Tag Archive for: Thought Leadership

Advice from Hackers at Black Hat

At the recent Black Hat USA conference, CIO asked 250 self-identified hackers for their opinion on security solutions. The answers are a good indicator of what works to protect your organization. Of all the technologies out there, the respondents identified multi-factor authentication and high-level encryption as the two that are hardest to get past – 38 and 32 percent, respectively – making them the two best tools an organization can use to thwart attackers. The lesson? Your organization should invest in multi-factor authentication and strong encryption for data at rest and data in motion to make the attackers’ job much more difficult.

Another surprising revelation – more than 90 percent of respondents find intrusion prevention systems, firewalls, and anti-virus easy to overcome. This is because attackers use technologies to encode their payload (i.e. disguise their software so it isn’t detected). They also realize that it is much easier to ‘hack’ the weakest link, the human element. Let’s say an attacker shows up and tells the receptionist she has an interview. Then the attacker explains, with an exasperated look on her face, that she didn’t have time to swing by a print shop to print her resume. The attacker then asks the receptionist to print it. As human beings, we feel empathy and we want to help. The receptionist sticks the USB drive into a computer, finds the resume, and prints it – firing off the payload attached to the document on the USB drive.

Does this mean that the money and man hours spent on firewalls, intrusion prevention systems, and antivirus are wasted? The answer is no. These technologies help thwart the most basic and greatest number of automated attempts at breaking into your organization. The example I used above is called a social engineering attack. Attackers will put together payloads and either email them out, attach them to resumes and apply for jobs, or physically go to your location and drop USBs on the ground. In fact, 85 percent of those surveyed prefer these types of attacks because of how successful they are. Each of these attacks makes your perimeter security useless. CIOs and ISOs need to harden the internal security of their organization as well. They need to train their employees for these types of attacks, tell them what to look out for, and foster an environment where it is okay and even expected to challenge people.

Understanding your network and the actions that attackers take to compromise your environment will help your organization develop contingency plans. These contingency plans will help your organization maintain a resilient network. You can’t just protect your network and expect that to be enough anymore. The question all leaders in security should be asking is, “What do we do when an attacker gets in, and how do we lessen the damage done to our organization?”

That is the beginning of building a resilient network.

Cybersecurity’s Ceiling

Dark Reading | August 14, 2017

Security spending and staffing are rising, but restrained resources are tempering market growth.

The IT security market is often painted as a non-stop growth curve with no end in sight. But many analysts who have studied market trends say despite recent increases in spending and hiring, the market paradoxically is being slowed by a shortage of resources.

In some cases, upper management is putting a cap on spending and hiring. In the recently published 2017 Black Hat Attendee Survey, most security professionals say they are increasing hiring and spending. Yet, some 71% of security professionals do not feel they have enough people to handle the threats they will face in the coming year. Fifty-eight percent say they don’t have enough budget.

Counting the Cost of Mega Cyber Risk

Computer Business Review | August 10, 2017

It’s clear that corporations want to buy insurance to reduce their exposure to losses from cyber-attacks, and insurers have responded to the need. However, most buyers are dissatisfied – the coverage amounts are low, and the covered events are too narrow. From the insurer’s point of view, it had to be this way, due to historic challenges with visibility into cyber risk and liability.

When everyone wants the same kind of policy, the insurer has to think about the systemic risk, and if that systemic risk is poorly understood, each individual policy has to stay small. Think of everyone in a medieval town wanting to buy fire insurance at the same time – individually, they all want the same thing, but the insurer can’t take on the combined risk without understanding whether the houses are all in the same town, or made of the same flammable material.

Time For CFOs to Get Serious About Cybercrime Prevention

TechTarget | July 31, 2017

Payment risks and email scams are too complex to pass off to an insurance provider. They call for C-level involvement in making sure the entire trading partner network is secure.

Some CFOs and corporate treasury managers lack a sense of urgency about the need for cybercrime prevention and about the financial hits that could come from cybercrime attacks. Scanning conference rosters, I see an emphasis on cyberinsurance, which ostensibly transfers the risk of loss to someone else, all for the price of a policy. But an effective cybercrime prevention strategy requires much more than that. It requires CFOs to be proactive about making their networks secure.

Business Agility And Security Automation (Or, How The Government Sometimes Gets It Right)

Forbes | July 11, 2017

By Dr. Mike Lloyd, RedSeal CTO

A healthy, growing business is a risky business. Why? Modern businesses must innovate, change and grow continuously to stay ahead of the competition. Normally, we look at business agility as a good thing — a differentiator; a challenge to be embraced; a way to shake the invisible hand that drives our world. But from a security viewpoint, all this change is a problem, especially for cybersecurity.

RedSeal CEO Joins Cheddar TV’s “Closing Bell” to Talk Petya, Cyberattack Impact on Business

Cheddar | July 6, 2017

 

RedSeal CEO Ray Rothrock joined Cheddar TV’s “Closing Bell” show to discuss the impact of cyberattacks on sales and stock prices, and our own government’s ability to be resilient.

Ray’s segment starts at the 1:25:24 mark of the video.

Digital Resilience Helps Mitigate or Prevent the ExPetr/NotPetya/GoldenEye Malware


What is it?

The most recent malware campaign hitting Ukraine and the rest of the world is a wiper-style malware packaged with several propagation mechanisms, including the same weaponized Windows SMBv1 exploit utilized by WannaCry. What was initially thought to be a variant of the 2016 Petya ransomware has now been shown to be a professionally developed cyber-attack masquerading as run-of-the-mill ransomware gone wild. In fact, security researchers have demonstrated that, despite demanding a ransom payment, the payload irreversibly wipes the hard drives of infected systems with no way to decrypt even if a ransom is paid to the specified wallet.

Purpose & Impact

The motivation behind the attack appears to be one of destruction and disruption. Indeed, it has had a devastating impact on enterprises’ operations worldwide, as it is designed to spread rapidly throughout corporate networks, irreversibly wiping hard drives in its wake. The initial infection is believed to have targeted Ukrainian businesses and government, managing to wreak havoc in the country’s financial, manufacturing, and transportation industries. Even Chernobyl radiation monitoring systems were impacted, forcing technicians to switch to manual monitoring of radiation levels. ExPetr managed to quickly spread worldwide to thousands of computers in dozens of countries with significant disruption to major enterprises across industries as varied as shipping, pharmaceuticals, and law. Over 50% of the companies being attacked worldwide are in the industrial manufacturing or oil & gas sectors.

How it Spreads

Researchers have identified several distinct mechanisms utilized by the ExPetr malware to penetrate enterprises’ perimeter defenses for an initial infection as well as lateral movement after a successful compromise. The malware’s lifecycle is split into three distinct phases: 1) initial infection, 2) lateral movement, and finally 3) wiping the compromised system. The initial infection is believed to have spread by a malicious payload delivered through a hijacked auto-update mechanism of accounting software used by businesses in Ukraine. Alternatively, ExPetr has been observed to achieve initial infection through phishing and watering hole attacks. Next, once inside, the malware utilizes a different array of techniques to self-propagate and move laterally. Critically, ExPetr attempts to infect all accessible systems with the same Windows SMBv1 vulnerability as last month’s WannaCry attack over TCP ports 445 and 139. The malware is also able to spread laterally by deploying credential stealing packages in search of valid admin and domain credentials. It will leverage any stolen credentials to copy itself through normal Windows file transfer functionality (over TCP ports 445 and 139) and then remotely execute the copied file using the standard administrative tools, PSEXEC or WMIC.

 

Figure 1: Visualizing all accessible areas of the network from a compromised system.

 

How Digital Resilience Helps

Because one of the primary ways the ExPetr malware spreads is through the same Windows SMBv1 vulnerability addressed by Microsoft’s MS17-010 patch in March 2017, the same prevention and mitigation techniques described in depth in RedSeal’s WannaCry response are effective. To review:

  1. Assess and limit exposure by using an access query to discover any assets accessible through TCP ports 445 or 139 from untrusted networks like the Internet or a 3rd party.
  2. Identify vulnerable hosts and prioritize remediation efforts based on risk to the enterprise by importing vulnerability scanner findings and sorting based on risk score.
  3. Isolate critical assets and contain high risk or compromised systems by discovering and eliminating unnecessary access to or from sensitive areas of the network.
  4. Continuously monitor compliance with network segmentation policies by analyzing the relevant rules in RedSeal’s Zones & Policy.
  5. Accelerate incident response by reactively or proactively discovering the blast radius from a compromised system, understanding which assets are network-accessible and deploying the relevant mitigating controls.

 

Figure 2: Results of an access query revealing what access exists from all subnets leading to the critical assets over TCP 139 or 445.

 

While applying the MS17-010 patch to vulnerable systems per a risk-based prioritization of vulnerable hosts is necessary, it is not sufficient to mitigate or prevent infection. ExPetr moves laterally through normal file-transfer and administrative capabilities using stolen credentials. As such, it is important to also reduce the attack surface of production and other mission critical assets through sensible network segmentation techniques, paying close attention to access over ports 445 and 139. RedSeal users can accomplish this by running an access query to determine what can reach critical systems through the implicated ports. Next, access that is not necessary or out of compliance can be cut off by examining the detailed path to see all network devices touched along the path and determine the optimal placement of a network countermeasure, such as a firewall rule, to eliminate the unnecessary access.

 


Figure 3: Detailed path from the DMZ to a critical asset is 6 hops long, with several routers and firewalls along the way.
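
The access query and blast-radius steps above can be sketched as a reachability search over a zone graph. This is an added example, not RedSeal's product or API: the zone names and permitted-port rules are a constructed, hypothetical topology, and the model generalizes slightly by following chains of zones a self-propagating worm could traverse hop by hop over TCP 139/445.

```python
from collections import deque

SMB_PORTS = {139, 445}  # ports the article implicates in ExPetr lateral movement

# Constructed topology: (source zone, destination zone) -> TCP ports the
# device between them permits. All zone names and rules are hypothetical.
ALLOWED = {
    ("internet", "dmz"): {80, 443},
    ("partner", "dmz"): {443, 445},
    ("dmz", "user_lan"): {443, 445},
    ("user_lan", "file_servers"): {139, 445},
    ("user_lan", "scada"): {445, 502},
    ("file_servers", "backup"): {22},
}

def smb_paths(start, allowed=ALLOWED, ports=SMB_PORTS):
    """Blast radius: BFS from `start`, returning {zone: hop list} for every
    zone reachable when each hop permits at least one of `ports`."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for (src, dst), permitted in allowed.items():
            if src == here and dst not in paths and permitted & ports:
                paths[dst] = paths[here] + [dst]
                queue.append(dst)
    del paths[start]
    return paths

def exposure(critical, untrusted, allowed=ALLOWED):
    """Access query: which untrusted zones reach a critical zone, and how."""
    hits = {}
    for zone in untrusted:
        paths = smb_paths(zone, allowed)
        for asset in critical:
            if asset in paths:
                hits[(zone, asset)] = paths[asset]
    return hits

def without_smb(allowed, edge, ports=SMB_PORTS):
    """Model a countermeasure: a rule on one hop that drops the SMB ports."""
    trimmed = dict(allowed)
    trimmed[edge] = allowed[edge] - ports
    return trimmed

if __name__ == "__main__":
    print(exposure({"scada", "file_servers"}, {"internet", "partner"}))
    print(smb_paths("user_lan"))  # blast radius of a compromised user zone
    fixed = without_smb(ALLOWED, ("partner", "dmz"))
    print(exposure({"scada", "file_servers"}, {"internet", "partner"}, fixed))
```

The returned hop list plays the role of the detailed path: every hop on it is a candidate location for the blocking rule, and re-running the query against the trimmed rule set confirms the access is gone.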

 

Conclusion

Cyber attacks are getting more efficient, more aggressive, and more destructive. Only a digitally resilient organization with full visibility into its network composition and security posture can hope to avoid falling victim, or to mitigate fallout in the event of compromise. Reducing your attack surface is essential to decreasing risk. This can best be done by adhering to standard IT best practices, including implementing a robust backup strategy, a vulnerability management program, and a segmented internal network. In this day and age, network segmentation and micro-segmentation are increasingly important as attackers and malware routinely get past perimeter defenses, and often move laterally with impunity due to a lack of internal boundaries. RedSeal helps customers gain visibility into their network as it is built today, providing assurance through continuous monitoring of compliance with network access and segmentation policies. With the increased visibility and understanding, digitally resilient organizations can perform risk-based prioritization of remediation and mitigation activity to efficiently marshal resources and minimize overall enterprise risk.

For more information on how RedSeal can help you become resilient, please contact info@redseal.net.

Petya: Recommendations for defense and remediation

The CyberWire | June 29, 2017

What can enterprises do, now, to protect themselves against Petya and the other, similar attacks soon to follow? This won’t be a one-time thing: WannaCry wasn’t, and it’s reasonable to expect fresh ransomware campaigns to keep coming, hard and fast. The attackers get a good return on investment from repurposing tools and exploits. There’s no reason to expect them to stop.

For your coverage of Petya, Ray Rothrock, CEO of RedSeal, said in an email, “It’s happening again. This time in a slightly different form and name, but it’s the same. A new strain of Petya malware is going after unpatched Windows systems via EternalBlue, the same stolen NSA tool exploited by WannaCry.”

3.5M vacant cybersecurity roles by 2021, Cybersecurity Ventures report

SC Magazine | June 7, 2017

A look out at the jobs landscape shows that over the next five years, positions in the cybersecurity field will triple, according to “The Cybersecurity Jobs Report,” sponsored by Herjavec Group.

The global information security advisory firm predicts that – largely owing to increases in cybercrime – the number of cybersecurity job openings will hit 3.5 million by 2021.

Cybersecurity Faces 1.8 Million Worker Shortfall By 2022

Dark Reading | June 7, 2017

Over the next five years, the number of unfilled cybersecurity jobs will rise to a whopping 1.8 million, a 20% increase from 2015 estimates, according to a new (ISC)2 survey released today.

Driving this widening shortage is not only the often discussed lack of qualified workers but also a greater need to bring in more warm bodies to tackle the rapidly evolving ways that cybercriminals and attackers are launching their nefarious activities, according to the report. It’s getting easier for low-tech criminals to get into hacking, thanks to malware-as-a-service operations and crimeware kits.