Merlin Labs Memo -- Week of January 1-5
Merlin Cyber
Merlin is your trusted source for best-in-class, innovative and emerging cyber solutions for the U.S. public sector.
Microsegmentation: An Effective Defense Against Ransomware Attacks
Ransomware attacks have grown substantially, doubling from 43 in 2021 to 86 in 2023, underscoring the critical need for robust defenses. Notably, microsegmentation is emerging as a leading method to counter these threats, as evidenced by a study where 93% of respondents identified it as a crucial element in their cybersecurity strategy.
Microsegmentation, extending from the physical layer to the application level, is pivotal in safeguarding critical assets by restricting communication across unnecessary or potentially hazardous ports and protocols. Organizations with a segmented approach recover from attacks in as little as 4 hours, compared to the 15 hours required for those with a flat network.
While recognizing microsegmentation as a vital initiative, many organizations grapple with challenges such as the initial skills gap, performance concerns, and compliance implications. In the public sector, additional hurdles like budget constraints and legacy infrastructure hinder adoption despite its potential benefits.
Our Take: Microsegmentation should be a cornerstone of any robust Zero Trust Network Access (ZTNA) architecture, prioritizing its implementation across all organizations to fortify their networks and platforms for employees and customers. In collaboration with the Advanced Technology Academic Research Center (ATARC) Zero Trust Working Group, Merlin Labs successfully utilized Illumio, a microsegmentation solution, across various use cases. The implementation was straightforward, and rule creation was even simpler. Following initial configuration, the tool monitors traffic, reports findings, and enforces rules while blocking additional traffic. Although there might be a learning curve, individuals familiar with reading firewall rules can quickly adapt. Given the persistent threat landscape in both traditional and cloud networks, taking the time to minimize lateral movement and protect critical infrastructure is paramount. – Daniel McGregor
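To make the monitor-then-enforce rollout above concrete, here is an added example (not Illumio's or Merlin Labs' code) of a toy label-based segmentation policy engine: workloads carry role and environment labels, each rule permits one port/protocol from one role to another, everything unmatched is denied by default, and the same constructed flows are evaluated first in monitor mode (report only) and then in enforce mode. All workload names, labels, ports and flows are constructed for the example.

```python
# Added example (not Illumio's or Merlin's code): a toy label-based
# microsegmentation policy engine. Workloads carry role/env labels, a rule
# allows one port/protocol from one role to another, and anything unmatched
# is denied by default. "monitor" mode only reports what would be blocked;
# "enforce" mode blocks it, mirroring the monitor-then-enforce rollout.
from collections import namedtuple

Workload = namedtuple("Workload", "name role env")
Rule = namedtuple("Rule", "src_role dst_role env port proto")
Flow = namedtuple("Flow", "src dst port proto")

# Constructed inventory: a three-tier app plus a corp workstation.
WORKLOADS = {w.name: w for w in [
    Workload("web1", "web", "prod"), Workload("app1", "app", "prod"),
    Workload("db1", "db", "prod"), Workload("ws7", "workstation", "corp")]}

# Allow-list: only the expected tier-to-tier paths on the expected ports.
RULES = [Rule("web", "app", "prod", 8443, "tcp"),
         Rule("app", "db", "prod", 5432, "tcp")]

def is_allowed(flow):
    """Default deny: a flow passes only if a rule matches roles, env, port and proto."""
    s, d = WORKLOADS[flow.src], WORKLOADS[flow.dst]
    return any(r.src_role == s.role and r.dst_role == d.role
               and r.env == s.env == d.env
               and r.port == flow.port and r.proto == flow.proto
               for r in RULES)

def evaluate(flows, mode="monitor"):
    """Verdict per flow: 'allow', 'block' (enforce) or 'would-block' (monitor)."""
    verdicts = []
    for f in flows:
        if is_allowed(f):
            verdicts.append("allow")
        else:
            verdicts.append("block" if mode == "enforce" else "would-block")
    return verdicts

# Constructed flows: two legitimate tier hops plus two lateral moves a flat
# network would permit (workstation -> DB on 5432, web -> DB over SMB/445).
SAMPLE_FLOWS = [Flow("web1", "app1", 8443, "tcp"), Flow("app1", "db1", 5432, "tcp"),
                Flow("ws7", "db1", 5432, "tcp"), Flow("web1", "db1", 445, "tcp")]

if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(mode, list(zip(evaluate(SAMPLE_FLOWS, mode), SAMPLE_FLOWS)))
```

Running in monitor mode first surfaces the two cross-tier flows as "would-block" so the rule set can be tuned before enforce mode actually drops them.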
Additional Reading:
Backdoors and Our Devices?
Security headlines this week had much to do with Kaspersky’s report on how four iPhone zero-day exploits were used to attack devices owned by Kaspersky employees, among others. The details of the attack are intriguing and linked below in “More Reading”, but they also raise a larger question: which hardware vendors don’t have backdoors like these in their products?
Our Take: To answer that question, we need to understand the history of cybersecurity. Prior to the start of World War One, the global telecommunications network everyone relied upon was the telegraph system. As the conflict between Austria-Hungary and Serbia opened up into a wider war that involved the British Empire, one of the first moves the British made was to sever the direct telegraph connection between Germany and the rest of the world. The British then followed up by placing intelligence staff in telegraph offices with orders regarding which messages to track and/or read. Big Brother existed well before Orwell coined the term in his 1948 novel, 1984.
Since 1914, national intelligence organizations have placed a high priority on being able to leverage their nations’ access to telecommunications networks in order to gain information on their rivals, both current and potential. What nations do with that access is primarily to observe and collect data. That much is evident in this attack on Kaspersky, which did not detonate ransomware or other criminal malware on compromised iPhones. The act of attacking exposes the compromise, which would lead to its being shut down as a conduit of information. Once a line of information is detected as being compromised, then the attackers will move on to other existing information-gathering tools and develop new ones.
So the short of it is that nobody need panic and trade in their iPhones for other devices. It’s likely that there are other zero-days some national intelligence organization is using to target those other devices. Where an agency has a strong physical presence, it’s more likely for it to use that presence to leverage backdoor creation. That’s why the US Government is hesitant about using Chinese hardware… and why the Chinese government would like to no longer see US-made gear in their borders.
These kinds of attacks are difficult to detect because they use zero-day exploits to get into their targets, and a mission that does little more than gather information is as quiet as a mission gets. This is why we benefit from a zero-trust security framework that assumes all devices are compromised and still works to protect information and business functionality. – Dean Webb
Additional Reading:
Kyivstar Cyberattack Aftermath – Lessons Learned
On 12 December 2023, Russia-based attackers brought down significant portions of the Kyivstar telecoms network, including mass deletion of virtual servers. Kyivstar and Ukrainian cybersecurity officials have disclosed that it is possible the attackers were in the network for perhaps as much as a year. According to Kyivstar’s website, most of their services are restored, but they are still working on restoring minor features, such as games and personalized product offers.
Our Take: While thriller novels, post-apocalyptic movies, and conspiracy nuts like to talk about a massive cyberattack crippling a nation or even the entire world, what we’ve seen thus far in the current war in Ukraine is that cyberattacks have yet to bring a nation to its knees. What can we learn from the last two years?
The first lesson is that cyberattacks are difficult to coordinate with major operations after the initial hostilities. The 12 December attack that crippled Kyivstar happened in a vacuum, militarily speaking. There was no coordinated attack on civilian centers, which would not have been able to receive advance notifications of attacks with the SMS network offline. The attack was a one-off, not even timed with attacks on other infrastructure targets. As such, it was essentially the same thing that happens when an engineer botches an update and brings down production. These things happen, but they don’t end the world.
The lack of military coordination likely has something to do with lesson two: keeping the military on separate, hardened communications networks is a Good Thing. Had the Russian military attempted to exploit the Kyivstar outage, the Ukrainian defense forces were ready to deal with attackers on their own terms, as their communications networks were intact.
The third lesson is that cyberdefense works. That’s why attackers couldn’t go after other targets simultaneously: they simply weren’t able to. Kyivstar was likely compromised via a leaked or stolen credential. Other potential targets didn’t have that problem, so they weren’t taken down. Good cyberdefense means that cyberattacks happen on an ad hoc basis and depend upon scarce opportunities to bring about results such as this attack.
The final lesson, and perhaps most important, is that the Hollywood Hacker that takes all of 37 seconds from launching an attack to bringing it off is non-existent. The Kyivstar attackers were in the network for an extended period of time, likely gathering information. This goes back to the third lesson, in that if we are continuing to improve our cyber defense, we either force attackers out of our systems or force their hands to destroy things on their way out, both out of spite as well as to cover their tracks. Cyberwar is a patient, long-game sort of thing that rewards persistence, planning, and attention to detail, both for attackers and defenders. – Dean Webb
Additional Reading:
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!