If You Haven’t Patched Log4Shell Yet, You’ve Been Compromised; FTX Disclosure Reaffirms “Cryptocurrencies” Have More Risk Than Reward; Look at Engenuity ATT&CK Evaluation If You Are Considering Managed Endpoint Detection and Response Services

Log4Shell is a tricky vulnerability in that exploitability depends first of all on how the library is exactly used, and secondly on the creativity of the attacker to reach the vulnerable code. Please do not underestimate the creativity of the attacker as you are assessing how this vulnerability impacts you. Patch.

Johannes Ullrich

Sage advice – assume compromise, apply patches or implement workarounds. It’s been a year since discovery of the Log4j vulnerability. Patches have been produced, workarounds documented and available; yet the government still has to issue an alert. Organizations and their leadership have to be held accountable for not establishing a standard duty of care.

Curtis Dukes

You knew this was coming, even so you couldn't get support to update everything. It’s time revisit all your systems where you've not deployed the patches and forensicate them to make sure they are still pristine. And patch them. Make sure that you're not exposing unneeded services to the internet, like your VMware management network, use MFA judiciously, particularly on your internet facing services, and make sure that everything is plumbed into your centralized logging, and then that appropriate alerts are in place both for your SOC and IT staff. Implement a service which checks credentials against breach dumps and require immediate change or account lock when discovered. Now, a tricky one, make sure that you are using access controls to limit credentials to only operate on authorized services/systems to restrict lateral movement.

Lee Neely

Or if you are a customer of SolarWinds. Indeed, assuming that one is compromised can be a prudent and useful assumption. Finding and eliminating covert and dormant compromise is a daunting problem. Consider structuring one's network and implementing least privilege access control so as to resist its spread and exploitation.

William Hugh Murray

Even for blockchains, the first rule of IT still applies: Garbage in, garbage out. If you don't have any processes to manage your funds, who knows what is moved to what cold wallet, and who controls the respective keys. In the end, you may just end up with a cryptographically sound record of what funds the administrators decided to allow the "investors" to fight for. Sadly, I doubt that this incident will kill cryptocurrencies.

Johannes Ullrich

Even though assets were secured, $473M was allegedly stolen, and it's postulated this was an insider. From the court filing by John Ray III, "Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented." The takeaways, if you're interested in Cryptocurrency, are both to make sure that there is sufficient separation of duties, and appropriately mitigated risks to include MFA, cold and encrypted (client-side) wallets as well as multi-signature wallets which require multiple keys to perform a transaction. Even if you're not in the Cryptocurrency business, ensure you have sufficient separation of duties, and traceability on transactions.

Lee Neely

Really what this and the numerous other incidents point out is that “crypto” “currencies” are not currencies and often don’t implement cryptography very well. From a business perspective, use of them by legitimate businesses over other forms of electronic payments doesn’t provide any cost savings or revenue gains that would offset the enormous increase in risk.

John Pescatore

I’m a big fan of the ATT&CK-based product evaluations but a few caveats: (1) It takes a skilled/experienced security person to understand the results and compare across the tested products. This is not a simple ranking. (2) This latest test is not really of broad MSSPs, more a test of vendors with Managed Endpoint Detection and Response offerings based on their own products. (3) Each year, Engenuity tests something new: there is no year-to-year continuity, so the next version of these products and services will change as far as which are more effective.

John Pescatore

The MITRE ATT&CK framework is the Industry accepted way to describe cyberattack details. The jury is still out on its applicability in assessing security capabilities of individual products that make up the cybersecurity ecosystem. MSSPs offer a much broader range of cybersecurity tools and capabilities that support managed service providers.

Curtis Dukes

As much as 50% of organizations are using MSSPs these days. The evaluations don't rank, qualify or disqualify any of the assessed vendors, but rather give you the results of a ten-step response to the TTPs of OilRig (an Iranian Government aligned ATP.) Consider not only how these MSSPs performed, but also if your team, insourced or outsourced, is considering all aspects of these ten steps. Drill down on making adjustments where gaps are found.

Lee Neely

Remember that even the systems controlling good old gas pumps are still vulnerable. Why would anybody expect that companies will learn from old mistakes and do things "right" if they work faster and cheaper done vulnerable.

Johannes Ullrich

This pretty much reads like early studies of the lack of security being built into Internet of Things. The good news is that funding to improve cybersecurity and safety overall of EV charging systems is included in the National Electric Vehicle Infrastructure Formula Program under the US Federal Highway Administration.

John Pescatore

While many of us consider the risk or EV charging from the perspective of load on the grid or power where the owner has the car parked, this report focuses on the technology behind that charging. Skim the paper to get a sense of all the technologies involved in EV charging. As such, the researchers were able to use low power SDR to interrupt the car charging, use RFID cloning to allow charging on someone else's account, let alone exploiting insecure web interfaces discovered. This feels like the familiar story of time to market and cost to deliver versus security. The fixes aren't unsurprising including securing access to physical ports, using proper encryption, removing unneeded services and keeping components updated. It is hoped that standards and best practices emerge from ongoing research between the Sandia, Idaho and Pacific Northwest National Labs. You may want to take a pause and reflect to see if you have projects which could benefit from increased attention to cyber hygiene.

Lee Neely

Cybersecurity has been both a board and executive leadership team focus area for several years. Any new product that is internet connected, has to be reviewed for security vulnerabilities prior to release; it’s part of the development cycle and factors into the risk management process. Cybersecurity best practices exist today—use them.

Curtis Dukes

Ambulance chasing is legal, stealing patient records to sell to ambulance chasers is not. If you are subject to HIPAA, another data point to highlight is that violations can result in prosecutions not just fines. In this case, employees are being charged with misuse of patient data and it is not a big leap for investigators to ask why the hospital didn’t detect this activity.

John Pescatore

Harvey was a fugitive, arrested in August after fleeing to Arizona. He faces seven counts of obtaining patient information for financial gain. In this particular case, he is accused of bribing folks to get that information. In general, make sure that users, when pressured to turn over (sensitive) information, understand what their obligations are to protect the information as well as what the intended use is. When in doubt, defer to the data owner, privacy officer or legal counsel who are better versed in regulatory restrictions on information handling. Also make sure they understand the reporting mechanism for coercion or bribery.

Lee Neely

The new proverb, “data is the new currency” rings true in this case. Hospital administrators should integrate this case into the training employees receive on the HIPAA law.

Curtis Dukes

Most of the comments are focused on more definition in the draft language where squishy terms like “covered entity,” “covered incident” and “reasonable belief” were used and that is needed. There are 16 “Critical” Infrastructure sectors defined by CISA but what would be considered a “critical” incident within one of those sectors needs better definition, much the way the SEC had to provide guidance on what constitutes a “material event” that would require financial reporting.

John Pescatore

This comes down to signal to noise ratio. Understanding what is reporting and what matters is key. In our own shops, we already know what is most critical and categorize the types of events which matter. The risk is missing events which may be early indicators or possibly indications of a wider spread problem than anticipated. If you're having trouble getting your arms around how to categorize what's critical, take a look at the PDF to get some ideas for down-selecting and refining your approach.

Lee Neely

Prevention, prevention, prevention. Mandatory reporting starts as admiration of the problem and rapidly turns into expensive boiler plate.

William Hugh Murray

A natural forcing function for collaboration amongst federal agencies with SLTT’s is the Multi-State Information Sharing and Analysis Center (MS-ISAC). As part of its network monitoring service, the MS-ISAC publishes a monthly Situational Awareness Report to the SLTT community that includes the Top 10 malware [including ransomware] events found.

Curtis Dukes

Coordination and collaboration helps build our overall situational awareness as well as making it easier to "phone a friend" when things get dicey. An interesting finding is that an incident at a school can cause a loss of between 3 days and 3 weeks of learning. Things are rough enough in the school systems without that added impact. If you're involved in coordinated communication and outreach, step back and make sure that everyone is both included and participating. This is an opportunity to add incredible resources to your rolodex.

Lee Neely

This is a problem of many targets at least some of which lack the scale to adequately protect themselves, rather than one of "coordination." Coordination among Federal agencies may reduce waste, possibly even improve efficiency, without addressing the problem.

William Hugh Murray

These threat actors are penetrating networks by taking advantage of single factor authentication, RDP and VPN, or bypassing MFA like CVE-2020-12812 in FortiOS servers, as well as exploiting Exchange vulnerabilities. We've talked about this before, (yes, I'm telling you this is preventable,) don't expose RDP to the Internet, use strong MFA on anything Internet facing, and keep those updates flowing. Not to ignore your internal systems, you need to do this internally, as the old castle & moat model is not sufficient with today's threat landscape. Leverage what you learned hardening your external services, you know what to do from here.

Lee Neely

As ransomware attacks get faster, IoCs become irrelevant; the ransomware will announce the compromise. Unless there are mitigations that are specific to the ransomware, prevention is more efficient than mitigation. Strong authentication, structured network, and least privilege access control will resist ransomware of all stripes and also resist other kinds of attacks.

William Hugh Murray

These are difficult to exploit, so you can do regression testing and plan your outage. Even so, don't assume these are not exploitable; with the publishing of the fix and vulnerability, that is actively being worked. Implement the recommended mitigations from F5 to restrict access to the management interfaces from both the self IP address and your network until you can apply the updates. Consider leaving long term restrictions on where management connections to your F5's can originate from.

Lee Neely

The trend of DOD incidents in the GAO report indicates things are heading in the right direction overall, this is about completing initiatives designed to properly collect/report and act on that information. When collecting incident information make sure that you have all the relevant information. Review the collection process to make sure it's still adequate. Then make sure you know what gets reported on what timeline. Verify that those reporting lines are not only functional but also include appropriate data handling to ensure that appropriate confidentiality and integrity is maintained. Make sure that projects needed to support these efforts complete. Some may need reassignment to achieve success.

Lee Neely