System Security Planning with RedSeal

In high-security environments like the DoD and the Intelligence Community, the System Security Plan (SSP) is critical for ensuring that systems handle sensitive national security data appropriately. It helps in achieving and maintaining the authorization to operate (ATO), which is mandatory for systems that process, store, or transmit classified information. The SSP ensures all stakeholders are aware of the security features of the system and understand their responsibilities in maintaining its security integrity.

The SSP is not only a compliance document but also a dynamic tool used for ongoing security management and decision-making, essential for maintaining the stringent security requirements demanded by the DoD and Intelligence Community.

RedSeal plays a pivotal role in assisting Information System Security Officers (ISSOs) and Information Systems Security Managers (ISSMs) in creating and maintaining a System Security Plan (SSP) for the systems managed within high-security environments.

How RedSeal can contribute to each aspect of an SSP:

 

Step 1: System identification

RedSeal function: Provides detailed network mapping and visualization capabilities.

Benefit: Helps define the system boundary by identifying all network devices and connections, ensuring a comprehensive description of the system.

 

Step 2: System environment

RedSeal function: Models both the physical and virtual aspects of the network environment.

Benefit: Offers a clear view of how the system operates within its environment, including how data flows across the network and external interactions.

 

Step 3: Security requirements

RedSeal function: Integrates with compliance frameworks and checks against security policies.

Benefit: Ensures all security controls meet specific requirements outlined in relevant security standards and regulations.

 

Step 4: Security controls implementation

RedSeal function: Automatically maps and validates security controls against industry standards like NIST SP 800-53.

Benefit: Helps document the implementation details of each security control within the network, including configurations and the effectiveness.

 

Step 5: Roles & responsibilities

RedSeal function: Does not directly manage roles and responsibilities but provides documentation and reporting that supports role definition.

Benefit: Helps define the scope of responsibility for network security, detailing responsibility for managing and operating specific security controls.

 

Step 6: System interconnection

RedSeal function: Identifies and documents all network connections and interdependencies.

Benefit: Assists in accurately describing each interconnection, including security measures and data flow between systems.

 

Step 7: Security assessment & authorization

RedSeal function: Facilitates security assessments by providing comprehensive network visibility and risk analysis.

Benefit: Enhances the security assessment process, helping document current security state and changes needed for maintaining or obtaining ATO.

 

Step 8: Risk assessment results

RedSeal function: Conducts thorough risk assessments and prioritizes vulnerabilities.

Benefit: Provides detailed insights into potential risks, helping to document current risks and previous assessments in the SSP.

 

Step 9: Incident response plan

RedSeal function: Models potential attack paths and simulates breach scenarios.

Benefit: Supports development and documentation of system-specific incident response plans by identifying critical assets and potential attack vectors.

 

Step 10: Maintenance & continuous monitoring 

RedSeal function: Offers continuous monitoring of the network’s security posture and compliance status.

Benefit: Helps document the procedures and technologies used for continuous monitoring and maintenance of security controls, ensuring the SSP remains up-to-date with the actual security posture of the system.

 

RedSeal significantly streamlines the process of SSP development and maintenance by providing critical data, insights, and automation capabilities. This support not only enhances the accuracy and effectiveness of the SSP but also reduces the manual effort required from ISSOs and ISSMs, allowing organizations to focus more on strategic security management tasks.

Download our System Security Planning datasheet today.

Navigating the Authorization to Operate Process with RedSeal

The Authorization to Operate (ATO) is a critical component in the security architecture of the DoD and IC, ensuring that systems operate with a recognized and accepted level of risk. This process underscores the rigorous standards that these systems must meet to safeguard national security effectively. RedSeal can significantly assist system owners, Information System Security Officers (ISSOs), and Information Systems Security Managers (ISSMs) in obtaining and maintaining an Authorization to Operate (ATO) for systems within environments such as the Department of Defense (DoD) and the Intelligence Community (IC).

How RedSeal can support each phase of the ATO process:

 

Step 1: Preparation & categorization

RedSeal function: Assists in network discovery and asset identification, crucial for system categorization.

Benefit: Ensures the system categorization reflects the real operational environment, helping to select appropriate security controls.

 

Step 2: Segment & implementation

RedSeal function: Provides insights into network vulnerabilities and security gaps.

Benefit: Helps ensure the implemented controls are adequately addressing the identified risks, making the system more secure and compliant.

 

Step 3: Assessment of controls

RedSeal function: Facilitates continuous vulnerability assessments and compliance checks against security policies.

Benefit: Provides detailed documentation and reports that can be used during the security control assessment phase.

 

Step 4: Authorization decision

RedSeal function: Offers comprehensive security metrics and risk scores that summarize the security posture of the network.

Benefit: Enables AOs to make informed risk-based decisions regarding the ATO, supported by empirical data on the network’s security readiness.

 

Step 5: Continuous monitoring

RedSeal function: Continuously monitors the network for changes that might affect security postures.

Benefit: Helps maintain ongoing ATO compliance by ensuring that any changes or updates to the system do not introduce new risks.

 

Step 6: Incident response preparedness

RedSeal function: Simulates potential attack paths and prioritizes remediation efforts based on the risk to critical assets.

Benefit: Enhances the incident response strategy, which is a critical component of the continuous monitoring and operational resilience required for ATO maintenance.

 

Step 7: Reporting & documentation

RedSeal function: Generates detailed reports and visualizations of network compliance, security postures, and risk assessments.

Benefit: Reports are integral to the documentation required for ATO audits and reviews, providing clear evidence of compliance and proactive security management.

 

By leveraging RedSeal’s capabilities, system owners, ISSOs, and ISSMs can effectively manage the lifecycle of an ATO—from initial authorization through continuous compliance monitoring. RedSeal’s tools help streamline the process, reduce the complexity of compliance, and enhance the overall security posture of the systems, thereby supporting the critical requirements of ATO maintenance in high-security environments.

 

Download our Navigating the ATO Process datasheet today.

Cyber News Roundup for May 17, 2024

Welcome to our latest cybersecurity roundup. This week, we explore critical lessons from NERC’s GridEx VII exercise, the surge in Chinese-manufactured devices in US networks, increased OT attacks by Russia’s Sandworm group, a data breach disclosure by Dell, a gift card fraud warning from the FBI, and how solar storms impacted Midwest corn planting. We’ve compiled the latest headlines to keep you informed on pressing cybersecurity developments.

 

1. Lessons from NERC’s GridEx exercise

A report from NERC and the E-ISAC looks at lessons learned from the GridEx VII exercise, a simulated targeting of North America’s electric grid with cyber and physical attacks. The exercise, which was conducted over two days in November 2023, involved participants from the electric sector and the government, and was followed by an in-person meeting between industry executives and government leaders from the United States and Canada. Recommendations from the report include increasing resilience for communications systems essential for operating the grid, preparing for recovery from complex and prolonged power outages, and increased coordination efforts between non-federal government partners and electric utilities. (NERC)

 

2. Chinese-manufactured devices in US networks see a 41% YoY increase

A report from Forescout found that the number of Chinese-manufactured devices in US networks has increased 41% year-over-year, despite official bans by the US government. The report says, “Critical infrastructure organizations are among those that use the highest numbers of such devices and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year. One vertical of interest is the government where Hikvision and Dahua cameras, despite being banned, remain connected to networks. Other devices, including Yealink VoIP phones, are also present in the thousands.” The researchers note that vulnerable IP cameras often serve as initial access points to sensitive networks, and China-linked APTs have been known to exploit these devices in the past. (Forescout)

 

3. More OT attacks tied to Sandworm

Mandiant has published a report on the recent activities of Sandworm, a threat actor attributed to Russia’s GRU. Mandiant now tracks the group as “APT44,” and notes that “no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign.” The threat actor has a much broader focus than the war in Ukraine, however, and the researchers are tracking “operations from the group that are global in scope in key political, military, and economic hotspots for Russia.”

Mandiant’s report ties APT44 to several hacktivist groups that have claimed responsibility for attacks against OT systems in the United States and the European Union, including three water utilities in Texas, a wastewater treatment plant in Poland, and a hydroelectric dam in France. These attacks don’t seem to have had any serious effects, but the researchers note that “[c]ontinued advancements and in-the-wild use of the group’s disruptive and destructive capabilities has likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs.” Sandworm has been responsible for several damaging attacks in the past, including the 2017 NotPetya attack and the disruptions of Ukraine’s energy grid in 2015 and 2016. (Mandiant)

 

4. Dell discloses data breach

Dell has disclosed a breach involving customer names and home addresses, as well as “Dell hardware and order information, including service tag, item description, date of order, and related warranty information,” TechCrunch reports. The company didn’t provide information on how many customers were affected or how the data was breached. TechCrunch notes that a user posted on a dark web forum last month claiming to be selling 49 million customer records from Dell, including “information of systems purchased from Dell between 2017 and 2024.” (Techcrunch)

 

5. F5 Networks warns of new Big-IP vulnerabilities

The vulnerabilities, numbered CVE-2024-26026 and CVE-2024-21793, exist in the BIG-IP Next Central Manager (NCM), a single-pane-of-glass management and orchestration solution provided by F5. Discovered by a researcher at Eclypsium, the vulnerabilities can lead to device takeover via SQL injection and OData injection respectively. F5 suggests “restricting the management access to the impacted products to only trusted users and devices over a secure network.” (Security Affairs)

 

6. Gift card fraud ring targets retailers’ employees

A warning from the FBI regarding Storm-0539, a financially motivated hacking group that targets the mobile devices of retail department staff using a phishing kit that enables them to bypass multi-factor authentication. After stealing the login credentials of gift card department personnel, the group seeks out SSH passwords and keys, which along with employee PII can be sold online. They then use compromised employee accounts to generate fraudulent gift cards. (BleepingComputer)

 

7. Solar storms delay the planting of corn

And finally, last Friday we noted that coming solar storms had the potential to disrupt electronics here on planet Earth, including the electrical grid and GPS satellite signals.  Over the weekend, intense solar storms, the strongest since 2003, did indeed disrupt GPS systems crucial for self-driving tractors, causing some farmers in the Midwest to halt planting corn. This timing is critical as planting after May 15th can significantly reduce crop yields, according to the University of Nebraska-Lincoln. Farmer Tom Schwarz noted that the precision required for his organic farming is so high that only GPS can achieve the necessary accuracy. Additionally, farmers were warned that future tending to their crops based on GPS data gathered this past weekend would likely be inaccurate. The solar storms reached a G5 severity, indicating potential major impacts on power grids and communications, although significant disruptions were avoided. We had clouds here in the Baltimore area, so no northern light show for us, but some of our colleagues from the Boston area shared pictures that were spectacular. (The Verge)

 

8. Black Basta ransomware targets critical infrastructure entities

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory on the Black Basta ransomware-as-a-service operation, stating that BlackBasta affiliates have breached more than five hundred organizations since the ransomware surfaced in April 2022. The advisory notes that the threat actors “have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.” The agencies add, “Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.” CNN cites sources as saying a Black Basta affiliate was responsible for the attack against the Ascension healthcare network last week. (CISA, CNN)

 

9. CMMC is coming, but concerns for small businesses persist under revamped rule

The Cybersecurity Maturity Model Certification (CMMC) is being revamped and its implementation is imminent, but significant concerns remain for small businesses. The updated rules aim to improve the security of the defense supply chain by requiring contractors to meet specific cybersecurity standards. However, small businesses face challenges such as the high costs of compliance, resource constraints, and the need for technological upgrades. These challenges could be financially burdensome, requiring investments in cybersecurity infrastructure and training for employees. Additionally, small businesses may struggle to allocate the necessary resources to meet the new requirements. (Federal News Network)

 

10. A malicious Python package targets macOS users

A malicious Python package named ‘requests-darwin-lite’ on PyPI, mimicking the popular ‘requests’ library, targeted macOS devices using the Sliver C2 framework, a tool for gaining access to corporate networks. Discovered by Phylum, the attack included multiple obfuscation steps such as steganography within a PNG image to covertly install Sliver. The package has since been removed from PyPI following Phylum’s report. Sliver is known for its post-exploitation capabilities and has become a preferred tool for cybercriminals due to its effectiveness in simulating adversary actions and evading detection compared to other frameworks like Cobalt Strike. This recent incident underscores the ongoing rise in cybercriminal adoption of Sliver for targeting various platforms, including macOS.

Meanwhile, Apple has extended security updates to older iPhones and iPads, addressing a zero-day vulnerability initially patched in March for newer devices. This vulnerability, found in the iOS Kernel’s RTKit, could allow attackers to bypass kernel memory protections. Although the exploiters of this flaw and the specific nature of the attacks remain undisclosed, such iOS zero-days are often used in targeted state-sponsored spyware attacks. Devices including the iPhone 8, iPhone X, and various iPad models have received the patches. Users of these devices are strongly encouraged to update immediately to safeguard against potential exploits. (Bleepingcomputer)

 

11. A glimpse into Africa’s internet vulnerability

Early Sunday morning, several African countries experienced a severe internet outage caused by two severed undersea cables. The incident is under investigation but is suspected to have been caused by a ship anchor. The country recently experienced two similar disruptions including back in February,  when a ship’s anchor dragged through three cables in the Red Sea. Africa’s internet relies on a limited number of fragile undersea cables so when routes become unavailable, alternate pathways become jammed causing service slowdowns. Repairing damaged cables can take weeks due to requiring specialized skills and equipment and fair weather conditions. Progress toward improving Africa’s internet infrastructure challenges has been slowed by logistical and financial constraints. Experts say the problem needs to be solved through investment in diversified connectivity such as satellite internet links and vital communications infrastructure on the ground such as data centers and internet exchanges. (BBC)

 

12. Wichita ransomware attack resulted in data theft

The city of Wichita, Kansas has disclosed that the ransomware attack it sustained earlier this month led to the theft of personal and financial information. The city stated, “As part of our thorough review and assessment of this matter, we identified that certain files were copied from our computer network without permission between May 3 and 4, 2024. These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information.”The city added, “We identified that this matter is related to a recently disclosed security vulnerability that affects organizations throughout the world.” SecurityWeek reports that the LockBit ransomware gang has claimed responsibility for the attack.(SecurityWeek)

 

13. Turla Group looks to backdoor diplomatic missions

Researchers at ESET detailed how an unnamed European Monistry of Foreign Affairs saw three of its diplomatic missions in the Middle Easter targeted by two novel backdoors. ESET said it had medium confidence that the Russian-affiliated group Turla orchestrated the attack. The LunarWeb backdoor deployed on servers, while LunarMail targeted workstations as an Outlook add-in, communicating with C2 servers over email. LunarMail spreads through a spearphishing email with malicious Word doc attachments, while LunarWeb uses a compiled ASP.NET page to decode two embedded components in the attack chain. An analysis shows both being used in targeted attacks since 2020. (The Hacker News)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Navigating DoD’s Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) remains pivotal for defense contractors and entities handling Controlled Unclassified Information (CUI). A third-party assessment across five levels ensures enterprises security maturity, which is vital for safeguarding national interests. CMMC builds upon NIST SP 800-171 compliance, with 110 security controls established by SP 800-171 extending its scope and rigor.

The foundation of the 171 practices across 17 security domains is necessary to reach the highest level of CMMC. Each Request for Proposal (RFP) will state the level of certification required to be awarded the contract.

The Department of Defense (DoD) is progressing towards integrating CMMC into contracts, aiming for full implementation by 2025. The CMMC Accreditation Body oversees Third-Party Assessment Organizations (3PAOs) responsible for auditing. Certification is expected to be valid for three years and ongoing compliance with the specified level is necessary. For more information, visit U.S. Department of Defense.

Staying ahead with RedSeal

RedSeal’s military grade network exposure analytics platform helps automate or partially automate many of the controls required by CMMC. Many of these controls are tedious to complete and must be checked repeatedly at specific intervals determined by NIST 800-171. By continuously monitoring controls, RedSeal streamlines preparation for recertification audits, eliminating the need for your team to review tens of thousands of lines of firewall rules while sifting through hundreds of spreadsheets to access control lists and ensure compliance.

Through comprehensive and continuous inspection, RedSeal provides a risk-based audit of a network and continuously monitors its security posture. Operators and leadership can track trends in defensive operations over time using RedSeal’s Digital Resilience Score, which also measures vulnerability management, secure configuration management, and network understanding.

RedSeal’s platform visually represents what is on your network, how it’s connected, and the associated risk. With RedSeal, you can visualize end-to-end access, both intended and unintended, between any two points of the network, accelerating incident response.

This visualization includes detailed access and attack paths for individual devices in the context of exploitable vulnerabilities, aiding decision-making during missions.

RedSeal builds a complete model of your network—including cloud, SDN and physical environments— using configuration files retrieved dynamically or offline. It brings in vulnerability and all available endpoint information, enabling your teams to validate that network segmentation is in place and configured as intended.

RedSeal checks all devices for compliance with industry best practices and standards such as DISA STIGs and NIST guidelines. This proactive automation significantly reduces audit preparation time (including CCRI and others) and assists with speedy remediation.

Achieving CMMC basics

RedSeal can support organizations through each level of CMMC 2.0. Below is an outline of where organizations may fall within the Proposed Rule:

  • Level 3: Highest level, for requirements with elevated security concerns, particularly to address the risk of an Advanced Persistent Threat.
  • Level 2: One step below Level 3, will operate where most contractors burdened by DFARS 252.204-7012 have been required to operate.
  • Level 1: A new requirement imposed upon contractors that may not have started their cybersecurity journey, will be assessed against an organization’s ability to properly safeguard Federal Contract Information (“FCI”).

As outlined by McCarter & English, specific CMMC Levels requirements can be found on THIS informational piece. RedSeal provides the DoD—as well as commercial, civilian, intelligence organizations—with real-time understanding and a model of their cyber terrain so they can discover, detect, analyze and mitigate threats and deliver resilience to the mission.

 

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

Cyber News Roundup for May 9, 2024

Cuckoo malware, a paralyzed city of Wichita, and early cybersecurity preparations for the upcoming Olympics made headlines this week. RedSeal is here to keep you informed and equipped to fortify your cyber defenses in an ever-evolving digital landscape.

 

1. Cuckoo malware targets macOS systems

Cybersecurity researchers at Kandji have identified a new malware called Cuckoo targeting Apple macOS systems. It’s designed as a universal Mach-O binary, compatible with both Intel and ARM-based Macs, and found on websites offering music ripping and MP3 conversion tools. Cuckoo establishes persistence via a LaunchAgent and employs a locale check to avoid execution in Russia or Ukraine. It tricks users into providing system passwords through fake password prompts for escalated privileges and performs extensive data harvesting. This includes capturing hardware information, running processes, installed apps, screenshots, and sensitive data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and various applications like Discord and Steam. The associated malicious application bundles are signed with a valid developer ID. (Kandji)

 

2. Secretary of State Blinken is set to unveil a new international cybersecurity strategy at the RSA Conference in San Francisco

The Biden administration is set to introduce a new international cybersecurity strategy, marking the first U.S. global cyber strategy in over a decade, aimed at bolstering global cooperation against cyber threats. Secretary of State Antony Blinken will unveil the strategy at the RSA Conference in San Francisco. This strategic plan targets enhancing cybersecurity through four main pillars: establishing a secure digital ecosystem, promoting rights-respecting digital technology with allies, forming coalitions against cyberattacks, and boosting cybersecurity resilience among partner nations. A key element of this strategy is the allocation of $50 million to the newly formed Cyberspace and Digital Connectivity fund, aimed at supporting cybersecurity improvements in allied countries.

Additionally, the strategy emphasizes a proactive role in cyber diplomacy at the United Nations and seeks to develop global norms for emerging technologies like artificial intelligence (AI). The U.S. aims to foster international consensus on AI usage and cyber conduct. The strategy’s implementation is considered urgent, with efforts intensifying in the months leading up to the November presidential election, reflecting the need for consistent U.S. leadership in global cybersecurity irrespective of potential administration changes. (Politico)

 

3. Chinese-linked ArcaneDoor targets global network infrastructure

A new cyber espionage campaign named ArcaneDoor, potentially linked to Chinese actors, has targeted network devices from vendors like Cisco, starting in July 2023 with the first attack detected in January 2024, according Censys. The attacks involved custom malware, Line Runner and Line Dancer, and exploited patched vulnerabilities in Cisco Adaptive Security Appliances. The findings indicate the involvement of a China-based threat actor, given that key infrastructure used SSL certificates linked to Chinese networks and hosted services related to anti-censorship tools. (The Hacker News)

 

4. Largest city in Kansas paralyzed by ransomware attack

Another city government faces the implications of a ransomware attack. The city of Wichita, Kansas was forced to shut down portions of its network over the weekend after its IT systems were encrypted with ransomware. Bleeping Computer reports: payment systems for city water, court citations, and tickets are down. There is no additional information regarding whether any information was compromised or which ransomware group has claimed responsibility for the attack. (Bleeping Computer)

 

5. Microsoft warns Android developers to steer clear of the Dirty Stream

Microsoft has issued a warning to Android app users and developers about a new attack method called Dirty Stream, which exploits a path traversal vulnerability within Android’s content provider component, particularly the ‘FileProvider’ class. This vulnerability can lead to the takeover of apps and theft of sensitive data. Notably affected are popular apps like Xiaomi File Manager and WPS Office, which together boast over 1.5 billion installs. The vulnerability has been identified in applications totaling four billion installations and could potentially be present in other apps. Dirty Stream allows malicious apps to overwrite files in another app’s directory, facilitating arbitrary code execution and token theft. This can give attackers complete control over the app and access to user accounts. Microsoft has informed affected developers, who have patched their apps, and urges all developers to review their apps for this security flaw. Google has also published guidance for developers on handling this issue. (Security Week)

 

6. French cybersecurity teams prepare for “unprecedented” Olympic threat

Jérémy Couture, who is in charge of the cybersecurity hub for the event being held in Paris in July, says his goal is to have his team’s activities perceived as a “non-event” by successfully fending off attacks from nation state actors, hacktivists, thrill seekers, and everyone else. He adds that it’s not just the games themselves that need protecting, but also the infrastructure that supports them, such as transport networks and supply chains. Russia, which is banned from these games, is of particular focus, but, officials state, they are looking at everything. (Security Week)

 

7. Ascension health system disrupted by cyberattack

 US health system Ascension has sustained a cyberattack that disrupted some of its systems, the Record reports. The organization, which runs 140 hospitals across the country, stated, “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.” The nonprofit is working with Mandiant to respond to the incident. (The Record)

 

8. Mobile medical provider DocGo discloses data breach

Mobile health service provider DocGo has disclosed a cyberattack that led to the theft of patient health information, BleepingComputer reports. The company stated in an SEC filing, “Promptly after detecting unauthorized activity, the Company took steps to contain and respond to the incident, including launching an investigation, with assistance from leading third-party cybersecurity experts, and notifying relevant law enforcement. As part of its investigation, the Company has determined that the threat actor accessed and acquired data, including certain protected health information, from a limited number of healthcare records within the Company’s U.S.-based ambulance transportation business, and that no other business lines have been involved.”(Bleepingcomputer)

 

9. MedStar Health sustains breach

Maryland-based healthcare organization MedStar Health sustained a data breach affecting more than 183,000 patients, the Record reports. A hacker gained access to the data through email accounts belonging to three MedStar employees. The threat actor was able to access “patients’ names, mailing addresses, dates of birth, date(s) of service, provider name(s), and/or health insurance information.”The company said in a breach notification, “Patients whose information may have been involved are encouraged to review statements they receive related to their healthcare. If they identify anything unusual related to the healthcare services or the charges for services, they should contact the healthcare entity or health insurer immediately.” (The Record, MedStar Health)

 

10. US indicts LockBit ransomware ringleader

On Tuesday, the U.S. Department of Justice (DoJ) charged the mastermind behind the notorious LockBit ransomware-as-a-service (RaaS) operation. The DoJ unmasked 31-year-old Russian National, Dimitry Yuryevich Khoroshev (also known as LockBitSupp, LockBit, and putinkrab) in a 26-count indictment that includes charges of fraud, extortion, and damaging protected computers. The charges carry a combined maximum penalty of 185 years in prison. Khoroshev is accused of designing LockBit, recruiting affiliates and maintaining LockBit’s infrastructure and leak site. Khoroshev allegedly received over $100 million in proceeds from the ransom payments. The US is offering a reward of up to $10 million for information leading to Khoroshev’s arrest. Sanctions were also announced on Tuesday by the United Kingdom and Australia. (SecurityWeek)

 

11. CISA is moving the needle on vulnerability remediation

CISA launched its Ransomware Vulnerability Warning Pilot in January 2023, and issued 1,754  warning notices to entities with vulnerable internet-accessible devices in its first year. The agency said that nearly half (for a total of 852) of these notifications resulted in organizations either patching, briefly taking systems offline to fix the issue, or otherwise mitigating exploitable flaws. The pilot program is set to launch as a fully automated warning system by the end of next year.

Another CISA-led initiative called Known Exploited Vulnerabilities (KEV), which the agency introduced in 2021, is also speeding up vuln remediation times. The KEV is designed to notify government agencies and enterprises of high-risk threats in the wild. Bitsight reported that critical KEVs are remediated 2.6 times faster than a non-KEV threats, while high-severity KEVs are fixed 1.8 times faster. Non-profits and NGOs are the slowest to remediate, while tech companies and insurance and financial firms are the fastest.(The Register and Dark Reading)

 

12. Lockbit takes credit for Wichita attack

The pernicious ransomware organization added the city of Wichita to its leak site, giving officials until May 15th to pay an unspecified ransom. We previously covered the city’s announcement of the attack over the weekend. In the wake of the attack, city officials say it can only accept cash or checks for all city services, although the city will not shut off water services as a result until regular payment methods come back online. This attack also comes on the heels of the US law enforcement agencies publicly naming the suspected leader of LockBit, Dmitry Khoroshev. (The Record)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Cyber News Roundup for May 2, 2024

From sophisticated cyberattacks crippling essential infrastructure to stealthy botnet discoveries and revelations about data breaches, this week’s roundup has something for all. Join us as we delve into the latest stories surrounding cyber warfare, emerging threats, and innovative defense strategies.

RedSeal is here to keep you informed and equipped to fortify your cyber defenses in an ever-evolving digital landscape.

 

1.  A crucial Kansas City weather and traffic system is disabled by a cyberattack

Last week, the Kansas City Scout System, a crucial bi-state traffic and weather management tool operated by the Departments of Transportation in Missouri and Kansas, was disabled by a cyberattack. This outage occurred during a weekend of severe storms, posing significant risks as the system displays real-time weather and traffic updates on highway signs and through its app and website. Following the attack, all systems, including traffic cameras and message boards, were shut down as a protective measure by the IT team. Restoration efforts are underway, but there is no specified timeline for when services will resume. The disruption has raised concerns about the inability to communicate urgent weather warnings to drivers, complicating safety measures during a critical time. (The Record)

 

2. Muddling Meerkat uses China’s Great Firewall to manipulate DNS queries

Infoblox has published a report on “Muddling Meerkat,” a suspected Chinese government threat actor that uses China’s Great Firewall (GFW) to generate fake DNS Mail Exchange (MX) records. The group’s motivations are unclear. Infoblox explains, “The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses. This behavior, never published before, differs from the standard behavior of the GFW. These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW. However, unlike the known behavior of the GFW, Muddling Meerkat MX responses include not IPv4 addresses but properly formatted MX resource records instead. This feature is truly remarkable and largely inexplicable.”

The researchers speculate that Muddling Meerkat may be pre-positioning for future DDoS attacks, creating DNS noise to cover up malicious activity, or simply conducting internet mapping and research. Renée Burton, Vice President of Threat Intelligence at Infoblox, concludes in a blog post, “In my professional experience, I have found Chinese threat actors to be extremely adept at managing, understanding, and leveraging the DNS for many purposes—whether that be censorship, cybercrime, or DDoS attacks. They also have some of the finest researchers in the field. Whatever the real goal of Muddling Meerkat is, we should not underestimate the talent and patience required to achieve it.” (Infoblox)

 

3. Marriott backtracks claims of encryption protection

Marriott is trying to sweep some new revelations about a 2018 breach under the rug. According to CSO Online, the hotel conglomerate has defended itself after a massive data breach, arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. It turns out, however, that the company had never used any encryption at the time but had instead implemented a hashing mechanism. Regarding the part about wanting to sweep this whole ‘miscommunication’ under the rug, Marriott has not released any updates about the misrepresentation. Instead, it has added a couple of sentences to an old article that is more than five years old. An impact statement from 2018 reveals that Marriott believes the information of approximately 500 million guests was impacted. (CSO)(Marriott Statement- 2018)

 

4. Massive malware campaigns infect Docker Hub

Researchers at JFrog have identified that around 20% of the 15 million Docker Hub repositories hosted malicious content, including malware and phishing sites. They discovered nearly 4.6 million repositories lacking actual Docker images, with 2.81 million linked to three major malicious campaigns initiated since early 2021. These campaigns employed various strategies, such as batch creation of fake repositories and SEO manipulation, to distribute harmful software. One prominent campaign, active in 2021 and 2023, utilized a generic Trojan to push malware through fake installation dialogs, potentially as part of a larger adware or monetization operation targeting compromised systems. (Bleeping Computer)

 

5. New vulnerabilities are found in Intel processors

Researchers from multiple universities, including UC San Diego and Purdue, along with industry partners such as Google, have discovered two new types of cyberattacks targeting the conditional branch predictor in Intel processors. These attacks, detailed in their upcoming presentation at the 2024 ACM ASPLOS Conference, exploit the Path History Register—a feature that tracks the order and addresses of branches, revealing more precise information than previous methods. The attacks allow for an unprecedented level of control and data extraction from affected processors, posing potential risks to billions of devices. These findings have prompted Intel and AMD to issue security advisories. The research showcases the ability to manipulate processor behaviors, potentially exposing confidential data through sophisticated techniques that outpace existing security measures. (Helpnet Security)

 

6. Researchers discover a stealthy botnet-as-a-service coming from China

A comprehensive botnet-as-a-service network originating from China has been identified by researchers at EPCyber. It features multiple domains, over 20 active Telegram groups, and using domestic communication channels. This infrastructure supports a botnet capable of launching coordinated attacks, including denial-of-service (DDoS) strikes that can incapacitate systems despite advanced DDoS protections from services like CloudFlare. The botnet’s efficacy in bypassing current defenses poses significant threats. Particularly at risk are European companies, as attackers target their domain names, potentially redirecting users to harmful sites. This highlights vulnerabilities in the Domain Name System (DNS), underscoring the urgent need for robust DNS security to protect online operations and maintain customer trust. (GBHackers)

 

7. US Department of Defense launches CORA program

The US Department of Defense Information Network, part of the Joint Force Headquarters, on March 1st launched its Cyber Operational Readiness Assessment (CORA) program following a successful nine-month pilot phase. Air Force Lieutenant General Robert Skinner, commander of the Joint Force Headquarters DoD Information Network, stated, “CORA is a vital aspect of continually understanding our cyber readiness through fusing many risk factors including access control, detecting anomalies, adjusting to adversary threat information and executing cyber orders. Ultimately, the assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture enabling greater command and control and enhancing decision making.” (US DOD)

 

8. Anti Ukraine hack exploits seven-year-old Microsoft Office vulnerability

According to security experts at Deep Instinct Threat Lab, a recent campaign targeting Ukraine used a Microsoft Office vulnerability to deploy Cobalt Strike. In this case it was a malicious PowerPoint Slideshow PPSX file. Its filename included the word signal and made it look like it was shared through the Signal app. It was based on an outdated U.S. Army manual for tank mine clearing blades. The payload included a DLL file that injects the post-exploitation tool Cobalt Strike Beacon into memory and awaits commands from the C2 server. Threat actors used a cracked version of Cobalt Strike. The researchers could not attribute the attacks to a known threat actor. (Security Affairs)

 

9. Russia-linked APT group uses GooseEgg to exploit Windows Print Spooler flaw

According to Microsoft, APT28 group who we also know as Fancybear and Strontium, has been exploiting a Windows Print Spooler flaw with the CVE code 2022-38028 using a previously unknown tool called GooseEgg. This has been going on since at least June 2020. GooseEgg modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. APT28 has been seen using GooseEgg activities against targets, including government, education, and transportation sector organizations in Ukraine, Western Europe, and North America. (Security Affairs)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Cyber News Roundup for April 26, 2024

Welcome to our Cyber News Roundup, your go-to source for staying informed about the ever-evolving world of cybersecurity. Staying ahead of the curve is more crucial than ever as cyber threats continue to evolve and adapt at an unprecedented pace.

Each week, we’ll share a curated selection of top stories from around the globe. Whether you’re a seasoned cybersecurity professional, a business owner looking to safeguard your digital assets, or simply someone interested in staying informed about online security issues, our roundup has something for you.

Our team of cybersecurity experts sifts through the noise to deliver concise summaries on the latest in cybersecurity, empowering you to make informed decisions and strengthen your cyber defenses.

 

1. Frontier Communications discloses cyberattack 

US telecom provider Frontier Communications disclosed in an SEC filing yesterday that the company sustained a cyberattack on Sunday, Dark Reading reports. The attack resulted in the theft of personally identifiable information and caused the company to shut down some of its systems. The nature of the attack wasn’t disclosed, but SecurityWeek notes that Frontier’s response to the incident suggests that ransomware was involved. Frontier says it believes “the third party was likely a cybercrime group.” The company added, “As of the date of this filing, the Company believes it has contained the incident and has restored its core information technology environment and is in the process of restoring normal business operations.” (SecurityWeek)

 

2. Texas town repels water system cyberattack by unplugging 

In the face of a cyberattack reportedly linked to Russia that targeted the water system of a small Texan city, one notable action taken was the decision to physically unplug computers from the network. This move, while seemingly simple, played a crucial role in mitigating the impact of the attack and preventing further infiltration into the city’s critical infrastructure. (Bloomberg)

 

3. MITRE’s breach was through Ivanti zero-day vulnerabilities 

The MITRE Corporation is a not-for-profit organization that oversees federally funded research. In a blog post released on Friday the organization stated that it had been breached and reconnoitered by nation-state hackers in January. The group exploited one of its VPNs through two vulnerabilities in Ivanti Connect Secure. In the blog post, MITRE explained that the hackers used a “combination of sophisticated backdoors and webshells to move laterally and harvest credentials.” The organization said, “it followed advice from the government and Ivanti to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure,” adding, “at the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.” (The Record and MITRE blog post

 

4. SafeBreach researchers disclose vulnerabilities in Windows Defender that allow remote file deletion

At the Black Hat Asia conference, SafeBreach cybersecurity researchers Tomer Bar and Shmuel Cohen disclosed vulnerabilities in Windows Defender that allow remote file deletion on Windows and Linux servers, risking data loss and system instability. By inducing false positives in security systems, they demonstrated the potential to bypass security controls and delete crucial files without authentication. The researchers developed a Python tool to discover unique byte signatures in Endpoint Detection and Response (EDR) systems, exploiting these for remote deletions of significant files, including Windows event logs and Microsoft’s own detection logs. Despite Microsoft’s attempt to fix the vulnerability, SafeBreach found the patch partially effective, leaving some attack vectors open and discovering another vulnerability as a bypass. Microsoft acknowledged the findings, implementing measures to minimize false positives and allowing configurations to quarantine remediation actions by default. (GBHackers)

 

5. The White House and HHS update HIPAA rules to protect private medical data

The Biden administration introduced new rules on Monday aimed at protecting the privacy of abortion providers and patients from conservative legal challenges. These regulations, updated by the Department of Health and Human Services (HHS), prohibit healthcare providers, insurers, and related entities from disclosing health information to state officials involved in investigating or prosecuting patients or providers related to abortion services. The updates to the Health Insurance Portability and Accountability Act (HIPAA), originally established in 1996, now address modern challenges in reproductive rights, particularly for those seeking legal abortions across state lines or under special circumstances like rape. These changes, set to take effect in two months, come amid significant concerns about the misuse of private medical data in the charged post-Dobbs legal environment. The new rule also mandates that any requests for health information related to reproductive health must be formally declared as unrelated to criminal investigations or legal actions. (The Record)

 

6. TikTok ban passes the US House

The bill passed as part of a larger foreign aid package by a vote of 360-58. THe House passed a similar standalone TikTok ban last month by a vote of 362-65, but that currently sits stalled in the Senate. Due to the new bill’s ties to allies in Ukraine and Israel, the Senate will likely vote on it much faster. Senate Commerce Committee Chair Maria Cantwell already signed her support of the legislation. The new bill gives ByteDance potentially up to a year to divest of TikTok prior to a formal ban, up from six months laid out in the earlier bill. If it passes the Senate as-is, President Biden already signaled he would sign it into law. (The Verge)

 

7. CrushFTP exposes system files

Security researcher Simon Garrelou reported a vulnerability in the CrushFTP service. All versions of CrushFPT under 11.1 contain the flaw, which for virtual file system escape and access to full system files. CrowdStrike reports seeing the flaw under active exploitation “in a targeted fashion.” CrowdStrike’s intelligence report indicates these attacks represent politically motivated recognizance. CrushFTP released a patch for the flaw, available through its dashboard. (Infosecurity Magazine)

 

8. Medical diagnostic services disrupted by ransomware

The medical diagnostic and testing services provider Synlab Italia announced it suffered a security breach on April 18th. It took all IT systems offline including email and suspended medical services. This impacted 380 labs and medical centers across Italy. It did not impact the rest of the Synlab group, which operates in 29 other countries. Synlab Italia did not confirm if it lost patient data in the attack. No word on any group taking responsibility for the attack. (Bleeping Computer)

 

9. ArcaneDoor hackers exploit Cisco zero-days to breach govt networks

Hackers utilizing previously undiscovered vulnerabilities in Cisco’s firewall products, executed a sophisticated campaign targeting government entities worldwide. Dubbed ArcaneDoor, this operation has been active since November 2023, and is linked to the threat groups UAT4356 and STORM-1849. These groups deployed custom malware for espionage, leading Cisco to issue urgent advisories for updating affected devices to mitigate risks. (Bleepingcomputer)

 

10. Siemens working to fix device affected by Palo Alto firewall bug

Siemens is rushing to fix a bug we reported last week on Cyber Security Headlines, that is affecting its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) virtual next-gen firewalls. The bug in question is a maximum severity zero-day command injection vulnerability (identified as CVE-2024-3400) that affects multiple versions of PAN-OS. Palo Alto said a growing number of attacks are leveraging public proof-of-concept exploit code to deploy a novel Python backdoor. Siemens’ advisory references Palo Alto’s recommendation to disable GlobalProtect gateway and GlobalProtect portal, which they point out are disabled by default in Ruggedcom APE1808 deployments. (Dark Reading)

 

11. Russian hackers claim cyberattack on Indiana water plant

Over the weekend, the threat actor known as the Cyber Army of Russia posted a video on its Telegram channel showing how they hacked systems of the Tipton Wastewater Treatment Plant. Tipton provides the city of Tipton and surrounding areas with electric power, water, and wastewater collection and treatment. An Indiana official confirmed that the plant suffered a cyberattack on Friday evening. Tipton’s general manager, Jim Ankrum, said, “TMU experienced minimal disruption and remained operational at all times.” Security research firm Mandiant recently reported that the Cyber Army of Russia has ties to the Russian state actor, Sandworm, which was responsible for a separate attack on a water facility in Muleshoe, Texas that caused a tank to overflow. (The Record)

 

12. Siemens working to fix device affected by Palo Alto firewall bug

Siemens is rushing to fix a bug we reported last week on Cyber Security Headlines, that is affecting its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) virtual next-gen firewalls. The bug in question is a maximum severity zero-day command injection vulnerability (identified as CVE-2024-3400) that affects multiple versions of PAN-OS. Palo Alto said a growing number of attacks are leveraging public proof-of-concept exploit code to deploy a novel Python backdoor. Siemens’ advisory references Palo Alto’s recommendation to disable GlobalProtect gateway and GlobalProtect portal, which they point out are disabled by default in Ruggedcom APE1808 deployments. (Dark Reading)

 

13. Russian hackers claim cyberattack on Indiana water plant

Over the weekend, the threat actor known as the Cyber Army of Russia posted a video on its Telegram channel showing how they hacked systems of the Tipton Wastewater Treatment Plant. Tipton provides the city of Tipton and surrounding areas with electric power, water, and wastewater collection and treatment. An Indiana official confirmed that the plant suffered a cyberattack on Friday evening. Tipton’s general manager, Jim Ankrum, said, “TMU experienced minimal disruption and remained operational at all times.” Security research firm Mandiant recently reported that the Cyber Army of Russia has ties to the Russian state actor, Sandworm, which was responsible for a separate attack on a water facility in Muleshoe, Texas that caused a tank to overflow. (The Record)

 

14. ArcaneDoor hackers exploit Cisco zero-days to breach government networks

Hackers utilizing previously undiscovered vulnerabilities in Cisco’s firewall products, executed a sophisticated campaign targeting government entities worldwide. Dubbed ArcaneDoor, this operation has been active since November 2023, and is linked to the threat groups UAT4356 and STORM-1849. These groups deployed custom malware for espionage, leading Cisco to issue urgent advisories for updating affected devices to mitigate risks. (Bleepingcomputer)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

From Reactive to Proactive: Transforming Healthcare Cybersecurity Post-Change Healthcare Attack

Change Healthcare, a major player in the healthcare technology sector, fell victim to a ransomware attack in February and is quickly heading towards a billion dollars in loss. The breach disrupted its operations and potentially compromised sensitive patient data. The attackers, ALPHV, also known as BlackCat and Noberus, exploited vulnerabilities in the company’s IT infrastructure, likely through phishing emails or other means, to gain unauthorized access to their systems. This breach not only posed a significant threat to patient privacy but also raised concerns about the integrity of healthcare data and the reliability of essential services.

In the landscape of healthcare, where interconnected IT, operational technology (OT), and Internet of Things (IoT) networks are the norm, it’s inhumanly difficult to understand the whole attack surface.  This is why experts and regulators advise adopting a proactive approach to security with best practices including segmentation – keep separate things apart, so that an attacker cannot easily spread from one place to another.  Defenders of healthcare networks need automated assessment of their defensive posture, to uncover gaps and ensure good hygiene ahead of the next attack.

Healthcare administrators must fortify network infrastructure with stringent policies, including robust password enforcement, firewall configurations, and access controls. Vigilant monitoring and configuration of all connected devices, from medical equipment to personal devices, are imperative. Employing strong encryption further enhances data security, deterring cyber intrusions.

Another best practice is implementing a framework such as NIST and MITRE ATT&CK as part of your comprehensive cyberdefense efforts. Take for example another high-growth healthcare organization. Managing 20,000 clinicians and 150,000 medical devices, taking a proactive approach to network visibility and vulnerability prioritization is critical. As cyberattacks have become more sophisticated, healthcare organizations must be proactive and adopt best practices to, as this health system’s cybersecurity expert put it, “prepare the battle space.” In addition to having a dynamic map of their environment, the health system relies on the MITRE ATT&CK (adversarial tactics, techniques, and common knowledge) framework, a comprehensive knowledge base that gives security personnel key insights into attacker behavior and techniques, to help it prevent potential attacks and keep patient information, payment information, and other key data secure.

Click here to read the full case study

Regular attack surface scans are essential for proactive risk mitigation, providing crucial insights for informed decision-making in cybersecurity strategy development. Prioritizing rigorous testing of all software and device updates is crucial to preempt vulnerabilities.

Secure your healthcare network comprehensively with RedSeal. Our network exposure analytics platform offers dynamic visualization of network ecosystems, empowering organizations to identify and address vulnerabilities efficiently. Partnering with leading infrastructure suppliers, we deliver unparalleled network security solutions and professional services, ensuring robust protection against evolving threats.

Reach out to RedSeal or schedule a demo today.

Tales from the Trenches: “Is that what you’re going to say to the auditor?”

Today’s tale from the trench is brought to you by Brad Schwab, Senior Security Solutions Consultant.

 

In the high-stakes world of security operations, one question looms larger than most: Are you sure you’re scanning the entire network? It seems straightforward, but for any team dealing with a network of significant scale, answering this question can be a daunting task.

During a pivotal meeting with stakeholders of a large health organization, the focus was squarely on the performance and security of the network. As discussions turned to the scanning program, the head of security operations confidently outlined the procedures in place to ensure comprehensive scanning—scanning that covered the entire network. Wait, scanning that covered the entire network? This is when my skepticism crept in.

“How do you know you’re scanning the entire network?” I interjected, addressing the elephant in the room. The head of security operations deflected to the head of network operations, claiming his assurance. “[Head of network operations] said I could…” she asserted.

Turning to the head of network operations, I couldn’t resist a quip: “Is that what you’re going to say to the auditor? ‘He said I could’?” Though we shared a solid working relationship, I couldn’t let such a critical issue slide with mere assurance. And it was clear that the others in the room shared my same concerns.

With a blend of humor and seriousness, I delved into the complexities and uncertainties inherent in ensuring comprehensive network scanning. Questions rained down from the attendees, making it clear that a deeper exploration of their scanning protocols was necessary to instill confidence in the organization’s security measures. I began to outline critical considerations:

  • Does the scanner have a complete list of all IP space on the network that needs scanned?
  • Are there any overlapping subnets? If so, that overlapped portion of a subnet is not visible to the scanner, thus, creating a possible hiding place for a bad actor.
  • Is there a duplicate IP space in the network? This creates blind spots to any scanner.
  • And finally, the hard part of the answer, does the scanner have logical access to the entire network? Even if the scanner is trying to scan a network subnet, if the network architecture via Access Control Lists and Routing is blocking the access or not granting the access, the scan won’t be complete. On top of that, you will get no indication from the scanner that the scan didn’t work.

Beyond the logical access issue, no one had thought about the other issues. I then explained how RedSeal automatically looks for subnets that have no scan data, thus possibly not part of the IP list giving to the scanner. Also, overlapping subnets and colliding IP space is revealed as a RedSeal finding. Finally, I also explained how a RedSeal Access Query combined with our “show what is missing” feature can give you a list of everything that the scanner can’t reach because of network architecture.

I ended my explanation with “these features will give you comprehensive documentation of complete scanner coverage for your upcoming audit(s)…”

After less than a few days of work, we had provided a list to both network operations and security operations of additions and changes required by both teams to make their vulnerability program complete.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

 

 

The Critical Role of Network Security in Zero Trust

The National Security Agency’s (NSA) Cybersecurity Information Sheet (CIS) entitled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar” outlines how organizations can enhance their network security within the Zero Trust model. This involves leveraging advanced cybersecurity strategies to mitigate risks of lateral movement by malicious actors within networks.

In a recent SCmagazine article, the creator of the Zero Trust concept, John Kindervag, pointed out the industry’s current overemphasis on identity management, cautioning against neglecting network security’s critical role. This viewpoint complements the NSA’s guidance on implementing Zero Trust within the network and environment pillar, underscoring the need for a balanced approach that values both identity and network infrastructure. Kindervag’s insights advocate for not only recognizing the network as a foundational component of Zero Trust, but also actively engaging in strategies like data flow mapping, macro- and micro-segmentation, as well as leveraging software-defined networking (SDN) for enhanced security measures​​. This balanced focus ensures a comprehensive and resilient Zero Trust model, and RedSeal can address those network-related challenges effectively.

RedSeal can play a crucial role in implementing these strategies:

  • Data Flow Mapping: RedSeal’s capabilities in mapping the network and understanding how data moves across it align with the document’s emphasis on understanding data flow to identify and secure unprotected data flows. RedSeal can help organizations visualize their network paths and flows, which is foundational for recommended effective segmentation and isolation strategies.
  • Macro Segmentation: RedSeal’s Zones and Policies feature directly supports the concept of macro-segmentation, which is about segmenting the network into different security zones to control access and movement between them. By defining and enforcing network policies, RedSeal can help prevent unauthorized access between different parts of the network, such as between departments or between the IT environment and operational technology systems.
  • Micro Segmentation: While the document discusses micro-segmentation’s role in further reducing the attack surface within network segments, RedSeal’s detailed network models and policy management can assist in the detailed enforcement of policies that control access to resources within these segments. RedSeal’s analytical capabilities can help identify where micro-segmentation can be most effectively applied and help manage the policies that enforce this segmentation.
  • Software-Defined Networking (SDN): Although RedSeal itself is not an SDN solution, its network modeling and risk assessment capabilities are complementary to SDN’s dynamic and adaptable network management. RedSeal can enhance SDN implementations by providing a detailed understanding of the network structure and potential vulnerabilities, thereby aiding in the creation of more effective SDN policies.

RedSeal can significantly aid an organization’s efforts to advance its Zero Trust maturity, particularly within the network and environment pillar outlined in the NSA document. By providing detailed network visibility, facilitating effective macro- and micro-segmentation and complementing SDN strategies, RedSeal helps limit potential attack surfaces, enhances network security posture, and supports continuous verification of all elements within the network environment.

You can find out more by getting a demo of RedSeal and attend one of our monthly free Cyber Threat Hunt workshops.