Tech Tidbit – What I am afraid of

September 24th, 2021
Tech Tidbit – What I am afraid of

 

As I have gotten older I have developed claustrophobia. MRI machines are now my nemesis. Fortunately, I have not needed one in a long time.

However, in my 43 years of working in IT there is another thing I am now afraid of - these internet-based attacks on our clients.

So many people want to do us all harm and steal our information and hold it for ransom.

One of the most terrifying items to me is being notified "after the fact" that something bad has been going on before there was a fix released from the vendor - or even a notice of an issue. In the last year I have heard way too many, "this isn't a big deal" or "no known exploits" scenarios only to find out later that the statement was simply untrue.

When faced with these repeated scenarios, I ask myself a few questions:

  1. Who of our clients could potentially be affected?
  2. Is there a patch?
  3. Does the patch actually work? Too many times in the last year the answer has been "no" - after we did the work to install it.
  4. Does the patch break anything? Too many times the answer in the last year has been "yes".
  5. How do I know if the bad guys already breached any of our potentially exposed client's networks? You hear me say over and over, "how do I know what I don't know?"
  6. If I find evidence of a breach, how do I know if there is movement? I absolutely hate being operationally blind with so much at stake and this vendor imposed fear, uncertainty and doubt is dropped in our laps - often at very inopportune times such as nights, weekends and holidays.
  7. Does the site have any internet facing servers?
  8. Are they isolated in a DMZ?
  9. Are holes poked through the firewall directly to a server on the inside? In the most recent server active attack that CISA talked about a week or so ago; they recommended that the server not directly touch the internet. That means a proxy server in the DMZ to re-route traffic from the outside to the inside to keep everything at arms length. That means LDAP calls go to Read Only Domain Controllers vs. ordinary DCs. If that is not how you are setup, you need to evaluate what touches the internet and make these connections more secure.
  10. What is the site's backup status?
  11. Are there secure off-site backups?
  12. Are the backups tested?

Then I go through whether the potential effected clients have the tools in place to give me piece of mind to quickly do what needs to be done to keep them safe:

  • Does the site have our Paladin Sentinel Monitor service that provides an overview of visibility and easy access to quickly look at servers and potentially shut down servers or services that are at risk while we figure out what is next?
  • Does the site have our CyberSentinel Endpoint Detect and Respond (CSEDR) clients installed so we have not only the advanced protection well beyond antivirus but visibility into lateral movement of attacks, 24x7x365 eyes on the devices from the Security Operations Center (SOC) with the option of automatically shunning devices that are infected as a first response until the SOC validates it is safe and puts it back into service - even if it 3 am on July 4th?
  • Do they have a patch management process to push out Windows and Third Party and custom patches?
  • Do they have our Managed Firewall Service where we can see if any unusual traffic is going on - especially if we identify a specific threat and how it talks.
  • Do they have an Active Directory Audit Server to quickly look for unusual rights escalations, and file activity?
  • Do they have Cisco Umbrella to filter out and report on malicious DNS queries of know bad sites and reports on the activity? Previously I wrote about the server that tried to download a Tor browser from Germany. The good news was that Cisco Umbrella blocked the query which killed the download. Knowing that attackers get their footprint and attempt to download Tor to setup shop that was a “shields up” moment. An attack was being staged. We were able to quickly stop the attempt and secure the site and validate it was clean with all the other tools.

One of the most amazing tools to know whether an attacker has breached your network and established persistent foothold and whether they are hopping across your servers or workstations doing their nefarious work is the Huntress Agent. It creates a baseline of the machine to understand what “normal” is. Then it evaluates changes against known threats both with AI and live security analyst. It doesn’t block anything, but looks for behaviors. It sees what antivirus, EDR, and other advanced protections can't. Many of these breaches recently have things that were actually allowed so nothing traditional blocked "legitimate traffic or files". In these most recent breaches that were disclosed after the fact, the security folks at Huntress were able to take the latest vendor and industry information on breaches and file patterns and apply it against their vast database of endpoints retroactively and identify machines with Huntress agents that had the file pattern finger prints of the exploit. They were also able to identify the devices that lacked the patch to prevent the exploit. It is all quite remarkable to watch them in action when it really matters.

The Huntress agent doesn’t replace anything. It is just another layer in your security stack looking at your security from an entirely different perspective with a completely different set of eyes.

Think of it like a smoke detector. It didn’t stop the fire, but it does tell you there is smoke or flames and allows all of us to quickly focus on killing the threat that is already inside your network past your other defenses before it kills you. It has proven invaluable to providing piece of mind that we are not at risk both now and in the future.

I believe the Huntress agent should be on everything, but If that is not yet achievable, I want it on absolutely everything that touches the Internet first. Then all your domain controllers. Then your remaining servers. And then your workstations starting with your most sensitive workstations and then everything else.

When I am afraid of what I don't know, I wanted the Huntress agent feeding me this information when it actually matters.

These are the tools that give me piece of mind that I believe you should also have in your network.

If you want this level of visibility and added piece of mind, give us call and let’s talk about your district’s overall security strategy.

Scott Quimby