Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
My Sentinel Story: Diane Jackson
It’s no secret that at Sentinel we place a high value on our employees. Their unparalleled expertise, strong work ethic, and dynamic personalities help us maintain our status as an Always Leading IT solutions and services provider. We are proud of the work they do on a daily basis, and hope our customers recognize the Sentinel difference.
The next part of our “My Sentinel Story” series introduces Managed Services Solution Architect Diane Jackson. Diane started at Sentinel just over five years ago as an Administrative Assistant. While her duties originally focused on contracts with the legal department and vendors, she quickly began to take on additional responsibilities out of a desire to learn more and help others. A fortuitous mentorship and an unexpected opportunity eventually guided her into an important role as part of our Managed Services team. Learn more about Diane and her growth through Sentinel via the video below!
If you are passionate, motivated, and interested in joining the Sentinel team, you can learn more about our corporate culture and browse our current job openings by visiting our Careers page.
The Dependence on Security Hardware
By Dr. Mike Strnad, Sentinel Strategic Solutions Advisor
Many organizations believe that because they invest so much in industry-best security hardware, they don’t need to devote much time and effort to other aspects of protection. While security hardware does play an important role in every IT environment, it is also entirely dependent on human intervention to operate properly. Unfortunately, humans are prone to mistakes, and if they fail to maintain and reinforce the hardware, it can easily weaken your overall security posture.
Think about how we protect our homes using multiple layers of security. We need to do things like turn on the outside lights, lock the doors, and activate the alarm system in order for these security elements to actually be effective. These are tasks we repeat every day without a second thought out of concern for our own safety and the safety of loved ones.
Security hardware also requires repeated checkups to remain fully effective. Firmware updates and patches are developed to keep security components aligned with the current threat landscape; however, if your IT team fails to install those modifications correctly or within a reasonable amount of time, it has the potential to place your organization at significant risk.
While there is no such thing as bulletproof security, here are a few fundamental principles organizations can employ to minimize the potential of a breach or infection:
• Conduct a complete risk assessment that includes internal, third party, and cloud-based systems and services.
• Patch, patch, and update. Always be running the latest version of your software.
• Encrypt, encrypt, encrypt—end to end. Make sure you have secure encryption key management.
• Conduct regular security awareness training so workers don’t fall for phishing emails and other social engineering attacks.
• Train employees in both physical and data security to avoid lost data, files, drives, devices, and computers.
Your organization can have the best security hardware money can buy, but there’s very little actual protection if it’s not maintained on a consistent basis by a well-trained IT staff. Sentinel offers Cybersecurity Awareness Training and other SecuritySelect services to help your team significantly reduce the likelihood of a mistake that leaves your data vulnerable. Please contact us if you would like to learn more.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 2 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In Part 1, I wrote about how SamSam is a great example of an attack that spans the cyber kill chain and used the graphic below to help show how. At our Vision 20/20 customer summit this past January we highlighted how your organization can detect and disrupt SamSam and similar attacks using Sentinel’s SecuritySelect™ portfolio of solutions and services.
In Part 2, I will detail the delivery and attack portions of the kill chain. There are plenty of technologies that have a big impact on protecting an organization, but equally important is maintaining a strong security policy and awareness program designed not only to help prevent breaches but also to respond to and recover from them when they do occur. You will see screenshots from an actual SIEM and learn how your organization can detect and protect against some of these exploits as attacks continue to become more frequent and more sophisticated.
Fig. 1 - SamSam Attack and Cyber Kill Chain
Delivery & Attack
During delivery and attack, the attacker determines the best approach to entering the network, provided they are not already an insider. They choose what type of malware or compromise will be best to achieve their objectives and monetize their attack. In some cases this may be a “drive by” attack where a generic phishing email was sent to an unsuspecting (and likely untrained) end user who unknowingly executed malware by clicking on a malware-weaponized link, or even provided login credentials to a well-crafted fake web site that looked exactly like the Office 365 user portal. In other phishing cases a user might receive a very well-crafted and seemingly authentic email from a trusted source that is actually a compromised host within the network, allowing code execution within the network. Once the attacker is in the network, depending on the experience level of the attacker and how targeted the attack is, they will make good use of the information gathered in the reconnaissance phase. With over 50% of attacks coming from organized criminals, if you are specifically targeted it is highly likely your attacker is very capable.
You can refer back to the previous post here, where I wrote about the reconnaissance phase from a more technical perspective, including scanning a target for vulnerabilities, seeking available services, exposed port scans, and more. It is worth noting that I didn’t even mention the sophisticated social research attackers will sometimes do to create a great deal of authenticity to some attacks using phishing or malvertising web sites. An experienced hacker or advanced automated attack is likely to find an available resource or unaware user to exploit without much difficulty. At this point, perimeter defenses are often rendered useless. Modern attacks, much like secure virtual private networking used by organizations, use encryption keys to hide their attack in an encrypted tunnel often invisible to your defenses. A great example of this type of attack can be seen in this Anatomy of an Attack video from Cisco.
Unless you have an extremely well-protected organization with immaculate patching procedures and highly trained/aware users with policy behind your security program, attackers will find a way in. Motivated attackers are nearly impossible to stop. So once they gain access to your environment, is your organization prepared to respond?
The latest Verizon security report notes that 68% of breaches took a month or longer to detect. Time to detection is difficult to measure, but it is a critical key performance indicator (KPI) that Sentinel’s Security as a Service focuses on improving. Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, because attackers will get in, regardless of how much you invest in protection.
Detection During Delivery & Attack
In the screenshot below, I have provided some examples of the Delivery & Attack intent from a Sentinel-managed SIEM. Some very common items we see are brute force attacks and known bad actors from our world-wide threat feeds. In addition, this example shows an attempted denial of service attack using a known vulnerability.
Fig. 2 - Delivery & Attack
We see both external and internal attempts to steal or break into accounts using various types of attacks via HIDS agents (host intrusion detection) in nearly every deployment of our managed SIEM. Brute force attacks have become the norm, and we have seen these from external hosts attacking exposed IP addresses, but also against internal resources such as end user workstations and even IoT devices. Our dedicated security DevOps teams continually alter our detection algorithms to identify brute force attacks. For example, our team can look at the new Office 365 plug-in or host-based IDS instances that we deploy on domain controllers and critical servers to distinguish a user struggling to recall or type their password from an automated machine attack repeatedly hitting the target with failed logins. Even if you don’t have Sentinel’s managed SIEM, it is critical to identify these attacks within your various systems and stop them in their tracks before your credentials are compromised and lead to a full-scale breach.
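The two detection ideas in this section, distinguishing a user who mistypes a password from an automated burst of failed logins, and matching the source of that activity against a threat feed of known bad actors, can be sketched in a few dozen lines. The example below is added here and is not Sentinel code; the log format, host names, addresses, feed contents and the thresholds are all constructed assumptions, not values from any product.

```python
"""Added example (not Sentinel code): score failed-login activity per source
host, separate a user mistyping a password from an automated brute-force
burst, and flag sources that appear on a threat feed. The log format, the
addresses, the feed contents and the thresholds are constructed for this
example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample authentication log (key=value lines, not real data).
SAMPLE_LOG = """\
2018-05-01T08:00:01 host=dc01 event=auth_fail user=jdoe src=10.0.5.23
2018-05-01T08:00:19 host=dc01 event=auth_fail user=jdoe src=10.0.5.23
2018-05-01T08:00:41 host=dc01 event=auth_ok user=jdoe src=10.0.5.23
2018-05-01T08:10:00 host=web01 event=auth_fail user=admin src=203.0.113.9
2018-05-01T08:10:00 host=web01 event=auth_fail user=administrator src=203.0.113.9
2018-05-01T08:10:01 host=web01 event=auth_fail user=root src=203.0.113.9
2018-05-01T08:10:01 host=web01 event=auth_fail user=test src=203.0.113.9
2018-05-01T08:10:02 host=web01 event=auth_fail user=guest src=203.0.113.9
2018-05-01T08:10:02 host=web01 event=auth_fail user=backup src=203.0.113.9
2018-05-01T08:10:03 host=web01 event=auth_fail user=sa src=203.0.113.9
2018-05-01T08:10:03 host=web01 event=auth_fail user=oracle src=203.0.113.9
2018-05-01T08:10:04 host=web01 event=auth_fail user=support src=203.0.113.9
2018-05-01T08:10:04 host=web01 event=auth_fail user=admin2 src=203.0.113.9
2018-05-01T09:00:00 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:01 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:01 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:02 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:02 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:03 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:03 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:04 host=cam07 event=auth_fail user=admin src=10.0.7.15
2018-05-01T09:00:04 host=cam07 event=auth_fail user=admin src=10.0.7.15
"""

# Constructed threat feed of "known bad" source addresses (placeholder values).
THREAT_FEED = {"203.0.113.9", "198.51.100.77"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(log_text):
    """Turn the constructed log into a list of event dicts with a datetime."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def classify(log_text, window=timedelta(minutes=5), burst_threshold=8, max_distinct_users=3):
    """Return {(src, host): summary}. Verdicts:
    'brute_force'   - at least burst_threshold failures inside one window, or
                      more than max_distinct_users usernames tried from one source
    'user_typo'     - a few failures followed by a successful login
    'failed_logins' - failures that fit neither pattern (worth a look)
    'clean'         - no failures at all
    Thresholds are assumptions for this example, not tuned production values."""
    by_source = defaultdict(list)
    for ev in parse(log_text):
        by_source[(ev["src"], ev["host"])].append(ev)

    verdicts = {}
    for key, events in by_source.items():
        events.sort(key=lambda ev: ev["ts"])
        fails = [ev for ev in events if ev["event"] == "auth_fail"]
        users_tried = {ev["user"] for ev in fails}

        # Largest number of failures that fall inside any single `window`.
        max_burst = 0
        for i, first in enumerate(fails):
            j = i
            while j < len(fails) and fails[j]["ts"] - first["ts"] <= window:
                j += 1
            max_burst = max(max_burst, j - i)

        ended_with_success = bool(fails) and events[-1]["event"] == "auth_ok"
        if max_burst >= burst_threshold or len(users_tried) > max_distinct_users:
            verdict = "brute_force"
        elif ended_with_success:
            verdict = "user_typo"
        elif fails:
            verdict = "failed_logins"
        else:
            verdict = "clean"

        verdicts[key] = {
            "verdict": verdict,
            "failures": len(fails),
            "distinct_users": len(users_tried),
            "max_burst": max_burst,
            "threat_feed": key[0] in THREAT_FEED,
        }
    return verdicts


if __name__ == "__main__":
    for (src, host), summary in classify(SAMPLE_LOG).items():
        print(f"{src:>14} -> {host:<6} {summary}")
```

Three behaviours are separated on purpose: a human who fails twice and then succeeds is reported as a typo, an external source trying many different usernames is reported as brute force and is also matched to the feed, and an internal workstation hammering a camera with one username is reported as brute force with no feed hit, which is the internal-to-IoT case the section describes. The brute-force check runs before the success check, so a password-guessing run that eventually logs in is still flagged rather than excused by its final success.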
In many cases we need to have our customer remove those devices and either clean them or re-image the desktop. IoT devices typically require more specialized approaches to protection. Prior to having this detection, these attacks went unnoticed and sometimes succeeded at breaking weak passwords and then moving laterally to a full cyber breach.
Some of our customers opt to use our Adaptive Threat Response™ to automatically block identified threats in supported security firewalls. This allows you to respond to known bad activity without manual action, while triggering a report from the SIEM on the behaviors and blocked elements. Other customers choose to receive the alarm and either investigate it themselves or leave it to our professionals. In either case, tracking and investigating activities such as brute force attacks is critical to your defenses. In some cases this could be a device trying to legitimately log in to a host, but a change in credentials requires attention. In other cases, this could be a bad actor trying to break into your network to further their attack and eventually obtain command and control (C&C). The complexity of detecting east/west compromise has brought about a number of network flow-based and decoy detection options available from Sentinel to assist in identifying an attacker before it is too late. Decoy technology can place traps on your network for attackers to unknowingly trigger. Think of them as “motion sensors” on your network that can be modified to look very genuine and result in a highly trustworthy anomalous detection alarm when an attacker touches one. Sentinel has worked with Attivo Networks to launch a Decoy as a Service offering integrated with our managed SIEM and SOC service. Sentinel and Attivo are very excited about this offering, as it is becoming critical to trick the attackers and detect them in order to investigate and potentially even identify the attacker to authorities.
Another example from the screenshot above, identified by our world-wide threat feed, is a common vulnerability (CVE) for a potential denial of service attack on an IIS server. According to the national reporting of this vulnerability, it “allows remote attackers to cause a denial of service (use-after-free) or possibly have an unspecified alternative impact via unknown vectors.” Identifying vulnerabilities that attackers are attempting to exploit is a powerful feature of Sentinel’s SECaaS and allows you to patch these items prior to any damage being inflicted. Vulnerable hosts with exposed services have been identified as the attack vector in many recent high profile attacks such as the City of Atlanta (based on initial reports), and have been confirmed in a number of other recent attacks, especially those targeted at healthcare organizations. These can be vulnerable web servers, RDP servers exposed to the internet, IoT devices, or nearly any type of connected device that might be compromised and allow lateral movement within the network.
The Human Factor
While vulnerable host attacks by SamSam have made headlines lately, the top attacked resource within your organization is your people. A stunning fact is that 96% of social attacks occur through email phishing campaigns. All of us likely see these types of attacks multiple times per week, if not multiple times daily!
Most organizations have some form of email gateway in place to try and prevent these types of attacks; however, some will still get through no matter how strong your defenses are. A lot of customers are moving to hosted email services such as Office 365. These hosted services typically include email protection. While some can be very capable, we often see customers set these up and then fail to maintain them properly. Our own hosted email security, which supports Office 365 and on-premises email services, has proven very valuable in preventing email attacks and malware-weaponized attachments from getting into organizations. In many cases we have had customers send us sample phishing emails for investigation and determined that our service would have stopped those emails in their tracks. However, we also experience more advanced email attacks that sometimes slip through even our well-managed gateway service. Once identified, we put automated rules in place to protect all users of our service. Even with a managed email gateway powered by an experienced SOC organization like Sentinel, we still recommend additional layers of protection along with strong end user education and mock phishing testing programs. End user awareness is critical to keeping any organization secure. Users shouldn’t simply assume they are safe, because they are not. Diligence is a necessary job requirement today.
The screenshot below shows a number of attacks that progressed through strong endpoint security and email gateway services and made it into the user’s inbox ready for exploitation. With these emails now in the network, users sometimes take the bait.
Fig. 3 - Sentinel Managed Cisco Umbrella Phishing Prevention
In this case you can see Cisco Umbrella’s efficiency at stopping the attacker from getting further into the attack by blocking the infected user at the DNS/IP layer. This is a great way to disrupt such an attack and prevent a breach from ever happening. Cisco Umbrella also has end user client services to ensure corporate assets are protected no matter where your employees go, even when they leave the network.
It is also important to note that the users themselves will benefit from cyber security education to avoid clicking through in the first place. Sentinel’s cyber awareness program includes both computer-based training and mock phishing services to encourage responsible computing. While this is outside the scope of this blog, Sentinel can help develop and deploy a program for your organization to better enable end users to work responsibly and avoid most cybercriminal temptations.
Be Prepared - Test, Test, Test
One of our hottest offerings today is our Advisory Services-delivered security assessments and penetration testing (PEN). They can help organizations better understand their risk beyond a simple vulnerability scan. PEN testing digs deeper into your most at-risk systems and determines the effectiveness of your detection services.
During a PEN test, we execute attacks on your identified assets of interest. While assessments have become the norm for any organization interested in advancing their security posture, many organizations are adding our PEN testing as well to provide a more in-depth review of their posture and more specific security recommendations that can further harden their systems. For organizations with a SIEM and SOC, we also supply feedback on what was and was not detected during the PEN testing. This allows an organization to further improve their detection and response systems, and test their teams responsible for the investigation of and response to attack activities.
Fig. 4 - Sentinel PEN Testing Overview
What You Can Do - How It Relates to SamSam
While PEN testing (which I recommend no less than annually) and protection tools are great to help prepare for and prevent a breach, improving lateral detection systems is just as critical. Most organizations have neither the systems nor the people in place to detect attacker activities on their network and respond to them before it’s too late.
The SamSam attacks could have been strongly defended or altogether stopped in every case with proper protection, detection, and response tools in place. Although SamSam hasn’t been shown to exploit email systems, it was important to point out in these examples that most attacks do utilize that vector as a point of entry into your environment. Constant monitoring is critical, as is having resources available 24x7x365 to investigate and respond to an attack. Without those things, modern attacks will get through your protection and move laterally across the network undetected for weeks or months. The longer an attacker goes undetected on your network, the more likely that their attack will be a success.
According to the 2017 Marsh & McLennan Cyber Risk Report, the worldwide average dwell time is 146 days, with Europe averaging 469 days! Dwell time, the time between compromise and detection, is a critical component I would encourage all organizations to work to reduce to single digit days or even hours. The longer an attacker is on your network, the more opportunity they have to identify vulnerable targets, escalate their access, and monetize their attack – eventually leading to command and control.
Sentinel does many NIST alignment workshops with our customers, and while we often find critical deficiencies in detection and response, there tend to be even more deficiencies in the NIST “identify” area of the framework. Our NIST alignment workshop is a very small investment of time and money and provides some great visibility for your team to get started identifying security strengths and weaknesses.
Up Next...
In part 3, I will highlight exploit and installation. At this point of the attack, the attacker has begun to exploit your systems and is progressing closely to command, control, and ultimately a full scale breach. If you are interested in learning more about Sentinel’s SecuritySelect® portfolio, including Advisory Services, PEN testing, and NIST alignment, please contact us. You can follow Robert Keblusek on Twitter, @RKeblusek.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 1 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In recent months I have presented an example of the cyber kill chain using the SamSam ransomware attack, which was first identified in 2015. It has seen a resurgence as of late, and if you follow the news, the recent cyber-attack crippling the City of Atlanta was yet another form of SamSam. SamSam can be quite difficult to stop without proper process, patching, and tools. Protecting your organization from SamSam is no different than being prepared for other known and unknown attacks.
In this multi-part blog series I will profile some strong detection and protection solutions for SamSam and similar attacks. You will learn more about Sentinel’s Security as a Service (SECaaS) offerings and how they can help defend against these attacks. I will also break down the attack across the cyber kill chain and recommend areas where detection or protection might intervene to protect your organization and ensure it doesn’t wind up like Atlanta.
A majority of enterprises invest in excellent protection technologies and develop a fairly regular patching cadence. Some use vulnerability scanning software to report on and prioritize their patching needs, but fail to do so frequently enough. Others hire Sentinel’s Advisory Services team to perform timely security assessments instead. Sentinel’s world-class Managed Services team is also available to handle patching for you. The most advanced organizations engage us to go beyond security assessments and perform penetration (PEN) testing on critical internal and publicly exposed assets. Often, however, organizations lack detailed visibility into their security environment. They may invest in many protection tools, but nobody is constantly watching what those tools are doing and how well they’re performing. There is no single perfect security solution, and even if one existed, most organizations don’t have enough qualified staff to properly develop, manage, and monitor it.
Environmental Awareness - Who's Watching Your Network?
Being fully aware of your environment is the first step toward keeping it protected. With this information you can cultivate best practices such as regular patching while identifying unauthorized services on your network that introduce additional risk. Security teams can focus on improving system hardening as well as understanding what is happening on your network. Vulnerabilities in items like Adobe or Java software become easier to identify and patch. Threat feeds identify known risky IPs that are “knocking on your door” and alert you to activity.
Vulnerability Scanning
Sentinel’s Security as a Service (SECaaS)-managed SIEM includes constant vulnerability scanning of your assets and rates each one using the common vulnerability scoring system (CVSS). By putting a full-time vulnerability scanning system with real-time detection service on your network, you gain unprecedented visibility into your environment.
Patching is critical, no matter if you handle it on your own or use Sentinel’s Managed Services to take care of it for you. With constant vulnerability scanning you can have your assets scanned and reports delivered to your team on a regular basis (our service defaults to monthly). Cyber threats are taking advantage of known vulnerabilities faster than ever. Attack windows are shrinking, and patching on an annual or even quarterly basis simply isn’t often enough. Sentinel has even created a custom reporting dashboard allowing your team to sift through vulnerabilities within the SIEM to find specific items that might be within their domain of support, or to simply identify the most at-risk items quickly and easily to continue to harden your defenses.
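The two ideas in the Vulnerability Scanning section, rating each finding with CVSS and then letting a team sift the list down to its own domain of support and the most at-risk items, come down to banding, sorting and grouping. The example below is added here and is not Sentinel code or the dashboard the post describes; the hosts, owning teams, scores, dates, patch deadlines and the CVE placeholders are all constructed. The band boundaries are the CVSS v3 qualitative severity scale; the deadline per band is an assumed policy, not a Sentinel default.

```python
"""Added example (not Sentinel code): bucket constructed vulnerability-scan
findings into CVSS v3 severity bands, rank them, flag findings that have been
open longer than an assumed patch deadline for their band, and group the result
by the team that owns each host. Hosts, owners, scores, dates, deadlines and
the CVE placeholders are all constructed."""
from collections import defaultdict
from datetime import date


def severity(score):
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed maximum days a finding may stay open per band (policy placeholder).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": 365}

# Constructed scan findings; CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"host": "web01", "owner": "web-team", "cve": "CVE-PLACEHOLDER-1", "cvss": 9.8, "first_seen": date(2018, 4, 1)},
    {"host": "db02", "owner": "db-team", "cve": "CVE-PLACEHOLDER-2", "cvss": 7.5, "first_seen": date(2018, 4, 20)},
    {"host": "ws15", "owner": "desktop-team", "cve": "CVE-PLACEHOLDER-3", "cvss": 5.3, "first_seen": date(2018, 1, 1)},
    {"host": "cam07", "owner": "facilities", "cve": "CVE-PLACEHOLDER-4", "cvss": 3.1, "first_seen": date(2018, 4, 28)},
    {"host": "web01", "owner": "web-team", "cve": "CVE-PLACEHOLDER-5", "cvss": 7.5, "first_seen": date(2018, 3, 1)},
]


def prioritize(findings, today):
    """Annotate each finding with its band, age and overdue flag, then order by
    score (highest first) and, within a score, by age (oldest first)."""
    rows = []
    for f in findings:
        band = severity(f["cvss"])
        age = (today - f["first_seen"]).days
        rows.append({**f, "band": band, "age_days": age, "overdue": age > SLA_DAYS[band]})
    rows.sort(key=lambda r: (-r["cvss"], -r["age_days"]))
    return rows


def by_owner(rows):
    """Split the ranked list so each team sees only hosts in its support domain."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["owner"]].append(r)
    return dict(grouped)


def overdue(rows):
    """Findings that have outlived the deadline for their severity band."""
    return [r for r in rows if r["overdue"]]


if __name__ == "__main__":
    ranked = prioritize(FINDINGS, date(2018, 5, 1))
    for owner, items in by_owner(ranked).items():
        print(owner)
        for r in items:
            flag = "OVERDUE" if r["overdue"] else "ok"
            print(f"  {r['host']:<6} {r['cve']:<18} {r['cvss']:>4} {r['band']:<8} {r['age_days']:>3}d {flag}")
```

Sorting by age within a score matters in practice: two findings with the same CVSS are not equally urgent if one has been open for two months, and an overdue flag tied to the band is what turns a monthly report into something a team can act on rather than just read.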
Intrusion Detection
Vulnerability management, security assessments, and even periodic PEN tests are just a start. Organizations also need constant security monitoring. When combined with vulnerability visibility, constant monitoring will let you bring together log information from your current security investments and add Intrusion Detection Sensors (IDS) at strategic locations within your network.
The graphic below is a real-world example of the constant visibility offered by Sentinel’s SECaaS. In this sample, I have it filtered to show only the first “intent” level within the managed SIEM, “environmental awareness.”
IDS sensors review activity on the network as well as log source information to identify risks such as suspicious behavior and service scanning of the network. Risks are rated as low, medium, or high so that IT teams can easily identify and prioritize risk items before taking action.
How it relates to SamSam
Thus far, SamSam attacks seem to be targeted at specific organizations rather than drive-by attacks looking for “low hanging fruit.” Data gets stolen, and traditional recovery methods such as snapshots or backups are crippled or eliminated, so organizations are forced to pay a significant amount of money to get it back. This is why a strong backup strategy with air gapping plays an essential role in recovery. It is one of the many benefits our customers receive as part of Sentinel’s Backup as a Service (BaaS) offering. Contact Sentinel today to learn more on how you can air gap your existing backup or add an air gapped service within our CloudSelect® BaaS offering.
While many attacks depend on unsuspecting users opening a deviously crafted email asking for credentials or loaded with a malicious file, SamSam tends to hunt for vulnerabilities in your network and move laterally. Knowing your vulnerabilities and addressing them in a timely manner is one of the best practices to avoid becoming the next victim. In past years SamSam took advantage of known web server vulnerabilities. In the case of the City of Atlanta, although not officially disclosed at the time of this blog, it has been mentioned that publicly accessible RDP servers were affected as well as servers with known vulnerabilities. Patching might prevent these attacks, but if a bad actor wants to get in they won’t stop there.
Reconnaissance and Probing - Who's Knocking on Your Door?
Most customers that I meet have invested in great protection technologies, including next-generation firewalls and strong endpoint protection. However, many take a set-it-and-forget-it approach, which isn’t an effective security strategy.