SANS NewsBites

Most Sought-After Cybersecurity Skills; Real Damage from Ransomware: Meow, Garmin, and SEI

July 28, 2020  |  Volume XXII - Issue #59

Top of the News


2020-07-24

Most Sought-After (Pre-)Cybersecurity Skills

Brian Krebs writes that people considering careers in cybersecurity frequently reach out to him, asking which specialization or certification he would recommend, but rarely do they ask, "which practical skills they should seek to make themselves more appealing candidates for a future job." A recent SANS survey asked more than 500 people who work in cybersecurity which skills they consider most valuable in job candidates, and which are most often missing. (Read the comments for more insights.)

Editor's Note

Perhaps surprisingly, some people already employed as cybersecurity analysts lack these same critical underlying skills. One of the larger federal cybersecurity contractors tested the beta version of a new course SANS developed for its undergraduate college students to ensure they have mastered the key foundational cybersecurity skills, hands-on, before diving into the challenging SANS courses required for their degree. The contractor's technical director called us last week and said he wanted to "start by having 100" of their existing cybersecurity employees take the foundations course and "the number will likely grow from there."

Alan Paller

Hands-on experience with information systems, knowing how they operate, as well as system and service lifecycles, are important skills in cybersecurity. And often people wishing to enter the field are unable to do so as they don't have the needed experience. Internship programs are not only great ways to get this experience, but also provide a low-risk opportunity for an employer to discover and grow talent that can become a long-term employee.

Lee Neely

We just completed a targeted survey on cybersecurity hiring needs and issues, separate from the one quoted in this piece. Among the results: (1) there is more of a skills gap than a headcount gap; and (2) the highest demand for entry-level employees is for those who have experience using popular open source and commercial tools. One major finding: attrition rates in SOC teams are lower than the IT industry average. Qualitative interviews gave anecdotal evidence that teams with more hands-on tool use and enhancement had the lowest attrition rates, with managers saying it allowed staff to feel more creative and helped fight alert burnout. The webinar on the results is on Wednesday; info at https://www.sans.org/webcasts/closing-critical-skills-gap-modern-effective-security-operations-centers-socs-survey-results-113485

John Pescatore


2020-07-25

The Number of Databases Deleted by Meow is Growing

The number of databases that have been wiped by the mysterious Meow hacker has grown to nearly 4,000 as of Saturday, July 25. The attacks appear to be targeting any database that is accessible from the Internet and is not adequately secured. The attacks are being conducted through a ProtonVPN IP address. It is still not clear why the attacker is deleting the vulnerable databases.

Editor's Note

Take immediate action to ensure you don't have databases that are world-writable from the Internet. Meow has been seen mostly targeting Elastic and MongoDB. It is also targeting CouchDB, Redis, Hadoop, Jenkins, and even NAS devices. Don't rely on prevention by blocking ProtonVPN address ranges; there are likely other attack vectors as yet undiscovered.

Lee Neely

Since the early days of the Verizon DBIR, we have been cautioned about orphan databases and servers. Know your own resources and vulnerabilities. These should be cheaper and more efficient for you to identify and eliminate than for your potential adversaries to find and exploit.

William Hugh Murray

2020-07-27

Garmin Acknowledges Ransomware Attack was Responsible for Outage

In a post on Monday, July 27, Garmin acknowledged that the outage it suffered last week was due to ransomware. The company says it is in the process of getting its systems up and running. The attack occurred in the middle of last week.

Editor's Note

This was a case of the WastedLocker ransomware, which comes from the Russian Evil Corp group, who are also known for the Dridex banking malware. WastedLocker leverages fake software update messages to get installed, and targets file servers, database services, virtual machines and cloud environments. Make sure you are installing verified updates, particularly on core business system components. The Garmin Aviation, InReach and Explore systems are now fully functional, including resolution of backlogs. Garmin Connect services are still being restored. Check Garmin service status sites:
Aviation service: https://status.flygarmin.com
InReach/Explore: https://status.inreach.garmin.com/
Connect services: https://connect.garmin.com/status/

Lee Neely

2020-07-27

SEI Customer Data Compromised in Ransomware Attack on Vendor

A ransomware attack on the network of M.J. Brunner, a service provider, exposed data belonging to the customers of one of its clients, SEI Investments. The attackers stole files containing usernames, emails, and other personal information associated with the SEI dashboard that Brunner developed and supports. Brunner refused to pay the demanded ransom, and the malware operators posted the stolen data online earlier this month. (Please note that the WSJ story is behind a paywall.)

Editor's Note

One thing that we should be learning from the success of "ransomware" is that our systems are too weak. By the time that a ransom demand is made, one's network is already severely compromised. Paying ransom is only one of many bad things that may result. Resist the breach in the first place; raise the cost of attack. Use strong authentication, DMARC, least privilege access control, application layer end-to-end encryption or network segmentation, and early warning systems. Use training and supervision.

William Hugh Murray

The Rest of the Week's News


2020-07-27

CISA and NCSC Urge Users to Patch QNAP NAS Devices

A joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) warns users to patch their QNAP network attached storage (NAS) devices to protect them from QSnatch malware. QSnatch attacks were detected as long ago as 2014, but the agencies noted a significant uptick in infections: in October 2019, 7,000 devices were affected; in mid-June 2020, more than 62,000 devices were infected. The newest version of QSnatch can steal passwords, exfiltrate data, and can be used to execute arbitrary code.

Editor's Note

QNAP and other network-based storage devices are at the top of the list of targeted devices. Do not expose them to the internet, minimize the installed applications and at least try to keep them patched. (It is hard to do this quickly!)

Johannes Ullrich

Protect your NAS system from direct access, either from the Internet, or from other systems which have no need to connect to them. QNAP published a security advisory; if you have devices that you suspect or know are compromised, they need to be factory wiped prior to performing the firmware update. Security Advisory for Malware QSnatch: https://www.qnap.com/en/security-advisory/nas-201911-01

Lee Neely

Better yet, put NAS devices on network segments isolated from the public networks. While software quality is an issue and patching is mandatory, it operates late. Raise the cost of attack. Reduce the attack surface using compartmentation (e.g. firewalls, network segmentation, and application layer end-to-end encryption) and restrictive access control (e.g., "least privilege," "white-listing").

William Hugh Murray
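Both the Meow item above (databases reachable from the Internet) and the NAS advice in this item come down to the same self-check: which services on a host are listening on something other than loopback. The script below is an added example, not part of NewsBites or any editor's text. It parses the output of `ss -ltn` (Linux) and flags the database and NAS file-sharing ports named in the two items when they are bound to a wildcard or a real interface address. The sample `ss` output is constructed, and the port table assumes upstream default ports; adjust it for your deployment.

```python
import ipaddress
import subprocess

# Default ports of the services named in the Meow and QSnatch items.
# Assumption: upstream defaults; change these if your deployment differs.
WATCHED_PORTS = {
    9200: "Elasticsearch",
    27017: "MongoDB",
    5984: "CouchDB",
    6379: "Redis",
    9000: "Hadoop NameNode",
    8080: "Jenkins",
    445: "SMB (NAS file sharing)",
    2049: "NFS (NAS file sharing)",
    548: "AFP (NAS file sharing)",
}

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:27017      0.0.0.0:*
LISTEN  0       4096    0.0.0.0:9200         0.0.0.0:*
LISTEN  0       4096    [::]:6379            [::]:*
LISTEN  0       511     *:445                *:*
LISTEN  0       64      10.0.5.12:2049       0.0.0.0:*
LISTEN  0       128     [::1]:5984           [::]:*
"""


def split_local_endpoint(field):
    """Split an ss 'Local Address:Port' token into (address, port).

    IPv6 literals arrive as '[addr]:port'; rpartition on the last colon
    keeps the address intact, and the brackets are stripped afterwards.
    """
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def classify_address(addr):
    """Return 'wildcard', 'loopback' or 'interface' for a bind address."""
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"            # every interface, including public ones
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "interface"           # unparsable literal: treat as reachable
    return "loopback" if ip.is_loopback else "interface"


def find_exposed_listeners(ss_output):
    """Return watched services not confined to loopback, in listing order.

    A bind to a specific interface address (even an RFC 1918 one) is still
    reported, since NAT or port forwarding can expose it to the Internet.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                 # header line or non-listening socket
        addr, port = split_local_endpoint(fields[3])
        if port not in WATCHED_PORTS:
            continue
        scope = classify_address(addr)
        if scope == "loopback":
            continue
        findings.append({
            "service": WATCHED_PORTS[port],
            "port": port,
            "address": addr,
            "scope": scope,
        })
    return findings


def audit_local_host():
    """Run the check against the current Linux host's listening sockets."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return find_exposed_listeners(out.stdout)


if __name__ == "__main__":
    for f in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['service']:<26} port {f['port']:<6} bound to {f['address']} ({f['scope']})")
```

Run `audit_local_host()` on a Linux server to check the live socket table; anything reported as `wildcard` needs either a loopback bind, a firewall rule or removal. The check only tells you what is listening, not whether authentication is enabled on it, so treat a reported service as exposed until you have verified its access controls.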

2020-07-27

Hackers are Actively Exploiting Flaws in F5 BIG-IP and Cisco Network Products

Hackers are actively exploiting a high-severity directory traversal vulnerability that affects Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software firewall products. Cisco has released a fix for the issue. Hackers are also actively exploiting a critical vulnerability in F5 BIG-IP advanced delivery controller; F5 released fixes for the flaw on July 9.

Editor's Note

We have written about these attacks a few times in the last weeks. If you still have unpatched F5, Citrix, or affected Cisco products around, assume that they are now compromised. Include SAP NetWeaver in that list (but it is not as heavily targeted yet, so you may be lucky and find one that hasn't been compromised yet).

Johannes Ullrich

Touch base with your F5 administration team; you may find they have already patched. The Cisco patch, released last Wednesday, definitely boosted the interest of attackers attempting to exploit the flaw, and may not be as well known to your network team. For both patches, make sure that staff understand the flaw is being actively exploited and immediate patching is appropriate.

Lee Neely

2020-07-24

Russian Hackers Targeted US Government, Education, and Energy Sectors

A hacking group with ties to Russian military intelligence launched previously undisclosed attacks against US targets between December 2018 and May 2020. In that 18-month period, Fancy Bear, also known as APT 28, conducted cyberattacks against networks at government agencies, educational institutions, and organizations in the energy sector. The attacks were largely focused on breaking into email servers, VPN servers, and Office 365 and email accounts. Earlier this year, the FBI notified organizations that had been targeted.


2020-07-24

Former Raytheon Employee Sentenced for Retaining National Defense Information

A former Raytheon systems engineer has been sentenced to 18 months in prison for taking home sensitive data. In January 2020, Ahmedelhadi Yassin Serageldin pleaded guilty to willfully retaining national defense information. According to a Department of Justice press release, Serageldin "retained 31,000 pages of information that was marked as classified, some of which pertained to U.S. missile defense and was classified at the SECRET level, and altered or obliterated the classification markings on documents." Serageldin worked at Raytheon for nearly 20 years.

Editor's Note

The documents were transferred on a portable drive against company policy. There are requirements from DoD, NIST, and CNSSI to employ technical control software to manage the connection of allowed peripherals/devices to classified systems to prevent these activities. In addition to the control, monitoring is necessary to assure it is operating and to track changes or disablement. While not a complete solution, technical controls on media connection can slow inappropriate data transfers in and out of your enterprise.

Lee Neely

"Classified" or other sensitive data should be stored in document management systems or other object-oriented databases that preserve meta-data (e.g., classification labels), resist arbitrary copying, and preserve transparency and accountability. Such data should not be stored in file system objects or on desktop systems.

William Hugh Murray

2020-07-27

FBI Warning on New DDoS Attack Vectors

Last week, the FBI issued a Private Industry Notification warning of several new network protocols and a web application that are being abused to conduct distributed denial-of-service (DDoS) attacks. They are CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software.

Editor's Note

In the SANS 2020 Top New Attacks and Threats report, SANS Fellow Ed Skoudis detailed "Living Off the Land" attacks and what to do about them for near term mitigation. Longer term, pressure needs to be applied to vendors to provide out-of-the-box configurations that have potentially dangerous services off by default. The report can be downloaded at https://www.sans.org/reading-room/whitepapers/analyst/top-attacks-threat-report-39520

John Pescatore

2020-07-24

CISA ICS Advisory Warns of Vulnerabilities in Schneider Products

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an ICS advisory regarding five vulnerabilities in Schneider Electric Triconex TriStation and Tricon Communication Module. The vulnerabilities include cleartext transmission of sensitive information, uncontrolled resource consumption, hidden functionality, and improper access control. One of the vulnerabilities - the improper access control issue - has been given a CVSS v3 base score of 10.

Internet Storm Center Tech Corner

Compromised Desktop Applications By Web Technologies

https://isc.sans.edu/forums/diary/Compromized+Desktop+Applications+by+Web+Technologies/26384/


Cracking Maldoc VBA Project Passwords

https://isc.sans.edu/forums/diary/Cracking+Maldoc+VBA+Project+Passwords/26390/


Analyzing Metasploit ASP .Net Payloads

https://isc.sans.edu/forums/diary/Analyzing+Metasploit+ASP+NET+Payloads/26392/


Cisco Patching Treck IP Stack Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC


Ubiquiti Devices Break Due to Malformed Feed

https://community.ui.com/questions/Threat-Management-rules-silently-disabled-for-users-as-of-July-17-2020/35221bd2-843d-41a3-a957-33f57d9a8468


Emotet Payloads Replaced with GIFs

https://twitter.com/GossiTheDog/status/1286271503005290497


QNAP Devices Attacked

https://us-cert.cisa.gov/ncas/alerts/aa20-209a


In Memory of Donald Smith

https://isc.sans.edu/forums/diary/In+Memory+of+Donald+Smith/26396/