The cyber security world is incredibly dynamic and plays out like a giant game of chess across the world, with moves, countermoves, and an ever-changing set of players. If you have any kind of information technology in your organization, then you have no choice but to play the game too! But the game is not stacked in your favor. Your opponents operate at all hours of the day, every day of the year. They can be anywhere in the world, hide their moves, and are forever looking for weaknesses in your defense; and will even use your own pieces against you.
What this means in the real world, is that your cyber defense capabilities need to operate at all hours of every day as well. You need to find your own weaknesses and shore them up before an adversary finds them. You also need to be aware of what the adversary might do if they do find a weakness.
While operating system and application patching are an important ongoing concern, patching your public facing systems is mission critical. According to the Sophos Active Adversary Playbook 2021, exploitation of public facing applications is one of the top five techniques used to gain initial access during a breach. High profile recent examples include Microsoft Exchange exploits ProxyLogon (aka Hafnium) and ProxyShell, and a Confluence vulnerability that was exploited within a week of disclosure over the US Labor Day holiday weekend. Virtual Private Network (VPN) solutions from several major players have also been exploited this year. WordPress-the application behind many websites-is a constant victim of exploitation.
The only real solution is to have a solid inventory of your public facing systems, monitor those systems for vulnerability disclosures, and patch them as soon as practical. Don’t wait for news of an exploit, or a vendor to create a Common Vulnerability and Exposure (CVE) notification – Microsoft provided patches for Exchange in April and May 2021 against ProxyShell, but notoriously did not disclose the vulnerabilities until July 13, leading many to believe the patches were not important.
Keeping abreast of the latest threat actor tactics, techniques and procedures is an important part of your defense. Know thy enemy. If you see a story about the credentials of 500,000 VPN users being leaked on the dark web, and you use the same VPN technology, look into it. If you read about Exchange being exploited for ransomware deployment, and you run an Exchange server, investigate further.
Some suggested resources are listed below:
It is not unusual for the ‘business’ side of an organization to go around IT and implement a solution on their own, known as “Shadow IT”. They may want to avoid scrutiny or fast-track a project, or it may be that IT said ‘no’ so they are looking to find another way. Even though the Shadow IT solution wasn’t sanctioned, this doesn’t mean it can be ignored. Either ensure it is fully siloed or bring it back under control. Working closely with the business to find successful solutions helps prevent Shadow IT, but you also need to monitor for new systems and applications that could leave you exposed.
Constant situational awareness
You might be very comfortable with your security posture today. But it only takes one compromised account, an innocent firewall change, or a zero-day exploit to allow a threat actor in. And even though the adversary might find this access during your business hours, they will wait it out and utilize it when your guard is down. A recent security advisory from the FBI and CISA, warned organizations that attack risks are greater on holidays and weekends, citing high profile breaches of Colonial Pipeline, JBS and Kaseya as examples. As noted above, Confluence was exploited at the start of the Labor Day holiday weekend in the US.
We recommend organizations look into a managed service capable of handling a breach for you at 2am on the Saturday of a long weekend. One that has global situation awareness, and can translate that into improving the risk posture of your organization. Ensure you select a provider that can take action, not just notify you – unless you want to do the hands-on-keyboard defense (and have the expertise to do so) while trying to enjoy some time away from the office.