CYBER THREAT ARTICLE - RANTINGS OF A CYBER SECURITY ANALYST (OCTOBER EDITION)
Rantings of a Cyber Security Analyst - (October Edition)
Layered Defense. I am sure many in the security field have heard this term. Most understand it as having different solutions protecting different portions of the infrastructure: a firewall for the network, endpoint protection for the devices, some form of multi-factor authentication for better verification of access… the list goes on.
What I personally feel goes wrong is treating this as a checklist. Do I have a firewall? Check. Endpoint security? Check. Once all these requirements are checked, my security is good. Right?
Not completely, in my opinion.
When I was still new to cyber security, I attended a meeting with a bank’s security team. One of the team members said, “We can buy all available solutions, block everything, but is that feasible? If it is not, what is the risk of this, and how do we minimize or control the risk?”
This statement stuck with me and really made sense. Another, more general statement that should always be remembered is, “if it's too good to be true, it probably is”. Let’s use the simple example of a house.
Let’s say you just built a house, and naturally you would want to secure it. Maybe fence up the entire property? What is the crime rate like in the area? What would be the risk of not having a fence? Even with a fence, you would still have a door into your home. If the risk is high, or you are just paranoid, you may even consider having a gate in front of the door. As you shop for locks, a salesperson comes over and tells you the lock he sells is unpickable, so you need not even bother with an additional gate. Too good to be true?
Now you look around your house and notice it is possible to climb in through the windows on the first floor. The solution would be to fit grilles, but what about the second-floor windows? What are the chances of someone climbing up and reaching the second-floor windows? Do I want to spend my budget on grilles for the second floor, or invest in an alarm system instead?
In this example, the planning and design of the security is based on risk. Ideally, I think it would be great if all cyber security personnel planned their security this way. As the term “Layered Defense” states, you build layers to reduce risk. There is no silver bullet, so the decision on which product to purchase, and even how it is configured, should be made with reducing risk as the goal. But remember, there is no such thing as zero risk: no combination of controls will ever reduce it to zero.
Back in the cyber world, a common example I hear is companies running legacy operating systems because business-critical software was not designed to run on the newer, supported ones. Once the vendor stops releasing patches, any newly discovered vulnerability stays unpatched, and that is a security risk. So how do you secure these systems? Do you still treat them like your other servers running supported operating systems? Slap on an anti-malware solution and call it a day? Instead, use a risk management approach. Must this server be public facing? Is it possible to restrict which hosts, and even which protocols, can reach it? For the service to function, must it be joined to the domain? Is it possible to store the important data on another server that can be better secured? Working through these questions produces a feasible security design for the legacy system, with risk that is much more manageable: even if the server is compromised, what it can reach on other systems has already been considered and limited.
So where does Cyber Threat Intelligence come into play here? Remember there is no silver bullet in security, and Cyber Threat Intelligence is just another layer. As the name implies, it is not a product but information. The value of CTI is the capability to learn the methods currently being used to breach environments before they are used against yours. One common way is to monitor intelligence on threats against companies in the same industry.
For example, if the company I am securing is a hospital, I monitor the healthcare industry. Understanding how a threat actor is currently targeting exposed MSSQL servers, for example, lets the team first check whether they have an exposed MSSQL server at all. If they do, the next step is to check for the same traits: the build version of the MSSQL service, and signs of attempts to remotely exploit it and run commands on the system. Even if all of these are covered (the server is patched, XDR is in place to monitor it and threat hunts have been run on the related indicators), the 5 Ws and 1 H, which I talked about in the last article, should still be asked. Why is this server public facing? What other services is it running? How can I reduce the risk of this exposed server? Should this MSSQL server, holding data that poses a risk if stolen, be exposed to the public at all, or is there a way to restrict access, such as requiring a VPN or only allowing a specific remote IP to reach it?
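The checks described above (confirm the build version, look for remote exploitation attempts and for commands being run on the server) can be turned into a small hunt over the SQL Server ERRORLOG. The following is an added example in Python, not code from the original article or from any product it mentions. The ERRORLOG lines are constructed for the example (the line layout and message texts follow the real ERRORLOG format), and the brute-force threshold and window are assumed values a team would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG, not a real capture. The layout (timestamp,
# source column, message) and the message texts follow the real SQL Server
# ERRORLOG format: the startup banner carries the build number, failed logins
# carry the client IP, and enabling xp_cmdshell is logged as a config change.
SAMPLE_ERRORLOG = """\
2023-10-03 14:00:01.10 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
2023-10-03 14:02:11.55 Logon       Error: 18456, Severity: 14, State: 8.
2023-10-03 14:02:11.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-10-03 14:02:12.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-10-03 14:02:12.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-10-03 14:02:13.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-10-03 14:02:13.79 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-10-03 14:02:14.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-10-03 14:10:00.00 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-10-03 14:15:42.01 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(\S+)\s+(.*)$")
BUILD_RE = re.compile(r"Microsoft SQL Server .*?(\d+\.\d+\.\d+\.\d+)")
FAILED_LOGIN_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
XP_CMDSHELL_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(text):
    """Return (timestamp, source, message) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            entries.append((ts, m.group(2), m.group(3)))
    return entries


def extract_build(entries):
    """Build number from the startup banner, to compare against the build CTI says is targeted."""
    for _, _, msg in entries:
        m = BUILD_RE.search(msg)
        if m:
            return m.group(1)
    return None


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=5)):
    """Clients with at least `threshold` failed logins inside any sliding `window`.

    Threshold and window are assumed values; tune them to the server's normal traffic.
    """
    times = defaultdict(list)
    for ts, _, msg in entries:
        m = FAILED_LOGIN_RE.search(msg)
        if m:
            times[m.group(2)].append(ts)
    flagged = {}
    for client, stamps in times.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):
            # advance j to the first failure outside the window starting at stamps[i]
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[client] = best
    return flagged


def xp_cmdshell_enabled_at(entries):
    """Timestamps at which xp_cmdshell was switched on: a sign someone wants to run OS commands."""
    return [ts for ts, _, msg in entries if XP_CMDSHELL_RE.search(msg)]


def hunt(text):
    """Run all three checks over one ERRORLOG and return the findings."""
    entries = parse_errorlog(text)
    return {
        "build": extract_build(entries),
        "brute_force": failed_login_bursts(entries),
        "xp_cmdshell_enabled_at": xp_cmdshell_enabled_at(entries),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_ERRORLOG).items():
        print(f"{key}: {value}")
```

On the constructed log this flags 203.0.113.5 with six failures in a few seconds, leaves the single failure from 198.51.100.7 below the threshold, and reports the moment xp_cmdshell was enabled. A positive result is the cue for the questions that follow in the article (why is the server exposed, can access be restricted to a VPN or a fixed source IP), not just a ticket to block one IP.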
This entire process is a cycle: threats will always evolve, and continuously studying them allows the security team to learn the new risks and adapt their strategy to defend against each new threat.
Another common mistake I often see is companies getting a NAS and backing up data to it. That is a great first step towards data resiliency in the event of a hard disk failure, but by itself it does not reduce the risk of a breach.
“I have data backed up, so if I get hit with ransomware, I can recover from the NAS.”
That’s the statement I often hear, but when hit with an actual ransomware attack, failing to realize that this is a human adversary whose goal is to make sure all your business-critical data, including the backups, is encrypted is devastating. Adversaries easily realize there is a NAS in place, through mapped drives, applications on the server itself, or the scheduled tasks. And often, for convenience, access to the NAS from the server is unhindered. The result is that the data on the NAS gets encrypted too. I have also seen cases of adversaries simply resetting the NAS to factory defaults, wiping out all the data in the process.
In a risk management approach, questions such as “What if the NAS gets compromised?”, “How do I secure the NAS?” and “Do I have another copy of the data, maybe a week old, stored offline?” should be asked.
This is the reason many security practitioners say “Assume breach”. Daunting as it may sound, companies need to understand that this is the way to design their security, and smaller organizations should approach a security advisor who plans using the same risk management approach.
Biography
Harvey Goh
Harvey Goh is a cyber security specialist who has been in the cyber security industry for over 15 years as technical personnel. Currently he is working as part of Sophos’ Managed Threat Response team. He is also a member of AiSP CTI SIG, EXCO and a volunteer at CSCIS CTI SIG.
Views and opinions expressed in this article are my own and do not represent those of my places of work. While I make every effort to ensure that the information shared is accurate, I welcome any comments, suggestions, or corrections of errors.