What is XDR?

Defining the Value in Security’s Hottest Buzzword


Ever watch the old ’80s cartoon the Smurfs? If you did, you may recall a quirky pattern in Smurf language, where everyday adjectives, verbs, and nouns were replaced by the word smurf: “I smurfed into the smurf for a smurf!” It’s a fun word, but without context, the word smurf means everything—which ultimately makes it mean nothing. In cybersecurity, we’re doing the same thing with XDR.

With tech acronyms growing exponentially, anytime we use a new acronym in cybersecurity, we should do our best to explain it clearly. We already have EDR, SIEM, SOAR, and NDR, to name a few, and as I walked the RSA Conference floor earlier this year, it looked like the acronym XDR was everywhere. The term is applied to many products and features in a vague, high-level fashion, making it truly hard to understand what it means. I feel really smurfed out thinking about it.

Defining Extended Detection and Response (XDR)

Extended detection and response (XDR) is a security solution based on the concept of bringing data from multiple sources, including machine data, log data, and network data, into a single, unified stream and correlating and analyzing it there.

The concept leans on the Gartner-coined SOC visibility triad, which advocates for the use of SIEM, EDR, and NDR solutions to close visibility gaps and enable effective response times and investigations by using diverse data sources. The SOC visibility triad offers comprehensive security, but can also create data silos, which XDR—at least in theory—aims to solve.

The Reality of How XDR Works

XDR is typically marketed as a single tool that encompasses SIEM, EDR, and NDR capabilities—but this definition hinges on the belief in a perfect security system across all data sources that detects and responds to any threat from anywhere, in any environment.

The reality of XDR typically goes one of two ways. Either security organizations scrambling for the top of the security solution food chain repackage any expanded detection capability as XDR to jump on the trend, or the product genuinely offers aspects of SIEM, EDR, and NDR but hands control to a single vendor.

The first pitfall isn’t exclusive to XDR. Throughout my career, I have seen vendors chase the latest buzzword. For example: When NDR first hit the scene, a number of products claimed NDR capabilities, despite offering nothing more than the top websites visited and basic NetFlow data. Similarly, the offerings under the XDR umbrella vary widely in the depth of capabilities. The XDR label has allowed even the most basic solutions to try to capitalize on the halo-effect of the buzzword du jour without making the corresponding product investments necessary to make those claims a reality.

The second pitfall is more faithful to the promise of XDR, but risks serious shortcomings in other areas. Single-vendor solutions fail by diluting their offerings across the security spectrum. All too often, when a security vendor attempts to build solutions beyond its core competencies, it spreads precious development resources thin. The end result is underwhelming solutions. There are of course occasional exceptions: companies that acquire leaders in other security categories for integration into their product framework (such as SIEM and firewall vendors purchasing SOAR solutions) can do so more effectively, but customers can still lose flexibility if they get locked into products with limited integrations.

Rethinking the Value in XDR

The underlying concept of XDR is a solid reminder to look deeper and ask, ‘what’s out there that could help me be more secure?’ The ideology behind XDR is to make siloed tools and systems work together to solve the security challenges of your organization. Separate the concept of XDR from a single product, and it starts to make more sense.

I think of effective XDR as a philosophy or a strategy and not a product or solution. That philosophy is to integrate (when possible) disparate data sources to identify and investigate more threats in a simplified way.

The goal of XDR is to make security teams more effective at securing their organizations. The reality of defending against today’s threat landscape requires a massive amount of data from logs, packets, agents, instrumentation, and telemetry. These requirements are outpacing most security organizations’ ability to effectively process this massive amount of data. If we subscribe to XDR as a philosophy we can evaluate solutions based on their ability to correlate and help us understand and effectively use massive amounts of data from disparate sources.

Evaluating Strategic XDR Solutions

We should be critical but open-minded to the possibilities of purpose-built, turn-key integrations that qualify as strategic XDR. Talk is cheap; anyone can write up a one-pager claiming smurftacular capabilities, but a real-world proof of concept of each XDR competency (firewalls, NDR, SIEM, and EDR), including the fidelity of the purpose-built integrations, will separate the hype from reality. This will allow anyone purchasing an XDR solution to make an informed decision.

The Future of XDR?

If nothing else, XDR should make you look at your framework and systems and ask, ‘what can be done better?’ The XDR concept can be used as a catalyst to examine and challenge the effectiveness of our current security toolsets: It reminds us to push forward and challenge ourselves in our current frameworks and beliefs on what is secure. The concept also asks vendors to do more to collaborate on high-fidelity integrations that support the common goal of stopping advanced threats.

I believe that ultimately the concept of XDR will push the industry forward on new innovations and challenges once competing security vendors work together to offer the integrations security teams need—we just need the hype train to leave Smurf Station and arrive in the world of reality.

SentinelOne Debuts at the Top of MITRE Engenuity ATT&CK® Deception Evaluation. See Why.

Released May 25, 2022, MITRE Engenuity ATT&CK® Evaluation Trials – Deception is an inaugural evaluation that expands the ATT&CK Evaluations landscape to evaluate vendors on their deception capabilities. The evaluation can dramatically increase analyst confidence in detection via high fidelity tripwires, causing the adversary to waste time, money, or capability, and potentially provide vendors critical new insights into adversary behavior.

What Did the ATT&CK Deception Evaluation Consist Of?

For this evaluation, MITRE chose to emulate the APT29 threat group. APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. The evaluation seeks to answer two questions:

  1. Did the adversary encounter the deception? (Observe)
  2. Did the adversary engage with the deception? (Engage)

  • Observe: Determining whether the adversary encountered deception is straightforward. The evaluation runs the adversary technique and records whether the outcome differs from the same scenario run without deception deployed. For the Observe portion of the evaluation, the MITRE Engenuity team did not interact with the deception.
  • Engage: In order to fully capture the value of the vendor participants’ products, the MITRE Engenuity team executed a modified scripted plan that allowed deeper interaction with the deceptions. In the Engage portion of the evaluation, the red team would go off-script and interact with a deception if one was present. When the red team engaged, they would exhaust all interactions before returning to the script.

How Did SentinelOne Perform on the ATT&CK Deception Evaluation?

As evidenced by the results of all four years of the ATT&CK Enterprise Evaluations, the SentinelOne Singularity XDR platform already excels at visibility and detection. With SentinelOne’s Hologram deception solution, tested in this evaluation, SentinelOne also protects the enterprise against sophisticated identity-based attacks.

According to MITRE Engenuity’s published results, SentinelOne observed and/or engaged with most detections, identifying 17 unique techniques, including 11 techniques that targeted identities specifically. SentinelOne’s Singularity XDR platform – and specifically its Hologram deception technology – was recognized for its ability to:

  1. Deliver Real-time Protection Against Active Directory (AD) Compromise.
     A security compromise of AD can undermine the integrity of the entire enterprise, enabling adversaries to steal credentials and gain access to critical systems.

     SentinelOne protects AD privileged credentials from theft by hiding them from attackers and replacing them with decoys. During the MITRE Deception evaluation, when the MITRE red team tried to get access to the system to obtain account information and credentials (T1033, T1082, T1087), the solution returned decoy credentials to them every time.

     Console output showing the attempted credential enumeration

     This enables the security team to protect in real time against advanced attacks targeting Active Directory.

  2. Mislead Attackers To Protect Critical Assets With Data Cloaking.
     Attackers steal and destroy information as part of their attacks, whether they seek to move deeper into the network or hold data for ransom. Preventing them from seeing or accessing local file and account information can prevent lateral movement, discovery, and data theft or destruction.

     SentinelOne steers adversaries away by misdirection, showing decoys indistinguishable from production assets. During the MITRE Deception evaluation, when the red team tried to monitor system activity and queried for the computer name, SentinelOne reported the decoy hostname “Newburgh” instead of the actual hostname “Utica” (T1082). When the red team tried to manipulate the software and engage with the file by browsing to it, SentinelOne hid the file from the directory listing (T1560).

     Console output showing the attempted discovery activities

     By preventing attackers from seeing or exploiting critical data, organizations can disrupt discovery or lateral movement activities and limit the damage from ransomware attacks.

  3. Stop Lateral Movement and Privilege Escalation By Preventing Pass-The-Ticket Attacks.
     Pass-The-Ticket attacks, such as a Golden Ticket attack or a Silver Ticket attack, are powerful techniques adversaries employ for post-exploitation lateral movement and privilege escalation. Using these techniques, attackers can gain unlimited access to any endpoint or service on the network, potentially causing catastrophic consequences.

     During the MITRE Deception Evaluation, when the red team created a ticket, the terminal output of klist reported no cached tickets. SentinelOne detected a Kerberos attack and hid the contents of the klist command from the output (T1550).

     Console output showing the Pass-the-Ticket attack attempt

     SentinelOne denied the red team the use of the Golden Ticket, even though Mimikatz generated and loaded it successfully. SentinelOne detects forged Kerberos Golden and Silver tickets and prevents lateral movement and privilege escalation when the red team uses the forged Kerberos tickets.

  4. Maximize Security Insight Into the Adversary Behavior.
     SentinelOne’s deception technology not only serves to detect and respond to active attackers in a customer environment but also to inform and strengthen security programs in the longer term. By misdirecting attacks using SentinelOne, defenders can gain ingestible, actionable TTP information and high-confidence, substantiated attack forensics that can support investigations and develop threat intelligence. SentinelOne even lets you visualize attacks, see how they progressed over time, and map their associated events to the MITRE ATT&CK D3FEND™ matrix.
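The tripwire idea behind the decoy credentials and the decoy hostname described above can be shown as the detection logic a SOC would run over its own logon telemetry. What follows is an added example, not SentinelOne’s or MITRE’s code: it assumes a deception layer has planted decoy account names and a decoy host name (every name, event ID field and sample event below is constructed), and it treats any authentication attempt that references one of them as a high-fidelity alert, because no legitimate user or process ever authenticates with bait.

```python
"""Decoy-credential and decoy-host tripwire detector (added example, hypothetical).

A deception layer hands out decoy account names and a decoy hostname; because
no legitimate process ever authenticates with them, a single sighting in the
Windows Security log is a high-fidelity alert rather than a statistical anomaly.
All account names, hostnames and events below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed decoy identities planted by the (hypothetical) deception layer.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_helpdesk", "sql_srv_adm"}
DECOY_HOSTS = {"newburgh"}  # the page's decoy hostname, reused here as sample data

# Windows Security event IDs that carry an account and a target host:
# 4624 successful logon, 4625 failed logon, 4768 Kerberos TGT request.
LOGON_EVENT_IDS = {4624, 4625, 4768}


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    account: str
    source_host: str
    target_host: str
    event_id: int


def _norm(value) -> str:
    """Lower-case a field so matching is case-insensitive, as AD names are."""
    return str(value or "").lower()


def classify(event: Dict) -> Optional[Alert]:
    """Return an Alert if a logon-class event touches a decoy account or decoy host."""
    if event.get("event_id") not in LOGON_EVENT_IDS:
        return None
    account = _norm(event.get("target_user"))
    target = _norm(event.get("target_host"))
    common = dict(account=event.get("target_user", ""), source_host=event.get("source_host", ""),
                  target_host=event.get("target_host", ""), event_id=event["event_id"])
    if account in DECOY_ACCOUNTS:
        # Credentials that only exist as bait were harvested and replayed.
        return Alert("critical", "decoy credential used for authentication", **common)
    if target in DECOY_HOSTS:
        # A host that only exists in cloaked discovery output was contacted.
        return Alert("high", "authentication attempt against decoy host", **common)
    return None


def detect_decoy_use(events: Iterable[Dict]) -> List[Alert]:
    """Run the tripwire over a stream of logon events, preserving their order."""
    return [a for a in map(classify, events) if a is not None]


# Constructed sample telemetry: one normal logon, two decoy-credential uses,
# one contact with the decoy host, and one non-logon event that is ignored.
SAMPLE_EVENTS = [
    {"event_id": 4624, "target_user": "alice", "source_host": "WS01", "target_host": "WS01"},
    {"event_id": 4625, "target_user": "svc_backup_admin", "source_host": "WS01", "target_host": "DC01"},
    {"event_id": 4768, "target_user": "DA_Helpdesk", "source_host": "WS07", "target_host": "DC01"},
    {"event_id": 4624, "target_user": "bob", "source_host": "WS07", "target_host": "Newburgh"},
    {"event_id": 4688, "target_user": "svc_backup_admin", "source_host": "WS07", "target_host": "WS07"},
]

if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}: {alert.account} "
              f"{alert.source_host}->{alert.target_host} (event {alert.event_id})")
```

The point of the design is that the rule needs no baseline and no tuning: the decoy names are the whole signature, so the only engineering work is keeping the decoy list in sync with what the deception layer actually plants and making sure failed logons (4625) and ticket requests (4768) are collected, not just successes.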

Mapping to MITRE Engage Matrix

The MITRE Engage Matrix is a framework for planning and discussing adversary engagement operations that empower organizations to engage their adversaries and achieve their cybersecurity goals. MITRE Engage seeks to help defenders by lowering the barrier to entry while raising the ceiling of expertise to use adversary engagement technologies. SentinelOne provides the most extensive capabilities to implement the activities outlined in the Engage Matrix, covering 38 of the 41 areas in the Operations phase.

Why SentinelOne? Why Should It Matter To You?

Top Coverage for Both Enterprise ATT&CK + Deception ATT&CK Frameworks

As a leader across MITRE Enterprise ATT&CK Evaluations for the third consecutive year and a leader in the inaugural MITRE ATT&CK Deception Evaluation Trial, SentinelOne once again demonstrates its commitment to pushing the boundaries to help enterprises gain control of their dynamic attack surface.

As the first and only XDR vendor to participate in and lead the ATT&CK Deception Evaluation, SentinelOne demonstrates with the Singularity XDR platform the most powerful, autonomous XDR platform, reducing the enterprise attack surface across human, device, and cloud attack surfaces. The solution provides an effective combination of prevention, protection, detection, and deception capabilities to stop attackers early, whether they are attempting to establish a beachhead inside the network or compromising identity data to move laterally, escalate privileges, and acquire targets.

SentinelOne is an enthusiastic supporter of what MITRE does in bringing transparent and open evaluation methodologies to the security industry, and participating in all the evaluations has become an essential practice that we use to improve our products further.

To learn more about SentinelOne’s results on the ATT&CK® Deception Evaluations, visit https://www.sentinelone.com/lp/mitre-deception/

To learn more about SentinelOne’s results on the fourth round of ATT&CK® Enterprise Evaluations, visit: https://www.sentinelone.com/lp/mitre/.

How to Stay Ahead of the Adversary in 2022 | A Cybersecurity Checklist

Rarely a week passes by without news of another company being breached, a ransomware attack crippling critical infrastructure, or a data loss event causing millions to suffer a loss of privacy. On the other hand, these same organizations are trying as hard as they can to safeguard their customers, their data and their reputations. So what is missing? Is it a gap in technology? Is it about strengthening policies and procedures? Is it simply “the cost of doing business” – an inevitable outcome of the way we work and trade today?

In this post, I will share a few of the main reasons why we are where we are, and provide some simple steps for enterprises to take to change this paradigm.

Top 5 Trends That Increase Cyber Security Risk in 2022

There are a vast number of threats and threat actors out there, and their numbers are only growing. This expansion reflects a number of major technological shifts in recent years that have contributed to the changing threat landscape.

1. Increasing Discovery of Software Vulnerabilities

Vulnerability hunting has hit the big-time in recent years, thanks in large part to the popularity of bug bounty programs and “hacker” platforms that reward researchers and share knowledge. This is not only a good thing, it’s undoubtedly a necessary thing.

However, the flipside of better vulnerability reporting is faster time to exploitation, as threat actors rapidly jump on research publications and look for victims that have failed or are unable to patch. Exploited vulnerabilities can cause serious damage to all organizations, including those running our critical infrastructure.

Phasing out unpatchable technology and obtaining visibility across the entire digital estate are imperatives. Until then, the net result is that the bar for breaching unwary organizations will keep getting lower.

2. The Hybrid Nature of Today’s Networks

Users and identity represent the new cybersecurity frontier as the world of work moves away from the office to remote or location independent. As long as users are connected, they remain part of your network, whether they are in the next office or on the other side of the world.

The new reality of a distributed workforce increases the risk to enterprises as attackers shift to targeting end users and endpoints via compromising credentials and authentication methods at any point along the entire supply chain.

Take, for example, the recent highly-publicized activities of the Lapsus$ hacker group, which among other things compromised Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel, a company subcontracted to provide customer service functions for Okta.

3. The Migration to the Cloud

The new kid on the block is your cloud assets. While businesses are growing rapidly by scaling up their offering with the cloud, it makes it harder for security teams and defenses to stay on top of that risk. The security implications of AWS, Azure or other cloud assets are difficult to grasp for many businesses, even those with large SOCs.

From cloud misconfigurations to compromise through vulnerable services – think Log4j – protecting cloud workloads can be a challenging task, particularly when they are spread over public clouds, private clouds and on-prem data centers.

4. Increasing Attacks on IoT Devices

‘Smart devices’ that are connected to the internet have increased the attack surface for organizations. From networked printers to security cameras, anything connected to the public internet can serve as a backdoor into your organization.

Increased risk caused by IoT devices includes unchanged default passwords, outdated firmware with known exploitable vulnerabilities, and the lack of network discovery for many IT and security teams. As threat actors scan networks with automated tools for any sign of weakness, administrators similarly need automated tools that can identify and protect any device as it is plugged into the network.

The increasing use of unprotected or insecure Smart devices has given attackers an easy way into networks, a beachhead from which they launch attacks to steal information or commit fraud through ransomware or other techniques.

5. Increase in BYOD and Mobile Authentication

While the use of mobile devices in the workplace has been with us for a number of years now, mobiles and mobile authentication are still creating new opportunities for malicious actors to steal valuable data.

Mobile authentication, or the verification of a user’s identity through a mobile device and one or more authentication methods to ensure secure access, has opened a new stream of attacks, using recycled numbers and other new attack vectors. Recent examples include attackers using social engineering techniques against users suffering from so-called “MFA fatigue”, where multiple 2FA push notifications trick users into authenticating fake login attempts.
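The “MFA fatigue” pattern above has a simple observable: one user receives far more push prompts in a short window than a person could plausibly have triggered, and the dangerous moment is an approval landing inside that burst. The following detector is an added example, not code from the page or from any MFA vendor. It assumes a push-notification log in a constructed line format (timestamp, user, result, source IP); the thresholds and every log line are constructed sample values.

```python
"""MFA push-fatigue detector (added example, hypothetical).

Reads push-notification log lines from an MFA provider (line format constructed
for this example), keeps a sliding window of prompts per user and raises an
alert when a user receives an unusual burst of prompts, escalating if an
approval lands inside that burst, which is the moment a worn-down user lets
someone else's login through.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed log format: "<ISO8601> user=<name> action=push result=<r> src_ip=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=push result=(?P<result>\S+) src_ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    result: str  # approved | denied | timeout
    ip: str


@dataclass(frozen=True)
class Alert:
    severity: str
    user: str
    prompts: int
    reason: str


def parse_line(line: str) -> PushEvent:
    """Parse one constructed-format log line; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return PushEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                     m["user"], m["result"], m["ip"])


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=5) -> List[Alert]:
    """Sliding-window count of prompts per user; one 'high' alert per burst and a
    'critical' alert for every approval that occurs while a burst is in progress."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent: Dict[str, Deque[PushEvent]] = defaultdict(deque)
    in_burst: Set[str] = set()
    alerts: List[Alert] = []
    for ev in events:
        q = recent[ev.user]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # drop prompts older than the window
            q.popleft()
        n = len(q)
        if n < threshold:
            in_burst.discard(ev.user)           # window drained, the burst is over
        elif ev.user not in in_burst:
            in_burst.add(ev.user)
            alerts.append(Alert("high", ev.user, n,
                                f"{n} push prompts within {window}; possible MFA fatigue"))
        if ev.result == "approved" and n >= threshold:
            alerts.append(Alert("critical", ev.user, n,
                                "approval granted inside a push burst; treat the session as suspect"))
    return alerts


# Constructed sample log: alice behaves normally, bob is hammered with prompts
# and finally approves one, carol gets a single denied prompt.
SAMPLE_LOG = """
2022-05-10T07:30:00Z user=alice action=push result=approved src_ip=198.51.100.20
2022-05-10T08:00:00Z user=bob action=push result=denied src_ip=203.0.113.7
2022-05-10T08:00:40Z user=bob action=push result=timeout src_ip=203.0.113.7
2022-05-10T08:01:20Z user=bob action=push result=denied src_ip=203.0.113.7
2022-05-10T08:02:00Z user=bob action=push result=denied src_ip=203.0.113.7
2022-05-10T08:02:45Z user=bob action=push result=timeout src_ip=203.0.113.7
2022-05-10T08:03:30Z user=bob action=push result=denied src_ip=203.0.113.7
2022-05-10T08:04:10Z user=bob action=push result=approved src_ip=203.0.113.7
2022-05-10T08:05:00Z user=carol action=push result=denied src_ip=198.51.100.33
2022-05-10T09:15:00Z user=alice action=push result=approved src_ip=198.51.100.20
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"[{a.severity}] {a.user}: {a.reason}")
```

The mitigation that pairs with this detection is on the provider side (number matching or rate-limiting prompts), but the detector is still worth running: it tells the SOC which approval to revoke, and the source IP carried on each event shows whether the prompts came from somewhere the user has never been.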

The Threat Landscape is Booming

The bar for compromising enterprise assets is lower than ever before. There are a few reasons for that. As one of the main operating system vendors, Microsoft plays a significant role in this area. There are too many ways attackers utilize vulnerabilities to break into secured networks and exfiltrate data. Some novel examples include ProxyLogon, Hafnium, and many others. There are growing voices in our industry criticizing the way Microsoft handles researcher vulnerability reporting, including some very vocal discussions. Other OS vendors should also improve the way they respond to vulnerabilities, and work more closely with security vendors to make their products better.

Key Takeaways – A CISO’s Cybersecurity Checklist

  • Eat Your Vegetables – Always stay ahead of best practices, ensuring you kill off any “low-hanging fruit” attack vectors. This includes enforcing multi-factor authentication and deploying endpoint protection on every computer, cloud or mobile device. Use your budget and create teams who live and breathe securing your organization. Know your adversaries. Simulate attacks and see that you are ready for the day of a breach. Create backups. There are no shortcuts here.
  • Create a Coalition – Cybersecurity is not a challenge only for the CISO: It’s a priority for the company. This means the CEO, the board of directors and other senior stakeholders should be aware of the risks and consider them against the priorities of the business.

    In 2022, there is no business without security. The CISO needs to ensure that all these stakeholders are aware of that and that they understand securing the enterprise does not happen in a silo. Share news, simulate breach responses, raise awareness. A breach can be caused by malicious actors or happen accidentally, but either way, it can cost companies millions in damages, lost revenue and reputational harm.
  • Stay Informed, and Increase Awareness of End Users – Follow the news and share with your users. While some headlines can inevitably be overblown, they can also be motivating, and there’s nothing exaggerated about the cost of ransomware, BEC, fraud and other cybercrimes to businesses today. Keep your people in the know regarding cybersecurity risks by encouraging them to be aware and interested in cyberspace. If the topic is good enough for mainstream television, we can make it good enough for our users also.
  • Get an Outsider’s Perspective – If you can run a red team, that’s great. If you cannot, work to establish periodic red team exercises to ensure there are no blind spots within your organization. If you are developing software or providing software as a service, run a bug bounty program and ensure “friendly eyes” are discovering your vulnerabilities before attackers do.
  • Know Your Enterprise Assets – How well do you know the security implications of your AWS, Azure or other cloud assets? What are the security implications of running Docker and Kubernetes? Cloud-focused attacks are a rapidly growing area of interest to opportunistic and targeted attackers alike.

    While the techniques used in such attacks are vast and varied, they typically rely heavily on the fact that cloud networks are large, complex, and onerous to manage. This makes agent and container security solutions critical for the defense of any organization across all cloud platforms. Look for and deploy security solutions that make this complexity simple.
  • Remember Supply Chain Attacks – Be in the know to reduce the risk of supply chain attacks. Although it is difficult for any security team to monitor and approve every business application entering the enterprise, visibility into every device can provide good insight into applications that may be more vulnerable than your end users believe.

    The previous year in cybersecurity showed us all how easy it is for adversaries to compromise widely-used applications. The SolarWinds and Kaseya compromises were unfortunate but timely reminders that software dependencies are a massive blindspot. When organizations rely on shared modules, plug-ins, and packages from open-source or non-security focused developers, the chance of such components being secure out-of-the-box is low.

    Attacks tend to seek the easy way in, and compromising relatively weak applications that are used by many is all an attacker needs. Technology can help to maximize visibility across the entire cyber estate.

Conclusion

There are no magic bullets, and cybersecurity remains a challenge that requires focus, knowledge and the right solutions that fit your business needs. SentinelOne is here to help CISOs with the challenge of securing the enterprise. To learn more about how to defend and protect your organization from today’s adversaries, contact us for more information or request a free demo.


Email Security and XDR | Simple Integration, Powerful Results

The State of Email Security

As tactics change, the sophistication of threat actors increases, and new vulnerabilities are constantly discovered, security operations teams are stretched to the limit investigating and remediating each incident. Email remains one of the most highly leveraged attack vectors. A staggering 79% of respondents to Mimecast’s State of Email Security 2022 study reported an increase in email volume at their organization, while 72% reported the number of email-based threats had risen during the past 12 months. Organizations today seek integrated defenses to protect email and improve incident response capabilities, while helping to reduce complexity, minimize risk, and decrease the demand on an already over-extended and under-staffed security team.

The State of Threat Intelligence

As email-based cyber attacks continue to rise, security teams are stretched and suffering from alert fatigue. They are still challenged by decision making and find themselves relying on limited data found during the investigation, accepting decisions will be made based on incomplete knowledge because they do not have time to investigate further.

Another common challenge: Security teams spend so much time gathering data that they do not have time to solve the problem. Organizations have to reduce complexity, minimize risk, and decrease the demand they put on already overtasked security teams. In the meantime, threats can move laterally throughout the organization before they are properly identified and remediated.

The Cybersecurity Skills Gap

And while the volume, intensity, and intelligence of cyberthreats increase, the world is simultaneously seeing a shortage of skilled cybersecurity talent that continues to widen. Tight job market or not, SOC analysts remain fatigued with the collection, normalization, and prioritization of data, unable to focus on cybersecurity incident response and resolution. Organizations face challenges hiring and retaining skilled security professionals. The deluge of alerts from security tooling and repetitive nature of the Tier 1 analyst position makes burnout one of the leading contributors to this shortage.

A New Solution Has Become Necessary

Security teams look to automation to help alleviate some of the repetitive tasks of incident response to focus their limited resources on the highest impact and most critical incidents, increasing throughput and reducing the time to respond. Integrating automation tools can help alleviate some of the alert and decision-making fatigue, data gathering woes, worker burnout, and pain caused by a lack of skilled workers, but we can leverage technology to do much more than that. As threats become more complex and organizations face worker shortages, a more advanced method of detection – XDR – has become necessary for most organizations.

What Is XDR, and Why Is It So Critical?

In an era where there are essentially no network perimeters, and disastrous breaches can come from anywhere at any time, security teams must sharpen their focus on threat detection and response.

In many organizations, earlier approaches such as first-generation security information and event management (SIEM) systems have proven unwieldy. They can be difficult to deploy and integrate, and are too costly and too susceptible to false positives. Linking SIEM to security orchestration, automation, and response (SOAR) systems has helped some organizations build response playbooks for automating responses to certain threats, but creating these has often been more complex and difficult than anticipated.

Cloud-native XDR solutions promise to overcome each of these problems, providing more focused and actionable data, better integration, more relevant insights, fewer false positives, and easier automation of responses. As XDRs move beyond endpoint-only EDR solutions, they promise to provide the fuller visibility and faster response that couldn’t be achieved with earlier tools.

Integrated Solutions Stop Threats

Strategic integrations lessen SOC teams’ pain by using automation between email and endpoint security solutions to prevent the lateral movement of threats throughout the organization.

Mimecast and SentinelOne provide an integrated solution that stops threats and streamlines response across the organization. Customers can be confident their devices will be protected from zero-day threats across each endpoint. By correlating response between email and endpoint security solutions, analysts automate repetitive tasks for faster and more comprehensive incident response. When integrated, the two solutions deliver accelerated incident response and reduced mean time to response.

How the Mimecast and SentinelOne Integration Works

SentinelOne Singularity XDR provides AI-powered prevention, detection, and response across endpoints, cloud workloads, and IoT devices. When a threat is detected in SentinelOne, SentinelOne Storyline™ correlates detections and activity data across security layers, including email, endpoints, mobile, and cloud. Analysts can streamline the organization’s response by automatically suspending email for a given user, blocking the user’s email, or quarantining them. Upon detection of the threat, SentinelOne can automatically suspend the last logged-in user’s ability to send email, helping secure a critical lateral movement path.
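Two passages on this page describe the same mechanism in the abstract: the definition of XDR as data from several sources correlated in one unified stream, and the endpoint-to-email flow just described, where a detection on a host leads to the last logged-in user’s outbound mail being suspended. The block below is an added example of that mechanism, not SentinelOne’s, Mimecast’s or Storyline’s code. It assumes three constructed feeds (endpoint detections, Windows logon events, mail-gateway deliveries) in their own shapes, normalises them into one schema, and emits response actions as strings; `suspend_outbound_mail` and `quarantine_host` are placeholder action names, not any product’s API, and every record is constructed.

```python
"""Unified event stream, cross-source correlation and automated response
(added example, hypothetical; not SentinelOne's, Mimecast's or Storyline's code).

Three constructed feeds (endpoint detections, Windows logons, mail-gateway
deliveries) are normalised into one schema and sorted into a single stream.
For every endpoint detection the correlator finds the last user who logged on
to that host, the most recent message delivered to that user, and emits
response actions as strings; a real integration would call the mail and
endpoint platforms' APIs at that point instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


def ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str          # edr | auth | mail
    kind: str            # detection | logon | mail_delivered
    host: Optional[str]
    user: Optional[str]
    detail: str


# Constructed raw records, each in the shape its own product might export.
EDR_RAW = [
    {"time": "2022-05-10T09:03:12Z", "agent_host": "WS-042", "threat": "Trojan.Downloader", "process_user": "bob"},
    {"time": "2022-05-10T12:00:00Z", "agent_host": "SRV-01", "threat": "Hacktool.Dump", "process_user": None},
]
AUTH_RAW = [
    {"time": "2022-05-10T08:10:00Z", "event_id": 4624, "computer": "WS-042", "target_user": "alice"},
    {"time": "2022-05-10T08:50:00Z", "event_id": 4624, "computer": "WS-042", "target_user": "bob"},
    {"time": "2022-05-10T08:51:00Z", "event_id": 4625, "computer": "SRV-01", "target_user": "mallory"},
]
MAIL_RAW = [
    {"time": "2022-05-10T08:58:30Z", "recipient": "bob", "subject": "Invoice overdue", "attachment": "invoice.iso"},
    {"time": "2022-05-10T08:20:00Z", "recipient": "alice", "subject": "Lunch?", "attachment": None},
]


def build_stream() -> List[Event]:
    """Normalise every feed into Event and merge them into one time-ordered stream."""
    stream = [Event(ts(r["time"]), "edr", "detection", r["agent_host"], r["process_user"], r["threat"])
              for r in EDR_RAW]
    stream += [Event(ts(r["time"]), "auth", "logon", r["computer"], r["target_user"], f"event {r['event_id']}")
               for r in AUTH_RAW if r["event_id"] == 4624]      # only successful logons place a user on a host
    stream += [Event(ts(r["time"]), "mail", "mail_delivered", None, r["recipient"],
                     r["subject"] + (f" [{r['attachment']}]" if r["attachment"] else ""))
               for r in MAIL_RAW]
    return sorted(stream, key=lambda e: e.ts)


@dataclass
class Incident:
    host: str
    threat: str
    user: Optional[str]        # last logged-in user on the host, if known
    delivery: Optional[str]    # most recent mail delivered to that user before the detection
    actions: List[str]


def correlate(stream: List[Event], window: timedelta = timedelta(hours=1)) -> List[Incident]:
    """Pivot from each detection to host -> user -> mail within a look-back window."""
    incidents: List[Incident] = []
    for det in (e for e in stream if e.kind == "detection"):
        since = det.ts - window
        logons = [e for e in stream if e.kind == "logon" and e.host == det.host and since <= e.ts <= det.ts]
        user = logons[-1].user if logons else det.user        # fall back to the process owner
        mails = ([e for e in stream if e.kind == "mail_delivered" and e.user == user and since <= e.ts <= det.ts]
                 if user else [])
        actions = [f"quarantine_host:{det.host}"]
        if user:
            # Close the lateral-movement path through that user's mailbox.
            actions.append(f"suspend_outbound_mail:{user}")
        incidents.append(Incident(det.host, det.detail, user, mails[-1].detail if mails else None, actions))
    return incidents


if __name__ == "__main__":
    for inc in correlate(build_stream()):
        print(inc)
```

The look-back window is the knob that matters: too short and the logon that placed the user on the host falls outside it, too long and a shared workstation yields the wrong user and the wrong mailbox gets suspended. The second constructed detection (a server with no successful logon in the window and no process owner) shows the correlator degrading to a host-only action rather than guessing a user.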

Sample Attack Timeline Without XDR Integration


Sample Attack Timeline With XDR Integration

Stopping Attacks Like LAPSUS$

Integrated solutions like the one from SentinelOne and Mimecast can stop prominent and damaging attacks like the recent LAPSUS$ attacks.

Threat actors such as LAPSUS$ take the time needed to research employees at a company they have decided to target. They first compromise the employee’s personal network and search for credentials that can be used to access corporate systems. This is particularly easy if the employee uses the same passwords for both their personal and work credentials. Even if the attacker does not find the credentials they are looking for, they can use the information they have already obtained to reset passwords and complete account recovery actions. Attackers like LAPSUS$ have even been known to call a company’s IT Helpdesk to attempt to get credentials reset.

The SentinelOne and Mimecast integration can stop attacks like LAPSUS$ by preventing them from moving laterally. The two solutions share information about threats that have been identified, reducing the likelihood that an attack will be successful. Security Awareness Training can also play an important part in thwarting attacks like LAPSUS$, giving employees an edge in identifying potential threats that can arrive in either their personal or work email.

The Bottom Line

Email security and XDR are the ideal pairing for security teams that are overtasked and struggling to keep up with alert volume and a never-ending stream of threats delivered via email. For more information about how your organization can benefit from this joint SentinelOne and Mimecast solution, read our joint solution brief.

4 Steps Toward Successfully Measuring the Effectiveness of Your Security Controls

In the past, organizations might have been able to get away with firewalls and antivirus software as their primary defenses against cybercriminals. Unfortunately, those days are long gone. Defending against today’s threats requires a more active approach capable of evolving alongside attackers and their ever-changing tactics. “Set it and forget it” security tools are no longer an option. Today’s organizations need to continuously evaluate the effectiveness of their security controls, identifying potential weaknesses, vulnerabilities, compliance issues, and other problems.

Determining the effectiveness of these tools isn’t always easy, though. What’s more, company leaders are generally interested in knowing more than just how security solutions deal with threats. They want to understand the value the tools provide and whether they are generating enough ROI to justify continued use, which can be difficult to measure in specific, quantifiable terms. Fortunately, there are options available. Organizations seeking to understand the performance of their security solutions better should focus on a few key areas.

1. Gauging Attack Surface Awareness

Building a wall to keep attackers at bay isn’t sufficient in today’s threat landscape. Eventually, one or more will get in. It simply isn’t possible to stop 100% of threats, meaning that security should shift from focusing on perimeter protection to in-network detection. To be successful, organizations need awareness of things like exposed credentials, misconfigurations, potential attack paths, and other vulnerabilities that attackers are likely to exploit.

There is a wide range of tools available that can help. Endpoint Detection and Response (EDR) tools provide visibility into attacks on endpoints, while Extended Detection and Response (XDR) tools expand upon those capabilities by integrating with other solutions. Attackers will almost always look to compromise Active Directory (the service that handles authentication throughout the enterprise), which is notoriously difficult to secure. Detection tools capable of identifying suspicious AD queries and other potential attack activity can help prevent the nightmare scenario of a compromised AD.

Of course, identity security is also increasingly critical. While traditional EDR tools and AD security solutions don’t offer the identity protection needed in today’s environments, Identity Threat Detection and Response (ITDR) solutions have emerged to fill that gap.

It all comes down to coverage. Organizations can assess the degree of awareness they have across the network. Identity controls without endpoint protections can leave their networks dangerously vulnerable, as can endpoint protections without AD security. And as more and more organizations embrace the cloud, new cloud environments will expand the attack surface even further. Ensuring sufficient visibility across the entire network is a critical first step in assessing the effectiveness of an organization’s tools.

2. Investigating Permissions and Entitlements

Overprovisioning is a serious problem today. IT teams generally do not want to interfere with business operations, which means it is easier to provide users and other identities with more permissions than they need rather than risk impeding someone’s job function. Unfortunately, identities often end up with entitlements that far outstrip what they actually need to do their jobs. Consequently, when attackers compromise those identities, they also have access to far more data than they otherwise would have.

Implementing a Zero Trust Architecture (ZTA) is one way of dealing with this challenge, providing identities with only the minimum level of access they need to function and continuously validating that they are who or what they say they are. To that end, organizations need tools to identify excessive permissions and other potential vulnerabilities throughout the network. Organizations should regularly audit and update these permissions to ensure they remain appropriate, and that someone can examine those audits. How many excessive permissions were detected? How many obsolete or orphaned credentials did they expunge? Proper awareness across the network can help IT teams gauge how effectively they are managing their permissions.

3. Measuring and Improving Detection Accuracy

Security alerts are good—ostensibly, they indicate that security tools are functioning correctly and detecting threats. Unfortunately, that isn’t always the case. Suspicious-looking activity often turns out to be harmless, resulting in a false alarm that wastes the security team’s time with useless investigation. These false alerts can result in alert fatigue, with excessive false alarms drowning out the actual threats needing remediation.

Tracking the false positive reporting rate (FPRR) can help security personnel understand the quality of their alerts. If the FPRR is too high, it may be time to look into newer, more accurate tools. Today’s detection technology often comes armed with artificial intelligence and machine learning (AI and ML) capabilities that allow it to learn over time and substantiate alerts before relaying them to the security team. These high-fidelity alerts reduce the overall alert volume and enable network defenders to focus on actual threats rather than chasing ghosts.

4. Understanding the Effectiveness of Automation

Automation is useful for more than reducing false alarms. It isn’t always feasible to manually remediate all threats at today’s attack volumes. Fortunately, today’s tools can automatically correlate attack information from different sources and display it on a single dashboard for assessment. By creating playbooks for certain types of attack activity, these tools can automatically remediate specific threats before even bringing them to the attention of a defender. This automation accelerates and simplifies incident response, addressing threats as soon as they are detected and stopping them before they can escalate and spread throughout the network.

Incident response volume is a good way to gauge how effective these controls are. The number of incidents reported as open, closed, or pending can provide insight into how well automated tools deal with threats. Too many open or pending incidents doesn’t bode well, but a significant number of verifiably closed cases means the system is doing its job.

Conclusion

Today’s threats are wide-ranging, and modern attackers don’t just focus on large organizations. Everyone is at risk, and organizations large and small need to have appropriate protections in place and the knowledge and resources necessary to gauge their efficacy. Fortunately, assessing things like network visibility, entitlement management, and incident and false alarm reporting can help organizations determine their overall network health and how well their defenses are faring.

This information can also help security teams generate additional buy-in from CISOs and corporate boards when enhancing and expanding their network defense capabilities. As attackers evolve, network defense tools evolve alongside them, and helping today’s business leaders understand the steps needed to stay one step ahead of the cybercriminals is essential. Given that the average cost of a data breach in 2021 rose to $4.24 million, effective security solutions have never been more critical.

If you would like to learn how SentinelOne can help protect your business, contact us or request a free demo.

Top 10 Ways to Protect Your Active Directory

Active Directory (AD) is a high-value target for attackers, who frequently attempt to compromise it to escalate their privileges and expand their access. Unfortunately, its operational necessity means that AD must be easily accessible to users throughout the enterprise—making it notoriously difficult to secure. Microsoft has stated that more than 95 million AD accounts come under attack every day, underscoring the seriousness of the problem.

While protecting AD is a challenge, it is far from impossible—it just requires the right tools and tactics. Below are ten tips that enterprises can use to more effectively secure AD against some of today’s most common attack tactics.

1. Prevent and Detect Enumeration of Privileged, Delegated Admin, Service, and Network Sessions

Once an adversary has penetrated perimeter defenses and established a foothold within the network, they will conduct reconnaissance to identify potentially valuable assets—and how they can get to them. One of the most effective ways they do this is to query AD, since those queries can be disguised as normal business activity with little chance of detection.

The ability to detect and prevent enumerations of privileges, delegated admins, and service accounts can alert defenders to the presence of an adversary early in the attack cycle. Deploying deceptive domain accounts and credentials on endpoints can also trip up attackers and allow defenders to redirect them to decoys for engagement.

2. Identify and Remediate Privileged Account Exposures

Users often store credentials on their workstations. Sometimes they do this accidentally, while other times willingly—usually for convenience. Attackers know this and will target those stored credentials to gain access to the network environment. The right set of credentials can go a long way, and intruders will always look to escalate their privileges and access further.

Enterprises can avoid giving attackers an easy way into the network by identifying privileged account exposures, remediating misconfigurations, and removing saved credentials, shared folders, and other vulnerabilities.

3. Protect and Detect “Golden Ticket” and “Silver Ticket” Attacks

Pass-the-Ticket (PTT) attacks are among the most powerful techniques adversaries use to move laterally throughout the network and escalate their privileges. Kerberos’s stateless design strategy makes it easy to abuse, which means attackers can easily forge tickets within the system. “Golden Ticket” and “Silver Ticket” are two of the most severe types of PTT attacks that adversaries use to achieve domain compromise and domain persistence.

Addressing this requires the ability to detect vulnerable Kerberos Ticket Granting Ticket (TGT) and computer service accounts, identifying and alerting on misconfigurations that could potentially lead to PTT attacks. Additionally, a solution like Singularity Identity can prevent the use of forged tickets at the endpoints.

4. Protect Against Kerberoasting, DCSync, and DCShadow Attacks

A “Kerberoasting” attack is an easy way for adversaries to gain privileged access, while DCSync and DCShadow attacks maintain domain persistence within an enterprise.

Defenders need the ability to perform a continuous assessment of AD that provides real-time analysis of AD attacks while alerting on the misconfigurations that lead to those attacks. Furthermore, a solution capable of leveraging endpoint presence to prevent bad actors from discovering accounts to target can inhibit their ability to carry out these incursions.

5. Prevent Credential Harvesting From Domain Shares

Adversaries commonly target plaintext or reversible passwords stored in scripts or group policy files stored in domain shares like Sysvol or Netlogon.

A solution like Ranger AD can help detect these passwords, allowing defenders to remediate the exposures before attackers can target them. Mechanisms like those in the Singularity Identity solution can also deploy deceptive Sysvol group policy objects in the production AD, helping to further disrupt the attacker by misdirecting them away from production assets.


6. Identify Accounts With Hidden Privileged SID

Using the Windows Security Identifier (SID) injection technique, adversaries can take advantage of the SID “history” attribute, allowing them to move laterally within the AD environment and further escalate their privileges.

Preventing this requires detecting and reporting accounts whose SID history attribute contains well-known privileged SID values.

7. Detect Dangerous Access Rights Delegation on Critical Objects

Delegation is an AD feature that allows a user or computer account to impersonate another account. For example, when a user calls a web application hosted on a web server, the application can mimic the user’s credentials to access resources hosted on a different server. Any domain computer with unconstrained delegation enabled can impersonate user credentials to any other service on the domain. Unfortunately, attackers can exploit this feature to gain access to different areas of the network.

Continuous monitoring of AD vulnerabilities and delegation exposures can help defenders identify and remediate these vulnerabilities before adversaries can exploit them.

8. Identify Privileged Accounts With Delegation Enabled

Speaking of delegation, privileged accounts configured with unconstrained delegation can lead directly to Kerberoasting and Silver Ticket attacks. Enterprises need the ability to detect and report on privileged accounts with delegation enabled.

A comprehensive list of privileged users, delegated admins, and service accounts can help defenders take stock of potential vulnerabilities. In this instance, delegation is not automatically bad. It is often necessary for an operational reason, but defenders can use a tool like Singularity Identity to prevent attackers from discovering those accounts.
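As an added example (not SentinelOne’s code), the two checks from items 6 and 8 above, run over constructed account records shaped like the attributes an LDAP query of a domain returns. The userAccountControl flag bits and the well-known privileged SIDs/RIDs are Microsoft-documented values; the account names, domain SIDs and SPNs are constructed.

```python
"""Audit AD account records for hidden privileged SIDs in sIDHistory (item 6)
and privileged accounts with delegation enabled (item 8).

Added example, not SentinelOne's code. SAMPLE_ACCOUNTS is constructed; in a
real audit the records would come from an LDAP export of the domain.
"""
from dataclasses import dataclass, field

# userAccountControl flag bits (Microsoft-documented values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NORMAL_ACCOUNT = 0x200

# Well-known privileged RIDs (domain-relative) and built-in SIDs (Microsoft-documented)
PRIVILEGED_DOMAIN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
PRIVILEGED_BUILTIN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}


@dataclass
class AdAccount:
    sam: str                       # sAMAccountName
    object_sid: str                # objectSid
    user_account_control: int      # userAccountControl
    sid_history: list = field(default_factory=list)            # sIDHistory
    admin_count: int = 0                                        # adminCount (1 = SDProp-protected)
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo


def privileged_sid_label(sid):
    """Return the group/account name if sid is a well-known privileged SID, else None."""
    if sid in PRIVILEGED_BUILTIN_SIDS:
        return PRIVILEGED_BUILTIN_SIDS[sid]
    domain_part, _, rid = sid.rpartition("-")
    if domain_part.startswith("S-1-5-21-") and rid.isdigit():
        return PRIVILEGED_DOMAIN_RIDS.get(int(rid))
    return None


def find_hidden_privileged_sids(accounts):
    """Item 6: accounts whose sIDHistory carries a privileged SID (e.g. from a migrated domain)."""
    findings = []
    for acct in accounts:
        for sid in acct.sid_history:
            label = privileged_sid_label(sid)
            if label:
                findings.append((acct.sam, sid, label))
    return findings


def is_privileged(acct):
    """Protected by SDProp (adminCount=1) or carrying a well-known privileged SID."""
    return acct.admin_count == 1 or privileged_sid_label(acct.object_sid) is not None


def find_privileged_with_delegation(accounts):
    """Item 8: privileged accounts with any form of Kerberos delegation enabled."""
    findings = []
    for acct in accounts:
        if not is_privileged(acct):
            continue
        uac = acct.user_account_control
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((acct.sam, "unconstrained"))
        elif acct.allowed_to_delegate_to:
            kind = "constrained+protocol-transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained"
            findings.append((acct.sam, kind))
    return findings


# Constructed sample records (hypothetical domain S-1-5-21-1111-2222-3333, old domain S-1-5-21-9999-8888-7777)
SAMPLE_ACCOUNTS = [
    AdAccount("jdoe", "S-1-5-21-1111-2222-3333-1105", NORMAL_ACCOUNT),
    # migrated user still carrying the old domain's Domain Admins SID in sIDHistory
    AdAccount("migrated.user", "S-1-5-21-1111-2222-3333-1106", NORMAL_ACCOUNT,
              sid_history=["S-1-5-21-9999-8888-7777-512"]),
    # protected service account with unconstrained delegation
    AdAccount("svc_web", "S-1-5-21-1111-2222-3333-1107", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION, admin_count=1),
    # protected service account with constrained delegation plus protocol transition
    AdAccount("svc_sql", "S-1-5-21-1111-2222-3333-1108", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
              admin_count=1, allowed_to_delegate_to=["MSSQLSvc/db01.corp.example:1433"]),
    # unprivileged account with delegation: still worth reviewing, but not an item 8 finding
    AdAccount("svc_backup", "S-1-5-21-1111-2222-3333-1109", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION),
    AdAccount("Administrator", "S-1-5-21-1111-2222-3333-500", NORMAL_ACCOUNT, admin_count=1),
]

if __name__ == "__main__":
    for finding in find_hidden_privileged_sids(SAMPLE_ACCOUNTS):
        print("hidden privileged SID:", finding)
    for finding in find_privileged_with_delegation(SAMPLE_ACCOUNTS):
        print("privileged account with delegation:", finding)
```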

9. Identify Unprivileged Users in AdminSDHolder ACL

Active Directory Domain Services (AD DS) uses the AdminSDHolder object and the Security Descriptor propagator (SDProp) process to secure privileged users and groups. The AdminSDHolder object has a unique Access Control List (ACL), which controls the permissions of security principals that are members of built-in privileged AD groups. To enable lateral movement, attackers can add accounts to the AdminSDHolder ACL, granting them the same privileged access as other protected accounts.

Organizations can prevent this activity with a tool like Ranger AD to detect and alert on the presence of unusual accounts within the AdminSDHolder ACL.

10. Identify Recent Changes to Default Domain Policy or Default Domain Controllers Policy

Within AD, organizations use group policies to manage several operational configurations by defining security settings specific to the environment. These often configure administrative groups and include startup and shutdown scripts. Administrators configure them to set organization-defined security requirements at each level, install software, and set file and registry permissions. Unfortunately, attackers can change these policies to achieve domain persistence within the network.

Monitoring changes to default group policies can help defenders quickly spot these attackers, mitigating security risks and helping to prevent privileged access to AD.

Putting the Right Tools in Place

Understanding the most common tactics adversaries use to target AD can help enterprises defend it. When developing tools like Ranger AD and Singularity Identity, we considered many attack vectors and identified how best to detect and derail them.

With these tools in place, today’s enterprises can effectively identify vulnerabilities, detect malicious activity early, and remediate security incidents before intruders can escalate their privileges and turn a small-scale attack into a major breach. Protecting AD is a challenge, but it is not an insurmountable one, thanks to today’s AD protection tools.


On the Board of Directors? Beware of These Six Common Cyber Security Myths

The days when cyber security was merely a technical or niche issue to be dealt with by some small department in the basement are long behind us. Boards now have CISOs and CIOs, and yet there is still a need for all directors to understand the impact of cyber security risk when making strategic business decisions as well as to understand what to ask when a breach takes place.

Failing to grasp the nature of cyber security in today’s business environment can have dire consequences. Proper board preparedness and planning are critical both to protecting the business and to insulating officers and directors from liability. Accordingly, directors must ensure that the business is ready to face cyber risks and the potential legal ramifications of those risks by aligning the organization’s cyber risk profile with its business needs.

Of course, there is no shortage of information out there on cyber security and cyber risk, but much of it is couched in sales and marketing jargon peculiar to one vendor or another, and what isn’t is often aimed at a technical audience with a level of detail that is rarely relevant to high-level decision makers. In this post, we cut through the clutter and cover the basics of cyber risk management for directors by dispelling six common cybersecurity myths.

Myth 1: Cyber Security Is Only Necessary for Some Businesses

Many believe that only certain kinds of companies require cyber security and that if they are not in that list, cyber security isn’t for them. Typically that list includes:

  • technology companies

  • companies that store sensitive customer data (PII)

  • healthcare, infrastructure, and other organizations required by law to have protections in place

  • companies of a certain size or value

Cybersecurity is critical for all organizations, regardless of their industry. The ongoing wave of ransomware attacks has shown that attackers are opportunistic and will target any organization that has valuable data or systems that they can exploit.

Even companies that don’t store sensitive data (PII) can be hacked or infected with ransomware if their systems are not properly secured, and PII is not the only thing that can be stolen or compromised in a cyber attack. Organizations can also lose money, suffer damage to their reputation, and experience other negative consequences as a result of a cyber breach.

Similarly, size is not a significant factor in risk assessment. Any organization, regardless of size, can be a target for cyber attacks. Small businesses are often seen as easier targets because they may not have the same resources to devote to cyber security as larger organizations. The level of risk increases if the business does not take the necessary precautions to protect itself.

All businesses regardless of size, industry or value should have a comprehensive cyber security plan in place to protect themselves from potential attacks.

Myth 2: Security Software Is All You Need to Stay Safe

There are many point tools in the cybersecurity defense arsenal. Tools like SIEM, SOAR, firewalls, antivirus, and many others have proven in recent years that, on their own, they are not sufficient to keep businesses out of negative news cycles.

The modern working environment allows employees more freedom than ever before, with the ability to install software and to gain access to company assets from the endpoint, wherever they may be physically located.

The effort of staying safe from cyber risk may start with getting the right tool to see it all, but it does not end there. As the cybersecurity landscape continues to evolve, defense capabilities need to keep pace, too.

The idea of total protection from cyber threats is unrealistic. However, organizations are best served when their boards promote a culture of cyber awareness and integrate investments into cyber resilience with the overall strategic vision of the organization.

Myth 3: Software Vulnerabilities Aren’t an Issue for the Board

Every piece of software that an organization uses can also introduce vulnerabilities that make it easy to penetrate the corporate network.

Some recent high-profile examples include CVE-2022-30190 (aka the Follina vulnerability), which allows attackers to compromise a Windows machine simply by sending a malicious Word document, and CVE-2021-44228 (aka Log4Shell), a vulnerability in Apache’s Log4j library that most companies didn’t even realize was in their software stack.

Unfortunately, the biggest and most likely source of vulnerabilities in your software stack is the operating system itself. Here are some sobering statistics:

  • In 2020, Microsoft confirmed 1,220 new vulnerabilities impacting their products, a 60% increase on the previous year.

  • 807 of the 1,220 vulnerabilities were associated with Windows 10, with 107 of those related to code execution, 105 to overflows, 99 to gaining information, and 74 to gaining privileges.

  • In 2021, 836 new vulnerabilities were confirmed, 455 of which impact Windows 10 and 107 allow malicious code execution.

While patch management is certainly the responsibility of your IT team, boards need to understand that no amount of patching is going to negate the security risk presented by the operating system itself.

This means that your organization should look to partner with security-first companies that can provide a holistic approach to security. Avoid relying on the OS vendor either to patch everything or to provide security add-ons to plug the gaps.

Develop a strategy that aims to reduce risk by decreasing dependencies while easily integrating your security solution with the rest of your software stack.

Myth 4: You Don’t Need to Worry About Supply Chain Attacks

Even if an organization manages to keep its own software safe, any other service provider can unknowingly facilitate a way into the network. In recent times, we’ve seen the SolarWinds supply chain attack, where the attackers were able to compromise organizations through the SolarWinds software update, and the Kaseya incident, in which attackers targeted Kaseya VSA servers—commonly used by MSPs and IT management firms—to infect downstream customers with ransomware.

Such attacks are highly lucrative for threat actors because compromising one weak link enables access to a complete portfolio of customers using that software.

Ensuring you have maximal protection against digital supply chain attacks is a strategic decision that needs to be taken at the board level.

Ensure your board’s strategy includes things such as deploying the right security solution, developing an Incident Response (IR) plan, ensuring application integrity policies only allow authorized apps to run, and driving a cybersecurity-centric culture.

Myth 5: You Can’t Do Anything About Cyber Security Threats

While it is true that some threats are out of your control, there are many things you can do to protect your organization from cyber attacks. Implementing strong cyber security measures can help reduce your risk of being targeted by cyber criminals.

It is also important to remember that while it may be true that you cannot secure your organization against every possible attack, there are steps that organizations can take to make themselves as secure as possible against the most likely attacks.

In the vast majority of cases, threat actors are financially motivated, and they are looking for easy wins. Like the weakest animal in the herd, the companies that cannot protect themselves will soon be picked off by cyber predators.

Implementing a comprehensive cybersecurity plan, including several layers of security, will help to protect your organization from most attacks.

Myth 6: It’s Impossible to Train Employees to be Cyber Secure

While employees are a key part of any organization’s cyber security strategy, they cannot be expected to be experts in cybersecurity. Organizations need to provide employees with appropriate training and resources. This includes regular awareness of the kinds of threats the business faces, simple steps in how to identify things like phishing emails or unusual requests, and clear steps for reporting suspicious activity. Social engineering, more commonly known as the subtle art of convincing people to click on spear phishing emails, remains one of the most common ways cybercriminals operate today.

Think of employees as an aid to your cyber defenses, and ensure that they not only have the means to report anything suspicious but that they feel safe and confident in doing so.

Conclusion

Cybersecurity is all about managing risk as effectively as possible. There is no organization in the world that is immune to cyber threats, but in today’s threat landscape, it is vital that cyber security is understood to be a strategic factor that must be planned from the very top of the organization. The risk to the business is too great for it to start anywhere else.

If you would like to learn more about how SentinelOne can help manage cyber security risk in your organization, contact us or request a free demo.

How Attackers are Leveraging the Log4j Vulnerability Six Months Later

Over six months ago, on December 14th, a little-known but ubiquitous logging utility, Log4j, embedded deep in the software supply chain caused a cybersecurity stir when a zero-day vulnerability allowing remote code execution attacks—enabling an attacker to gain full server control—was disclosed. It was widely reported, with news outlets generating widespread awareness of the explosive vulnerability that was dubbed Log4Shell. Security teams responded accordingly by scrambling to update affected devices.

After the Log4Shell disclosure, defenders had a difficult task ahead: Log4j is extremely common in Java-based apps, including iCloud, the popular game Minecraft, and numerous others. This made it difficult for organizations and individuals to know if and where the supply-chain dependency was running on their network, and attackers knew that just one unpatched device is enough to gain a foothold.

Log4j Vulnerabilities Six Months Later

The fact that no massive breaches have been reported as a result of Log4j can be attributed to broad awareness and quick action. Despite the quick response, Log4j has become a standard target for vulnerability scanners and hacker toolkits—and is even built into a number of botnets. I would expect continuous scanning for vulnerable systems to go on for a long time as criminals use automation to look for easy targets.

The Data:
Since its disclosure, ExtraHop tracked scan attempts for the Log4j vulnerabilities month over month. ExtraHop data shows that cybercriminals continue to scan for Log4j vulnerabilities, despite a patch being available for over six months. While the volume of attempts has declined recently, February, March, and April were big months for exploit scanning, proving that cybercriminals are capitalizing on the widespread nature of this vulnerability.

Timeline of Log4J scans showing peaks from Feb to April

While the recent dip in scanning attempts may signal a slowdown, the sharp drop may instead be due to law enforcement’s shutdown of botnets. We’ll see continuous scanning for vulnerable systems for a long time to come as criminals take advantage of their automated tools to target low-hanging fruit.

The Top Targeted Industries

Among the industries targeted, ExtraHop found that a disproportionate volume of scans targeted the financial services sector. Financial services organizations made up 20% of the sample set, yet accounted for 49% of the scan attempts. This data shows that the scans are likely becoming more targeted, focusing on industries where cybercriminals expect a bigger payoff for their efforts. Financial services are an attractive target due to the massive potential payoffs from hacking organizations who handle vast amounts of wealth.

The fact that scans are focusing on the financial sector is consistent with the fact that finance is the most breached industry according to the 2022 DBIR: The report found that financial institutions suffered 690 breaches among a total of 5,212 breaches reported across 21 industry sectors.

The next biggest scanning target according to ExtraHop data is healthcare, which accounted for 17% of the sample set but 11% of the scan attempts. Healthcare, which has been a consistent target for attackers over the past decade, was the fourth most breached industry, according to the 2022 DBIR.

An ‘every dollar spent on positive patient outcomes is a dollar well spent’ mindset may be the reason why healthcare organizations remain among the top victims of cybercrime. A recent survey conducted by HIMSS indicates that healthcare organizations are allocating 6% or less of their IT budget toward cybersecurity.

Identifying Signs of Log4j Compromise

The net takeaway here is that organizations should continue to stay vigilant to prevent attackers from successfully discovering unpatched Log4j access points. While scanning attempts have recently dropped, the numbers may trend toward a temporary dip rather than an overall downward trend, making continued security efforts necessary.

While a previous article offers a detailed technical explanation of how Log4j attacks work and how to detect them, the basic premise is that, for a Log4j exploit attack to proceed, the vulnerable application must be tricked into reaching out to an external server. Established network baselines can help identify normal vs anomalous behavior, helping to identify signs of compromise. Understanding normal network behavior gives organizations the ability to quickly identify IoCs associated with this flaw. This allows security teams to stop a breach, even if attackers succeed in identifying and exploiting unpatched Log4j vulnerabilities.


Five Blind Spots That Leave You Open to Supply Chain Vulnerabilities

Software supply chain attacks have received increased attention over the past year with high-profile examples such as the SolarWinds SUNBURST attack, the Kaseya VSA (REvil) attack, or the Log4j vulnerability making headlines and impacting thousands of enterprises. It isn’t that a handful of examples happen to make the news: Supply chain attacks are growing more common. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chain.

Furthermore, the sheer variety in how software supply chain attacks can be executed adds complexity to the process of risk mitigation, detection, response, and resilience against them. From intentionally introduced malware in enterprise software to accidental vulnerabilities in ubiquitous open-source code, the software supply chain is dark and full of terrors.

We’ll explore five real-world examples of supply chain attacks and third-party risk introduced through the software supply chain. We’ll provide advice on how to improve your security posture against these attacks. You’ll learn how to:

  • Improve your readiness and security hygiene to reduce the likelihood of a supply chain attack working against you
  • Increase your ability to detect early indicators of a supply chain attack in progress
  • Accelerate your response capabilities against both sophisticated and basic supply chain attacks
  • Boost your overall ability to monitor and manage third-party risk from software vendors

What Is a Software Supply Chain Attack and Why Are Businesses Uniquely Vulnerable?

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “a software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.”

Your organization’s software supply chain consists of all the companies you buy software from, all of the open-source repositories their developers pull code from, all the service organizations you allow into your environment, and more. All of these sources represent an enormous and difficult-to-secure cyber attack surface.

Even in cases where an attacker exploits a vulnerability in a supply-chain dependency, rather than introducing their own malicious code, the software supply chain serves as an amplifier. This enables attackers to stay stealthy while breaking into a wider range of targets, which means that third-party risk introduced through the software supply chain extends well beyond sophisticated attacks such as SUNBURST. The overlapping blind spots inside the enterprise contribute to the enormity of this challenge for defenders.

CISA says that organizations are uniquely vulnerable to software supply chain attacks for two major reasons:

  1. Many third-party software products require privileged access.
  2. Third-party software products require frequent communication between the vendor’s network and the vendor’s software product located on customer networks.

Supply chain attacks exploit this privileged access and open communication channels between vendor and customer as an initial intrusion path. Some supply chain attacks simultaneously target many devices or workloads within target organizations at once.

As a preventive measure, most organizations conduct due-diligence security assessments of software they plan to use. This is important for weeding out basic security holes but is insufficient for catching and stopping more advanced adversaries. By monitoring network behavior, particularly inside of your environment, organizations can catch the advanced attackers that sneak through.

Enterprise Software Supply Chain Attacks: The SUNBURST Model

The Attack: The SolarWinds SUNBURST attack is the biggest supply chain attack in recent memory to exploit a major, well-established software provider. The attackers first compromised SolarWinds, then inserted malicious code into the build server for the SolarWinds Orion infrastructure monitoring and management software. From that moment, SolarWinds customers who updated their software received the malicious code. All told, 18,000 customers were potentially impacted.

Far beyond SolarWinds, the software supply chain attack surface is getting bigger. There was a 24% increase in the number of applications used by enterprises from 2016 to 2022, according to Okta, an identity and access management provider. Okta reports that its large customers (over 2,000 employees) use an average of 187 applications, each of which represents a potential intrusion pathway for supply chain attackers. It must be noted here that Okta itself was the victim of a software supply chain attack that was disclosed in March 2022.

The Blind Spot: Application Servers and Software Update Pathways
Enterprise software-based supply chain attacks are very likely to use the update mechanism as a delivery pathway. This was the case in SUNBURST as well as in the legendary NotPetya attack, which abused the update servers of the Ukrainian productivity software M.E.Doc to deliver ransomware that nearly destroyed global shipping giant Maersk.

The Solution: Behavioral Analysis of Application Servers
After a device downloads a malicious software update, it is likely to start behaving differently than normal. Sophisticated attackers may build in a period of dormancy so that defenders have a harder time attributing the new malicious behavior to the software update. If the first compromised device is a dedicated server for enterprise software such as SolarWinds Orion, then it likely has a fairly narrow range of expected behaviors, at least compared to a workstation. Any aberration would stick out like a sore thumb to a sufficiently sophisticated behavioral analysis system.

Unfortunately, dedicated servers are also less likely to be monitored effectively by endpoint detection and response agents or activity logging processes. Even devices that are being monitored may yield threat signals that are difficult to interpret without the appropriate context. Security teams and security tool developers need to develop greater understanding of the types of observable behavior that are most likely to indicate a threat.

Furthermore, watching for behavioral changes in devices that receive software updates from outside your organization can reveal other risks that may not be related to intentional supply chain attacks. Since third-party software often requires frequent communication back to the vendor and regular updates, it is vital to monitor these communications and other behavior of the app servers to detect the early signs of malicious behavior indicating a supply chain attack.

Software makers sometimes publish a software bill of materials (SBOM) to disclose components and open source packages that are present in commercial software. It would be valuable for security teams to also request disclosure of any commercial software’s expected network behavior.

Open Source Software Vulnerability: The Log4Shell Model

The Vulnerability: Log4Shell (CVE-2021-44228) is a vulnerability in a widely used piece of open-source software called Log4j. The vulnerability allows attackers to gain remote code execution capabilities on any device where the Log4j library is being used by an internet-accessible server in a way that allows an attacker to transmit values to the Log4j library. For example, Minecraft used Log4j in such a way that chat messages within Minecraft servers might be ingested by Log4j, leaving a pathway open for attackers.

This open-source library may be present on any of the three billion or more devices that run Java. When the vulnerability was first disclosed, low-sophistication attackers immediately started exploiting it to install cryptocurrency miners. As time went on, more sophisticated attacks began using Log4Shell for everything from ransomware to distribution of DDoS malware.

Open-source software is also a common target for attackers who want to intentionally introduce malicious code. Attackers may simply submit code to open-source projects and hope that it is not caught by code reviewers. They may also use a technique called “dependency confusion,” publishing a malicious package to a public registry under the same name as an organization’s private internal package so that build tooling fetches the attacker’s copy instead.

The Blind Spot: Unknown, Unmanaged Hardware and Software Components
If you have unmanaged devices or shadow IT in your environment that runs Java with the Log4j package, you may be vulnerable. Unless you have a complete inventory of all networked devices in your environment, you may be exposed. Because Log4j is such a widely used open-source component, it may be present in innumerable devices and applications. To effectively secure your organization, you need a mechanism for discovering every device in your environment, and for detecting Log4Shell activity to and from that device, indicating that it is actively under attack or already compromised.

The Solution: Real-time inventory of all software running in your environment
Most organizations conduct some level of due diligence before bringing new third-party software into their environment. Often, this involves getting an SBOM from the software vendor. In theory, this allows defenders to keep an inventory of all software running in the environment, including potentially vulnerable open source components such as Log4j.

In practice, an SBOM can go out of date quickly, or may not be supplied by the vendor at all. A continuously updated asset inventory driven by real-time visibility into the devices and workloads operating on your network gives you a better chance of discovering vulnerable or compromised devices on your network, so you can stop the attack from successfully exfiltrating or encrypting your data for ransom.
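As an added example (not code from the page or from any vendor), the following Python script does the two checks that the SBOM discussion here and in the Log4Shell blind-spot section above call for: it walks a CycloneDX SBOM, including nested components, for a log4j-core version in the range affected by CVE-2021-44228, and it compares the versions a vendor’s SBOM declares against what a runtime inventory actually observed on the host, which is exactly how a stale SBOM gets caught. The SBOM documents, the product name acme-monitoring-agent and the observed inventory are constructed; the affected version bounds are taken from Apache’s advisory for the CVE and should be confirmed against the current advisory before use.

```python
"""Check CycloneDX SBOMs for a vulnerable log4j-core and detect drift between
what a vendor's SBOM declares and what is actually observed running.

Added example, not code from the page or from any vendor. The SBOM documents
and the runtime inventory below are constructed; the vulnerable version bounds
come from Apache's CVE-2021-44228 advisory and should be confirmed against the
current advisory.
"""
import re

VULN_GROUP = "org.apache.logging.log4j"
VULN_NAME = "log4j-core"
VULN_LOW = (2, 0)        # 2.0-beta9 was the first affected release
VULN_FIXED = (2, 15, 0)  # first release carrying the CVE-2021-44228 fix

# Constructed vendor SBOM: declares a patched log4j-core nested inside the product.
VENDOR_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{
        "type": "application", "name": "acme-monitoring-agent", "version": "7.2.0",
        "components": [
            {"type": "library", "group": VULN_GROUP, "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"type": "library", "group": VULN_GROUP, "name": "log4j-api", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
        ],
    }],
}

# Constructed SBOM generated from an in-house Java service that never upgraded.
APP_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": VULN_GROUP, "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        # Log4j 1.x lives under a different group and is not affected by this CVE.
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
    ],
}

# Constructed runtime inventory for the host running the vendor agent:
# 'group/name' -> version actually loaded (e.g. from a JAR scan of the host).
OBSERVED_ON_HOST = {
    "org.apache.logging.log4j/log4j-core": "2.14.1",  # stale: the SBOM said 2.17.1
    "org.apache.logging.log4j/log4j-api": "2.17.1",
}


def parse_version(version):
    """Reduce a version string to its leading numeric components:
    '2.0-beta9' -> (2, 0), '2.14.1' -> (2, 14, 1). Pre-release tags are dropped,
    which is sufficient for the range check below."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def is_vulnerable_log4j(comp):
    if comp.get("group") != VULN_GROUP or comp.get("name") != VULN_NAME:
        return False
    v = parse_version(comp.get("version", ""))
    return bool(v) and VULN_LOW <= v < VULN_FIXED


def find_vulnerable(sbom):
    """Return identifiers of every log4j-core component in the affected range."""
    return [comp.get("purl") or f"{comp['name']}@{comp['version']}"
            for comp in walk_components(sbom.get("components", []))
            if is_vulnerable_log4j(comp)]


def sbom_drift(sbom, observed):
    """Compare declared versions with what was observed at runtime.
    Returns {'group/name': (declared_or_None, observed)} for each mismatch."""
    declared = {f"{c.get('group', '')}/{c['name']}": c.get("version")
                for c in walk_components(sbom.get("components", []))}
    return {key: (declared.get(key), seen)
            for key, seen in observed.items() if declared.get(key) != seen}


if __name__ == "__main__":
    print("vendor SBOM vulnerable:", find_vulnerable(VENDOR_SBOM))
    print("app SBOM vulnerable:", find_vulnerable(APP_SBOM))
    print("SBOM vs host drift:", sbom_drift(VENDOR_SBOM, OBSERVED_ON_HOST))
```

The drift check is the part that matters for the point above: the vendor’s SBOM says the agent ships a fixed log4j-core, but the inventory taken from the host shows the old version still loaded, so the host is exposed even though the paperwork is clean.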

Managed Services and Software Ransomware Attack: The Kaseya VSA Model

The Attack: In the highly publicized Kaseya VSA attack of 2021, conducted by the REvil ransomware group, remote monitoring and management (RMM) software was hijacked with the intent of attacking downstream targets. Kaseya VSA software is used by managed service providers (MSPs) who remotely maintain and monitor IT systems for their own customers. By exploiting a vulnerability in Kaseya VSA, the REvil ransomware group was able to distribute ransomware two steps downstream, in the IT environments of customers of MSPs using Kaseya’s VSA software. The attack is thought to have impacted up to 1,500 companies.

The Blind Spot: Internet-Facing Devices, Devices Under Remote Management, and Communication Pathways with Remote Managed Service Providers
In order to employ MSPs for services such as remote IT monitoring, businesses need to give the MSP access to internal IT systems. This requires a certain level of trust and risk acceptance. No matter how much vendor assessment due diligence you do ahead of time, it is impossible to verify with 100% certainty that an MSP will not expose you to a cyberattack.

The Solution: Monitor Network Behavior of Devices and Data Flows Accessed by MSPs
Beyond the due diligence, you should also actively monitor any channels that the MSP can use to communicate in and out of your environment. Devices that an MSP has access to should have their behavior observed and analyzed, particularly if the devices have privileged access to sensitive data. This may be a challenge, as the reason that many companies onboard MSPs is that they don’t have the staffing or resources to manage their own systems in house.

Organizations that cannot closely monitor the access paths of an MSP need to be aware of the risk that they are accepting by giving a third party privileged access to the network. The risk represented by MSP connections grows rapidly as advanced attackers get better at accessing and misusing these connections, and as MSP usage increases. These shifts must be taken into account in risk calculations by security teams at companies of all sizes.

Cloud Infrastructure and Malicious Insiders (IaaS, PaaS, SaaS): The Capital One Model

The Attack: An Amazon employee used insider knowledge of Amazon Web Services (AWS) vulnerabilities in specific AWS products being used by Capital One. The Amazon employee stole an estimated 100 million credit card applications containing private, personally identifiable information from the bank.

The Blind Spots: Cloud Infrastructure & User Behavior
Any business that uses a public cloud provider such as AWS, Google Cloud Platform, or Microsoft Azure is placing a great deal of trust in their cloud provider and accepting the risk that, should their cloud provider be compromised, their own data may be as well. In the case of the Capital One hack, an insider from Amazon understood both the holes in AWS, and how they could be exploited against AWS customers.

The Solution: Monitor Network Behavior in IaaS, PaaS, and SaaS Solutions
Whether a malicious insider is using legitimate credentials to steal data or an outsider has gained access to credentials, the fact remains that behavioral analysis is the best, and often the only, way to catch them.

When a legitimate service in a dynamic, growing business starts doing something malicious, it can be difficult to catch—it isn’t as if an intruder has loudly broken in and started smashing things. The behaviors in such an attack may be much more subtle, but can still lead to enormous damage.

One of CISA’s recommendations for defending against supply chain attacks is to develop baselines for business-critical devices and data flows, and to use AI/ML behavior analysis to detect anomalous deviations from those baselines. When a user logs in from an unusual location, at an unusual time, or accesses a data set they don’t normally access, that can serve as an early warning that your enterprise is under attack.

Malicious employees are not always thought of in the context of supply chain attacks. However, if an employee of a contractor or software vendor chooses to attack you, as happened to Capital One, your ability to detect their behavior early could enable you to prevent them from stealing data, which averts an extended incident response and public disclosure. Behavioral monitoring of IaaS, PaaS, and SaaS systems is a vital component of a defense in depth strategy against supply chain attacks that attempt to use the cloud as an intrusion vector.
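To make the baseline recommendation concrete, here is an added Python example (not code from the page or from CISA) that builds per-user baselines of location, hour of day, dataset and read volume from a history of normalized cloud access events, then lists how each new event deviates from them: the unusual location, unusual time and unfamiliar data set the paragraph above describes, plus a bulk-read check. The event records and their field names are constructed, and the plus-or-minus one hour tolerance and the 10x volume factor are assumed thresholds.

```python
"""Baseline-and-deviation check for cloud data access events.

Added example, not code from the page or from CISA. The audit records are
constructed, and the fields (user, ts, country, dataset, bytes) are an assumed
normalized form of a cloud provider's data access log.
"""
from collections import defaultdict
from datetime import datetime

VOLUME_FACTOR = 10  # reads above 10x the user's historical maximum are anomalous (assumed)

# Constructed "known good" history used to build the per-user baselines.
BASELINE_EVENTS = [
    {"user": "alice", "ts": "2023-01-09T09:12:00", "country": "US", "dataset": "customer-apps", "bytes": 1_200_000},
    {"user": "alice", "ts": "2023-01-10T10:03:00", "country": "US", "dataset": "marketing-reports", "bytes": 3_400_000},
    {"user": "alice", "ts": "2023-01-11T14:40:00", "country": "US", "dataset": "customer-apps", "bytes": 2_100_000},
    {"user": "bob",   "ts": "2023-01-09T08:30:00", "country": "GB", "dataset": "hr-records", "bytes": 900_000},
    {"user": "bob",   "ts": "2023-01-10T09:05:00", "country": "GB", "dataset": "hr-records", "bytes": 1_100_000},
]

# Constructed events to score against that baseline.
NEW_EVENTS = [
    # Off-hours bulk read of a sensitive dataset from a never-seen country.
    {"user": "alice", "ts": "2023-01-14T03:17:00", "country": "BR", "dataset": "customer-apps", "bytes": 800_000_000},
    # Ordinary access, nothing to report.
    {"user": "bob",   "ts": "2023-01-16T09:20:00", "country": "GB", "dataset": "hr-records", "bytes": 1_000_000},
    # Identity with no history at all: surface it rather than guess.
    {"user": "carol", "ts": "2023-01-16T11:00:00", "country": "US", "dataset": "hr-records", "bytes": 50_000},
]


def build_baseline(events):
    """Per-user profile: countries, UTC hours of day, datasets and largest single read."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "datasets": set(), "max_bytes": 0})
    for ev in events:
        p = profiles[ev["user"]]
        p["countries"].add(ev["country"])
        p["hours"].add(datetime.fromisoformat(ev["ts"]).hour)
        p["datasets"].add(ev["dataset"])
        p["max_bytes"] = max(p["max_bytes"], ev["bytes"])
    return profiles


def _near_usual_hour(hour, usual_hours):
    # Within one hour of any previously seen hour counts as normal, wrapping at midnight.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual_hours)


def score_event(profiles, ev):
    """Return the list of baseline deviations for one event (empty list = normal)."""
    p = profiles.get(ev["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ev["ts"]).hour
    if ev["country"] not in p["countries"]:
        reasons.append(f"new location {ev['country']}")
    if not _near_usual_hour(hour, p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    if ev["dataset"] not in p["datasets"]:
        reasons.append(f"first access to {ev['dataset']}")
    if ev["bytes"] > VOLUME_FACTOR * p["max_bytes"]:
        reasons.append(f"volume {ev['bytes']} exceeds {VOLUME_FACTOR}x historical max")
    return reasons


def triage(baseline_events, new_events):
    """Map each new event's user to its list of deviations."""
    profiles = build_baseline(baseline_events)
    return {ev["user"]: score_event(profiles, ev) for ev in new_events}


if __name__ == "__main__":
    for user, reasons in triage(BASELINE_EVENTS, NEW_EVENTS).items():
        print(user, "->", reasons or ["normal"])
```

A production version would learn from weeks of history rather than a handful of records and would weight the reasons (a new country alone is weak evidence; a new country plus a 200x read volume at 03:00 is not), but the structure is the same: a profile per principal, and each new event explained in terms of how it departs from that profile.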

Bring Your Own Device: The Pre-loaded Malware Problem

The Attack: The move to remote work caused a spike in the use of employee personal devices for work purposes. That means more personal smartphones and laptops connecting to sensitive company resources.

Android devices have been discovered to contain pre-loaded malware straight from the manufacturer many times over the past several years. The Chinese technology company Huawei, known for producing budget Android phones, is banned from getting network equipment licenses in the U.S. due to security concerns. The same phenomenon has been observed in cheap IoT devices.

It’s also true that many devices include software used to harvest information about user behavior and send it back to the parent company for use in advertising targeting. From malicious attackers to data-hungry advertisers, the software and hardware supply chain is rife with individuals and businesses looking for ways to gather monetizable data. Enterprises hoping to keep control of their own data face a growing challenge in their own technology supply chain.

The Blind Spot: BYOD and unmanaged, unsanctioned devices
One of the biggest challenges in keeping devices with pre-loaded malware out of your environment is knowing that they’re there in the first place. Most organizations do not have a complete inventory of devices connected to their network, nor the software they are running.

The Solution: Network intelligence driven asset inventory
When a new supply chain attack is disclosed, the first step to secure your organization is to find out if any of the affected devices are present in your environment. This can be an incredibly difficult and drawn-out process, during which attackers can expand their access in your environment and cause real harm.

How to Reduce Your Supply Chain Risk

No matter how effective your prevention strategy may seem, it is always necessary to have steps in place to detect and respond to the presence and exploitation of vulnerable software in your environment. Some steps recommended by CISA to mitigate and stay resilient in the case of a successful exploit in your environment include:

CISA Recommendations:

  • Maintain an information system component inventory.
  • Identify your critical data and baseline how that data flows between processes or systems.
  • Deploy analytics based on artificial intelligence and machine learning to detect anomalies in data flows which may be early indicators of a threat.
  • Apply basic network segmentation to isolate different parts of the enterprise.
  • Monitor endpoints and/or servers for unexplained deviations from your software inventory.

Why Conventional Wisdom Hasn’t Stopped or Even Slowed Ransomware

Ask any security leader and they’ll tell you ransomware is their top threat initiative, and that the board is asking what they are doing about it. Read recommendations from analysts, government agencies, and vendors’ councils on stopping the ransomware menace, and repeated themes persist: better access controls, regular patch management, more phishing training, and having backups ready.

Despite conventional wisdom, implementation of these reasonable and wise requirements hasn’t slowed the frequency or dampened ransomware’s crushing impacts on victims’ businesses. Meanwhile, counting on cyber insurance and frequent backups only offers partial relief after the collateral damage is done.

What these pearls of wisdom miss is that prevention often fails against motivated extortionists: There is more to the fight than preventing initial access and then falling back to recovery.

Modern ransomware is now carried out in a three-part playbook:

  • Opening (initial access)
  • Midgame (post compromise)
  • Endgame (extortion, get paid)

Each phase has its specialization experts and a supporting tooling ecosystem. Fighting two of the three rounds hasn’t been an effective strategy; defenders have to battle at each stage to beat back the extortionists.

The attackers control the cadence and hold the advantage at the opening. Yes, intrusions are a terrifying thing to consider. Still, they don’t spell doom: Visibility and response inside the perimeter are your best hope to prevent crippling damage from the ransomware menace.

But first, let’s explore why initial access prevention inevitably fails and reliance on recovery alone is surrendering to the collateral damage of ransomware.

Why Initial Access Prevention Fails

Shift left is a key security mantra. The hope is to stop the attacker before they get a foothold by blocking their initial moves with firewalls, IAM, anti-phishing training, EDR, and a slew of other preventive controls. Unfortunately, there is a narrative in the security community called the defender’s dilemma, an uncomfortable downer for shift left. It points to the reality that the attacker has the advantage at the perimeter: the attacker controls what, when, and how they attack, tweaking as they go, whereas the defender has to have all the controls in place before the attack and be right 100% of the time to win. The defender’s dilemma warns of the inevitable failure of preventative defenses against a persistent attacker.

Is it true? As an industry, we hate to accept it, but history repeatedly proves it to be so. Let’s consider a couple of alarming facts:

(1) After one full year of phishing training, 4.8% of 6.6 million users from 23K companies will still click the bait. Based on a 4.8% click rate, if an attacker sends 100 well-crafted emails, they have a 99.27% chance that at least one user will open the bait. So, what hope is there to prevent initial access as long as people are part of the equation?

(2) 93% of all penetration tests result in a successful intrusion, without using social engineering techniques. Keeping in mind that pentesters are on a short timeline and have limiting rules of engagement, the probability of success for a financially motivated attacker with patience is even higher.

This means that while any security team would prefer to stop an attacker at the beginning of the kill chain—it makes more practical sense to take on attackers where you have the advantage. The fact is that intrusions are inevitable against persistent attackers, making the perimeter only the first line of defense against more easily deterred attackers. Investments and expectations may need to be adjusted for this reality.

The ransomware defender’s higher ground is actually in the midgame, but we will get to that after we look at the conventional wisdom typically applied to part three, their endgame.

Why Backups and Cyber Insurance Aren’t Enough

Having backups and layering cyber insurance is wise and necessary. However, the math doesn’t match “do this, get that” with ransomware. This is because the extortion demand doesn’t equal the damage caused by modern ransomware, where extortionists apply unfair game theory to ensure you will pay.

For example, in 2021, the average ransom payment, negotiated down from the staggering millions of dollars demanded, was $170K. However, in the same year, the average impact from ransomware was $1.85M.

Average ransom payout vs ransomware recovery fees

During the crisis phase, the media, insurance-sponsored negotiators, and likely your business leaders will focus on the shocking ransom demand. No question, having backups and cyber insurance are critical parts of your ability to negotiate. Although blackmail feels weird, dirty, and shameful, it also accounts for only 10% of the total weighted damage. Pay or don’t pay, the impact of downtime, lost business, and other indirect impacts from reputational damage and recovery expenses have to be dealt with once the ransomware opening kicks off.

The only way to be fully resilient against ransomware is to stop the intruder before the data is encrypted and the ransom note is delivered.

As we can see, hoping perimeter defenses hold, then falling back to recovery plays into the hands of ransomware.

How to Stop Ransomware Before the Encryption Starts

The Ransomware Midgame

In the midgame, the ransomware intruder lands blind in the victim’s infrastructure, then sets out to meet their objectives. Their necessities and tooling to discover and pivot toward critical assets are documented in their leaked playbooks and in insights shared by incident responders’ post-mortem reports.

Three stages of the ransomware playbook

Unlike advanced persistent threats (APT), or cyberespionage, ransomware crews are less interested in the quality of what they compromise. Rather, they are more interested in the quantity or impactfulness of that compromise. Ransomware intruders are also in a rush, with an average of just five days of dwell time in which to noisily accomplish their play before raising their extortion-note victory flag. These motivational drivers lead to certain behaviors.

From an attacker’s perspective, the inside of the network looks like a wide-open field to maraud about or a gauntlet of tripwires if it is being observed, creating an intruder’s dilemma.

Five Ways Attackers Leave Ransomware Vulnerable to Detection

Interestingly, tables can turn from the attacker’s to the defender’s advantage in the midgame. Defenders should have a home-field advantage, know the environment, understand what is expected, and have context on users, assets, and workloads if they are watching.

The ransomware midgame is dominated by the extortion-motivated intruders’ need to discover, compromise, and stage data across the network before encryption starts their endgame. These actions are modeled in five tactics and techniques repeated through each network segment until a critical mass of damage is accomplished. Each attacker’s step on the network opens up another opportunity for defenders to respond before destruction is done, and the ransom note delivered.

1. Target enumeration

Target discovery and enumeration starts once an intruder lands and begins expanding their footprint within the environment.

Ransomware intruders land blind and need to gain environmental awareness. They start by using traditional network scanning tools, e.g., Nmap, ping, net, etc., to get the lay of the land. Next, the RaaS playbooks and post-mortem evidence show that attackers focus on Active Directory (AD) in order to maximize the damage while reducing dwell time.

Commonly used AD enumeration tools include: Nltest, AdFind, PowerView Get-ADGroupMember, MSRPC, OSINT, and BloodHound.

2. Domain escalation

Ransomware attackers establish a beachhead on any easily accessible host. However, they may not have the privileges needed to accomplish their goals from that position. To gain access, intruders exploit directory hierarchy vulnerabilities, crack or reuse password hashes left on hosts (e.g., in LSASS memory), reuse stolen credentials, or exploit the myriad configuration errors found on domain controllers.

With escalated privileges, intruders take control of other assets and data services in that domain or pivot toward adjacent, more lucrative segments.

The most damaging incidents include vertical privilege escalation to Domain Admin. The attacker gains the ultimate rights, even leveraging GPO to push malware as a software update in one motion, without slow hands-on keyboard hacking.

Domain escalation tools and vulnerability exploits commonly used include DCSync, Zerologon, Rubeus, Cobalt Strike, Mimikatz, WMI, ticket forgery, and PrintNightmare.

3. Lateral movement

Modern ransomware searches for volumes of assets and data to improve its payment calculus before springing its encryption trap. Intruders expand their controls beyond the beachhead by moving laterally through the victim’s environment, exploiting unmonitored and assumed trusted east-west communications.

Ironically, intruders regularly reuse living-off-the-land tooling made available by IT operations for network-wide systems administration.

Lateral movement tools commonly used include PsExec, RPC, PowerShell, WMI, and Cobalt Strike.

4. C&C

Once the intruder has mapped the environment, enumerated assets, and marked data to compromise, they call home to command and control (C&C) infrastructure to get orders and additional tooling.

Intruders apply C&C obfuscation techniques to avoid detection as they cross firewalls. The obfuscation techniques include creating tunnels over DNS and HTTP, encrypting egress communications, or using tooling like F-Secure C3.

5. Data Staging

Data is the lifeblood of businesses. Not having access to that data is the leverage extortionists hold over their victims. Along with AD, ransomware tactics prioritize compromising file systems, databases, and backup platforms as the fast path to strengthen their payment calculus.

The ransomware midgame’s land-and-pivot workflow exploits the trusted relationships between users and the applications that access data inside the perimeter. As a result, when the assumptions made in data access management break down, intruders gain the ability to misuse data systems for staging data before exfiltration and encryption start.

Additionally, data storage systems share with AD a prevalence of unpatched vulnerabilities, misconfigurations, and security controls weakened for performance tradeoffs.

Data staging tools and data system vulnerability exploits commonly used include SQLi, NoSQLi, buffer overflow, Rclone, SMBclient, and Dropbox.
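Each of the five tactics above leaves traces in east-west and egress traffic, which is the observable advantage the defender holds in the midgame. The following added Python example (not code from the page) runs four simple detections over constructed flow records: a source fanning out to many internal hosts (target enumeration), admin protocols between two workstations (lateral movement), many long, high-entropy DNS labels under one parent domain (C&C tunnelling over DNS), and bulk egress from an internal host to a single external destination (data staging and exfiltration). The subnets, ports, thresholds, hosts and domain names are constructed assumptions; the flow tuple is an assumed normalized form of a NetFlow or sensor record.

```python
"""Midgame detections over network flow records: host fan-out (target
enumeration), workstation-to-workstation admin protocols (lateral movement),
DNS-tunnel heuristics (C&C), and bulk egress to one destination (data staging).

Added example, not code from the page. The flow records, subnets, thresholds
and domain names are constructed assumptions; tune them to your environment.
"""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # assumed enterprise range
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")   # assumed client subnet
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}       # RPC, SMB, RDP, WinRM
FANOUT_HOSTS, FANOUT_WINDOW = 20, 60                  # distinct targets per 60 s bucket
DNS_LABEL_LEN, DNS_ENTROPY, DNS_MIN_LABELS = 30, 3.0, 8
EGRESS_BYTES = 500 * 2**20                            # per (src, dst) per hour

# Constructed flow records: (epoch seconds, src, dst, dst port, bytes out, DNS query or None)
FLOWS = []
FLOWS += [(1020 + i, "10.20.3.17", f"10.10.1.{i + 1}", 445, 1_200, None) for i in range(25)]  # SMB sweep
FLOWS += [(1100, "10.20.3.17", "10.20.7.44", 445, 4_000, None),    # workstation -> workstation SMB
          (1105, "10.20.3.17", "10.20.7.45", 5985, 2_500, None),   # workstation -> workstation WinRM
          (1110, "10.20.3.17", "10.10.1.5", 445, 9_000, None)]     # workstation -> file server (normal)
FLOWS += [(1200 + i, "10.20.3.17", "10.10.0.53", 53, 300,          # 12 random-looking labels, one parent
           hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".updates.example.com") for i in range(12)]
FLOWS += [(1300, "10.20.3.17", "10.10.0.53", 53, 80, "www.example.com"),
          (1301, "10.20.3.17", "10.10.0.53", 53, 80, "mail.corp.example.com")]
FLOWS += [(2000 + 60 * i, "10.10.5.20", "203.0.113.50", 443, 200 * 2**20, None) for i in range(5)]  # 1000 MiB out
FLOWS += [(2100, "10.20.3.17", "198.51.100.10", 443, 10_000, None)]  # ordinary small egress


def _ip(addr):
    return ipaddress.ip_address(addr)


def detect_fanout(flows):
    """Sources touching >= FANOUT_HOSTS distinct internal hosts within one time bucket."""
    targets = defaultdict(set)
    for ts, src, dst, *_ in flows:
        if _ip(dst) in INTERNAL:
            targets[(src, ts // FANOUT_WINDOW)].add(dst)
    return [(src, len(d)) for (src, _), d in targets.items() if len(d) >= FANOUT_HOSTS]


def detect_lateral(flows):
    """Admin protocols between two workstations; clients rarely administer each other."""
    return [(src, dst, port) for _, src, dst, port, _, _ in flows
            if port in ADMIN_PORTS and _ip(src) in WORKSTATIONS and _ip(dst) in WORKSTATIONS]


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol frequencies."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def detect_dns_tunnel(flows):
    """Parent domains receiving many distinct long, high-entropy leftmost labels."""
    labels = defaultdict(set)
    for *_, qname in flows:
        if not qname or "." not in qname:
            continue
        first, parent = qname.split(".", 1)
        if len(first) >= DNS_LABEL_LEN and shannon_entropy(first) >= DNS_ENTROPY:
            labels[parent].add(first)
    return [(parent, len(seen)) for parent, seen in labels.items() if len(seen) >= DNS_MIN_LABELS]


def detect_bulk_egress(flows):
    """Internal hosts pushing more than EGRESS_BYTES to one external destination in an hour."""
    totals = Counter()
    for ts, src, dst, _, nbytes, _ in flows:
        if _ip(src) in INTERNAL and _ip(dst) not in INTERNAL:
            totals[(src, dst, ts // 3600)] += nbytes
    return [(src, dst, n) for (src, dst, _), n in totals.items() if n > EGRESS_BYTES]


if __name__ == "__main__":
    print("enumeration:", detect_fanout(FLOWS))
    print("lateral movement:", detect_lateral(FLOWS))
    print("dns tunnelling:", detect_dns_tunnel(FLOWS))
    print("bulk egress:", detect_bulk_egress(FLOWS))
```

Two design points carry over to real deployments. First, each detector needs the home-field context the text mentions: the fan-out rule will fire on your vulnerability scanner and the egress rule on your backup replication unless those sources are allowlisted, and CDN hostnames can look like tunnel labels until their parent domains are excluded. Second, none of these rules depends on the attacker’s specific tool; they watch the behavior (sweeping, client-to-client administration, bulk data leaving) that any of the tools listed above would produce.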

Take Action, Stop Ransomware Tactics in Its Midgame

Modern ransomware is an existential threat to your business. Every security leader has to answer how they are building resilience against it. The damage from ransomware is growing, which is why following the tried and failed conventional wisdom of bookending ransomware defense, focusing on initial access, and then falling back to recovery isn’t enough.

The midgame is where modern ransomware does its damage and also where defenders hold an observable advantage if they are ready to fight on the inside.