Catalin Cimpanu (1) reports in his post ‘Windows malware opens RDP ports on PCs for future remote access’, published on ZDNet, that the Windows malware Sarwent got an upgrade: it is now capable of using the Windows command line and PowerShell, adding users, and opening ports in the Windows firewall for remote RDP access. Since the latter features require administrative privileges on the victim's machine, it is very likely that the victims worked with permanent administrative privileges.
To mitigate the risk, the best approach is to revoke any administrative privileges from standard users. This will not reduce the likelihood of occurrence, but it will reduce the severity of impact of an infection with Sarwent. Furthermore, since the attacker is then forced to download additional tools to fully compromise the victim's computer, the likelihood of detection increases.
Revoking administrative privileges from standard users is a low-cost, high-impact means of enhancing resilience against cyber-attacks, and thus should be part of every security strategy.
But it is hard to implement. Managers will face lots of discussions if users must give up beloved habits. It is very important to keep the number of exceptions as small as possible because every exception lowers the overall security level of the company.
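As an added defender-side illustration (not code from the ZDNet article or from this blog), the PowerShell audit below enumerates on a single host the traces that the features described above would leave behind: members of the local Administrators group, enabled inbound firewall rules that allow TCP 3389, and recent account creations and local group membership changes in the Security log. It assumes Windows 10 / Server 2016 or later and an elevated session.

```powershell
# Added example: a read-only audit of the three traces the post describes.
# It is not from the ZDNet article or from any Sarwent analysis, and it
# assumes Windows 10 / Server 2016 or later run from an elevated PowerShell.

# 1. Who currently holds administrative privileges? Every standard user that
#    shows up here is a candidate for having the privilege revoked.
Write-Host '== Members of the local Administrators group =='
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Which enabled inbound firewall rules allow TCP 3389 (RDP)? A workstation
#    normally has none enabled; an unexpected one deserves a ticket.
Write-Host '== Enabled inbound firewall rules allowing TCP 3389 =='
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        ($portFilter.Protocol -eq 'TCP' -or $portFilter.Protocol -eq 'Any') -and
        ($portFilter.LocalPort -contains '3389' -or $portFilter.LocalPort -contains 'Any')
    } |
    Select-Object DisplayName, Profile, Group |
    Format-Table -AutoSize

# 3. Local account creations (event 4720) and additions to a local security
#    group (event 4732) in the last seven days; the first line of each
#    message states what happened. Correlate the hits with change tickets.
Write-Host '== Account and group changes in the Security log (last 7 days) =='
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The firewall check matches only rules that name port 3389 or any port explicitly; a rule defined over a port range containing 3389 would need a range comparison in the filter.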
I watched the webinar ‘The Best Cybersecurity Strategy: Assume You Have Been Breached’ this week. The summary in the email invitation sounded really interesting, thus I registered, and had to compromise the integrity of my computer once again. Why on earth does SC Magazine present all of its content in that security nightmare, Flash Player?
Young-Sae Song, Vice President Marketing, Arctic Wolf, quotes the Gartner advice ‘Shift Cybersecurity Investment to Detection and Response’ of January this year:
Experts recommend shifting the focus to detection and response
Is this advice meant seriously? I don’t think so. The Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study: Global Analysis’ the mean time to identify a breach at 206 days, with a range of 20 to 582 days (based on a sample of 350 companies). And this despite the increasing number of SIEM installations in the past years.
CISOs are well advised to make sure that the existing cyber defense measures, including their SIEM system, work effectively before they follow this advice.
A ray of hope is Invincea’s Advanced Attack Challenge Simulator. The simulator allows testing the effectiveness of defensive measures against a variety of adversaries. For more details, please see Anup Ghosh’s post ‘Take the Advanced Attack Challenge’. I tried to cut the number of possible defense measures as far as possible. The results are really interesting. Of course, only within the context of this model.
Have a good weekend, and good luck with the simulation.