Merlin Labs Memo: Lateral Movement is Increasingly Happening in the Cloud -- What Are We Doing About It?
Merlin Cyber
Merlin is your trusted source for best-in-class and innovative and emerging cyber solutions for the U.S. public sector.
Cisco Confirms Breach
A Cisco employee’s Google account was compromised by an attacker who used a cached password to connect to Cisco’s VPN. The attacker then contacted the employee via the phone in order to convince the employee to grant MFA access for the attacker's connection to the VPN to succeed.
Our Take: We’re starting to see more stories like this, where attackers gain partial access via a compromised, synced account, and then voice phishing to get MFA access. They can also do it with “MFA Fatigue ” attacks, where they generate so many MFA requests in a short time period that the victim accepts the illicit request just to get their phone to stop blowing up. We need to add language to the now-standard help desk disclaimer that they’ll never ask a user to accept an MFA validation of a logon or that they’ll never require a user’s MFA to grant them access. -- Dean Webb
Additional Reading:
Virtualization and Cloud IT Leads to Unique Lateral Movement Vulnerabilities
“The majority of incident response professionals surveyed for VMware's [2022] 'Global Incident Response Threat Report' observed lateral movement in at least some attacks in the past year.” Released during?Black Hat 2022 , the report also covers topics such as ransomware attacks which impacted 57% of respondents last year, deep fakes ?which are used to bolster social engineering activities, and other emerging attack vectors. -- Via Tech Target
Our Take: Lateral movement as a part of attackers’ kill chain tactics, techniques, and procedures (TTPs) is not a new concept. And whether the lateral movement involves a single node from which the attacker accesses multiple other nodes or involves movement from node to node to node in an island-hopping fashion, it’s happening all too often on too many systems.
The explosion of cloud computing has ramped up virtualization and containerization. Virtualized hosts, API-based integrations required for orchestration and automation, and container-based architectures often mean traditional network devices like routers and switches have no insight into significant amounts of traffic. That means they have no ability to monitor and analyze that traffic to identify malicious activity, paving the way for undetected lateral movement. Such internal node-to-node transactions are often overlooked by security controls, and worse yet, may be enabled through unencrypted credentials and secrets stored in code.
I can’t imagine a better story that highlights the importance of employing zero trust architecture (ZTA) principles as an approach to modern-day IT system design. Applying zero trust to users, devices, networks, infrastructure, applications, data, visibility and analytics features, and orchestration and automation activities needs to become the new normal. This means access in any IT system should be limited to only the actors that need that access, when they need that access, and only for the purposes of that access. These least privilege constructs and encryption must be implemented throughout the nodes within a system - and are no longer adequate at just the perimeter. -- Sarah Hensley
Additional Reading:
Are Bug Bounty Programs Effective At Closing Security Holes??
The Department of Homeland Security's is preparing for the second phase of its "Hack DHS " bug bounty program by issuing a new contract request that is "geared toward companies that can conduct crowdsourced events and competitions for vetted security researchers, to help bolster DHS’ cyber resilience." -- Via Nextgov ?
Our Take: Bug bounty programs are more mainstream and popular than ever, as evidenced by DHS' solicitation for phase two of Hack DHS (the program was established as required by law under the?SECURE Technology Act in 2018).?Bug bounty programs are especially popular with big-name technology firms like Google, who paid out a record $8.7 million to bug hunters in 2021 alone.?Zoom paid out more than $1.8 million in bug bounties in 2021, quadruple the previous year.?Search the internet for bug bounty programs and you might be surprised at the number of results.?For example, Guru99 maintains an updated list of the top bug bounty programs and websites.?
领英推荐
Companies see bug bounties as a way to supplement their in-house security programs to find more vulnerabilities, reduce risk, and ultimately lower the cost of identifying them.?While large technology companies are finding success with bug bounties as evidenced by the continued increase in funding, these programs are not a panacea for all companies.?Many organizations may start out strong with their bug-bounty programs but "at about the 18-month to two-year mark they start to collapse under their own weight," according to Katie Moussouris , Founder and CEO of Luta Security.?Companies that are not properly prepared can be quickly overwhelmed by the sheer volume of bugs reported by bounty hunters.??This is usually the result of inadequate internal processes for security vulnerability testing and software applications that go to testing riddled with basic security flaws.??
Companies would be wise to mature their underlying cybersecurity program's practices, including asset visibility, vulnerability management, developer training, etc.?Ultimately, Moussouris believes a bug-bounty program shouldn't just highlight the low-hanging fruit that can be discovered from traditional application security practices, but also provide incentives for surfacing the complex, hard-to-find, and harder-to-exploit flaws.?-- Joe DiMarcantonio, PMP
Sources:
Who Pays? Most Businesses Lack Ransomware Insurance
In a recent survey from BlackBerry and Corvus, more than one-third of 450 IT decision makers stated their organization does not have coverage for ransomware demands. About 59% of the respondents hoped that the U.S. Government would cover ransomware damages from nation-state attackers and more than half hoped the government would increase its financial aid for all ransomware incidents.
More than a third of the respondents indicated they could not get cyber insurance due to shortfalls in endpoint detection and response (EDR) requirements. Of those who did have cyber insurance, 43% were not covered for outside costs such as employee downtime or court fees.
Our Take: It all starts with EDR. If an organization can use security tools to get EDR installed on its endpoints, it’s well on its way to being insurable because it’s also better-defended. As we look more into supply chain security, we’ll see firms providing primary or intermediate assembly unable to get cyber insurance on the outs when it comes to contract renewal with the final assembly giants. It all starts with EDR… -- Dean Webb
Additional Reading:
Text or SMS-based 2FA At 20% Risk Based on the Number of Compromised Databases For Sale on the Dark Web
The simplest form of two-factor authentication has long been the SMS password (receiving a text message with a one-time code). If bad actors obtain the necessary information to place themselves between the communication of a device and server, they can execute an adversary-in-the-middle (AiTM) attack and intercept the one-time passcode. The compromised databases found for sale on the dark web contain phone numbers, users’ names, email addresses, and passwords which give attackers the ability to execute “smishing ” and AiTM attacks.
Our Take: Continuing to educate our loved ones, whether young or old, not to click anything and not trust anything is our due diligence. But to protect and prevent in today’s game of chess with bad actors, our society needs to adopt a phishing-resistant lifestyle. Fortunately, the federal government already outlines this guidance via OMB Memo M-22-09 for our federal technology infrastructure's march towards phishing-resistant authentication. -- Tony Ko
Additional Reading:
Readers of our Newsletter:?What’s working, what’s not, and what’s on your mind? Leave a comment below or email?[email protected] . Thank you!