Last year’s SolarWinds attack and its aftermath have provided numerous lessons concerning the dangers of IT supply chain attacks. Not all apply to every small and medium-sized business—most are unlikely to be targeted by highly trained state-backed hackers with virtually limitless funding—but some will be.
We learned, for instance, that even IT pros could use a refresher on basic password hygiene through security awareness training. A more substantive lesson is the importance of defense in depth, an approach that prioritizes mutually reinforcing layers of security.
In the case of SolarWinds, the Trojanized Orion update was able to elude endpoint security because it was issued by such a trusted source. As we’ve discussed, however, the damage from the compromise could have been limited significantly by using a defense in depth approach backed by leading threat intelligence.
A firewall with the right threat intelligence embedded could have blocked communications with the command-and-control server thus preventing a Trojanized Orion install from connecting back to the attackers and stopping them from furthering the attack. An endpoint DNS solution could have stopped the Trojanized Orion version by refusing to resolve the domain names of the command-and-control servers, again disrupting the infection to the point that no real damage could be done.
This is what we mean when we stress the importance of a layered defense. Take a hypothetical scenario in which the opposite happens, for example. A zero-day threat with no known connection to malicious IPs, files, or other data objects may not be known to the threat intelligence feed informing a network security solution. Once it has made its way to the endpoint, however, it begins to engage in behaviors known to be malicious. Examples include elevating privileges, moving laterally, or trying to establish outbound communications to name a few.
In this case, it is the endpoint security solution’s turn to save the day. If equipped with a rollback or remediation feature, endpoint solutions can not only stop the activity but also remediate the damage already done. These two layers work in concert to pick up the slack left by the other, helping organizations remain resilient against different types of attacks.
Remote work threatens defense in depth
Most larger organizations and a growing number of smaller ones have caught on to the need for layering endpoint and network protection. Firewalls embed threat intelligence and DNS security solutions are used to both block malware and control internet use. But recent events have worked to undermine this growing understanding.
Remote work exploded in 2020 with the advent of COVID-19, rapidly ushering in a new way of working before all of the security details could really be worked out. This presents a new set of stubborn challenges for IT security admins that’s not likely to fade soon. Outside of the corporate firewall, it is the Wild West. Every employee’s home network has a different set of security protocols and internet use is unregulated.
Webroot’s report on COVID-19 work habits found that three out of four people (76%) worldwide admit they use personal devices for work tasks, use work devices for personal tasks, or both. The 2020 Webroot Threat Report also found that personal devices were about twice as likely to encounter a malware infection as business devices. Together these numbers suggest a significant security threat for companies with remote workers.
DNS security solutions are one way of addressing this risk. Installed as an agent on each corporate endpoint, they route traffic through protected DNS servers that can identify, stop and disrupt communications threats. Of course, personal device use still represents a problem for companies not enforcing strict policies against their use. Nevertheless, DNS security remains a way to protect business-issued devices beyond the company network.
The “next one” will look different
Focusing solely on how the SolarWinds attack unfolded is not the key to preventing future breaches. The next large supply chain attack will likely look very different from the SolarWinds attack. In fact, other than the infamous CCleaner hack of 2017, in which more than 2.3 million users of the computer cleanup software were duped into downloading malware onto their own machines, these types of attacks leveraging trusted but Trojanized updates are relatively rare.
But this fact makes defense in depth more critical, not less. Zero days will continue to be encountered. There is no telling which techniques the next one will employ, so it is important to make use of multiple tools to limit potential damage.
Cybercriminals will continue to undermine individual defenses. Smart organizations will hedge their cybersecurity bets so they are not all overcome at one time.
If your critical systems, website or customer data were suddenly inaccessible due to a cyberattack, how soon would you be able to get back up and running? That’s a question that should be on every business leader’s mind. We’ve written before about cyber resilience and why it’s so important, but in today’s increasingly disruptive threat landscape, it’s more important than ever for managed service providers (MSPs) and small to medium-sized businesses (SMBs) to embrace cyber resilience so they can mitigate disruption.
Threats such as hacking, phishing, ransomware and distributed denial-of-service (DDoS) attacks are only the tip of the iceberg and have the potential to interrupt critical business operations and cause reputational damage to organizations of all sizes. With attacks such as the SolarWinds security breach making headlines, as well as increasing threats targeting remote workers and taking advantage of COVID-19, MSPs and SMBs must concern themselves with threats that were once only a concern for much larger organizations. To stay resilient, it’s essential that leaders understand how to protect their businesses using a multi-layered approach.
What’s driving the need for cyber resilience?
Cyberattacks are, unfortunately, a matter of “if,” not “when.” Being cyber resilient means that a company has both the ability to prevent attacks and also to mitigate damage and maintain business continuity when systems or data have been compromised. Where cybersecurity focuses more on protecting an organization before an attack has occurred, cyber resilience encompasses an end-to-end approach that keeps the business operating even in the midst and aftermath of an attack.
Without a holistic approach to security and recovery, catastrophic failures can occur. For example, many SMBs rely only on free cybersecurity solutions or eschew security altogether. Our data shows only 26% of SMBs deploy enough layers of security to cover their users, networks and devices.
Complicating matters further is the digital disruption that stems from the rapid shift to remote work. The challenge for both MSPs and SMBs is in securing a remote workforce and new, unsecured perimeters, especially across home networks and personal devices, which are already at increased risk for an attack.
SMBs will look to MSPs to achieve cyber resilience
Business leaders have a significant opportunity to bolster confidence in the business through cyber resilience, especially as employees look to management to protect them against increasingly sophisticated threats. According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing whether their company is resilient, while nearly one in five (18%) flat-out think it isn’t. What’s more, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share, meaning that the burden of championing resilience starts with leadership. These statistics indicate a clear gap, and it’s safe to say that many SMBs are grappling with how to keep their businesses safe from cyberattacks.
As prominent attacks and the flow of threats continue, SMBs will look to MSPs to protect their businesses and help them achieve cyber resilience. This creates a unique opportunity for MSPs to guide customers through the maze of cybersecurity and data protection solutions and ensure they are receiving relevant education on protecting the business. MSPs can ensure that customers have defense in depth by offering ongoing security awareness training as well as endpoint protection. Those looking to transition to managed security can lean on Webroot’s training modules and phishing simulations to provide world-class training and monitoring.
It can take a village to prevent cyber threats
While getting support from MSPs is a great stride towards keeping businesses safe, a big piece of the cyber resilience puzzle is teamwork. There’s no single solution or approach that can protect a business, and it really does take a village to protect against today’s cyberattacks. Just as SMBs look to MSPs to become cyber resilient, MSPs can rely on security expertise to fill in the remaining gaps.
Cyber resilience solutions can be custom built for MSPs and their SMB customers, and further tailored to each individual business. By partnering with Webroot and Carbonite, you can offer a customizable set of solutions including endpoint protection, ongoing end user training, threat intelligence, and backup and recovery.
To learn more about cyber resilience and stay up to date on security tips and industry topics, follow our Hacker Files and Lockdown Lessons podcast series.
IPv6 has been a long time coming. Drafted by the Internet Engineering Task Force (IETF) in 1998, it became an Internet Standard in 2017. Though the rollout of IPv6 addresses has proceeded at a glacial pace since then, adoption numbers continue to inch higher.
Worldwide IPv6 adoption, according to Google’s handy tracker, is around 33 percent. It’s higher in the United States, at just shy of 45 percent. The graph has been trending relentlessly up and to the right since the mid-2000s.
This increased adoption means more cyberattacks are originating from IPv6 addresses. That means security vendors and device manufacturers who rely on embedded threat intelligence should insist on visibility surrounding the successor to IPv4.
Why we needed IPv6
As early as the late 1980s, the internet’s architects realized they were cruising toward a problem. IP addresses, those numbers assigned to every internet-connected device, or node, were designed to contain 32 bits. That made for just under 4.3 billion possible number combinations under the IPv4 system. It was apparent even thirty years ago that these possibilities would be exhausted.
That day came in February 2011, met with a dramatic announcement by the Internet Corporation for Assigned Names and Numbers. Its opening line reads, “A critical point in the history of the Internet was reached today with the allocation of the last remaining IPv4 (Internet Protocol version 4) addresses.”
It seemed like the end of an era. But it wasn’t really one at all. IP addresses are frequently recycled and reallocated, and many millions were never used at all. There’s even a famous story about Stanford University giving back a block of millions of unused IPv4 addresses. That helps explain why the gap between IPv6’s adoption as an Internet Standard and majority adoption has been so long.
On the other hand, IPv6 is based on 128-bit encryption. This allows for a whopping 3.4 x 10^38 permutations, or roughly 340 trillion trillion trillion. So, while the day may come when we need to revisit the IP system, that day is unlikely to be soon and it almost certainly won’t be because we’ve run out of assignable options.
By the way…whatever happened to IPv5? Didn’t we skip a number? Well, it did exist, but was never officially adopted because it used the same 32-bit architecture as its predecessor. Begun as an experimental method for transferring streaming voice and video data, IPv5 lives on through its successor, voice over IP (VoIP).
What continued IPv6 adoption means for internet security
Hackers tend to set their sights on new targets only when they become worthy of their attention. The same goes for IPv6. As the rest of the internet pursues its perfectly logical reasons for making the migration, increasing numbers of cybercriminals are looking to exploit it. As IPv6 adoption becomes more prevalent, threat actors are increasingly using its addresses as an attack vector.
If threat intelligence feeds haven’t prepared to analyze IPv6 addresses, they’re faced with big black holes in their data sets. As we’ve seen in recent attacks, the ability to monitor anomalous web traffic is key to detecting a breach. So, in addition to having visibility into the threat status of an IP, it’s also critical to have location data and be able to cross-reference its activities with known malicious ones.
Device manufacturers, too, should look to account for accelerated IPv6 adoption when it comes to securing their products. This is especially true for IoT devices. Not typically armed with the highest security measures to start with, they now face the additional threat of an intelligence blind spot if the manufacturer makes no effort to analyze IPv6 addresses.
As internet-connected nodes in the form of IoT devices continue to proliferate, millions of new IPs will be needed. IPv6 will thankfully be more than up to the task of accommodating them, but manufacturers should make sure their devices are designed with the capabilities to analyze them.
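The blind spot described above has a concrete form: an IPv6 address has many valid textual spellings, so a reputation feed keyed on raw strings will miss hits that a value-based lookup catches. The following is an added example, not code from this post or from Webroot; the feed entries are constructed from documentation address ranges, and the function names are the author’s own.

```python
import ipaddress

# Constructed reputation feed mixing IPv4 and IPv6 entries, as single hosts
# or CIDR blocks, each with a category. Documentation ranges only; none of
# these are real indicators.
RAW_FEED = {
    "203.0.113.7": "c2",
    "198.51.100.0/24": "scanner",
    "2001:db8:0:0:0:0:0:1": "c2",
    "2001:db8:bad::/48": "phishing",
}


def load_feed(raw):
    """Parse every entry into a network object so lookups compare address
    values, not strings: '2001:db8::1' and '2001:0db8:0:0::1' are the same
    host and must hit the same entry."""
    feed = [(ipaddress.ip_network(entry, strict=False), category)
            for entry, category in raw.items()]
    # Longest prefix first, so a specific host entry wins over a wider block.
    feed.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return feed


FEED = load_feed(RAW_FEED)


def lookup(address, feed=FEED):
    """Return (category, matched_entry) or (None, None) for either family.
    An IPv4 address written in IPv4-mapped IPv6 form (::ffff:203.0.113.7)
    is unwrapped so it cannot slip past an IPv4 entry."""
    ip = ipaddress.ip_address(address.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net, category in feed:
        if ip.version == net.version and ip in net:
            return category, str(net)
    return None, None


def naive_lookup(address, raw=RAW_FEED):
    """What a string-keyed, IPv4-era feed effectively does: exact text match."""
    return raw.get(address)


def blind_spot(addresses):
    """Addresses the value-based lookup flags but the naive lookup misses."""
    return [a for a in addresses if lookup(a)[0] and naive_lookup(a) is None]


if __name__ == "__main__":
    probes = ["2001:db8::1", "2001:DB8:BAD:1::5", "::ffff:203.0.113.7",
              "198.51.100.77", "2001:db8::2"]
    for p in probes:
        print(p, "->", lookup(p), "| naive:", naive_lookup(p))
    print("missed by string matching:", blind_spot(probes))
```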
IPv6 may have been a long time coming, but it’s too late in the game to ignore. When it’s time to choose a threat intelligence partner, choose one that’s prepared.
To learn more about the Webroot BrightCloud IP Reputation Service, click here.
Spanish labor agency suffers ransomware attack
Multiple systems were taken offline following a ransomware attack on the Spanish government labor agency SEPE, which has affected all 700 of their offices across the country. While some critical systems were impacted by the attack, officials have confirmed that the systems containing customer and other sensitive payroll data were not compromised. The Ryuk ransomware group are believed to be behind the attack. The group were involved in nearly a third of all ransomware attacks in 2020.
Latest phishing campaign targets NHS regulatory commission
Officials for the Care Quality Commission (CQC) have received roughly 60,000 malicious phishing emails over the past three months that seem to be linked to the release of the COVID-19 vaccine. The campaign has followed a pattern of spreading false information and requesting sensitive information for users’ NHS accounts. The use of the pandemic to scare recipients of fraudulent emails continues as many look forward to their turn to receive the vaccine.
Hackers gain admin access to surveillance company cameras
Hackers from a known collective were able to gain access to over 150,000 Verkada surveillance cameras in various sensitive locations across the globe after finding an access point available on the web. Viewable feeds included jails, banks and internal entry cameras for top companies like Cloudflare, which has since confirmed that they have taken these cameras offline. It remains unclear how long the hackers had access to the systems. They have stated they were able to steal roughly 5GB of data from the Verkada systems, which will likely be leaked in the coming months.
Ransomware distributor arrested in South Korea
An individual was arrested by South Korean police late last month after a lengthy investigation tracked ransomware payments to withdrawals made by the individual. The man in custody is believed to be responsible for distributing more than 6,000 phishing emails spoofing local law enforcement. These used malicious attachments to trigger GandCrab ransomware payloads to encrypt systems. This is the second reported GandCrab affiliate caught by law enforcement in the past year as global law enforcement agencies work together to combat transnational ransomware organizations.
REvil ransomware group puts 170GB of data up for sale
Officials for the Pan-American Life Insurance Group have issued a statement regarding recent outages in their systems, which were the result of a ransomware attack. Though there was a post on a known REvil ransomware group forum claiming to have taken 170GB of data from this breach, that post has since been removed, which could indicate that Pan-American could be in negotiations with the group to restore their systems.
Every device on an MSP’s managed network provides insight into what’s happening on that network. This includes everything from network routers, switches, printers and wireless devices to servers, endpoints, IoT devices and anything else connected to the network. Each creates a log in its own format, or syntax, that a technician can review for troubleshooting, configuration confirmation, the creation of specific alerts based on a device’s activity or a host of other reasons. These records of each device’s activities are known as syslogs.
Syslogs present information in a variety of ways, including custom formatting, industry-standard formatting, even raw data lacking a consistent format. The good news is that any activity requiring a security review is recorded somewhere in these syslogs. The bad news is that the relevant data can be buried deep within them.
Whole mountain ranges of information are regularly processed by these systems. Millions upon millions of data points may be present, making the set overwhelmingly confusing. At best, sorting meaningful information from noise is a daunting task, even for well-staffed IT departments.
Fortunately for security professionals—and more specifically for MSPs and MSSPs focused on providing insight into their managed networks—there is a mature product category that can be incorporated into their technology stack to help. Security information event management (SIEM) solutions have existed for years, but they’ve recently been gaining traction among MSPs and MSSPs. For good reason: knowledge of a network’s activity is essential to protecting it.
Is setting up a SIEM worth the cost and effort for an MSP?
The short answer is: YES. If you want to synthesize information from various sources to determine whether a security event has taken or is taking place on a customer network, then yes, a SIEM is the natural evolution of the MSP security stack.
The longer answer is, well, longer. Let’s break out a couple of options for those interested in establishing a more sophisticated security information and event management solution.
SIM, SEM or SIEM? That’s the question to begin with. While security information management (SIM) and security event management (SEM) solutions have been in place for some time, they’re now commonly combined into the offering referred to as a SIEM.
So, where does an MSP get started? There are three common choices for getting a SIEM stood up and configured:
- On-premise – Stand up a server, add some software (a bunch, actually), point all the syslogs to the device and get started. Easy, right? In reality, on-premise solutions have a higher cost and can be daunting to get started. Software costs range based upon the solution provider’s model. But if control and compliance are important, on-premise solutions may be a great option.
- Cloud-based – Any one of a number of existing solutions that cater to MSPs are simpler to get started. The challenge with cloud-based solutions entails pulling data from many sources and pushing it through firewalls and networks to a public cloud solution.
- Hybrid – As its name implies, some options blend cloud-based solutions with a local collection server to gather information and push a single source, securely, to the cloud for analysis and processing.
Feeding your SIEM a healthy diet of data
Before deciding on a SIEM component, a log collection or data collection solution must be set up to feed it. Syslog collection refers to a number of different activities, but in a SIEM or security-specific sense it usually comes down to what makes the most sense for the application: purpose-built or generic.
- A syslog aggregator or log collector – These are devices that take in all syslog information from all devices. They range from sophisticated solutions with alerting and performance reviews to feeds that simply “normalize” the data, distilling the most relevant input and then reworking the details into a consistent standard and reporting on the highlights.
- Syslog bridges – These are more generic solutions that act mostly as log collectors. Simply point devices to this collector and it maps the data.
- Syslog collector – These are generic log collectors much like bridges, but they usually provide a little more intelligence, cost more, and often serve multiple purposes like performance, device status and security event reporting.
Log gathering is the most misunderstood aspect of a SIEM and is often overlooked. The key is finding the most appropriate strategy for your needs.
For most MSPs, a basic bridge with a specific security purpose for feeding a SIEM may be the most efficient and cost-effective option. For additional needs like performance or status determinations, a more sophisticated syslog collector may be a better fit. But most performance and status information is already provided by RMM solutions, so why reinvent the wheel?
What to expect from your SIEM
After deciding on a syslog collector and SIEM setup, it’s time to put the SIEM to work parsing data and making sense of the output. This is the intel that allows technicians to make sound decisions regarding security events.
Which SIEM to incorporate into a given MSP’s operations depends on the level of services offered. MSPs building out a SOC or offering managed detection and response (MDR) services may require more sophisticated output from their SIEM. MSPs simply looking to distill information for their respective technical teams to analyze and make security decisions can usually rely on tailored, cloud-based solutions.
Regardless of the provider, a SIEM should at least do the following:
- Perform log gathering – If log gathering is not directly accounted for by a SIEM, another solution will be necessary for feeding data to it.
- Correlate security events – To spot security threats that may be spread across a network, not only native to a single device’s syslog, a SIEM must be able to track data across multiple devices.
- Connect to threat intelligence feeds – To keep up with a rapidly shifting threat landscape (and therefore useful to preventing attacks) it must be informed by strong threat intelligence feeds, preferably those using machine learning to recognize even zero-day threats.
- Issue security alerts – A key SIEM benefit is the ability to provide timely alerts regarding security events based on large amounts of data to assist with decision making, making it possible to stop attacks before they develop.
- Present reports – Many SIEMs can produce reports in a cadence that makes sense for an MSP or MSSP depending on their needs and the needs of their clients.
- Enhance compliance – Because SIEMs aggregate information on a network, they can produce compliance reports for clients based on industry-specific needs.
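To make the collection and correlation steps above concrete, here is an added example (not code from this post or from Webroot, and not any product’s implementation) of the core of what a log collector and SIEM do: normalize syslog lines arriving in three different device formats into one schema, cross-reference the source against a threat intelligence list, and correlate failed logins across several devices followed by a success. All log lines, hostnames, addresses and the threat list are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines from three device types, each in its own
# format: a firewall (key=value), SSH servers (BSD syslog) and a VPN
# appliance (CEF-style). Hostnames and addresses are made up.
SAMPLE_LOGS = [
    "Mar 12 10:01:02 fw01 kernel: action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "Mar 12 10:01:05 srv01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "Mar 12 10:01:09 srv02 sshd[871]: Failed password for admin from 203.0.113.7 port 51140 ssh2",
    "Mar 12 10:01:15 vpn01 CEF:0|Acme|VPN|1.0|100|Login failed|5|src=203.0.113.7 suser=admin",
    "Mar 12 10:01:31 srv02 sshd[880]: Accepted password for admin from 203.0.113.7 port 51190 ssh2",
    "Mar 12 10:02:00 srv01 sshd[2240]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
]

# Constructed threat intelligence list of known-bad source addresses.
THREAT_FEED = {"203.0.113.7"}

YEAR = 2021  # BSD syslog timestamps carry no year; assume one for parsing.

# Common header shared by all three formats: timestamp, hostname, message.
HEADER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Device-specific parsers: (pattern, function mapping the match to common fields).
PARSERS = [
    (re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"),
     lambda m: {"event": "auth_fail" if m["result"] == "Failed" else "auth_success",
                "user": m["user"], "src": m["src"]}),
    (re.compile(r"kernel: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"),
     lambda m: {"event": "fw_" + m["action"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}),
    (re.compile(r"CEF:0\|[^|]*\|[^|]*\|[^|]*\|\d+\|(?P<name>[^|]+)\|\d+\|src=(?P<src>\S+) suser=(?P<user>\S+)"),
     lambda m: {"event": "auth_fail" if "failed" in m["name"].lower() else "auth_success",
                "user": m["user"], "src": m["src"]}),
]


def normalize(line):
    """Turn one raw syslog line into a common event dict, or None if no parser matches."""
    h = HEADER.match(line)
    if not h:
        return None
    ts = datetime.strptime(f"{YEAR} {h['ts']}", "%Y %b %d %H:%M:%S")
    for pattern, extract in PARSERS:
        m = pattern.search(h["msg"])
        if m:
            return {"ts": ts, "host": h["host"], **extract(m)}
    return None


def correlate(events, window=timedelta(minutes=5), min_hosts=2):
    """Cross-device correlation. Alerts when a source fails authentication on
    at least `min_hosts` distinct devices within `window` and then succeeds
    anywhere, and when any event's source appears on the threat feed."""
    alerts = []
    fails = defaultdict(list)  # src -> [(timestamp, host)]
    intel_hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev.get("src")
        if src in THREAT_FEED and src not in intel_hits:
            intel_hits.add(src)
            alerts.append({"type": "threat_intel_match", "src": src, "host": ev["host"]})
        if ev["event"] == "auth_fail":
            fails[src].append((ev["ts"], ev["host"]))
        elif ev["event"] == "auth_success":
            recent = {host for ts, host in fails[src] if ev["ts"] - ts <= window}
            if len(recent) >= min_hosts:
                alerts.append({"type": "spray_then_success", "src": src, "user": ev["user"],
                               "host": ev["host"], "failed_hosts": sorted(recent)})
    return alerts


def run(lines=SAMPLE_LOGS):
    """Normalize the lines, drop anything unparsed, and return (events, alerts)."""
    events = [e for e in map(normalize, lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    evs, found = run()
    print(f"normalized {len(evs)} of {len(SAMPLE_LOGS)} lines")
    for alert in found:
        print(alert)
```

Lines no parser understands are dropped rather than guessed at, which is the practical reason the collector in front of a SIEM must know each device’s format.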
A good SIEM solution can minimize technician workload and reduce manual data interpretation. It also benefits clients by beefing up your own security capabilities. A SIEM is a natural step for any growing MSP looking to provide the best security solution for customers with workable margins.
With a little focus, it shouldn’t take months or an act of Congress to set up and use a SIEM. The above guidance should enable any MSP, regardless of size, to devise a viable plan for putting one in place.
Despite the rising ransomware numbers and the numerous related headlines, many small and medium-sized businesses (SMBs) still don’t consider themselves at risk from cyberattacks. Nothing could be further from the truth. Smaller organizations are a prime target, and ransomware authors have only upped the ante in their methods to ensure they get paid. For example, many ransomware groups now threaten to expose or sell company data stolen in a breach if victims refuse to pay, meaning the business in question could have to shell out for heavy fines due to GDPR and similar regulations. In many cases, paying the ransom may be the most cost effective (and least publicly embarrassing) option. But what if your business can’t afford it? Or if the downtime from the attack is too much to recover from? And what’s the long-term psychological and emotional toll?
Here are 3 myths about ransomware that businesses need to stop believing to stay resilient against these evolving and insidious attacks.
Myth #1: My company is small, so attackers won’t bother.
Today, any business is a target for ransomware, no matter its size. Since 2018, up to 86% of SMBs have reported being victims of ransomware each year. And, according to Verizon, “[Ransomware] is a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations.”
We’ve put this myth at the top of our list because it’s particularly dangerous. For many small organizations, a single cyberattack could put them out of business. Bigger enterprises with more robust data recovery and bigger security budgets are much more likely to weather an attack, while a smaller business may have no way of making up for the loss of time, revenue, and damage to customer trust that an attack could have.
Ransomware is not going away, and it’s getting more costly for SMBs. Businesses can’t afford to underestimate the risk.
Myth #2: There’s no way to prepare for a ransomware attack.
The sad truth in today’s cyber climate is that an attack is practically inevitable. The trick is reducing the likelihood of an attack, and making sure critical data is protected in case an attack succeeds. To prepare your business to weather the storm, there are a few key steps you can take.
- Proactively defend against ransomware attacks.
Ransomware typically gets into an organization by tricking a user into downloading a file and/or enabling macros. Combining reliable endpoint protection that can stop macros and malicious scripts with security awareness training for end users is an excellent step toward a proactive and in-depth defense.
- Protect your data.
The ransomware business model works because losing access to your data can cause serious damage. A strong backup solution is vital. Full-server backups or asking end users to manage their own backups aren’t the most feasible options. But with the right solution set, there are significantly more efficient ways to ensure data on endpoint devices, servers, and within the Microsoft 365 suite is secured.
Myth #3: I already have a backup, so I’m safe.
If your business gets hit with an attack, you can and should expect some downtime. And if we accept the maxim “time is money,” then any amount of downtime is costly and potentially damaging. Having backups in place is crucial, but you also need to be able to recover the data you need quickly from safe backups that haven’t also been infected with the ransomware.
Bigger organizations have more resources to invest in redundant servers in secondary locations, but these protections can come at too high a cost for many SMBs. If that sounds like you, you’re not alone. We recommend you look into disaster recovery as a service (DRaaS), so you can leverage the cloud to ensure that critical business systems are online and accessible, no matter what happens on your network.
The one-two combination of proactive prevention and recovery is key for staying cyber resilient. If you start working to address the tips in this blog, you’ll drastically improve your chances of avoiding a ransomware attack entirely, and of getting through it successfully if you do get breached.
For more details on these and other misconceptions to watch out for, get your free copy of our guide, Rip the Target Off Your Back: Debunking the Top 5 Myths about Ransomware and SMBs.
One of the reasons why there’s so much cybercrime is because there are so many ways for cybercriminals to exploit vulnerabilities and circumvent even the best defenses. You may be surprised to find that one of the biggest vulnerabilities is users. Many successful attacks could actually be prevented if users just knew what to look for. In that spirit, we put together this blog post to explain the different hacker types and methods they use against us.
For even more tips from Webroot IT security experts Tyler Moffitt, Kelvin Murray, Grayson Milbourne, George Anderson and Jonathan Barnett, download the complete e-book on hacker personas.
Today’s cybercriminals are masters at exploiting basic human trust. Pretending to be someone else, these hackers manipulate their victims into opening doors to systems or unwittingly sharing passwords or banking details. This type of cybercriminal is skilled at masking their true intentions behind seemingly harmless requests or legitimate-looking websites. Impersonators are increasingly sophisticated, often hosting malicious content on legitimate sites.
Opportunists exploit common human traits such as trust and familiarity. They rely on targeted or focused attacks, and carry out their crimes against specific businesses or individuals. These hackers thoroughly research their targets, often running tests before launching the actual attack. Opportunists look for existing weaknesses or vulnerabilities they can exploit at scale to pull as many victims as possible into their nets.
Infiltrators rely on virtual back doors and unprotected points-of-entry to slip through hidden cracks. Hiding in the shadows, this type of cybercriminal watches and waits for the opportunity to invade systems. DNS (Domain Name System) is especially vulnerable. Once the criminal redirects internet traffic to malicious websites or takes control of servers, the damage is inevitable.
One of the most common methods of infiltration includes internet-based attacks, such as Denial of Service (DoS), Distributed Denial of Service (DDoS) and DNS poisoning. By default, DNS traffic is unencrypted, allowing internet service providers and other third parties to monitor website requests, surveil browsing habits, and even duplicate web servers to redirect traffic. However, cybercriminals can also use legal DNS traffic surveillance to their advantage.
Cybersecurity Tips for Individuals and Businesses
Aside from arming yourself with the knowledge you need to identify attacks, it’s important to install threat detection and remediation software on your devices. Be sure to update and patch software and firewalls as well as network security programs. You should also be skeptical of any requests for financial information or passwords, and scrutinize all COVID-related emails, links or apps. To learn more tips on how to identify and prevent attacks, download the complete e-book below.
Italy targeted by Ursnif banking Trojan
Over 100 banks in Italy have fallen victim to the Ursnif banking trojan, which has stolen thousands of login credentials since it was first discovered in 2007. The attack may have compromised up to 1,700 additional pairs of banking credentials through a payment processor, some of which were already confirmed to be legitimate by multiple Italian banks. The attack likely began as a malicious email using social engineering to trick users into clicking links.
Telemarketer leaves thousands of records exposed
A California-based telemarketing firm was recently alerted to an exposed Amazon AWS bucket containing over 100,000 records and requiring no authentication to access. Among the records were hours of customer phone calls and text-based communications. These contained sensitive information that could be used to launch further social engineering attacks, endangering the identities of thousands of clients. The AWS bucket has remained unsecured for more than two months since the company was notified.
Third party exposes decade of Malaysia Airlines customer data
Officials for Malaysia Airlines have announced that a third-party IT service provider had suffered a data breach that may have exposed information belonging to the airline’s Enrich frequent flyer program members for nearly a decade. While it remains unclear how many members had their information leaked, the airline has reached out to all members regarding updating their login credentials. None of their internal systems have been reported compromised.
Microsoft releases patches for multiple zero-day vulnerabilities
Microsoft has pushed out fixes for at least seven known vulnerabilities related to Exchange Servers in an off-cycle release. Four of the zero-day exploits are being actively targeted by malicious actors. These vulnerabilities were believed to have been exploited for nearly two months and are being used to steal sensitive information from within the affected systems. Users looking to deploy the patches should note that they will not cleanse already compromised systems; they only prevent future exploitation.
Cyberattack takes PrismHR offline
Officials for PrismHR are working to restore functionality to their payroll platform after a suspected ransomware attack. Even though the attack occurred over a weekend, IT workers were able to shut down the remainder of their unaffected systems before it could spread further. The company has also confirmed that no customer information was stolen during the attack and that it is working to restore functionality from backups.
For most small businesses, the chances of falling prey to a long-term covert surveillance operation by well-resourced, likely state-backed actors are slim. To recap, that is what the evidence suggests happened in the SolarWinds compromise discovered last December. Many believe the company’s Orion update was used to conduct cyber espionage for months prior to being discovered.
However, data shows the time to detect a data breach for businesses averages 280 days, according to research conducted by IBM and the Ponemon Institute, a significant gap between the time a network is compromised and its discovery. This shows that stealthily surveilling a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses.
What would reducing the time to discovery mean for small businesses? Likely it would mean less of their data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted or less reputational damage to companies.
Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.
Consider booby trapping your network
As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help your organization level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses. Passive protection is good and necessary, to be sure, but network “booby traps,” sometimes called canary tokens, can help reduce the advantage held by hackers.
These measures may include setting up a domain administrator account that is bound to look like a juicy target to a network intruder. It may be configured according to default settings or with a particularly weak password – some way that makes it easy for a determined hacker to access. Once inside, though, the intruder’s presence triggers alarms alerting IT staff that an attack is underway and even locking out the suspicious user.
Researchers have laid out several ways booby trapping could work, but all rely on the principle of an action being taken by an attacker that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react.
Configure and pay close attention to failed login attempts
Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.
When configured properly, however, RDP and other password-protected tools should lock users out after a given number of incorrect attempts and alert an admin. This forces a user, legitimate or otherwise, to wait some predetermined time before attempting to log in again. Reaching out to the locked-out user could then help determine if the credentials have been stolen or if it is a genuine case of “fat fingers.”
If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.
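The two measures above, a decoy account that should never be touched and a failed-logon threshold that should trigger a lockout and an alert, can be checked against the same logon records. The following is an added example, not code from the original post or from Webroot, that triages a constructed, simplified text rendering of Windows Security events 4624 (logon success) and 4625 (logon failure). The decoy account name, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all made up for the example; a real deployment would parse its own log export (EVTX, Sysmon, a SIEM) into the same fields.

```python
"""Triage Windows logon events for decoy-account hits and brute-force patterns.

Added example (not from the original post). Input lines are a constructed,
simplified text rendering of Windows Security events 4624 and 4625.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: one RDP brute-force source (LogonType 10 = RemoteInteractive),
# one decoy-account touch, and ordinary noise. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2021-03-08T02:14:05Z EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=10
2021-03-08T02:14:07Z EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=10
2021-03-08T02:14:09Z EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10
2021-03-08T02:14:11Z EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2021-03-08T02:14:13Z EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=10
2021-03-08T02:14:20Z EventID=4624 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=10
2021-03-08T03:01:00Z EventID=4625 TargetUserName=mlee IpAddress=198.51.100.4 LogonType=10
2021-03-08T03:05:00Z EventID=4624 TargetUserName=mlee IpAddress=198.51.100.4 LogonType=10
2021-03-08T03:40:12Z EventID=4624 TargetUserName=svc_backup_admin IpAddress=10.0.0.55 LogonType=3
"""

# The "juicy" canary account from the text; the name is constructed for the example.
DECOY_ACCOUNTS = {"svc_backup_admin"}


def parse_event(line):
    """Parse 'timestamp key=value ...' into a dict; the timestamp becomes 'ts' (aware datetime)."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def triage(log_text, decoy_accounts=DECOY_ACCOUNTS, threshold=5, window_seconds=300):
    """Return a list of (severity, kind, source_ip, user, timestamp) alerts.

    Rules:
      * any logon attempt (success or failure) against a decoy account -> 'decoy_account'
      * >= threshold failures from one IP within window_seconds        -> 'brute_force'
      * a success from an IP already flagged for brute force           -> 'success_after_brute_force'
    """
    alerts = []
    failures = defaultdict(deque)      # ip -> timestamps of recent 4625 events
    flagged_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        ip, user, ts = ev.get("IpAddress", "-"), ev.get("TargetUserName", "-"), ev["ts"]
        if user in decoy_accounts:
            alerts.append(("high", "decoy_account", ip, user, ts))
        if ev["EventID"] == "4625":
            window = failures[ip]
            window.append(ts)
            # Drop failures older than the sliding window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("medium", "brute_force", ip, user, ts))
        elif ev["EventID"] == "4624" and ip in flagged_ips:
            # The lockout/reset advice in the text applies here: a success after a burst
            # of failures is the strongest sign the credentials were guessed or stolen.
            alerts.append(("high", "success_after_brute_force", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for sev, kind, ip, user, ts in triage(SAMPLE_LOG):
        print(f"[{sev}] {kind}: ip={ip} user={user} at={ts.isoformat()}")
```

On the sample log this yields three alerts: the brute-force burst from 203.0.113.7, the success that follows it, and the touch of the decoy account. Raising the threshold to six suppresses the first two, which is the trade-off the text describes: a lockout limit that is too generous means the burst is never noticed.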
Monitor anomalous web traffic
Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when, suddenly, an IP address from Eastern Europe is trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.
That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once that baseline exists, the monitoring platform can automatically alert admins when activity departs from it. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.
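Learning what each host normally talks to and then flagging departures, as the paragraph above describes, can be done with a simple per-host baseline. The example below is added here and is not from the original post; the hostnames, destination domains and flow records are constructed, and a real deployment would feed firewall, proxy or NetFlow exports into the same two functions.

```python
"""Baseline each host's outbound destinations, then flag what is new.

Added example, not from the original post. Records are constructed flow
summaries of the form (host, destination, port).
"""
from collections import Counter, defaultdict

# Constructed learning-period flows: what each host normally talks to.
BASELINE_FLOWS = [
    ("web01", "cdn.example.net", 443), ("web01", "api.example.org", 443),
    ("web01", "ntp.example.net", 123), ("db01", "web01.corp.example", 5432),
    ("db01", "updates.example.net", 443), ("ws-17", "mail.example.com", 443),
    ("ws-17", "cdn.example.net", 443), ("ws-17", "updates.example.net", 443),
]

# Constructed live flows: web01 starts talking repeatedly to a never-seen domain,
# and ws-17 reaches a known domain on a port it has never used for it.
LIVE_FLOWS = [
    ("web01", "cdn.example.net", 443),
    ("web01", "static.example-unknown.test", 443),
    ("web01", "static.example-unknown.test", 443),
    ("web01", "static.example-unknown.test", 443),
    ("ws-17", "mail.example.com", 443),
    ("ws-17", "cdn.example.net", 8443),
]


def build_baseline(flows):
    """Return {host: {(destination, port), ...}} seen during the learning period."""
    baseline = defaultdict(set)
    for host, dst, port in flows:
        baseline[host].add((dst, port))
    return baseline


def find_anomalies(baseline, flows, repeat_threshold=3):
    """Compare live flows against the baseline.

    Returns a sorted list of (severity, host, destination, port, reason, count):
      * destination domain never seen for that host   -> 'new_destination'
      * known domain but a port never used with it    -> 'new_port'
    A new destination contacted repeat_threshold or more times is raised to 'high',
    matching the text's "never talked to ... but now does so often".
    """
    seen_counts = Counter()
    findings = {}
    for host, dst, port in flows:
        known = baseline.get(host, set())
        if (dst, port) in known:
            continue                      # normal for this host
        known_domains = {d for d, _ in known}
        reason = "new_port" if dst in known_domains else "new_destination"
        seen_counts[(host, dst, port)] += 1
        count = seen_counts[(host, dst, port)]
        severity = "high" if reason == "new_destination" and count >= repeat_threshold else "medium"
        findings[(host, dst, port)] = (severity, host, dst, port, reason, count)
    return sorted(findings.values(), key=lambda f: (f[1], f[2]))


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(finding)
```

The learning period is the expensive part the text warns about: until the baseline covers a host's legitimate but infrequent destinations (patch mirrors, licensing servers), every one of them will surface as a medium finding and has to be reviewed and added.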
Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.
Staying on guard against attacks
The best strategies for ensuring cyberattacks are not successful – and do not go unnoticed if they do – involve a mix of active and passive defenses. But poor configurations can undermine both. While small businesses are unlikely to become targets of highly skilled state-sponsored attackers, there are steps they can still take to make sure defenses are not undermined by the same common tactics.
Here are a few quick tips:
- Do not rely on the default configuration for RDP. Enforce 2FA and password timeouts.
- Disable powerful tools like PowerShell, Office macros and WMI where not needed.
- Limit access rights on your internal network so that only those who need access have it.
- Strictly control access to the dev and QA processes if these take place within your organization.
Buzzwords and acronyms abound in the MSP industry, an unfortunate byproduct of marketing years in the making. Cybersecurity is a hot watercooler topic at any business. Well, now probably more likely a virtual happy hour than a watercooler, but nevertheless cybersecurity remains top-of-mind.
To sleep at night, MSPs feel they must enhance or expand their security offerings beyond the standard layers, like firewalls, firewall filtering, Active Directory protocols, DNS filtering and antivirus/malware detection. One of the ways many MSPs feel they can satisfy their cybersecurity concerns involves the buzzword-y new acronyms floating around, such as “EDR,” or endpoint detection and response. But what is EDR really, and what can it do for MSPs and their clients?
But first, besides EDR, there’s also ADR, MDR, xDR, and the industry can surely expect newer blank-DR acronyms in the next few years. What are all these acronyms and how do they help MSPs protect their clients? Here are a few definitions:
- EDR (Endpoint Detection and Response) – Technically, every security agent sitting on an endpoint is an EDR solution. The information the agents feed back to administrators determines what action to take and when.
- ADR (Automatic Detection and Response) – Newer technology allows the agent to automatically make a decision without human intervention. Ideally, ADR automatically remediates a situation and reports to the administrators on action taken.
- xDR – This newer acronym refers to agents across a network communicating to make a remediation decision or report decision across multiple endpoints.
- MDR (Managed Detection and Response) – A best-of-breed solution using EDR, ADR and possibly xDR tools in various combinations, MDR allows a human team to make decisions and respond to situations. While more complex and administratively heavy, MDR closes the gap that arises when suspicious applications are being monitored and observed, but not reacted to by an ADR or xDR solution. Human-driven MDR ferrets out the suspicious and reacts.
Here are five things MSPs should consider when evaluating EDR solutions:
1. All security tools with an endpoint agent are basically EDR.
Their job is to detect malicious code, applications, scripts or other malicious files and make a status determination on the fly. Most security agents use various methods like checking file hashes, scanning file content, watching behaviors, looking at scripts, detecting known attack surfaces and other techniques to try to ascertain if a newly encountered file is good or bad.
How the security agent reports its activity depends on the EDR tool. So, while many security tools claim they offer an “EDR” solution, the key is to determine whether the reporting or alerting conveys the threat level, the suspicious indicators and the action taken in a way that adds value for MSPs.
2. The “R,” or response, is key to a successful EDR solution.
While many security tools report and alert, the level of response is the most important aspect of any security practice. If the security agent provides minimal information for decision making, it’s of limited use to the technical personnel responsible for intervening.
On the other hand, technicians can take advantage of security tools with consoles that display alerts, reports and visibility into whether an agent responded, how, and the agent’s current status. Too often tools don’t provide the insight necessary for reviewing or comparing threat data or approaches against references like the MITRE ATT&CK framework or other sites with relevant threat information.
Solutions with a more comprehensive API are advantageous for custom review, integration into more dedicated threat review tools or for alerting through a log gathering and reporting tool. APIs are valuable for providing added information from which human technicians can make decisions.
3. What can be done with the EDR information? Is it actionable?
Once a tool has been selected, what should be done with the information it provides? Answering this is key to successfully setting EDR expectations for customers. If a client requires that an MSP have an EDR solution in place, installing an agent is only half of the equation.
Gathering the information into a comprehensive tool or suite can be daunting. If the security solution provider has tools like alerts, reports or an API, start there. However, these tools are often limited and need to be supplemented by a solution with higher performance or a faster response time.
Log gathering tools are a higher performance option that allow many tools to feed into a single system. Once such a solution is in place, the next challenge is to build rules for sifting through the millions of ingested points of information. These rules give human reviewers more details for making decisions. It may take several cycles to home in on the rules that lead to successfully spotting suspicious or malicious activity and protecting customers.
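A rule layered on top of ingested EDR telemetry, as described above, can be as simple as a few field matches tagged with the ATT&CK technique they indicate, which also gives reviewers the reference point mentioned under the second consideration. The example below is added here and is not from the original post or from any vendor's product. It uses constructed process-creation events with hypothetical field names (parent, image, cmdline); the ATT&CK technique ids are the public identifiers for those techniques, and the encoded-command argument in the sample is a placeholder, not a real payload.

```python
"""Apply simple detection rules to EDR process-creation telemetry.

Added example, not from the original post or any vendor's product. Events
and field names are constructed; a real EDR export would be mapped onto them.
"""
import re

# Constructed telemetry: one benign Word launch, one Word-spawned encoded PowerShell,
# one WMI-spawned shell, and a legitimate admin script run from the desktop.
EVENTS = [
    {"host": "ws-03", "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docx"},
    {"host": "ws-03", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc BASE64PLACEHOLDER"},
    {"host": "srv-01", "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "ws-12", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Each rule lists case-insensitive regexes that must all match; 'technique' is the
# ATT&CK id a reviewer can look up when comparing approaches.
RULES = [
    {"name": "office_spawns_shell", "severity": "high", "technique": "T1204.002",
     "parent": r"^(WINWORD|EXCEL|POWERPNT)\.EXE$",
     "image": r"^(powershell|cmd|wscript|cscript)\.exe$"},
    {"name": "encoded_powershell", "severity": "medium", "technique": "T1059.001",
     "image": r"^powershell\.exe$",
     "cmdline": r"\s-e(nc|ncodedcommand)?\s"},
    {"name": "wmi_spawns_process", "severity": "medium", "technique": "T1047",
     "parent": r"^WmiPrvSE\.exe$"},
]

MATCH_FIELDS = ("parent", "image", "cmdline")


def rule_matches(rule, event):
    """True when every regex the rule defines matches the corresponding event field."""
    return all(re.search(rule[f], event.get(f, ""), re.IGNORECASE)
               for f in MATCH_FIELDS if f in rule)


def run_rules(events, rules):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                alerts.append({"rule": rule["name"], "severity": rule["severity"],
                               "technique": rule["technique"], "host": event["host"],
                               "image": event["image"], "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS, RULES):
        print(f"[{alert['severity']}] {alert['host']}: {alert['rule']} ({alert['technique']}) "
              f"{alert['cmdline']}")
```

The fourth event, a scheduled backup script launched from the desktop, matches nothing; that kind of known-good activity is what the tuning cycles in the text are for, and a rule such as the encoded-command check is deliberately narrow so that ordinary scripted administration does not drown the queue.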
4. Understand what’s behind the EDR hype.
What’s the buzz around EDR and why has it become such a topic for discussion? It’s a fair question, considering that the level of effort to stand up, manage and monitor an EDR solution, and to address a situation when it arises, can be costly and time consuming. Simply having a security vendor that “supports EDR” isn’t enough. Selecting a check box to satisfy a requirement is, again, only half of the equation.
So, why go through the time and expense of implementing EDR? Here are three top reasons:
- Cybersecurity insurance – With the rise of breaches across business and public sector landscapes, cybersecurity insurance is on the rise. Many providers have requirements, from governance to tools, that must meet a specific scope. EDR is one such requirement.
- Good practice – Having layers of protection for customers is important. Extending security offerings by adding an EDR solution with a process will increase that security footprint.
- Managed Security Service Provider (MSSP) – More and more MSPs are adding value to their customers by adding cybersecurity-specific services. With cybersecurity challenges on the rise, many service providers can increase revenue and provide greater security posture for their customers. Implementing an EDR solution will contribute to that effort.
5. Plan out next steps for adopting EDR at your MSP
- Evaluate the need. Investing in potentially costly new solutions because of a buzzword is not advisable.
- Determine the level of effort required to adopt an EDR solution and devise a plan for doing it.
- Review existing tools and determine if existing solutions are being leveraged most effectively today.
- Build the team. Part of the plan for adopting EDR should include designating a security team to both manage the solution and respond to its findings.
Simply ticking an EDR box won’t necessarily contribute to client security. MSPs should evaluate the needs EDR will satisfy, the level of effort it takes to implement and how EDR fits into their overall service offering. Vendors won’t hesitate to offer “EDR solutions,” but it’s up to the MSP to properly implement and establish processes to support expectations. Simply having the solutions does no good. EDR done right requires the additional team focus, rules, review and responses. Implement an EDR offering with caution and planning.
Most people would categorically agree that increased privacy online is a good thing. But in practice, questions of privacy online are a bit more complex. In recent months, you’ve likely heard about DNS over HTTPS, also known as DNS 2.0 and DoH, which is a method that uses the HTTPS protocol to encrypt DNS requests, shielding their contents from malicious actors and others who might misuse such information. It can even address several DNS-enabled cyberattack methods, such as DNS spoofing or hijacking. On the other hand, obfuscating the content of DNS requests can also reduce admins’ visibility and control, as well as negatively affect business network security.
Ultimately, this DNS privacy upgrade has been a long time coming. While its creators’ original 1983 design has undoubtedly proven itself by scaling to meet the demands of today’s internet, privacy just wasn’t a consideration 38 years ago; thus, the need for DoH.
When weighing the obvious privacy and security benefits against the visibility and potential security drawbacks, some businesses are having difficulty managing these new protocols. That’s likely why the NSA recently released a guide that not only explains the need for DoH, it strongly recommends that businesses protect their networks from rogue DNS sources to improve their network security. But what their guide doesn’t really focus on is how.
Correctly managing encrypted DNS can be very challenging. Here’s what businesses need to know about the NSA’s guide and how to successfully embrace DoH.
What does the NSA guide recommend?
The NSA supports the privacy and security improvements DoH provides. However, they also recommend that DNS be controlled, which may leave some admins scratching their heads.
“The enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.”
What does the NSA caution against?
The NSA specifically warns about applications that can make DNS requests for themselves. Previously, if an application needed DNS, it would ask the local system for the resolution, ideally following whatever configuration the admin had set. These requests would then be sent to the network DNS resolver. This process provides a wealth of information to the network, helping with visibility in the case of a malware attack, or even in the event of a user accidentally clicking a phishing link.
With DNS encryption like DoH, this visibility not only disappears, but DNS itself becomes incredibly difficult to control. The real challenge is that DoH hides the DNS requests inside TLS (often still called SSL), just as your web browser does when connecting to your online banking website. With this method, DNS requests appear as regular website traffic to most firewalls and networks, which cannot tell whether they are legitimate or malicious.
What other challenges should I consider?
DoH is fairly early in its adoption and only a few applications currently use it, though adoption will continue to grow. In North America, Mozilla Firefox uses DoH for DNS resolution by default. Other browsers, such as Google Chrome and Microsoft Edge, have also begun to support DoH, though their default behavior will not enable DoH on most business networks.
Worth noting is that Microsoft itself has yet to support DoH on its DNS servers, so enforcing the NSA’s recommendations may be somewhat difficult. Additionally, as DoH traffic runs on port 443, just like a secure connection to a website, it is not easily regulated or blocked. You can’t just block port 443 at your firewall either, as this action would also block all secure websites. You could block some of the known DoH providers, but as with any new technology, more DoH resolvers appear daily.
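Why DoH is indistinguishable from ordinary HTTPS at the firewall, and what a TLS-terminating proxy could still look for, is easiest to see by building an RFC 8484 request by hand. The example below is added here and is not from the original post or from any NSA or Webroot material; the resolver hostname is a placeholder and the response bytes are constructed. As a check, the GET URL it produces for www.example.com matches the worked example in RFC 8484 section 4.1.1.

```python
"""Build an RFC 8484 DNS-over-HTTPS query and decode a response, fully offline.

Added example, not from the original post. The DNS message is base64url-encoded
into a plain HTTPS GET, which is exactly why it looks like web traffic on the wire.
"""
import base64
import struct


def encode_qname(name):
    """Encode 'www.example.com' as DNS labels: len+bytes per label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035). RFC 8484 recommends ID 0 for GET so caches match."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name, resolver="doh-resolver.example"):
    """RFC 8484 GET form: base64url without padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


def read_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return [(name, rtype, ttl, rdata_text)] for each answer in a wire-format response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


# Constructed response: one A record for www.example.com pointing at a documentation IP.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def looks_like_doh(path, headers):
    """Heuristic only a TLS-terminating proxy can apply; a plain firewall never sees these fields."""
    accept = headers.get("accept", "").lower()
    ctype = headers.get("content-type", "").lower()
    return ("application/dns-message" in accept or "application/dns-message" in ctype
            or (path.startswith("/dns-query") and "dns=" in path))


if __name__ == "__main__":
    print(doh_get_url("www.example.com", resolver="dnsserver.example.net"))
    print(parse_response(SAMPLE_RESPONSE))
```

The client would send that URL with an Accept: application/dns-message header (or POST the raw message with that Content-Type). Both request and response travel as TLS to port 443, so looks_like_doh() only helps on a proxy that terminates TLS; without one, blocking the known resolver hostnames, as the text suggests, is the only coarse control available.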
How does Webroot address security with DoH?
The Webroot® DNS Protection agent already secures DNS requests by using DoH for all of its communications and leverages the power of Webroot BrightCloud® Threat Intelligence to identify and block alternate DoH connections. Our DNS Protection solution also includes an option to echo all DNS requests to your local resolver, so it maintains visibility into the DNS requests being made, leaving intact the powerful information provided by DNS.
Essentially, with a solution that works like Webroot DNS Protection, you still get the power of DNS filtering while also benefitting from DoH encryption. This protection secures remote and on-site users, devices, and networks, effectively fulfilling the NSA’s recommendations.
In today’s rapidly evolving cybersecurity landscape, the battle for privacy and security is relentless. Cybercriminals are masters at using technology and psychology to exploit basic human trust and compromise businesses of all sizes. What’s more, they often hide in plain sight, using both covert and overt tactics to cause disruption, steal money and data, and wreak havoc with MSPs and SMBs.
While cybersecurity advice is often focused on technology like endpoint protection, firewalls and anti-virus, it’s important to remember that behind every breach is a human. Knowing who they are and why they target your business is essential to remaining cyber resilient.
As we mentioned in a previous blog, hackers come in many forms, but their methods can generally be classified into three distinct types of cybercriminals:
- The Impersonator – Hackers that pretend to be others, often using social engineering and human psychology to trick users.
- The Opportunist – Hackers that exploit public events and socio-political crises for disruption or personal gain.
- The Infiltrator – Hackers that target specific organizations and work to breach systems using a variety of tools and tactics.
Each one has their own methods and protecting against them requires a multi-layered approach. Let’s look at a few primary examples.
Who is the Impersonator?
An impersonation attack recently made headlines with the 2020 Twitter/Bitcoin scam, in which 130 high-profile Twitter accounts were compromised by outside parties to steal bitcoin. The perpetrators gained access to Twitter’s administrative tools in order to pose as legitimate CEOs and celebrities to trick users into sending bitcoin with the promise of doubling their investment. Unfortunately, attacks like this work, and the hackers received $121,000 that was never paid back. This is a scam that’s been around for years and since no one can reverse a cryptocurrency transaction, it’s very likely here to stay.
This type of cybercriminal manipulates victims into opening doors to systems or unwittingly sharing sensitive information by pretending to be someone you would inherently trust. The most notable attack is the “Nigerian prince” email scam, also known as “foreign money exchange” scams. These typically start with an email from someone overseas claiming to be royalty, offering to share a financial opportunity in exchange for your bank account number. Nowadays, you’re more likely to receive an email from your boss’ boss asking for gift cards or money, but these scams are still active in many forms, as the Twitter attack shows.
Impersonators are known to use phishing, Business Email Compromise (BEC) and domain spoofing to lure victims, and they’re always looking for new ways to innovate. In fact, our 2020 Threat Report found that impersonators are now imitating legitimate business websites to release malicious payloads or steal data, and a shocking 27% of phishing sites use HTTPS to trick the user into clicking phishing links, which makes these attacks even more dangerous. It’s easy to assume an official-looking website with an HTTPS address is safe, but hackers can also use HTTPS sites to launch phishing emails and distribute BEC scams as obtaining SSL certificates is trivial now. This is why a multi-layered approach that can block phishing sites (including HTTPS) in real time, is key for staying safe.
What Does the Opportunist Want?
While attacks of opportunity are nothing new, the tactics of the opportunist have gone to a new level with the recent coronavirus pandemic. According to our COVID-19 Clicks report, at least one in three people have fallen for a phishing email in the past year. This year has been all about the pandemic and the fear surrounding it. These phishing attempts often appear in the form of articles about the best ways to avoid coronavirus or links to documents that have lists of people with COVID-19 “in your area.” These documents will ask users to enable an embedded macro that then delivers malware, usually in the form of ransomware. Over 90% of malware campaigns used the pandemic in their initial phishing email this past year.
Opportunists wait for the right opportunity to strike, and just as impersonators take advantage of trust, opportunists also rely on trust and familiarity to deceive users into downloading malicious payloads. Unlike other hackers, however, they don’t have specific victims in mind. The opportunist capitalizes on urgency, fear and unpreparedness to catch as many victims in their net as possible.
As we point out in a popular Hacker Personas podcast, other opportunist attacks like those exploiting U.S. government stimulus payments are also on the rise. Business leaders in particular should watch out for these tactics, as phishing emails can compromise company devices. With the increase of remote workers using unsecured systems and personal devices to access corporate networks, all businesses are at risk from opportunists who bait remote employees.
How Do Infiltrators Breach Systems?
One of the best examples of an infiltration attack is the 2020 SolarWinds breach, in which a foreign state hacked the SolarWinds supply chain to infiltrate at least 18,000 government and private networks, including over 425 of the Fortune 500. Nation-state hackers used SUNSPOT malware to insert the SUNBURST backdoor into software builds of the Orion platform, and SolarWinds developers, unaware of the tampering, released it as a normal update to their customers. Several significant US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. What’s more, the fallout of this attack is still ongoing and we may never know the full damage.
The Infiltrator is the opposite of an opportunist in that they target specific victims and have a clear-cut approach to getting what they want. Rather than casting a wide net and hoping for the best, they usually know the system they want to infiltrate, and they use stealthy measures to breach systems, often coming away with a large payout in the form of a costly ransom to criminal enterprises or valuable intel to nation states.
What Steps Should MSPs and SMBs Take to Stay Cyber Resilient?
If knowing your enemy is the first step to protecting your business, the next step is to develop a strong cyber resilience posture that protects against their attacks. Part of that is understanding that cyberattacks are often a matter of “when, not if.” Even if you’re not the target of an infiltrator, for example, your business or employees may be the unknowing victims of an opportunist or impersonator.
Protecting your business includes:
- Implementing a multi-layered cybersecurity approach that includes complete endpoint protection, firewalls, real-time anti-phishing and Security Awareness Training.
- Continuously educating and training employees, staff and customers to follow cybersecurity best practices and to stay up to date on cyberattack news.
- Using a backup and recovery solution that can restore critical files after an attack and keep the business up and running during a crisis.
To learn more about hacker personas and strategies to protect against their various attacks, check out our eBook, Hacker Personas: A Deeper Look Into Cybercrime. You can also follow our Hacker Files and Lockdown Lessons series that include a variety of guides, podcasts and webinars covering these topics and more.