Attack Vectors & Vulnerability Management | Ask a Pro, Ep. 3
In this episode, we discuss how bad actors gain access to critical systems by exploiting gaps in security or other vulnerabilities. We also discuss how you can mitigate against these threats with a multilayered cybersecurity approach.
This episode’s guest speakers:
- Rick Valdes, CEO at Atlas Inside
- Chad Holstein, Director, Security & Compliance at ProSource
- Matthew Mulcahy, Director, Business Development at ProSource
Hi there.
My name is Matt Mulcahy from ProSource and this is our third episode of our Ask
a Pro webinar.
Today we’re focusing on attack vectors and vulnerability management.
On the call with me, I have Chad, our Director
of Security Operations, and Rick, CEO of Atlas Inside.
And we’re going to look at some of the popular attack vectors
that are in use today and being used successfully to compromise businesses
and also how we handle vulnerabilities on a day to day basis.
To get started, I just wanted to walk through a couple of introductions.
And first up, we have Rick Valdes, the CEO of Atlas Inside.
Go ahead, Rick.
Thank you, Matthew.
Well, I’ve been working on
the cybersecurity industry for the last ten years and at Atlas Inside
we specialize in developing solutions for Managed Services Providers (MSPs).
So today we’re going to be discussing attack vectors and how to mitigate
the most frequent ways that attackers leverage
to compromise organizations.
Thanks, Rick.
Next up, we’ve got Chad.
Hey, I’m Chad Holstein, I’ve been with ProSource for about three years now.
I’m in charge of the initiatives around security and compliance,
and protecting not only our systems, but our clients as well.
Great. Last but not least, myself.
My name is Matt Mulcahy.
I’ve been at ProSource for about seven and a half years.
(I’m) Director Business Development now.
I oversee our sales and marketing and making sure our customers understand
what it takes to be safe and grow their business in 2022.
First off, we’re going to touch on the popular attack vectors.
Rick is going to talk
about what they see in their operation and their Security Operation Center (SOC)
being the most popular and successful vectors for compromise.
Thank you, Matt.
Well, the number one thing we’re seeing right now in our Security Operation Center
is how attackers leverage credentials that are exposed to the dark web.
Everyone hears from time to time about big guys falling victim
of an attack on their entire database customers going to the dark web.
However, this occurs very often
and not only to the big guys, it happens also to the smaller companies.
So let’s suppose that one of your employees has an account at Adobe.
We all know Adobe had a data breach like a year ago.
So there is a 72% chance that the same person
that had the account breach at Adobe
was using the same password in your enterprise applications.
So what attackers are doing is they are going into the dark web.
They’re getting those databases
with the list of credentials, and they use that information
to try to gain access to the enterprise applications of your company.
Also, they
use legitimate resources like SharePoint, HTML websites hosted in SharePoint
or even PDFs hosted in SharePoint, to leverage.
Basically use the account
of someone they gain access to and expose those resources there
and basically make users enter information
into those resources or gather information using those legitimate resources,
which makes it harder for antivirus
systems to detect.
One might think, well, we have two-factor authentication (2FA) for that.
Well, two-factor
authentication (2FA) or MFA (multi-factor authentication) is not always
enough.
There are many ways to bypass that.
And many, many organizations don’t have strong policies
implemented around two-factor authentication to prevent
attackers from using legacy protocols
that could bypass that two-factor authentication.
Finally, the third and most common attack vector we’re seeing
is companies embedding malicious code
inside legitimate applications.
We see that even in the cybersecurity industry.
Cybersecurity vendors that distribute applications like antivirus, for example,
if they
get a like DNS poisoning attack or a malicious actor gains
access to their DevOps build servers, they embed malicious code into the files.
And when these applications that have a legitimate signature are executed,
then the malicious code would be executed under a legitimate process name,
making it harder to detect by antivirus software.
So the best way to mitigate this, well, there are multiple ways to do it.
But that’s a question
for the next (speaker).
Perfect. Thanks, Rick.
So really, Rick oversees a SOC and they look at thousands of alerts
in a given day and understand what the prevalent vectors are
that malicious actors are using to access sensitive company data.
The other piece of the pie here are vulnerabilities.
That is a very large sector in which malicious actors are being successful.
So Chad is going to touch on
how you
manage vulnerabilities and what that looks like operationally.
Go ahead, Chad.
Thanks, Matt.
Yeah, so we have some reactive measures that we kind of care for internally.
You know, how are we alerted on vulnerabilities?
We have an established ProSource security team internally
and basically we partner
with a Cybersecurity and Infrastructure Security Agency,
CISA, for short.
And they send us
a wide range of vulnerabilities — it could be software
related, could be hardware related, infrastructure.
We also have
direct relationships with our vendors that we support
and we have our Security Operations Center
(SOC) as well, Rick and his team,
that are monitoring in the background logs of all that sort of data.
How do we address vulnerabilities?
This one is very, very important.
So, you know, as we’re alerted, we get actions
to take along with the vulnerability that’s in place or that’s been identified.
Whether it’s zero day or something
that, you know, is really just discovered, we assess the risk.
So it’s you have a key score
that comes through from the vendor basically saying,
you know, on a scale of 0 to 10, you know, is this very emergent?
Is it very damaging to the infrastructure?
Whatever the vulnerability’s for.
So we kind of assess that.
And then we actually
practice change management internally.
So change management is breaking down the process
in which you’re going to implement the mitigation.
And then we actually carry out the mitigation.
We apply patches, firmware updates that are required to kind of
get around this vulnerability or, you know, fix the issue.
Then we continue to monitor as a company.
So it’s kind of a
round robin it just kind of stays in a loop.
We’re constantly doing this for not only ourselves but our clients.
And then you know, there’s also a proactive piece of this.
So the way and the ways you can be proactive are doing things like
vulnerability scans, security awareness training for your staff,
and have cybersecurity insurance in place.
These are all very, very important.
And you know, not only our organization,
but yours as well.
Great. Thanks, Chad.
So why don’t you talk about
how do we approach all of the vulnerability alerts
that we got and all of the logging alerts that we get?
And what are some methods you put in place to really surface
what’s important versus all the noise?
Risk assessment is a big part of it.
You know, just because something is a high risk
doesn’t
necessarily mean that, you know, the systems that we have in place
are affected as such.
So you may have like, you know,
authentication bypass vulnerability.
And that specifically is very scary,
but if it’s not a web-facing system or something like that, it’s
not as vulnerable. You know what I mean?
You have to have access directly to that system onsite somewhere to,
you know, utilize or attack
against the vulnerability.
It’s a different scenario.
So you always have to think outside of the box
of just the vulnerability itself and assess the customer,
you know, or the system you’re working with.
Yeah, perfect. Thanks.
So I’m going to move into my slide here and I really want to take
what Rick and Chad talked about.
The vectors and the nitty gritty
of how we’re handling vulnerabilities and that those internal
dilemmas and conversations
and relate them to your business and what that means from a risk perspective.
So the most important thing is to stay on top of what’s happening.
You have to understand what’s current.
The bad actors are always trying
to stay a step ahead of not only us, but our security vendors like Rick
or even the federal government and the guidelines that they are
putting out to the private sector.
So keeping up with this alone is a full time job
and then structuring your defenses against these ever-evolving,
malicious actors is also a full-time job.
And you have to understand that
no one is ever 100% safe.
All you can do is move yourself the closest
you can to that 99th percentile,
and everyone is at a different point in their security journey.
So going back to what Chad said is that you have to understand your risks.
You have to start with a baseline and you work up from there.
So understanding where your company is today
and where you want to be tomorrow is very important.
And working with someone to help you chart that path is critical.
Something that’s
consistent for every business is the weakest link are your people.
You can have the best firewalls, you can have the best,
you know, email spam filtering, you can have the best SOC, the best SIEM,
but that can all be blown open by somebody clicking
the link, someone circumventing controls that are in place.
So training up your people is something that we preach
very strongly because they can undercut, you know,
a large cybersecurity investment
or very robust cybersecurity controls
and understanding the controls you have
and layering those controls to make a patchwork
and really build a comprehensive strategy for cybersecurity
and defending against the attack vectors we spoke about today is key.
And that’s really building a multilayered security approach.
So, you know, understanding the current methods
of how people are attacking businesses and what successful really
you want to defend of against the successful things,
it doesn’t really make sense to invest against a method that’s not really at use
or has already been addressed by firmware updates or something.
And layering security to patch all of those holes
as a firewall might protect you, you and your edge network,
but cybersecurity awareness training is going to protect you
from your employees clicking that bad link.
So layering that in an intelligent manner gives you that comprehensive protection.
So we’ve got a couple of questions in the chat here that I wanted to pose
to Rick and Chad.
The first one from John is:
What is the last vulnerability you were alerted to?
Chad, you kind of head that up.
Why don’t you answer that one.
Yeah, so we had actually Fortinet
posted a vulnerability for
the FortiOS authentication bypass on administrative interface.
It’s a very serious one, it was rated 9.6 out of 10.
So, you know, this goes to firewalls,
switches, any of their FortiOS products
that are out there in the wild.
You know, we have some clients that have these systems
in place.
We had to actually, you know, go through and assess the risk.
We found that in this case that neither client
that has these systems was affected.
So, you know, in this scenario,
we didn’t have to do anything.
And that’s great!
We talked to them and we actually asked them
if we can go ahead and just upgrade their firmware to the latest version,
just to stay up to date.
And the latest version is also not affected by this vulnerability.
But, you know, in this case and scenario, we did not actually have to do anything
whatsoever, which is- it’s not a bad thing.
So you
touched on something interesting there, Chad, that, you know,
sometimes you don’t have to upgrade or be on the latest firmware to be safe.
And we’ve even seen instances where being on the latest and greatest firmware
or software actually exposes you to more risk because those changes in code
open new vectors for people to attack.
So there’s a balance to being on the latest while also
being on the most secure based on attack vectors and vulnerabilities.
So it’s kind of like a misnomer that just because you’re on the newest you’re
the safest, when that isn’t necessarily always true, it can be true sometimes.
Right. There’s- Go ahead.
There’s definitely some due diligence there, you know,
doing your research and making sure that latest and greatest is
there’s not too many changes to make you understand what was changed, right?
I mean, the changelog, that kind of thing
before you put things in place, you know, that
all kind of rolls around to change management
and you know, controlling the mitigation is really what you’re doing.
You’re laying out the foundation of what you’re doing
to mitigate the vulnerability. Yep.
So speaking, funny you say that, so speaking
of mitigation, Sherry asked: How can you mitigate
against these different threat vectors?
Rick, you want to take that one?
I’m sorry. Can you repeat the question?
How do you mitigate against all these different threat vectors?
Well, there are two things that can be done here.
So the first thing is having a multilayered approach.
When it comes to dark
web attacks — because credentials get
leaked to the dark web — the best way is probably to have
a dark web monitoring service or maybe a password manager
that sometimes have those type of services built in.
The second thing around
MFA bypass is having strong policies implemented,
especially in Office 365, we have been seeing
that many organizations have multi-factor authentication (MFA) implemented,
but they are still allowing legacy protocols to communicate
without having to go through two-factor authentication (2FA)
because well, obviously it’s not supported then.
There are other ways around that.
And finally, when it comes to command and control
coming from code
that is embedded inside applications that are trusted.
Well, yeah, even though the code is running from trusted applications,
there are always things that are going to identify the attack patterns.
For example, even though the code is running from a
legitimate application, they
will always try to connect to an external IP (address).
So basically grab the commands to have to be executed.
Or sometimes the piece of code
basically can be identified based on a specific section of a binary in a file.
And these are things that threat intelligence systems, and SIEMs
that are able to leverage threat intelligence systems, are able to detect.
So the short answer here will be have a strong SIEM, have a strong SOC.
Again, there are multiple ways to tackle this issue. But
the simple answer is have a multilayered approach to cybersecurity
and use the tools that are best for each mitigation for each use case.
Right, defense in depth.
So it seems like it’s important to understand
what the successful vectors that are being leveraged are and really mapping
your security defenses to make sure you’re appropriately protected.
The last question was kind of a repeat, so I’m not going to read that.
But yeah, we try to keep these short.
We don’t want to take up an hour of anyone’s day, an entire lunch session.
We want to give some time back to everybody.
So I really hope that everyone was able to learn what are the popular
attack vectors that we are seeing as a team here.
We use Rick and his team on our Security Operations Center (SOC)
and our Security Information and Event Management (SIEM) platform.
So together we talk all the time, probably every week.
What are we seeing?
Because it’s important for us to keep up and be on the bleeding edge and keep pace
with these bad actors to ensure that we’re applying our security approaches
properly and making sure we’re protected and our clients are protected as well.
If you have any questions for any of the speakers on the webinar,
I’ve got our contact info up on the screen.
You can also check out our websites, atlasinside.com for Rick, getprosource.com
for Chad and I.
And I want to thank everyone for joining us today.
If you have any other questions, feel free to reach out
and look forward to seeing everyone in episode four.
Thanks so much. Have a great day.