the $2 trillion stimulus package  included $400 million for states to prevent, prepare and plan for COVID-19’s impact on the 2020 elections. This amount is a significant step in the right direction, but a full roll-out of voting by mail, let alone ensuring secure online voting would require a much larger investment. I urge lawmakers at both the state and federal level to embrace mail-in ballots. We need to ensure this year’s elections are available to every citizen, whether they are practicing social distancing or fully quarantined and without fear that exercising their franchise will expose them to a deadly illness. We can maintain the resiliency of our country and our elections and our health with mail-in ballot elections. We just need the will to do so.

Change Management Processes are Critical — From Nuclear Submarines to Your Network

How often have you made a network change that didn’t work the way you expected or even created a new issue? The list of configuration changes needed to build, maintain, and secure a network is daunting.  It’s all too easy to act without thoroughly thinking through and considering the impact on the whole network.  Initially it may appear as though quick action to make a small change would save time, but that can be a trap that leads to costly mistakes. Oftentimes changes have complex implications. The wrong change can result in in downtime and millions of dollars in lost productivity or revenue. No one wants to be that person.

Change management is the organizational process to ensure that we stop and consider the impact of change before acting. It’s used in many industries, including IT. Submarine commanders need change management in an environment just as complex as information technology but with more serious, life or death repercussions. In his book, Turn the Ship Around!¸ former submarine commander David Marquet describes “Deliberate Action,”  the process he used to create competency, reduce errors and improve resiliency. It required sailors to stop and think before making a change. Stopping, thinking, and then acting provides an opportunity to review and thoroughly think through the impact of an action.

Marquet got great results:

“Later, when Santa Fe earned the highest grade on our reactor operations inspection that anyone had seen, the senior inspector told me this: ‘Your guys made the same mistakes—no, your guys tried to make the same number of mistakes—as everyone else. But the mistakes never happened because of deliberate action. Either they were corrected by the operator himself or by a teammate.’

He was describing a resilient organization, one where error propagation is stopped.”

A nuclear submarine has highly engineered systems that are tightly coupled, all of which need to work for the whole system to operate properly. Errors can damage valuable and sensitive nuclear reactor equipment or even result in complete system failure and death of an entire crew.

Like a nuclear submarine, IT networks are highly engineered and tightly coupled and need resiliency to avoid catastrophe. Every interconnected system relies on others, as in nuclear submarines. And having a change management process to ensure that everyone stops and sufficiently thinks before acting is just as important. We need to avoid the temptation to bypass the change management process and execute a change quickly, thinking we’re “saving time.” Catastrophe can be lurking around the corner, and none of us wants to be responsible for a Code Red.

The RedSeal platform gives you the ability to quickly think through the impact of change prior to acting. It tells you what you have, how it’s connected, and where your risks are. RedSeal discovers the devices on your network and creates a digital network model of how everything is connected. The model can provide deep insights into the implications and impact of change. On the submarine, the requirement to stop and think not only gives sailors time to process using their own experience and knowledge, but also allows teammates with additional experience and knowledge to think and intervene before mistakes are made. RedSeal is a reliable teammate you can have by your side as you execute change management.  It knows how everything is interconnected and can better show you the impact of a proposed change.

 With RedSeal, you can engineer “Deliberate Action” into your change management. It may seem that stopping and thinking may take time and be expensive, especially during an incident, but errors can be significantly more damaging. RedSeal allows you to stop for shorter periods of time and avoid errors. By automating analysis steps and reducing complexity RedSeal helps you make your network more secure and resilient.

 

Marquet, David L., Turn the Ship Around! Penguin RH 2012. Pg 124

To Recover and Rebuild, Look to Technology

As I write this, our society is amid an economic collapse and social closure the likes of which no one in our lifetime has ever seen. People everywhere are trying to create some kind of certainty so that they can plan their future, get back to their “day job” and feel safe while resuming a normal, active life. While the recovery process will be long and the challenges many, when we emerge on the other side it’ll be our uniquely American characteristics which help us triumph.

A recent op-ed in USA Today perfectly summarized the opportunity this pandemic presents: In recovering and rebuilding, every American should contribute and can do so by utilizing our most unique quality: ingenuity. While many characteristics define us as a nation, ingenuity is the engine which drives our success.

As each industry sector finds ways to contribute, the technology sector has its own unique role to play. Among the many advancements that have proved essential during this time, technology has allowed for productive work away from an office and schooling at a distance, automation has reduced in person interactions and supercomputing has helped model the spread of the disease. It is important that while we adopt new technologies and further embed others ever deeper into our daily lives, we consider how to secure those devices and the networks on which they function. As we apply techniques in the physical world to keep us healthy – handwashing, social distancing – we must also implement cyber hygiene principles to keep our networks healthy.

Implementing cyber hygiene means your organization is less likely to battle common cybersecurity issues. Utilizing a cyber terrain modeling tool like RedSeal as part of regular cyber hygiene practices means executives and business leaders can automatically view and monitor their network and identify potential problems before they manifest. This allows organizations to make better decisions about where to allocate budget and funding and to put greater focus on their primary goals.

Technology can both contribute to solutions and help guard against the challenges we face. Practicing good cyber hygiene keeps businesses healthy so executives and business leaders can focus on what really matters—producing original and inventive ways to improve our society and creating a future we all want to live in.

Know What to Protect and Why

In my last article, I discussed the importance of walking the terrain, or knowing your network. I suggested beginning at the at high level: identify your sites, then group your assets by site or facility. This is a great place to start understanding your network because network controls tend to be fairly static. However, discovering network devices like routers often leads to discovering subnets and previously unknown endpoints.

These this begs two questions: Why should I care about my endpoint inventory? What should I do with this data?

Maintaining accurate endpoint inventory data is a daunting task. In modern environments, endpoints are changing all the time. In fact, endpoint entropy continues to grow exponentially. We need to prioritize. There are two aspects of endpoint inventory security professionals should focus on.

The first is to look at your network through the eyes of an adversary and ask, “What is most valuable?” In a military example this might be a bridge, an airfield, or a key logistics site. In the cyber world this might be your credit card holder data, your intellectual property, or the CFO’s laptop. Consider what an adversary might want to accomplish. Are you concerned about a nation state stealing intellectual property? Might someone want to disrupt your operations? Could organized crime try to extort money after encrypting your systems?

Most security professions believe that “everything is important.” While that’s true, we all have limited resources. We need to prioritize where to apply preventative technologies, which vulnerabilities to patch, and what incidents to investigate. It is imperative to identify the key data or systems in order to identify a control framework to protect them.

The second important aspect of endpoint inventory data is using it to maintain the accuracy of your operational systems. Many key security systems depend on the accuracy of endpoint data. Our customers almost always have a CMDB, vulnerability scanner, EDR agents, and a patching system. The numbers coming from these systems never agree. We see CMDBs that are about “80% accurate;” endpoints that aren’t being scanned; endpoints that are missing agents; and some endpoints that aren’t being patched. Being able to quickly see the difference between these operational systems will identify gaps in your operations. For example, if your EDR count is greater than the one from your vulnerability scanner, you can quickly identify the exact systems that are not being scanned. If the count you’re getting from your vulnerability scanner is greater than the one from your patching system, you can quickly identify systems not being patched. Organizations that operationalize this process aren’t just maintaining an inventory count, they’re ensuring a more accurate use of their key operational systems.

Best Practices for Cyber Resilience: Step One, Walk the Terrain

 

You’ve been asked to defend your organization from a myriad of threats: state sponsored attacks, cyber criminals, insiders. But where do you start?

Many years ago, as a young Marine lieutenant I learned that the first step to establishing a defense is to understand what you’re defending. You must know the terrain. Walk the terrain. Understand the key parts of the terrain and all avenues of approach. Then ask yourself how you would attack the same terrain. You must understand your own terrain better than the enemy.

In information security, we haven’t been given the luxury of understanding what we have — but we need to understand what we have to effectively defend it. Our networks were built to optimize for performance and availability, not for security. Understanding our cyber terrain has become a daunting task – but one fundamental to security.

Today, we rely on current inventory management technologies, but they provide just part of the picture. You get an overwhelming amount of detail and yet still struggle to understand how everything interconnects.

Ideally, you’d like to be able to understand what you have, how it’s all connected, and what’s at risk. Specifically, you’ll want to:

  • Visualize each of your sites and the connectivity between them.
  • Locate and identify devices missing from your inventory management and NCCM solutions.
  • Rationalize data from multiple data sources, including vulnerability scanners, CMDBs and EDRs.
  • Quickly determine where an attacker can traverse to in your network — from any point.

Most organizations begin by trying to get their endpoint or host inventory. This seems logical, since that’s where your applications and data are housed. But without an overall picture of how your network is configured, you have a collection of data points that don’t tell a full story.

The first step needs to be organizing your cyber terrain at the highest level. Identify your sites, then group your assets by site or facility. For example, assign devices to your Austin data center, Denver data center, branch offices, and AWS. Next determine the conductivity within and between these sites. This requires an inventory of networking devices and their configurations. You’ll end up with a model of your network devices, security groups and VPCs and quickly be able to get a picture all the connections and interconnections — intentional and unintentional — in your network. Inevitably, you’ll discover unknown network devices.

Then, with this framework in place, you can add your host information.

Real World Versus Cyber Hygiene

As I watch the drama on the news unfold it is striking to me how similar the tactics for defending against a spreading virus are to cyber defense.

Washing your hands equates almost exactly to cyber hygiene tactics like patching.

Social distancing is nothing more than putting barriers up to prevent the spread of attacks, which is called network segmentation in the cyber world.

What do we do in the cyber world when a system is infected? We quarantine it and try to determine what else could have been infected. Unfortunately for the physical world, there is no automated way to make sure people are practicing proper hygiene, maintaining proper distancing, and isolating infected and vulnerable people. Fortunately, this is not the case for cyber warriors, where RedSeal automates all these arduous tasks.

With RedSeal’s cyber terrain analytics platform and professional services, government agencies improve their resilience to security events by understanding what’s on their networks, how it’s all connected, and the associated risk. RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. RedSeal continually checks to see if a network’s segmentation is working as designed, ranks end point vulnerabilities in order of risk, and adds knowledge of your network to determine how accessible the vulnerability is to untrusted networks and what it will expose if compromised.

So, when a breach does occur, the RedSeal can tell you exactly what is exposed to an attack and deliver the information needed to contain it.

If only the real world had this capability, I might be able to eat at my favorite restaurant tonight.

Click here to lean more about Cyber Hygiene with RedSeal.

A Resilient Infrastructure for US Customs and Border Protection

The Customs and Border Protection agency recently announced an official 2020-2025 strategy to accomplish their mission to “protect the American people and facilitate trade and travel.”

The strategy comprises only three goals, one of which is to invest in technology and partnerships to confront emerging threats. This includes an IT Infrastructure that provides fast and reliable access to resilient, secure infrastructure to streamline CBP work.

So, of everything CBP wants to accomplish in the next five years, delivering a resilient, secure infrastructure is right near the top.

Both Verizon’s Data Breach Investigations Report and Crowdstrike’s Global Threat Report agree that more than 90 percent of intrusions are due to failures in basic, continuous cyber fundamentals. These include patching, ensuring network devices are deployed securely, and firewall rules and access control lists enforce the network segmentation you intended.

These cybersecurity fundamentals can be tedious and repetitive, but they are the foundation of security and beyond that, cyber resilience.

Cyber resilience has three parts:

  1. Being hard to hit
  2. Having the ability to detect immediately
  3. Responding rapidly.

RedSeal is a solution purpose built to improve and track resilience.

We give you a way to measure resilience and improve the security of your infrastructure.

RedSeal’s cyber terrain analytics platform identifies cyber defensive gaps, runs continuous virtual penetration tests to measure readiness, and helps an organization capture a map of its entire network infrastructure. The RedSeal platform delivers continuous monitoring through the collection and correlation of change, configuration assessment and vulnerability exposure information. Turning these capabilities into cyber resilience measurements gives managers, boards of directors and executive management the understandable and actionable security metrics they need to drive towards digital resilience.

Cyberattack surfaces and complexity are only expanding as all commercial, US government and DOD networks modernize and move to cloud and software defined networks (SDN). Automating the basics so organizations and departments can be digitally resilient continuously in the face of an attack has never been more necessary.

To ensure its IT infrastructure is resilient and secure as it is rolled out, the CBP needs to focus on mastering the cyber fundamentals and measuring that progress by deploying RedSeal’s cyber terrain analytics platform. Click here to learn more.

Security Orchestration and Automation Response Solutions (SOAR) and RedSeal

Over the past few years, Security Orchestration, Automation, and Response (SOAR) tools have emerged as multi-faceted and ever-present components in a Security Operations Center (SOC), enabling security teams to centralize incident management, standardize processes, and reduce response times through automation and artificial intelligence (AI).

The security orchestration, automation and response (SOAR) market, as defined by Gartner in 2017, evolved from three previously distinct technologies: Service Oriented Architecture (SOA), security incident response platforms (SIRPs) and threat intelligence platforms (TIPs).

In 2019, Gartner released their latest and most comprehensive research on the SOAR market to date– Market Guide for Security Orchestration, Automation and Response Solutions. In it, Gartner tracks the growth of the market over the past few years, provides a representative list of SOAR vendors, and delivers advice that security practitioners should keep in mind while procuring SOAR tools.

Moreover, AI security is listed in their Top Ten Strategic Technology Trends for 2020, which says:

“AI and ML will continue to be applied to augment human decision making across a broad set of use cases. While this creates great opportunities to enable hyperautomation and leverage autonomous things to deliver business transformation, it creates significant new challenges for the security team and risk leaders with a massive increase in potential points of attack with IoT, cloud computing, microservices and highly connected systems in smart spaces. Security and risk leaders should focus on three key areas — protecting AI-powered systems, leveraging AI to enhance security defense, and anticipating nefarious use of AI by attackers.”

Gartner states that SOAR tool deployment is now more use-case driven than ever. The use cases depend on the maturity of the organization, the capabilities of the SOAR tool, and the processes most ripe for automation, among other things. According to Gartner:

“SOAR selection in 2019 and beyond is being driven by use cases such as:

  • SOC optimization
  • Threat monitoring and response
  • Threat investigation and response
  • Threat intelligence management”

SOAR Doesn’t Know What It Doesn’t Know.

The problem we see with deploying security automation is the quality of the information put into it. How do you deploy a SOAR tool if you don’t know for sure if the data being used is accurate? Is good enough good enough?

Security solutions based on automation can also have blind spots. How do they know that they can see everything? In fact, they don’t know what they don’t know.

RedSeal data can better refine how a SOAR solution makes its decisions to take or not take actions in the above use cases. RedSeal gives a SOAR tool a deep understanding of the network environment it operates in. It is not enough to identify and react to an indicator of compromise, we need to understand what an intruder can reach from there.

Does the device have access to a high value asset (HVA) or to the key cyber terrain of your environment?

If not, don’t worry and carry on with the automated processes.

If yes, then that is an indication to do more investigation and look at how this access could have happened in the first place.

And during a follow-on, after-action review you can investigate important issues like how the intrusion happened in the first place. Only RedSeal shows you what’s on your network, how it’s connected and the associated risk, so you can better prepare for and contain problems within minutes and not days.

What if RedSeal could improve your understanding? Would that interest you?

If yes, click here to set up a time to speak with a RedSeal representative about how to integrate RedSeal with your preferred SOAR tool.

Ten Cybersecurity Fundamentals to Reduce Your Risk of Attack

Due to escalating tensions with Iran and recent cyber activity against a U.S. Government website, DHS’s Cybersecurity and Infrastructure Security Agency team has issued a bulletin warning organizations to be prepared for “cyber disruptions, suspicious emails, and network delays.” DHS recommends preparing by focusing on “cyber hygiene practices” to defend against the known tactics, techniques and procedures (TTPs) of Iran-associated threat actors.  This warning serves as another reminder that adversaries often compromise organizations through failures in assessing and implementing basic security practices.

Based on recent international activities announced by DHS, expectations of retaliation from a known adversarial nation state are more than likely to occur. This is an immediate risk to all public and private organizations in the United States. Organizations need to be able to assess their current security posture and accurately evaluate their cyber hygiene. They need to know what is on their networks, how it is all connected and the risk associated with each asset.

Whether you are hands-on-keyboard technician or an executive responsible for securing your organization, here are ten cybersecurity fundamentals you can implement.

  1. Identify critical data and where it is housed
  2. Know what assets – physical and virtual – are on your network
  3. Harden your network devices, making sure they are securely configured
  4. Review your endpoint data sources to make sure you have full coverage of all endpoints on your network
  5. Ensure that your vulnerability scanner is scanning every subnet
  6. Factor in accessibility to prioritize your highest-risk vulnerabilities and hosts
  7. Make sure only approved or authorized access is allowed, including any third-party access.
  8. Validate that all network traffic goes through your security stack(s)
  9. Identify unnecessary ports and protocols
  10. Identify rules on your network gear to determine if they are valid and applied appropriately

By focusing on cybersecurity fundamentals, RedSeal helps government agencies and Global 2000 companies measurably reduce their cyber risk. With our cyber terrain analytics platform and professional services, enterprises improve their resilience to security events by understanding what’s on their networks and how it’s all connected.

RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. It also prioritizes mitigation based on each vulnerability’s associated risk.

We are proud to be trusted as the central cybersecurity platform in our customers’ defense-in-depth strategy.