Critical Vulnerabilities - What's your approach?
William Morrish
Continuous offensive security - Breaking into the world's most progressive enterprises. Every day.
How does your team deal with critical vulnerabilities? For Alert Logic it's all part of the day job. Here's a great example of how we responded to the latest Microsoft vulnerability (https://www.theregister.co.uk/2020/03/12/smb_patch_microsoft/).
What happened?
During the March 'Patch Tuesday' updates, Microsoft accidentally leaked information about a critical remote code execution vulnerability (CVE-2020-0796) in Windows 10 and Windows Server (v1903/v1909). It is another "WannaCry"-style bug: exploitable over the network without any authentication. BIG Deal!
How did Microsoft react?
Given the critical nature of the vulnerability, Microsoft got into out-of-band patching mode and released a patch on March 12th 2020 (afternoon US Time).
Alert Logic Threat Intelligence Into Action
As soon as the news of the leak came out, our team started work on two parallel tracks:
- Scanner Detection Check: to ensure we can scan for any and all vulnerable systems across our customer base and inform them of the issue and any workarounds.
- Network IDS Signatures: to detect active exploitation on the network.
However, before IDS signatures could be written, the team first had to establish the technical details of the vulnerability, i.e. reverse engineer them from the patch.
When there is scant public technical information on a Windows vulnerability, security researchers dig into the bits and bytes of the Windows patches themselves; this is where our experts come into play.
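As an added illustration of the first track (not Alert Logic's scanner code), this PowerShell check assesses a single host's exposure to CVE-2020-0796. It assumes the affected releases are the 1903/1909 builds named above, that the workaround being checked is Microsoft's published "disable SMBv3 compression" registry value, and that the patch KB id is a placeholder to be filled in from Microsoft's advisory.

```powershell
# Added example, not Alert Logic's scanner: host-side exposure check for CVE-2020-0796.
# Assumptions: affected releases 1903/1909 (from the post); the workaround tested is the
# Microsoft-published DisableCompression value for the SMB server; $PatchKb is a placeholder.
param(
    [string]$PatchKb = 'KB<fill-from-advisory>'   # placeholder, not taken from the post
)

$affectedReleases = @('1903', '1909')
$ntKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# OS release (e.g. "1903") and build number of this host.
$release = (Get-ItemProperty -Path $ntKey -Name ReleaseId -ErrorAction SilentlyContinue).ReleaseId
$build   = (Get-ItemProperty -Path $ntKey -Name CurrentBuild).CurrentBuild
$affected = $affectedReleases -contains $release

# Workaround state: DisableCompression = 1 turns off the SMBv3 compression path.
$comp = Get-ItemProperty -Path $srvKey -Name DisableCompression -ErrorAction SilentlyContinue
$workaroundApplied = ($null -ne $comp) -and ($comp.DisableCompression -eq 1)

# Patch state: true only when the out-of-band update is installed.
$patched = $null -ne (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

# Network reachability: is the SMB server actually listening on TCP 445?
$smbListening = $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# Exposed = affected release, SMB reachable, and neither patched nor mitigated.
$exposed = $affected -and $smbListening -and -not $patched -and -not $workaroundApplied

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    ReleaseId         = $release
    Build             = $build
    AffectedRelease   = $affected
    Patched           = $patched
    WorkaroundApplied = $workaroundApplied
    SmbListening      = $smbListening
    Exposed           = $exposed
} | Format-List
```

Run it with elevated rights on each candidate host; an `Exposed = True` row is the case the scanner track above is meant to surface to the customer.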
What is Reverse Engineering?
This is one of the more complex areas of cybersecurity, and one that requires real expertise and regular practice. Reverse engineers take Windows patches or malware binaries apart and analyze what a piece of compiled code does. In this case, our team examined the Microsoft patch in detail to find out what had changed, mapped that information to how the vulnerability would be exploited on the network, and proposed IDS Telemetry Signatures for network detection.
We have updated our Network IDS signatures across our customers globally, and our Threat Intelligence teams and SOC are now monitoring for any active exploitation attempts across customers via our internal Threat Hunting portal.
Alert Logic Next Steps
Given the danger of this vulnerability, we are actively informing every customer that has it, and any customer attacked via this route will be called by our 24/7 SOC under our 15 minute SLA.
It’s great to be part of a global team that works tirelessly to secure our customers.
4 years
Rohit Dhamankar - Massive thanks to your team!