Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 3 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In Part 2 we discussed the delivery and attack phase of the cyber kill chain as it related to the SamSam attack. Exploit and installation are the next levels in the cyber kill chain, where an attacker gets into your network and is able to move laterally, thereby increasing the impact of their attack. While layers of protection help to prevent attacks from getting into the network, no network is attack-proof, according to Rob McMillan of Gartner:
“Your business must be prepared – an intrusion is inevitable for many organizations and preventative security measures will eventually fail,” says McMillan. “The question you must accept isn’t whether security incidents will occur, but rather how quickly they can be identified and resolved.”
As pointed out in Part 2, 68% of breaches took a month or longer to detect. Also noteworthy is that according to the latest Verizon Data Breach Investigations Report, 48% of breaches featured hacking, followed closely by the use of malware. In fact, that report excluded thousands of additional malware incidents from the assessment because the malware was secondary to the attacker's primary objective.
In a recent attack, Sentinel’s incident response team was brought in to stop the intrusion and minimize the damage. The attacker had compromised a host and gained access using weak administrator-level credentials left behind by a (non-Sentinel) managed service provider. Once inside, the attackers moved laterally and compromised additional hosts until Sentinel’s incident response team was able to intervene. Along with strong patching and prevention, detection and response are critical at these later stages of an attack.
I would also encourage organizations to deploy multi-factor authentication anywhere compromised credentials could be used to reach sensitive data and systems. Credentials are for sale on the black market and are very commonly used by attackers to gain privileged access to your assets. Multi-factor authentication should no longer be viewed as optional; it must become an integral component of every cyber security program. To assist, Sentinel recently launched multi-factor authentication as a service powered by DUO.
The alarm screen in Figure 1 below shows a very well-run and protected organization with excellent detection across the kill chain. As you can see from this example, a great many alarms never escalate to the point of exploit and installation, and even fewer evolve to system compromise. If your organization lacks this level of detection and alarming, consider investing in continuous monitoring, detection and response tooling, and the staff to operate it. In fact, Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020.
Figure 1: Alarm Example
Sentinel’s Security as a Service (SECaaS) and SOC response team treat every alarm at this stage of the attack as requiring immediate action. Once an alarm is detected, our 24x7x365 support team works to a 15-minute response SLA for all alarms at the Exploit and Installation and System Compromise stages of the attack. Additionally, the constant learning loop between our analysts and DevOps teams results in consistent alarm improvements for our many subscribers and uses behavior detection techniques to improve our ability to identify indicators of compromise. If your cyber security team lacks these capabilities, I would encourage you to make them part of your strategy immediately. Attacks happen throughout the year and at any time of day, so organizations must be ready to respond at any moment to stop attackers from creating significant business loss.
Exploit and Installation
Exploit and installation is a critical point in an attack. Your systems are vulnerable and/or actively under attack, potentially leading to command and control (C2). You must stop the attackers at this point, and quickly!
Figure 2 shows a source IP in China attempting to exploit a known vulnerability in Microsoft IIS on Windows Server 2003. Had it succeeded, the attacker would have been able to execute arbitrary code on the server and use it to compromise critical systems. Identifying this threat could result in multiple paths of action, including upgrading or patching the host and blocking all ports and protocols other than the minimum needed to serve the business. Sentinel’s Adaptive Threat Response™ (ATR) automatically responded to this threat by blocking traffic from the source IP address (blurred below), which stopped the attacker before he or she could gain any access or exploit the vulnerability.
Figure 2: Install and Exploit Server 2003 IIS
In the above example, the target is a Windows Server 2003 system that cannot be updated or patched, as the operating system is no longer supported by Microsoft. Wherever possible, all Server 2003 systems should be retired; in many organizations, however, a few exceptions remain that cannot be upgraded for various reasons. These require special attention: security updates and patches are no longer available for them, yet they continue to serve a critical business role. Since patching is not a viable option, here is what I would recommend:
1. Isolation – ideally these systems should be protected with micro-segmentation using technologies such as Cisco ACI, VMware NSX, Cisco Tetration, or something similar. If micro-segmentation is unavailable, isolate these hosts with traditional networking controls (VLANs and firewall rules that allow only the ports the business needs) backed by advanced intrusion prevention technologies.
2. Multiple Endpoint Protection Technologies – I also recommend multiple endpoint protection technologies when economically viable and host performance permits. In the case of Server 2003 it might be advisable to run both corporate standard endpoint protection and advanced malware protection technologies such as Cisco AMP for Endpoints, Palo Alto Traps, and/or Cylance Protect with Optics. I prefer a combination of threat intelligence-powered signature technology along with AI-powered behavior endpoint protection. Protection that profiles normal system activity and monitors for unusual changes is ideal going forward. Sentinel offers multiple options in this space along with many others under our MSSP (managed security service provider) service as a month-to-month managed technology.
3. Decoy Detection – I sometimes refer to this as our “motion” sensor for networks. If you think of the IDS/IPS as the door or window sensor in a house alarm, decoy technology is the motion sensor looking for activity inside the home. With decoys we are able to plant fake servers, client services, and credentials that look identical to the real workloads supporting the business. Because no legitimate user or process has any reason to touch a decoy, any interaction with one is a high-confidence signal, which makes decoys very accurate at detecting attackers, ransomware, and more; the one source of noise to exclude is your own vulnerability scanners and asset-inventory tools. In addition to external attacks, decoys are also very useful for insider threat detection.
Identification of this threat allowed our team to block the bad actor as well as increase the level of protection around the critical host. This minimized the attack surface while simultaneously stopping this threat actor from ever executing potentially dangerous code. Because of our host-level intrusion detection, our Sentinel-managed SIEM and SOC team was made immediately aware of the threat, even though our Adaptive Threat Response™ system had already taken necessary counter measures.
Figure 3: Decoy Catches Malware Movement from X-Ray Machine
In the below example, a decoy has identified a compromised x-ray machine that is trying to plant malware on bait hosts.
With decoy technology in place, this alarm reached the customer response team in time to prevent the breach. “Motion” was sensed on the network by decoys, allowing for proper investigation and response. In this case the bad actor was using the x-ray system to try to drop an executable, ‘tasksched.exe’, onto a Windows 7 decoy system.
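The “motion sensor” behaviour described in the decoy section and in the x-ray example above, as an added example that is not Sentinel’s or any vendor’s decoy code: a bait TCP service and a bait directory, built only from the Python standard library. Nothing legitimate has a reason to touch either, so a single connection attempt or a single new file is an alert. The loopback address, the FTP-style banner, the temporary bait directory and the dropped file name are all constructed for the demo.

```python
"""Decoy "motion sensor" demo: added example, not the decoy product described in the post.
Addresses, ports, banner and file names are constructed for the demo."""
import os
import socket
import tempfile
import threading
import time
from dataclasses import dataclass
from typing import List

@dataclass
class DecoyAlert:
    kind: str    # "connect" (bait port touched) or "file_drop" (bait share written)
    source: str  # peer IP for connects, file path for drops
    detail: str  # first bytes the peer sent, or what kind of file landed

class DecoyListener:
    """Bait TCP port. A real bait host would use 445/3389/21; port 0 lets the OS pick."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 FTP Service ready\r\n"):
        self.alerts: List[DecoyAlert] = []
        self._banner, self._stop = banner, threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (peer_ip, _) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(self._banner)  # look alive and capture the first move
                    first = conn.recv(256)
                except OSError:
                    first = b""
            # The connection itself is the alert; the captured bytes are analyst context.
            self.alerts.append(DecoyAlert("connect", peer_ip,
                                          first[:64].decode("latin-1", "replace").strip()))

class BaitShare:
    """Bait directory standing in for a decoy share: report new/changed files, flag executables."""
    EXEC_EXT = {".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs", ".js"}

    def __init__(self, path: str):
        self.path = path
        self._baseline = self._snapshot()

    def _snapshot(self):  # path -> mtime, for every file under the share
        return {os.path.join(r, f): os.stat(os.path.join(r, f)).st_mtime_ns
                for r, _d, fs in os.walk(self.path) for f in fs}

    def check(self) -> List[DecoyAlert]:
        now = self._snapshot()
        changed = [p for p, m in now.items() if self._baseline.get(p) != m]
        self._baseline = now
        return [DecoyAlert("file_drop", p, "executable dropped"
                           if os.path.splitext(p)[1].lower() in self.EXEC_EXT else "file written")
                for p in changed]

def probe(listener: DecoyListener, payload=b"USER anonymous\r\n", wait=1.0) -> int:
    """Play the attacker: touch the bait port once, then wait for the alert to land."""
    with socket.create_connection(("127.0.0.1", listener.port), timeout=2) as s:
        s.sendall(payload)
        s.recv(64)  # read the banner, as a scanner would
    deadline = time.time() + wait
    while time.time() < deadline and not listener.alerts:
        time.sleep(0.02)
    return len(listener.alerts)

def drop_file(share: BaitShare, name: str, data=b"MZ\x90\x00") -> List[DecoyAlert]:
    """Play the compromised host: write a file into the bait share and re-check it."""
    with open(os.path.join(share.path, name), "wb") as fh:
        fh.write(data)
    return share.check()

def demo():
    """Trip both sensors once; returns (connect alerts, file-drop alerts)."""
    listener = DecoyListener()
    probe(listener)
    drops = drop_file(BaitShare(tempfile.mkdtemp(prefix="bait_share_")), "tasksched.exe")
    listener.stop()
    return listener.alerts, drops
```

A real bait host would listen on the ports the estate actually uses (445, 3389, 21) and serve a convincing share; the detection logic does not change. demo() plays both sides: probe() is the attacker touching the port, drop_file() is the compromised machine writing tasksched.exe into the share, and each alert carries the peer address or path plus the first bytes sent, so an analyst can pivot straight to the source host.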
In my opinion, this is a great showcase of lateral movement and why Gartner recognizes that investments in rapid detection and response will continue to expand. There are a number of ways to add lateral detection, and this example perfectly highlights why it is so critical. If you don’t currently have strong lateral detection with the ability to rapidly respond, you are at risk.
What You Can Do - How It Relates to SamSam
SamSam attackers are actively searching your network for high value targets and attempting to escalate access. If they are successful, they can extract high value information or plant ransomware to monetize their attack. The more time attackers have to navigate your network, the greater their chance of success, which is why both detection and response are so critical. Detection is great, but it is also critical to have a response team ready 24x7x365 because an attack can take place at any time.
Lateral detection is another key point. It certainly makes sense to place protection and detection at the perimeter(s), but as I’ve already mentioned it is inevitable that bad actors will eventually breach the perimeter and compromise your network. Also, a large number of successful breaches come from inside the network – from trusted endpoints, servers, or employees! All of this points to the need for increasing the lateral detection within the network in addition to creating smart isolations and protection within the data center.
Figure 4: SamSam Attack and Cyber Kill Chain
With strong lateral detection and response, an attack would likely be identified in the above illustration by the third step in item 1. As the bad actor moves laterally escalating privilege and mapping resources, they would ideally trip a “motion” sensor on the network (decoy). Proper micro-segmentation and security between networks or tenant spaces would limit the bad actor’s lateral movement to hosts protected by policy-based data center networking, where you can control access from the endpoints through the data center and put additional security around critical servers with confidential or business critical data.
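Policy-based segmentation, as an added example that is not Cisco ACI, NSX or Tetration configuration: a zone-to-zone allow-list written as data, evaluated once per flow to alert on lateral movement the policy forbids, and once as a reachability search from a compromised host to measure how far an attacker could move over SMB, RPC, RDP, WinRM and SSH. The host inventory, zones, policy and observed flows are constructed for the demo.

```python
"""Micro-segmentation as policy-as-code: added example, not vendor configuration.
Hosts, zones, the policy and the observed flows below are constructed for the demo."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: host -> zone.
HOSTS: Dict[str, str] = {
    "ws-finance-01": "user", "ws-finance-02": "user", "xray-01": "medical",
    "web-01": "dmz", "app-01": "app", "file-01": "app", "db-01": "data", "dc-01": "infra",
}
# Policy: (source zone, destination zone) -> allowed destination ports. Default deny:
# any pair not listed, including workstation-to-workstation, is blocked.
Policy = Dict[Tuple[str, str], Set[int]]
POLICY: Policy = {
    ("user", "dmz"): {443},
    ("user", "app"): {445},             # file shares
    ("user", "infra"): {88, 389, 445},  # Kerberos, LDAP, SYSVOL
    ("dmz", "app"): {8443},
    ("app", "data"): {1433},
    ("app", "infra"): {88, 389},
    ("medical", "app"): {104},          # DICOM from modalities to the app tier (assumption)
}
# Ports an attacker uses to move between hosts (RPC, NetBIOS, SMB, RDP, WinRM, SSH).
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 22}

def allowed(src: str, dst: str, port: int, policy: Optional[Policy] = POLICY) -> bool:
    """policy=None models a flat network with no enforcement between hosts."""
    if src == dst:
        return False
    if policy is None:
        return True
    return port in policy.get((HOSTS[src], HOSTS[dst]), set())

def violations(flows: List[Tuple[str, str, int]], policy: Optional[Policy] = POLICY):
    """Flows the policy denies. If such a flow was actually observed on the wire it is
    either a misconfiguration or an attacker probing: treat it as an alert."""
    return [f for f in flows if not allowed(*f, policy=policy)]

def blast_radius(start: str, policy: Optional[Policy] = POLICY) -> Dict[str, List[str]]:
    """Hosts an attacker on `start` can reach over LATERAL_PORTS, with the path taken (BFS)."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt in paths:
                continue
            if any(allowed(cur, nxt, p, policy) for p in LATERAL_PORTS):
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths

# Constructed flows, as a SamSam-style intruder on a finance workstation would produce.
OBSERVED = [("ws-finance-01", "db-01", 445), ("ws-finance-01", "ws-finance-02", 3389),
            ("ws-finance-01", "app-01", 445), ("xray-01", "ws-finance-02", 445)]

if __name__ == "__main__":
    for f in violations(OBSERVED):
        print("DENY ", f)
    for host in ("ws-finance-01", "xray-01"):
        print(host, "flat  ->", sorted(blast_radius(host, None)))
        print(host, "zoned ->", blast_radius(host))
```

Running it shows the point of the exercise: on the flat network every other host is reachable from the finance workstation; under the policy only the app-tier file servers and the domain controller are, and nothing at all from the x-ray modality. The domain controller result is a finding in itself: SMB from the user zone to infra (needed for SYSVOL) is a lateral path the policy leaves open, which is exactly where decoys and host-level detection earn their keep.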
Today's attacks are far more complex and easier to execute than ever before, and have the ability to evade even the most sophisticated protection technology. There is no silver bullet for security, which is why it's important to remember that it's not about IF an attacker will get into your network, but WHEN.
Will you be ready?
If you haven't already, make sure to read Part 1 and Part 2 of the Breaking the SamSam Attack series. If you are interested in learning more about Sentinel’s SecuritySelect portfolio and Advisory Services, please contact us. You can follow Robert Keblusek on Twitter, @RKeblusek.
Cisco Live 2018: The Major Announcements
The size and scale of an annual event like Cisco Live means there are often so many things happening over the course of the five day conference it’s impossible to see and hear everything. Since tens of thousands of customers and vendors have all gathered in one location, Cisco also uses the time to talk about the future, which includes unveiling new products and innovations set to transform the technology landscape. In last week’s blog, several experts from Sentinel highlighted some of their favorite moments and takeaways from their time in Orlando at the conference. This week, we wanted to explore two of the major announcements in greater detail.
Cisco DNA Center as a Platform
Cisco DNA Center is a software-based network management, automation, analytics, and security solution designed primarily for use by college campuses, companies with a large number of branch locations, as well as those operating with an edge network. What makes DNA Center as a Platform different from other Cisco offerings is its inclusion of open APIs (Application Programming Interfaces) as part of its core structure. That means developers can create new, custom applications using a provided set of SDKs (Software Development Kits) and integrate them into their network more easily than ever before. It also opens things up for enhanced network integration with multi-vendor devices, and creates a single management platform to unite multiple networks and systems. In other words, it gives organizations more flexibility with how they deploy, automate, and manage their network. DNA Center as a Platform will be officially released later this summer.
Expansion of DevNet
DevNet is Cisco’s community for open source developers. They are providing the tools, spaces, and support for developers to create applications and integrations with Cisco products. This includes generating new mobile, cloud, IoT (Internet of Things), data center, collaboration, SDN (software-defined networking), and security solutions to further innovation and customization throughout the IT industry. As of Cisco Live, it was revealed that DevNet had grown to more than 500,000 developers, which is why Cisco announced plans to increase the available community resources and offerings in the hopes of making it easier for anyone to find and share applications and solutions built for Cisco platforms.
There are currently close to 1,500 DevNet-created solutions available via Cisco’s online portal, a number that should increase exponentially in the coming months thanks to features like the Code Exchange, which allows developers to access and share building blocks for applications and workflow integrations so they don’t have to go through the time and trouble of piecing them together on their own. It’s like the difference between baking a cake from scratch or using a cake mix from the store – the mix is easier and less time-consuming, and while it may not give you the same sense of accomplishment had you made everything from scratch, there are still plenty of opportunities to change the recipe and craft a uniquely delicious dessert. Cisco has also created a special DevNet DNA Development Center, featuring resources to help with the customization elements of the newly announced DNA Center as a Platform.
As always, Sentinel plans to keep a close eye on these and any other new Cisco offerings as they are announced and officially released. If you are interested in learning more about developments related to Cisco DNA Center or DevNet, please contact us for additional information.
Cisco Live 2018: Top Takeaways from Sentinel Staff
Cisco Live is Cisco’s annual conference for their partners and customers that focuses on technology trends, education, thought leadership, and networking. The primary goal of the event is to provide inspiration and showcase innovation as technology continues to evolve at an incredibly fast rate.
This year’s Cisco Live conference took place from June 10-14 at the Orange County Convention Center in Orlando, Florida. Several members of the Sentinel team were in attendance, eager to connect with customers and learn more about the solutions set to transform the technology landscape in the coming months.
As the conference wrapped up, we asked some of our staff to briefly share three major takeaways or themes from the speeches and panel discussions they attended. Here are their insights:
Odell Waters – Senior Solutions Architect
-Cisco Tetration to protect critical cloud and premise data
-Cisco Software-Defined (SD) Access with DNA Center, which enables network access to any application without compromising security.
-Cisco Identity Services Engine (ISE) – next-generation security with greater awareness and easier access management.
Matt LaSota – Director of Support Services, Network, and CloudSelect
-Automation was a major discussion point.
-A lot of content was focused on Cisco DNA and UCS Director. The technology keynote focused on DNA, a software-based network automation solution.
-Multi-cloud continues to be a focus, with some more definition and actual configuration examples given this year. The sessions on multi-cloud and cloud center were great.
Dan Ristovski – Solution Design Team Lead
-Cisco DNA is going to be leveraged in pretty much every
-Visibility into the Network and Data Center has never been better.
-Security on every device needs to be a requirement. We need protection beyond the office, because the office is now everywhere.
Michael Soule – Strategic Solutions Advisor
-The proliferation and adoption of cloud services will keep increasing and the product offerings will likely be matured in another 1-2 years with greater adoption looking into years 3-5.
-From Software-Defined Wide Area Networks (SD-WAN) to SD-Campus, Cisco is investing heavily in network virtualization and the usage of overlay networks. These are likely to become popular over the next few years, though the complexity of these technologies may make them challenging to support and difficult to troubleshoot in the future.
-Cisco is working hard to redefine the IT market. This is most evident in how many different solutions they are incubating internally and the number of product enhancement partners they are bringing on. The integration between product offerings is stronger than ever before, however they may face difficulties with product overlap and competing functionality if they’re not careful.
Shiling Ding – Senior System Support Engineer
-DevNet/Network automation and programmability are new skills network engineers need to learn.
-Security should be a primary part of any network foundation.
-ISE is critical for almost all enterprise-related security these days.
If you are interested in learning more about these solutions and how they are changing the IT landscape, please contact us for additional information.
My Sentinel Story: Terri Carpenter
It’s no secret that at Sentinel we place a high value on our employees. Their unparalleled expertise, strong work ethic, and dynamic personalities help us maintain our status as an Always Leading IT solutions and services provider. We are proud of the work they do on a daily basis, and hope our customers recognize the Sentinel difference.
Project Manager Terri Carpenter is the focus of our next “My Sentinel Story”. Terri has been a valued member of our team for more than 20 years, initially joining Sentinel as a Customer Service representative. Her favorite things about that job were helping with customers and the flexibility afforded by working three 12-hour shifts each week instead of something more traditional. A close collaboration with a co-worker enabled Terri to expand her duties to become a co-team lead, and eventually an Associate Manager. Her current position as a Project Manager was inspired by her passion for interacting with customers, managing others, and developing innovative solutions to unique challenges. Watch the video to learn more about her journey!
If you are passionate, motivated, and interested in joining the Sentinel team, you can learn more about our corporate culture and browse our current job openings by visiting our Careers page.
What GDPR Compliance Means For Businesses
by Dr. Mike Strnad, Sentinel Strategic Solutions Advisor
The General Data Protection Regulation goes into effect this Friday, May 25th, and very few are ready — not the companies and not even the regulators.
After four years of deliberation, the General Data Protection Regulation (GDPR) was officially adopted by the European Union (EU) in 2016. The regulation gave companies a two year time limit to achieve compliance, which is theoretically plenty of time to prepare and institute the change.
The reality is messier. Like term papers and tax returns, there are organizations that got it done early, however most have waited until the very last minute. GDPR is an ambitious set of rules spanning from requirements to notify regulators about data breaches within 72 hours, to transparency for users about what data is being collected by the organization and why.
GDPR is only supposed to apply to the EU and EU residents, but because so many companies do business in Europe, the American technology industry is scrambling to become GDPR compliant. Still, even though GDPR’s big debut is bound to be messy, the regulation marks a sea change in how data is handled across the world. Americans outside of Europe can’t make data subject access requests nor can they demand that their data be deleted, however GDPR compliance is going to have spillover effects for them anyway.
The breach notification requirement, especially, is more stringent than anything in the United States. The hope is that as companies and regulatory bodies settle into the flow of things, the heightened privacy protections of GDPR will become business as usual. In the meantime, it’s just a mad scramble to keep up.
Some organizations are choosing to follow the GDPR requirements even if they have little or no business based in the EU or with EU customers. These regulations can be highly valuable for safety and transparency in business. Sentinel offers tools and training to help your organization achieve GDPR compliance. Please contact us and our Advisory Services team if you would like to learn more.
New Study Examines the Human Factor in Cybersecurity
The following is an excerpt from a recent 2018 report by next-generation cybersecurity company Proofpoint, investigating how attackers are exploiting human nature to steal data, money, and more from organizations and individuals. It contains some very interesting discoveries, and provides recommendations on how organizations can avoid falling victim to some of the most dangerous tactics.
Email remains the top attack vector. Threats range from spam that clogs inboxes and wastes resources to email fraud that can cost organizations and people millions of dollars. The modern threat landscape also includes a variety of web-based threats that span social channels and cloud applications, while mainstream interest in cryptocurrency is driving advances in malware and new approaches to phishing and cyber-crime.
Here are the key findings from Proofpoint research over the last year. The results, based on data collected across Proofpoint’s global customer base and analysis of over one billion messages per day, highlight the ways actors are stepping up attacks that exploit “the human factor.”
Social engineering underpins the Human Factor. Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click.
• Suspiciously registered domains of large enterprises outnumbered brand-registered domains 20 to 1. That means targets of phishing attacks are more likely to mistake typosquatted and suspicious domains for their legitimate counterparts.
• Fake browser and plugin updates appeared in massive advertising campaigns affecting millions of users. As many as 95% of observed web-based attacks like these, including those involving exploit kits, incorporated social engineering to trick users into installing malware rather than relying on exploits with short shelf lives. Two years ago, social engineering in web-based attacks was much less widely deployed.
• About 55% of social media attacks that impersonated customer-support accounts—a trend known as “angler phishing”—targeted customers of financial services companies.
• Some 35% of social media scams that used links and “clickbait” brought users to video streaming and movie download sites. In-browser coin mining, in which attackers hijack victims’ computers to generate cryptocurrency, also went mainstream. These attacks converged largely around pirated video streaming sites; users’ long viewing sessions gave the miners extended access to victims’ PCs, netting more income for their operators.
Train employees to spot attacks that use social engineering through email, social media, and on websites—even those seemingly tied to well-known brands or current events. Use phishing simulations (fake attacks that use real-world tactics) to see who in your organization clicks. Paired with awareness training, these simulations can reduce the impact of real attacks.
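A way to act on the 20-to-1 lookalike-domain finding above, as an added example that is not Proofpoint’s classifier: fold common homoglyphs, compute edit distance against a brand list, and sort observed domains into legitimate, homoglyph, typosquat, brand-combo, brand-embedded, other-TLD or unrelated. The brand inventory and the sample domains are constructed; the two-label registrable-domain rule is a simplification, noted in the code, that a deployment would replace with the Public Suffix List.

```python
"""Lookalike-domain triage: added example, not Proofpoint's classifier.
Brand inventory and sample domains are constructed for the demo."""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed brand inventory: brand keyword -> registrable domains the brand really owns.
BRANDS: Dict[str, Set[str]] = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "dropbox": {"dropbox.com"},
}
# Single-character look-alikes, then multi-character ones (rn -> m, vv -> w, cl -> d).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def normalize(label: str) -> str:
    """Fold homoglyphs so 'paypa1' and 'rnicrosoft' compare equal to their brands."""
    s = label.lower().translate(HOMOGLYPHS)
    for pair, one in MULTI:
        s = s.replace(pair, one)
    return s

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Last two labels. Assumption: a real deployment would use the Public Suffix List
    so that names like paypal.co.uk are split correctly."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def classify(domain: str, brands: Dict[str, Set[str]] = BRANDS) -> Tuple[str, Optional[str]]:
    reg = registrable(domain)
    for brand, owned in brands.items():
        if reg in owned:
            return "legitimate", brand            # login.microsoftonline.com
    sld = reg.split(".")[0]
    tokens = re.split(r"[-_]", sld)
    norm = normalize(sld)
    for brand in brands:
        nb = normalize(brand)
        if sld == brand:
            return "other-tld", brand             # paypal.co
        if brand in tokens:
            return "brand-combo", brand           # paypal-login.com
        if norm == nb:
            return "homoglyph", brand             # paypa1.com, rnicrosoft.com
        # Short brands tolerate one edit, longer ones two, before we call it unrelated.
        if 0 < levenshtein(norm, nb) <= (1 if len(brand) < 7 else 2):
            return "typosquat", brand             # paypai.com, microsfot.com
        if nb in norm:
            return "brand-embedded", brand        # paypalsecure.com
    return "unrelated", None

def triage(domains):
    """Group a batch of observed domains by verdict; everything except 'legitimate'
    and 'unrelated' is a candidate for blocking or a takedown request."""
    out: Dict[str, list] = {}
    for d in domains:
        verdict, brand = classify(d)
        out.setdefault(verdict, []).append((d, brand))
    return out

if __name__ == "__main__":
    sample = ["paypal.com", "paypa1.com", "rnicrosoft.com", "paypai.com", "microsfot.com",
              "paypal-login.com", "paypal.co", "paypalsecure.com",
              "login.microsoftonline.com", "example.com"]
    for verdict, hits in triage(sample).items():
        print(verdict, hits)
```

The verdict order matters: a domain is checked against the brand’s own registrations first so that login.microsoftonline.com is never flagged, and the homoglyph fold runs before the edit-distance test so that paypa1.com is reported as a homoglyph rather than as a one-character typo.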
Email threats: malware, phishing, and fraud
Analyzing the vast number of malicious messages sent every day, we saw new trends in how attackers target victims and the volume of email they send.
• Dropbox phishing was the top lure for phishing attacks. Twice as many phishing messages used the file-sharing service to entice victims as the next most popular lure. However, click rates for DocuSign lures were the highest, at over five times the average click rate for the top 20 lures, demonstrating that volume did not necessarily equate to effectiveness.
• Observed network traffic of coin mining bots jumped almost 90% between September and November. This threat activity closely mirrored the rise and fall of the value of Bitcoin, the best-known cryptocurrency.
• Ransomware and banking Trojans accounted for more than 82% of all malicious email messages, making them the most widely distributed malware types. However, by the end of 2017, many campaigns also included coin miner modules or secondary payloads.
• Microsoft Office exploits appeared regularly in email campaigns but they usually came in short bursts. This pattern highlights the short shelf life of exploits before they are rendered ineffective due to organizations patching their systems to fix the vulnerability.
Invest in an advanced email security solution that protects against the full range of tools and techniques used in attacks. Your solution should include awareness training, and it must protect against credential phishing, fraud, and unsafe URLs and attachments.
Attacks throughout the year ranged from massive malicious spam campaigns to highly targeted email fraud attacks. While no industries were immune, Proofpoint did observe noteworthy targeting trends.
• Education, management consulting, entertainment, and media firms experienced the greatest number of email fraud attacks, averaging over 250 attacks per organization.
• Construction, manufacturing, and technology were the most phished industries. Manufacturing, healthcare, and technology firms were the top targets of crimeware.
• Ransomware predominated worldwide, but Europe and Japan saw the highest regional proportions of banking Trojans, with 36% and 37% of all malicious mail in those regions respectively.
Deploy email gateway solutions that prevent unsafe emails from reaching users in the first place, and have tools and processes in place that help you quickly detect and resolve any threats that get through.
How Sentinel Can Help
Sentinel offers awareness training as well as other security solutions and services to help educate your staff and minimize the possibility of a breach due to a malware, phishing, spam, or email attack. Please contact us if you would like to learn more.
Sentinel Helps An Insurance Provider Assess Their Security
The customer is a large insurance company recognized as a trusted risk advisor and top solution provider for personal and business insurance, employee benefits insurance, HR solutions, surety bonds, and financial services. They have seven locations and more than 170 employees.
The customer expressed concern over their security posture, and asked Sentinel to conduct a Cisco Security Online Visibility Assessment (SOVA) to gain a better understanding of how well their environment and data were being protected. The SOVA is a free, 14-day cloud-based evaluation that analyzes critical network and system elements to uncover potential security risks and vulnerabilities within an organization. Here are some details revealed about the customer’s environment from the five different areas measured as part of the assessment.
Internal Monitored Network
Provides background information on internal traffic, including hosts communicating within the network, traffic between the network and the internet, devices that export traffic, flows per second, and total records analyzed. The gathered information can highlight activity on unauthorized servers and old servers that are utilizing bandwidth or providing access for rogue or malicious entities. It is also used to “benchmark” the network traffic and analyze circuit sizing.
Since a large amount of network traffic is encrypted, standard networking tools cannot see into it. While encryption protects data, it also makes it difficult to identify threats that may be hiding inside it. For our customer, 71% of the total traffic detected on their network was encrypted. Current industry trends show that encrypted channels are increasingly used to conceal malware delivery, command and control activity, and data exfiltration.
This portion of the assessment examines unauthorized DNS servers along with hosts in danger of exposure, DNS-based malware, or potential data loss. Unauthorized DNS servers can direct hosts to malicious websites where malware or exploitation tools are downloaded. They can also control or block access to software updates from vendors and prevent monitoring of DNS traffic for data loss, command and control activity, and exploitation. The SOVA uncovered five unauthorized DNS servers and four unknown hosts residing on the customer’s network.
Unclassified servers are servers on the network that the organization has no administrative control over. These can be servers that were set up and forgotten by a network administrator, leaving them unpatched and open to exploitation by an attacker. They introduce unintended risk and can be used to execute man-in-the-middle attacks or DNS hijacking. During the customer assessment, we discovered the workstation of a financial advisor was acting as a rogue, unclassified server on their network.
Traffic to High Risk Countries
Network traffic to high-risk countries could be a sign of data exfiltration, advanced persistent threats, or command and control activity. There should be minimal (if any) network traffic coming from or going to these locations. The SOVA revealed 87.3 MB of traffic from five inside host IP addresses to high-risk countries, including Ukraine, Russia, and South Korea. The final report also found 29 peers and several hundred flows over the two-week monitoring period.
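The four findings above, reproduced over constructed flow records as an added example that is not the Cisco Security Online Visibility Assessment tooling: share of bytes on encrypted ports, DNS queries answered by servers outside the sanctioned list, internal hosts serving ports they are not inventoried for (the financial advisor’s workstation case), and per-host byte counts and peers in high-risk countries. The flow lines, the DNS and server inventories and the IP-to-country table are constructed (the external ranges are RFC 5737 test networks); a deployment would feed NetFlow/IPFIX exports and a GeoIP database into the same logic.

```python
"""Flow-record triage for the SOVA-style findings: added example, not the assessment's
own tooling. Flows, inventories and the IP-to-country table are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
APPROVED_DNS = {"10.0.0.10", "10.0.0.11"}                 # resolvers the customer sanctions
KNOWN_SERVERS = {"10.0.0.10", "10.0.0.11", "10.0.0.20"}   # inventory of managed servers
SERVER_PORTS = {22, 53, 80, 88, 135, 139, 389, 443, 445, 3389}
# Assumption: a port-based proxy for "encrypted"; the real assessment classifies by protocol.
ENCRYPTED_PORTS = {22, 443, 465, 993, 995, 8443}
HIGH_RISK = {"RU", "UA", "KR"}                             # the countries named in the post
GEO_TABLE = [("203.0.113.0/24", "RU"), ("198.51.100.0/24", "UA"),   # constructed lookup
             ("192.0.2.0/25", "KR"), ("192.0.2.128/25", "US")]

# Constructed NetFlow-style records: ts,src,dst,proto,dport,bytes
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
1,10.0.1.5,10.0.0.10,udp,53,200
2,10.0.1.5,10.0.9.9,udp,53,300
3,10.0.1.7,8.8.8.8,udp,53,150
4,10.0.1.5,93.184.216.34,tcp,443,50000
5,10.0.1.5,93.184.216.34,tcp,80,10000
6,10.0.1.8,203.0.113.45,tcp,443,4000
7,10.0.1.8,203.0.113.46,tcp,8443,2500
8,10.0.1.9,198.51.100.20,udp,123,300
9,10.0.1.9,192.0.2.200,tcp,443,1200
10,10.0.2.3,192.0.2.10,tcp,22,800
11,10.0.1.5,10.0.1.50,tcp,445,900
"""

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in ipaddress.ip_network(net):
            return cc
    return "--"  # not in our constructed table

def analyze(flow_csv: str) -> Dict:
    total = encrypted = 0
    rogue_dns = defaultdict(set)      # DNS server -> clients that queried it
    unclassified = defaultdict(set)   # internal host -> server ports it answers on, not inventoried
    risky: Dict[str, Dict] = {}       # inside host -> bytes / peers / countries
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src"], row["dst"]
        dport, nbytes = int(row["dport"]), int(row["bytes"])
        src_in = ipaddress.ip_address(src) in INTERNAL
        dst_in = ipaddress.ip_address(dst) in INTERNAL
        total += nbytes
        if dport in ENCRYPTED_PORTS:
            encrypted += nbytes
        if dport == 53 and dst not in APPROVED_DNS:
            rogue_dns[dst].add(src)
        if src_in and dst_in and dport in SERVER_PORTS and dst not in KNOWN_SERVERS:
            unclassified[dst].add(dport)
        if src_in and not dst_in and country_of(dst) in HIGH_RISK:
            e = risky.setdefault(src, {"bytes": 0, "peers": set(), "countries": set()})
            e["bytes"] += nbytes
            e["peers"].add(dst)
            e["countries"].add(country_of(dst))
    return {
        "total_bytes": total,
        "encrypted_bytes": encrypted,
        "encrypted_pct": round(100.0 * encrypted / total, 1) if total else 0.0,
        "unauthorized_dns": {s: sorted(c) for s, c in rogue_dns.items()},
        "unclassified_servers": {h: sorted(p) for h, p in unclassified.items()},
        "high_risk": {h: {"bytes": e["bytes"], "peers": sorted(e["peers"]),
                          "countries": sorted(e["countries"])} for h, e in risky.items()},
    }

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_FLOWS), indent=2))
```

Two caveats the code labels as assumptions: the encrypted share is estimated from destination ports, which undercounts TLS on non-standard ports and overcounts anything cleartext on 443; and the country lookup only sees destinations outside 10.0.0.0/8, so a high-risk peer reached through an internal proxy would show up under the proxy’s address instead.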
The 14-day SOVA provided the customer with unprecedented visibility into their environment, which helped them detect security events and identify new areas of risk. These insights enabled the customer to improve their overall defense strategy, which included new investments in Cisco Umbrella for DNS protection, Cisco AMP for Endpoints to harden devices on the network, plus Sentinel’s Security as a Service (SECaaS) and SOC for monitoring and management of network security events on their network. The customer plans to implement these solutions over the next 6-12 months.
If you are interested in learning more about the free Cisco Security Online Visibility Assessment and how it can benefit your organization, please contact Sentinel.
My Sentinel Story: Diane Jackson
It’s no secret that at Sentinel we place a high value on our employees. Their unparalleled expertise, strong work ethic, and dynamic personalities help us maintain our status as an Always Leading IT solutions and services provider. We are proud of the work they do on a daily basis, and hope our customers recognize the Sentinel difference.
The next part of our “My Sentinel Story” series introduces Managed Services Solution Architect Diane Jackson. Diane started at Sentinel just over five years ago as an Administrative Assistant. While her duties originally focused on contracts with the legal department and vendors, she quickly began to take on additional responsibilities out of a desire to learn more and help others. A fortuitous mentorship and an unexpected opportunity eventually guided her into an important role as part of our Managed Services team. Learn more about Diane and her growth through Sentinel via the video below!
If you are passionate, motivated, and interested in joining the Sentinel team, you can learn more about our corporate culture and browse our current job openings by visiting our Careers page.
The Dependence on Security Hardware
By Dr. Mike Strnad, Sentinel Strategic Solutions Advisor
Many organizations believe that because they invest so much in industry-best security hardware, they don’t need to devote much time and effort to other aspects of protection. While security hardware does play an important role in every IT environment, it is also entirely dependent on human intervention to operate properly. Unfortunately, humans are prone to mistakes, and if they fail to maintain and reinforce the hardware, it can easily weaken your overall security posture.
Think about how we protect our homes using multiple layers of security. We need to do things like turn on the outside lights, lock the doors, and activate the alarm system in order for these security elements to actually be effective. These are tasks we repeat every day without a second thought out of concern for our own safety and the safety of loved ones.
Security hardware also requires repeated checkups to remain fully effective. Firmware updates and patches are developed to keep security components aligned with the current threat landscape; however, if your IT team fails to install those updates correctly or within a reasonable amount of time, it has the potential to place your organization at significant risk.
While there is no such thing as bulletproof security, here are a few fundamental principles organizations can employ to minimize the potential of a breach or infection:
• Conduct a complete risk assessment that includes internal, third party, and cloud-based systems and services.
• Patch, patch, and update. Always be running the latest version of your software.
• Encrypt, encrypt, encrypt—end to end. Make sure you have secure encryption key management.
• Conduct regular security awareness training so workers don’t fall for phishing emails and other social engineering attacks.
• Train employees in both physical and data security to avoid lost data, files, drives, devices, and computers.
Your organization can have the best security hardware money can buy, but there’s very little actual protection if it’s not maintained on a consistent basis by a well-trained IT staff. Sentinel offers Cybersecurity Awareness Training and other SecuritySelect services to help your team significantly reduce the likelihood of a mistake that leaves your data vulnerable. Please contact us if you would like to learn more.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 2 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In Part 1, I wrote about how SamSam is a great example of an attack that spans the cyber kill chain and used the graphic below to help show how. At our Vision 20/20 customer summit this past January we highlighted how your organization can detect and disrupt SamSam and similar attacks using Sentinel’s SecuritySelect™ portfolio of solutions and services.
In Part 2, I will detail the delivery and attack portions of the kill chain. There are plenty of technologies that have a big impact on protecting an organization, but equally important is maintaining a strong security policy and awareness program designed not only to help prevent breaches but also to respond to and recover from them when they do occur. You will see screenshots from an actual SIEM and learn how your organization can detect and protect against some of these exploits as attacks continue to become more frequent and more sophisticated.
Fig. 1 - SamSam Attack and Cyber Kill Chain
Delivery & Attack
During delivery and attack, the attacker determines the best approach to entering the network, provided they are not already an insider. They choose what type of malware or compromise will best achieve their objectives and monetize their attack. In some cases this may be a “drive by” attack, where a generic phishing email was sent to an unsuspecting (and likely untrained) end user who unknowingly executed malware by clicking a malware-weaponized link, or who entered login credentials into a well-crafted fake web site that looked exactly like the Office 365 user portal. In other phishing cases a user might receive a very well-crafted and seemingly authentic email from a trusted source that is actually a compromised host within the network, allowing code execution inside the network. Once the attacker is in the network, depending on their experience level and how targeted the attack is, they will make good use of the information gathered in the reconnaissance phase. With over 50% of attacks coming from organized criminals, if you are specifically targeted it is highly likely your attacker is very capable.
You can refer back to the previous post here, where I wrote about the reconnaissance phase from a more technical perspective, including scanning a target for vulnerabilities, seeking available services, scanning exposed ports, and more. It is worth noting that I didn’t even mention the sophisticated social research attackers will sometimes do to lend a great deal of authenticity to phishing or malvertising web sites. An experienced hacker or advanced automated attack is likely to find an available resource or unaware user to exploit without much difficulty. At this point, perimeter defenses are often rendered useless. Modern attacks, much like the secure virtual private networking organizations use, rely on encryption to hide their traffic in an encrypted tunnel that is often invisible to your defenses. A great example of this type of attack can be seen in this Anatomy of an Attack video from Cisco.
Unless you have an extremely well-protected organization with immaculate patching procedures and highly trained/aware users with policy behind your security program, attackers will find a way in. Motivated attackers are nearly impossible to stop. So once they gain access to your environment, is your organization prepared to respond?
The latest Verizon security report notes that 68% of breaches took a month or longer to detect. Time to detection is difficult to measure, but it is a critical key performance indicator (KPI) that Sentinel’s Security as a Service focuses on improving. Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, because attackers will get in regardless of how much you invest in protection.
Detection During Delivery & Attack
In the screenshot below, I have provided some examples of the Delivery & Attack intent from a Sentinel-managed SIEM. Some very common items we see are brute force attacks and known bad actors from our world-wide threat feeds. In addition, this example shows an attempted denial of service attack using a known vulnerability.
Fig. 2 - Delivery & Attack
We see both external and internal attempts to steal or break into accounts, using various types of attacks, via HIDS (host intrusion detection) agents in nearly every deployment of our managed SIEM. Brute force attacks have become the norm; we have seen them from external hosts attacking exposed IP addresses, but also against internal resources such as end user workstations and even IoT devices. Our dedicated security DevOps teams continually refine our detection algorithms to identify brute force attacks. For example, our team can use the new Office 365 plug-in or the host-based IDS instances we deploy on domain controllers and critical servers to distinguish a user struggling to recall or type their password from an automated machine attack repeatedly hitting the target with failed logins. Even if you don’t have Sentinel’s managed SIEM, it is critical to identify these attacks within your various systems and stop them in their tracks before your credentials are compromised and lead to a full-scale breach.
In many cases we need to have our customer remove the compromised devices and either clean them or re-image the desktop. IoT devices typically require more specialized approaches to protection. Prior to having this detection, these attacks went unnoticed and were sometimes successful at breaking weak passwords and then moving laterally toward a full cyber breach.
Some of our customers opt to use our Adaptive Threat Response™ to automatically block identified threats in supported security firewalls. This allows you to respond to known bad activities without manual action, while the SIEM reports on the behaviors and blocked elements. Other customers choose to receive the alarm and either investigate it themselves or leave it to our professionals. In either case, tracking and investigating activities such as brute force attacks is critical to your defenses. In some cases this could be a device legitimately trying to log in to a host after a change in credentials, which still requires attention. In other cases, it could be a bad actor trying to break into your network to further their attack and eventually obtain command and control (C&C). The complexity of detecting east/west compromise has brought about a number of network flow-based and decoy detection options, available from Sentinel, to help identify an attacker before it is too late. Decoy technology places traps on your network for attackers to unknowingly trigger. Think of them as “motion sensors” on your network that can be made to look very genuine and that produce a highly trustworthy anomaly alarm when an attacker touches one. Sentinel has worked with Attivo Networks to launch a Decoy as a Service offering integrated with our managed SIEM and SOC service. Sentinel and Attivo are very excited about this offering, as it is becoming critical to trick attackers and detect them in order to investigate and potentially even identify the attacker to authorities.
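The distinction drawn two paragraphs up, a user fumbling a password versus an automated attack hammering a target with failed logins, comes down to rate and breadth of failures per source. The script below is an added example written for this post (it is not Sentinel's SIEM correlation logic) that applies two assumed thresholds over a constructed failed-logon feed: too many failures from one source in a sliding one-minute window, or failures against too many distinct accounts from one source, which is the password-spray pattern. The feed format and all addresses and account names are made up.

```python
"""Separate human password fumbling from automated logon attacks.

Added example, not Sentinel's SIEM correlation logic. Input is a constructed,
simplified failed-logon feed, one event per line:
"<ISO timestamp> <source IP> <account>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the environment's real login patterns.
WINDOW = timedelta(seconds=60)   # sliding window over one source's failures
FAIL_THRESHOLD = 10              # failures in WINDOW against any accounts -> brute force
SPRAY_THRESHOLD = 5              # distinct accounts in WINDOW -> password spray


def constructed_events():
    """Build the constructed sample feed used below."""
    lines = [
        # A user mistyping a password three times over a minute.
        "2024-05-01T08:00:00 10.0.0.5 jdoe",
        "2024-05-01T08:00:25 10.0.0.5 jdoe",
        "2024-05-01T08:01:10 10.0.0.5 jdoe",
    ]
    # Twelve failures in twelve seconds against one account: automated guessing.
    lines += [f"2024-05-01T08:05:{i:02d} 203.0.113.7 administrator" for i in range(12)]
    # One failure each against six accounts within thirty seconds: password spray.
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2024-05-01T08:10:{i * 5:02d} 198.51.100.9 {acct}")
    return lines


def parse_events(lines):
    """Parse feed lines into (timestamp, source_ip, account) tuples, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, acct = line.split()
        events.append((datetime.fromisoformat(ts), src, acct))
    events.sort()
    return events


def classify_sources(events):
    """Return {source_ip: verdict}.

    Verdicts: 'password_spray' (many accounts from one source in WINDOW),
    'brute_force' (many failures from one source in WINDOW), otherwise
    'likely_user_error'. The sliding window lets a burst anywhere in the
    feed trip a threshold, not just the first or last minute.
    """
    by_src = defaultdict(list)
    for ts, src, acct in events:
        by_src[src].append((ts, acct))

    verdicts = {}
    for src, items in by_src.items():
        verdict = "likely_user_error"
        start = 0
        for end in range(len(items)):
            # Advance the window start until it spans at most WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            window = items[start:end + 1]
            if len({acct for _, acct in window}) >= SPRAY_THRESHOLD:
                verdict = "password_spray"
                break
            if len(window) >= FAIL_THRESHOLD:
                verdict = "brute_force"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_events(constructed_events())).items():
        print(f"{src}: {verdict}")
```

The stale-credential case mentioned above, a legitimate device retrying an old password after a credential change, will usually trip the single-account threshold too when it retries quickly; that is fine, since the post treats it as something that still needs attention, and the source address being internal and the account being a service account are the clues that separate it from an outside attacker during triage.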
Another example from the screenshot above, identified by our world-wide threat feed, is an attempt to exploit a known vulnerability (CVE) that can cause a denial of service on an IIS server. According to the national reporting of this vulnerability it “allows remote attackers to cause a denial of service (use-after-free) or possibly have an unspecified alternative impact via unknown vectors.” Identifying attempts to exploit known vulnerabilities is a powerful feature of Sentinel’s SECaaS and allows you to patch these items before any damage is inflicted. Vulnerable hosts with exposed services have been identified as the attack vector in many recent high profile attacks, such as the City of Atlanta (based on initial reports), and have been confirmed in a number of other recent attacks, especially those targeting healthcare organizations. These can be vulnerable web servers, RDP servers exposed to the internet, IoT devices, or nearly any type of connected device that might be compromised and allow lateral movement within the network.
The Human Factor
While vulnerable host attacks by SamSam have made headlines lately, the top attacked resource within your organization is your people. A stunning fact is that 96% of social attacks occur through email phishing campaigns. All of us likely see these types of attacks multiple times per week, if not multiple times daily!
Most organizations have some form of email gateway in place to try to prevent these types of attacks; however, some will still get through no matter how strong your defenses are. A lot of customers are moving to hosted email services such as Office 365. These hosted services typically include email protection. While some can be very capable, we often see customers set them up and then fail to maintain them properly. Our own hosted email security, which supports Office 365 and on-premises email services, has proven very valuable in preventing email attacks and malware-weaponized attachments from getting into organizations. In many cases customers have sent us sample phishing emails for investigation, and we determined that our service would have stopped those emails in their tracks. However, we also see more advanced email attacks that sometimes slip through even our well-managed gateway service. Once identified, we put automated rules in place to protect all users of our service. Even with a managed email gateway powered by an experienced SOC organization like Sentinel, we still recommend additional layers of protection along with strong end user education and mock phishing testing programs. End user awareness is critical to keeping any organization secure. Users shouldn’t simply assume they are safe, because they are not. Diligence is a necessary job requirement today.
The screenshot below shows a number of attacks that progressed through strong endpoint security and email gateway services and made it into the user’s inbox, ready for exploitation. With these emails now in the network, users sometimes take the bait.
Fig. 3 - Sentinel Managed Cisco Umbrella Phishing Prevention