RedSeal and DHS CDM DEFEND

/by

This year, the big news in government cybersecurity is the DHS CDM DEFEND program and task orders being announced by various federal departments. The DHS CDM DEFEND, which stands for Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense, task orders are awarded under the General Services Administration’s Alliant 1 Unrestricted contract. GSA and the Department of Homeland Security (DHS) jointly run CDM to secure civilian agency “.gov” networks from cyber attacks.

RedSeal and Government Cybersecurity

RedSeal has a history of support for federal government cybersecurity initiatives. The company’s network modeling and risk scoring platform is installed in numerous defense, intelligence, and civilian organizations for continuous monitoring.

At the highest level, RedSeal delivers three core security controls:

  • Visibility: Automated network mapping and situational awareness
  • Verification: Continuous comparison of network security architecture against desired posture
  • Prioritization: Analysis of vulnerability scan data and network architecture to identify the highest risk vulnerabilities that must be remediated immediately

These controls apply to both legacy deployments and new architectures. In legacy deployments, RedSeal allows you to understand the existing environment and identify security control gaps. In new architectures, RedSeal validates that the network is built and operated as designed. And in all situations, RedSeal increases the value of scanning and penetration testing by prioritizing those vulnerabilities that are the most dangerous cybersecurity threats – based on how each network is put together.

The objective of the DHS CDM DEFEND program is to discover, assess and plan for 100% agency network coverage and provide context for prioritizing the closure of coverage gaps. Winners of task orders must discover all networked assets in an agency – including perimeter, cloud and mobile environments. Plus, they must develop a plan to protect all environments within six months of work commencing, and on a continuous basis after implementation. What’s more, merely visualizing what’s on the network isn’t enough, but vendors must prioritize fixing the worst problems first.


How Does RedSeal Fit with DHS CDM DEFEND Solution Requirements?

RedSeal supports six of the eight DHS CDM DEFEND solution requirements.

Hardware Asset Management: RedSeal’s complete network map and network device inventory provides a framework for hardware inventory processes and discovery. The solution also provides a complete inventory of in-scope Layer 2 and Layer 3 network devices.

Configuration Settings Management: RedSeal automatically analyzes individual device configurations to see if they are secure. This includes password policies for firewalls, routers, load balancers, and wireless controllers, services enabled, logical port configurations, and networking parameters. You can also create custom checks and be notified automatically about any deviations from baselines.

Vulnerability Management: At the highest level, vulnerability management consists of two tasks: vulnerability scanning and remediation. RedSeal can determine if you have any gaps in your vulnerability scan coverage and identify the device blocking it. In addition, RedSeal has a unique ability to prioritize remediation by identifying the vulnerabilities that pose the highest risk—in each network. RedSeal combines results from top scanners (such as Rapid7 InsightVM, Tenable Nessus, and Qualys) and centralizes scoring and prioritization. Then, it overlays its detailed knowledge of all network paths to prioritize the specific systems and vulnerabilities that could be used to do the most damage if they were exploited. Without this, organizations waste huge amounts of time remediating “high priority” vulnerabilities that could wait, because the potential damage from an exploit is very limited. And they ignore “low priority” vulnerabilities that are actually dangerous because they can be used to pivot into higher value targets in a network.

Boundary Protection: Effective boundary protections are typically based on network architecture and access policies on routers, switches and firewalls. In practice, it is extremely difficult to operationalize this control, especially in multi-vendor environments. However, RedSeal Is able to analyze networks continuously and evaluate possible connectivity against desired policy. This enables even the largest organizations to implement boundary protections on multi-vendor networks in an operationally efficient manner. And this, in turn, makes it realistic to implement multi-layer segmentation policies, where assets can be isolated from the rest of the internal network to better protect sensitive data, and limit the ability of malware to spread after initial compromise.

Incident Response: Many information sources and technical disciplines must work in concert for effective incident response. Once an indicator of compromise is identified by a SIEM, RedSeal brings network topology and reachability information to help determine how significant the risk is and what systems may be at risk. Normally this is a manual and time-consuming process, relying on traceroutes and network maps that are often out of date. Staff must comb through configurations to piece together the potential malware exploit paths. This delays an organization’s ability to respond appropriately to the event, increasing both risk and the eventual overall damage. RedSeal automates this entire network investigation process, providing incident response teams with accurate information about network exploitation paths so their response can be quicker and more focused.

 

  RedSeal Capabilities
CDM DEFEND Requirements Hardware Config Vuln Mgmt Boundary Response
Rapid Assessment Yes Yes Yes
Boundary Architecture Changes Yes Yes Yes Yes
Evaluate multiple CDM states Yes
Vuln Mgmt and Triage Yes Yes Yes Yes Yes
Change Control & L2/L3 Auditing Yes Yes Yes Yes
Incident Response Yes Yes Yes Yes

 

Summary

The federal government’s DHS CDM DEFEND program is a response to today’s cybersecurity reality. By encouraging organizations to rely less on auditing static preventive measures but instead on implementing CDM, the program better positions agencies to ensure their defenses are well established at all times. The program also encourages agencies to put in place procedures to detect, evaluate, and respond to incidents, no matter when they occur.

RedSeal provides a substantial contribution to the CDM framework by delivering a unique control set for boundary protection, situational awareness, vulnerability mitigation prioritization, and configuration management.

RedSeal is a “must-have” part of any CDM team currently bidding for DHS CDM DEFEND task orders.

Want to learn more about RedSeal’s integration with cybersecurity tools and its integral part of any CDM program? Click here to connect with RedSeal today.

The Only Cybersecurity Metric That Matters for Digital Resilience

/by

While the focus on cybersecurity has never been higher, the cybersecurity community – a combined team of solution providers, CISOs, boards and others– haven’t been able to stop most attacks from being successful.

Why?

We have focused too much of our efforts on network perimeters, working to detect and prevent cyber attacks. We haven’t done enough to build resilience INSIDE the network, the part of the equation we can control and quantify with a security metric.

Organizations need to build resilience into their infrastructures and adopt an end-end digital resilience strategy to survive and thrive.

How big is the problem? There are 1400+ vendors focused on cybersecurity. Nearly $100B was spent on information security just in 2016. Yet billions of records have been compromised.

The reason is we have not addressed fundamental issues inside the network. Companies need to build resilience into their infrastructure and adopt a corporate-wide digital resilience strategy with a corporate-wide security metric.

A few years back, RedSeal gathered 800 surveys during the RSA Conference. We learned that:

  • Practitioners are drowning in data
  • They can’t measure the performance or impact of their security efforts
  • Current solutions can’t turn data into action
  • They need useful cybersecurity metrics

The problem with measuring security is that security is the absence of something. You can’t report how often you were NOT on the cover of Washington Post. Many people start by counting what they are doing. But this measures busy-ness, not business. How can you show actual improvements in cybersecurity?

The Shifting Terrain and Digital Resilience

According to the 2016 TechCrunch CIO Report, 82% of global IT leaders report significant labor shortages in cybersecurity. This, combined with issues such as software defined everything, digital transformation, hybrid datacenters, IoT, and shadow IT, means a big shift in thinking is required. We don’t have enough people to throw at the problem.

Digital resilience is a comprehensive strategy across all IT functions and business processes to minimize the impact of cyber attacks and network interruptions. It’s a different way of thinking.  Being resilient means simultaneously striving to minimize each attack and being able to recover quickly from a strike. Resilient organizations have fewer, smaller incidents, understand and respond to them faster, and can rapidly return to normal operations afterwards.

It’s not enough to see the devices in your “as-built” infrastructure – you have to really understand how they are configured and automatically get a list of vulnerabilities.

And that list of vulnerabilities is a problem; there are too many to act on. Even knowing asset value and vulnerability severity aren’t enough to fully understand the risk. You need to understand if they can be accessed. A high value asset with a vulnerability that is segmented behind a firewall is not as big a risk as one that is slightly lower in value, but has an open path to the internet.

RedSeal’s Digital Resilience Score

Resilient organizations must focus on three main areas—being hard to hit, being ready for an attack when it comes, and being able to recover quickly.

RedSeal helps these organizations identify defensive gaps, run continuous penetration tests to measure readiness, and map their entire network infrastructure.

From these capabilities, RedSeal calculates one unified number, so managers, boards of directors and executive management have the understandable and actionable cybersecurity metric they need to drive towards digital resilience.

RedSeal’s Digital Resilience Score focuses on three essential questions:

  • Do you have defects that are easy to hit? RedSeal evaluates how weaknesses from incorrectly configured devices and third-party software could impact you.
  • Can an attacker reach your valuable assets? RedSeal evaluates how well your network is structured, identifying attack pathways and chains of vulnerability that reduce your ability to withstand and recover from attack.
  • Is your network understanding complete? By identifying previously unknown parts of your network, RedSeal evaluates how well you know what your digital infrastructure looks like. With a complete picture, you can be sure you’re managing all assets on your network. During an attack, you’ll be able to understand where an attacker can reach. And, you’ll be able to recover much more quickly.

Instead of getting stuck in an ineffective focus on measuring activity, resilient organizations use RedSeal’s Digital Resilience Score (DRS). This cybersecurity metric works like a creditworthiness score, deducting pointing for defensive gaps, weaknesses revealed by attack simulations, and blind spots in your network awareness. A higher score means there is a higher likelihood that your business can withstand an incident and keep running.

It’s the cybersecurity metric that matters for digital resilience.

Vulnerabilities Age Like Dynamite

/by

In NSA: The Silence of the Zero Days, published in Data Breach Today, Mathew Schwartz discusses hackers’ rapid response to newly discovered flaws and/or exploits.

I was struck by a quote from David Hogue, the head of the NSA’s Cybersecurity Threat Operations Center (NCTOC). “Within 24 hours of a vulnerability or exploit being released, it’s weaponized and used against us.”

Vulnerabilities don’t get worse; they just get better for malicious actors. Like dynamite, they get more dangerous with age. Over time hackers develop new and more damaging ways to leverage known vulnerabilities. They become part of malware campaigns like WannaCry and NotPetya, which were based on existing vulnerabilities identified in the NSA leaked Eternal Blue exploit.

He also said, “… the existing state of network defenses wasn’t robust enough to make attackers have to rely on secret exploits that might get burned once used. ‘If you can live off the land, so to speak, you don’t need to dip into your toolkit.’”

The whole article is an excellent read and I recommend you do so. I have three main takeaways for government cyber leaders.

Worry about known vulnerabilities.

Rather than fret over exotic zero-day threats, focus on basic cyber hygiene. RedSeal can help by modeling your “as-built” network, including those in the cloud, by calculating all the ways data—and intruders—can move from one point to any other. Leveraging this knowledge of access, RedSeal ranks identified vulnerabilities based on the true risks to the organization, so your team’s effort is focused and maximized.

When zero days are identified, stay ahead of the onslaught.

When a zero-day exploit is made public, every hacker will be scanning for unpatched machines. RedSeal will identify the systems at the greatest risk and help identify the best course of action for each — whether applying a network change or patching the exposed systems.

Streamline and automate NSA’s Cybersecurity Threat Operations Center (NCTOC) best practices in your environment.

Applying NCTOC’s Top 5 SOC Principles to your organization, means using RedSeal to automate processes and free up humans to engage in high impact activities. RedSeal’s network modeling and risk scoring platform provides actionable intelligence for rapid investigation by identifying exposed assets and prioritizing actions.

Do you have a problem identifying and managing your network’s vulnerabilities? Click here to set up your free trial of RedSeal and choose the better way.

Warren Buffett’s Take On Cyber Insurance

/by

Warren Buffett recently made clear how risk-averse his business is when it comes to cyber insurance. Addressing his annual shareholder meeting, he summarized the state of play like this: “I think anybody that tells you now they think they know in some actuarial way either what [the] general experience is like in the future, or what the worst case can be, is kidding themselves”.

These are wise words, from a famously far-sighted individual. However, the question is: What are we going to do about this? Certainly, at RedSeal, we do not think this is acceptable. Businesses rely on insurance providers for several critical things. It starts with the basic concept of insurance: you hand your premiums over to an insurer so that you’ll get some protection against the financial downsides of hard-to-predict and catastrophic events. But the relationships between insurers and those who buy insurance has a symbiotic, mutually beneficial aspect to it as well (as Warren Buffett knows). The two groups aren’t adversaries (despite the frictions that result when it’s time to pay up); they have the same long-term interest in reducing the cost and number of catastrophic events. Think of the way our car safety has improved over the last few decades. Some of that improvement was driven by government regulation, but more of it is a result of insurers offering price breaks for things like raised, central brake lights, or ABS, or alarm systems. Insurers investigate accidents in detail, and have learned which car features cause or prevent accidents. When they price that knowledge into their products, they motivate car buyers, who in turn motivate car makers. You might think car makers should just know what makes cars safer, but they don’t really know how people will behave behind the wheel or how much safety people are willing to buy. The process works well over the long haul because of insurance companies’ critical role in gathering data, quantifying cost/benefit, and pricing that into policies that people can understand.

So how do we make this work for cyber insurance? Today, the market for cyber insurance is growing rapidly. Companies want the product, insurers are selling large numbers of policies, and there is still more demand than insurers can comfortably supply. The main thing holding insurers back is the ability to correlate good or bad security behavior against real incident rates. We’re close – the security industry knows a lot about good security, in much the same way that car makers know how to make a car safer, but they aren’t sure about the cost/benefit for any given action. This means we’re spring loaded – there’s market demand, there’s a lot of knowledge about security, but the last critical ingredient is the ability for actuaries at insurance companies to compute the hard-quantified payoffs (change in “Annualized Loss Expectancy” would be the technical term).

This is why RedSeal is working with XL Catlin on innovative ways to measure the cyber practices of companies buying insurance. It’s an exciting time – something we don’t get to say often about the insurance business!

New Study: Closing the Gaps in Cybersecurity Resilience at U.S. Government Agencies

/by

“Closing the Gaps in Cybersecurity Resilience at U.S. Government Agencies,” a new survey of civilian, defense and intelligence agencies, suggests that the cybersecurity threat landscape is evolving quicker than they can respond.

Two-thirds of federal IT executives say their agency‘s ability to withstand a cyber event, and continue to function, is moderately to highly mature.

However, a number of gaps in cybersecurity resilience remain. 6 in 10 defense or intelligence agency IT executives — and 55% at civilian agencies — say their agencies “don’t have all the tools and resources needed to detect and respond to cyberthreats.”

Conclusions

Cyber Incident Response

While about 2 in 3 federal IT officials claim their agency can detect cybersecurity incidents — and more than half claim they can respond — within 12 hours, officials stress the need for more skilled cybersecurity help to confirm there aren’t deeper, undiscovered threats lurking in networks.

Cybersecurity Resilience

Federal IT executives are very or somewhat confident that their agencies can absorb a cyberattack and continue to function. But more than half of civilian executives — and 6 in 10 at defense/ intelligence agencies — say their agencies don’t have all the tools and resources needed to meet their security objectives

Evolving Threat Landscape

The majority of IT executives believe the threat landscape is evolving quicker than their agencies can respond. More than 6 in 10 agreed if their agency could automate more monitoring and mitigation activities, it would be more secure.

Obstacles and Priorities

Executives are investing most heavily in fiscal 2019 into data and network protection tools and threat intelligence. But more than 3 in 4 agree there’s more that their agency could do to fortify their cyber resilience. They also need help overcoming a talent shortage and conflicting funding priorities.

 

The Study

The survey included more than 100 federal government IT, cybersecurity and mission, business and program executives. All respondents are involved either in identifying IT and network security requirements, evaluating or deciding on solutions and contractors, allocating budgets, or implementing or maintaining cybersecurity solutions. The study was completed in the first quarter of 2018, released May 1st by CyberScoop and FedScoop, and underwritten by RedSeal.

CyberScoop is the leading media brand in the cybersecurity market with more than 350,000 unique monthly visitors and 240,000 daily newsletter subscribers, reporting on news and events impacting technology and top cybersecurity leaders across the U.S.

Download the report, Closing the gaps in cybersecurity resilience at U.S. Government agencies, for detailed findings and guidance on how prepared agencies are to continue operating during an attack

Federal Civilian Agency Saves the Day

/by

Two years ago, a federal government civilian agency had a problem.

Nation state actors were targeting the agency, creating numerous cyber events and breaches every day. The media was all over the story. They faced enormous pressure to change the cybersecurity status quo.

The agency’s cybersecurity team knew that they were in reaction mode. They had a gut feeling that they didn’t know as much about their networks as they needed to. Vulnerability scanners were in place, patching was done on schedule, yet incidents kept happening. Were the scanners accurate? Were there missing components on their networks?

After extensive review and testing of the cybersecurity analytics tools on the market, the agency selected RedSeal—initially to manage the findings of the vulnerability scanners and to determine what to fix first, based on risk to high value assets. After expanding the program to thirteen locations, the agency integrated RedSeal enterprise-wide for network mapping and vulnerability prioritization.

The audit team manager said, “Just last week, using RedSeal, we conducted an assessment of a location with 1,500 endpoints and correlated 5,000 vulnerabilities. Further automated analysis by RedSeal showed that only four were a critical threat and should be prioritized for remediation. Normally, the local network engineering staff would have been overwhelmed by 5,000 findings. We saved them a massive amount of work, lowered the risk of a breach and gave them an accurate model of their network for the first time.”

The agency’s Cybersecurity Assessment Team found that with RedSeal the team’s functionality, speed and accuracy was significantly improved. Intuitively, the team members are able to set up RedSeal instances and map the network with a minimum of training and outside consultants. They are also able to easily create reports customized to the needs of each site’s particular mission and responsibilities. “RedSeal is the must-have tool for any cybersecurity assessment team,” was the agency’s conclusion.

Do you have a problem with your time consuming and inaccurate manual vulnerability assessment program? Click here to set up you free trial of RedSeal and choose the better way.

 

Finding Devices Vulnerable and Exposed to CVE-2018-0101 with RedSeal

/by

Summary

Cisco has disclosed a critical CVSS 10 vulnerability in ASA that can allow an uncredentialled user to take over the vulnerable device and change access rules. RedSeal has published a custom best practice check for customers to detect vulnerable devices that have the offending service (WebVPN) enabled.

Quick Links:

What is it?

On January 29th, 2018, Cisco disclosed a critical vulnerability (CVE-2018-0101: Cisco Advisory, NVD Link) in the Cisco ASA software that runs on Cisco firewalls and other network devices. On January 30th, the advisory was updated to reflect the newly issues severity score of CVSS 10 – the highest possible score. The vulnerability is in the WebVPN feature of ASA. An uncredentialled attacker with access to the WebVPN portal can exploit the vulnerability to take over the device and execute arbitrary code, or force the device to restart.

What is the impact?

This WebVPN service is often exposed on firewalls, particularly on edge devices mediating access from untrusted networks into organization’s private networks. A successful exploit of this vulnerability can allow the attacker to take over the device, changing any routing or access rules on it to open access from untrusted networks leading to infiltration of the corporate network. Alternatively, the exploited device can be forced to restart resulting in a denial of service for anyone that depends on access which goes through the device.

Impacted Devices:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

Mitigation and Remediation – How can RedSeal help?

Cisco is currently rolling out patches to the impacted devices. RedSeal has developed a custom best practice check and made it freely available to customers to quickly identify vulnerable devices anywhere on their network with the WebVPN service enabled. This CBPC can be manually imported into RedSeal to quickly and accurately identify which devices are vulnerable and in need of patching or other mitigation.

Network Segmentation, Security and RedSeal

/by

Over the last few decades, many network security architecture products have come to market, all with useful features to help secure networks. If we assume that all of these security products are deployed in operational networks, why do we still see so many leaks and breaches?

Some say the users are not leveraging the full capabilities of these products – which is true.

Other say the users are not fully trained on how to use the product. Also true, and probably why they’re not using the full capabilities of their products.

Instead, we might benefit from remembering a basic truism: We humans are lazy.

Most of us, if offered a button that simply says “fix,” will convince ourselves that it will fix any network problem. We’ll buy that button every day of the week.

Our belief in fix buttons has led to a situation where many of us aren’t following standard security practices to secure our networks. When a network is designed or when you inherit a network, there are some basic things that should be done.

One of the first things to do is isolate, or segment, your network.  Back in the 1990s, network segmentation was done more for performance reasons than security. As we moved from hubs to large, switched networks, our networks have become flat, with less segmentation. Today, once attackers get in, they can run rampant through a whole enterprise.

If we take the time to say, “Let’s step back a second,” and group our systems based on access needed we can avoid much trouble. For instance, a web server most likely will need access to the internet and should be on a separate network segment, while a workstation should be in another segment, printers in another, IoT in one of its own, and so on.

This segmentation allows better control and visibility. If it’s thought out well enough, network segmentation can even reduce the number of network monitoring security products you need to deploy. You can consolidate them at network choke points that control the flow of data between segments versus having to deploy them across an entire flat architecture. This also will help you recognize what network traffic should and should not be flowing to certain segments based on that network segment’s purpose.

This all seems to make sense, so why isn’t it done?  In practice, network segmentation is usually implemented at the start. But, business happens, outages happen, administrators and network engineers are under enormous pressure to implement and fix things every day. All of this causes the network design to drift out of compliance. This drift can happen slowly or astonishingly fast. And, changes may not get documented. Personnel responsible for making the changes always intend to document things “tomorrow,” but tomorrow another event happens that takes priority over documentation.

Network segmentation only works if you can continuously ensure that it’s actually in place and working as intended. It is usually the security teams that have to verify it. But, as we all know, most security and networking teams do not always have the best partnerships. The network team is busy providing availability and rarely has the time to go back and ensure security is functioning.

Even if the security teams are checking segmentation in large enterprises, it is a herculean effort. As a result, validating network segmentation is done only yearly, at best. We can see how automating the inspection of the network security architecture is a clear benefit.

RedSeal enables an automated, comprehensive, continuous inspection of your network architecture. RedSeal understands and improves the resilience of every element, segment, and enclave of your network. RedSeal works with your existing security stack and network infrastructure (including cloud and SDN) to automatically and continuously visualize a logical model of your “as-built” network.

RedSeal’s network modeling and risk scoring platform enables enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital and virtualized world, and to overcome one of the main enemies of cybersecurity – human nature.

Leading Federal Cybersecurity Experts Agree: Federal Agencies Need Integrated and Automated Approach

/by

Recently RedSeal hosted its annual Federal Customer Forum. One of the panels featured a discussion with several luminaries in the federal government cybersecurity ecosystem. The topic: the importance of the integration and automation of cybersecurity operations.

Those present were:

  • Wayne Lloyd, RedSeal (Moderator)
  • Kevin Phan, Splunk
  • Tim Jones, ForeScout
  • Wade Woolwine, Rapid7
  • John America, Mystek Systems

The following questions and answers were lightly edited for better comprehension:

Why is integration and automation important in defending against cyberattacks?

Not enough time to manage cybersecurity. The mundane tasks use up all the people and there is stuff to do afterwards. Humans need to focus on high level actions. Let the tools talk together and that will increase speed to resolution and limit damage. Attacks are automated by hackers, so defense needs to be automated, too.

Are security vendors doing enough to integrate with each other to support their customers’ needs? If so what have you seen work well? If not, what should we as an industry be doing better?

No. No one vendor does it all, and often have trouble integrating with others, so customers need to do a better job integrating solutions from different vendors or hire a managed security services provider.

When it comes to securing IoT devices, where does responsibility lie? Is it with the manufacturer, the user, or both?

Most say that there should be shared responsibility. Devices should be patchable and upgradable. “Know your network” is hard with IoT. There are many, many more endpoints to worry about. Organizations need to develop safe processes for adding IoT to the networks, and segment them onto less secure networks. Organizations need to develop a patching strategy generally, but specifically for IoT devices.

There was a recent example where drones were purchased by the DOD. It turns out that the chips had been white-label manufactured by Huawei in China. These drones were exfiltrating data without user’s knowledge to parties unknown. This kind of supply chain issue is going to be a bigger problem going forward.

If you were to go into an organization that is standing up a new, from scratch, security stack, what capabilities would you recommend they choose?

Detection is important, but how do you trust the decisions that the software makes? You need to get to the raw, unfiltered data. Also, the key is to set up network segments to prevent intruders from roaming freely across your infrastructure. Third, you need to set up hunt teams to proactively search for those intruders. Fourth, setting up a continuous config management process that inventories unpatched software is mandatory now. Penetration testing is useful, but penetration testers usually quit after they find a way in. What about the other thousands of vulnerabilities that they didn’t find?

Good cybersecurity teams are always looking to tear down silos. Bad ones stick to themselves. Hackers are known for sharing code, tools and vulnerabilities, so it seems obvious that cybersecurity teams should do the same. NOCs and SOCs are starting to talk more, which is a good thing, however cloud and dev ops teams seem to be still off on their own. Executive priorities still drive decision making, and no one can prevent those decisions from creating security issues. Cyber teams need to be stewards of data. Implement CIS 20 and set up a risk management framework.  Use table top exercises to train and improve execution, rather than focus on checkboxes and processes.

It appears that you cannot truly protect yourself if you are not using integrated products. Does it make sense to keep buying solutions piecemeal or should security teams look for packages that already integrate?

Most systems integrators do a good job integrating various cybersecurity tools in government. The private sector is much less advanced in this area. Most commercial companies get technologies then push them to a managed services provider.

Do you see threat intelligence playing a big role with federal customers in protecting their networks?

It’s notable that the same old threats pop up all the time. What is unknown is the scary part of the day. For threat detection, we need a faster and faster process of identification, integration and remediation. Hackers share data. We need a better understanding of where the whole threat environment is coming from. That said, we need to protect high value assets (HVA) first. That means mapping out access from HVAs. The average detection time nowadays is 170 days, so you had better set up your organization for maximum resilience. Attacks are now coming from POS systems and, famously, a fish tank in a Las Vegas hotel.

Being Digitally Resilient in the Face of HIDDEN COBRA

/by

Watch Video: RedSeal and Hidden Cobra Overview, Use Cases and Demo

Introduction

On November 17th, the United States Computer Emergency Ready Team (US-CERT), in conjunction with the FBI, released a pair of advisories about the North Korean hacking and espionage campaign code named HIDDEN COBRA. The latest advisories describe two pieces of malware called Volgmer and FALLCHILL, which have been actively used to attack enterprises and other commercial entities in the US. Since 2013, organizations in the aerospace, telecommunications, and finance industries have been targeted with spear phishing campaigns.

The US-CERT advisories provide both a detailed analysis of how the underlying malware packages function as well as the detection signatures and the observed IP addresses of the command and control (C2) infrastructure. This data can be used to detect the malware on your network and sever access to its controllers (Volgmer C2 IP Addresses: CSV STIX; FALL CHILL C2 IP addresses: CSV STIX). US-CERT’s previous HIDDEN COBRA advisories from June also reveal several vulnerabilities (CVEs) that North Korean threat actors are known to target and exploit.

This article will describe how the Volgmer and FALLCHILL malware operate, what they target, how they infect those targets, the potential impacts of these infections, and effective mitigation and remediation strategies to protect your enterprise.

Summary of Suggested Actions:

  1. Identify and eliminate outbound network traffic to the C2 infrastructure.
  2. Perform a risk-based prioritization of vulnerabilities to patch on accessible and high-risk endpoints
  3. Run RedSeal’s incident response query to efficiently isolate and contain any observed indicators of compromise.

About the Volgmer and FALLCHILL Malware

Both malware packages are Windows binaries consisting of executable files and DLL counterparts able to be run as a Windows service. The primary method of attack has been through targeted spear phishing campaigns that trick victims into opening malicious attachments or clicking links leading to malicious websites exploiting browser-based vulnerabilities.

Volgmer

The Volgmer package contains four distinct modules, a “dropper”, two remote administration tools (RATs), and a botnet controller.

  • The Volgmer dropper, a Windows executable, creates a Windows registry key containing the IP address of external C2 servers. It then installs its payload (either a RAT or the botnet controller), achieving stealthy persistence by overwriting an existing Windows service DLL with the payload. Finally, it can clean up after itself and remove all traces.
  • The RAT payload, after achieving persistence on the infected Windows machine, communicates back to its C2 infrastructure over ports 8080 or 8088. The RAT enables the attacker to take over the infected computer, executing arbitrary code and exfiltrating data.
  • The botnet controller can direct the activity of other compromised computers to orchestrate DDoS attacks.

FALLCHILL

The FALLCHILL malware is a remote administration tool demonstrating a heightened degree of sophistication in its ability to remain hidden, as well as an advanced communication mechanism with its C2 infrastructure. FALLCHILL masquerades as a legitimate Windows service randomizing across seemingly innocuous service names. It generates fake TLS traffic over port 443, hiding the C2 commands and communications in the TLS packet headers, which then get routed through a network of proxy servers.

Figure 1: US-CERT visualization of how FALLCHILL communicates with HIDDEN COBRA threat actors

 

How the Malware Spreads and Impact of Infection

Although both malware packages are primarily distributed via targeted spear phishing campaigns, they have also been observed on malicious websites. This increases the chances for opportunistic drive-by-download infections. These targeted attacks have been seen in the US aerospace, telecommunications, and financial services.

A successful infection will result in the HIDDEN COBRA threat actors having persistent access to and control over compromised computers. The remote administration tools allow them to modify the local file system, upload files, execute files or any arbitrary code, as well as download anything on the file system. The result is that attackers will have a hidden backdoor to your system and can execute any arbitrary code. Thus, in addition to being able to exfiltrate local files such as documents directories or Outlook databases, the infection establishes a beachhead into the rest of the network from which future breaches can be staged.

General Mitigation Advice

Enterprise security organizations can take several steps to mitigate the risk of a successful spear phishing or drive-by-download infection. In the past few years, attackers have, with increasing frequency targeted end user workstations to exfiltrate local data and establish a beachhead into the rest of the corporate network. As a result, it is increasingly important to expand vulnerability management programs to include regular scans of workstations and laptops followed by timely patching of any discovered vulnerabilities. Employees, particularly executives and those exposed to sensitive or proprietary data, should be trained on practicing good email hygiene and being vigilant for possible phishing attacks. User workstations should be configured according to the principle of least privilege, avoiding local administrator level access where possible. Additionally, the US-CERT also advises limiting the applications allowed to execute on a host to an approved whitelist, to prevent malware masquerading as legitimate software.

RedSeal Can Increase Resilience and Decrease Risk

RedSeal users can decrease their risk of exposure by identifying, closing, and monitoring access from their networks to the HIDDEN COBRA C2 infrastructure. Moreover, in the event of a detected IOC, RedSeal allows you to accelerate incident investigation and containment to mitigate the impact of an infection.

1. Identify and close any existing outbound access to the C2 infrastructure

The first step is to make sure you eliminate or minimize outbound access from your networks to the HIDDEN COBRA C2 infrastructure. Since the C2 IP addresses point at proxies across the world that relay commands and data to and from the threat actors, many are associated with legitimate entities whose servers have been exploited, or commercial hosting providers whose servers have been rented. To locate access from the inside of your network to any given C2 address from the advisory, use RedSeal’s security intelligence center to perform an access query from an internal region to the internet, and in the IPs filter box, enter the IP address from the US-CERT data.

 

Figure 2: Running an Access Query from the Security Intelligence Center from internal to C2 Infrastructure

 

Figure 3: Access query results shown on map, showing existing access from internal assets to external THREAT COBRA infrastructure

 

With the results of the access query, the next step is to create additional controls such as firewall or routing rules to block access to the relevant IP address at your perimeter. To decide where to introduce such controls, you can run a RedSeal detailed path query to generate a visual traceroute of the offending access path(s) and identify which devices are along those paths and can be used to close access.

 

Figure 4: Detailed Path result identifying all network devices and relevant config locations mediating access from an internal asset to the HIDDEN COBRA infrastructure

 

2. Verify vulnerability scan coverage and perform a risk-based prioritization of vulnerabilities

The HIDDEN COBRA campaign has been known to use a set of five CVEs (CVE-2015-6585; CVE-2015-8651; CVE-2016-0034; CVE-2016-1019; CVE-2016-4117) as the vector for infection. These CVEs include several browser-based vulnerabilities for the Adobe Flash and Microsoft Silverlight plugins as well as a Korean word processing application. It is important to note that while these are the vulnerabilities known to be targeted in the wild to deliver Volgmer or FALLCHILL, any known or unknown Windows-based vulnerability that allows arbitrary code execution and/or privilege escalation can be used as part of a future spear phishing campaign. While it is crucial to locate and remediate the above CVEs first, it is important to perform a vulnerability scan of user workstations for all such vulnerabilities, not just the five enumerated ones.

 

Figure 5: Using the Security Intelligence Center to execute a Threat Query to reveal which vulnerable assets are directly exploitable from the Internet

 

After importing the results of a vulnerability scan, vulnerability managers can first verify whether the scanner’s coverage was complete and identify any areas on the network missed by the scanner. This is accomplished by looking for all “Unscanned Subnets” model issues (MI-7) within your RedSeal model. A subsequent detailed path query from the scanner to the unscanned subnet will reveal whether and why access is blocked.

Next, you can perform a risk-based prioritization of the vulnerable hosts to ensure that the highest risk vulnerabilities are remediated first. The CVEs known to be actively exploited by the HIDDEN COBRA threat actors should be patched or otherwise mitigated first. A good start is to target the vulnerabilities that are on hosts that are accessible from untrusted networks, such as the Internet or a vendor’s network.

Since the malware attempts to establish a hidden Windows service with RAT capabilities, the next vulnerabilities to target for remediation are those that are directly or indirectly accessible and exploitable from any potentially compromised host. To find them, a RedSeal threat query can reveal all vulnerable hosts exploitable from a compromised endpoint on your network.

 

Figure 6: Visual results showing direct (red) and indirect (yellow) threats to the rest of the enterprise from a compromised host.

 

Figure 7: Threat Query results identifying vulnerable hosts threatened by the compromised endpoint


3. Investigate and contain existing IOCs

Finally, you can achieve greater resilience by accelerating your response to detected indicators of compromise and contain compromised systems while working to eliminate the infection. UC-CERT released several detection signatures to identify potentially compromised systems. By leveraging RedSeal’s incident response query directly or from our integrations with major SIEMs like QRadar, ArcSight, and Splunk, you can quickly assess the potential impact of a compromise and identify the mitigating controls necessary to isolate and contain it. The query allows incident responders to rapidly discover and prioritize by value all assets that are accessible from the vulnerable endpoint. A subsequent detailed path query between the vulnerable endpoint and a downstream critical asset will reveal all network devices mediating access and where controls such as firewall rules can be deployed to reduce downstream risk.

 

Figure 8: Incident Response query showing accessible groups and assets from the source of an indicator of compromise

 

Summary

The HIDDEN COBRA campaign is sophisticated, recently showing increases in intensity and variety of methods used. Defenders need to be resilient to minimize enterprise risk, efficiently mitigate damage, and recover from a successful compromise.  RedSeal can help you achieve resilience in the face of these changing threats — by assessing ways to block outbound access to C2 nodes, by locating vulnerable and high risk internal machines, and by speeding the investigation of any detected indicators of compromise.

____________________