How does @HyTrust #CloudControl provide #defenseindepth to prevent #ransomware on @VMware?


Yesterday we saw a disclosure on the popular site Reddit by an administrator of a thus-far unnamed corporation, describing how their VMware infrastructure was successfully ransomwared.

The culprit system appears to have been an IT jumpbox, which was used 1) to concentrate IT administrative access, and 2) to reach critical and sensitive systems for remote administrative tasks.

For many years, IT admins have been using jumpboxes, aka bastion hosts, to leapfrog from one system to another in order to administer their entire IT environment. It's not a new concept. The challenge we've seen over time, however, is that the jumpbox has become a target for evil perpetrators because of the immense power that can be wielded through it. For instance, one of the commenters said:

So attacker gets into a management server, dumps memory, finds VMware admin creds, and is able to have admin access to vCenter? Is that right? From there, starts powering off VMs and encrypting datastores?

If that's what happened, then I'm not sure how you avoid that by "segregate ESXi management from the VMs."


And there were several other comments regarding incident response rates of similar breaches happening recently as well:

I learned this the hard way about a year ago. Compromised domain admin credentials led to all domain computers connected to the network to have files encrypted by a ransomware attack.

and

I work in Incident Response and recovery and I have witnessed this more and more in the last 6 months. The way this works is, the attacker gets domain level rights, checks the network to see how much they can encrypt and also try the same domain admin creds in vCenter. If they can, they will enable SSH and will return later. They will then encrypt all virtual Windows guest systems, shut them down, then move to VMware and encrypt the datastores, effectively encrypting the environment twice.

These comments are not alone; there are even more in the thread, which I would encourage you to read, covering other threats to be concerned with. What these comments specifically indicate, though, is that 1) there is a rising threat targeting the virtualization layer, and 2) some of the methodologies used for many years need to be rethought, as they no longer provide the protection that administrators once thought they enjoyed.

To that end, I should point out that HyTrust has been around for ~13 years now and was originally founded to solve some very critical security concerns regarding the management of the VMware platform. Defense in depth only protects you to a certain extent, and the typical security tool vendors do not have the expertise in the VMware platform to provide the necessary controls.

Defense in depth inherits much of its MO from the Swiss Cheese Model in risk analysis.


Essentially, you want layers upon layers to work together to make exploitation and exfiltration as difficult as possible.

So if the model above and the graphic at the very top represent the traditional capabilities of security vendors, you can think of the following capabilities of HyTrust as additive to those layers.

  1. Proactive - Centralized authentication (2FA) and authorization to vCenter, NSX, and ESXi hosts, avoiding the need for jump boxes, which can be compromised. **EDIT 2021** - In light of new information from the Reddit post-mortem, I will also call out the need to bifurcate AD with a token system for 2FA. The breach in question, and many since (including SolarWinds), have shown a propensity to attack Active Directory. By using a 2FA system, even if your AD gets breached, you can still be protected against a breach of your hypervisor by using 2FA via HyTrust to ESXi, vCenter, and NSX Manager.
  2. Proactive - HTCC Proxy is application-specific to vCenter, NSX, and ESXi, meaning it doesn't allow for general-purpose applications and removes the ability for an attacker to gain privileged credentials through subsequent attacks. Also, if someone tried to execute a protocol attack against a known/unknown vulnerability in vCenter/NSX/ESXi, HTCC could act as a virtual patch to the back-end protocols and application stack used by the VMware platform. We've also proven to be an integral part of the Cyber Kill Chain.
  3. Proactive - Root password vaulting (RPV): as part of our secrets management in HTKC, ESXi root passwords are vaulted and only allowed to be "checked out" by authorized users through HyTrust's management interface.
  4. Proactive - HTCC Proxy RBAC/ABAC controls: more granular controls on RBAC, tagging of critical assets, and preventing all admin types from damaging critical systems maliciously or inadvertently.
  5. Proactive - HTCC Proxy Secondary Approvals: prevent an admin from using vSphere Encryption or vSAN encryption (or changing existing settings) without an approval chain, thereby protecting vSphere/vSAN from itself.
  6. Proactive - HTCC Configuration Assessment/Remediation: HyTrust can automatically assess and remediate hosts against NIST and other compliance guidelines. This will lock down vulnerable systems with things like SSH enabled, so that an attacker can't get SSH access to open systems in the environment.
  7. Reactive - Logging: attempts to connect to either the HTCC Mgmt UI or any of the systems behind an HTCC proxy would show denial attempts from the originating source.
  8. Reactive - Alerts: would provide an early warning system to security teams that nefarious activity was in process.
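As an added illustration of layers 6 through 8 (not code from HyTrust or from this post), the detector below runs over constructed ESXi-style audit lines and flags two things the incident responder quoted above describes: a host where SSH was enabled and never disabled again, and a source address that repeatedly fails root logins and then succeeds. The line format and the `esx.audit.ssh.*` message shape are assumptions for the sample, not a product log format.

```python
import re
from collections import Counter

# Constructed sample lines, modelled loosely on ESXi vobd/hostd messages; the exact format is assumed.
SAMPLE_LOG = """\
2021-02-01T03:12:44Z esx01 vobd: [esx.audit.ssh.enabled] SSH access has been enabled.
2021-02-01T03:12:50Z esx01 hostd: Rejected password for user root from 10.0.5.23
2021-02-01T03:12:52Z esx01 hostd: Rejected password for user root from 10.0.5.23
2021-02-01T03:12:55Z esx01 hostd: Rejected password for user root from 10.0.5.23
2021-02-01T03:13:01Z esx01 hostd: Accepted password for user root from 10.0.5.23
2021-02-01T03:20:00Z esx02 vobd: [esx.audit.ssh.enabled] SSH access has been enabled.
2021-02-01T03:25:10Z esx02 vobd: [esx.audit.ssh.disabled] SSH access has been disabled.
2021-02-01T09:00:00Z esx03 hostd: Rejected password for user admin from 10.0.9.8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<msg>.*)$")
SSH_RE = re.compile(r"\[esx\.audit\.ssh\.(?P<state>enabled|disabled)\]")
AUTH_RE = re.compile(r"(?P<result>Accepted|Rejected) password for user (?P<user>\S+) from (?P<ip>\S+)")

def parse(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(text, threshold=3):
    """Summarise SSH state per host and rejected/accepted logins per (host, source)."""
    ssh_state = {}      # host -> last seen SSH state ("enabled" / "disabled")
    rejects = Counter() # (host, ip) -> count of rejected logins
    breached = []       # (host, user, ip) accepted after >= threshold rejects
    for rec in parse(text):
        s = SSH_RE.search(rec["msg"])
        if s:
            ssh_state[rec["host"]] = s.group("state")
            continue
        a = AUTH_RE.search(rec["msg"])
        if not a:
            continue
        key = (rec["host"], a.group("ip"))
        if a.group("result") == "Rejected":
            rejects[key] += 1
        elif rejects[key] >= threshold:
            breached.append((rec["host"], a.group("user"), a.group("ip")))
    return {
        "ssh_left_enabled": sorted(h for h, st in ssh_state.items() if st == "enabled"),
        "repeated_rejects": sorted((h, ip, n) for (h, ip), n in rejects.items() if n >= threshold),
        "success_after_rejects": breached,
    }
```

Hosts listed under `ssh_left_enabled` are the ones a configuration remediation pass (layer 6) would need to close, while the other two lists are the alert conditions layers 7 and 8 describe.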

These 8 layers of additional defense-in-depth controls are tailor-made for the VMware platform and have been proven in some of the largest VMware infrastructures in the world with the highest quality security requirements. CISOs and CIOs should seriously examine their own virtual and cloud infrastructures for similar controls and capabilities. When HyTrust did a market analysis a few years ago, we recognized these controls were lacking not only in the VMware native platform, but also across Kubernetes, AWS, Azure, and GCP, to name a few. That's why we've been expanding our capabilities to include these other platforms.

Some of these new platform capabilities will naturally also lend themselves to being valuable on the VMware platform. For instance, K8s support includes the ability to define a Trust Manifest that limits container deployments to private, authorized image repositories only. A natural extension of this would be to build a VMware KMS Trust Manifest that only authorizes HyTrust KeyControl KMS to connect to vCenter for vSphere and vSAN encryption. This would also prevent an attacker from using their own KMS to sabotage the VMware platform from within its own tools.

As you can see from just the little bit of information above, HyTrust has been at this a long time and has built a variety of controls you cannot find elsewhere in the marketplace. The protection we provide could be invaluable in your infrastructure to avoid your own potential ransomware or other catastrophic event.

HyTrust is here to help, and to back that up, we're offering a no-cost assessment scan of your existing VMware environment to help you baseline what you're working with. You can think of this as similar to the Capacity Planning capability that VMware offered in the early days of virtualization, to provide you with data to help make the best decision possible for your organization. Contact us here if interested!

