What is Pen Testing and Should You Have a Company that Performs them on Retainer?
Pen testing is the art of attempting to breach an organization’s network, computers and systems to identify possible means of bypassing their defenses. It’s an “art” because there is no one-size-fits-all method or process. Testers need a variety of skills, knowledge and tools to make the attempt.
Most testers are hackers trying to use their skills legitimately, technical administrators, network administrators or just computer enthusiasts who enjoy trying to undermine IT security stacks. Many testers are jacks-of-all trades (and masters of them all). Their primary goal is to succeed in getting past defenses and report on their findings. An MSPs intention is to NOT allow this to happen by putting up the right security posture through layered defenses.
So it’s easy to see how the relationship can quickly become adversarial. But there are ways pen testing organizations can help MSPs. Before we get to that, more details on types of pen tests.
Types of testing
An issue with pen testing is a lack of standard operating procedures. No one company performs the tests the same way. Testers are fallible actors with certain skills they apply to circumvent defenses. While testers and testing organizations are usually highly skilled, they are not all knowing. Trust, but verify.
So, what types of testing methods are there? While standardization is scarce and pen testing is pretty much a Wild West environment, there are some common methods and approaches. These can be broken down into two categories: Blue Teams and Red Teams.
(Tools are varied and not important until the tester discovers or knows what type, brand or systems are present. In other words, tools are specific to the environment.)
Blue Teams
With Blue Teams, “tester” has some information about the network, computers and organization that they’re pitted against. They know how things are set up and are there as more of an audit/report type tester rather than a malicious hacker.
Blue Teams can be anyone inside or outside the organization. However, in the MSP community, the Blue Teams are usually the technicians responsible for establishing the layered security defenses and then verifying their effectiveness. They’re the internal folks that are standing up various tools to block bad actors from encroaching or breaching their network, computers and systems.
Here’s where it can get murky and why you should always insist on more information about ay client’s pen test. Pen testing can be an outside organization performing a Blue Team activity and their report can be communicated as a Pen Test Failure. Trust, but verify.
Red Teams
Red Team testers have no idea about the organization they’re testing against and must figure out the technology, network, computers and systems before doing anything. These are true hackers starting from nothing. They may use social engineering to conduct reconnaissance, they may google employees, use LinkedIn or any other publicly available information to gain a foothold with the organization before they write one line of code.
This is real penetration testing, as they make the attempt to access networks, computes and systems of the identified organization they’re testing against. When a Red Team reports its findings on why and how they were able to breach a client, it’s time to pay attention.
Should you put a Penetration Testing company on retainer?
So, now that we’ve established some high-level perimeters, how should MSPs engage with pen testers?
First, it’s important to learn everything you can about your tools. The mantra of a strong security posture is ‘know your tools inside and out.’
But don’t stop there. Rather than stand up the layers of the latest cool tools and cross your fingers no pen tester hits a client with a failing report, be proactive. Learn about the penetration testing market, find a good pen testing company with strong credentials and engage with them. With security concerns exploding over the past few years, pen testing should be considered an essential tool for validating your effort and spend on the security stack. So get to know the good ones.
Again, many MSP view third-party pen testing organizations as the enemy. Instead, engage with pen testing organizations to test your own defenses before issues affect your customers.
Here are a few tips for improving your business’s relationships with pen testers:
- Pen test your own network, computers and systems. If you want to know how good your “Blue Team” is, put their feet to the fire and have a solid, reputable third-party pen testing organization attempt to breach your own defenses. Learn all you can about their methods and findings, then review and adjust.
- Work with the pen test organization as a potential revenue opportunity. Work out an agreement that lets you as the MSP provide work and opportunity through your own customer network. You act as the lead generator and offer their services as an adjunct to your own.
- When customers come along with a report that you were not involved, ask questions about how the test was conducted and then offer your own services to proactively verify their report.
Now that you know the basics of pen testing and how they can be used constructively, here’s a question: what happens when a customer fails a pen test? We’ll answer that question in an upcoming post.
What Real Security and Compliance Look like when Managing 5000+ Endpoints
In the United States, there are approximately 350,000 companies contracting for the Department of Defense. Each of these companies have to meet varying degrees of compliance and are now subject to the Cybersecurity Maturity Model Certification (CMMC). Effectively, CMMC means that before a DoD contractor can execute on their contract, they have to receive an independent, third-party verification certifying whether they meet the correct security and compliance criteria. The process is expensive and it’s pass/fail.
F1 Solutions, an MSP based in Huntsville, Alabama, has been working to align their security stack to the CMMC guidelines to help ensure that all of their customers, whether DoD contractors or otherwise, benefit from the comprehensive level of security the regulation requires. DNS protection, in particular, is a must-have under these rules. With over 5,000 endpoints under management, F1 has set itself quite a task. But with cyber resilience solutions from Webroot in their security stack, they’re up to the challenge.
“Of all our clients on our full stack (about 140), we’ve never had a client fall victim to cryptojacking or any significant virus, for that matter, unless the system was not using part or all of our stack or being managed by us. That’s pushing 5,000 endpoints, including all servers, terminal servers, Macs and PCs.” – James VanderWier, CEO, F1 Solutions
Hear how F1’s overall security and compliance offering changed for the better since they made the switch to Webroot endpoint security solutions in F1 CEO James VanderWier’s video testimonial.
Watch the video: https://vimeo.com/487018201
We Finally Got Businesses to Talk About Their Run-ins With Ransomware. Here’s What They Said.
“It is a nightmare. Do all you can to prevent ransomware.”
– A survey respondent
Many businesses are hesitant to talk about their experiences with ransomware. It can be uncomfortable to cop being hit. Whether it’s shame at not doing more to prevent it, the risk of additional bad publicity from discussing it or some other reason, companies tend to be tight-lipped about these types of breaches.
By offering anonymity in exchange for invaluable quantitative and qualitative data, Webroot and professional researchers surveyed hundreds of business leaders and IT professionals about their experiences with ransomware attacks.
Perhaps the most surprising finding from our survey, and certainly one that presents broader implications for those involved, is that the ransom demanded by attackers is only a small part of the loss that accompanies these crimes. There are also lost hours of productivity, reputational suffering, neutralized customer loyalty, data that remains unrecoverable with or without paying a ransom and the general sense of unfairness that comes with being the victim of a crime.
Our ransomware report seeks to quantify these knock-on effects of ransomware to the extent possible. We looked at the value of a brand and how likely customers are to remain loyal to one after their data is compromised in a breach. We studied the relationship between the time to detection of the incident and its cost. We added up the labor cost spent during remediation.
But we were also interested in real people’s stories concerning their run-ins with ransomware. What advice would they give to those who may find themselves in their same position? Respondents talked about the inevitability of attack, the relief when frequent backups mitigate the worst effects of ransomware, the importance of a plan, and advised against the payment of ransoms.
Finally, we provide advice for defending against or at least reducing the disruptive impact of ransomware attacks. As a security company, it won’t be surprising that we recommend things like endpoint and network security. But it goes deeper than that. We stress the importance of empowering users with the knowledge of what they’re up against and implementing multiple layers of defense.
Most importantly – no matter how comprehensive or scattershot a business’s protection is – is that that it’s are in place before it’s needed. During the fight is not the time to be building battlements. If your organization has avoided the scourge of ransomware so far, that’s excellent. But IT administrators and other decision-makers shouldn’t count on their luck holding out forever.
Here are a few of the report’s most enticing findings, but be sure the download the full eBook to access all of the insights it delivers.
KEY FINDINGS
- 50% of ransomware demands were more than $50k
- 40% of ransomware attacks consumed 8 or more man-hours of work
- 46% of businesses said their clients were also impacted by the attack
- 38% of businesses said the attack harmed their brand or reputation
- 45% were ransomware victims in both their business and personal lives
- 50% of victims were deceived by a malicious website email link or attachment
- 45% of victims were unaware of the infection for more than 24 hours
- 17% of victims were unable to recover their data, even after paying the ransom
Why SMBs are Under Attack by Ransomware
Ransomware attacks generate big headlines when the targets are government entities, universities and healthcare organizations. But there’s one increasingly frequent target of ransomware attacks that tends to slip under the radar. Small and midsize businesses (SMBs) have become bigger financial targets for hackers. As Webroot Senior Threat Researcher Kelvin Murray points out in a recent Hacker Files podcast, the SMB sector has become a cash cow for cybercriminals. According to Murray, there are more SMB targets than criminals have time to target, mostly due to inadequate security among SMBs.
Listen to the full episode of the Hacker Files podcast hosted by Joe Panettieri here.
It’s also become far easier for anyone with malign intentions but lacking coding skills to launch attacks. Murray cites the availability of ransomware kits on the dark web that anyone can download and figure out how to launch. Going by the name Ransomware as a Service, these kits reduce the sophistication required for perpetrators to target SMBs and collect hefty ransom payments.
Business email compromise (BEC) is also on the rise. In BEC attacks the perpetrator, pretending to be a colleague or vendor, contacts you under the pretense of requesting payment or disbursement for a seemingly legitimate business purpose. Businesses easily fall for these scams because, with so many invoices and payments occurring on a daily basis, it’s easy to slip a fake one in.
All of this malicious activity points to the need for a layered approach to cybersecurity. This includes essential security measures like firewalls, endpoint protection and DNS protection. And, since even firewalls can be circumvented, it means keeping backups of all business data so you never have to pay a ransom to get your data back.
Attacks like BEC are less about malware and more about manipulating people. This is why security awareness training with phishing simulations are increasingly important. Murray emphasizes that security awareness training is necessary due to the increasing popularity of remote working. While the corporate office is usually equipped with firewalls, DNS protection, corporate logins and security guards at the front door, now that everybody’s working from home, all of those things are absent. In their place you have faulty routers, dodgy setups, people sharing houses with other people and maybe even sharing PCs.
You can listen to the full Hacker Files podcast hosted by Joe Panettieri here.
Is the Value of Bitcoin Tied to Ransomware Rates?
With investors currently bullish on Bitcoin, is its high value driving cybercriminals to pursue crypto-generating forms of cybercrime like ransomware and illicit miners?
At time of writing, the value of one Bitcoin is north of $58 thousand. Famously volatile, a crash is widely expected to accompany the current bubble, perhaps before the end of 2021. The reason for this volatility is at least partly attributed to an event known as “the halvening,” where the reward generating supply of the cryptocurrency is cut in half, simultaneously increasing demand.
At the same time, the average cost of a ransomware incident is also rising steeply. A study by Palo Alto Networks charted a growth rate of 171 percent in ransoms paid between 2019 and 2020, with the average cost now over $312 thousand. The steepest ransom doubled between 2015 and 2020, from $15 million to $30 million.
An iron law?
So, is it fair to argue that the two trends positively correlated? When the price of Bitcoin rises we should expect ransomware activity to rise with it? Not necessarily, says threat researcher and cryptocurrency expert Tyler Moffitt.
For one, Moffitt cautions it’s important to keep the relative values of U.S. dollars and the various cryptocurrencies in mind when comparing the cost of ransomware. Demanding $50 million in Monero last month for hacking the Taiwanese PC manufacturer Acer and demanding $10 million in Bitcoin for a hack last year will not have netted cybercriminals the same amount. Patient ones, at least.
“Ransomware actors can always grow their demands based on the value of the U.S. dollar,” says Moffitt. “But they have the added benefit of being able grow profits exponentially by riding the Bitcoin market.”
As could be expected with such a volatile asset, these swings sometimes happen quickly. Like when ransomware actors had Baltimore’s public schools between a rock and hard place with WannaCry. The price of Bitcoin had crashed in 2018, but as the ransom demand was on the desk of the city the price surged, sending the total value of the ransom up with it.
In a sense, it’s the volatility of Bitcoin that undermines any direct, positive relationship with ransomware rates. While it’s tempting to see today’s sky-high price and assume cybercriminals would rush to get their slice of that pie, they too know how markets work. It’s possible a ransom of Bitcoin this year could be worth far less next year. For ransomware actors, it’s better to ride out the market, treating their Bitcoin stash like a cybercrime savings plan for aging hackers.
“A lot of ransomware actors aren’t turning their Bitcoin into cash as soon as they get it,” says Moffitt. “Many of them live cheaply on the hope that the $200 million they made in their cybercrime careers will one day net them billions.”
A more direct relationship
Cryptojacking—the process of secretly hijacking a victim’s computing power to generate cryptocurrency—has a much simpler relationship with the value of various currencies. Because miners only collect their currency after doing the work (redirected CPU in this case), it’s only worth doing when values justify it.
“With cryptojacking, we do actually see an increase or decrease in the number of attacks based on its price. So right now, in a bull year when the price keeps rising, you’re going to earn more when you mine,” says Moffitt.
Browser-based cryptojacking uses scripts injected into the webserver, usually by exploiting an unpatched server or capitalizing on an out-of-date WordPress plugin, etc. Then any browser that visits that webpage will mine cryptocurrency using the viewers browser. This attack skyrocketed from its inception in 2017 into 2018.
A watershed moment in browser-based cryptojacking followed the great crypto-crash of 2018 mentioned above. At least according to their official statement, the drop in mining profitability caused the ostensibly-legitimate mining script company Coinhive to shut down in early 2019.
“The ‘crash’ of the crypto currency market, with the value of [Monero] depreciating over 85% in the last year,” was cited by the company as a reason for closing up shop, though some researchers doubt how much truth there is to that claim.
In reality, Coinhive scripts were used by cybercriminals to mine on unsuspecting users’ devices. Researchers at Cornell University discovered that 99 percent of the sites they found running malicious mining scripts were no longer running them following the shutdown of Coinhive.
Its authors concluded, “It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining.”
Executable-based cryptojacking is when criminals leverage a breach on a machine, whether through phishing, exploits, RDP, and then drop a payload that on execution will use the machines resources to mine crypto. This attack was around before browser-based scripts and is still alive today. In fact, it’s the tactic seeing the most growth during cryptocurrency bull markets.
Monero, a favored cryptocurrency for miners based on its efficiency using consumer-grade devices, witnessed a rebound during this period. Over the course of 2020 and into 2021, the value rose from around $50 to around $250, perhaps explaining why Webroot found 8.9 million cryptojacking scripts in use in 2020.
In summary, both of these crypto-generating schemes require patience from their perpatraitors. When ransomware actors land a big payment from an extorted business, they may be forced to wait out market forces to maximize their earnings. For cryptojackers, profits trickle in over time. First they must determine whether they’re worth the effort and if they too want to play the long game with their take.
This World Backup Day, Our Customers Do the Talking
“I solemnly swear to back up my important documents and precious memories on March 31st.”
Are you taking the pledge this World Backup Day? Now in its tenth year, World Backup Day remains one of our favorite reminders of the risks of not backing up the data we hold dear.
According to the World Backup Day site, “This independent initiative to raise awareness about backups and data preservation started out — like most good things on the internet – on reddit by a couple of concerned users.”
The day goes beyond reminding businesses and private citizens of what they stand to lose due to device theft, hardware failure and other common forms of data loss. It’s a reminder that more and more of our culture is digital, and some of our greatest achievements reside online. Without them, we risk losing a piece of the very greatness of our civilization. (It’s a lot easier to come to work every day in support of the Carbonite mission when you put it like that.)
Here are some of the threats we’ve recently faced online:
- 121 million ransomware attacks in the first half of 2020 alone, up 20 percent over 20191
- Eighty-nine percent of businesses claim to have been targeted by COVID-19-related malware in 20202
- Phishing attacks claiming to be companies like Netflix, HBO and YouTube skyrocketed early in the pandemic3
Numbers are great, and necessary for showing the scope of the problem, but I wanted to see how data loss—and backups—affect real people. So I reached out to our community for stories about times when backup saved their backsides. Here’s what they had to say.
“In the past six weeks we have had two clients hit with ransomware. We have been able to use our backups to bring up server live environments within 45 minutes and it has saved a lot of time and data.” —David H.
“We managed IT for a remote office of a national law firm. The senior partner worked out of our office, and we had a contract to back up all client data firm-wide, as we felt there were numerous vulnerabilities in their system. One morning at 7 a.m., the server RAID array died, and not only were none of the drives recoverable but their tape backup also had not been working properly for at least six months. After the first few hours of them discovering all the things that did not work, I reminded the partner that we had been backing up their data and had a full, clean back up from six hours before the crash. Our extra backup saved the day!” —David Y.
“Backups saved us from a ransomware attack. We were able to isolate the server with the infected machine and restore our files from a local backup. Total downtime was less than 30 hours.” —PJ
“I have been saved from losing both personal and business data more than once!”—Vasilis
“I was able to use a backup to restore all my client’s data after a ransomware attack. Needless to say, they were very happy!”—Nathan
“We are extremely lucky in the fact that we haven’t had any cyberattacks. We did have an issue when our sever failed, and backup basically saved us.”—Simon
“Having good off-site backups enabled recovery from a large fire which rendered on-site backups useless.”—Warren
“We came in one day to find the office doors busted down and the computers raided. They left the cashbox alone, just stole RAM and hard drives. We were encrypting the hard drives, so we didn’t lose any data to the wild as the encryption couldn’t be cracked. But we were back up and running within two hours from backups alone.” —Sharif
Hardware failure, natural disasters, ransomware, device theft, file corruption—it’s not surprising that all of the most common forms of data loss surfaced when we reached out to our users. Don’t fall victim to them!
Back up your data this March 31 to keep from feeling like a fool come April.
Sources:
1 SonicWall Capture Labs
2 VMware/Carbon Black Global Threat Report June 2020
3 Webroot RTAP
A Defense-in-Depth Approach Could Stop the Next Big Hack in its Tracks
Last year’s SolarWinds attack and its aftermath have provided numerous lessons concerning the dangers of IT supply chain attacks. Not all apply to every small and medium-sized business—most are unlikely to be targeted by highly trained state-backed hackers with virtually limitless funding—but some will be.
We learned, for instance, that even IT pros could use a refresher on basic password hygiene through security awareness training. A more substantive lesson is the importance of defense in depth, an approach that prioritizes mutually reinforcing layers of security.
In the case of SolarWinds, the Trojanized Orion update was able to elude endpoint security because it was issued by such a trusted source. As we’ve discussed, however, the damage from the compromise could have been limited significantly by using a defense in depth approach backed by leading threat intelligence.
A firewall with the right threat intelligence embedded could have blocked communications with the command-and-control server thus preventing a Trojanized Orion install from connecting back to the attackers and stopping them from furthering the attack. An endpoint DNS solution could have stopped the Trojanized Orion version by refusing to resolve the domain names of the command-and-control servers, again disrupting the infection to the point that no real damage could be done.
This is what we mean when we stress the importance of a layered defense. Take a hypothetical scenario in which the opposite happens, for example. A zero-day threat with no known connection to malicious IPs, files, or other data objects may not be known to the threat intelligence feed informing a network security solution. Once it has made its way to the endpoint, however, it begins to engage in behaviors known to be malicious. Examples include elevating privileges, moving laterally, or trying to establish outbound communications to name a few.
In this case, it is the endpoint security solution’s turn to save the day. If equipped with a rollback or remediation feature, endpoint solutions can not only stop the activity but also remediate the damage already done. These two layers work in concert to pick up the slack left by the other, helping organizations remain resilient against different types of attacks.
Remote work threatens defense in depth
Most larger organizations and a growing number of smaller ones have caught on to the need for layering endpoint and network protection. Firewalls embed threat intelligence and DNS security solutions are used to both block malware and control internet use. But recent events have worked to undermine this growing understanding.
Remote work exploded in 2020 with the advent of COVID-19, rapidly ushering in a new way of working before all of the security details could really be worked out. This presents a new set of stubborn challenges for IT security admins that’s not likely to fade soon. Outside of the corporate firewall, it is the Wild West. Every employee’s home network has a different set of security protocols and internet use is unregulated.
Webroot’s report on COVID-19 work habits found that three out of four people (76%) worldwide admit they use personal devices for work tasks, use work devices for personal tasks, or both. The 2020 Webroot Threat Report also found that personal devices were about twice as likely to encounter a malware infection as business devices. Together these numbers suggest a significant security threat for companies with remote workers.
DNS security solutions are one way of addressing this risk. Installed as an agent on each corporate endpoint, they route traffic through protected DNS servers that can identify, stop and disrupt communications threats. Of course, personal device use still represents a problem for companies not enforcing strict policies against their use. Nevertheless, DNS security remains a way to protect business-issued devices beyond the company network.
The “next one” will look different
Focusing solely on how the SolarWinds attack is not the key to preventing future breaches. The next large supply chain attack will likely look very different than the SolarWinds attack. In fact, other than the infamous CC Cleaner hack of 2017, in which more than 2.3 million users of the computer cleanup software were duped into downloading malware onto their own machines, these types of attacks leveraging trusted but Trojanized updates are relatively rare.
But this fact makes defense in depth more critical, not less. Zero days will continue to be encountered. There is no telling which techniques the next one will employ, so it is important to make use of multiple tools to limit potential damage.
Cybercriminals will continue to undermine individual defenses. Smart organizations will hedge their cybersecurity bets so they are not all overcome at one time.
Why MSPs Need to Shift from Cybersecurity to Cyber Resilience
If your critical systems, website or customer data were suddenly inaccessible due to a cyberattack, how soon would you be able to get back up and running? That’s a question that should be on every business leader’s mind. We’ve written before about cyber resilience and why it’s so important, but in today’s increasingly disruptive threat landscape, it’s more important than ever for managed service providers (MSPs) and small to medium-sized businesses (SMBs) to embrace cyber resilience so they can mitigate disruption.
Threats such as hacking, phishing, ransomware and distributed denial-of-service (DDoS) attacks are only the tip of the iceberg and have the potential to interrupt critical business operations and cause reputational damage to organizations of all sizes. With attacks such as the SolarWinds security breach making headlines, as well as increasing threats targeting remote workers and taking advantage of COVID-19, MSPs and SMBs must concern themselves with threats that were once only a concern for much larger organizations. To stay resilient, it’s essential that leaders understand how to protect their businesses using a multi-layered approach.
Learn how your business can stay a step ahead of cybercriminals.
Download our Lockdown Lessons e-book today.
What’s driving the need for cyber resilience?
Cyberattacks are, unfortunately, a matter of “if,” not “when.” Being cyber resilient means that a company has both the ability to prevent attacks and also to mitigate damage and maintain business continuity when systems or data have been compromised. Where cybersecurity focuses more on protecting an organization before an attack has occurred, cyber resilience encompasses an end-to-end approach that keeps the business operating even in the midst and aftermath of an attack.
Without a holistic approach to security and recovery, catastrophic failures can occur. For example, many SMBs rely only on free cybersecurity solutions or eschew security all together. Our data shows only 26% of SMBs deploy enough layers of security to cover their users, networks and devices.
Complicating matters further is the digital disruption that stems from the rapid shift to remote work. The challenge for both MSPs and SMBs is in securing a remote workforce and new, unsecured perimeters, especially across home networks and personal devices, which are already at increased risk for an attack.
SMBs will look to MSPs to achieve cyber resilience
Business leaders have a significant opportunity to bolster confidence in the business through cyber resilience, especially as employees look to management to protect them against increasingly sophisticated threats. According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing whether their company is resilient, while nearly one in five (18%) flat-out think it isn’t. What’s more, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share, meaning that the burden of championing resilience starts with leadership. These statistics indicate a clear gap, and it’s safe to say that many SMBs are grappling with how to keep their businesses safe from cyberattacks.
As prominent attacks and the flow of threats continue, SMBs will look to MSPs to protect their businesses and help them achieve cyber resilience. This creates a unique opportunity for MSPs to guide customers through the maze of cybersecurity and data protection solutions and ensure they are receiving relevant education on protecting the business. MSPs can ensure that customers have defense in depth by offering ongoing security awareness training as well as endpoint protection. Those looking to transition to managed security can lean on Webroot’s training modules and phishing simulations to provide world-class training and monitoring.
It can take a village to prevent cyber threats
While getting support from MSPs is a great stride towards keeping businesses safe, a big piece of the cyber resilience puzzle is teamwork. There’s no single solution or approach that can protect a business, and it really does take a village to protect against today’s cyberattacks. Just as SMBs look to MSPs to become cyber resilient, MSPs can rely on security expertise to fill in the remaining gaps.
Cyber resilience solutions can be custom built for MSPs and their SMB customers, and further tailored to each individual business. By partnering with Webroot and Carbonite, you can offer a customizable set of solutions including endpoint protection, ongoing end user training, threat intelligence, and backup and recovery.
To learn more about cyber resilience and stay up to date on security tips and industry topics, follow our Hacker Files and Lockdown Lessons podcast series.
It’s Too Late for Threat Intelligence Vendors to Ignore IPv6
IPv6 has been a long time coming. Drafted by the Internet Engineering Task Force (ITEF) in 1998, it became an Internet Standard in 2017. Though the rollout of IPv6 addresses has proceeded at a glacial pace since then, adoption numbers continue to inch higher.
Worldwide IPv6 adoption, according to Google’s handy tracker, is around 33 percent. It’s higher in the United States, at just shy of 45 percent. The graph has been trending relentlessly up and to the right since the mid-2000s.
This increased adoption means more cyberattacks are originating from IPv6 addresses. That means security vendors and device manufacturers who rely on embedded threat intelligence should insist on visibility surrounding the successor to IPv4.
Why we needed IPv6
Since the late 1980s, the internet’s architects realized they were cruising toward a problem. IP addresses, those numbers assigned to every internet-connected device, or node, were designed to contain 32 bits. That made for just under 4.3 billion possible number combinations under the IPv4 system. It was apparent even thirty years ago that these possibilities would be exhausted.
That day came in February 2011, met with a dramatic announcement by the Internet Corporation for Assigned Names and Numbers. Its opening line reads, “A critical point in the history of the Internet was reached today with the allocation of the last remaining IPv4 (Internet Protocol version 4) addresses.”
It seemed like the end of an era. But it wasn’t really one at all. IP addresses are frequently recycled, reallocated and many millions were never used at all. There’s even a famous story about Stanford University giving back a block of millions of unused IPv4 addresses. That helps explain why we’ve gotten so far from the adoption of IPv6 as an Internet Standard to majority adoption.
On the other hand, IPv6 is based on 128-bit encryption. This allows for a whopping 3.4 x 1038 permutations, or roughly 340 trillion trillion trillion. So, while the day may come when we need to revisit the IP system, that day is unlikely to be soon and it almost certainly won’t be because we’ve run out of assignable options.
By the way…whatever happened IPv5? Didn’t we skip a number? Well, it did exist, but was never officially adopted because it used the same 32-bit architecture as its predecessor. Begun as an experimental method for transferring streaming voice and video data, IPv5 lives on through its successor, voice over IP (VoIP).
What continued IPv6 adoption means for internet security
Hackers tend to set their sites on new targets only when they become worthy of their attention. The same goes for IPv6. As the rest of the internet pursues its perfectly logical reasons for making the migration, increasing numbers of cybercriminals are looking to exploit it. As IPv6 adoption becomes more prevalent, threat actors are increasingly using its addresses as an attack vector.
If threat intelligence feeds haven’t prepared to analyze IPv6 addresses, they’re faced with big black holes in their data sets. As we’ve seen in recent attacks, the ability to monitor anomalous web traffic is key to detecting a breach. So, in addition to having visibility into the threat status of an IP, it’s also critical to have location data and be able to cross-reference its activities with known malicious ones.
Device manufacturers, too, should look to account for accelerated IPv6 adoption when it comes to securing their products. This is especially true for IoT devices. Not typically armed with the highest security measures to start with, they now face the additional threat of an intelligence blind spot if the manufacturer makes no effort to analyze IPv6 addresses.
As internet-connected nodes in the form of IoT devices continue to proliferate, millions of new IPs will be needed. IPv6 will thankfully be more than up to the task of accommodating them, but manufacturers should make sure their devices are designed with the capabilities to analyze them.
IPv6 may have been a long time coming, but it’s too late in the game to ignore. When it’s time to choose a threat intelligence partner, choose one that’s prepared.
To learn more about the Webroot BrightCloud IP Reputation Service, click here.
Cyber News Rundown: Phishing Targets NHS Regulatory Commission
Spanish labor agency suffers ransomware attack
Multiple systems were taken offline following a ransomware attack on the Spanish government labor agency SEPE, which has affected all 700 of their offices across the country. While some critical systems were impacted by the attack, officials have confirmed that the systems containing customer and other sensitive payroll data were not compromised. The Ryuk ransomware group are believed to be behind the attack. The group were involved in nearly a third of all ransomware attacks in 2020.
Latest phishing campaign targets NHS regulatory commission
Officials for the Care Quality Commission (CQC) have been received roughly 60,000 malicious phishing emails over the past three months that seems to be linked to the release of the COVID- 19 vaccine. The campaign has followed a pattern of spreading false information and requesting sensitive information for user’s NHS accounts. The use of the pandemic to scare recipients of fraudulent emails continues as many look forward to their turn to receive the vaccine.
Hackers gain admin access to surveillance company cameras
Hackers from a known collective were able to gain access to over 150,000 Verkada surveillance cameras in various sensitive locations across the globe after finding an access point available on the web. Viewable feeds included jails, banks and internal entry cameras for top companies like Cloudflare, which has since confirmed that they have taken these cameras offline. It remains unclear how long the hackers had access to the systems. They have stated they were able to steal roughly 5GB of data from the Verkada systems, which will likely be leaked in the coming months.
Ransomware distributor arrested in South Korea
An individual was arrested by South Korean police late last month after a lengthy investigation tracked ransomware payments to withdrawals made by the individual. The man in custody is believed to be responsible for distributing more than 6,000 phishing emails spoofing local law enforcement. These used malicious attachments to trigger GandCrab ransomware payloads to encrypt systems. This is the second reported GandCrab affiliate caught by law enforcement in the past year as global law enforcement agencies work together to transnational ransomware organizations.
REvil ransomware group puts 170GB of data up for sale
Officials for the Pan-American Life Insurance Group have issued a statement regarding recent outages in their systems, which were the result of a ransomware attack. Though there was a post on a known REvil ransomware group forum claiming to have taken 170GB of data from this breach, that post has since been removed, which could indicate that Pan-American could be in negotiations with the group to restore their systems.
Does a SIEM make sense for my MSP?
Every device on an MSP’s managed network provides insight into what’s happening on that network. This includes network routers, switches, printers, wireless devices to servers, endpoints, IoT devices and everything else connected to the network. Each creates a log in its own format, or syntax, that a technician can review for troubleshooting, configuration confirmation, the creation of specific alerts based on a device’s activity or a host of other reasons. These records of each devices’ activities are known as syslogs.
Syslogs present information in a variety of ways, including custom formatting, industry-standard formatting, even raw data lacking a consistent format. The good news is that any activity requiring a security review is buried somewhere in these syslogs. The bad news is that data can buried in these syslogs.
Whole mountain ranges of information are regularly processed by these systems. Millions upon millions of data points may be present, making the set overwhelmingly confusing. At best, sorting meaningful information from noise is a daunting task, even for well-staffed IT departments.
Fortunately for security professionals—and more specifically for MSPs and MSSPs focused on providing insight into their managed networks—there is a mature product category that can be incorporated into their technology stack to help. Security information event management (SIEM) solutions have existed for years, but they’ve recently been gaining traction among MSPs and MSSPs. For good reason: knowledge of a network’s activity is essential to protecting it.
Is setting up a SIEM worth the cost and effort for an MSP?
The short answer is: YES. If you want to synthesize information from various sources to determine if a security event has or is taking place on a customer network, then yes, a SIEM is the natural evolution of the MSP security stack.
The longer answer is, well, longer. Let’s break out a couple of options for those interested in establishing a more sophisticated security information and event management solution.
SIM, SEM or SIEM? That’s the question to begin with. While security information management (SIM) and security event management (SEM) solutions have been in place for some time, they’re now commonly combined into the offering referred to as a SIEM.
So, where does an MSP get started? There are three common choices for getting a SIEM stood up and configured:
- On-premise – Stand up a server, add some software (a bunch, actually), point all the syslogs to the device and get started. Easy, right? In reality, on-premise solutions have a higher cost and can be daunting to get started. Software costs range based upon the solution provider’s model. But if control and compliance are important, on-premise solutions may be a great option.
- Cloud-based – Any one of a number of existing solutions that cater to MSPs are simpler to get started. The challenge with cloud-based solutions entails pulling data from many sources and pushing it through firewalls and networks to a public cloud solution.
- Hybrid – As its name implies, some options blend cloud-based solutions with a local collection server to gather information and push a single source, securely, to the cloud for analysis and processing.
Feeding your SIEM a healthy diet of data
Before deciding on a SIEM component, a log collection or data collection solution must be set up to feed it. Syslog collection refers to a number of different activities, but in a SIEM or security-specific sense it usually comes down to what makes the most sense for the application: purpose-built or generic.
- A syslog aggregator or log collector – These are devices that take in all syslog information from all devices. They range from sophisticated solutions with alerting and performance reviews to feeds that simply “normalize” the data, distilling the most relevant input and then reworking the details into a consistent standard and reporting on the highlights.
- Syslog bridges – These are more generic solutions that act mostly as log collectors. Simply point devices to this collector and it maps the data.
- Syslog collector – These are generic log collectors much like a bridges, but they usually provide a little more intelligence, cost more, and often serve multiple purposes like performance, device status and security event reporting.
Log gathering is the most misunderstood aspect of a SIEM and is often overlooked. The key is finding the most appropriate strategy for your needs.
For most MSPs, a basic bridge with a specific security purpose for feeding a SIEM may be the most efficient and cost-effective option. For additional needs like performance or status determinations, a more sophisticated syslog may be good. But most performance and status information is already provided by RMM solutions, so why reinvent the wheel?
What to expect from your SIEM
After deciding on a syslog collector and SIEM setup, it’s time to put the SIEM to work parsing data and making sense of the output. This is the intel that allow technicians to make sound decisions regarding security events.
Which SIEM to incorporate into a given MSPs operations depends on the level of services offered. MSPs building out a SOC or offering managed detection and response (MDR) services may require more sophisticated output from their SIEM. MSPs simply looking to distill information for their respective technical teams to analyze and make security decisions can usually rely on tailored, cloud-based solutions.
Regardless of the provider, a SIEMs should at least do the following:
- Perform log gathering – If log gathering is not directly accounted for by a SIEM, another solution will be necessary for feeding data to it.
- Correlate security events – To spot security threats that may be spread across a network, not only native to a single device’s syslog, a SIEM must be able to track data across multiple devices.
- Connect to threat intelligence feeds – To keep up with a rapidly shifting threat landscape (and therefore useful to preventing attacks) it must be informed by strong threat intelligence feeds, preferably those using machine learning to recognize even zero-day threats.
- Issue security alerts – A key SIEM benefit is the ability to provide timely alerts regarding security events based on large amounts of data to assist with decision making, making it possible to stop attacks before they develop
- Present reports – Many SIEMs can produce reports in a cadence that makes sense for an MSP or MSSP depending on their needs and the needs of their clients.
- Enhance compliance – Because SIEMs aggregate information on a network, it can produce compliance reports for clients based on industry-specific needs.
A good SIEM solution can minimize technician workload and minimize manual data interpretation. It also benefits clients by beefing up your own security capabilities. A SIEM is a natural step for any growing MSP’s looking to provide the best security solution for customers with workable margins.
With a little focus, it shouldn’t take months or an act of congress to setup and use a SIEM. The above guidance should enable any MSP, regardless of size, to devise a viable plan for putting one in place.
3 Ransomware Myths Businesses Need to Stop Believing ASAP
Despite the rising ransomware numbers and the numerous related headlines, many small and medium-sized businesses (SMBs) still don’t consider themselves at risk from cyberattacks. Nothing could be further from the truth. Smaller organizations are a prime target, and ransomware authors have only upped the ante in their methods to ensure they get paid. For example, many ransomware groups now threaten to expose or sell company data stolen in a breach if victims refuse to pay, meaning the business in question could have to shell out for heavy fines due to GDPR and similar regulations. In many cases, paying the ransom may be the most cost effective (and least publicly embarrassing) option. But what if your business can’t afford it? Or if the downtime from the attack is too much to recover from? And what’s the long-term psychological and emotional toll?
Here are 3 myths about ransomware that businesses need to stop believing to stay resilient against these evolving and insidious attacks.
Myth #1: My company is small, so attackers won’t bother.
Today, any business is a target for ransomware, no matter its size. Since 2018, up to 86% of SMBs have reported being victims of ransomware each year. And, according to Verizon, “[Ransomware] is a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations.”
We’ve put this myth at the top of our list because it’s particularly dangerous. For many small organizations, a single cyberattack could put them out of business. Bigger enterprises with more robust data recovery and bigger security budgets are much more likely to weather an attack, while a smaller business may have no way of making up for the loss of time, revenue, and damage to customer trust that an attack could have.
Ransomware is not going away, and it’s getting more costly for SMBs. Businesses can’t afford to underestimate the risk.
Myth #2: There’s no way to prepare for a ransomware attack.
The sad truth in today’s cyber climate is that an attack is practically inevitable. The trick is reducing the likelihood of an attack, and making sure critical data is protected in case an attack succeeds. To prepare your business to weather the storm, there are a few key steps you can take.
- Proactively defend against ransomware attacks.
Ransomware typically gets into an organization by tricking a user into downloading a file and/or enabling macros. Combining reliable endpoint protection that can stop macros and malicious scripts with security awareness training for end users is an excellent step toward a proactive and in-depth defense. - Protect your data.
The ransomware business model works because losing access to your data can cause serious damage. A strong backup solution is vital. Full-server backups or asking end users to manage their own backups aren’t the most feasible options. But with the right solution set, there are significantly more efficient ways to ensure data on endpoint devices, servers, and within the Microsoft 365 suite is secured.
Myth #3: I already have a backup, so I’m safe.
If your business gets hit with an attack, you can and should expect some downtime. And if we accept the maxim “time is money,” then any amount of downtime is costly and potentially damaging. Having backups in place is crucial, but you also need to be able to recover the data you need quickly from safe backups that haven’t also been infected with the ransomware.
Bigger organizations have more resources to invest in redundant servers in secondary locations, but these protections can come at too high a cost for many SMBs. If that sounds like you, you’re not alone. We recommend you look into disaster recovery as a service (DRaaS), so you can leverage the cloud to ensure that critical business systems are online and accessible, no matter what happens on your network.
Next Steps
The one-two combination of proactive prevention and recovery is key for staying cyber resilient. If you start working to address the tips in this blog, you’ll drastically improve your chances of avoiding a ransomware attack entirely; and getting through it successfully if you do get breached.
For more details on these and other misconceptions to watch out for, get your free copy of our guide, Rip the Target Off Your Back: Debunking the Top 5 Myths about Ransomware and SMBs.