Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In November, the team discussed notable vulnerabilities and trends, gave a crash course on security operations center (SOC) metrics, and provided insights on a recent SOC engineering exercise.
Vulnerabilities and Trends
The Vulnerability Management Team Lead looked at vulnerabilities and trends from October. As many as 2,500 vulnerabilities were disclosed, and 16 of those vulnerabilities were high risk. Of those 16, nine were zero-day vulnerabilities, which is within the historical range of nine to 10. The zero days impacted products from Microsoft, Apple, Apache, Atlassian, Citrix, and F5, as well as the HTTP/2 protocol and the GNU C Library.
He talked in detail about three of the zero-day vulnerabilities, providing an overview on how the vulnerability occurs and how to remediate it:
- Citrix Bleed: CVE-2023-4966, which affects NetScaler ADC and NetScaler Gateway, allows the threat actor to take over authenticated sessions and circumvent authentication measures such as multifactor authentication (MFA). On Oct. 28, 20,000 Citrix servers were observed being attacked, and on Nov. 8, as many as 4,300 vulnerable servers were still exposed to the internet. Currently, four active campaigns are targeting this vulnerability, and their targets are mostly technical organizations and legal firms in the United States, Europe, Africa, and Asia. The Vulnerability Management Team Lead explained that Citrix has released a patch clients should apply, though the threat actors within a system can remain active even after patching occurs.
- HTTP/2 Rapid Reset: This vulnerability leads to a layer 7 distributed denial of service (DDoS) attack. During these attacks, Google has had as many as 398 million requests per second, an all-time high. As a remedy, Microsoft has botnet protection and rate-limiting rules to reduce DDoS attacks, and Cloudflare has an IP Jail capability that uses subnets, which flare up during the attack but are later freed to keep from blocking legitimate traffic after the attack subsides.
- Linux Root Access: CVE-2023-4911, dubbed Looney Tunables, is a local privilege escalation vulnerability that allows threat actors to gain full root privileges on a Linux environment by exploiting a buffer overflow flaw in the GNU C Library. Most Linux distributions were impacted. As a solution, clients were encouraged to apply an appropriate patch for all Linux operating systems.
The SOC Operations Lead provided metrics on the vast number of alerts that Pondurance experiences in a given month. He explained that the SOC ingested a total of 118 billion log messages during the month of October, and those log messages were related to more than 245 million log events! Of those events, the SOC triggered 17,263 alerts, for an average of over 550 alerts per day or 20 alerts per hour for the entire month. Of those triggered alerts, the SOC determined that 454 alerts (2.6% of them) were worthy of escalation or seen as something that could have been actionable.
To further break down the alert metrics, the SOC Operations Lead explained how the triggered alerts for October were divided into critical, high, moderate, low, and informational categories. There were 407 informational alerts, 2,704 low alerts, 6,804 moderate alerts, 6,156 high alerts, and 1,192 critical alerts. Criticals and highs are the alerts that warrant the most attention, with the team checking on the endpoint, checking the alert, checking the history of the machine for the alert, and performing an in-depth investigation as needed.
He also discussed the October numbers for mean time to acknowledge (MTTA) and mean time to resolve (MTTR). MTTA, the time it takes for the SOC to identify and prioritize an alert, totaled 11 minutes, 42 seconds. MTTR, the time it takes to address and escalate the alert to the client with corrective actions or recommendations, totaled 1 hour, 1 minute, 34 seconds.
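A sketch of how figures like these can be derived from alert records, as an added example that is not Pondurance's tooling. It assumes MTTA and MTTR are both measured from the time the alert triggered; the sample alerts and the record layout are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts (not real SOC data). Assumed layout:
# (severity, triggered, acknowledged, resolved, escalated_to_client)
ALERTS = [
    ("critical", "2023-10-03T08:00:00", "2023-10-03T08:04:00", "2023-10-03T08:40:00", True),
    ("high",     "2023-10-03T09:15:00", "2023-10-03T09:27:00", "2023-10-03T10:05:00", False),
    ("moderate", "2023-10-04T13:00:00", "2023-10-04T13:20:00", "2023-10-04T14:30:00", False),
    ("high",     "2023-10-05T22:10:00", "2023-10-05T22:18:00", None,                  False),
]

def elapsed(start, end):
    """Time between two ISO 8601 timestamps."""
    return datetime.fromisoformat(end) - datetime.fromisoformat(start)

def mean_delta(deltas):
    """Mean of a sequence of timedeltas, or None when there is nothing to average."""
    deltas = list(deltas)
    return sum(deltas, timedelta()) / len(deltas) if deltas else None

def soc_metrics(alerts):
    """Summarise a batch of alerts the way the monthly figures above are reported."""
    # Alerts not yet acknowledged or resolved are left out of the means rather
    # than counted as zero, which would make the SOC look faster than it is.
    mtta = mean_delta(elapsed(t, a) for _, t, a, _, _ in alerts if a)
    mttr = mean_delta(elapsed(t, r) for _, t, _, r, _ in alerts if r)
    escalated = sum(1 for alert in alerts if alert[4])
    return {
        "total": len(alerts),
        "by_severity": Counter(alert[0] for alert in alerts),
        "mtta": mtta,
        "mttr": mttr,
        "open": sum(1 for alert in alerts if alert[3] is None),
        "escalation_rate": escalated / len(alerts) if alerts else 0.0,
    }

if __name__ == "__main__":
    m = soc_metrics(ALERTS)
    print(f"alerts={m['total']} by_severity={dict(m['by_severity'])} open={m['open']}")
    print(f"MTTA={m['mtta']} MTTR={m['mttr']} escalated={m['escalation_rate']:.1%}")
```

Reporting the count of still-open alerts next to MTTR matters because a mean over resolved alerts alone hides a backlog.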
The SOC Engineering Lead discussed an internal SOC-led phishing exercise that was conducted in February. The five-day phishing campaign included an initial email to Pondurance clients, an artificial intelligence (AI) website, and a follow-up email. The Pondurance team used endpoint detection and response (EDR) to see who clicked on what link and who ran what command. The EDR had the ability to track when users clicked, investigated, or visited the website on their own. The team was interested to see which users would dig deeper and what they did with the data.
- Initial email. Users were asked to execute commands as directed in the email and on the website. Within the second paragraph of the email copy, there was a link that was not listed anywhere on the website, so if a user clicked on the link, the team would know the user engaged with the email. The email was flagged as phishing by the email client, even before anyone reported it.
- Website (indy-ai.com). The team used a fully fleshed-out template with some customization on the About Us and Contact Us pages. The website offered users the ability to play with an AI image generation tool where they could view board members in various genres, including cyberpunk hacker, Greek statue, Disney princess, and more.
- Follow-up email. The team sent a second email to entice users to interact with the website. The bottom portion of the email included a chat between two apparent users as “social proof” that other users were having a good time using the tool. This email was delivered with less of a phishing label than the initial email.
He discussed the lessons learned from the campaign. Overall, the campaign did entice people to engage with the website, though it didn’t generate as much interest as the team had expected. Only a few people clicked the “report as phishing” button. The EDR was able to track the users that clicked on or ran a command. The team found people interacting with the website from nonwork devices. The team also found that users went to VirusTotal or UrlScan or investigated the website in some other way before they clicked, which means they were doing their due diligence and not just blindly running commands or visiting the website.
The SOC Engineering Lead also offered several phishing tips for users:
- Confirm via a separate means of communication that the action you want to perform is coming from a valid source
- Carefully consider any call to action that is urgent in nature, especially if it is unexpected
- Verify your action before clicking or downloading
- Know your company standards or know who you can ask about them
- Trust your instincts — if something feels wrong, it probably is
- Move to number-matching MFA to avoid push fatigue, and never share your authentication number
The Pondurance team will host another webinar in December to discuss new cybersecurity activity. Check back next month to read the summary.