Security Tool Consolidation to fight “Tool Sprawl”

I’ve been talking about the problem of “Tool Sprawl” for over four years. I may have made up the term, or acquired it from somewhere else. I don’t remember. But the core idea is that buying a ton of security tools to fill in compliance gaps and spit out alerts doesn’t equate to security.  Even the coolest cyber security technology can be rendered useless if it is part of an avalanche of technology that an enterprise is trying to manage and respond to.

The clearest example of this is the constant problem of misconfigured firewalls, both traditional and next-gen, that have created a whole new category of products centered around validating FW rules and configurations or “Rule Clean Up.”  I’ll start by saying I think that those products are worth it, and I have proposed them to customers and would advocate they be used by any enterprise looking to protect their perimeters.

The problem is that only one category of product is being addressed to double check configurations.  What about your WAF/ADC, IPS/IDS, AV, EDR, Active Directory, PAM, vulnerability scanners, route/switch, or *gasp*? Shall I go on? How do we know anything in our network, end-point, and security tool environments are set up and configured right?  Adding more tools to check our tools only compounds the problem of tool sprawl mentioned above.

As a recovering Data Center enterprise architect, and present cyber security enterprise architect, my desire is to keep things simple, yet effective.  I am drawn to products and services that provide both Security ROI and Financial ROI.  Most assume correctly what a Financial ROI is, but what is “Security ROI”?  I look at it as quantifiably moving an enterprise’s security posture forward vs. the dollars spent.  Some good quick hit products in the security field are high bang for the buck I can rank with another tools Security ROI.  Believe it or not, there are some security tools out there that actually offer a true Financial ROI as well.  The best reduces both CAPEX and OPEX costs, as well as the labor overhead needed to manage everything.

The absolute home runs have both Security ROI and Financial ROI.  These are rare of course.  Keep an eye out for our soon to be released Federal whitepaper that will detail more about enterprise architectures and some go-to solutions that do have both. One of those solutions in our whitepaper is called security efficacy testing and automation. Sometimes referred to as “Security Instrumentation”, this software exposes misconfigured security tools, overlapping security products, confirms security teams are correctly responding to incidents, and allows an agency to continuously validate and improve layered defenses.  Often deploying a Security Instrumentation platform can immediately improve the security posture of an agency, as well as improve SOC processes in dealing with an incident, both with simple changes and little capital expenditure.

This is exactly what enterprise security teams need to battle tool sprawl.  Once you are able to identify what is and what is not working, you can justify consolidation and possible removal of ineffective tools, opening up CAPEX and OPEX for new tools that can fill in the gaps.

Join GuidePoint Security and Verodin on Feb 8th to hear more about security tool consolidation and how government agencies can move their security posture forward with less funds.

 

Click here to Register for the Feb 8th, 2018 Webinar.

 

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.

Firefox

vSOC SPOT Report: Mozilla Firefox Arbitrary Code Execution Vulnerability

Overview

On January 29th, Mozilla developer Johann Hofmann reported that there was a major Arbitrary Code Execution vulnerability (CVE-2018-5124) within the browser’s user interface (UI) that allows a remote attacker to execute specially crafted code by exploitation of the unsanitized HTML output in the browser’s “Chrome” component. The UI vulnerability has received a CVSS score of 8.8 out of 10 due to the ability for it to be easily exploited without the user’s knowledge.

Technical Overview

The attacker hides unsanitized HTML code within the Firefox “Chrome” component, which does not run separately from the HTML present on a web page. If the attacker hides unsanitized HTML inside the browser’s UI code, the execution chain can be broken away from Firefox’s UI component and allow commands to be run on the computer. The code itself runs with whatever the current user’s privileges are. For example, if the user is an administrator then the code can run SYSTEM level commands. Due to the fact CVE-2018-5124 relies on running untrusted code, it has the ability to be hidden within an iframe, loaded-off screen, or loaded via a drive-by download without the user’s knowledge.

Potential Impact

Exploit kit developers are expected to jump on this vulnerability and add CVE-2018-5124 to their arsenal of targeted vulnerabilities in order to load malware on users’ machines. The biggest impact would come from exploitation of this flaw involving a user with administrative privileges and could allow an attacker to gain a foothold due to the factors involving this vulnerability by running SYSTEM level commands on the compromised system. This security flaw allows an attacker to easily deliver malware and potentially gain control over the user’s machine. This vulnerability is not currently known to affect Firefox for Android and Firefox 52 ESR.

What You Should Do

It is recommended that users update their version of Mozilla Firefox if it is one of the following versions:

  • Mozilla Firefox 56.x
  • Mozilla Firefox 57.x
  • Mozilla Firefox 58.0.0

Mozilla has fixed the flaw by sanitizing the code executed by its chrome UI component, and this is included as part of the new patch released for the vulnerable versions.

Supporting Information

ATM

vSOC SPOT Report: Ploutus-D ATM Malware

Overview

On Friday, January 26th, vendor Diebold Nixdorf released a statement to customers housing their front load ATM appliances of an attack being leveraged against them. The Ploutus-D malware, which has previously been seen in Latin America, has been observed in several regions of the United States including the Pacific Northwest, Texas, and several locations across the Southeast. The attack is coined “Jackpotting” due to the ability to make the ATM device unload all of its funds.

Attack Details

In order for an attacker to gain access to implant the malicious binary, they must have physical access to the device. They must open the top hat of the ATM via a clone key, picking, forcing the lock or any other method. Once they gain physical access, the attacker will attach a USB or PS/2 keyboard and either load the malicious binary via USB drive or other removable media or will replace the hard drive of the system with one preloaded with the malicious operating system and program files. Once complete, this will allow the attacker to “jackpot” the ATM directly via command line or remotely via SMS text message.

Recognizing Jackpotting Attacks

Physical access is necessary to perform this attack as well as potential damage to the device. Routine sweeps should be made by the device administrator to ensure there is no damage to the locking mechanism, top hat, or casing indicating that the device has been tampered with. Additionally, if the device has a built-in tamper alarm to the opening of the top hat, it should be enabled.

ATM

Image 1: Hole drilled into ATM for endoscope – Courtesy of EuroPol

Keyboard Attached to ATM

Image 2: Top hat removed and Keyboard attached – Courtesy of FireEye

How Jackpotting Works

The attacker gains physical access to the computer inside the ATM either via forcing the top hat, or in the case of embedded systems, via social engineering their way into the maintenance area for the devices. They then load the Ploutus-D Configuration utility (AgilisConfigurationUtility.exe) along with software dependencies onto the system which permits the attacker control. Once the applications are installed, the malware hooks into the keyboard and permits the use of the “F” function keys (typically at the top of the keyboard, as in the above image) as well as the number keys to provide input. At this point, the attacker can press the “F3” key and distribute funds from the device without authorization or can close everything back up and create a cash drop where they are able to distribute funds at their leisure.

In order for this particular attack to be successful, the attacker MUST have the 8 digit activation code, which is only valid for 24 hours.

Attack Detection and Prevention

To detect and prevent this attack, the best starting point is to reinforce the device’s physical security. Additional security controls for ATM maintenance and stronger access control are critical. Additional options to reduce the attack surface are:

  • Many of the ATMs in circulation use the same keys. Replacing the top hat lock with a different lock will reduce the instances of this crime.
  • Have a technician physically inspect the device at regular intervals to ensure it has not been tampered with.
  • Use appropriate locking mechanisms to secure the head compartment of the ATM.
  • Control access to areas used by personnel to service the ATM.
  • Implement access control for service technicians based on two-factor authentication.
  • Use firmware with the latest security functionality.
  • Use the most secure configuration of encrypted communications including physical authentication:
    • Agilis® XFS for Opteva®
    • Advanced Function Dispenser (AFD) Version 4.1.41 incl.AFD Application Firmware Version – 6.0.1.0 (or later)
    • Agilis® XFS for Opteva®, Core Version 4.1.59 (or later)
    • Optional – OSD+/DSST 3.3.30 (or later)
  • Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser.
  • Have a plan in place for what to do if someone has physically tampered with the ATM.
    • Who is the point of contact?
    • Who is your local law enforcement agency?
    • Do you have a regular contact there?
  • Running regular updates and ensuring that your operating system is still supported (Many of these attacks are made far easier due to the ATM running Windows XP).
  • Implementation of full disk encryption and encrypt the connection between the ATM and the dispenser.

Affected Systems

  • Diebold Nixdorf Front-load Opteva terminals with the Advanced Function Dispenser (AFD).
    • Opteva 500 and 700
  • Other terminals and ATM vendors without physical authentication could be affected.

IOCs

The following IOCs are available to detect the instance of the attacker:

FileSystem:
  • [D-Z]:\Data\P.bin
  • C:\Diebold\EDC\edclocal.dat

The following files should be found at the same place where the service Diebold.exe is located:

  • Log.txt
  • Log2.txt
  • P.bin – Mac address of the system, plus string: “PLOUTUS-MADE-IN-LATIN-AMERICA-XD”
  • PDLL.bin – Encoded version of P.bin
Mutex names:
  • Ploutos
  • DIEBOLDPL
  • KaligniteAPP
Services:
  • Service Name: DIEBOLDP
Registry:

\\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=”Diebold.exe,%system32%/userinit.exe”

Additional Resources

Cisco Logo

vSOC SPOT Report: Cisco Adaptive Security Appliance RCE & Denial of Service Vulnerability

Update (2018-01-31): SNORT Signatures

After further research, vSOC has located Snort signatures published by the fox-srt team, which can detect exploitation of this vulnerability.

# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:

alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02 08 |"; distance:1; within:2; fast_pattern; byte_test:4,>,5000,4,relative; byte_test:2,>,5000,10,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,52,relative; byte_test:4,=,fragment_match,136,relative; byte_test:4,=,fragment_match,236,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:4;)

alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)

These alerts have been provided by fox-srt and can be found at their GitHub site: https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb

Overview

On Monday January 29th, Cisco released a statement to customers that they had identified a vulnerability (CVE-2018-0101) affecting Cisco ASA (Adaptive Security Appliance) and Cisco Firepower Threat Defense Appliances via the Secure Sockets Layer (SSL) VPN functionality of the devices which could allow an unauthenticated remote attacker to create a denial of service condition by reloading the device to remotely execute specially crafted malicious code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is turned on for the Cisco ASA device.

Attack Details

The vulnerability makes this very easy to exploit and as a result, it was rated a 10 out of 10 on the CVSS (Common Vulnerability Scoring System). The attack involves an attacker sending multiple crafted malformed XML packets to the Cisco ASA devices and Cisco Firepower software. If the exploit is successful, the attacker will then have the ability to execute unauthorized code on the devices. Depending on the nature of the code, the attacker can gain full control over the device. This attack does not require physical access and can be carried out remotely. The ASA device(s) are only vulnerable if they have the webvpn feature enabled within the OS settings.

Attack Detection and Prevention

Attack patterns will vary once exploits are developed and used in the wild. Some possible detection methods include monitoring XML packets sent to Cisco ASA hosts via packet capture, or to monitor for sudden regular spikes in traffic sent to Cisco ASA hosts, as these spikes would likely be an attempt to force constant restarts on the device. To determine whether the webvpn service is enabled, administrators can use the command show running-config webvpn at the command line. Additionally, the show version command can be run to verify which version of Cisco ASA Software is running on the device. The Cisco Adaptive Security Device Manager (ASDM) can also show the software release in the table that appears by the login window, or in the upper-left corner of the ASDM interface.

The show version command will also show the release version for Cisco Firepower Threat Defense (FTD) devices. Version 6.2.2 of FTD devices are vulnerable because it incorporates code from both Firepower and ASA devices, as it was the first release that supported the Remote Access VPN feature.

Affected Systems

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software

Recommendations

Cisco has released several tables showing the versions to update to and the original ASA major release. It is recommended to ensure both the ASA devices and FTD software is updated to the version released to counteract the vulnerability.

Cisco ASA Major Releases

[1] Cisco ASA Major release table (Cisco, 2018)

Cisco FTD Major Relases[1] Cisco FTD Major release table (Cisco, 2018)

Workarounds

There are no workarounds for this vulnerability. However, Cisco has already released updates that address this vulnerability. Versions that include this fix are listed in the ASA Major release table above.

Additional Resouces

Intel AMT

vSOC SPOT Report – Intel AMT Vulnerability

Overview

On Friday, January 12th, 2018 researchers at F-Secure disclosed a vulnerability involving Intel’s Active Management Technology (AMT) firmware. The vulnerability can allow an attacker with physical access for as little as 30 seconds to gain full remote access to the machine.

This bypasses operating system logins, BIOS, TPM, BitLocker and local firewall credentials. Mitigation primarily involves disabling AMT or changing the AMT default credentials, which are different from that of the BIOS and the OS.

Technical Overview

Intel’s Active Management Technology (AMT) is a feature built into Intel processors that use vPro, as well as in machines using processors from their Xeon line. This limits the effect primarily to enterprise-grade workstations and servers.

The vulnerability was discovered in July of 2017 by F-Secure’s Harry Sintonen, however, it was not disclosed until the morning of January 12th, 2018. A timeline of events between discovery and disclosure can be found on his website.

Attackers can access the machine by pressing ctrl-p during the machine’s boot-up sequence to access the boot menu. From there all that’s required is to navigate to and select  “Intel(R) Management Engine BIOS Extension (MEBx)”, select “MEBx” login and type in the default password of “admin”.  Additionally, if USB provisioning has not been disabled it’s also possible to carry out the attack automatically with a properly setup and configured flash drive.

Once MEBx has been entered via the boot menu, the intruder can then change the default password and enable remote access. While ethernet access will be available “right out of the box,” wifi access is not enabled by default. However, this can be easily set with a few changes to the wireless management once ethernet access has been established. Configuring the machine to reach out on it’s own is also possible via Client Initiated Remote Access (CIRA). This means that the system can still be accessed from any network on which the client can send outbound data through the firewall.

Potential Impact

All Intel processors that utilize vPro software or possess an Intel Xeon processor are potentially vulnerable. The exception to this seems to be Asus laptops or those that have been specifically configured to request a BIOS password before allowing access to the AMT MEBx extension.

A list of all vPro systems and manufacturers is available from Intel’s website here: https://msp.intel.com/find-a-vpro-system. Unfortunately, there does not seem to be an equivalent resource for those machines containing Xeon processors.

What You Should Do

Mitigation primarily involves one of two aspects, the first of which being to disable AMT altogether, however, this is not possible in some business contexts depending upon how reliant the organization is on AMT facilitated services.

The second method of mitigation is to go in and manually set a password for AMT. This provides some measure of protection, however, it can still be bypassed by performing a CMOS reset. This is generally done by removing and replacing the CMOS battery, or shorting a jumper on the motherboard, which essentially turns the CMOS memory “off and back on again”. Simply turning off the host does not affect the CMOS.

This is still recommended if AMT cannot be disabled as it significantly increases the amount of time and difficulty for an attacker to successfully carry out the attack, reducing the likelihood of a successful compromise happening unnoticed in a public place, such as through the proverbial “evil maid” attack.

It’s also worth noting that some vulnerability and system management tools also often collect data and statistics such as hardware information. This could be useful for identifying how many and which machines may be vulnerable to the attack.

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

vSOC SPOT Report – Spectre and Meltdown

Overview

On January 1st, 2018 Intel disclosed a critical alert around a large variety of Intel CPUs that allows an attacker to read memory belonging to other processes. Further details from Google Project Zero, Cyberus Technology private researcher Paul Kocher, and various universities surfaced January 3, including white papers. The vulnerabilities are named Spectre and Meltdown. Numerous other names also circulated in the press and on social media, including Meldown [sic], KAISER, KPTI, and FUCKWIT [sic].

Spectre has been assigned CVEs CVE-2017-5753 and CVE-2017-5715. Meltdown has been assigned CVE CVE-2017-5754. Some elements of Spectre, at least for the moment, cannot be mitigated in software.

The flaws affect Intel CPUs produced after the original Pentium (P5 architecture), with the exception of Itanium and pre-2013 Atom CPUs, on all operating systems that run on the x86 and x86-64 architecture, including but not limited to Microsoft Windows, Linux, Mac OS X, and embedded systems using Intel CPUs.

AMD states its CPUs are immune to Meltdown but some researchers report Spectre works on AMD CPUs. AMD CPUs achieved a degree of acceptance in the 2005-2010 timeframe in enterprises but are much less common in enterprise environments than Intel.

Additionally, ARM has stated its high-end Cortex CPUs are vulnerable to Spectre. Apple uses ARM-based CPUs in its iPhone and iPad products but has not released a statement regarding their vulnerability or immunity to this flaw. Devices based on Google Android and Chrome OS also use ARM. Google has released patches but in some cases the patch has to be released by the device manufacturer and/or the carrier.

Linux vendor Red Hat states a the Spectre condition exists in IBM System Z, Power 8, and Power 9 CPUs.

This vulnerability was privately disclosed to Intel and operating system vendors, but security researchers working independently have developed proof of concept code. In a statement released on January 3, Intel stated it is working with AMD and ARM, as well as with major operating system vendors, on fixes.

Microsoft released emergency patches for supported versions of Windows on January 3, and is patching Azure on an accelerated schedule. Microsoft has not stated if end-of-life systems such as Windows Vista, Windows XP, and Windows Server 2003 will be included. Apple included fixes in macOS 10.13.2, and plans more fixes in macOS 10.13.3 by the end of the month. Google addressed the issue on Android and Chrome OS in its January 2018 security patch.

Patches for Linux are in work. Amazon has released patches for Amazon Linux. Customers can roll the patch to existing AMIs; new AMIs automatically have the patch in place. Red Hat has released patches for some versions of Red Hat Enterprise Linux, with patches for the other supported versions in work. Intel’s initial recommendation regarding Linux was incomplete.

Security researcher Erik Bosman released proof of concept code on Twitter on January 3. The original researchers will release their proof of concept code after security patches are released, including code that demonstrates stealing passwords.

Technical Overview

KPTI (Kernel Page Table Isolation) is a technique to isolate kernel code from userspace, so that the code is accessible, but only indirectly. It is a key security feature in modern CPUs and operating systems. Userspace is able to make calls to the kernel even though it does not know where it exists in memory. KAISER refers to a flaw that permits an attacker to defeat these measures and jump from CPU ring 3 (where user applications run) to ring 0 (where the kernel runs).

The exploit works by taking advantage of speculative execution. When faced with a branch in program flow, modern Intel CPUs will execute both possibilities, so it has the results ready ahead of time, and simply discard the result it didn’t need. Under some conditions, such speculative code runs with fewer security measures than normal code. The exploits take advantage of this unusual condition to bypass the CPU’s normal security measures. There are three conditions under which this can occur, not all of which are present in all affected CPUs.

Early reports had suggested this was a way to overwrite code. Intel has stated it only makes it possible for a process to read memory belonging to a different process.

Potential Impact

This vulnerability can be potentially exploited to defeat ASLR and KPTI on affected systems and read memory contents belonging to other processes running on the machine. At this point, the most useful scenario for an attacker would be to use it to steal passwords, credit card numbers, or other sensitive but succinct data from memory. On desktops and laptops, it can be exploited remotely via JavaScript residing on a web page. It could also be used in cloud environments to cross over into other virtual machines and steal data belonging to other customers.

The patches for this flaw may prove to be unpopular due to early reports stating to expect performance hits ranging from 5-30 percent. Reports from the field indicate 20% is a more common worst-case scenario on database and web servers. On desktops, the performance impact generally is minimal.

What Should You Do

Having a complete inventory of IT systems is critical for addressing vulnerabilities such as this one, including hardware make and model, CPU architecture, and operating system.

Scan your network for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Apply any applicable patches. Keep in mind some fixes will not be available until later in the month. If your vulnerability management solution permits, scan your Mobile Device Management platform to ensure you are running post-January 2018 versions of Android. Workstations and virtual machines in cloud environments, which have the greatest exposure to the outside world, should have the highest priority when deploying patches. Servers running on virtual infrastructure under your control will be harder to exploit.

There are some caveats to patching Windows for this vulnerability. A Microsoft article on compatibility issues between this patch and certain third-party antivirus solutions is included in the Supporting Information section at the end of this document. GuidePoint recommends you confirm with your antivirus vendor that its solution is compatible with Microsoft’s update for Spectre and Meltdown. As GuidePoint learns more regarding antivirus compatibility or lack thereof, we will post updates on our blog at https://www.guidepointsecurity.com/blog/.

Furthermore, under some conditions, the update for Windows 10 can throw a false error message stating that it failed when it succeeded. Follow up patching efforts with scanning from your vulnerability management solution to validate that patches actually did apply and are no longer vulnerable.

Slowdowns, although initially overstated, still have the potential to occur. The effect on workstations will be minimal. Servers that perform heavy I/O, such as web servers and databases, will incur more significant performance hits. GuidePoint recommends testing any applicable patches for performance impact before upgrading web farms. Be prepared to update software such as Apache that may need revisions to work around performance issues introduced by these security updates.

GuidePoint also recommends you advise your employees to update their personal computers and devices, with the caveat that your IT department is not responsible for providing support. Microsoft provides free support for home users of Windows who experience difficulty related to applying security patches.

References

Managing Spectre and Meltdown at Enterprise Scale

1/05/2018 Update:  Apple announced late in the day on 1/4 that its products are vulnerable. Its most recent versions of iOS 11.2.1 and macOS 11.12.3, released before this vulnerability went public, included some fixes. Apple is still working on further updates and will release them at an unspecified time in the future.

The dawn of the new year brings with it a pair of new designer vulnerabilities, Meltdown and Spectre, which affect virtually any CPU made after Intel’s original Pentium CPU, regardless of what operating system it runs.

What is Meltdown and Spectre?

Modern CPUs use a trick called speculative execution to speed up processing. When there is a branch in program code, the CPU runs both possibilities at once, then discards the one it didn’t need. Meltdown and Spectre use different tricks to find data from those discarded results and access memory that they normally wouldn’t be able to access.

An attacker could use this to steal passwords or credit card numbers, or in the case of cloud infrastructure, steal data from virtual machines belonging to other customers. In cloud environments, it is possible to read data belonging to the hypervisor or other virtual machines.

The biggest problems occur on Intel CPUs. CPUs from AMD and ARM are susceptible to a smaller number of more complex attacks, but still must be considered vulnerable. In enterprise environments, Intel CPUs are far more common than AMD or ARM.

Why should you care?

Almost any computer made in the last 22 years is vulnerable to one degree or another for this. These vulnerabilities have received a tremendous amount of coverage, even bleeding into the mainstream press, so everyone from customers to board members have likely heard about this and are concerned.

What can you do?

First, don’t panic. So far there are no reports of reliable exploits circulating in the wild. Operating system vendors are releasing patches as we speak. Spectre is difficult to mitigate at the CPU or operating system level, so browser makers are attempting to mitigate it at the browser level, since browsers are both an effective attack vector and an attractive target.

Scan your network with a proven vulnerability scanning solution. Check your results for CVEs CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, and check your web browser versions to build an inventory of patches that will need to be deployed and where. For best results, ensure you are scanning your entire network with authenticated scans. Vendors will be releasing updates through the end of January, so keep in mind, this is a moving target.

Chrome, Edge, Firefox, and Internet Explorer all received updates this week. Chrome will receive another update by January 23. Safari, Opera and Vivaldi will receive updates on or before January 31. Additionally, Google recommends enabling site isolation in Chrome. Opera and Vivaldi have the same feature. This setting is in chrome://flags/#enable-site-per-process.

If your vulnerability management platform is capable of scanning your mobile device management solution, scan your MDM solution as well to ensure your Android devices are running the January 2018 update from Google, and your iOS devices are running iOS 11.2.1 from Apple.

Microsoft released out-of-band updates for this, but its patch has issues with many third-party antivirus solutions. Unless you have other information direct from your antivirus vendor, GuidePoint Security recommends waiting until Monday for your antivirus vendor to catch up. On Monday, push the update to your antivirus client, then start pushing Microsoft’s update.

Patch in a controlled, prioritized fashion. Workstations and cloud infrastructure are the most critical, as they are most susceptible to attacks. Servers running on hardware you control are much more difficult to exploit, so they can be in your later round of patching. If possible, patch a test environment first so you can monitor for performance impact, as servers that do large amounts of I/O, such as database and web servers, can experience performance degradation of 20 or even 30 percent. Google and Intel have experimental mitigations to help with these degradations in the long term. However, these fixes will require recompiling code so these changes will take time to appear.

After patching, be sure to follow up with subsequent vulnerability scans. GuidePoint engineers have observed Microsoft’s patch giving false error messages that suggest the patch failed when, in fact, it had succeeded. Your vulnerability management solution has more thorough checks that can validate the patch actually succeeded. Microsoft is working on an update for this patch to fix the error messages.

If you cannot update all of your browsers, consider updating one browser and limiting general web access to one particular browser at your proxy server until you are able to update all of the browsers in your network. Please note that technologies like Microsoft EMET and Malwarebytes Anti Exploit, while very useful against certain types of exploits, are not able to protect your browser against Spectre and Meltdown.

GuidePoint Security is here to help

GuidePoint’s cybersecurity advisors have years of experience managing vulnerabilities in enterprise environments. We can help you ensure your vulnerability management solution is correctly sized for your environment, and our Virtual Security Operations Center (vSOC) Identify Team can even run your vulnerability management program for you. Learn more at www.guidepointsecurity.com.

Author

Dave Farquhar, vSOC Analyst at GuidePoint Security, is a Cyber Security professional who has worked in the field for 8 years with Vulnerability Management, Policy Compliance, and Incident Handling as his main focuses. Dave most recently managed accounts for 30 large customers at a major vulnerability management vendor, where he helped his most successful clients reduce their vulnerability counts by 50 percent. Prior to moving to security, Dave specialized in remediation management on the infrastructure side of IT. Dave has a Bachelors degree in Journalism from the University of Missouri as well as holding CISSP and Security+ certifications.

An Incident Responders Take on 2018’s Cybersecurity Predictions

In his article, The Top 18 Security Predictions for 2018, Dan Lohrmann’s roundup outlined the cybersecurity industry’s top predictions from some of the major industry vendors, including TrendMicro, McAfee, Symantec, Check Point, and others.

As with any prediction, there are always those who either agree, agree in part or totally disagree. I would place myself in the second category of agree in part, although there are a few salient points that I believe should be included.

Additionally, I am going to add a bit of fidelity to their predictions based on my market visibility and experiences. You will see some similarities and some differences in view but remember, they are based on my exposure to the industry, GuidePoint Security’s customer base, independent research I’ve performed, and input I have received from other valued Digital Forensics and Incident Response (DFIR) professionals.

Without further delay, here are my thoughts on the Top Security Predictions for 2018.

1) IoT devices will be the key victims for Ransomware

a. A lot of IoT device manufactures have implemented minimal security safeguards and these connected devices are low hanging fruit for attackers.
b. Moreover, these devices are relatively easy to target, have a highly visible public impact, and ransomware continues to provide a nice profit margin for attackers. I expect the combination of these factors to lead to a significant uptick in successful Ransomware attacks against IoT devices in 2018.

2) Most companies will take definitive action on the General Data Protection Regulation (GDPR) but only after the first set of high-profile fines or lawsuits are filed.

a. GDPR is the latest set of requirements that has companies scrambling to meet the compliance deadline, but few companies have invested the time and resources required to be properly prepared by May.
b. Also, with the EU wielding such power, European assets of American companies can be seized.

3) Malspam will increase and will focus on account compromises for Outlook Web Access (OWA) and Office 365 (O365) email/account access. Additionally, unsecured AWS and Azure environments could lead to large-scale compromises.

a. A large amount of companies are moving their email and Office environments into OWA and O365 as well as their workloads into Azure and AWS. As is often the case, security requirements are not included in these migrations in the haste to move to the new environment. (Remember, in 2017 we have already seen an uptick in the number of discovered publically accessible S3 buckets and there’s nothing to suggest that this will not continue well into 2018.)
b. Overall, malspam attacks are easy to execute and only requires gullible end-users to be successful.
c. Malspam success is based on the Human Element (HE) and you can never remove HE from cybersecurity, hence it will remain the weakest link in the chain

4) Companies in the cryptocurrency business will see the most attacks in 2018, with one or more declaring bankruptcy from the losses suffered in the attacks.

a. 2017 was a banner year for hacking the cryptocurrency businesses with at least one crypto currency dealer being hacked twice then filing for bankruptcy (e.g., Youbit[1]).

5) Non-malware and File-less malware attacks will dominate the tech industry.

a. These types of attacks were dominant and profitable in 2017 and I see them gaining strength in 2018. Many companies are ill-prepared to deal with these types of attacks, and the attackers are well aware of this weakness.

6) The Corporate Cyber Insurance industry will suffer large financial losses in 2018. This will not be a record for that industry but their claims will reach record levels.

a. I think the Cyber Insurance industry has a significant amount of maturing and change to accomplish in 2018.
b. The Cyber Insurance market will continue to explode. However, the common underwriting framework and process to measure the risk of the policies has lagged behind the policy writing.
c. I also believe the current cryptocurrency businesses are improperly designed and are too high of a risk for the cyber insurance market.

7) New POS malware variants will emerge in 2018 that will focus on EMV / Chip and PIN technologies with an increase of Ransomware targeting POS devices.

a. This is a bit of a reach for me but I refuse to believe the crime syndicates are not testing or trying to target Chip and PIN.
b. Ransomware on a POS device is simple, easy, cheap and effective and we will see it deployed effectively against retailers in 2018.

8) Online gaming agents will be used as bots in an DDoS attack. It is only a matter of time before this “innocent” avenue will be exploited and with the wide distribution of online gaming, these bots will be a force to reckon with in 2018.

a. This attack vector isn’t new but is often overlooked. I have been waiting for the past five years for this to happen and I think we are at that point in cyber-history to witness this type of massive distributed-global attack.

9) Increase in malware that targets PLC type devices. Much like we saw with the Trisis malware, the PLC device manufactures are unaware of how exposed they are to exploit and this type of targeting, especially for a Ransomware attack, can be extremely profitable.

a. With PLC devices connecting to the internet and/or to internal networks, most are not protected and large industrial corporations with deep pockets utilize the PLC devices. Therefore, with a well-planned Ransomware attack the payout could be massive.

10) NIST 800-171/ DFARS standard violations will outpace the US Government’s ability to contract and waivers will be provided to lessen the impact.

a. Many of the companies that claim compliance to 800-171 have scrambled to get a basic compliance program in place to meet the assessment criteria.
b. The DoD will need to make contracting adjustments to its FAR in order to keep up with DoD contracting demands.

Well, I guess it is a matter of record now, so we will have to revisit my prognostications in 2019 and see how close I was with each one.

Happy New Year everyone!

[1] https://www.pymnts.com/blockchain/bitcoin/2017/youbit-cryptocurrency-bankruptcy-south-korea/

Image credit: https://www.varmour.com/templates/varmour/images/easyblog/easyblog_articles/187/2108predictions.jpg

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence at GuidePoint Security, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.