Posts

The Network Dimension in Vulnerability Management

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) third control for implementing a cybersecurity program is to practice continuous vulnerability management. Organizations that identify and remediate vulnerabilities on an on-going basis will significantly reduce the window of opportunity for attackers. This third control assumes you’ve implemented the first two CIS framework controls — understanding both the hardware that makes up your infrastructure and the software that runs on that infrastructure.

The first two controls are important to your vulnerability management program. When you know what hardware assets you have, you can validate that you’re scanning all of them for vulnerabilities. As you update your IT inventory, you can include new assets in the scanning cycle and remove assets that no longer need to be scanned. And, when you know what software run on your infrastructure, you can understand which assets are more important. An asset’s importance is key to identifying what should be remediated first.

Most vulnerability scanning platforms allow you to rank the importance of systems being scanned. They prioritize vulnerabilities by applying the CVSS (Common Vulnerability Scoring System) score for each vulnerability on an asset and couple it with the asset’s importance to develop a risk score.

The dimension missing from this risk scoring process is understanding if attackers can reach the asset to compromise it. Although you are remediating vulnerabilities, you can still be vulnerable to attacks if what you’re remediating isn’t accessible by an attacker. It may be protected by firewalls and other network security measures. Knowledge of the network security controls already deployed would allow the vulnerability management program to improve its prioritization efforts to focus on high value assets with exposed vulnerabilities that can be reached from an attacker’s location.

Other vulnerability scanning and risk rating platforms use threat management data to augment their vulnerability risk scoring process. While threat management data (exploits actively in use across the world) adds value, it doesn’t incorporate the network accessibility dimension into evaluating that risk.

As you work to improve your vulnerability management program, it’s best to use all the information available to focus remediation efforts. Beyond CVSS scores, the following elements can improve most programs:

  • Information from network teams on new and removed subnets (IP address spaces) to make sure that all areas of the infrastructure are being scanned.
  • Information from systems teams on which systems are most important to your organization.
  • Including network information in the risk scoring process to determine if these systems are open to compromise.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for meeting your vulnerability management goals by providing network context to existing vulnerability scanning information. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.

Finding Devices Vulnerable and Exposed to CVE-2018-0101 with RedSeal

Summary

Cisco has disclosed a critical CVSS 10 vulnerability in ASA that can allow an uncredentialled user to take over the vulnerable device and change access rules. RedSeal has published a custom best practice check for customers to detect vulnerable devices that have the offending service (WebVPN) enabled.

Quick Links:

What is it?

On January 29th, 2018, Cisco disclosed a critical vulnerability (CVE-2018-0101: Cisco Advisory, NVD Link) in the Cisco ASA software that runs on Cisco firewalls and other network devices. On January 30th, the advisory was updated to reflect the newly issues severity score of CVSS 10 – the highest possible score. The vulnerability is in the WebVPN feature of ASA. An uncredentialled attacker with access to the WebVPN portal can exploit the vulnerability to take over the device and execute arbitrary code, or force the device to restart.

What is the impact?

This WebVPN service is often exposed on firewalls, particularly on edge devices mediating access from untrusted networks into organization’s private networks. A successful exploit of this vulnerability can allow the attacker to take over the device, changing any routing or access rules on it to open access from untrusted networks leading to infiltration of the corporate network. Alternatively, the exploited device can be forced to restart resulting in a denial of service for anyone that depends on access which goes through the device.

Impacted Devices:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

Mitigation and Remediation – How can RedSeal help?

Cisco is currently rolling out patches to the impacted devices. RedSeal has developed a custom best practice check and made it freely available to customers to quickly identify vulnerable devices anywhere on their network with the WebVPN service enabled. This CBPC can be manually imported into RedSeal to quickly and accurately identify which devices are vulnerable and in need of patching or other mitigation.

Customers can find the CBPC as well as installation instructions in the RedSeal Customer Support Portal.

Being Digitally Resilient in the Face of HIDDEN COBRA

Watch Video: RedSeal and Hidden Cobra Overview, Use Cases and Demo

Introduction

On November 17th, the United States Computer Emergency Ready Team (US-CERT), in conjunction with the FBI, released a pair of advisories about the North Korean hacking and espionage campaign code named HIDDEN COBRA. The latest advisories describe two pieces of malware called Volgmer and FALLCHILL, which have been actively used to attack enterprises and other commercial entities in the US. Since 2013, organizations in the aerospace, telecommunications, and finance industries have been targeted with spear phishing campaigns.

The US-CERT advisories provide both a detailed analysis of how the underlying malware packages function as well as the detection signatures and the observed IP addresses of the command and control (C2) infrastructure. This data can be used to detect the malware on your network and sever access to its controllers (Volgmer C2 IP Addresses: CSV STIX; FALL CHILL C2 IP addresses: CSV STIX). US-CERT’s previous HIDDEN COBRA advisories from June also reveal several vulnerabilities (CVEs) that North Korean threat actors are known to target and exploit.

This article will describe how the Volgmer and FALLCHILL malware operate, what they target, how they infect those targets, the potential impacts of these infections, and effective mitigation and remediation strategies to protect your enterprise.

Summary of Suggested Actions:

  1. Identify and eliminate outbound network traffic to the C2 infrastructure.
  2. Perform a risk-based prioritization of vulnerabilities to patch on accessible and high-risk endpoints
  3. Run RedSeal’s incident response query to efficiently isolate and contain any observed indicators of compromise.

About the Volgmer and FALLCHILL Malware

Both malware packages are Windows binaries consisting of executable files and DLL counterparts able to be run as a Windows service. The primary method of attack has been through targeted spear phishing campaigns that trick victims into opening malicious attachments or clicking links leading to malicious websites exploiting browser-based vulnerabilities.

Volgmer

The Volgmer package contains four distinct modules, a “dropper”, two remote administration tools (RATs), and a botnet controller.

  • The Volgmer dropper, a Windows executable, creates a Windows registry key containing the IP address of external C2 servers. It then installs its payload (either a RAT or the botnet controller), achieving stealthy persistence by overwriting an existing Windows service DLL with the payload. Finally, it can clean up after itself and remove all traces.
  • The RAT payload, after achieving persistence on the infected Windows machine, communicates back to its C2 infrastructure over ports 8080 or 8088. The RAT enables the attacker to take over the infected computer, executing arbitrary code and exfiltrating data.
  • The botnet controller can direct the activity of other compromised computers to orchestrate DDoS attacks.

FALLCHILL

The FALLCHILL malware is a remote administration tool demonstrating a heightened degree of sophistication in its ability to remain hidden, as well as an advanced communication mechanism with its C2 infrastructure. FALLCHILL masquerades as a legitimate Windows service randomizing across seemingly innocuous service names. It generates fake TLS traffic over port 443, hiding the C2 commands and communications in the TLS packet headers, which then get routed through a network of proxy servers.

Figure 1: US-CERT visualization of how FALLCHILL communicates with HIDDEN COBRA threat actors

 

How the Malware Spreads and Impact of Infection

Although both malware packages are primarily distributed via targeted spear phishing campaigns, they have also been observed on malicious websites. This increases the chances for opportunistic drive-by-download infections. These targeted attacks have been seen in the US aerospace, telecommunications, and financial services.

A successful infection will result in the HIDDEN COBRA threat actors having persistent access to and control over compromised computers. The remote administration tools allow them to modify the local file system, upload files, execute files or any arbitrary code, as well as download anything on the file system. The result is that attackers will have a hidden backdoor to your system and can execute any arbitrary code. Thus, in addition to being able to exfiltrate local files such as documents directories or Outlook databases, the infection establishes a beachhead into the rest of the network from which future breaches can be staged.

General Mitigation Advice

Enterprise security organizations can take several steps to mitigate the risk of a successful spear phishing or drive-by-download infection. In the past few years, attackers have, with increasing frequency targeted end user workstations to exfiltrate local data and establish a beachhead into the rest of the corporate network. As a result, it is increasingly important to expand vulnerability management programs to include regular scans of workstations and laptops followed by timely patching of any discovered vulnerabilities. Employees, particularly executives and those exposed to sensitive or proprietary data, should be trained on practicing good email hygiene and being vigilant for possible phishing attacks. User workstations should be configured according to the principle of least privilege, avoiding local administrator level access where possible. Additionally, the US-CERT also advises limiting the applications allowed to execute on a host to an approved whitelist, to prevent malware masquerading as legitimate software.

RedSeal Can Increase Resilience and Decrease Risk

RedSeal users can decrease their risk of exposure by identifying, closing, and monitoring access from their networks to the HIDDEN COBRA C2 infrastructure. Moreover, in the event of a detected IOC, RedSeal allows you to accelerate incident investigation and containment to mitigate the impact of an infection.

1. Identify and close any existing outbound access to the C2 infrastructure

The first step is to make sure you eliminate or minimize outbound access from your networks to the HIDDEN COBRA C2 infrastructure. Since the C2 IP addresses point at proxies across the world that relay commands and data to and from the threat actors, many are associated with legitimate entities whose servers have been exploited, or commercial hosting providers whose servers have been rented. To locate access from the inside of your network to any given C2 address from the advisory, use RedSeal’s security intelligence center to perform an access query from an internal region to the internet, and in the IPs filter box, enter the IP address from the US-CERT data.

 

Figure 2: Running an Access Query from the Security Intelligence Center from internal to C2 Infrastructure

 

Figure 3: Access query results shown on map, showing existing access from internal assets to external THREAT COBRA infrastructure

 

With the results of the access query, the next step is to create additional controls such as firewall or routing rules to block access to the relevant IP address at your perimeter. To decide where to introduce such controls, you can run a RedSeal detailed path query to generate a visual traceroute of the offending access path(s) and identify which devices are along those paths and can be used to close access.

 

Figure 4: Detailed Path result identifying all network devices and relevant config locations mediating access from an internal asset to the HIDDEN COBRA infrastructure

 

2. Verify vulnerability scan coverage and perform a risk-based prioritization of vulnerabilities

The HIDDEN COBRA campaign has been known to use a set of five CVEs (CVE-2015-6585; CVE-2015-8651; CVE-2016-0034; CVE-2016-1019; CVE-2016-4117) as the vector for infection. These CVEs include several browser-based vulnerabilities for the Adobe Flash and Microsoft Silverlight plugins as well as a Korean word processing application. It is important to note that while these are the vulnerabilities known to be targeted in the wild to deliver Volgmer or FALLCHILL, any known or unknown Windows-based vulnerability that allows arbitrary code execution and/or privilege escalation can be used as part of a future spear phishing campaign. While it is crucial to locate and remediate the above CVEs first, it is important to perform a vulnerability scan of user workstations for all such vulnerabilities, not just the five enumerated ones.

 

Figure 5: Using the Security Intelligence Center to execute a Threat Query to reveal which vulnerable assets are directly exploitable from the Internet

 

After importing the results of a vulnerability scan, vulnerability managers can first verify whether the scanner’s coverage was complete and identify any areas on the network missed by the scanner. This is accomplished by looking for all “Unscanned Subnets” model issues (MI-7) within your RedSeal model. A subsequent detailed path query from the scanner to the unscanned subnet will reveal whether and why access is blocked.

Next, you can perform a risk-based prioritization of the vulnerable hosts to ensure that the highest risk vulnerabilities are remediated first. The CVEs known to be actively exploited by the HIDDEN COBRA threat actors should be patched or otherwise mitigated first. A good start is to target the vulnerabilities that are on hosts that are accessible from untrusted networks, such as the Internet or a vendor’s network.

Since the malware attempts to establish a hidden Windows service with RAT capabilities, the next vulnerabilities to target for remediation are those that are directly or indirectly accessible and exploitable from any potentially compromised host. To find them, a RedSeal threat query can reveal all vulnerable hosts exploitable from a compromised endpoint on your network.

 

Figure 6: Visual results showing direct (red) and indirect (yellow) threats to the rest of the enterprise from a compromised host.

 

Figure 7: Threat Query results identifying vulnerable hosts threatened by the compromised endpoint


3. Investigate and contain existing IOCs

Finally, you can achieve greater resilience by accelerating your response to detected indicators of compromise and contain compromised systems while working to eliminate the infection. UC-CERT released several detection signatures to identify potentially compromised systems. By leveraging RedSeal’s incident response query directly or from our integrations with major SIEMs like QRadar, ArcSight, and Splunk, you can quickly assess the potential impact of a compromise and identify the mitigating controls necessary to isolate and contain it. The query allows incident responders to rapidly discover and prioritize by value all assets that are accessible from the vulnerable endpoint. A subsequent detailed path query between the vulnerable endpoint and a downstream critical asset will reveal all network devices mediating access and where controls such as firewall rules can be deployed to reduce downstream risk.

 

Figure 8: Incident Response query showing accessible groups and assets from the source of an indicator of compromise

 

Summary

The HIDDEN COBRA campaign is sophisticated, recently showing increases in intensity and variety of methods used. Defenders need to be resilient to minimize enterprise risk, efficiently mitigate damage, and recover from a successful compromise.  RedSeal can help you achieve resilience in the face of these changing threats — by assessing ways to block outbound access to C2 nodes, by locating vulnerable and high risk internal machines, and by speeding the investigation of any detected indicators of compromise.

____________________


Vulnerabilities: The Weeds of Your Digital Terrain

RedSeal Blog - Vulnerabilities - The Weeds of Your Digital Terrain

In the warmer months when I’m not traveling I often get up early and wander my property pulling and spraying weeds. This is an endless and thankless task, yet a necessary evil to preserve my investment and maintain appearances. I am amazed how quickly weeds grow and by the places they find purchase. In just a few days, given the right conditions whole beds can be overtaken.

A few days ago I was meandering about my yard wondering why I don’t have a gardener when it struck me. My own personal battle for yard supremacy provides a great parallel to the efforts of cybersecurity professionals. It occurred to me that vulnerabilities are the weeds of the digital terrain. They are constantly popping up in the strangest places; you can never seem to get them all; and they can quickly get out of hand if you let your attention slip.

Just like weeds, all vulnerabilities are not created equal. Their type, and more importantly their location, are factors we need to consider. The poison ivy at the far end of the property where no one goes is a concern, but far less of one than the poison ivy on the kids’ play set. In the digital terrain, this is the equivalent of vulnerabilities on assets that don’t provide access to critical data verses those that do — whether directly or via pivot attacks. So, it’s not the type of vulnerability that’s important, it’s the exposure that vulnerability delivers to critical resources that is the true cause of risk. The common practice of focusing on CAT1 vulnerabilities is inherently flawed, since the severity of the vulnerability has little to do with the risk it causes for the organization.

People have been fighting weeds since the first crops were sown sometime around 9000 BC. We know weeds and have developed many tools to fight them, yet they persist. We pull them, spray them and set up lines of defense for them to cross. Sound familiar? This is akin to patching, firewalls, and micro segmentation.

I’m making two points here: first and most importantly I need a gardener, but also it is worth reminding ourselves that vulnerabilities aren’t going away anytime soon. Regardless of how much effort you put in, you’ll never have the necessary resources to patch them all. A better strategy is to prioritize what you patch based on the actual risk it causes for your organization. A CAT1 vulnerability isolated by firewall rules provides little risk, but that CAT3 vulnerability exposed directly to the internet may provide a beachhead that exposes your most important data and systems. To quote the old adage, we need to work smarter not harder. For cyber, that means moving from a patch-based methodology to one that focuses on risk.

Digital Resilience Helps Mitigate or Prevent the ExPetr/NotPetya/ GoldenEye Malware


What is it?

The most recent malware campaign hitting Ukraine and the rest of the world is a wiper style malware which is packaged with several propagation mechanisms including the same weaponized Windows SMBv1 exploit utilized by WannaCry.  What was initially thought to be a variant of the 2016 Petya ransomware has now been shown to be a professionally developed cyber-attack masquerading as run-of-the-mill ransomware gone wild. In fact, security researchers have demonstrated that, despite demanding a ransom payment, the payload irreversibly wipes the hard drives of infected systems with no way to decrypt even if a ransom is paid to the specified wallet.

Purpose & Impact

The motivation behind the attack appears to be one of destruction and disruption. Indeed, it has had a devastating impact on enterprise’s operations world-wide as it is designed to rapidly spread throughout corporate networks, irreversibly wiping hard drive in its wake. The initial infection is believed to have targeted Ukrainian businesses and government, managing to wreak havoc in the country’s financial, manufacturing, and transportation industries. Even Chernobyl radiation monitoring systems were impacted, forcing technicians to switch to manual monitoring of radiation levels. ExPetr managed to quickly spread worldwide to thousands of computers in dozens of countries with significant disruption to major enterprises across industries as varied as shipping, pharmaceuticals, and law. Over 50% of the companies being attacked worldwide are in the industrial manufacturing or oil & gas sectors.

How it Spreads

Researchers have identified several distinct mechanisms utilized by the ExPetr malware to penetrate enterprises’ perimeter defenses for an initial infection as well as lateral movement after a successful compromise. The malware’s lifecycle is split into three distinct phases: 1) initial infection, 2) lateral movement, and finally 3) wiping the compromised system. The initial infection is believed to have spread by a malicious payload delivered through a highjacked auto-update mechanism of accounting software used by businesses in Ukraine. Alternatively, ExPetr has been observed to achieve initial infection through phishing and watering hole attacks. Next, once inside, the malware utilizes a different array of techniques to self-propagate and move laterally. Critically, ExPetr attempts to infect all accessible systems with the same Windows SMBv1 vulnerability as last month’s WannaCry attack over TCP ports 445 and 139. The malware is also able to spread laterally by deploying credential stealing packages in search of valid admin and domain credentials. It will leverage any stolen credentials to copy itself through normal Windows file transfer functionality (over TCP ports 445 and 139) and then remotely execute the copied file using the standard administrative tools, PSEXEC or WMIC.

 

Figure 1: Visualizing all accessible areas of the network from a compromised system.

 

How Digital Resilience Helps

Because one of the primary ways the ExPetr malware spreads is through the same Windows SMBv1 vulnerability addressed by Microsoft’s MS17-010 patch in March 2017, the same prevention and mitigation techniques described in depth in RedSeal’s WannaCry response are effective. To review:

  1. Assess and limit exposure by using an access query to discover any assets accessible through TCP ports 445 or 139 from untrusted networks like the Internet or a 3rd party.
  2. Identify vulnerable hosts and prioritize remediation efforts based on risk to the enterprise by importing vulnerability scanner findings and sorting based on risk score.
  3. Isolate critical assets and contain high risk or compromised systems by discovering and eliminating unnecessary access to or from sensitive areas of the network.
  4. Continuously monitor compliance with network segmentation policies by analyzing the relevant rules in RedSeal’s Zones & Policy.
  5. Accelerate incident response by reactively or proactively discovering the blast radius from a compromised system, understanding which assets are network-accessible and deploying the relevant mitigating controls.

 

Figure 2 Results of an access query revealing what access exists from all subnets leading to the critical assets over TCP 139 or 445.

 

While applying the MS17-010 patch to vulnerable systems per a risk-based prioritization of vulnerable hosts is necessary, it is not sufficient to mitigate or prevent infection. ExPetr moves laterally through normal file-transfer and administrative capabilities using stolen credentials. As such, it is important to also reduce the attack surface of production and other mission critical assets through sensible network segmentation techniques, paying close attention to access over ports 445 and 139. RedSeal users can accomplish this by running an access query to determine what can reach critical systems through the implicated ports. Next, access that is not necessary or out of compliance can be cut off by examining the detailed path to see all network devices touched along the path and determine the optimal placement of a network countermeasure, such as a firewall rule, to eliminate the unnecessary access.

 


Figure 3 Detailed Path from the DMZ to a critical asset is 6 hops long with several routers and firewalls along the way

 

Conclusion

Cyber attacks are getting more efficient, more aggressive, and more destructive. Only a digitally resilient organization with full visibility into their network composition and security posture can hope to avoid falling victim, or to mitigate fallout in the event of compromise. Reducing your attack surface is essential to decreasing risk. This can best be done by adhering to standard IT best practices including implementing a robust backup strategy, a vulnerability management program, and a segmented internal network. In this day and age, network segmentation and micro-segmentation are increasingly important as attackers and malware routinely get past perimeter defenses, and often move laterally with impunity due to a lack of internal boundaries. RedSeal helps customers gain visibility into their network as it is built today, providing assurance through continuous monitoring of compliance with network access and segmentation policies. With the increased visibility and understanding, digitally resilient organizations can perform risk-based prioritization of remediation and mitigation activity to efficiently marshal resources and minimize overall enterprise risk.

For more information on how RedSeal can help you become resilient, please contact info@redseal.net.

Update: Responding to the Shadow Broker Vulnerabilities

Last week, the Shadow Brokers hacker group made national headlines by leaking zero-day firewall vulnerabilities, and offering additional exploits for sale through auction. In response, the RedSeal team produced:

  1. A blog post on how major infrastructure vulnerabilities produce the same questions – and how digital resilience puts organizations in the best position to respond.
  2. A step by step “how-to” that shows how network teams can use RedSeal to understand their potential exposure – and to what degree.
  3. A video demonstration of how defenders can use RedSeal to understand the extent of the problem in their specific network.

The feedback we received was tremendous, and we wanted to share a response we received from a customer:

“I sent it out to several of our key users here because I love when you guys do this.  It enabled me to highlight that RedSeal is useful for zero days when there is no patch…

Funny timing as well by the way – the order to identify affected firewalls just came out this morning and we have to respond by tomorrow, so I spent the day researching and working on something before I remembered you sent this and made my life easier. So thank you.”

Have questions, or want to understand how RedSeal can help you with the next inevitable vulnerability hack? Contact us here.

Responding to the Shadow Broker Vulnerabilities

The latest revelations about firewall vulnerabilities stolen and leaked by the Shadow Brokers are very scary, but not all that new.  We learn about the release of a major infrastructure vulnerability about once every six months or so. Organizations that have learned to focus on resilience — knowing their network and how to operate through a threat — are in the best position to respond.

With each new revelation, every defender has to scramble to answer the same three basic questions: do I have this problem? Where? Is it exposed? In today’s situation with weaponized vulnerabilities in major firewalls, the first question is easy to answer (if unfortunate). It seems that almost every major network has instances of these vulnerable products as part of their security defenses. The second and third questions require mapping the vulnerability into your own network. Do you have wide open access, or, effective internal segmentation? For this disclosure, have you properly locked down the important protocol known as SNMP? Once you can answer these questions, you are ready to begin incident response based on any surprises you turn up.

Imagine you’re responsible for a physical building, and you put up doors marked “Authorized Personnel Only”. That’s an important thing to do. Whether you run a retail store, a corporate office, or a cruise ship, you need to keep some critical infrastructure and access in a special zone. Now imagine forgetting to put those signs on some of the doors, or worse, leaving them open – perhaps through simple oversight, rushing to build out your business, or as you adapt to changing times. And, the only way you could know if you have a problem is to walk through every single hallway to check. If you don’t know or can’t tell whether your restricted areas are solid, then incidents are much scarier.  This is the issue behind the latest revelations. It’s an important industry-wide best practice to isolate important network management protocols in a special zone, similar to the “Authorized Personnel Only” part of many buildings. But organizations everywhere have to scramble to see whether they have done this properly in light of the new vulnerabilities in those protocols.

RedSeal users can see where they stand with just a few clicks.

To read more, including step by step instructions for using RedSeal to answer these critical questions, see here.

For a demonstration of how you can use RedSeal to understand the extent of the problem in your specific network, watch our video.

Using RedSeal to Understand Access to the “Shadow Broker” Firewall Vulnerabilities

Recent press coverage has focused a lot of attention on some long-hidden vulnerabilities in firewalls. Network security teams are scrambling to understand whether they are exposed, and to what extent. These notes show how you can use RedSeal to understand the extent of the problem in your specific network.

Nature of the Issues

The current focus is on a set of newly publicized vulnerabilities that had not been uncovered previously, including this Cisco advisory for their ASA products: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

This is not the only vulnerability found in the “Shadow Broker” files, but serves as a good working example. The nature of the vulnerability is a flaw in SNMP, which is very commonly used as an important function of network infrastructure. Simply disabling SNMP is not generally a viable workaround, since SNMP is a vital part of network visibility. (Even if your windshield has a crack in it, it’s not a good response to paint it black.) Instead, organizations have to understand whether they have properly limited access to the vulnerable protocol, and where the locations are that need access.

In other words, a network is in poor shape if anyone, anywhere inside the network can use SNMP to communicate with the firewalls. In that scenario, an attacker anywhere inside the organization can compromise a firewall — an extremely undesirable situation. Such an attacker can surreptitiously monitor traffic, since firewalls are often at critical choke points in networks with a view into all boundary-crossing flows. Worse, if the attacker wants to be disruptive to operations, there are few locations as powerful as a main firewall to cut off the ability of an organization to function and respond.

A well-built organization does not allow SNMP access from anywhere to their key network infrastructure. Instead, they limit access, since SNMP is useful, but not needed by most people in an organization to do their jobs. It has long been a best practice in network architecture to limit access for SNMP only to those locations that need it. But which locations are those exactly? An organization responding to the “Shadow Broker” disclosures has to scramble to quickly understand where they allow SNMP, since these locations are the critical attack surface for these newly revealed attacks.

Finding Access to Firewalls

With RedSeal, it’s very easy to find out whether you are wide open to these SNMP attacks, and if not, to locate where you allow access.

Step 1: Bring up the Security Intelligence Center, using the yellow light bulb icon in the icon bar:

RedSeal_ShadowBroker_1

Step 2: On the left, under Source, click Select, then Browse, then All Subnets, then Replace.  This sets the source for the query to “anywhere”.  You should see this:

RedSeal_ShadowBroker_2

Step 3: On the right, under Destination, click Select, then Browse, and change the View to Primary Capability.  Open the Firewall folder, like this:

RedSeal_ShadowBroker_3

Step 4: To start with, pick just one firewall – in this example, I’ll take the second one on the list, from Vienna.  Hit Replace to add this to the query dialog.

Step 5: In the Protocols field, enter “udp” (without the quote marks) and in the Ports field, enter “161”.  This is the port and protocol for basic SNMP communication.  The query dialog now looks like this:

RedSeal_ShadowBroker_4

Step 6: Click the Access button in the icon bar at the bottom.  This will show you a table of all access to the given firewall – in this case, just one row:

RedSeal_ShadowBroker_5

Step 7: To see this visually, click “Show In Topo” at the bottom of this result.  This will take you to the network map, and highlight where you have SNMP access to the firewall.

RedSeal_ShadowBroker_6

This is a “good” result.  Only one location in the network can use SNMP to reach this firewall.  There is still risk – it’s important to investigate any defects, vulnerabilities, or indicators of compromise from the source side of this arrow. But fundamentally, this firewall was secured following best practices – the total amount of the network that can access the SNMP management plane of this device is very limited.

However, in real world networks, the answer will often be messier. RedSeal recommends following the above steps for only one firewall at first, to look at the extent of SNMP access. If your organization shows a good result for the first few firewalls, this is reassuring, but can then lead to harder questions. For example, we can ask a much wider question, covering all the firewalls at once. This should only be attempted after looking at a few individual firewalls, since the full query can generate an overwhelming amount of data.

To ask this broader question, go back to step 4 – in the Security Intelligence Center dialog, click Select on the right, under Destination.  Rather than picking one firewall off the list, we can select the folder of all firewalls, then click Replace.  The query dialog now looks like this:

RedSeal_ShadowBroker_7

Even in a relatively small network, this generates a lot of information.  We can look at the answer visually, using Show in Topo:

RedSeal_ShadowBroker_8

Clearly, this network has not followed the best practice design of limiting access to all firewalls.  Each blue arrow represents some location that has access to a firewall over SNMP.  It is not plausible that so many locations in this network need that access to perform their job functions.  This network needs to focus on internal segmentation.

Checking Firewall Code Versions

As the various vendors release updates, it’s important to track whether you have firewalls that need to be updated urgently – especially those with very wide access.  You can use RedSeal to generate a summary report on the types of firewalls you have, and which versions of software they are running.  One way to report on firewalls by version is as follows:

Step 1: Open Reports tab, select Security Model in the left hand list of reporting areas.

Step 2: Click the + button to create a new report, and select a data type of Network Device

Step 3: On the first tab, name your report “Firewalls by OS” (without the quotes – or pick your own name for the report), like this:

RedSeal_ShadowBroker_9

Step 4: On the second tab (Fields), click Edit, select OS Version on the left list, and click Add to add it to the list of fields in the report.  Click OK.

Step 5: Under Group Report By, change the grouping to “OS Version”

Step 6: Under Display Options, enter 10 in “Limit display of results to the first N rows”.  (This is to abbreviate the report, at least initially.  Some organizations have a great many firewalls, and the first thing to do is to figure out which OS versions you have, with a few listed examples, before digging through too large of an inventory report.)

By this point, tab 2 should look as follows:

RedSeal_ShadowBroker_10

Step 7: Change to tab 3, Filters, and under “Match All”, add a rule for “Primary Capability”, then “Is”, then “Firewall”, like this:

RedSeal_ShadowBroker_11

Step 8: Hit Save. The default choices on tabs 4 and 5 will work well here, to include some counts and a chart.

Step 9: On the Reports tab, run your new report by double-clicking the icon above “Firewalls by OS” (or whatever name you gave your report).

Your browser will pop up requesting log in (if you haven’t logged in previously), then will display a report summary chart like this:

RedSeal_ShadowBroker_12

You may want to focus first on the smaller bars – the unusual outliers in your network infrastructure. This is where overlooked problems – in this case, well down-rev firewall operating systems – can lurk. The report details will include a sample of the firewalls running each code image in your environment, like this:

RedSeal_ShadowBroker_13

As the firewall vendors move to produce new releases to close off these vulnerabilities, you can use a report like this to track how well your operational teams are deploying these important updates.

Conclusions

The recently uncovered vulnerabilities, which appear to have been in use for many years, are further proof that we need to keep our houses in order. An organization with good discipline about internal segmentation, with a well separated network management infrastructure, has less to worry about with these new revelations. But even that organization needs rapid ways to assess whether the discipline has really held up in practice. Are there gaps? If so, where? Even the locations that do have SNMP access to firewalls, are they easy or hard for an attacker to break into?  All of these questions are easy to answer if you have the ability to analyze your as-built, rapidly evolving network infrastructure. RedSeal makes it easy to find answers to these vital questions.