The Johari Window: How Known Unknowns Led to the Largest Cybersecurity Breach of National Security in U.S. History

“Therefore just as water retains no constant shape, so in warfare there are no constant conditions.” -Sun Tzu

This article adds a different perspective on the recent SolarWinds breach to the growing number of articles on the attack. It also proposes a different approach to adversary detection: detecting the constants in a breach using the concept of active defense as described by the new MITRE Shield framework. The idea is that blue teams should detect lateral movement and living off the land after the adversary has established a beachhead, instead of relying solely on detecting the attack using known knowns.

Illusive Networks Advisory – SolarWinds Supply Chain Attack

Since last week and continuing into this week, details of the attack first perpetrated on FireEye and subsequently on the US Government Departments of Treasury and Commerce continue to evolve. We now know that the attack’s origin was the SolarWinds Orion IT management software versions 2019.4 HF 5 and 2020.2 HF 1, containing a backdoor (Sunburst). According to the FireEye analysis, this campaign may have started as early as spring 2020. We recommend you follow the remediation guidelines from SolarWinds, and any other organizations directly involved in the attack.

It’s still early, and industry knowledge about the attack remains incomplete; nevertheless, we have learned enough to start developing plans to assess and reduce risk for organizations running the affected versions of SolarWinds Orion software. In this attack, as with most other advanced attacks such as APTs and the new forms of targeted (human-operated) ransomware, attackers establish an initial beachhead, surveil their surroundings and move laterally to harvest privileged credentials that give them access to valuable information – the “crown jewels”.

3 Facts About MITRE Shield and Targeted Ransomware

You’ve probably heard me write or speak about ransomware a lot more recently, and for good reason. Targeted, APT-like ransomware attacks against large healthcare organizations and other enterprises have been all over the news.

Recently, I had the opportunity to present a webinar along with MITRE that focused on MITRE Shield, the concept of Active Defense, and how we can use some of these proactive techniques against ransomware attackers. Below, I’ll look at 3 key facts for security teams to understand when planning an active defense strategy against ransomware threats.

Why Are Ransomware Attacks Still Happening?

Here we go again: this past Thursday, officials from three US federal agencies issued a statement warning about an “imminent cybercrime threat to US hospitals and healthcare providers.” The threat in question comes from a Russia-based cybercriminal gang preparing to disrupt information technology systems at hundreds of hospitals and medical care facilities all over the US with ransomware. The attackers will make devices on the hospital networks unusable unless a sizable payoff is made, and indeed, at least five US hospitals already seem to be under attack. With patient populations surging in the wake of another wave of coronavirus cases and a presidential election on the horizon, the imminent threat could prove catastrophic without the proper security measures to fight back.

Better Together: Deterministic Lateral Threat Management and EDR

I am often asked how a lateral threat management solution, leveraging deterministic deception methods from endpoint to network and cloud, can be effective at stopping attacks in environments with an extensive threat detection stack already deployed.

Easier Security Management Across Segmented Networks

Network segmentation—splitting up a network into smaller subnetworks—is a common practice, especially in large organizations. The benefits in segmenting networks include heightened network security, including better privilege management across different departments, isolating a successful attack (or other types of network failures) to a local network, and reduced attack surface, as well as better network performance through reduced congestion (fewer hosts in each subnetwork). Regulatory compliance can be a motivation as well. Additionally, previous mergers and acquisitions often necessitate that networks remain separate.

Preventing Attackers From Turning a Cloud Ecosystem Into a Security Nightmare

One topic we’ve written about a lot on this blog is lateral movement, when attackers leverage existing credentials and connections to move from one machine to another within an environment. When you add cloud to the mix, however, there are so many changes - from new attack vectors to methodologies and prioritizations - that the phrase seems incomplete.

Deceptive Microsoft Office Beacon Files Can Stop Threats

Shadowy attackers targeting organizations from halfway around the world grab most of the cybersecurity headlines. However, research shows that 60 percent of data breaches and other cyberattacks on organizations are actually carried out by rogue or negligent insiders. According to a recent study by the Ponemon Institute, it takes an average of 72 days to contain an insider threat, and typical organizations with over 1,000 employees spend an average of US$8.76 million cleaning up after insider incidents every year.

MITRE ATT&CK Framework – How Illusive Foils Attacker Decision-Making

For a cyber attacker, every organization is a potential target. Attack frequency and degrees of severity vary with the attacker's skill level, the assets they want, choice of tactics, and the sophistication of their targets' defenses. With attacks constantly in the headlines, it's no wonder security teams might feel overwhelmed. But in reality, not all threats are equal. Not all threats are relevant to all organizations. And not all threats are known.

A Deception Technologist’s View of Cloud Security

As I sat down to write this post, I couldn’t help amusing myself with yet another corny “cloud” analogy: The potential for lateral movement between different parts of the extended corporate ecosystem is a bit like all the different types of lightning there are. If, besides being a tech geek, you are also a weather geek, you can read about lightning here. Among other things, this site explains that “Anvil Crawlers are horizontal tree-like, in-cloud lightning discharges whose leader propagation is slow enough… that a human observer… can see its rapid motion across the sky.” Where cloud security is concerned, Illusive’s aim is to make malicious lateral movement to, from, and between clouds slow and visible to the human eye—so that security teams can stop cyberattacks before a successful strike.