Last week, the Shadow Brokers hacker group made national headlines by leaking working exploits for previously unknown firewall vulnerabilities, and offering additional exploits for sale through an auction. In response, the RedSeal team produced:
A blog post on how major infrastructure vulnerabilities produce the same questions – and how digital resilience puts organizations in the best position to respond.
A step by step “how-to” that shows how network teams can use RedSeal to understand their potential exposure – and to what degree.
A video demonstration of how defenders can use RedSeal to understand the extent of the problem in their specific network.
The feedback we received was tremendous, and we wanted to share a response we received from a customer:
“I sent it out to several of our key users here because I love when you guys do this. It enabled me to highlight that RedSeal is useful for zero days when there is no patch…
Funny timing as well by the way – the order to identify affected firewalls just came out this morning and we have to respond by tomorrow, so I spent the day researching and working on something before I remembered you sent this and made my life easier. So thank you.”
Have questions, or want to understand how RedSeal can help you with the next inevitable vulnerability disclosure? Contact us here.
Update: Responding to the Shadow Broker Vulnerabilities. By Wayne Lloyd, Federal CTO, RedSeal. Published 2016-08-25 07:09:46, updated 2018-06-11 10:12:10.
The latest revelations about firewall vulnerabilities stolen and leaked by the Shadow Brokers are very scary, but not all that new. We learn about the release of a major infrastructure vulnerability about once every six months or so. Organizations that have learned to focus on resilience — knowing their network and how to operate through a threat — are in the best position to respond.
With each new revelation, every defender has to scramble to answer the same three basic questions: do I have this problem? Where? Is it exposed? In today’s situation, with weaponized vulnerabilities in major firewalls, the first question is easy to answer (if unfortunate): almost every major network has instances of these vulnerable products as part of its security defenses. The second and third questions require mapping the vulnerability into your own network. Do you have wide-open access, or effective internal segmentation? For this disclosure, have you properly locked down SNMP, the management protocol these exploits target? Once you can answer these questions, you are ready to begin incident response based on any surprises you turn up.
Imagine you’re responsible for a physical building, and you put up doors marked “Authorized Personnel Only”. That’s an important thing to do. Whether you run a retail store, a corporate office, or a cruise ship, you need to keep some critical infrastructure and access in a special zone. Now imagine forgetting to put those signs on some of the doors, or worse, leaving them open – perhaps through simple oversight, rushing to build out your business, or as you adapt to changing times. And the only way you could know whether you have a problem is to walk through every single hallway to check. If you don’t know or can’t tell whether your restricted areas are solid, then incidents are much scarier. This is the issue behind the latest revelations. It’s an important industry-wide best practice to isolate network management protocols in a special zone, similar to the “Authorized Personnel Only” part of many buildings. But organizations everywhere have to scramble to see whether they have done this properly, in light of the new vulnerabilities in the devices that speak those protocols.
RedSeal users can see where they stand with just a few clicks.
To read more, including step by step instructions for using RedSeal to answer these critical questions, see here.
For a demonstration of how you can use RedSeal to understand the extent of the problem in your specific network, watch our video.
Responding to the Shadow Broker Vulnerabilities. By Dr. Mike Lloyd, CTO, RedSeal. Published 2016-08-18 15:24:26, updated 2018-08-14 08:58:07.
Recent press coverage has focused a lot of attention on some long-hidden vulnerabilities in firewalls. Network security teams are scrambling to understand whether they are exposed, and to what extent. These notes show how you can use RedSeal to understand the extent of the problem in your specific network.
This is not the only vulnerability found in the “Shadow Broker” files, but it serves as a good working example. The flaw lies in the firewalls’ handling of SNMP, a protocol that is very commonly used as an important function of network infrastructure. Simply disabling SNMP is not generally a viable workaround, since SNMP is a vital part of network visibility. (Even if your windshield has a crack in it, it’s not a good response to paint it black.) Instead, organizations have to understand whether they have properly limited access to the vulnerable service, and which locations legitimately need that access.
Put concretely, a network is in poor shape if anyone, anywhere inside it can use SNMP to communicate with the firewalls. In that scenario, an attacker anywhere inside the organization can compromise a firewall — an extremely undesirable situation. Such an attacker can surreptitiously monitor traffic, since firewalls often sit at critical choke points with a view into all boundary-crossing flows. Worse, if the attacker wants to disrupt operations, there are few locations as powerful as a main firewall for cutting off an organization’s ability to function and respond.
A well-built organization does not allow SNMP access to its key network infrastructure from anywhere. Instead, it limits access, since SNMP is useful but not needed by most people in an organization to do their jobs. It has long been a best practice in network architecture to permit SNMP only from those locations that need it. But which locations are those, exactly? An organization responding to the “Shadow Broker” disclosures has to quickly understand where it allows SNMP, since those locations are the attack surface for the newly revealed exploits.
Finding Access to Firewalls
With RedSeal, it’s very easy to find out whether you are wide open to these SNMP attacks, and if not, to locate where you allow access.
Step 1: Bring up the Security Intelligence Center, using the yellow light bulb icon in the icon bar:
Step 2: On the left, under Source, click Select, then Browse, then All Subnets, then Replace. This sets the source for the query to “anywhere”. You should see this:
Step 3: On the right, under Destination, click Select, then Browse, and change the View to Primary Capability. Open the Firewall folder, like this:
Step 4: To start with, pick just one firewall – in this example, I’ll take the second one on the list, from Vienna. Hit Replace to add this to the query dialog.
Step 5: In the Protocols field, enter “udp” (without the quote marks) and in the Ports field, enter “161”. This is the port and protocol on which the SNMP agent on the firewall listens for requests, so it is the service an attacker has to reach; SNMP traps leave the device on udp/162 and are not the exposure in question here. The query dialog now looks like this:
Step 6: Click the Access button in the icon bar at the bottom. This will show you a table of all access to the given firewall – in this case, just one row:
Step 7: To see this visually, click “Show In Topo” at the bottom of this result. This will take you to the network map, and highlight where you have SNMP access to the firewall.
This is a “good” result. Only one location in the network can use SNMP to reach this firewall. There is still risk – it’s important to investigate any defects, vulnerabilities, or indicators of compromise from the source side of this arrow. But fundamentally, this firewall was secured following best practices – the total amount of the network that can access the SNMP management plane of this device is very limited.
However, in real world networks, the answer will often be messier. RedSeal recommends following the above steps for only one firewall at first, to look at the extent of SNMP access. If your organization shows a good result for the first few firewalls, this is reassuring, but can then lead to harder questions. For example, we can ask a much wider question, covering all the firewalls at once. This should only be attempted after looking at a few individual firewalls, since the full query can generate an overwhelming amount of data.
To ask this broader question, go back to step 4 – in the Security Intelligence Center dialog, click Select on the right, under Destination. Rather than picking one firewall off the list, we can select the folder of all firewalls, then click Replace. The query dialog now looks like this:
Even in a relatively small network, this generates a lot of information. We can look at the answer visually, using Show in Topo:
Clearly, this network has not followed the best practice design of limiting access to all firewalls. Each blue arrow represents some location that has access to a firewall over SNMP. It is not plausible that so many locations in this network need that access to perform their job functions. This network needs to focus on internal segmentation.
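The query above, and the best-practice rule it checks (SNMP permitted only from the locations that need it), can be expressed as a small reachability calculation. The following is an added example, not RedSeal code and not from the original post: it takes a constructed set of location subnets and, for each of three hypothetical firewalls, an ordered first-match management ACL with an implicit deny, and reports which locations contain at least one address permitted to udp/161. Earlier rules are subtracted from later permits, so a permit that is partly or fully shadowed by an earlier deny is evaluated exactly rather than by spot-checking one address.

```python
"""Added example (not RedSeal code): which locations can reach a firewall's SNMP agent?

Constructed data only. For each location subnet it asks the same question as the
'anywhere -> firewall, udp/161' query in the text: is ANY address in that location
permitted to udp/161 on the device, under an ordered first-match ACL with an implicit
deny at the end? Earlier rules are subtracted from the candidate address space, so
permits that are only partly shadowed are handled exactly.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network       # source prefix the rule matches
    proto: str             # "udp", "tcp" or "any"
    port: Optional[int]    # destination port, None = any port


def _applies(rule: Rule, proto: str, port: int) -> bool:
    return rule.proto in ("any", proto) and rule.port in (None, port)


def _intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """CIDR blocks either nest or are disjoint, so the intersection is the inner block."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _subtract(blocks: List[IPv4Network], cut: IPv4Network) -> List[IPv4Network]:
    """Remove every address of `cut` from the list of blocks."""
    out: List[IPv4Network] = []
    for blk in blocks:
        if blk.subnet_of(cut):          # fully shadowed, drop it
            continue
        if cut.subnet_of(blk):          # partly shadowed, keep the remainder
            out.extend(blk.address_exclude(cut))
        else:                           # disjoint, untouched
            out.append(blk)
    return out


def reachable(rules: List[Rule], location, proto: str = "udp", port: int = 161) -> bool:
    """True if some address in `location` is permitted to proto/port by first-match rules."""
    if isinstance(location, str):
        location = ip_network(location)
    for i, rule in enumerate(rules):
        if rule.action != "permit" or not _applies(rule, proto, port):
            continue
        candidate = _intersect(rule.src, location)
        if candidate is None:
            continue
        remaining = [candidate]
        for earlier in rules[:i]:       # traffic an earlier rule matches never reaches this one
            if _applies(earlier, proto, port):
                remaining = _subtract(remaining, earlier.src)
        if remaining:
            return True
    return False                        # implicit deny


def snmp_exposure(firewalls: Dict[str, List[Rule]], locations: Dict[str, str]) -> Dict[str, List[str]]:
    """Firewall name -> sorted names of locations that can reach its SNMP agent."""
    return {fw: sorted(name for name, net in locations.items() if reachable(rules, net))
            for fw, rules in firewalls.items()}


# Constructed locations and management ACLs; device and subnet names are hypothetical.
LOCATIONS = {
    "net-mgmt": "10.1.1.0/24",
    "corp-users": "10.20.0.0/16",
    "guest-wifi": "192.168.50.0/24",
    "dmz": "172.16.0.0/24",
}
# Best practice: only the management subnet, only SNMP, explicit deny for the rest.
VIENNA = [
    Rule("permit", ip_network("10.1.1.0/24"), "udp", 161),
    Rule("deny", ip_network("0.0.0.0/0"), "any", None),
]
# Common real-world mess: one subnet carved out, then everything permitted.
DALLAS = [
    Rule("deny", ip_network("10.20.5.0/24"), "udp", 161),
    Rule("permit", ip_network("0.0.0.0/0"), "any", None),
]
# Looks permissive, but the corp-users permit is fully shadowed by the deny above it.
LONDON = [
    Rule("deny", ip_network("10.20.0.0/16"), "udp", 161),
    Rule("permit", ip_network("10.20.0.0/16"), "udp", 161),
    Rule("permit", ip_network("10.1.1.0/24"), "udp", 161),
]
FIREWALLS = {"vienna-fw": VIENNA, "dallas-fw": DALLAS, "london-fw": LONDON}

if __name__ == "__main__":
    for fw, locs in snmp_exposure(FIREWALLS, LOCATIONS).items():
        verdict = "limited" if len(locs) <= 1 else "WIDE OPEN"
        print(f"{fw:10s} {verdict:10s} {locs}")
```

Running it reports vienna-fw and london-fw as reachable only from net-mgmt, and dallas-fw as reachable from all four locations: the "one arrow" and "many blue arrows" outcomes described above. The same check can be repeated with other ports (for example tcp/22 or tcp/443) to audit the rest of the management plane, since a firewall that is tight on SNMP but open on SSH is only half segmented.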
Checking Firewall Code Versions
As the various vendors release updates, it’s important to track whether you have firewalls that need to be updated urgently – especially those with very wide access. You can use RedSeal to generate a summary report on the types of firewalls you have, and which versions of software they are running. One way to report on firewalls by version is as follows:
Step 1: Open Reports tab, select Security Model in the left hand list of reporting areas.
Step 2: Click the + button to create a new report, and select a data type of Network Device
Step 3: On the first tab, name your report “Firewalls by OS” (without the quotes – or pick your own name for the report), like this:
Step 4: On the second tab (Fields), click Edit, select OS Version on the left list, and click Add to add it to the list of fields in the report. Click OK.
Step 5: Under Group Report By, change the grouping to “OS Version”
Step 6: Under Display Options, enter 10 in “Limit display of results to the first N rows”. (This is to abbreviate the report, at least initially. Some organizations have a great many firewalls, and the first thing to do is to figure out which OS versions you have, with a few listed examples, before digging through too large of an inventory report.)
By this point, tab 2 should look as follows:
Step 7: Change to tab 3, Filters, and under “Match All”, add a rule for “Primary Capability”, then “Is”, then “Firewall”, like this:
Step 8: Hit Save. The default choices on tabs 4 and 5 will work well here, to include some counts and a chart.
Step 9: On the Reports tab, run your new report by double-clicking the icon above “Firewalls by OS” (or whatever name you gave your report).
Your browser will pop up requesting log in (if you haven’t logged in previously), then will display a report summary chart like this:
You may want to focus first on the smaller bars – the unusual outliers in your network infrastructure. This is where overlooked problems – in this case, well down-rev firewall operating systems – can lurk. The report details will include a sample of the firewalls running each code image in your environment, like this:
As the firewall vendors move to produce new releases to close off these vulnerabilities, you can use a report like this to track how well your operational teams are deploying these important updates.
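The report configured in the steps above (filter to Primary Capability = Firewall, group by OS Version, limit the rows shown, read the small bars first) is simple enough to reproduce over an exported inventory. The following is an added example, not RedSeal code and not from the original post; the inventory, device names and version strings are constructed, and the `snmp_sources` field is assumed to carry the per-device count an access query like the one earlier in this post would produce. The last function goes one step further than the report and ranks the firewalls still on an unfixed release by that exposure count, which is the "very wide access" prioritisation the text asks for.

```python
"""Added example (not RedSeal code): a 'Firewalls by OS' summary over a constructed inventory.

It does what the report in the text does: keep only devices whose primary capability is
Firewall, group them by OS version with a small sample of names per version, and order the
versions rarest-first so the small bars (the outliers) get looked at first. update_priority()
then ranks firewalls still on an unfixed version by how many locations reach them over SNMP.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed inventory with hypothetical names and version strings. "snmp_sources" is the
# number of locations with udp/161 access to the device, as an access query would report it.
INVENTORY = [
    {"name": "vienna-fw", "capability": "Firewall", "os_version": "9.1.7", "snmp_sources": 1},
    {"name": "dallas-fw", "capability": "Firewall", "os_version": "9.1.7", "snmp_sources": 12},
    {"name": "london-fw", "capability": "Firewall", "os_version": "9.1.7", "snmp_sources": 1},
    {"name": "tokyo-fw", "capability": "Firewall", "os_version": "8.4.3", "snmp_sources": 7},
    {"name": "lab-fw", "capability": "Firewall", "os_version": "8.2.1", "snmp_sources": 30},
    {"name": "core-rtr1", "capability": "Router", "os_version": "15.2.4", "snmp_sources": 4},
    {"name": "edge-sw1", "capability": "Switch", "os_version": "15.0.2", "snmp_sources": 2},
]


def _firewalls(inventory: Iterable[dict]) -> List[dict]:
    """The report's filter: Primary Capability is Firewall."""
    return [d for d in inventory if d["capability"] == "Firewall"]


def firewalls_by_os(inventory: Iterable[dict], sample: int = 10) -> Dict[str, List[str]]:
    """OS version -> up to `sample` firewall names running it (the report's per-group detail)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for dev in _firewalls(inventory):
        groups[dev["os_version"]].append(dev["name"])
    return {ver: sorted(names)[:sample] for ver, names in groups.items()}


def version_counts(inventory: Iterable[dict]) -> List[Tuple[str, int]]:
    """(version, firewall count) pairs, rarest first: the outliers to investigate first."""
    counts = Counter(d["os_version"] for d in _firewalls(inventory))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def update_priority(inventory: Iterable[dict], fixed_versions: Iterable[str]) -> List[str]:
    """Firewalls not on a fixed release, widest SNMP exposure first.

    Fixed releases are matched by exact string on purpose: vendor version strings do not
    sort reliably as text, so compare against the list of fixed releases the vendor publishes.
    """
    fixed = set(fixed_versions)
    pending = [d for d in _firewalls(inventory) if d["os_version"] not in fixed]
    return [d["name"] for d in sorted(pending, key=lambda d: (-d["snmp_sources"], d["name"]))]


if __name__ == "__main__":
    for version, count in version_counts(INVENTORY):
        print(f"{version:8s} {count:3d}  sample: {firewalls_by_os(INVENTORY, sample=3)[version]}")
    # Hypothetical: assume the vendor has shipped a fix only in 9.1.7.
    print("update first:", update_priority(INVENTORY, {"9.1.7"}))
```

With the constructed data, the two single-device versions come out first in the summary, and lab-fw (old code, thirty locations with SNMP access) tops the update list ahead of tokyo-fw. Re-running the script as devices are upgraded gives the same progress view the text describes for tracking how well the operational teams are deploying the fix.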
Conclusions
The recently uncovered vulnerabilities, which appear to have been in use for many years, are further proof that we need to keep our houses in order. An organization with good discipline about internal segmentation, and a well separated network management infrastructure, has less to worry about from these revelations. But even that organization needs rapid ways to assess whether the discipline has really held up in practice. Are there gaps? If so, where? For the locations that do have SNMP access to firewalls, how easy are they for an attacker to break into first? All of these questions are easy to answer if you can analyze your as-built, rapidly evolving network infrastructure. RedSeal makes it easy to find those answers.
Using RedSeal to Understand Access to the “Shadow Broker” Firewall Vulnerabilities. By Dr. Mike Lloyd, CTO, RedSeal. Published 2016-08-18 15:19:29, updated 2018-08-14 08:59:42.
This is a contributed piece by Dr. Mike Lloyd, Chief Technology Officer of RedSeal
Cyberthreats continue to dominate the headlines and wreak havoc on corporate networks. There are now nearly one million new malware threats released every single day, according to recent reports. In a bid to stem the tide, several groups have announced programs to rate the cybersecurity of network-connectable products and systems.
A Cybersecurity Seal of Approval is Not Enough. By RedSeal. Published 2016-08-16 08:50:03, updated 2018-05-03 16:08:48.
WHAT: Black Hat is a technical and global information security event series that began in 1997. The events are held annually in the United States, Europe and Asia, and offer attendees the very latest in information security research, development and trends. This will be the 19th annual Black Hat USA, taking place in Las Vegas, Nevada.
WHY: Security professionals are tasked with building and monitoring networks that can withstand cyberattacks and quickly bounce back once their network is compromised. RedSeal executives can talk more about the overall move to “resilience” in the industry, which ensures organizations continue to operate effectively throughout cyberattacks/incidents to their resolution. They can also share insights on their recent 1H-2016 momentum – including 19 new customers in the first half of 2016 across government and commercial sectors. Today, digital resilience is an operational and strategic imperative.
WHEN: Wednesday, August 3, 2016 – Thursday, August 4, 2016
WHERE: Booth #774, Mandalay Bay Convention Center, Las Vegas, Nevada
About RedSeal: RedSeal puts power in decision makers’ hands with the essential cybersecurity analytics platform for building digitally resilient organizations. RedSeal’s Digital Resilience Score, modeled after a creditworthiness score, measures how prepared an organization is to respond to an incident and quickly rebound. The company’s platform adds value to existing network devices by working with them and building a network model. With this, customers can understand the state of their networks, measure resilience, verify compliance, and accelerate incident response. RedSeal’s customers are Global 2000 corporations and government agencies that depend on the most sophisticated security. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct sales and channel partner network.
About Black Hat: Black Hat is a technical and global information security event series. For more than 18 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.
RedSeal to Attend the Premier Technical Security Conference Black Hat USA. By RedSeal. Published 2016-08-02 05:00:51, updated 2016-08-01 16:06:18.
The trove of leaked Democratic National Committee emails posted to WikiLeaks on July 22 has sparked concerns about malware as users access the vast collection of documents.
WikiLeaks posted close to 20,000 emails and 8,000 attachments that were sent or received from top Democratic officials, appearing to suggest that the committee’s chairwoman, Rep. Debbie Wasserman Schultz, and others favored Hillary Clinton over Sen. Bernie Sanders during the party’s primary. The release forced the resignation of Wasserman Schultz.
On the day of the leak, Google’s Transparency Report warned users of dangerous downloads from Wikileaks.org.
The cost of cybersecurity has become a burdensome tax on business and with 1.5 million IT security jobs unfilled, US corporations are losing to sophisticated criminal gangs, said security experts at a recent event in San Francisco.
“Cyber is a tax on business. Jamie Dimon [JP Morgan Chase CEO] has had to double his cybersecurity budget to $500 million. Things can’t continue this way forever, we have to get ahead of the problem,” said Ray Rothrock, a veteran VC, now chairman and CEO of RedSeal, a startup that measures the effectiveness of enterprise security.
Cybersecurity is Becoming an Unsustainable Tax on Business. By RedSeal. Published 2016-07-28 11:46:44, updated 2018-05-03 16:08:49.
Cyber Analytics Company Expects to Reach Profitability in Second Half of Year
SUNNYVALE, Calif.— July 27, 2016 — RedSeal(redseal.net), the cybersecurity analytics company, today announced it reached break-even in the first half of 2016 and projects profitability in the second half of the year. Demand for RedSeal’s analytics platform is steadily growing as digital resilience and cyberattack preparedness become a strategic priority in the C-suites of global 2000 companies and government agencies.
“The C-Suite is asking for more comprehensive and measurable results from their security and network organizations. This requires new thinking—and new behavior to support that thinking—not just better prevention,” said Ray Rothrock, chairman and CEO of RedSeal. “RedSeal’s proven network resilience technology has been implemented by over 40 government agencies and hundreds of commercial enterprises. Digital resilience is the new watchword in cybersecurity and RedSeal provides an essential element of resilience.”
Highlights of the company’s first-half performance include a 70 percent increase in bookings and a 110 percent increase in revenue over the first half of 2015. RedSeal acquired 19 new customers in the first half of 2016 from across government and commercial sectors, including several multinational technology companies and media conglomerates, an international consumer packaged goods manufacturer, a national health insurance plan provider, and a branch of the U.S. Armed Forces.
RedSeal’s second half has begun on a strong note. The company just closed a $6.3 million contract—the largest in its history—with an existing customer that was using RedSeal in just one part of its organization. The results demonstrated so much value, in the form of insights and the ability to prioritize its cybersecurity initiatives, that the customer is expanding use of RedSeal across its entire $65 billion enterprise.
RedSeal grew its international presence in the first half of the year, opening new offices in Japan and Canada, and accelerating its international traction in government and commercial segments across the globe. Overall, the company has increased headcount by 30 percent since the beginning of 2016 and has doubled its headcount in EMEA. This global momentum demonstrates an increasing demand from the people who run networks for more complete information of their infrastructures, which helps them prioritize their security activities and thus remain resilient against evolving threats.
###
RedSeal Records Strong Growth, New Clients and International Expansion in First Half of 2016. By RedSeal. Published 2016-07-27 11:44:19, updated 2023-01-20 16:01:19.
As this is written, Debbie Wasserman Schultz, chairwoman of the Democratic National Committee, has resigned under pressure and effectively been forced off the stage of her party’s convention.
But the release of thousands of emails from the DNC showing how the party leadership conspired to keep Sen. Bernie Sanders from winning the presidential nomination is not all bad, because it revealed the fact that the breach took place.
DNC Email Scandal Shows What Must Be Done to Prevent Breaches, Leaks. By RedSeal. Published 2016-07-26 11:42:40, updated 2018-05-03 16:08:49.