On Mother's Day, I put my wife and my 9-year-old daughter on the 6:09 am train out of Southeast to NYC. They had a special mother/daughter breakfast reservation at 9 am.
As I am standing there waiting for the train, I am staring at all the warnings beneath my feet to "watch the gap".
It is there to remind us to be safe getting on and off the train. Gaps are dangerous for passengers. If you are paying attention, it is pretty easy to keep yourself from danger.
The same is true with your district's security posture. You need 100% of your endpoints to have some type of active defense, starting with a high-end EDR such as Acture's various SentinelOne and SOC offerings.
Having "eyes on glass" and "eyes on firewall" is vital to see the activity on your network. Increasingly the bad guys are tiptoeing around many traditional defenses.
Someone needs to be playing centerfield in your security landscape to see what is moving around.
Someone has to be checking the front door, back door and every other door.
Gaps create blind spots. In the past I've talked about EDR killers that blunt the telemetry from major EDR products so you can't see the endpoints warning you they are under attack. This allows bad guys to blind you and then hack your favorite EDR product out from your endpoints so they can do what they want with your network.
This week it was announced that there is now a fake AV/EDR that fakes out real Windows Defender into believing a "real" EDR-type product is present, so Defender shuts down and steps out of the way! All your reports would still say you have antivirus and that it is current.
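A practical way to check for that kind of gap is to ask Windows what it believes is protecting the machine and cross-check the answer against Defender's own state. The PowerShell below is an added example for this post, not code from the original article, from Acture or from any EDR vendor. It assumes a Windows client SKU (the root/SecurityCenter2 namespace is not present on Windows Server), an elevated session, and that the list of expected product names is filled in for your environment; the product names given are placeholders, and the productState decoding is a community-documented bit field rather than an official Microsoft interface.

```powershell
# Added example (not from the original post): audit the antivirus products that
# Windows Security Center reports and compare them with Defender's own status.
# Assumes a Windows client SKU and an elevated PowerShell session.

function Get-RegisteredAvProducts {
    # Everything Security Center thinks is an installed AV product, with the
    # on-disk binary and its Authenticode signature checked.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = $_.pathToSignedProductExe
            # Defender registers a URI-style path, not a file; only test real file paths.
            $exists = [bool]($exe -and $exe -notmatch '^[a-z]+://' -and
                             (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue))
            $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                DisplayName = $_.displayName
                ProductExe  = $exe
                ExeExists   = $exists
                SigStatus   = if ($sig) { $sig.Status.ToString() } else { 'NotChecked' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Community-decoded, undocumented bit field: middle byte 0x10 is usually
                # read as "enabled", low byte 0x10 as "signatures out of date".
                StateHex    = ('{0:X6}' -f $_.productState)
                Timestamp   = $_.timestamp
            }
        }
}

function Test-AvRegistrations {
    param(
        # Placeholder list: replace with the display names your district expects.
        # Defender's name varies by build ("Windows Defender" vs "Microsoft Defender Antivirus").
        [string[]]$ExpectedProducts = @('Windows Defender', 'Microsoft Defender Antivirus', '<your EDR display name>')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($p in Get-RegisteredAvProducts) {
        if ($p.DisplayName -notin $ExpectedProducts) {
            $findings.Add("Unexpected AV registration: '$($p.DisplayName)' ($($p.ProductExe))")
        }
        if ($p.ProductExe -and $p.ProductExe -notmatch '^[a-z]+://' -and -not $p.ExeExists) {
            $findings.Add("Registered product binary missing on disk: $($p.ProductExe)")
        }
        if ($p.ExeExists -and $p.SigStatus -ne 'Valid') {
            $findings.Add("Registered product binary not validly signed ($($p.SigStatus)): $($p.ProductExe)")
        }
    }

    # Defender's own view: if a registration has pushed it into passive mode or
    # turned off real-time protection, the inventory report will still look green.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    if ($mp.AMRunningMode -and $mp.AMRunningMode -ne 'Normal') {
        $findings.Add("Defender running mode is '$($mp.AMRunningMode)' - verify the product it deferred to is real")
    }

    if ($findings.Count -eq 0) { 'No AV registration findings' } else { $findings }
}

Get-RegisteredAvProducts | Format-Table DisplayName, ExeExists, SigStatus, StateHex -AutoSize
Test-AvRegistrations
```

Run it from your RMM or as a scheduled task and ship the findings to the SOC; the interesting cases are a product name nobody recognizes, a registered binary that is unsigned or no longer on disk, and Defender sitting in a non-Normal running mode on a machine where no real EDR agent is installed.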
Recently there was another major cybersecurity incident in the region. The number of things done wrong by the site was truly amazing.
The result was the site was riddled with blind spots that their EDR SOC simply could not see. This was combined with an open VPN connection to a third-party vendor that was completely unmanaged by the site. The site used a low-end AV/EDR which still could kill bad things but had no ability to see or understand modern threats. They had many of their machines without any protection at all. Then they topped it off by having unmanaged staff machines inside their network!
The result was the threat actor immediately entered through the blind spot of the unmanaged third-party connection. They found an environment that was poorly defended. It was easy to see where defenses were located and where they were not. Using "living off the land" techniques they quickly deployed ransomware. They spread throughout the WAN connections and repeated their evil deeds across the entire network.
By the time anyone noticed, it was over and they were dead.
The gaps provided to the threat actor were huge.
The lessons learned:
- All endpoints need a current, robust EDR product like Acture's SentinelOne offerings. Those endpoints need "eyes on glass" from the SOC team watching over these endpoints.
- You need SOC oversight over your entire network including "eyes on firewall" so that no one can enter or leave your network without the SOC's knowledge.
- You need to make sure that third-party vendors are forced to "stay in their lane" and kept away from your core network so they are not a threat regardless of the vendor's cybersecurity competence.
- You need to make sure every non-district asset, whether a mobile phone or a laptop or desktop, is kept off the internal network and away from district assets.
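The first and last lessons above come down to one question: does every device on the network appear in inventory, and does every inventoried device have a live EDR agent? The script below is an added example written for this post, not code from the original article, from Acture or from any EDR vendor. It reconciles three constructed sample CSVs (the district's asset inventory, an EDR console export of agents with last check-in, and a DHCP lease list); in practice those would be replaced by exports from AD or MDM, the EDR console, and DHCP or NAC. Column names and the stale-agent threshold are assumptions.

```powershell
# Added example (not from the original post): find endpoints that should have an
# EDR agent but do not, agents that have gone quiet, and devices on the network
# that are not in inventory at all. All three inputs are constructed sample data.

$inventoryCsv = @'
Hostname,Owner,Type
LIB-PC-01,District,Desktop
ADMIN-LT-07,District,Laptop
SCI-PC-12,District,Desktop
'@

$edrCsv = @'
Hostname,AgentVersion,LastSeenHoursAgo
LIB-PC-01,23.1.0,2
SCI-PC-12,23.1.0,200
'@

$dhcpCsv = @'
Hostname,IPAddress,Vlan
LIB-PC-01,10.10.1.21,Staff
ADMIN-LT-07,10.10.1.44,Staff
JOHNS-IPHONE,10.10.1.90,Staff
VENDOR-HVAC-GW,10.10.1.250,Staff
'@

function Find-CoverageGaps {
    param(
        [string]$Inventory,
        [string]$Edr,
        [string]$Dhcp,
        # Agents silent longer than this are treated as a gap (assumed threshold).
        [int]$StaleHours = 72
    )
    $inv    = $Inventory | ConvertFrom-Csv
    $agents = $Edr       | ConvertFrom-Csv
    $leases = $Dhcp      | ConvertFrom-Csv

    # Index EDR agents by upper-cased hostname so comparisons are case-insensitive.
    $edrByHost = @{}
    foreach ($a in $agents) { $edrByHost[$a.Hostname.ToUpper()] = $a }
    $invNames = @($inv | ForEach-Object { $_.Hostname.ToUpper() })

    $gaps = [System.Collections.Generic.List[object]]::new()

    # 1. Inventoried district assets with no agent, or an agent that stopped reporting.
    foreach ($i in $inv) {
        $h = $i.Hostname.ToUpper()
        if (-not $edrByHost.ContainsKey($h)) {
            $gaps.Add([pscustomobject]@{ Hostname = $h; Gap = 'No EDR agent reported'; Detail = $i.Type })
        } elseif ([int]$edrByHost[$h].LastSeenHoursAgo -gt $StaleHours) {
            $gaps.Add([pscustomobject]@{ Hostname = $h; Gap = 'EDR agent stale';
                                         Detail = "last seen $($edrByHost[$h].LastSeenHoursAgo)h ago" })
        }
    }

    # 2. Devices holding a lease on the internal network that inventory knows nothing about
    #    (personal phones, vendor gateways, unmanaged staff machines).
    foreach ($l in $leases) {
        $h = $l.Hostname.ToUpper()
        if ($h -notin $invNames) {
            $gaps.Add([pscustomobject]@{ Hostname = $h; Gap = 'On network but not in inventory';
                                         Detail = "$($l.IPAddress) on VLAN $($l.Vlan)" })
        }
    }
    $gaps
}

# With the sample data this reports ADMIN-LT-07 (no agent), SCI-PC-12 (stale agent),
# and JOHNS-IPHONE and VENDOR-HVAC-GW (on the staff VLAN, not in inventory).
Find-CoverageGaps -Inventory $inventoryCsv -Edr $edrCsv -Dhcp $dhcpCsv | Format-Table -AutoSize
```

Run this on a schedule and treat a non-empty result as a ticket: the "not in inventory" rows are exactly the unmanaged staff devices and third-party connections the post describes, and the "no agent" rows are the endpoints the SOC cannot see.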
This was ugly. This should have never happened. In a well-maintained and well-designed network, this should have been quickly detected by the SOC and the threat actors removed from the network before it got this far along.
If you'd like help evaluating or re-evaluating your current network defense status, give us a call. We are happy to help.
Scott Quimby
Senior Technical Advisor
vCISO
CISSP