Highlights of the January 26, 2022 webinar hosted by Bill Heaven, CPA, CISA, CITP, CSCP, Senior Director IT Development and featuring Damon Hacker, MBA, CISA, CSXF, CMMC-RP, President & CEO, Vestige Digital Investigations
A Case Study: HAFNIUM Exchange Vulnerability
• Surfaced in early 2021.
• Affected many companies and 125,000 servers around the world: on-premises exchange services (such as email) for companies housing them themselves, not cloud-based services.
• Allowed access to emails without authentication.
• Some attackers installed viruses and some installed backdoors that allowed access to servers for an extended period of time.
• Exploited four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.
• Became aware of vulnerability in March 2, 2021. Was initially discovered in December 2020 and reported to Microsoft in early January 2021. Three hacker groups picked up on it in late February and started their exploitation.
A Case Study: Log4j/Shell exploit
• Discovered December 9, 2021.
• Zero-day exploit is an exploit that becomes available before vulnerability is widely known.
• Allowed remote code execution: someone in another location can execute an arbitrary code on your system to carry out their purpose.
• Is a java application (library); a login utility – a very powerful library everything you can conceive of doing from a login standpoint.
• Is embedded in all kinds of applications, software that relies on other software that has been infected.
• Nearly half of all corporate networks had been already targeted by days after it became known.
• Hundreds of million of devices are at risk.
• Hackers use the exploit to add cryptomining malware, cobalt strike, ransomware, credential theft.
You might become a victim via:
• A crime of opportunity: hackers are testing for vulnerabilities 24/7.
• Collateral damage: someone else’s system or email gets compromised.
• Part of an unlucky targeted group: if you see others in your peer group getting attacks, it’s time to start paying attention.
• Could be purposefully targeted: perhaps if you were a previous victim.
• Tools available to hackers allow them to rise to the same sophistication as state-sponsored espionage and weaponization.
The APT (Advanced Persistent Threat) life cycle:
• Can start with intelligence gathering, background research.
• An initial attack: hackers find some vulnerability and can get in; they enable persistence so they can get back in.
• Once in, they conduct enterprise reconnaissance.
• They might move laterally to other systems.
• They look to escalate privileges.
• They gather and exfiltrate data.
• Average time an attacker is inside the organization before the organization finds out is 7.5 months, and is usually discovered by someone outside the organization.
• How to combat attacks: Need a program to identify the vulnerabilities before the attacker gets in.
• Log4j is ubiquitous: developers need to be aware; can’t blindly accept that products are good to bring into their environments, especially open source software where anybody could add something to it.
• Need a succinct process or system, a security practice designed to proactively prevent exploitation of vulnerabilities.
• Identify assets and the vulnerabilities, then mitigate and fix known vulnerabilities.
• Good vulnerability management programs:
-Promote consistent processes over a wide range of threats
-Align with risk appetite of the organization
-Are easy to understand and conduct
-Have high visibility among decision makers
• Vulnerability management options:
-Vulnerability scanning – simply identifying the vulnerabilities that exist in an environment and determine if they are exploitable.
-Formal process of risk analysis of frameworks
-Best approach: a combination of the two
• Recommendations for conducting a risk assessment:
-Do a NIST 800-30 formal risk assessment.
-Decide on frequency and scope.
-Decide on objective or subjective scoring for likelihood of occurrence and potential impact.
-A formal risk assessment provides a picture of where you need to start and priorities.
-Vulnerability scan: an automated process or tool run across an environment to test hundreds and thousands of devices.
-Vulnerability scan does not identify whether someone can get in or how.
-Has to be inside as well as from outside to identify all locations where there are vulnerabilities.
-Will produce a deluge of vulnerabilities, which need to be prioritized; finding the core problem spread across systems can reduce the workflow many times.
-Create and update a risk register to help ensure issues are being addressed.