Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
Cisco Live 2018: Top Takeaways from Sentinel Staff
Cisco Live is Cisco’s annual conference for their partners and customers that focuses on technology trends, education, thought leadership, and networking. The primary goal of the event is to provide inspiration and showcase innovation as technology continues to evolve at an incredibly fast rate.
This year’s Cisco Live conference took place from June 10-14 at the Orange County Convention Center in Orlando, Florida. Several members of the Sentinel team were in attendance, eager to connect with customers and learn more about the solutions set to transform the technology landscape in the coming months.
As the conference wrapped up, we asked some of our staff to briefly share three major takeaways or themes from the speeches and panel discussions they attended. Here are their insights:
Odell Waters – Senior Solutions Architect
-Cisco Tetration to protect critical cloud and premise data
-Cisco Software-Defined (SD) Access with DNA Center, which enables network access to any application without compromising security.
-Cisco Identity Services Engine (ISE) – next-generation security with greater awareness and easier access management.
Matt LaSota – Director of Support Services, Network, and CloudSelect
-Automation was a major discussion point.
-A lot of content was focused on Cisco DNA and UCS Director. The technology keynote focused on DNA, a software-based network automation solution.
-Multi-cloud continues to be a focus, with some more definition and actual configuration examples given this year. The sessions on multi-cloud and cloud center were great.
Dan Ristovski – Solution Design Team Lead
-Cisco DNA is going to be leveraged in pretty much every
-Visibility into the Network and Data Center has never been better.
-Security on every device needs to be a requirement. We need protection beyond the office, because the office is now everywhere.
Michael Soule – Strategic Solutions Advisor
-The proliferation and adoption of cloud services will keep
increasing and the product offerings will likely be matured in another 1-2
years with greater adoption looking into years 3-5.
-From Software-Defined Wide Area Networks (SD-WAN) to SD-Campus, Cisco is investing heavily in network virtualization and the usage of overlay networks. These are likely to become popular over the next few years, though the complexity of these technologies may make them challenging to support and difficult to troubleshoot in the future.
-Cisco is working hard to redefine the IT market. This most evident by how many different solutions they are incubating internally and the number of product enhancement partners they are bringing on. The integration between product offerings is stronger than ever before, however they may face difficulties with product overlap and competing functionality if they’re not careful.
Shiling Ding – Senior System Support Engineer
-DevNet/Network automation and programmability
are new skills network engineers need to learn.
-Security should be a primary part of any network foundation.
-ISE is critical for almost all enterprise-related security these days.
If you are interested in learning more about these solutions and how they are changing the IT landscape, please contact us for additional information.
My Sentinel Story: Terri Carpenter
It’s no secret that at Sentinel we place a high value on our employees. Their unparalleled expertise, strong work ethic, and dynamic personalities help us maintain our status as an Always Leading IT solutions and services provider. We are proud of the work they do on a daily basis, and hope our customers recognize the Sentinel difference.
Project Manager Terri Carpenter is the focus of our next “My Sentinel Story”. Terri has been a valued member of our team for more than 20 years, initially joining Sentinel as a Customer Service representative. Her favorite things about that job were helping with customers and the flexibility afforded by working three 12-hour shifts each week instead of something more traditional. A close collaboration with a co-worker enabled Terri to expand her duties to become a co-team lead, and eventually an Associate Manager. Her current position as a Project Manager was inspired by her passion for interacting with customers, managing others, and developing innovative solutions to unique challenges. Watch the video to learn more about her journey!
If you are passionate, motivated, and interested in joining the Sentinel team, you can learn more about our corporate culture and browse our current job openings by visiting our Careers page.
What GDPR Compliance Means For Businesses
by Dr. Mike Strnad, Sentinel Strategic Solutions Advisor
The General Data Protection Regulation goes into effect this Friday, May 25th, and very few are ready — not the companies and not even the regulators.
After four years of deliberation, the General Data Protection Regulation (GDPR) was officially adopted by the European Union (EU) in 2016. The regulation gave companies a two year time limit to achieve compliance, which is theoretically plenty of time to prepare and institute the change.
The reality is messier. Like term papers and tax returns, there are organizations that got it done early, however most have waited until the very last minute. GDPR is an ambitious set of rules spanning from requirements to notify regulators about data breaches within 72 hours, to transparency for users about what data is being collected by the organization and why.
GDPR is only supposed to apply to the EU and EU residents, but because so many companies do business in Europe, the American technology industry is scrambling to become GDPR compliant. Still, even though GDPR’s big debut is bound to be messy, the regulation marks a sea change in how data is handled across the world. Americans outside of Europe can’t make data subject access requests nor can they demand that their data be deleted, however GDPR compliance is going to have spillover effects for them anyway.
The breach notification requirement, especially, is more stringent than anything in the United States. The hope is that as companies and regulatory bodies settle into the flow of things, the heightened privacy protections of GDPR will become business as usual. In the meantime, it’s just a mad scramble to keep up.
Some organizations are choosing to follow the
GDPR requirements even if they have little or no business based in the EU or
with EU customers. These regulations can be highly valuable for safety and
transparency in business. Sentinel offers tools and training to help your
organization achieve GDPR compliance. Please contact
us and our Advisory Services team if you would like to learn more.
New Study Examines the Human Factor in Cybersecurity
The following is an excerpt from a recent 2018 report by next-generation cybersecurity company Proofpoint, investigating how attackers are exploiting human nature to steal data, money, and more from organizations and individuals. It contains some very interesting discoveries, and provides recommendations on how organizations can avoid falling victim to some of the most dangerous tactics.
Email remains the top attack vector. Threats range from spam that clogs inboxes and wastes resources to email fraud that can cost organizations and people millions of dollars. The modern threat landscape also includes a variety of web-based threats that span social channels and cloud applications, while mainstream interest in cryptocurrency is driving advances in malware and new approaches to phishing and cyber-crime.
Here are the key findings from Proofpoint research over the last year. The results, based on data collected across Proofpoint’s global customer base and analysis of over one billion messages per day, highlight the ways actors are stepping up attacks that exploit “the human factor.”
Social engineering underpins the Human Factor. Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click.
• Suspiciously registered domains of large enterprises outnumbered brand-registered domains 20 to 1. That means targets of phishing attacks are more likely to mistake typo squatted and suspicious domains for their legitimate counterparts.
• Fake browser and plugin updates appeared in massive advertising campaigns affecting millions of users. As many as 95% of observed web-based attacks like these, including those involving exploit kits, incorporated social engineering to trick users into installing malware rather than relying on exploits with short shelf lives. Two years ago, social engineering in web-based attacks was much less widely deployed.
• About 55% of social media attacks that impersonated customer-support accounts—a trend known as “angler phishing”—targeted customers of financial services companies.
• Some 35% of social media scams that used links and “clickbait” brought users to video streaming and movie download sites. In-browser coin mining, in which attackers hijack victims’ computers to generate cryptocurrency, also went mainstream. These attacks converged largely around pirated video streaming sites; users’ long viewing sessions gave the miners extended access to victims’ PCs, netting more income for their operators.
Train employees to spot attacks that use social engineering through email, social media, and on websites—even those seemingly tied to well-known brands or current events. Use phishing simulations (fake attacks that test use real-world tactics) to see who in your organizations clicks. Paired with awareness training, these simulations can reduce the impact of real attacks.
Email threats: malware, phishing, and fraud
Analyzing the vast number of malicious messages sent every day, we saw new trends in how attackers target victims and the volume of email they send.
• Dropbox phishing was the top lure for phishing attacks. Twice as many phishing messages used the file-sharing service to entice victims than next most popular lure. However, click rates for DocuSign lures were the highest at over five times the average click rate for the top 20 lures, demonstrating that volume did not necessarily equate to effectiveness.
• Observed network traffic of coin mining bots jumped almost 90% between September and November. This threat activity closely mirrored the rise and fall of the value of Bitcoin, the best-known cryptocurrency.
• Ransomware and banking Trojans accounted for more than 82% of all malicious email messages, making them the most widely distributed malware types. However, by the end of 2017, many campaigns also included coin miner modules or secondary payloads.
• Microsoft Office exploits appeared regularly in email campaigns but they usually came in short bursts. This pattern highlights the short shelf life of exploits before they are rendered ineffective due to organizations patching their systems to fix the vulnerability.
Invest in an advanced email security solution that protects against the full range of tools and techniques used in attacks. Your solution should include awareness training, and it must protect against credential phishing, fraud, and unsafe URLs and attachments.
Attacks throughout the year ranged from massive malicious spam campaigns to highly targeted email fraud attacks. While no industries were immune, Proofpoint did observe noteworthy targeting trends.
• Education, management consulting, entertainment, and media firms experienced the greatest number of email fraud attacks, averaging over 250 attacks per organization.
• Construction, manufacturing, and technology topped the most phished industries. Manufacturing, healthcare, and technology firms were the top targets of crime ware.
• Ransomware predominated worldwide, but Europe and Japan saw the highest regional proportions of banking Trojans, with 36% and 37% of all malicious mail in those regions respectively.
Deploy email gateway solutions that prevent unsafe emails from reaching users in the first place, and have tools and processes in place that help you quickly detect and resolve any threats that get through.
How Sentinel Can Help
Sentinel offers awareness training as well as
other security solutions and services to help educate your staff and minimize
the possibility of a breach due to a malware, phishing, spam, or email attack.
Please contact us if you would
like to learn more.
Sentinel Helps An Insurance Provider Assess Their Security
A large insurance company recognized as a trusted risk advisor and top solution provider for personal and business insurance, employee benefits insurance, HR solutions, surety bonds, and financial services. They have seven locations with more than 170 total employees.
The customer expressed concern over their security posture, and asked Sentinel to conduct a Cisco Security Online Visibility Assessment (SOVA) to gain a better understanding of how well their environment and data were being protected. The SOVA is a free, 14-day cloud-based evaluation that analyzes critical network and system elements to uncover potential security risks and vulnerabilities within an organization. Here are some details revealed about the customer’s environment from the five different areas measured as part of the assessment.
Internal Monitored Network
Provides background information on internal traffic, including hosts communicating within the network, traffic between the network and the internet, devices that export traffic, flows per second, and total records analyzed. The gathered information can highlight activity on unauthorized servers and old servers that are utilizing bandwidth or providing access for rogue or malicious entities. It is also used to “benchmark” the network traffic and analyze circuit sizing.
Since a large amount of network traffic is encrypted, visibility is not allowed with standard networking tools. While encryption can protect data, it also makes it difficult to identify threats that may be hiding. For our customer, 71% of the total traffic detected on their network was encrypted. Current industry trends have shown that an increase in encrypted traffic is often utilized to conceal malware, command and control activity, or data exfiltration.
This portion of the assessment examines unauthorized DNS servers along with potential hosts in danger of exposure, DNS malware, or potential data loss. Unauthorized DNS servers can direct hosts to bad websites where malware or exploitation tools are downloaded. They also have the ability to control or block access to software updates from vendors and prevent monitoring of DNS traffic for data loss, command and control activity, and exploitation. The SOVA uncovered five unauthorized DNS servers and four unknown hosts residing on the customer’s network.
Unclassified servers are servers set up on the network that an organization has no administrative control over. These can be servers that were set up and forgotten by a network administrator, leaving them unpatched with the potential to be exploited by an attacker. They can be utilized to expose unintentional risk and execute man-in-the-middle attacks or DNS hijacking. During the customer assessment, we discovered the workstation of a financial advisor was acting as a rogue, unclassified server on their network.
Traffic to High Risk Countries
Network traffic to high-risk countries could be a sign of data exfiltration, advanced persistent threats, or command and control activity. There should be minimal (if any) network traffic coming from or being exported to these locations. The SOVA revealed 87.3 MB of the customer’s traffic originated from five primary inside host IP addresses that connected to high-risk countries, including the Ukraine, Russia, and South Korea. The final report also determined that 29 peers and several hundred flows had taken place over the two week monitoring period.
The 14-day SOVA provided the customer with unprecedented visibility into their environment, which helped them detect security events and identify new areas of risk. These insights enabled the customer to improve their overall defense strategy, which included new investments in Cisco Umbrella for DNS protection, Cisco AMP for Endpoints to harden devices on the network, plus Sentinel’s Security as a Service (SECaaS) and SOC for monitoring and management of network security events on their network. The customer plans to implement these solutions over the next 6-12 months.
If you are interested in learning more about the free Cisco Security Online Visibility Assessment and how it can benefit your organization, please contact Sentinel.
My Sentinel Story: Diane Jackson
It’s no secret that at Sentinel we place a high value on our employees. Their unparalleled expertise, strong work ethic, and dynamic personalities help us maintain our status as an Always Leading IT solutions and services provider. We are proud of the work they do on a daily basis, and hope our customers recognize the Sentinel difference.
The next part of our “My Sentinel Story” series introduces Managed Services Solution Architect Diane Jackson. Diane started at Sentinel just over five years ago as an Administrative Assistant. While her duties originally focused on contracts with the legal department and vendors, she quickly began to take on additional responsibilities out of a desire to learn more and help others. A fortuitous mentorship and an unexpected opportunity eventually guided her into an important role as part of our Managed Services team. Learn more about Diane and her growth through Sentinel via the video below!
If you are passionate, motivated, and interested in joining the Sentinel
team, you can learn more about our corporate culture and browse our current job
openings by visiting our Careers page.
The Dependence on Security Hardware
By Dr. Mike Strnad, Sentinel Strategic Solutions Advisor
Many organizations believe just because they invest so much into industry-best security hardware that they don’t need to devote a lot of time and effort into other aspects of protection. While security hardware does play an important role in every IT environment, it is also entirely dependent on human intervention to operate properly. Unfortunately humans are prone to make mistakes, and if they fail to maintain and reinforce the hardware it can easily weaken your overall security posture.
Think about how we protect our homes using multiple layers of security. We need to do things like turn on the outside lights, lock the doors, and activate the alarm system in order for these security elements to actually be effective. These are tasks we repeat every day without a second thought out of concern for our own safety and the safety of loved ones.
Security hardware also requires repeated checkups to remain fully effective. Firmware updates and patches are developed to keep security components aligned with the current threat landscape, however if your IT team fails to install those modifications correctly or within a reasonable amount of time, it has the potential to place your organization at significant risk.
While there is no such thing as bulletproof security, here are a few fundamental principles organizations can employ to minimize the potential of a breach or infection:
• Conduct a complete risk assessment that includes internal, third party, and cloud-based systems and services.
• Patch, patch, and update. Always be running the latest version of your software.
• Encrypt, encrypt, encrypt—end to end. Make sure you have secure encryption key management.
• Conduct regular security awareness training so workers don’t fall for phishing emails and other social engineering attacks.
• Train employees in both physical and data security to avoid lost data, files, drives, devices, and computers.
Your organization can have the best security
hardware money can buy, but there’s very little actual protection if it’s not
maintained on a consistent basis by a well-trained IT staff. Sentinel offers
Cybersecurity Awareness Training and other SecuritySelect services to help your
team significantly reduce the likelihood of a mistake that leaves your data
vulnerable. Please contact us
if you would like to learn more.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 2 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In Part 1, I wrote about how SamSam is a great example of an attack that spans the cyber kill chain and used the graphic below to help show how. At our Vision 20/20 customer summit this past January we highlighted how your organization can detect and disrupt SamSam and similar attacks using Sentinel’s SecuritySelect™ portfolio of solutions and services.
In Part 2, I will detail
the delivery and attack portions of the kill chain. There are plenty of
technologies that have a big impact protecting an organization but equally
important is maintaining a strong security policy and awareness program
designed to help prevent breaches but also respond and recover from them when
they do occur. You will see screenshots from an actual SIEM and learn how your
organization can detect and protect against some of these exploits as attacks
continue to become more frequent and more sophisticated.
Fig. 1 - SamSam Attack and Cyber Kill Chain
Delivery & Attack
During delivery and attack, the attacker determines the best approach to entering the network, provided they are not already an insider. They choose what type of malware or compromise will be best to achieve their objectives and monetize their attack. In some cases this may be a “drive by” attack where a generic phishing email was sent to an unsuspecting (and likely untrained) end user that unknowingly executed malware by clicking on a malware-weaponized link or even provided login credentials to a well-crafted fake web site that looked exactly like the Office 365 user portal. In other phishing cases a user might receive a very well-crafted and seemingly authentic email from a trusted source that is actually a compromised host within the network allowing code execution within the network. Once the attacker is in the network, depending on the experience level of the attacker and how targeted the attack, they will make good use of the information gathered in the reconnaissance phase. With over 50% of attacks coming from organized criminals, if you are specifically targeted it is highly likely your attacker is very capable.
You can refer back to the previous post here, where I wrote about the reconnaissance phase from a more technical perspective, including scanning a target for vulnerabilities, seeking available services, exposed port scans, and more. It is worth noting that I didn’t even mention the sophisticated social research attackers will sometimes do to create a great deal of authenticity to some attacks using phishing or malvertising web sites. An experienced hacker or advanced automated attack is likely to find an available resource or unaware user to exploit without much difficulty. At this point, perimeter defenses are often rendered useless. Modern attacks, much like secure virtual private networking used by organizations, use encryption keys to hide their attack in an encrypted tunnel often invisible to your defenses. A great example of this type of attack can be seen in this Anatomy of an Attack video from Cisco.
Unless you have an extremely well-protected organization with immaculate patching procedures and highly trained/aware users with policy behind your security program, attackers will find a way in. Motivated attackers are nearly impossible to stop. So once they gain access to your environment, is your organization prepared to respond?
The latest Verizon security report notes that 68% of breaches took more than a month or longer to detect. Time to detection is difficult to measure but a critical key performance indicator (KPI) Sentinel’s Security as a Service focuses to improve. Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, because attackers will get in, regardless of how much you invest in protection.
Detection During Delivery & Attack
In the screenshot below, I have provided some
examples of the Delivery & Attack intent from a Sentinel-managed SIEM. Some
very common items we see are brute force attacks and known bad actors from our world-wide
threat feeds. In addition, this example shows an attempted denial of service
attack using a known vulnerability.
Fig. 2 - Delivery & Attack
We see both external and internal attempts to steal or break into accounts using various types of attacks via HIDS agents (host intrusion detection) in nearly every deployment of our managed SIEM. Brute force attacks have become the norm and we have seen these from external hosts attacking exposed IP addresses, but also against internal resources such as end user workstations and even IoT devices. Our dedicated security DevOps teams continually alters our detection algorithms to identify brute force attacks. For example, our team can look at the new Office 365 plug-in or host-based IDS instances that we deploy on domain controllers and critical servers to compare what might be a user struggling to recall or type their password or an automated machine attack repeatedly attacking the target with failed logins. Even if you don’t have Sentinel’s managed SIEM, it is critical to identify these attacks within your various systems and stop them in their tracks before your credentials are compromised and lead to a full-scale breach.
In many cases we need to have our customer remove those devices and either clean them or re-image the desktop. IoT devices typically require more specialized approaches to protection. Prior to having this detection, these systems went undetected and sometimes were successful at breaking weak passwords to then move laterally to a full cyber breach.
Some of our customers opt to use our Adaptive Threat Response™ to automatically block identified threats in supported security firewalls. This allows you to respond without action against known bad activities while triggering a report from the SIEM on the behaviors and blocked elements. Other customers choose to receive the alarm and either investigate it themselves or leave it to our professionals. In either case, tracking and investigating activities such as brute force attacks is critical to your defenses. In some cases this could be a device trying to legitimately log in to a host, but a change in credentials requires attention. In other cases, this could be a bad actor trying to break into your network to further their attack and eventually obtain command and control (C&C). The complexity of detecting east/west compromise has brought about a number of network flow-based and decoy detection options available from Sentinel to assist in identifying an attacker before it is too late. Decoy technology can place traps on your network for attackers to unknowingly trigger. Think of them as “motion sensors” on your network that can be modified to look very genuine and result in a highly trustworthy anomalous detection alarm when an attacker touches one. Sentinel has worked with Attivo Networks to launch a Decoy as a Service offering integrated to our managed SIEM and SOC service. Sentinel and Attivo are very excited about this offering as it is becoming critical to trick the attackers and detect them in order to investigate and potentially even identify the attacker to authorities.
Another example from the screenshot above identified by our world-wide threat feed is a common vulnerability (CVE) for a potential denial of service attack on an IIS server. According to the national reporting of this vulnerability it “allows remote attackers to cause a denial of service (use-after-free) or possibly have an unspecified alternative impact via unknown vectors.” Identifying vulnerabilities attempting to be exploited is a powerful feature of Sentinel’s SECaaS and allows you to patch these items prior to any damage being inflicted. Vulnerable hosts with exposed services have been identified as the attack vector in many recent high profile attacks such as the City of Atlanta (based on initial reports) and has been confirmed in a number of other recent attacks, especially targeted at healthcare organizations. These can be vulnerable web servers, RDP servers exposed to the internet, IoT devices or nearly any type of connected device that might be compromised and allow lateral movement within the network.
The Human Factor
While vulnerable host attacks by SamSam have made headlines lately, the top attacked resource within your organization is your people. A stunning fact is that 96% of social attacks occur through email phishing campaigns. All of us likely see these types of attacks multiple times per week, if not multiple times daily!
Most organizations have some form of email gateway in place to try and prevent these types of attacks, however some will still get through no matter how strong your defenses are. A lot of customers are moving to hosted email services such as Office 365. These hosted services typically include email protection. While some can be very capable, we often see customers set these up and then fail to maintain them properly. Our own hosted email security, which supports Office 365 and premise email services, has proven very valuable in preventing email attacks and malware-weaponized attachments from getting into organizations. In many cases we have had customers send us sample phishing emails for investigation and determined that our service would have stopped those emails in their tracks. However we also experience more advanced email attacks that sometimes slip through even our well-managed gateway service. Once identified, we put automated rules in place to protect all users of our service. Even with a managed email gateway powered by an experienced SOC organization like Sentinel, we still recommend additional layers of protection along with strong end user education and mock phishing testing programs. End user awareness is critical to keeping any organization secure. Users shouldn’t simply assume they are safe, because they are not. Diligence is a necessary job requirement today.
The screenshot below shows
a number of attacks that progressed through strong endpoint security, email
gateway services, and made it into the user’s inbox ready for exploitation.
With these emails now in the network, users sometimes take the bait.
Fig. 3 - Sentinel Managed Cisco Umbrella Phishing Prevention
In this case you can see Cisco Umbrella’s efficiency at stopping the attacker from getting further into the attack by blocking the infected user at the DNS/IP layer. This is a great way to disrupt such an attack and prevent a breach from ever happening. Cisco Umbrella also has end user client services to ensure corporate assets are protected no matter where your employees go, even when they leave the network.
It is also important to note that the users themselves will benefit from cyber security education to avoid clicking through in the first place. Sentinel’s cyber awareness program includes both computer-based training and mock phishing services to encourage responsible computing. While this is outside the scope of this blog, Sentinel can help develop and deploy a program for your organization to better enable end users to work responsibly and avoid most cybercriminal temptations.
Be Prepared - Test, Test, Test
One of our hottest offerings today is our Advisory Services-delivered security assessments and penetration testing (PEN). They can help organizations better understand their risk beyond a simple vulnerability scan. PEN testing digs deeper into your most at-risk systems and determines the effectiveness of your detection services.
During a PEN test, we
execute attacks on your identified assets of interest. While assessments have
become the norm for any organization interested in advancing their security
posture, many organizations are adding our PEN testing as well to provide a
more in-depth review of their posture and more specific security recommendations
that can further harden their systems. For organizations with a SIEM and SOC,
we also supply feedback on what was and was not detected during the PEN
testing. This allows an organization to further improve their detection and
response systems, and test their teams responsible for the investigation of and
response to attack activities.
Fig. 4 - Sentinel PEN Testing Overview
What You Can Do - How It Relates to SamSam
While PEN testing (which I recommend no less than annually) and protection tools are great to help prepare for and prevent a breach, improving lateral detection systems are just as critical. Most organizations have neither the systems nor the people in place to detect attacker activities on their network and respond to them before it’s too late.
The SamSam attacks could have been strongly defended or altogether stopped in every case with proper protection, detection, and response tools in place. Although SamSam hasn’t been shown to exploit email systems, it was important to point out in these examples that most attacks do utilize that vector as a point of entry into your environment. Constant monitoring is critical, as is having resources available 24x7x365 to investigate and respond to an attack. Without those things, modern attacks will get through your protection and move laterally across the network undetected for weeks or months. The longer an attacker goes undetected on your network, the more likely that their attack will be a success.
According to the 2017 Marsh & McLennan Cyber Risk Report the worldwide average dwell time is 146 days with Europe averaging 469 days! Dwell time, the time between compromise and detection, is a critical component I would encourage all organizations to work to reduce down to single digit days or even hours. The longer an attacker is on your network the more opportunity they have to identify vulnerable targets, escalate their access, and monetize their attack – eventually leading to command and control.
Sentinel does many NIST alignment workshops with our customers, and while we often find critical deficiencies in detection and response, there tend to be even more deficiencies in the NIST “identify” area of the framework. Our NIST alignment workshop is a very small investment of time and money and provides some great visibility for your team to get started identifying security strengths and weaknesses.
In part 3, I will highlight exploit and installation. At this point of the attack, the attacker has begun to exploit your systems and is progressing closely to command, control, and ultimately a full scale breach. If you are interested in learning more about Sentinel’s SecuritySelect® portfolio, including Advisory Services, PEN testing, and NIST alignment, please contact us. You can follow Robert Keblusek on Twitter, @RKeblusek.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 1 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In recent months I have presented an example of the cyber kill chain using the SamSam ransomware attack, which was first identified in 2015. It has seen a resurgence as of late, and if you follow the news, the recent cyber-attack crippling the City of Atlanta was yet another form of SamSam. SamSam can be quite difficult to stop without proper process, patching, and tools. Protecting your organization from SamSam is no different than being prepared for other known and unknown attacks.
In this multi-part blog series I will profile some strong detection and protection solutions for SamSam and similar attacks. You will learn more about Sentinel’s Security as a Service (SECaaS) offerings and how they can help defend against these attacks. I will also break down the attack across the cyber kill chain and recommend areas where detection or protection might intervene to protect your organization and ensure it doesn’t wind up like Atlanta.
A majority of enterprises invest in excellent protection technologies and develop a fairly regular patching cadence. Some use vulnerability scanning software to report on and prioritize their patching needs, but fail to do so frequently enough. Others hire Sentinel’s Advisory Services team to perform timely security assessments instead. Sentinel’s world-class Managed Services team is also available to handle patching for you. The most advanced organizations engage us to go beyond security assessments and perform penetration (PEN) testing on critical internal and publically exposed assets. Often however, organizations lack detailed visibility into their security environment. They may invest in many protection tools, but nobody is constantly watching what those tools are doing and how well they’re performing. There is no single perfect security solution, and even if one existed, most organizations don’t have enough qualified staff to properly develop, manage, and monitor it.
Environmental Awareness - Who's Watching Your Network?
Being fully aware of your environment is the first step toward keeping it protected. With this information you can cultivate best practices such as regular patching while identifying unauthorized services on your network that introduce additional risk. Security teams can focus on improving system hardening as well as understanding what is happening on your network. Vulnerabilities in items like Adobe or Java software become easier to identify and patch. Threat feeds identify known risky IPs that are “knocking on your door” and alert you to activity.
Sentinel’s Security as a Service (SECaaS)-managed SIEM includes constant vulnerability scanning of your assets and rates each one using the common vulnerability scoring system (CVSS). By putting a full-time vulnerability scanning system with real-time detection service on your network, you gain unprecedented visibility into your environment.
Patching is critical, no matter if you handle it on your own or use Sentinel’s Managed Services to take care of it for you. With constant vulnerability scanning you can have your assets scanned and reports delivered to your team on a regular basis (our service defaults to monthly). Cyber threats are taking advantage of known vulnerabilities faster than ever. Attack windows are shrinking and patching on an annual or even quarterly basis simply isn’t often enough. Sentinel has even created a custom reporting dashboard allowing your team to sift through vulnerabilities within the SIEM to find specific items that might be within their domain of support or to simply identify the most at risk items quickly and easily to continue to harden your defenses.
Vulnerability management, security assessments, and even periodic PEN tests are just a start. Organizations also need constant security monitoring. When combined with vulnerability visibility, constant monitoring will let you bring together log information from your current security investments and add Intrusion Detection Sensors (IDS) at strategic locations within your network.
The graphic below is a real-world example of the constant visibility offered by Sentinel’s SECaaS. In this sample, I have it filtered to show only the first “intent” level within the managed SIEM “environmental awareness.”
IDS sensors review activity on the network as well as log source information to identify risks such as suspicious behavior and service scanning of the network. Risks are rated as low, medium, or high so that IT teams can easily identify and prioritize risk items before taking action.
How it relates to SamSam
Thus far, SamSam attacks seem to be targeted at specific organizations rather than drive-by attacks looking for “low hanging fruit.” Data gets stolen, and traditional recovery methods such as snapshots or backups are crippled or eliminated so organizations are forced to pay a significant amount of money to get it back. This is why a strong backup strategy with air gapping plays an essential role in recovery. It is one of the many benefits our customers receive as part of Sentinel’s Backup as a Service (BaaS) offering. Contact Sentinel today to learn more on how you can air gap your existing backup or add an air gapped service within our CloudSelect® BaaS offering.
While many attacks depend on unsuspecting users opening a deviously crafted email asking for credentials or loaded with a malicious file, SamSam tends to hunt for vulnerabilities in your network and move laterally. Knowing your vulnerabilities and addressing them in a timely manner is one of the best practices to avoid becoming the next victim. In past years SamSam took advantage of known web server vulnerabilities. In the case of the City of Atlanta, although not officially disclosed at the time of this blog, it has been mentioned that publicly accessible RDP servers were affected as well as servers with known vulnerabilities. Patching might prevent these attacks, but if a bad actor wants to get in they won’t stop there.
Reconnaissance and Probing - Who's Knocking on Your Door?
Most customers that I meet have invested in great protection technologies, including next-generation firewalls and strong endpoint protection. However, many take the approach of set it and forget it, which isn’t an effective security strategy.