Category Archives: Opinion

Mean Time to Hardening: The Next-Gen Security Metric falls short in tackling the patching problem

12 January 2020

In report “Mean Time to Hardening: The Next-Gen Security Metric”,(1) published at 12/30/2019 on ThreatPost, Richard Melick proposes a new metric MMTH (Mean time to Hardening) to tackle the patch problem. I like the 24/72 MTTH approach. But when it comes to attacks of APTs on critical infrastructures this approach is from my point of view not effective.

Let me illustrate this with an example. CVE-2017-5638, a remote command execution vulnerability in the Apache Struts framework, was used in the Equifax attack (2) in 2017. In the case of remote command execution vulnerabilities, especially if the systems are operated in the DMZ, the 24/72 MTTH approach is the best strategy to survive. But let us look on the timeline.

NVD Exploit-DB Exploit-DB
CVE-2017-5638 EDB-ID 41570 EDB-ID 41614
Published NDV Published Exploit-DB Published Exploit-DB
3/11/2017 3/7/2017 3/15/2017

Exploit 41570 was published 4 days before the CVE was published. The 24/72 MTTH strategy will fail in this case. Exploit 41614 was published 4 days after the CVE was published, so the 24/72 MTTH strategy is successful.

Figure 1

Figure 1

This is not an isolated case. Between 2013 and 2019 56% of the exploits were published before or at the same day the vulnerability was published in the NVD. For mapping the exploits in the Exploit-DB to the CVEs the NVD reference map for the Exploit-DB (3) is used. Figure 2 shows the details in the range 30 days before and after the CVE publication date.

Figure 2

Figure 2

Figure 3

Figure 3

34% of the exploits for Remote Code/Command Execution (RxE) vulnerabilities like CVE-2017-5638 or CVE-2017-0144 (WannaCry) were published before or at the same day the vulnerability was published. Figure 4 shows the details. RxEs are selected from the NVD as follows: CVSS V2.0: Attack Vector: Network, Attack Complexity: Low + Medium, Authentication: None, Loss of Integrity: Complete, Keywords “remote code execution” or “exec arbitrary”.

Figure 4

Figure 4

So, the 24/72 MMTH approach falls short if the exploit is published before the vulnerability.

Please keep in mind that we only investigated published vulnerabilities and exploits. We can expect, that many yet unpublished, and unused, vulnerabilities exist in the arsenals of the APTs.

In the case of critical infrastructures, we are well advised to invest in solutions which increase the resilience against cyber-attacks. A simple Apparmor profile would probably have prevented the attack on Equifax. Whitelisting solutions should be considered in environments where industrial control systems are operated. This makes the 24/72 MTTH approach to patching not obsolete. We just buy time.

Have a great week.


References

  1. Melick R. Mean Time to Hardening: The Next-Gen Security Metric [Internet]. threatpost. 2019 [cited 2020 Jan 12]. Available from: https://threatpost.com/mean-time-hardening-next-gen-security-metric/151402/
  2. Brook C. Equifax Confirms March Struts Vulnerability Behind Breach [Internet]. threatpost. 2017 [cited 2020 Jan 12]. Available from: https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/
  3. NIST NVD. CVE – CVE Reference Map for Source EXPLOIT-DB [Internet]. [cited 2020 Jan 12]. Available from: https://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html

World Cafe@IMI 2019: No Backup, No Mercy!

24 November 2019

IMI 2019: Presentation DOW Cyber Security Framework

IMI 2019: Presentation DOW Cyber Security Framework

The motto of the IT meets Industry 2019 (IMI) conference in Mannheim was What happens if shit happened. During the World Cafe session, the participants dealt with the following scenario:

  1. The cyber-criminal overcame all hurdles you put in place to protect your production systems from attacks.
  2. The anomaly detection capabilities in place recognized the attack late.
  3. The engineering station (ES) is compromised.
  4. You isolated the engineering station from the network for further analysis.
  5. The good news is that the process control system (PCS) is still operable.
  6. The bad news is that it’s not clear whether the control program in the PCS is also compromised.

You decide to download the control program from the backup into the PCS. This is no uncommon scenario. The Rogue7 (1) attack described at the Black Hat 2019 and Triton (2) work this way. One of the participants put it this way: No Backup, No Mercy! Unfortunately, it’s not that simple.

Where is the current backup stored?

Under normal conditions, the current control program is stored on the engineering station. But this version is not usable because the engineering station is compromised.  If the backup is well organized, a copy of the control program is available from a NAS or a dedicated backup system

Is it really the current version?

This is very important if you want to recover the PCS to the state before the attack happened. Unfortunately, the Recovery Point Objective (RPO) in production is zero. That means, that the latest version of the control program is required for recovery. Older versions require, in the best case, manual reworking, thus a longer downtime and higher financial loss.

Is the PCS restorable from this version and fully operable afterwards?

Have you ever tried a restore test during scheduled maintenance to make sure that the PCS is fully operable after the restore of the control program? Is it clear what is meant by fully operable? Do you have a procedure and check list in place to verify this?

But the worst is yet to come. If you do daily backups there is a small chance that all backup versions are compromised.  In the above scenario, the anomaly detection system detected the attack late. If you keep for instance the latest 10 versions online and the attacker was active for 14 days, then all backups are potentially compromised. So, you must retrieve a backup from a tape library, if any.

Summary

Backup in the age of cyber attacks and ransomware is a hard job, especially in production. Without a strategy and preparation for the worst case a cyber attack may become a financial disaster. The 7 Ps Rule shows the direction in incident response:

Prior Preparation and Planning Prevents Piss Poor Performance!

Want to participate in real peer to peer knowledge exchange and a World Cafe on hot topics? Join the IMI 2020 in Mannheim.

Have a great week.


References

  1. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. PPT: Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs [Internet]. Powerpoint Presentation presented at: Black Hat USA 2019; 2019 Aug 8 [cited 2019 Aug 16]; Mandalay Bay / Las Vegas. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs.pdf
  2. Sobczak B. SECURITY: The inside story of the world’s most dangerous malware [Internet]. 2019 [cited 2019 May 11]. Available from: https://www.eenews.net/stories/1060123327

Application control solutions for protecting critical infrastructures

13 October 2019

Application Control Solutions (ACS) are easy to deploy and manage protective security controls in process automation. From my point of view, they are essential when it comes to critical infrastructures. The major SCADA vendors recommend and certify them for use with their product suites.

Rick Gorskie, Global Sales Manager Cybersecurity at Emerson Automation Solutions, recommends “using both solutions for an effective “one-two” punch against malware infection. Using applications whitelisting to protect from “zero-day” attacks as well as using antivirus blacklisting to scan for malware yields the best result.”(1)

Schneider Electric recommends the application control for their Power SCADA systems: “Power SCADA has been validated with the McAfee Application Control whitelisting application. Power SCADA and McAfee whitelisting can make your system more resilient to zero-day threats.”(2)

In addition to the protection against zero-days, application control allows to reduce the patch frequency and to extent the life of legacy systems.

The ACS kicks in during the exploitation phase of the Cyber Kill Chain. It checks every object at execution time whether it is known in the white list. Since new malware is not on the list, ACS just blocks the execution. This is a plain, but very effective approach.

Cyber Kill Chain - Application Control Solutions

Cyber Kill Chain – Application Control Solutions

This works for file-less malware like Nodersok (3) as well as for file-based malware like Reductor (4) or COMpfun (5). Even crypto worms like WannaCry are blocked.

In the case of COMpfun, for example, two DLLs are loaded into the users AppData directory. Both DLLs are not on the white list, so the execution is blocked although they are defined as COM objects.

Reductor uses two delivery methods, COMpfun and infected software installers. If COMpfun is used for delivery, the ACS blocks the malware.

But if the Reductor is delivered through infected software installers, ACSs will not work because they have their Achilles heels.

ACSs must be suspended during deployment or update of software.

A malware, for example a trojan disguised as part of a software suite, will become a legitimate program after the ACS is enforced again. Thus, the malware will never be blocked because it’s on the white list.

ACSs allow exceptions.

Some SCADA vendors request exceptions for the execution of some of their software tools. If malicious actors exploit these exceptions, they can inject malware outside regular installations.

So, we have a residual risk, depending on the threat actor and the environment.

For non-critical infrastructures, ACSs provides great protection against all threat actors. But in the case of critical infrastructures, APT and, to some extent, cyber criminals have the resources and the know how to exploit the Achilles heels of ACSs.

Additional security controls must be implemented to reduce this risk. Operators and engineering service providers must work together to solve this issue.

This may include an extended integrity check of all software before installation in the SCADA network and the encryption of all media during transport.

By the way, ACSs provide effective protection against zero-days only if they are not suspended. So, it’s a good idea to check regularly if the ACS agents are operated in enforced mode on the systems.

Have a great week.


References

  1. Gorskie R. Should You Be Using Application Whitelisting? [Internet]. Emerson Exchange 365. 2017 [zitiert 22. September 2019]. Verfügbar unter: https://emersonexchange365.com/products/control-safety-systems/f/deltav-discussions-questions/6792/should-you-be-using-application-whitelisting
  2. Schneider Electric. Power SCADA Operation 9.0 System Guide | Schneider Electric [Internet]. 2019 [zitiert 22. September 2019]. Verfügbar unter: https://www.schneider-electric.com/en/download/document/PowerSCADAOperationSystemGuide/
  3. Microsoft. Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware [Internet]. Microsoft Security. 2019 [zitiert 28. September 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
  4. GReAT. COMpfun successor Reductor infects files on the fly to compromise TLS traffic | Securelist [Internet]. Kaspersky Securelist. 2019 [zitiert 12. Oktober 2019]. Verfügbar unter: https://securelist.com/compfun-successor-reductor/93633/
  5. G Data. COM Object hijacking: the discreet way of persistence [Internet]. G Data Blog. 2014 [zitiert 12. Oktober 2019]. Verfügbar unter: https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

How to get the best ROI for investments in cyber security?

28 September 2019

During a workshop this week we had a discussion on risk management and investment in cyber security. Risk is the product of likelihood of occurrence (LoO) and severity of impact (SoI). So, to reduce the risk we can either try to reduce the SoI, or the LoO, or both.

We do risk management because we have limited resources. The big question is always: Where shall I spent my resources?  Or, where can I gain the best ROI? Shall I reduce the likelihood of occurrence or the severity of the impact? Or both?

The Cyber Kill Chain is a great model to study this.

Cyber Kill Chain - Risk Management - Cost

Cyber Kill Chain – Risk Management – Cost

We can reduce the likelihood of occurrence starting during the delivery phase up to the command & control phase. Once the attacker crosses the red line the LoO is 100 %.

The severity of impact can be reduced starting at the midst / end of the exploitation phase. WannaCry, for example, started the encryption immediately during installation of the malware and contacted in parallel its command & control server. Once the attacker crosses the red line, the impact and thus the costs for recovery are high.

The big problem with reducing the likelihood of occurrence is that we have in the best case only some seconds to minutes until the attacker crosses the red line. For efficient use of this time we need to invest in preventive or proactive means.

Cyber security awareness training, for example, is a very efficient preventive measure to reduce the LoO during the delivery and exploitation phase, because the exploitation of about 35% (Data NIST NVD, CVSS V3, UI:R) of vulnerabilities published in 2018 requires user interaction. Priority patching is another preventive measure with can stop an attacker early.

Backup and emergency recovery are great means to reduce the severity of impact. But the latest attack on Norsk Hydro makes clear that, even with the best crisis management, the recovery of some thousand systems from scratch takes some time.

When used in context with the existing security controls, the Cyber Kill Chain provides support in setting priorities in cyber security investment. The Mitre ATT@CK framework, which is based on the Cyber Kill Chain, brings the required methodology in the planning process. Give it a try.

Have a great weekend.

NetCAT – a new side-channel vulnerability. Who should be concerned?

15 September 2019

Swati Khandelwal’s report (1) on NetCAT, published on 9/11/2019 in The Hacker News, scared me somewhat. Security researchers (2) from the Vrije University in Amsterdam discovered a new type of side-channel attack in Intel server processors which can be exploited across the network. This is really frightening.

As always in the case of hardware vulnerabilities, NetCAT is broadly discussed in the security community. A Google search for “CVE-2019-11184” shows 6.340 hits (as of 9/14/2019 8 pm).

CVE-2019-11184 CVSS V3 Specification

CVE-2019-11184: CVSS V3.1 Specification

Intel (3) classified CVE-2019-11184 as follows: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack vector Adjacent is defined in the CVSS V3.1 specification document as follows: “The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.”

With this, the attacker must have compromised the network before he can start the attack. In addition, the attacker must compromise “a machine which communicates over RDMA to an application server that supports DDIO”.(2)

So, NetCAT is not that dangerous than the reports suggest.

What goals can be achieved by exploiting this vulnerability?

In secured networks with latest patches applied, this technique can be used to spy on all kind of secrets, e.g. the passwords of high privileged accounts, for the complete takeover of the network.

What organizations should be concerned?

CVE-2019-11184 Threat Landscape

CVE-2019-11184 Threat Actor Targets

My conclusion: From a technical point of view, NetCAT shows again the shortcomings of the current processor architectures. Regarding the applicability in attacks, NetCAT is somewhat overestimated.

Have a great weekend.


References

  1. Khandelwal S. NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs [Internet]. The Hacker News. 2019 [cited 2019 Sep 12]. Available from: https://thehackernews.com/2019/09/netcat-intel-side-channel.html
  2. Kurth M, Gras B, Andriesse D, Giuffrida C, Bos H, Razavi K. NetCAT: Practical Cache Attacks from the Network. 2019. Available from: https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf
  3. Intel Security Center. INTEL-SA-00290 [Internet]. Intel Security Center. 2019 [cited 2019 Sep 12]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html

Threat Intelligence – What is it good for?

31 August 2019

I attended a virtual summit on threat intelligence this week. I watched two interesting presentations and found that I am still not convinced of the value of threat intelligence.

In vulnerability management for example threat intelligence speeds up decision making. But is speed in the decision-making phase of vulnerability management an issue?

OODA Loop

OODA Loop

When we deal with critical vulnerabilities, e.g. vulnerabilities of the WannyCry Class, speed is crucial. The OODA procedural model is perfectly suited as execution procedure for environments where speed is crucial for survival.

OODA, an acronym for Observe, Orient, Decide, Act, was developed by John Richard Boyd in the 1950’s as survival strategy in aerial combat. Colonel Boyd, one of the most influential military strategists ever, transferred OODA to other domains after he retired from the US Air Force.

The picture below shows the OODA procedural model adapted for vulnerability management.

OODA for Vulnerability Management

OODA for Vulnerability Management

We must decide whether urgent action is required if a new critical vulnerability is published. Data collected from OSINT sources, asset details, and experience in the evaluation of vulnerabilities are required for creating a well-founded decision.

Threat intelligence speeds up the Observe and Orient phase by e.g. providing data on exploits seen in the wild. But threat intelligence will neither replace current asset data, which are crucial for the Orient phase, nor speed up the Act phase, where the affected assets are patched, and their correct operations is verified.

So, if you decide on investing in threat intelligence ask yourself the question: What benefits do I expect to gain from threat intelligence in what use cases? Otherwise, it is very likely that you get disappointed.

Have a good weekend.

New LYCEUM Threat Group targets Oil and Gas firms. Don’t panic! Enforce 2 Step Verification!

29 August 2019

Lindsey O’Donnell’s report (1) on a new APT named LYCEUM is well worth reading.  LYCEUM targets oil and gas firms in the middle east. The group leverages PowerShell once they created a foothold on computers in the victim’s network to exfiltrate company secrets. PowerShell is a good choice because the attackers can go undetected for a long time.

For launching the attack, LYCEUM draws on industry attack standards like password spraying: “LYCEUM initially accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.”(2)

The group aims at company mail accounts hosted by cloud service providers. Why? Credibility matters most in [spear] phishing attacks. A spear phishing email on a popular topic, send from a company account has a very high level of credibility and increases the attack’s probability of success.

This increase in credibility justifies the effort required for collecting email addresses from OSINT sources. Password spraying is then used to get a valid password for login with the victim’s account to the cloud service.

Here, the industry defense standard against password attacks, 2SV (Two Step Verification) or MFA (Multiple Factor Authentication), comes into play.

Yubikey for 2 Step Verification. Own work.

On 27 August, Catalin Cimpanu reported on ZDNet that Microsoft sees 300 million fraudulent sign-in attempts to O365 every day.(3) Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, explained that “enabling a multi-factor authentication solutions blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.“(3)

So, by enforcing 2SV/MFA for login to all company cloud services we can stop all threat actors which use similar password mining technologies, including LYCEUM.

Alastair MacGibbon, National Security Advisor, Australian Cyber Security Center, shows the direction:

“Cyber security is about risk management. You can’t eliminate risk, but you can strengthen your defences to reduce the likelihood of the risk being realised, and the harm caused when it is.”

Let’s get started with 2SV. We have no time to waste.


References

  1. O’Donnell L. New Threat Group Found Targeting Critical Infrastructure Firms With Spear [Internet]. threatpost. 2019 [cited 2019 Aug 27]. Available from: https://threatpost.com/oil-and-gas-firms-targeted-by-new-lyceum-threat-group/147705/
  2. Secureworks Counter Threat Unit. Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign [Internet]. Secureworks. 2019 [cited 2019 Aug 27]. Available from: https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
  3. Cimpanu C. Microsoft: Using multi-factor authentication blocks 99.9% of account hacks [Internet]. ZDNet. [cited 2019 Aug 28]. Available from: https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/