How Can We Vaccinate Our Networks?

Security Weekly | December 29, 2020

 

The news is flooded with updates regarding the COVID-19 vaccine.  Cyberattacks are targeting the vaccine supply chain.  Phishing attacks are exploiting sign-ups for the vaccine.  There are even attacks to get access to vaccine data.  Sounds a lot like our enterprises every day!  We’re all learning about human immunology from the headlines, but what are the equivalent defenses for our networks? How do we achieve resilience at scale, when we don’t really have a network immune system?

The List of Known SolarWinds Breach Victims Grows, as Do Attack Vectors

Data Center Knowledge | December 23, 2020

 

The SolarWinds breach story continues to get worse.

The list of known victims now includes US departments of Commerce, Defense, Energy, Homeland Security, State, the Treasury, and Health.

More worrisome for those responsible for cybersecurity at enterprise data centers, however, are the technology vendors that allowed the compromised SolarWinds Orion software into their environments.

Lessons for All of Us From the SolarWinds Orion Compromise

All cybersecurity news events, like the recent disclosure of compromise involving SolarWinds Orion by APT 29, aka “Cozy Bear,” cause CISOs to ask the same initial questions:

  • Do I have this problem?
  • Where?
  • What are the consequences?

In this instance, the attack is extremely sophisticated, and quite alarming – it’s a supply chain attack, involving compromise of a widely used and trusted monitoring product.  This adds a lot of pressure to these questions.  As organizations are scrambling to respond, we wanted to publish some suggestions here, as a resource.  In discussions with our customers, many of whom have been impacted by this compromise, we find there is a common playbook, as follows:

  • Step 1: Do I have SolarWinds Orion?
  • Step 2: Where is it, in the context of my network?
  • Step 3: What is it capable of accessing or controlling?
  • Step 4: Fix Orion, or take it offline (if subject to the CISA Emergency Directive)
  • Step 5: Block unwanted access to or from SolarWinds Orion, to the extent possible
  • Step 6: For all assets SolarWinds could reach, reset them to known good state

This is an arduous journey. RedSeal can be one of your supporting resources. It is especially helpful in the middle stages – steps 2, 3, and 5 in the above playbook.

Specifically, for Step 2, a RedSeal network map can help you locate the hostnames or addresses of your SolarWinds Orion software.  One large customer of ours had well over 100 distinct addresses with this software installed. Your total is likely to be lower, but still may be more than just a single location.  Mapping out where they all are is a starting point, before heading in to the deeper stages.

Note also, in Step 2, that RedSeal’s L2 mapping capability may be helpful, since you can locate the nearest switch port to any given endpoint.  This may be helpful if you need to abruptly terminate network access, or decide to monitor span traffic closely.  (If you have not previously set up L2 mapping, we would not recommend this as a tactical step in your response, because the data gathering setup would take some time, but if you already have the data in place, this is a good time to use it, as an aid to shutting down any inappropriate activity.)

In Step 3, it’s important to know what a compromised instance of the monitoring product could reach.  Sadly, because this is a widely trusted product, whose whole purpose is to give you wide visibility, in most networks this turns out to be a large space.  We have had customer reports of a “blast radius” of endpoints well into 6 figures.  Figuring this out by hand is absurdly difficult – far better to automate the search.  In RedSeal, this involves an Access Query, from your SolarWinds Orion instances, out to the wider network.  Just be prepared – the query may be so large that RedSeal will prompt you to make sure you want that much data in one go.  If it’s not manageable, you may prefer to break the query into regions – “What can Orion reach in New York?”, or “in my Amazon fabric”, and so on.

For step 5, blocking unwanted access from SolarWinds Orion to the Internet, RedSeal’s capability to define Zones and Policies may be helpful.  As a first step, a Zone containing your SolarWinds Orion endpoints, and another Zone of Internet, can be used to investigate what access is already possible.  Unfortunately, this may be quite wide, since you may actively be using Orion to monitor cloud fabric and you may want to permit access for software updates (even though, ironically, this was the method originally used in the compromise – but subsequently addressed).  Still, before you can lock this down just to the access you feel is necessary, it can help to review what the current state is, and see what blanket restrictions might be possible, without removing any access pathways you need to keep open.

Hopefully this overview is of use, as a playbook of the common steps we are seeing.  If we can be of any assistance as you work through the cleanup of this incident, please don’t hesitate to get in touch.

Download: A step-by-step guide for using RedSeal to respond

RedSeal customers: Take advantage of our complimentary Sunburst Exposure Assessment.

Not a customer yet? Contact us at info@redseal.net to explore how we can help.

Network Middle East: The Next Big Thing in Security

Network Middle East | December 2020 (Page 29)

Dr. Mike Lloyd, CTO at RedSeal, on “the next big thing in security”

We are in unprecedented times and no one can truly predict what lies ahead. What do we know is that threat actors are on the lookout for vulnerabilities and the sudden move to remote operations may have left loopholes that they can leverage. We sat down with security experts to understand how the security landscape may shape up next year.

Tool Sprawl – The Cybersecurity Challenge of 2021

Solutions Review | December 14, 2020

It’s not news that the pace of change in IT is extremely fast. What’s less well-known is the downside — tool sprawl. IT teams innovate at a breakneck pace, picking up whatever innovations suit their immediate needs. Security, in contrast, must protect the old applications that are still around, plus the new ones, plus the different platforms those new applications are built on. It creates a juggling challenge – how many different technologies can your security team juggle at once? If you have too many, how do you decide which are most important and which you must drop?

7 SecOps roles and responsibilities for the modern enterprise

SearchSecurity | December 7, 2020

Security operations, or SecOps, has had a direct, if increasingly challenging, mandate since the dawn of enterprise networking: detect, respond to, predict and prevent cyberattacks. But SecOps roles and responsibilities are shifting to accommodate growing interest in an offensive, rather than defensive, approach to cybersecurity. By staying ahead of threats and anticipating bad actors’ next moves, security leaders aim to thwart attacks before they happen.

Top 20 Predictions Of How AI Is Going To Improve Cybersecurity In 2021

Forbes | December 5, 2020

Bottom Line: In 2021, cybersecurity vendors will accelerate AI and machine learning app development to combine human and machine insights so they can out-innovate attackers intent on escalating an AI-based arms race.

UK tech skills gap to reduce as more Brits consider IT jobs

IT Pro | 4 November 2020

The UK’s tech skills gap is set to decrease as over half of workers are contemplating a career change into more tech-based roles, new research suggests.

A survey of over 2,000 professionals from CWJobs found that over half (55%) of non-tech workers are contemplating a career change.

What You Need to Know About CMMC Certification

Supply Chain Brain | October 7, 2020

As the Cybersecurity Maturity Model Certification (CMMC) nears full implementation, affected organizations are scurrying to ensure they’ll pass the certification process.

The goal is simple: organizations must meet minimum cybersecurity standards, and in doing so, they do their part to improve national security. The stakes are extraordinarily high for the estimated 300,000 defense industrial base (DIB) organizations which will soon need to be certified to one of the five CMMC levels to be eligible to be awarded a federal contract. Simply stated: no certification, no contract. From the perspective of the U.S. Government and the Department of Defense, the stakes have always been high since the DIB plays such a critical role in the defense of our nation. The only way to ensure the protection of our data and the integrity of the supply chain is to hold industry to a higher standard.

The Role of Cyber Hygiene in the COVID Crisis

Signal Magazine | October 7, 2020

By Ray Rothrock
Federal teleworkers need to know the cyber basics.

When it comes to nefarious deeds, the COVID-19 pandemic has been a gold mine for bad actors. In addition to wreaking havoc for individuals and healthcare organizations, federal agencies are also prime targets. Case in point: a portion of the Department of Health and Human Services’ (HHS) website was recently compromised, in what appears to be a part of an online COVID-19 disinformation campaign.

In a time of heightened cyber risk and limited human and fiscal resources, how can agencies protect their networks from malicious actors by taking a page from the COVID playbook? They can diligently practice good (cyber) hygiene.