My name is Matt Mulcahy from ProSource and this is our third episode of our Ask
a Pro webinar.
Today we’re focusing on attack vectors and vulnerability management.
On the call with me, I have Chad, our Director
of Security Operations, and Rick, CEO of Atlas Inside.
And we’re going to look at some of the popular attack vectors
that are in use today and being used successfully to compromise businesses
and also how we handle vulnerabilities on a day to day basis.
To get started, I just wanted to walk through a couple of introductions.
And first up, we have Rick Valdes, the CEO of Atlas Inside.
Go ahead, Rick.
Thank you, Matthew.
Well, I’ve been working on
the cybersecurity industry for the last ten years and at Atlas Inside
we specialize in developing solutions for Managed Services Providers (MSPs).
So today we’re going to be discussing attack vectors and how to mitigate
the most frequent ways that attackers leverage
to compromise organizations.
Next up, we’ve got Chad.
Hey, I’m Chad Holstein, I’ve been with ProSource for about three years now.
I’m in charge of the initiatives around security and compliance,
and protecting not only our systems, but our clients as well.
Great. Last but not least, myself.
My name is Matt Mulcahy.
I’ve been at ProSource for about seven and a half years.
(I’m) Director Business Development now.
I oversee our sales and marketing and making sure our customers understand
what it takes to be safe and grow their business in 2022.
First off, we’re going to touch on the popular attack vectors.
Rick is going to talk
about what they see in their operation and their Security Operation Center (SOC)
being the most popular and successful vectors for compromise.
Thank you, Matt.
Well, the number one thing we’re seeing right now in our Security Operation Center
is how attackers leverage credentials that are exposed to the dark web.
Everyone, hears from time to time about big guys falling victim
of an attack on their entire database customers going to the dark web.
However, this occurs very often
and not only to the big guys, it happens also to the smaller companies.
So let’s suppose that one of your employees has an account at Adobe.
We all know Adobe had a data breach like a year ago.
So there is a 72% chance that the same person
that had the account breach at Adobe
was using the same password in your enterprise applications.
So what attackers are doing is they are going into the dark web.
They’re getting those databases
with the list of credentials, and they use that information
to try to gain access to the enterprise applications of your company.
use legitimate resources like SharePoint, HTML websites hosted in SharePoint
or even PDFs hosted in SharePoint, to leverage.
Basically use the account
of someone they gain access to and expose those resources there
and basically make users enter information
into those resources or gather information using those legitimate resources,
which makes it makes it harder for antivirus
systems to detect.
One might think, well, we have two-factor authentication (2FA) for that.
authentication (2FA) or MFA (multi-factor authentication) is not always
There are many ways to bypass that.
And many, many organizations don’t have strong policies
implemented around two-factor authentication to prevent
attackers from using legacy protocols
that could bypass that two-factor authentication.
Finally, the third and most common attack vector we’re seeing
is companies embedding malicious code
inside legitimate applications.
We see that even in the cybersecurity industry.
Cybersecurity vendors that distribute applications like antivirus, for example,
get a like DNS poisoning attack or a malicious actor gains
access to their DevOps build servers, they embed malicious code into the files.
And when these applications that have a legitimate signature are executed,
then the malicious code would be executed under a legitimate process name,
making it harder to detect by antivirus software.
So the best way to mitigate this, well, there are multiple ways to do it.
But that’s a question
for the next (speaker).
Perfect. Thanks, Rick.
So really, Rick oversees a SOC and they look at thousands of alerts
in a given day and understand what the prevalent vectors are
that malicious actors are using to access sensitive company data.
The other piece of the pie here are vulnerabilities.
That is a very large sector in which malicious actors are being successful.
So Chad is going to touch on
manage vulnerabilities and what that looks like operationally.
Go ahead, Chad Thanks, Matt.
Yeah, so we have some reactive measures that we kind of care for internally.
You know, how are we alerted on vulnerabilities?
We have an established ProSource security team internally
and basically we partner
with a Cybersecurity and Infrastructure Security Agency,
CISA, for short.
And they send us
a wide range of vulnerabilities — it could be software
related, could be hardware related, infrastructure.
We also have
direct relationships with our vendors that we support
and we have our Security Operations Center
(SOC) as well, Rick and his team,
that are monitoring in the background logs of all that sort of data.
How do we address vulnerabilities?
This one is very, very important.
So, you know, as we’re alerted, we get actions
to take along with the vulnerability that’s in place or that’s been identified.
Whether it’s zero day or something
that, you know, is really just discovered, we assess the risk.
So it’s you have a key score
that comes through from the vendor basically saying,
you know, on a scale of 0 to 10, you know, is this very emergent?
Is it is it very damaging to the infrastructure?
Whatever the vulnerability’s for.
So we kind of assess that.
And then we actually
practice change management internally.
So change management is breaking down the process
in which you’re going to implement the mitigation.
And then we actually carry out the mitigation.
We apply patches, firmware updates that are required to kind of
get around this vulnerability or, you know, fix the issue.
Then we continue to monitor as a company.
So it’s a it’s kind of a
round robin it just kind of stays in a loop.
We’re constantly doing this for not only ourselves but our clients.
And then you know, there’s also a proactive piece of this.
So the way and the ways you can be proactive are doing things like
vulnerability scans, security awareness training for your staff,
and have cybersecurity insurance in place.
These are all very, very important.
And you know, not only our organization,
but yours as well.
Great. Thanks, Chad.
So why don’t you talk about
how do we approach all of the vulnerability alerts
that we got and all of the logging alerts that we get?
And what are some methods you put in place to really surface
what’s important versus all the noise?
Risk assessment is a big part of it.
You know, just because something is a high risk
necessarily mean that, you know, the systems that we have in place
are affected as such.
So you may have like, you know,
authentication bypass vulnerability.
And that specifically is very scary,
but if it’s not a web-facing system or something like that, it’s
not as vulnerable. You know what I mean?
You have to have access directly to that system onsite somewhere to,
you know, utilize or attack
against the vulnerability.
It’s a different scenario.
So you always have to think outside of the box
of just the vulnerability itself and assess the customer,
you know, or the system you’re working with.
Yeah, perfect. Thanks.
So I’m going to move into my slide here and I really want to take
what Rick and Chad talked about.
The vectors and the nitty gritty
of how we’re handling vulnerabilities and that those internal
dilemmas and conversations
and relate them to your business and what that means from a risk perspective.
So the most important thing is to stay on top of what’s happening.
You have to understand what’s current.
The bad actors are always trying
to stay a step ahead of not only us, but our security vendors like Rick
or even the federal government and the guidelines that they are
putting out to the private sector.
So keeping up with this alone is a full time job
and then structuring your defenses against these ever-evolving,
malicious actors is also a full-time job.
And you have to understand that
no one is ever 100% safe.
All you can do is move yourself the closest
you can to that 99th percentile,
and everyone is at a different point in their security journey.
So going back to what Chad said is that you have to understand your risks.
You have to start with a baseline and you work up from there.
So understanding where your company is today
and where you want to be tomorrow is very important.
And working with someone to help you chart that path is critical.
consistent for every business is the weakest link are your people.
You can have the best firewalls, you can have the best,
you know, email spam filtering, you can have the best SOC, the best SIEM,
but that can all be blown open by somebody clicking
the link, someone circumventing controls that are in place.
So training up your people is something that we preach
very strongly because they can undercut, you know,
a large cybersecurity investment
or very robust cybersecurity controls
and understanding the controls you have
and layering those controls to make a patchwork
and really build a comprehensive strategy for cybersecurity
and defending against the attack vectors we spoke about today is key.
And that’s really building a multilayered security approach.
So, you know, understanding the current methods
of how people are attacking businesses and what successful really
you want to defend of against the successful things,
it doesn’t really make sense to invest against a method that’s not really at use
or has already been addressed by firmware updates or something.
And layering security to patch all of those holes
as a firewall might protect you, you and your edge network,
but cybersecurity awareness training is going to protect you
from your employees clicking that bad link.
So layering that in an intelligent manner gives you that comprehensive protection.
So we’ve got a couple of questions in the chat here that I wanted to pose
to Rick and Chad.
The first one from John is:
What is the last vulnerability you were alerted to?
Chad, you kind of head that up.
Why don’t you answer that one.
Yeah, so we had actually Fortinet
posted a vulnerability for
the FortiOS authentication bypass on administrative interface.
It’s a very serious one, it was rated 9.6 out of 10.
So, you know, this goes to to firewalls,
switches, any of their FortiOS products
that are out there in the wild.
You know, we have some clients that have these systems
We had to actually, you know, go through and assess the risk.
We found that in this case that neither client
that has these systems was affected.
So, you know, in this scenario,
we didn’t have to do anything.
And that’s great!
We talked to them and we actually asked them
if we can go ahead and just upgrade their firmware to the latest version,
just to stay up to date.
And the latest version is also not affected by this vulnerability.
But, you know, in this case and scenario, we did not actually have to do anything
whatsoever, which is- it’s not a bad thing.
touched on something interesting there, Chad, that, you know,
sometimes you don’t have to upgrade or be on the latest firmware to be safe.
And we’ve even seen instances where being on the latest and greatest firmware
or software actually exposes you to more risk because those changes in code
open new vectors for people to attack.
So there’s a balance to being on the latest while also
being on the most secure based on attack vectors and vulnerabilities.
So it’s kind of like a misnomer that just because you’re on the newest you’re
the safest, when that isn’t necessarily always true, it can be true sometimes.
Right. There’s- Go ahead.
There’s definitely some due diligence there, you know,
doing your research and making sure that latest and greatest is
there’s not too many changes to make you understand what was changed, right?
I mean, the changelog, that kind of thing
before you put things in place, you know, that
all kind of rolls around to change management
and you know, controlling the mitigation is really what you’re doing.
You’re laying out the foundation of what you’re doing
to mitigate the vulnerability. Yep.
So speaking, funny you say that, so speaking
of mitigation, Sherry asked: How can you mitigate
against these different threat vectors?
Rick, you want to take that one?
I’m sorry. Can you repeat the question?
How do you mitigate against all these different threat vectors?
Well, there are two things that can be done here.
So the first thing is having a multilayered approach.
When it comes to dark
web attacks — because credentials get
leaked to the dark web — the best way is probably to have
a dark web monitoring service or maybe a password manager
that sometimes have those type of services built in.
The second thing around
MFA bypass is having strong policies implemented,
especially in Office 365, we have been seeing
that many organizations have multi-factor authentication (MFA) implemented,
but they are still allowing legacy protocols to communicate
without having to go through two-factor authentication (2FA)
because well, obviously it’s not supported then.
There are other ways around that.
And finally, when it comes to command and control
coming from code
that is embedded inside applications that are trusted.
Well, yeah, even though the code is running from trusted applications,
there are always things that are going to identify the attack patterns.
For example, even though the code is running from a
legitimate application, they
will always try to connect to an external IP (address).
So basically grab the commands to have to be executed.
Or sometimes the piece of code
basically can be identified based on a specific section of a binary in a file.
And these are things that threat intelligence systems, and SIEMs
that are able to leverage threat intelligence systems, are able to detect.
So the short answer here will be have a strong SIEM, have a strong SOC.
Again, there are multiple ways to tackle this issue. But
the simple answer is have a multilayered approach to cybersecurity
and use the tools that are best for each mitigation for each use case.
Right, defense in depth.
So it seems like it’s important to understand
what the successful vectors that are being leveraged are and really mapping
your security defenses to make sure you’re appropriately protected.
The last question was kind of a repeat, so I’m not going to read that.
But yeah, we try to keep these short.
We don’t want to take up an hour of anyone’s day, an entire lunch session.
We want to give some time back to everybody.
So I really hope that everyone was able to learn what are the popular
attack vectors that are that we are seeing as a team here?
We use Rick and his team on our Security Operations Center (SOC)
and our Security Information and Event Management (SIEM) platform.
So together we talk all the time, probably every week.
What do what are we seeing?
Because it’s important for us to keep up and be on the bleeding edge and keep pace
with these bad actors to ensure that we’re applying our security approaches
properly and making sure we’re protected and our clients are protected as well.
If you have any questions for any of the speakers on the webinar,
I’ve got our contact info up on the screen.
You can also check out our websites, atlasinside.com for Rick, getprosource.com
for Chad and I.
And I want to thank everyone for joining us today.
If you have any other questions, feel free to reach out
and look forward to seeing everyone in episode four.
Thanks so much. Have a great day.