The Real Reason for Breaches (and How to Avoid Them)

/by

Security is a tough job – we invest so much effort, and yet the breaches keep on happening.  Why?  In a word, complexity. 

The digital world brings so many great efficiencies and innovations – the pressure to move fast and exploit opportunities is irresistible to every organization.  But crossing all these online frontiers brings the unavoidable frontier challenges – lawlessness, chaos, and rapid change.  Security is easiest in mature, well understood, and above all, in simple infrastructures.  Every added bit of complexity and change moves away from security, and towards chaos.  The security professional has a thankless task – we cannot simply demand that our employers be more orderly or cease changing.  Instead, we have to adapt constantly, and try to keep up with all the new territory that is constantly opening up, with new threats and new ways to get it all wrong.

When you analyze any of the major breaches in detail, you find they are always multi-component – there is never just one simple, single cause.  Attackers are stealthy, persistent, and they move from one foothold to another.  This means that when a breach happens, it’s a system-level failure, not just one component that could have been isolated and fixed.  Worse, even if you put all your effort into fixing as many components as possible, you’ll never get to 100% secure and impervious to attack.  The bad guys will search and search for anything you missed, then exploit it, gain a new foothold, and work outwards from there.

Clearly, the road to security doesn’t come from finding and fixing everything – it’s impossible to fix every issue in your network today, and even if you could, there will be new defects tomorrow, because the rate of change is so high.  Instead, we have to learn to thrive in a world with inherent vulnerability, just the way animals and people do in the biological world.  Biological systems are resilient rather than perfectly protected – they can adapt and bounce back from infection, since Mother Nature long ago learned that blocking every pathogen just wasn’t going to work.  Of course, this doesn’t mean you should give up and just accept every possible attack – biological systems still aim to be hard targets, they just actively maintain an immune system so they can detect, isolate, and remove the inevitable successful attacks.

So the way forward is to find what you have, in the cloud and across your physical sites, see how it’s all connected, and understand where you can block incoming attacks, as well as thwart lateral movement for attackers who do make it past your defenses.  The first goal is a complete inventory – in itself, that’s a hard challenge because of the diverse and changing fabric we use to get the work done.  The second goal is to harden any assets that are exposed.  The third goal is based on recognizing that perfect hardening at step two won’t happen, so instead, it’s essential to understand what is connected to what, so that you can stay ahead of attacks and block them before they get a chance to spread.  This is why RedSeal focuses on these three disciplines – gather and map the network in all its hybrid complexity, then harden the individual elements, then help our customers conduct war games where they can think at a system level, and prioritize their defensive efforts to become a resilient hard target.

For further details on how RedSeal tackles cloud security, check out our solution brief: “Redseal Ensures Your Critical Cloud Resources Aren’t Exposed To The Internet”

Experts Warn of Attacks on a Cisco ASA Security Flaw due to a new Proof-of-Concept Exploit

/by

RedSeal Cyber Threat Series            

Researchers at Positive Technologies have created a proof-of-concept (PoC) exploit that leverages a 2020 Cisco ASA vulnerability. A Cisco administrator would have to click on a link that takes the unsuspecting user to a web page where the malware is downloaded and the Cisco ASA must not be patched. Cisco released a patch for a Medium Severity web services vulnerability that affects the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software CVE-2020-3580. This security flaw can allow an unauthenticated attacker to remotely conduct a cross site scripting (XSS) attack against a user of the web services interface.

Enterprises should patch their Cisco ASA Software and Firepower Software as soon as possible.  A successful attack could allow the attacker to execute code or access sensitive browser information.   

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

Cybersecurity Best Practices 

  • Keep your devices patched and up to date 
  • Ensure you are using TLS v1.2 or above; disable lower versions of TLS and HTTP 
  • Disable WebVPN or AnyConnect if not in use on your device  

References 

https://securityaffairs.co/wordpress/119442/hacking/cisco-asa-under-attack.html 

https://nvd.nist.gov/vuln/detail/CVE-2020-3580 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe   

Zero Trust Is Here to Stay, So How Can I Prepare My Network?

/by

Whether you agree or not with the concept–zero trust architecture is here for the foreseeable future.

Unless your organization is cloud-native, you are going to have to prepare to implement zero trust on your existing enterprise. If you are the one responsible for deploying and maintaining networks for the Federal government, zero trust is most likely at the top of your to-do list.

The President’s latest executive order, dated May 12, 2021, compels Federal agencies to move to zero trust architectures and adoption of cloud services. This is meant to modernize departmental and agency IT infrastructures, and the security technologies that protect them. However, Federal agencies are not cloud-native companies. Most have large on-premise networks that will need to have their networks inventoried, along with all their applications and services identified, prior to implementing zero trust. Like any good implementation strategy, you are going to have to plan.

Zero trust is not a destination, but a continuous journey that is going to require rigorous configuration management and continuous monitoring.  RedSeal is not a magic zero trust platform, but it can help you on your journey to prepare and maintain specific aspects.

One major step of this journey is just understanding what you have (network devices, mobile, desktops, IOT, etc.) and how your data moves through the network, as well as existing segmentation policies to comply with standards and regulations. One of the first steps in this journey will require enumeration of all the possible pathways, from every source to every destination, and you will have the challenge of also having to account for NAT IP address, along with load balancers. That is a daunting task by itself.

This is where the power of RedSeal’s Netmap analysis comes in. RedSeal automatically calculates every possible path through the network accounting for the effect of NATs and load balancing. Then you can ask RedSeal to show you these pathways to determine if they are approved and needed for business and mission success.

A side benefit of this analysis is RedSeal creates an inventory of all your network gear and IP space, as well as your cloud and software defined network (SDN) assets.  You cannot secure it if you do not know about it, and the output of RedSeal gives you a great start on understanding what you have.  Remember, with zero trust you are going to have to identify not only who, but what can, or should have access, so an inventory is an absolute must have.

As you move along this journey, and if your journey takes some, or most of your assets to the cloud, you can test the network segmentation of your cloud configuration in RedSeal before you deploy to the cloud to verify it is configured securely. Finally, RedSeal can continuously monitor your network segmentation and micro segmentation policies to make sure they stay compliant with your zero-trust architecture goals.

If you’d like to learn more about securing both your cloud and on-premise networks, visit our Cloud Security page.

We’ve also partnered with MeriTalk on a new infographic report on “Braving the Cloud Storm” – a look at how agencies are addressing cybersecurity across a multitude of clouds and on-premise environments.

Cloud Security Posture Management and RedSeal

/by

Pilots know that to fly safely means keeping track of the weather. They track storm fronts because that is where the turbulence is. Pilots lose their wings if they fly blindly into the air.

Gaps in your security posture are where the cyber storm fronts are. The cyber storm is both on-prem and in the cloud. To do your job correctly, you need to get an accurate forecast today of the cyber weather.

The rush to move assets into the cloud has created all sorts of new stormy weather to contend with.

Pilots and Weather

A nationally recognized financial institution, a large well-resourced company, did not check the security gaps and was caught off guard when Paige Thompson, former AWS software engineer, exploited a misconfigured web application firewall to access one of their servers. That server contained 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed number of customers’ personal information. Thompson then attempted to share access to the information with others online, per CNN.

Had the organization’s cyber team acted like safety-conscious pilots and checked the weather first, they would have noticed the misconfigurations before someone on the outside did.

So, what is the cyber equivalent of checking the weather?

Cloud Security Posture Management

Cloud security posture management (CSPM) automates the identification and remediation of risks across cloud infrastructures, including Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

Without CSPM, developers can create any number of instances in the cloud, and deploy them, with little oversight.

According to Threatpost, the team at Imperva created an internal compute instance that was misconfigured and publicly accessible. Worse, it had an AWS API key that enabled attackers to access a database snapshot and exfiltrate customer information.

It was reported that security researchers found MongoDB database, run by a vendor, that was left unprotected on a cloud server and contained 2.8 million CenturyLink data records belonging to several hundred thousand of the tech company’s customers.

Why? Most companies have a lack of central control and value speed over security.

If large companies like these are messing up the necessary security configurations in their cloud services, then medium and small sized firms are unquestionably doing the same thing, given their lack of resources.

How is the RedSeal Approach to CSPM Different?

The thing is, most enterprise networks are hybrid, spanning both public and private cloud environments along with physical network infrastructure. While you may have security tools for each environment, you probably cannot see how your whole network is woven together.

RedSeal’s cloud security solution is the only product that brings complex hybrid multi-cloud networks into one unified model. You’ll be able to understand all your network environments in one dynamic visualization, where your high-value assets are, and all the ways they are vulnerable to attack.

RedSeal shows you all possible network access — across, within and between public cloud, private cloud and physical network environments — whether the access is intended or not.

RedSeal allows SMBs to compete and defend themselves and overcome their lack of experience. The responsibility for security is different on different platforms, and smaller companies automatically assume that it has been taken care of, when it’s not. Moreover, different providers use different terminology for the same services.

You are only milliseconds away from the bad guy.

Pilots are grounded when they fly willy-nilly into a dangerous storm, if they are lucky enough to still be alive. Gaps in your security posture are the cyber storms you have to contend with and plan for. These storms are both on-prem and in the cloud. Today’s accurate forecast of the cyber weather comes from RedSeal.

Happy flying!

For more information, visit our page Understand Your Hybrid Multi-Cloud Network.

Old Fortinet Flaws are being used to breach federal and commercial networks

/by


RedSeal Cyber Threat Series            

The Federal Bureau of investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory warning that 3 Fortinet CVEs (CVE 2018-13379, CVE-2020-12812, and CVE-2019-5591) are being leveraged to gain a foothold in government agency and commercial networks to be exploited in the future. The FBI and CISA observed attackers scanning for ports 4443, 8443, and 10443.

Enterprises should immediately patch their FortiOS software and follow the recommended configuration guidance.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://www.ic3.gov/Media/News/2021/210402.pdf

https://www.fortiguard.com/psirt/FG-IR-19-283

https://www.fortiguard.com/psirt/FG-IR-18-384

https://www.fortiguard.com/psirt/FG-IR-19-037

https://kb.fortinet.com/kb/documentLink.do?externalID=FD49410

 

 

F5 Server iControl REST unauthenticated remote command execution vulnerability

/by

RedSeal Cyber Threat Series

F5 has released patches for several BIG-IP and BIG-IQ critical vulnerabilities. CVE-2021-22986 is the most critical since it allows unauthenticated attackers with network access to use the iControl REST interface, via the BIG-IP management interface and self IP addresses, to execute system commands that could lead to complete system compromise. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://support.f5.com/csp/article/K03009991

https://www.tenable.com/blog/cve-2021-22986-f5-patches-several-critical-vulnerabilities-in-big-ip-big-iq

 

Microsoft Releases Fixes for 4 Zero Day Exchange Server Vulnerabilities

/by

RedSeal Cyber Threat Series

Multiple news sources, security researchers and security agencies have reported on a new attack against tens, if not hundreds, of thousands of Internet accessible Exchange servers configured for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Outlook Web App (OWA) access. These attacks are being carried out by the China nation/state sponsored hacking group known as Hafnium.

The exploit utilizes 4 Zero Day vulnerabilities in Microsoft Exchange software, three in Exchange and one in Unified Messaging Services.

The four Zero Day Microsoft CVEs are as follows:
• CVE-2021-26855 – allows an attacker to send specific HTTP requests and authenticate to the Exchange Server
• CVE-2021-26857 – insecure deserialization in Unified Messaging allows remote code execution on Exchange sever
• CVE-2021-26858 – post authentication arbitrary file write vulnerability in Exchange
• CVE-2021-27065 – post authentication arbitrary file write vulnerability in Exchange

The result is a persistent web shell that allows attackers to steal data and perform other malicious actions.

RedSeal customers should:

1) Track the Hosts that the vulnerability scanner identifies as Exchange servers (this example was done with Rapid7 data).

2) Report to inventory the existence of hosts with any of the four vulnerabilities required for this exploit

3) Report on the access from subnets indicated as Internet to Exchange servers via TCP 443

4) -optional- Report on the access from ALL subnets to Exchange servers via TCP 443

All of these actions will be performed using the RedSeal Java UI.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:
https://cyber.dhs.gov/ed/21-02/

NSA publishes list of top vulnerabilities currently targeted by Chinese hackers

/by

RedSeal Cyber Threat Series

 

The U.S. National Security Agency published a report detailing the top 25 vulnerabilities consistently being scanned, targeted, and exploited by Chinese state-sponsored hacking groups.

All 25 vulnerabilities are known and have patches available from their vendors.

Exploits for many vulnerabilities are available publicly and have been used by various malware and ransomware groups and other nation-state actors.

The first three CVEs of this 25 that should be remediated — especially if open to an untrusted network — are:

  • Citrix Netscaler CVE-2019-19781
  • Windows RDP Exploit (aka Bluekeep) CVE-2019-0708
  • Windows Zerologon CVE-2020-1472)

RedSeal customers should:

 Create and run daily reports until all systems with the 25 vulnerabilities are patched.

 For additional details, contact your RedSeal sales representatives or email info@redseal.net

 References:

https://www.zdnet.com/article/nsa-publishes-list-of-top-25-vulnerabilities-currently-targeted-by-chinese-hackers/

 

Lessons for All of Us From the SolarWinds Orion Compromise

/by

All cybersecurity news events, like the recent disclosure of compromise involving SolarWinds Orion by APT 29, aka “Cozy Bear,” cause CISOs to ask the same initial questions:

  • Do I have this problem?
  • Where?
  • What are the consequences?

In this instance, the attack is extremely sophisticated, and quite alarming – it’s a supply chain attack, involving compromise of a widely used and trusted monitoring product.  This adds a lot of pressure to these questions.  As organizations are scrambling to respond, we wanted to publish some suggestions here, as a resource.  In discussions with our customers, many of whom have been impacted by this compromise, we find there is a common playbook, as follows:

  • Step 1: Do I have SolarWinds Orion?
  • Step 2: Where is it, in the context of my network?
  • Step 3: What is it capable of accessing or controlling?
  • Step 4: Fix Orion, or take it offline (if subject to the CISA Emergency Directive)
  • Step 5: Block unwanted access to or from SolarWinds Orion, to the extent possible
  • Step 6: For all assets SolarWinds could reach, reset them to known good state

This is an arduous journey. RedSeal can be one of your supporting resources. It is especially helpful in the middle stages – steps 2, 3, and 5 in the above playbook.

Specifically, for Step 2, a RedSeal network map can help you locate the hostnames or addresses of your SolarWinds Orion software.  One large customer of ours had well over 100 distinct addresses with this software installed. Your total is likely to be lower, but still may be more than just a single location.  Mapping out where they all are is a starting point, before heading in to the deeper stages.

Note also, in Step 2, that RedSeal’s L2 mapping capability may be helpful, since you can locate the nearest switch port to any given endpoint.  This may be helpful if you need to abruptly terminate network access, or decide to monitor span traffic closely.  (If you have not previously set up L2 mapping, we would not recommend this as a tactical step in your response, because the data gathering setup would take some time, but if you already have the data in place, this is a good time to use it, as an aid to shutting down any inappropriate activity.)

In Step 3, it’s important to know what a compromised instance of the monitoring product could reach.  Sadly, because this is a widely trusted product, whose whole purpose is to give you wide visibility, in most networks this turns out to be a large space.  We have had customer reports of a “blast radius” of endpoints well into 6 figures.  Figuring this out by hand is absurdly difficult – far better to automate the search.  In RedSeal, this involves an Access Query, from your SolarWinds Orion instances, out to the wider network.  Just be prepared – the query may be so large that RedSeal will prompt you to make sure you want that much data in one go.  If it’s not manageable, you may prefer to break the query into regions – “What can Orion reach in New York?”, or “in my Amazon fabric”, and so on.

For step 5, blocking unwanted access from SolarWinds Orion to the Internet, RedSeal’s capability to define Zones and Policies may be helpful.  As a first step, a Zone containing your SolarWinds Orion endpoints, and another Zone of Internet, can be used to investigate what access is already possible.  Unfortunately, this may be quite wide, since you may actively be using Orion to monitor cloud fabric and you may want to permit access for software updates (even though, ironically, this was the method originally used in the compromise – but subsequently addressed).  Still, before you can lock this down just to the access you feel is necessary, it can help to review what the current state is, and see what blanket restrictions might be possible, without removing any access pathways you need to keep open.

Hopefully this overview is of use, as a playbook of the common steps we are seeing.  If we can be of any assistance as you work through the cleanup of this incident, please don’t hesitate to get in touch.

Download: A step-by-step guide for using RedSeal to respond

RedSeal customers: Take advantage of our complimentary Sunburst Exposure Assessment.

Not a customer yet? Contact us at info@redseal.net to explore how we can help.

Supporting the DoD’s Defend Forward Initiative

/by

 

What is Defend Forward?

The DoD’s Defend Forward operational concept has been rolling out over the past few years. Policy makers and cyber defenders in government realized that, as the situation in Afghanistan led directly to the rise of Al-Qaeda and the 9-11 attacks, the situation in cyberspace was going to lead to crippling cyber-attack of similar power.

However, unlike Afghanistan, where a power vacuum was created by the withdrawal of the Soviet Union, the Internet was designed from the outset to be open. By design, there are no police; no organization with the authority with the power to punish bad actors. The cavalry are stuck in the fort.

Something had to change.

Cyber Protection Teams (CPTs) working at the Department of Defense (DOD) were restricted to preparing for and responding to attacks on their own network. Hacktivists, cyber criminals, and nation state adversaries were not restricted in the same way. This unequal playing field was addressed by removing the restriction on CPTs and allowing them to operate, if asked, in the networks of foreign countries. This new operational concept is called Defend Forward.

The goal of Defend Forward is to move out into cyberspace and inflict costs on bad actors, especially other nation states. As most adversary cyber teams tend to use and reuse the same tactics, techniques, and procedures (TTPs), finding malware on foreign networks and publicizing it forces those cyber attackers to create new methods. This takes time, effort and money. By shining a light on these playbooks, friendly nations, other parts of government and civilians will know what to look for, further disrupting cyber attacked operations. Lastly, this serves as a signal to enemies that we know about their procedures and puts them on the defensive.

 

How Do We Protect the Base?

While Defending Forward is off to a promising start, it is only a part of the ongoing cyber war. A “whole – nation” effort is needed –involving both government and industry. Only 10% of the critical infrastructure networks in the U.S. are controlled by our government. Industry needs to do its part and protect the home base.

We need to know our networks better than the attackers do. We need to make sure our networks are set up securely as we intended. We need to find and mitigate the highest risk issues first. Our complex networks make this very hard to do without technical support.

RedSeal’s cyber terrain analytics platform and professional services help all organizations improve their resilience to security events by understanding what’s on their networks, how it’s all connected, and the associated risk. RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. RedSeal continually checks to see if a network’s segmentation is working as designed, ranks end point vulnerabilities in order of risk, and adds knowledge of your network to determine how accessible the vulnerability is to untrusted networks and what it will expose if compromised.

Click here to view the webinar titled, “Defend Forward, But Protect Your Base” with Wayne Lloyd, RedSeal Federal CTO and Mike Lloyd, RedSeal CTO.

Contact us for more information about how RedSeal can help you support our cyber protection teams.