Tales from the Trenches – S01E02
Know Your Enemy but Know Yourself First
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” – Sun Tzu, The Art of WarNo self-respecting cybersecurity article would be complete without at least one Sun Tzu reference and if you have spent any time in the industry, you will have heard this mantra several times. At the recent Secure Miami conference, there was a great discussion on career opportunities within cybersecurity. As usual, the sexy, tier 1 roles like ethical hacker and penetration tester got the limelight. It is in this context that this Sun Tzu quote is usually applied. You need to understand how the enemy thinks in order to be better prepared. I won’t disparage the value of these roles however, I’m going to share an alternative, yet the equally important application of Sun Tzu’s adage.
The following tale focus on knowing yourself. These two incidents happened nearly ten years apart with different organizations. Both organizations fell victim to malware. In the older case, the malware created a denial of service condition rendering the Windows systems inoperable. In the more recent case, the malware in question was a form of ransomware and rendered the infrastructure inoperable and extorted the organization for their own data.This first story has two parts and goes back a few years – to a kinder and gentler time when malware was less malicious! It started when a customer called me about some malware that had infected a couple of systems. I rolled out and we quickly determined that it was a new strain that was not yet detected by the antivirus signatures. It was, however, spreading rapidly across the local network. This was evidenced by the infected systems becoming very slow. We immediately shut down the WAN connections, particularly those to other countries. Within an hour we had an emergency AV signature file from our vendor and began the deployment. As we had all hands on deck to assist with this location, we also made a point of walking to each office and ensuring that the computer was updated, rebooted and an explicit AV scan performed of the local drives. We all know that new malware surfaces daily, but the puzzle was how it managed to spread so quickly, in particular from workstation to workstation. After a bit of digging, we discovered that the Windows Domain Users group was made of a member of each computers’ Local Administrators group. It was and is still all too common practice for IT administrators to take this shortcut and grant users administrative rights. The result of this shortcut was that the source of the infection, a single user, was able to infect every workstation in the local office! Had administrative rights not been granted, the infection would have been contained to that computer and the user’s connected network shares. Within 12 hours, we had the incident resolved with no loss of data or reputation to the organization. As part of the after-action plan, we began implementing a relatively new file-reputation add-on to their AV that reduces the risk of new malware impacting systems before the vendor can develop, test and release signatures.
The second part of this tale actually occurred in parallel. During our initial investigation, I called some peers to see if they had recently experienced anything similar. As it turns out, one of my peers was also in the midst of an incident response and for the same malware! This organization had recently deployed, the previously mentioned, file-reputation add-on. Most of this organization was protected and was actively alerting security administrators as to the source of the infections. The problem was that the source of the infections was a set of computer labs, previously unknown and undocumented. These labs were funded out of a separate budget and connected to the organization’s network – all without ever informing central IT or security. As a result, the organization standard security policies and tools were never implemented. Eventually, through clever use of a host intrusion prevention system, the infections in the labs were contained and the systems cleaned and secured.If you have attended one of my classes, workshops or seminars, you will know that I am a great fan of keeping things simple. The simpler it is, the easier it is to understand, manage, troubleshoot and document. When it comes to cybersecurity, focusing on infrastructure, here are five simple questions or points to address:
- What is connected to your organization?
- What is running in your organization?
- Who has administrative rights?
- How is your organization being monitored?
- How do your various tools work together for correlation, integration, and automation?
Trackback from your site.