Novel Threat Tactics, Notable Vulnerabilities, and Current Trends for August
Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In August, the team discussed threat intelligence, notable vulnerabilities and trends, security operations center (SOC) updates, and SOC engineering insights.
Threat intelligence
The Senior Manager of Digital Forensics and Incident Response (DFIR) discussed the risk of insider threats within an organization. Most cybersecurity programs are focused on preventing initial compromise or attack from outside the organization, but insiders can cause serious harm. The DFIR team groups insider threats into three categories:
Identity theft. The team investigates identity theft with two types of actors in mind: unauthorized employees who are hired on the strength of falsified documents and credentials, and espionage actors who are covertly engaged in corporate espionage, extortion, or intellectual property (IP) theft.
Willing insider. This actor is often a disgruntled employee who sets out to damage the organization itself, whether by causing financial loss or by disrupting operations.
Unwitting insider. This employee ignores established security policies, either through negligence or at the direction of a malicious external actor. The external actor may talk the employee into granting access; once inside, the external actor can circumvent the other security controls in place. Because the employee is unlikely to report what happened, the damage can be far greater than expected.
When the DFIR team investigates an insider threat case, evidence collection must be covert. Physical evidence may be unavailable, so investigators rely on externally available data such as logs or backups. One of the team's main goals is containment, or at least mitigation of any continued risk, and that can take time: most organizations lack an access management system that lets the team quickly identify which assets to examine and which evidence to collect.
The team suggests several best practices to keep an insider threat from impacting your organization:
• Use stringent background checks and authenticate documentation when hiring
• Implement granular auditing of your internal, authorized, day-to-day user activities to establish a pattern of normal behavior
• Establish granular access control and an access management strategy to understand where an employee could potentially cause harm
• Enforce a separation of duties for critical processes and components of your security controls
• Enforce least privilege, including regular access reviews of internal users to identify where an employee's access has crept beyond the scope originally granted
• Enforce mandatory periodic leave to ensure visibility into the activities of all employees
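The access review, privilege creep and separation-of-duties items above are easier to act on with a concrete check. The script below is an added example, not Pondurance tooling: it diffs a constructed entitlement snapshot against hypothetical role baselines to surface privilege creep, checks each identity against a hypothetical list of conflicting entitlement pairs, and also checks the role definitions themselves for a bundled conflict. All role names, entitlement strings and users are invented for illustration.

```python
"""Access review helper: flag privilege creep and separation-of-duties
(SoD) conflicts in an entitlement snapshot.

Added example, not Pondurance tooling. Roles, entitlement strings, SoD
pairs and users below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]

# Hypothetical role baselines: what each job role is approved to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap-clerk": {"erp:invoice.create", "erp:invoice.read"},
    "ap-manager": {"erp:invoice.read", "erp:invoice.approve"},
    "treasury": {"erp:invoice.read", "erp:payment.release"},
    "sysadmin": {"ad:group.manage", "esxi:admin", "backup:restore"},
    # Legacy role that bundles a conflicting pair; the baseline check catches it.
    "ap-superuser": {"erp:invoice.create", "erp:invoice.approve"},
}

# Separation-of-duties pairs: one identity should never hold both.
SOD_CONFLICTS: List[Pair] = [
    ("erp:invoice.create", "erp:invoice.approve"),
    ("erp:invoice.approve", "erp:payment.release"),
    ("ad:group.manage", "siem:alert.suppress"),
]

# Constructed snapshot: (user, assigned role, entitlements currently held).
SNAPSHOT: List[Tuple[str, str, Set[str]]] = [
    ("alice", "ap-clerk", {"erp:invoice.create", "erp:invoice.read"}),
    # bob was promoted from clerk to manager but kept invoice.create.
    ("bob", "ap-manager", {"erp:invoice.create", "erp:invoice.read", "erp:invoice.approve"}),
    # carol picked up an alert-suppression right no sysadmin role grants.
    ("carol", "sysadmin", {"ad:group.manage", "esxi:admin", "backup:restore", "siem:alert.suppress"}),
    ("dave", "treasury", {"erp:invoice.read", "erp:payment.release"}),
]


def find_creep(role: str, held: Set[str]) -> Set[str]:
    """Entitlements held beyond the role baseline. An unknown role has an
    empty baseline, so everything it holds is reported."""
    return held - ROLE_BASELINE.get(role, set())


def find_sod_conflicts(held: Set[str]) -> List[Pair]:
    """Conflicting pairs held simultaneously by a single identity or role."""
    return [(a, b) for a, b in SOD_CONFLICTS if a in held and b in held]


def check_role_baselines(baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> List[Tuple[str, Pair]]:
    """Roles whose own definition is a toxic combination."""
    return [(role, pair) for role, ents in baseline.items() for pair in find_sod_conflicts(ents)]


def review(snapshot: List[Tuple[str, str, Set[str]]] = SNAPSHOT) -> Dict[str, Dict[str, object]]:
    """Run the review and return only the identities with findings."""
    findings: Dict[str, Dict[str, object]] = {}
    for user, role, held in snapshot:
        creep = find_creep(role, held)
        sod = find_sod_conflicts(held)
        if creep or sod:
            findings[user] = {"role": role, "creep": sorted(creep), "sod": sod}
    return findings


if __name__ == "__main__":
    for role, pair in check_role_baselines():
        print(f"role {role} bundles conflicting pair {pair}")
    for user, f in review().items():
        print(f"{user} ({f['role']}): creep={f['creep']} sod={f['sod']}")
```

Run against a real entitlement export, the "creep" list is the starting point for the periodic access review, and any non-empty "sod" list is a finding regardless of whether the access was approved.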
Vulnerabilities and trends
The Vulnerability Management Program (VMP) Team Lead reviewed notable vulnerabilities from July. As many as 2,500 vulnerabilities were disclosed, nine of which were rated high risk. Five of those nine were known to be exploited in the wild; the affected products included ServiceNow, Secure Shell (SSH), GeoServer, Acronis Cyber Infrastructure, Apache HTTP Server, Cisco Secure Email, Progress Telerik Report Server, and Exim.
The VMP Team Lead talked in detail about the ServiceNow vulnerability, which is actually three vulnerabilities chained together to breach networks and exfiltrate data and sensitive files at scale. Two of them (CVE-2024-4879 and CVE-2024-5217) allow a threat actor to achieve unauthenticated remote code execution, and the third (CVE-2024-5178) lets the threat actor read files stored on the affected server. Exploitation has targeted government entities, energy sector companies, data centers, and software developers, which leads observers to suspect that the attackers may be nation-state actors aiming to steal trade secrets. Tens of thousands of vulnerable systems remain reachable, and exploitable, over the internet.
Throughout July, the team saw a notable trend of vulnerabilities being exploited well after patches were released. Examples include the Log4Shell vulnerability in the Log4j library (CVE-2021-44228), patched in December 2021, and the OpenSSH vulnerability (CVE-2024-6387) disclosed in July.
In August, the VMware ESXi hypervisor vulnerability (CVE-2024-37085) was exploited to deploy ransomware by numerous threat actors, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. This authentication bypass in VMware ESXi can be deceiving: its Common Vulnerability Scoring System (CVSS) score of 6.8 falls in the medium range, which does not rank as a high or critical threat. The score is that low only because exploitation requires the threat actor to already hold sufficient permissions in the organization's Active Directory. Once a threat actor has those permissions, the impact is severe, because the actor gains full administrative rights over the VMware environment. The team strongly recommends that organizations apply the patches and take any required mitigation steps.
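The reason existing Active Directory permissions are enough is that a domain-joined ESXi host grants full administrative rights to members of an AD group named "ESX Admins" by default, so an attacker who can create or rename a group and add an account to it ends up with hypervisor admin. That makes the Windows Security log a good place to hunt while patches roll out. The script below is an added example, not Pondurance detection content: it scans constructed Security-log records (a subset of the fields carried by the group-management events, 4727/4731/4754 group created, 4737/4735/4755 group changed, 4728/4732/4756 member added) for any creation, rename or membership change touching a group with that name. Matching case-insensitively and checking both the target name and the SAM account name are deliberately conservative assumptions, and the sample events are constructed.

```python
"""Hunt Windows Security-log group events for the Active Directory
manipulation that precedes abuse of CVE-2024-37085: domain-joined ESXi
hosts grant full administrative rights to members of a group named
"ESX Admins", so an attacker with enough AD rights creates or renames a
group to that name and adds an account to it.

Added example, not Pondurance detection content. SAMPLE_EVENTS is a
constructed subset of the fields these events carry.
"""
import re
from typing import Dict, Iterable, List, Optional

# Default group name ESXi trusts. Case-insensitive matching that ignores
# surrounding whitespace is a conservative assumption, not ESXi's exact rule.
TRUSTED_GROUP = re.compile(r"^\s*esx admins\s*$", re.IGNORECASE)

GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global/local/universal group created
GROUP_CHANGED = {4737, 4735, 4755}  # security-enabled group changed (a rename lands here)
MEMBER_ADDED = {4728, 4732, 4756}   # member added to global/local/universal group

# Constructed sample events.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4727, "SubjectUserName": "helpdesk1", "TargetUserName": "Finance-RO"},
    {"EventID": 4737, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "HR-Staff",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example"},
]


def trusted_name(event: Dict[str, object]) -> Optional[str]:
    """Return the group name from the event if it is the name ESXi trusts.
    Both the target name and the (post-change) SAM account name are checked
    so a rename is caught whichever field carries the new name."""
    for field in ("TargetUserName", "SamAccountName"):
        name = str(event.get(field, ""))
        if TRUSTED_GROUP.match(name):
            return name
    return None


def classify(event: Dict[str, object]) -> Optional[str]:
    """Finding type for one event, or None if it is not of interest."""
    if trusted_name(event) is None:
        return None
    eid = int(event["EventID"])
    if eid in GROUP_CREATED:
        return "group-created"
    if eid in GROUP_CHANGED:
        return "group-changed"
    if eid in MEMBER_ADDED:
        return "member-added"
    return None


def hunt(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Collect every event that creates, renames or populates the trusted group."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        findings.append({
            "kind": kind,
            "actor": str(ev.get("SubjectUserName", "?")),
            "group": str(trusted_name(ev)),
            "member": str(ev.get("MemberName", "")),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['kind']:14} actor={f['actor']} group={f['group']!r} member={f['member']}")
```

The hunt is a compensating detection, not a fix: apply the vendor patch, and where a host must stay domain-joined, verify which group it trusts and that the group exists and is tightly controlled. Feed the script the same fields from your SIEM's parsed 47xx events; any hit should be treated as a precursor to ransomware deployment on the hypervisor.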
To wrap up, the VMP Team Lead noted that a whopping 90 reported vulnerabilities were addressed on Microsoft's August Patch Tuesday, six of them actively exploited zero-days. The team stresses the importance of applying the Microsoft patches every month.
SOC updates
The SOC Director discussed recent cybersecurity trends that the SOC team observed in July.
Credential stuffing attacks. These attacks, a close cousin of password sprays and brute force attacks, are on the rise. In a credential stuffing attack, the threat actor takes a large list of username and password pairs (typically leaked in earlier breaches), loads them into an automation tool, and replays each pair against the login page. Fortunately, Okta and Microsoft 365 customers have built-in protections against credential stuffing. For example, Okta's dynamic network zones let an administrator allow sign-ins from within the United States while denying attempts from outside the country.
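The login-page replay described above leaves a recognizable footprint in authentication logs: one source, many distinct usernames, roughly one attempt each, and a high share of failures for accounts that do not exist, because the list came from someone else's breach. The script below is an added example, not Pondurance's detection logic: it parses constructed authentication log lines in a made-up format (timestamp, source IP, username, OK/FAIL, failure reason), aggregates them per source, and applies hypothetical thresholds to separate credential stuffing from password spraying and brute force, reporting any account that succeeded inside an attack burst. The thresholds and the "no_such_user" heuristic are assumptions to tune against your own identity provider's events.

```python
"""Classify failed-login bursts per source IP as credential stuffing,
password spraying or brute force.

Added example, not Pondurance's detection logic. The log format, the
thresholds and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

MIN_ATTEMPTS = 20         # assumption: ignore sources below this volume
MAX_TARGETS_BRUTE = 3     # assumption: <= 3 accounts hammered -> brute force
MIN_TARGETS_LIST = 20     # assumption: >= 20 accounts, ~1 try each -> list attack
UNKNOWN_USER_RATIO = 0.3  # assumption: this share of "no_such_user" -> stuffing


class Attempt(NamedTuple):
    ts: datetime
    src: str
    user: str
    ok: bool
    reason: str


def parse_line(line: str) -> Attempt:
    """Parse '<iso-ts> <src-ip> <user> <OK|FAIL> <reason>' (constructed format)."""
    ts, src, user, result, reason = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Attempt(when, src, user, result == "OK", reason)


def classify(attempts: List[Attempt]) -> Dict[str, object]:
    """Verdict for one source IP's attempts."""
    users = {a.user for a in attempts}
    failures = [a for a in attempts if not a.ok]
    unknown = [a for a in failures if a.reason == "no_such_user"]
    verdict = "none"
    if len(attempts) >= MIN_ATTEMPTS:
        if len(users) <= MAX_TARGETS_BRUTE:
            verdict = "brute_force"
        elif len(users) >= MIN_TARGETS_LIST and len(attempts) / len(users) <= 2:
            # One try per account is a list attack. Many unknown accounts mean
            # the list came from another breach (stuffing); one guess against
            # each of many valid accounts looks like a spray.
            share = len(unknown) / len(failures) if failures else 0.0
            verdict = "credential_stuffing" if share >= UNKNOWN_USER_RATIO else "password_spray"
    compromised = sorted({a.user for a in attempts if a.ok}) if verdict != "none" else []
    return {"verdict": verdict, "attempts": len(attempts),
            "distinct_users": len(users), "compromised": compromised}


def analyze(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group parsed attempts by source IP and classify each group."""
    by_src: Dict[str, List[Attempt]] = defaultdict(list)
    for line in lines:
        if line.strip():
            a = parse_line(line)
            by_src[a.src].append(a)
    return {src: classify(sorted(atts)) for src, atts in by_src.items()}


def constructed_log() -> List[str]:
    """Constructed sample: one stuffing burst, one spray, one brute force, one benign user."""
    base = datetime(2024, 7, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def emit(t: datetime, src: str, user: str, ok: bool, reason: str) -> None:
        stamp = t.strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{stamp} {src} {user} {'OK' if ok else 'FAIL'} {reason}")

    for i in range(40):  # stuffing: fast, mostly unknown accounts, one hit
        t = base + timedelta(seconds=i)
        if i < 30:
            emit(t, "203.0.113.7", f"leak{i}@example.net", False, "no_such_user")
        elif i < 39:
            emit(t, "203.0.113.7", f"user{i}", False, "bad_password")
        else:
            emit(t, "203.0.113.7", "bob", True, "-")
    for i in range(40):  # spray: one guess per valid account, slow
        emit(base + timedelta(seconds=45 * i), "198.51.100.9", f"user{i}", False, "bad_password")
    for i in range(60):  # brute force: one account hammered
        emit(base + timedelta(seconds=i), "192.0.2.33", "admin", False, "bad_password")
    emit(base, "10.0.0.5", "alice", False, "bad_password")  # benign typo, then success
    emit(base + timedelta(seconds=20), "10.0.0.5", "alice", True, "-")
    return lines


if __name__ == "__main__":
    for src, r in analyze(constructed_log()).items():
        print(f"{src:14} {r['verdict']:20} attempts={r['attempts']} "
              f"users={r['distinct_users']} compromised={r['compromised']}")
```

The "compromised" list is the part that matters operationally: a success inside a stuffing burst is a reused password that worked, and that account needs a reset and a session revocation, not just a block on the source IP. Geographic zone rules such as the Okta example above cut the noise but will not stop a list replayed through in-country proxies, which is why the per-source aggregation is still worth running.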
Ransomware. Trending steady, ransomware is still the most prevalent malware attack that the team experiences in the wild.
Social engineering tactics. The SOC sees a steady trend in compromises that originate from social engineering help desk calls. As always, the team recommends that organizations use strict verification procedures and continue with user awareness training.
Phishing emails remain prevalent, and the vast majority link to credential harvesting pages. Successful credential harvesting usually results in access to Microsoft 365 mailboxes. The SOC Director described how Pondurance recently overhauled its inbox-rule detections to more accurately detect phishing threats. He also noted that risk can be drastically reduced by enabling multifactor authentication on all accounts and providing user awareness training to employees.
SOC engineering insights
The Manager of SOC Engineering introduced Pondurance's new dashboard and gave an overview of its features. The dashboard was built to give analysts a clear view of the traffic passing through the network sensors and to provide deeper insight for clients that have network sensors. It offers detailed, rich data that helps users troubleshoot network issues and investigate security incidents, organized into more than 30 modules covering various protocols. For example, the dashboard has a domain name system (DNS) module that shows DNS requests, DNS responses, and SSL certificates; a connections module that shows how much traffic is transmitted; an HTTP module that displays status codes and request headers; and much more.
Extending a discussion from the July SOC webinar, the Manager of SOC Engineering reviewed how the SOC team, working closely with the DFIR team, draws on attacker-in-the-middle phishing and business email compromise cases to understand the context of a threat and compute a risk score. The team then escalates threats based on that score to keep clients better protected.
As always, the team asks clients to share their "crown jewels": important hosts, significant IP addresses, VIP lists, honey tokens, and anything else distinctive about the network that can help the team defend it.
Next month
The Pondurance team will host another webinar in September to discuss new cybersecurity activity. Check back next month to read the summary.