Posts

January 2020’s Patch Tuesday

Guardicore Labs extracts what you need to know regarding the January 2020 Patch Tuesday and data centers.

Threats Making WAVs – Incident Response to a Cryptomining Attack

Guardicore security researchers present a full analysis of a cryptomining attack that hid its miner inside WAV audio files. The report covers the full attack chain, from detection and infection through network propagation and malware analysis, and closes with recommendations for optimizing incident response processes in data centers.

Iran Cyber Threats and Defenses

Guardicore Labs explains the danger and current status of Iranian cyber attacks.

How to Identify Accounts and Prioritize Risk for Privileged Access Management

Privileged Access Management (PAM) is understandably a high priority for today’s enterprises. Misuse of privileged accounts lets attackers escalate privileges across complex IT networks, finding open paths to critical assets or to sensitive data. This can seriously affect an enterprise’s ability to remain compliant with external regulations as well as internal governance mandates.

Let’s look in more detail at deploying Privileged Access Management, and how to prioritize risk for your own business needs.

Identifying your privileged accounts and credentials

In some cases you might have hundreds of thousands of privileged credentials in your IT ecosystem, and in an increasingly connected world they may be spread across an attack surface larger than you have considered before.

Your first step is visibility: being able to uncover every credential, from passwords and SSH keys to password hashes, access keys and more, across your entire environment, on premises, in the cloud and inside DevOps processes.

According to CyberArk, there are seven types of accounts to consider; poor hygiene or practices with any of them makes your enterprise a target for APTs and other serious cybercrime.

  • Emergency accounts: Access requires IT management approval and is granted only in an emergency. Because the approval is a manual process, these accounts often have few technical controls around them.
  • Local Administrative accounts: Shared accounts that provide admin access to the local host or session. Whenever IT staff need to perform workstation or server maintenance, or work on network devices, mainframes and other systems, these are the accounts they use. Password hygiene is often poor, as IT staff sometimes share the same password across an organization to make access easier. This is an open door for attackers.
  • Application accounts: Accounts used by applications to access databases, run scripts and batch jobs, or call other applications. Their passwords are often embedded in plain-text configuration files and copied across multiple channels and servers.
  • Active Directory or Windows domain service accounts: Password changes for these accounts are complex, as any update has to be synchronized across the applications and infrastructure that use them. Because of this, many businesses fail to rotate these passwords regularly. If this happens in a critical system such as Active Directory, you have created a single point of failure.
  • Service accounts: Local or domain accounts that an application or service uses to interact directly with the operating system. Depending on their role and requirements, these may have administrative privileges.
  • Domain Administrative accounts: These accounts have complete control over all domain controllers and can access and modify every administrative account in the domain. Their reach extends to every workstation and server in the organization’s network, so these credentials are under constant attack, whatever the environment.
  • Privileged User accounts: One of the most common forms of access granted on an enterprise domain; these users have admin rights on their local desktop or on a particular system. Users might choose strong passwords, but this is often the only security control in place.

How much risk each kind of account carries differs from enterprise to enterprise. It depends on your own digital crown jewels and most critical assets, on how you store and manage data, on which systems hold intellectual property or other sensitive information, and on where you have found vulnerabilities in your own ecosystem. It’s common to start with your highest-risk accounts and then use a phased approach to build out your PAM program.
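As an added example (not code from this post, and not CyberArk’s or Guardicore’s tooling), the script below walks the Linux side of that inventory: it parses passwd, group, sudoers and authorized_keys data, maps what it finds onto the account categories above, and ranks each finding so you can start with the highest-risk accounts. The file contents and the set of vault-managed keys are constructed samples; on a real host you would read the actual files and query your vault for the managed-key set.

```python
"""Inventory privileged Linux accounts and credentials and rank them by risk.

Added example, not code from the page or from Guardicore/CyberArk. The file
contents below are constructed samples; on a real host read /etc/passwd,
/etc/group, /etc/sudoers and each ~/.ssh/authorized_keys, and pull the
managed-key set from your vault's API.
"""
import re
from dataclasses import dataclass

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup_op:x:0:0:legacy backup operator:/root:/bin/bash
svc-deploy:x:1001:1001:deploy service:/opt/deploy:/bin/bash
svc-metrics:x:1002:1002:metrics agent:/var/lib/metrics:/usr/sbin/nologin
alice:x:1003:1003:Alice:/home/alice:/bin/bash
bob:x:1004:1004:Bob:/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:999:bob
"""
SUDOERS = """\
# constructed sample sudoers
root       ALL=(ALL:ALL) ALL
%sudo      ALL=(ALL:ALL) ALL
svc-deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
bob        ALL=(ALL) NOPASSWD: ALL
"""
# account -> contents of that account's authorized_keys (constructed)
AUTHORIZED_KEYS = {
    "root": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYALICE alice@laptop\n"
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCKEYJENKINS jenkins@ci\n",
    "svc-deploy": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYDEPLOY deploy@pipeline\n",
    "alice": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYALICE alice@laptop\n",
}
# Key bodies the vault manages and rotates (hypothetical set); any other key
# found on the host is unmanaged.
VAULT_MANAGED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKEYDEPLOY"}
ROOT_EQUIVALENT_GROUPS = ("wheel", "docker")  # membership is root on most hosts

SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*"
                       r"(?P<opts>(?:\w+:\s*)*)(?P<cmds>.+)$")

@dataclass(frozen=True)
class Finding:
    account: str
    kind: str    # category from the account list above
    risk: int    # 1 = highest priority
    reason: str

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users

def parse_group(text):
    return {f[0]: {m for m in f[3].split(",") if m}
            for f in (line.split(":") for line in text.splitlines())}

def parse_sudoers(text):
    # (who, runas, nopasswd, commands) per rule; comments and blanks skipped
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            rules.append((m["who"], m["runas"], "NOPASSWD" in m["opts"], m["cmds"].strip()))
    return rules

def expand_who(who, users, groups):
    # resolve a sudoers user spec (user, %group or ALL) to account names
    if who == "ALL":
        return set(users)
    if who.startswith("%"):
        return set(groups.get(who[1:], ()))
    return {who}

def inventory(passwd, group, sudoers, authorized_keys, managed_keys):
    users, groups, findings = parse_passwd(passwd), parse_group(group), []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append(Finding(name, "local administrative", 1, "uid 0 account other than root"))
        if name.startswith("svc-") and not u["shell"].endswith(("nologin", "false")):
            findings.append(Finding(name, "service", 3, f"service account with interactive shell {u['shell']}"))
    for grp in ROOT_EQUIVALENT_GROUPS:
        for member in groups.get(grp, ()):
            findings.append(Finding(member, "local administrative", 2, f"member of root-equivalent group {grp}"))
    for who, runas, nopasswd, cmds in parse_sudoers(sudoers):
        for acct in expand_who(who, users, groups) - {"root"}:
            if cmds == "ALL":
                findings.append(Finding(acct, "privileged user", 1 if nopasswd else 2,
                                        f"sudo ALL as {runas}" + (" without a password" if nopasswd else "")))
            else:
                findings.append(Finding(acct, "privileged user", 3, f"sudo limited to: {cmds}"))
    for acct, text in authorized_keys.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 2 or parts[1] in managed_keys:
                continue  # malformed line, or a key the vault already manages
            comment = parts[2] if len(parts) > 2 else parts[1][:12]
            risk = 1 if users.get(acct, {}).get("uid") == 0 else 2
            findings.append(Finding(acct, "ssh key", risk, f"unmanaged key {comment} grants login as {acct}"))
    return sorted(findings, key=lambda f: (f.risk, f.account, f.reason))

if __name__ == "__main__":
    for f in inventory(PASSWD, GROUP, SUDOERS, AUTHORIZED_KEYS, VAULT_MANAGED_KEYS):
        print(f"P{f.risk} {f.account:<12} {f.kind:<22} {f.reason}")
```

Run as-is, the priority-1 findings are the second uid-0 account, the sudoer with NOPASSWD on ALL, and the two SSH keys that grant root login without the vault knowing about them; that is the list a PAM rollout should onboard first, with the limited sudo rule and the service account that merely has an interactive shell coming later in the phased approach.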

What does protecting these accounts mean in practice?

Once you’ve established which accounts and credentials you want to protect, approach their protection in several ways. Credentials can and should be placed in a digital vault that requires multi-factor authentication for access. The best solutions record every privileged session (encrypted, with easy playback) and raise alerts on suspicious activity. In case of an audit or escalation, IT admins should be able to retrieve granular information about each session, down to individual keystrokes, and escalate it to the SOC or the next level where necessary. In case of a breach, automated responses can include suspending or terminating sessions, or rotating credentials to prevent further harm.

It’s also important to think about local administrative access, even though it might seem less dangerous at a glance. Protecting these accounts is essential if you are working towards the principle of least privilege or a Zero Trust security model. Every endpoint could be an entry point for attackers, allowing them to move laterally until they reach what they are looking for, and many users have far more permissions and access than they need to do their job each day. Look for a solution with least-privilege server protection for both Windows and *NIX, allowing you to manage permissions tightly and gain insight into each user’s activity. This goes a long way towards removing the coarse controls and anonymity that often exist in today’s data centers. On *NIX, it also removes the risk of unmanaged SSH keys, a well-known path for an attacker to log in with root privileges.

The same mentality needs to be front and center when you consider third-party applications and services, many of which require access to your network. These can be hard to keep track of, so strong monitoring is essential. Apply best-practice hygiene to commercial off-the-shelf applications too: remove hard-coded credentials, and manage and rotate the privileged accounts they use from your digital vault.

Protect from on-premises to cloud deployments

The vast majority of today’s enterprises work in a hybrid reality, with a network that spans on-premises and bare-metal servers all the way to cloud and container systems. Any PAM solution you deploy needs to handle both seamlessly. Managing DevOps secrets and credentials is an important part of your strategy, and so is making sure that your code retrieves the secrets it needs at runtime rather than having them hard-coded into the application. That lets you rotate and secure these secrets and credentials the same way you do on premises.
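To make the hard-coded-credential point from the last two sections concrete, here is an added example (not code from the post, and not CyberArk’s or Guardicore’s) that scans a few constructed configuration and script snippets for credential shapes that should never sit in plain text, skips values that merely reference a secret store, and contrasts a hard-coded password with retrieval through a hypothetical SecretProvider that stands in for a vault client.

```python
"""Scan text for hard-coded credentials and show the runtime-retrieval
pattern that replaces them.

Added example, not code from the page or from Guardicore/CyberArk. The sample
files are constructed; SecretProvider is a hypothetical stand-in for your
vault or secrets-manager client.
"""
import os
import re

# Credential shapes most often left in plain text. Checked in this order;
# the first pattern that matches a line reports it.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token|access[_-]?key)"""
        r"""[a-z0-9_]*\s*[:=]\s*["']?(?P<value>[^\s"']{4,})"""),
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}
# Values that reference a secret store or a placeholder rather than a secret.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>|\*{3,}|x{4,}|changeme|vault:.*"
    r"|os\.(?:environ|getenv).*|getenv\(.*)$", re.I)

SAMPLE_FILES = {  # constructed; path -> file text
    "app/config.ini": ("[database]\nhost = db.internal\npassword = Sup3rS3cret!\n"
                       "[aws]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                       "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "deploy/run.sh": ("#!/bin/sh\nexport DB_PASSWORD=\"${DB_PASSWORD}\"\n"
                      "curl https://svc-deploy:hunter2@repo.internal/artifact.tgz\n"),
    "deploy/id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
                      "-----END OPENSSH PRIVATE KEY-----\n"),
    "app/settings.py": "import os\nAPI_TOKEN = os.environ['API_TOKEN']\n",
}

def redact(s):
    # never echo the secret itself into a report or a ticket
    return s[:3] + "*" * (len(s) - 3)

def scan(files):
    """Return (path, line_no, pattern, redacted_match) per hard-coded credential."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, pat in PATTERNS.items():
                m = pat.search(line)
                if not m:
                    continue
                value = m.groupdict().get("value")
                if value and PLACEHOLDER.match(value):
                    continue  # a reference to a secret, not the secret itself
                findings.append((path, line_no, name, redact(value or m.group(0))))
                break
    return findings

class SecretProvider:
    """Hypothetical vault client: the platform injects secrets at runtime (here
    via environment variables); put your vault's SDK behind this interface."""
    def __init__(self, env=None):
        self._env = os.environ if env is None else env
    def get(self, name):
        if name not in self._env:
            raise RuntimeError(f"secret {name!r} was not provisioned")
        return self._env[name]

def db_password_hardcoded():
    return "Sup3rS3cret!"              # what the scanner flags; rotating it means a redeploy

def db_password_from_provider(provider):
    return provider.get("DB_PASSWORD")  # rotated in the vault, picked up on the next fetch

if __name__ == "__main__":
    for path, n, kind, shown in scan(SAMPLE_FILES):
        print(f"{path}:{n}: {kind}: {shown}")
    print(db_password_from_provider(SecretProvider({"DB_PASSWORD": "injected-at-runtime"})))
```

The placeholder check is what keeps this usable in a CI gate: a shell line that expands ${DB_PASSWORD} or a Python line that reads os.environ is the pattern you want, so it must not be reported as a finding, while the same keyword followed by a literal value is exactly the hard-coded credential the section above tells you to remove.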

Another large area to consider is SaaS. These applications often carry wide permissions; CRM software such as Salesforce, for example, is used by multiple teams. Privileged business users of these applications are one click away from sensitive customer data and can move around far more freely than other stakeholders. Multi-factor authentication helps here, as does isolating and monitoring access to shared IDs.

Compliance and Privileged Access Management

Many of the benefits of Privileged Access Management support compliance and internal governance strategies. Firstly, you have one centralized repository for all of your audit data, reducing costs and making reporting far easier. By enforcing privileged access automatically and monitoring it in real time, many audit requirements are met: every system that handles information processing across a heterogeneous environment is covered, with visibility and control over account usage.

In case of a breach, you have immediate insight into the incident, including where the breach occurred, when it happened, exactly what took place, and how to shore up defenses in the future. It’s easy to see how the right PAM solution can support compliance with a wide range of regulatory authorities, from SWIFT, and MAS-TRM, to SOX, GDPR and ISO 27001 certification.

Partnering with the best in the business

Guardicore has recently formed a partnership with market leader CyberArk, providing customers with a Privileged Session Management solution free of charge, ensuring that all Guardicore deployments meet the high security standards held by its customers. Joint customers will be able to leverage centralized control of all their privileged accounts and credentials, without duplication or sharing.

To download the Guardicore Privileged Session Management tool, head to the CyberArk Marketplace.

Windows Server 2008 R2 and Windows 7 are End of Life

Discover the steps to harden machines running Windows 7, Windows Server 2008 and Windows Server 2008 R2 against the inevitable unpatched vulnerability that will be disclosed for these systems.

Guardicore Centra Integration now available on CyberArk Marketplace

We had our first integration with CyberArk in 2016. One of our very early adopters, a CISO for a large telecommunications company, realized that Guardicore Centra was becoming a critical part of his security infrastructure and decided to integrate the two products.

The CISO understood that one of the biggest security threats for his organization was the misuse of privileged accounts with elevated permissions on IT systems. He decided to use CyberArk with Guardicore in order to manage privileged accounts and protect his critical assets. Guardicore secured access to critical assets via micro-segmentation and detection capabilities, and CyberArk managed the privileged access on these systems.

Since then, we have added additional features such as identity-based policies to provide a stronger overall solution, and many other customers have benefited from these integrated capabilities.

I am happy to update you that this integration of Guardicore Centra security platform and the CyberArk Privileged Access Security Solution has recently been made available on the CyberArk Marketplace, helping our joint customers accelerate their ability to meet compliance requirements and reduce security risk without introducing additional operational complexity.

By providing the Guardicore plug-in via the CyberArk Marketplace, customers can now more easily evolve their privileged access management programs. Our integration enables CyberArk customers to protect their hybrid cloud and data center while maintaining strong privileged access controls.

As a CyberArk C3 Alliance member, Guardicore will continue to work alongside CyberArk to deliver value to shared customers through an integrated plug-in, as part of their security stack.

Privileged access is pervasive and provides attackers the “keys to the IT kingdom.”

It is widely recognized that nearly all damaging cyber-attacks involve privileged account compromise. Attackers are then able to exploit this legitimate privileged access to establish a foothold and make lateral moves across enterprise IT infrastructure. Additionally, without least privilege, internal users might abuse their access rights. By integrating the capabilities of Guardicore Centra with the CyberArk solution, customers can be better positioned to detect and stop lateral movement using both software-defined segmentation and privileged access management.

Thinking about zero trust implementation? CyberArk combines with Guardicore to take you that much closer to the adoption of the zero trust model of security.

Want to read more about how Guardicore micro-segmentation can take you closer to adopting a zero trust framework? Download our white paper on getting there faster.

Read More

Where to Start? Moving from the Theory of Zero Trust to Making it Work in Practice

Going back many years, perimeter controls were traditionally adequate for protecting enterprise networks that held critical assets and data. The hypothesis was that if you had strong external perimeter controls, watching your ingress and egress should be adequate for protection. If you were a more sophisticated or larger entity, there would be additional fundamental separation points between portions of your environment. However these were still viewed and functioned as additional perimeter points, merely concentric circles of trust with the ability, more or less, to move freely about. In cases where threats occurred within your environment, you would hope to catch them as they crossed one of these rudimentary borders.

The Moment I Realized that Perimeters Aren’t Enough

This practice worked moderately well for a while. However, around fifteen years ago, security practitioners began to feel a nascent itch, a feeling that this was not enough. I personally remember working on a case, a hospital – attacked by a very early spear phishing attack that mimicked a help desk request for a password reset. Clicking on a URL in a very official looking email, staff were sent to a fake but official looking website where these hospital professionals were prompted to reset their credentials – or so they thought. Instead, the attack began. This was before the days of the Darknet and we even caught the German hacker boasting about what he had done – sharing the phishing email and fake website on a hacker messaging board. I worked for a company that had a fantastic IPS solution and upon deploying it, we were able to quickly catch the individual’s exfils. At first, we seemed to be winning. We cut the attacker off from major portions of a botnet that resided on the cafeteria cash registers, most of the doctors’ machines and to my horror, even on the automated pharmacy fulfillment computers. Two weeks later, I received a call, the attacker was back, trying to get around the IPS device in new ways. While we were able to suppress the attack for the most part, I finally had to explain to the hospital IT staff that my IPS was merely at the entrances and exits of their network and that to really stop these attacks, we needed to look at all of the machines and applications that resided within their environment. We needed the ability to look at traffic before it made its way to and from the exits. This was to be the first of many realizations for me that the reliance on perimeter-based security was slowly and surely eroding.

In the years since, the concept of a perimeter has all but completely eroded, although it took quite a while for the wider population to accept this. The erosion was helped along by the business and application interdependencies that bring vendors, contractors, distributors and applications into your enterprise, as well as by the emergence of cloud and cloud-like provisioning used by DevOps. Relying on true perimeters as a main method of prevention is no longer viable.

It was this reality that spurred the creation of Forrester’s Zero Trust model almost a decade ago. The basic premise is that no person or device is automatically given access or trusted without verification. In theory, this is simple. In practice, however, especially in data centers that have become increasingly hybrid and complex, it can get complicated fast.

Visibility is Foundational for Zero Trust

A cornerstone of Zero Trust is to ‘assume breach’: any enterprise should assume that an attacker is already past the perimeter. That could be through stolen credentials, a phishing scam, basic hygiene failures such as weak passwords, poor account control or an irregular patching regimen, an IoT or third-party device, a brute-force attack, or any of the countless other vectors that today’s dynamic data centers expose.

Protecting your digital crown jewels through this complex landscape is getting increasingly tough. From isolating sensitive data for compliance or customer security, to protecting the critical assets that your operation relies on to run smoothly, you need to be able to visualize, segment and enforce rules to create an air-tight path for communications through your ecosystem.

As John Kindervag, the creator of Zero Trust, put it, removing “the Soft Chewy Center” and moving towards a Zero Trust environment starts with visibility. Without an accurate, real-time and historical map of your entire infrastructure, including on-premises and both public and private clouds, you cannot be sure that you have no gaps or blind spots. As Forrester analyst Chase Cunningham writes in the ZTX Ecosystem Strategic Plan, “Visibility is the key in defending any valuable asset. You can’t protect the invisible. The more visibility you have into your network across your business ecosystem, the better chance you have to quickly detect the tell-tale signs of a breach in progress and to stop it.”

What Should Enterprises Be Seeing to Enable a Zero Trust Model?

Visibility itself is a broad term. Here are some practical necessities that are the building blocks of Zero Trust and that your map should include.

  • Automated logging and monitoring: With an automated map of your whole infrastructure that updates without the need for manual support, your business has an always-accurate visualization of your data center. When something changes unexpectedly, this is immediately visible.
  • Classification of critical assets and data: Your stakeholders need to be able to read what they can see. Labeling and classification are therefore an integral element of visibility. Flexible labeling and grouping of assets streamlines visibility, and later, policy creation.
  • Relationships and dependencies: The best illustration of the relationships and dependencies of assets, applications and flows will give insight all the way down to process level.
  • Context: This starts with historical data as well as real-time, so that enterprises can establish baselines to use for smart policy creation. Your context can be enhanced with orchestration metadata from the cloud or third-party APIs, imported automatically to give more understanding to what you’re visualizing.

Next Step… Segmentation!

Identifying all resources across all environments is just step one, but it’s an essential first step for a successful approach to establishing a Zero Trust model. Without visibility into users, their devices, workloads across all environments, applications, and data itself, moving onto segmentation is like grasping in the dark.

In contrast, with visibility at the start, it’s intuitive to sit down and identify your enterprise’s most critical assets, decide on your unique access permissions and grouping strategy for resources, and to make intelligent and dynamic modifications to policy at the speed of change.
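The four building blocks above and the step into segmentation can be shown end to end. The following is an added example (not Guardicore code) with constructed orchestration metadata and flow records: it labels each asset, builds a process-level dependency map from historical flows, derives an allow-list policy from that baseline, and then flags new flows that fall outside the baseline, involve an unknown asset, or cross an environment boundary.

```python
"""Build a labelled dependency map from flow records, derive a baseline and an
allow-list policy from it, and flag flows that fall outside the baseline.

Added example, not code from the page or from Guardicore. The asset metadata
and flow records are constructed; in practice they come from your
orchestration platform and from host or network flow telemetry.
"""
from collections import Counter

# Orchestration metadata (constructed): ip -> labels. Labels, not IPs, are the
# unit of policy, so a new instance of a tier inherits that tier's rules.
ASSETS = {
    "10.0.1.10": {"name": "web-01", "env": "prod", "app": "shop", "tier": "web"},
    "10.0.1.11": {"name": "web-02", "env": "prod", "app": "shop", "tier": "web"},
    "10.0.2.10": {"name": "api-01", "env": "prod", "app": "shop", "tier": "app"},
    "10.0.3.10": {"name": "db-01", "env": "prod", "app": "shop", "tier": "db", "crown_jewel": True},
    "10.0.9.5": {"name": "jump-01", "env": "prod", "app": "ops", "tier": "bastion"},
    "10.0.4.20": {"name": "dev-box", "env": "dev", "app": "shop", "tier": "app"},
}

# Flow records (constructed): (timestamp, src_ip, dst_ip, dst_port, proto, listening process)
FLOWS = [
    ("2020-01-06T09:00:00", "10.0.1.10", "10.0.2.10", 8080, "tcp", "java"),
    ("2020-01-06T09:00:05", "10.0.1.11", "10.0.2.10", 8080, "tcp", "java"),
    ("2020-01-06T09:00:09", "10.0.2.10", "10.0.3.10", 5432, "tcp", "postgres"),
    ("2020-01-07T14:12:00", "10.0.9.5", "10.0.2.10", 22, "tcp", "sshd"),
    ("2020-01-08T14:15:00", "10.0.9.5", "10.0.3.10", 22, "tcp", "sshd"),
    ("2020-01-10T09:00:00", "10.0.1.10", "10.0.2.10", 8080, "tcp", "java"),
    # after the baseline cutoff
    ("2020-01-13T10:00:00", "10.0.1.11", "10.0.2.10", 8080, "tcp", "java"),
    ("2020-01-13T10:05:00", "10.0.1.10", "10.0.3.10", 5432, "tcp", "postgres"),
    ("2020-01-13T10:06:00", "10.0.4.20", "10.0.3.10", 5432, "tcp", "postgres"),
    ("2020-01-13T10:07:00", "192.168.50.7", "10.0.2.10", 8080, "tcp", "java"),
]

def label(ip):
    """Classify an IP by its orchestration labels; an unknown IP is a blind spot."""
    a = ASSETS.get(ip)
    return (a["env"], a["app"], a["tier"]) if a else ("unknown", ip, "unknown")

def edge(flow):
    """A dependency at label granularity, down to the listening process."""
    _ts, src, dst, port, proto, proc = flow
    return (label(src), label(dst), port, proto, proc)

def build_baseline(flows, cutoff):
    """Dependency map from history: edge -> count. ISO timestamps compare as strings."""
    return Counter(edge(f) for f in flows if f[0] < cutoff)

def derive_policy(baseline):
    """Least-privilege allow-list: exactly the edges observed in the baseline."""
    return [{"from": s, "to": d, "port": p, "proto": pr, "process": proc}
            for (s, d, p, pr, proc) in sorted(baseline)]

def evaluate(flows, baseline, cutoff):
    """Findings for flows at or after the cutoff that the baseline does not explain."""
    findings = []
    for f in flows:
        if f[0] < cutoff:
            continue
        src, dst, port, proto, proc = edge(f)
        if src[0] == "unknown" or dst[0] == "unknown":
            findings.append({"kind": "unknown_asset", "severity": "high", "flow": f})
        elif (src, dst, port, proto, proc) not in baseline:
            crown = ASSETS[f[2]].get("crown_jewel", False)
            severity = "critical" if crown or src[0] != dst[0] else "medium"
            findings.append({"kind": "new_flow", "severity": severity, "flow": f,
                             "detail": f"{src} -> {dst} {proto}/{port} ({proc})"})
    return findings

if __name__ == "__main__":
    cutoff = "2020-01-13"
    baseline = build_baseline(FLOWS, cutoff)
    for rule in derive_policy(baseline):
        print("allow", rule["from"], "->", rule["to"], f"{rule['proto']}/{rule['port']}", rule["process"])
    for finding in evaluate(FLOWS, baseline, cutoff):
        print(finding["severity"].upper(), finding["kind"], finding.get("detail", finding["flow"]))
```

With the sample data the baseline collapses six flows into four label-level dependencies, which become the four allow rules. Of the four flows after the cutoff, the web-to-api call is already in the map and is silent; the web tier talking straight to the database and a dev host reaching the production database are new edges against a crown jewel and come out critical; the 192.168.50.7 source is not in the asset inventory at all, which is the blind spot the visibility step is meant to eliminate before policy is enforced.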

Want to read more about visibility and Zero Trust? Get our white paper about how to move toward a Zero Trust framework faster.

Read More

Guardicore Infection Monkey for Zero Trust

Guardicore Labs provided assistance in a ransomware investigation. We analysed the decryption process of the IEncrypt ransomware and provided a safe-to-use version of the attackers’ decryptor.

Guardicore’s Infection Monkey Becomes the Industry’s First Zero Trust Assessment Tool

Open Source Infection Monkey Provides Enterprise Leaders the Ability to Examine Adherence to Zero Trust Security Posture and Prescribe Recommendations for Faster Zero Trust Adoption

Boston, Mass. and Tel Aviv, Israel – September 12, 2019 – Guardicore, a leader in internal data center and cloud security, today unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool. Added features extend the functionality of the already successful Infection Monkey, a free, open source breach and attack simulation tool used by thousands to demonstrate and analyze their environments against lateral movement and attacks. The latest version of Infection Monkey enables both enterprise security leaders and network engineers to determine how their environments perform against a Zero Trust security posture on their path to overall Zero Trust adoption. Infection Monkey now provides security and network infrastructure teams the ability to easily and accurately examine an enterprise’s adherence to key components of the Zero Trust framework as established by Forrester with detailed explanations of security gaps and prescriptive instructions on how to rectify them. Guardicore will preview the Zero Trust capabilities of Infection Monkey with attendees of the Forrester Security & Risk Forum in National Harbor, MD this week.

“A concept first developed by Forrester Research nearly a decade ago, the Zero Trust approach to information security is gaining momentum and driving strategic technical alignment and implementations toward a process focused on building security from the inside out,” said Pavel Gurvich, Co-founder and CEO, Guardicore. “Yet many organizations are still unsure of how to move from theory to deployment and apply the principles of Zero Trust in their environment. Infection Monkey is the first tool of its kind that allows organizations to safely and easily test their environment’s Zero Trust posture and generate specific recommendations to accelerate and enhance Zero Trust adoption and ensure continued adherence.”

Infection Monkey with Zero Trust Assessment

Infection Monkey enables cybersecurity and infrastructure architects to operationalize Zero Trust by accurately examining an enterprise’s adherence to the pillars of Zero Trust, including detailed explanations of where the enterprise falls short, and instructions on how to address these shortcomings. Easy to deploy and run, Infection Monkey tests implementation of the Zero Trust framework by attempting to communicate with machines residing in different segments of the enterprise network, demonstrating policy violations, and generating test results with actionable recommendations for remediation. With prescriptive reporting that can be easily implemented without any additional staff or education, Infection Monkey offers security leaders the ability to illustrate enterprise Zero Trust posture against the Forrester framework with an easy to understand red, yellow, green color scheme. Like previous versions of Infection Monkey, the latest version runs on bare metal, VMware, other hypervisors, AWS, Azure, Google, and private clouds.

Availability & Contributions

Developed by Guardicore Labs, Infection Monkey is an open source breach and attack simulation tool for securely and automatically testing the resiliency of private and public cloud environments. Guardicore Infection Monkey source code is currently available from the GitHub repository. Added capabilities for Zero Trust assessment and deployments for the AWS Marketplace, Microsoft Azure Marketplace and Google Cloud Platform Marketplace will be available for download at the end of the quarter. Infection Monkey is available for Linux, Windows, AWS, Azure, Google Cloud Platform, VMware and Docker environments. For questions, suggestions and guidance join the Infection Monkey community.

Infection Monkey is open source, developed on GitHub under the GPLv3 license. 

Guardicore Labs

Guardicore Labs is a global research team, consisting of hackers, cybersecurity researchers and industry experts. Its mission is to deliver cutting-edge cyber security research, lead and participate in academic research and provide analysis, insights and response methodologies to the latest cyber threats. Guardicore Labs helps Guardicore customers and the security community to continually enhance their security posture and protect critical business applications and infrastructure.

Creators of Infection Monkey, a popular open-source network resiliency test tool, Guardicore Labs’ high-profile threat discoveries include the Nansh0u advanced crypto-mining attack, the Hexmen multiple attack campaigns targeting database services, the Bondnet botnet used to mine different cryptocurrencies, and a privilege escalation vulnerability in VMware. Guardicore Labs also hosts Cyber Threat Intelligence (CTI), a freely available threat intelligence portal to assist security teams in identifying and investigating malicious IP addresses and domains in data centers. To learn more visit Guardicore Labs.

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Moving Zero Trust from a Concept to a Reality

Most people understand the reasoning behind a zero trust model. Historically, a network perimeter was considered sufficient to keep attacks at bay; today this is not the case. Zero trust security means that no one is trusted by default, whether inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. This added layer of security has proven far more effective at preventing breaches.

But how can organizations move from a concept into implementation? Tools built on 15-20 year old technologies are not adequate for the job.

There is a growing demand for IT resources that can be accessed in a location-agnostic way, and cloud services are being used more widely than ever. These facts, on top of businesses embracing broader use of distributed application architectures, mean that neither the traditional firewall nor the Next Generation Firewall is effective for risk reduction any more.

The other factor to consider is that new malware and attack vectors are discovered every day, and businesses have no idea where the next threat might come from. It’s more important than ever to use micro-segmentation and micro-perimeters to limit the fallout of a cyber attack.

How does applying the best practices of zero trust combat these issues?

Simply put, implementing the zero trust model creates and enforces small segments of control around sensitive data and applications, increasing your data security overall. Businesses can use zero trust to monitor all network traffic for malicious activity or unauthorized access, limiting the risk of lateral movement and privilege escalation and improving breach detection and incident response. As Forrester Research, who originally introduced the concept, explain, with zero trust the network policy can be managed from one central console through automation.

The Guardicore principles of zero trust

At Guardicore, we support IT teams in implementing zero trust with four high-level principles. Together, they create an environment in which you are best placed to gain the benefits of zero trust.

  • A least privilege access strategy: Access permissions are assigned only on the basis of a well-defined need. ‘Never trust, always verify’. This doesn’t stop at users alone: we also include applications, and even the data itself, with continuous review of the need for access. Group permissions help make this seamless, and individual assets or elements can then be removed from each group as necessary.
  • Secure access to all resources: This holds no matter where the resource is or who the user is. Authentication requirements are the same inside and outside the local area network; for example, being on the VPN does not by itself grant access to services that are reachable from the LAN.
  • Access control at all levels: Both the network itself and each resource or application require multi-factor authentication.
  • Audit everything: Rather than simply collecting data, we review all the logs that are collected, using automation to generate alerts where necessary. These bots perform multiple actions, such as our ‘nightwatch bot’, which phones the right member of staff in an emergency.

However, knowing these best principles and understanding the benefits behind zero trust is not the same as being able to implement securely and with the right amount of flexibility and control.

Many companies fall at the first hurdle, unsure how to gain full visibility of their ecosystem. Without this, it is impossible to define policy clearly, set up the correct alerts so that business can run as usual, or stay on top of costs. If your business does not have the right guidance or skill-sets, the zero trust model becomes a ‘nice to have’ in theory but not something that can be achieved in practice.

It all starts with the map

With a zero trust model that starts with deep visibility, you can automatically identify all resources across all environments, at both the application and network level. At this point, you can work out what you need to enforce, turning to technology once you know what you’re looking to build as a strategy for your business. Other solutions will start with their capabilities, using these to suggest enforcement, which is the opposite of what you need, and can leave gaps where you need policy the most.

It’s important to ensure that you have a method in place for classification so that stakeholders can understand what they are looking at on your map. We bring in data from third-party orchestration, using automation to create a highly accessible map that is simple to visualize across both technical and business teams. With a context-rich map, you can generate intelligence on malicious activity even at the application layer, and tightly enforce policy without worrying about the impact on business as usual.

With these best practices in mind, and a map as your foundation – your business can achieve the goals of zero trust, enforcing control around sensitive data and apps, finding malicious activity in network traffic, and centrally managing network policy with automation.

Want to better understand how to implement segmentation for securing modern data centers to work towards a zero trust model?

Download our white paper