Tech Tidbit – My Achilles Heel – Closing your District’s Vulnerability Gaps

May 19th, 2022
"Legends state that Achilles was invulnerable in all of his body except for one heel because when his mother Thetis dipped him in the River Styx as an infant, she held him by one of his heels. Alluding to these legends, the term "Achilles' heel" has come to mean a point of weakness, especially in someone or something with an otherwise strong constitution."

-Wikipedia

As many know, I have traveled a fair bit of the world over the years. I have tons of pictures. I have screen savers and wallpaper and sign-on screens rotating through my pictures. I like it.

For the better part of 15 years, I have used a specific product that does an awesome job at randomizing pictures for all these different ways to display from a myriad of picture sources. It is from a company that was long ago a significant player in the early Windows security environment.

When we evolved from basic antivirus into EDR products, I put our CSEDR powered by SentinelOne on this personal machine. Periodically they would flag the picture software in an update and then the SOC analyst would come back and state it was okay. Every couple of months we'd have this interaction.

Recently SentinelOne once again flagged this item and took it out. I reached out to the SOC stating that this was most likely the same update noise that we had seen for the last year or so.

Immediately I got back a very different answer.

No, it was not.

My cute little boring program that had been "safe" for as long as I can remember had just dropped a keystroke logger onto my machine.

I was confused and questioned the result.

A minute later I had a screenshot from the SOC team showing exactly what my boring little program did. And it in fact did flip from benign to an active threat. SentinelOne and the SOC acted accordingly. It was dead before I even got to my questions.

This reminds me of a few things:

1 - You are only as strong as your weakest link. While this was a personal machine, my desire for my cute program opened the door to an outside source of bad actors. This honestly isn't limited to just my program. A number of major hardware and software vendors we all know have suffered similar fates over the years, where something bad got into safe code and leveraged the vendor's own update framework to disseminate it. The same thing has happened with a lot of seemingly safe adware and browser extension products, where somewhere down the line the boring, stupid thing turns into a very evil attack vector.

2 - There are Group Policy settings that allow web browsers and Windows Defender to intentionally block "potentially unwanted programs" (PUP) to cut down the noise, maximize performance, and cut down on the attack surface. If your browser is under management, you can probably limit your browser extensions to approved extensions only. All of you should have all your users (including your techs) running as limited users for their day-to-day operations.

3 - While I wouldn't bet my network on it, Malwarebytes continues to be the best potentially unwanted programs checker I have seen in quickly clearing out the crud that good and bad folks try to push into your endpoints.

4 - You should be keeping a tight rein on what applications you install, limiting them to apps that are legal, supportable, and appropriate for what your users need to do.

5 - You should have a third-party patching framework to keep on top of the security updates for these core third-party apps as much as practical. There is no 100% solution here, but we can do a lot.

6 - And knowing that even the most powerful defenses have some sort of weakness, we need layers of protection such as CSEDR powered by SentinelOne and Huntress, leaving Windows Defender as a second- or third-opinion layer.

7 - And finally, having a 24x7x365 Security Operations Center watching over your endpoints, who really don't care about your story but only live data, protecting you even when you think you don't need the protection, is invaluable.
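As an added example (not from the original Tech Tidbit, and not CSI's tooling), here is what point 2 looks like when typed into an elevated PowerShell on a single Windows endpoint: turn on Defender's PUA blocking, lock the managed browser down to an approved extension list, and report who still holds local admin. It assumes Microsoft Edge is the managed browser and uses a placeholder extension ID that you would replace with your district's approved IDs. The same settings are available as Group Policy ("Configure detection for potentially unwanted applications" under Microsoft Defender Antivirus, and the Edge/Chrome ADMX extension policies); a domain GPO will override what this script sets locally, which is the behavior you want in a district.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell.
# Assumptions: Edge is the managed browser; the extension ID below is a placeholder.
#Requires -RunAsAdministrator

# 1. Defender PUA protection: Disabled (0), Enabled (1), or AuditMode (2).
#    AuditMode only logs what would have been blocked; use it for a couple of
#    weeks on a pilot group before switching to Enabled district-wide.
Set-MpPreference -PUAProtection Enabled

# 2. Edge extension allowlisting: block everything ('*'), then allow only
#    approved IDs. These are the documented Edge policy registry locations;
#    the same policy names exist for Chrome under
#    HKLM:\SOFTWARE\Policies\Google\Chrome.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$approvedExtensions = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder: replace with a real 32-char extension ID
)

New-Item -Path "$edgePolicy\ExtensionInstallBlocklist" -Force | Out-Null
Set-ItemProperty -Path "$edgePolicy\ExtensionInstallBlocklist" -Name '1' -Value '*' -Type String

New-Item -Path "$edgePolicy\ExtensionInstallAllowlist" -Force | Out-Null
$index = 1
foreach ($id in $approvedExtensions) {
    Set-ItemProperty -Path "$edgePolicy\ExtensionInstallAllowlist" -Name "$index" -Value $id -Type String
    $index++
}

# Edge's own SmartScreen PUA download blocking, as a second opinion to Defender.
Set-ItemProperty -Path $edgePolicy -Name 'SmartScreenPuaEnabled' -Value 1 -Type DWord

# 3. Limited users: list local Administrators so the group can be trimmed to
#    the accounts that actually need it (techs included).
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

# Report the resulting state so the change can be verified (or fed to your RMM).
[pscustomobject]@{
    PUAProtection = (Get-MpPreference).PUAProtection          # expect 1 (Enabled)
    EdgeBlocklist = (Get-ItemProperty "$edgePolicy\ExtensionInstallBlocklist").'1'
    EdgeAllowlist = ($approvedExtensions -join ',')
    LocalAdmins   = ($localAdmins -join ', ')
}
```

Two caveats a practitioner would want: `Set-MpPreference -PUAProtection` only matters if Defender is the active antivirus, so on a machine where a third-party EDR has registered itself as primary, check `Get-MpComputerStatus` first; and the extension blocklist applies at next browser policy refresh, so already-installed unapproved extensions are disabled rather than silently kept.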

There are a number of suggestions here for you to implement. CSI is happy to help you close your district's vulnerability gaps. If you want to talk, give us a call.

-Scott Quimby