A recently disclosed vulnerability in Microsoft's Netlogon Remote Protocol (CVE-2020-1472, widely known as Zerologon) lets an unauthenticated attacker who can reach a domain controller over the network establish a Netlogon secure channel without valid credentials, because of a flaw in the protocol's cryptographic handshake. An attacker who exploits it can run applications of their choosing against the domain controller and obtain full domain administrative privileges.
The vulnerability was rightly given the highest possible CVSS score of 10.0, making it one of the worst seen in a long time. Patching is usually the first mitigation considered once a vulnerability is public, but here it is not straightforward. Because Netlogon sits at the core of Microsoft's domain authentication, Microsoft released the fix in two phases: an initial update, and an enforcement phase some months later that rejects insecure Netlogon connections outright. That enforcement step is the part that actually closes the hole, and for many organisations it may be impractical to switch on because it can break devices and line-of-business applications that still depend on the old behaviour.
Let us say, for now, that it is impossible to patch your systems. Either you have an older architecture built on out-of-support Microsoft servers, or you have business applications that depend on services that will no longer work once the fix is enforced. You must decide what to do, since leaving this risk untreated is untenable. What options do you have?
The score quoted for a vulnerability is the CVSS base score, and it deliberately does not account for the controls you already have in your environment (CVSS has separate environmental metrics for exactly that purpose, and they are rarely applied). So even a vulnerability scored as a 10 can be brought below your threshold of acceptable risk, meaning patching can be scheduled rather than treated as an emergency, as long as compensating controls are in place, and verified to be working, against the ways the flaw can be exploited.
Start by looking at the details of the vulnerability and how it works. Even if the bulletin says the only answer is to patch, you may be able to design a mitigating solution around it that greatly improves your resilience. In the case of this Microsoft issue, the attacker needs network access to the domain controller's Netlogon RPC service; they do not need an account, but they do need to be on a network from which the domain controller is reachable. So ask yourself how you can prevent an attacker from getting onto your network in the first place. You might already have Network Access Control (NAC) based on 802.1X, which enforces strong authentication for systems trying to join the wired or wireless network. Blocking unknown MAC addresses adds a further hurdle, though only a small one, because MAC addresses are trivially spoofed. There are other network-level mitigations that are stronger than either, such as segmenting domain controllers so that only known hosts can reach their RPC endpoints, so if you have them or can deploy them easily, take them into account when assessing the real likelihood that an attacker can mount a rogue device at your location and attack your domain controller.
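A detective control belongs alongside the network controls, and it does not depend on the patch. The following is an added example, not code from the original post: it scans Windows Security event records from a domain controller for two indicators of Zerologon activity. The exploit resets the domain controller's machine account password over Netlogon without authenticating, which the DC audits as Event ID 4742 (a computer account was changed) with ANONYMOUS LOGON as the subject; and domain controllers that carry Microsoft's August 2020 Netlogon update log Event IDs 5827, 5828 and 5829 for denied and allowed vulnerable Netlogon secure channel connections. The event records are constructed for the example, and the flat dict field names are an assumption about how your log pipeline presents EventData.

```python
"""Detective control for CVE-2020-1472: flag exploitation indicators in Windows
Security event records from a domain controller.

Added example, not code from the original post. Indicators used:
  * Event 4742 (computer account changed) whose subject is ANONYMOUS LOGON
    (SID S-1-5-7) and whose target is a machine account ("NAME$").
  * Events 5827/5828 (denied) and 5829 (allowed) vulnerable Netlogon secure
    channel connections, logged only by DCs carrying the August 2020 update.
Records are constructed flat dicts; the field names mirror the Security log's
EventData names but are an assumption about the log pipeline.
"""

ANONYMOUS_LOGON_SID = "S-1-5-7"
VULNERABLE_CHANNEL_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed", "machine account"),
}


def is_machine_account(name):
    """Machine (computer) accounts end in '$' in the Security log."""
    return name.endswith("$")


def anonymous_machine_password_reset(event):
    """True for a 4742 in which ANONYMOUS LOGON changed a machine account."""
    if event.get("EventID") != 4742:
        return False
    subject_sid = event.get("SubjectUserSid", "")
    subject_name = event.get("SubjectUserName", "")
    target = event.get("TargetUserName", "")
    anonymous = (subject_sid == ANONYMOUS_LOGON_SID
                 or subject_name.upper() == "ANONYMOUS LOGON")
    return anonymous and is_machine_account(target)


def find_indicators(events):
    """Return one finding dict per suspicious event, in log order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if anonymous_machine_password_reset(ev):
            findings.append({
                "severity": "critical",
                "event_id": eid,
                "host": ev.get("Computer", ""),
                "account": ev["TargetUserName"],
                "reason": "machine account changed by ANONYMOUS LOGON "
                          "(Zerologon password-reset pattern)",
            })
        elif eid in VULNERABLE_CHANNEL_EVENTS:
            outcome, kind = VULNERABLE_CHANNEL_EVENTS[eid]
            findings.append({
                # An allowed insecure channel is a live exposure; a denied one is
                # a probe or a legacy device to track down.
                "severity": "high" if outcome == "allowed" else "medium",
                "event_id": eid,
                "host": ev.get("Computer", ""),
                "account": ev.get("SamAccountName", ""),
                "reason": f"vulnerable Netlogon secure channel {outcome} for {kind}",
            })
    return findings


# Constructed sample records for the example, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "DC01",
     "SubjectUserSid": "S-1-5-21-000000000-000000000-000000000-1105",
     "SubjectUserName": "svc-deploy", "TargetUserName": "WS042$",
     "PasswordLastSet": "-"},                                   # routine change
    {"EventID": 4742, "Computer": "DC01", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "14/09/2020 10:32:11"},                 # exploit pattern
    {"EventID": 5829, "Computer": "DC01", "SamAccountName": "NAS-OLD$",
     "DomainName": "CORP", "AccountType": "Machine"},           # allowed insecure channel
    {"EventID": 5827, "Computer": "DC01", "SamAccountName": "WS042$",
     "DomainName": "CORP", "AccountType": "Machine"},           # denied insecure channel
    {"EventID": 4624, "Computer": "DC01", "SubjectUserSid": "S-1-5-18",
     "TargetUserName": "alice"},                                # unrelated logon
]

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['event_id']} {f['host']} {f['account']}: {f['reason']}")
```

On an unpatched domain controller, the scenario this post is about, only the 4742 indicator applies, because the 5827 to 5829 events arrive with the update; a 4742 of that shape has no legitimate cause and should go straight to incident response. On a patched controller that is not yet enforcing, the 5829 findings double as your inventory of the devices that will break when enforcement is turned on.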
What about device takeover, where the attacker hacks into someone's account on an already permitted device and uses that system to launch the second stage, the attack that exploits this vulnerability? Again, this might sound like a big problem, but you can ask many questions about how they achieved that goal. Work backwards. If they run the exploit from the victim's machine, how did they get it there? Did they have to install software? If so, how did they get access to the computer in the first place: a brute-force attack against a weak password, or a user falling for a targeted phishing email? Now consider which of your security controls would break each layer of this attack chain.
If you have application control (whitelisting), the attacker will struggle to install and run the tooling needed to exploit the Netlogon protocol from the user's system, so even a successful phishing attack does not give them a platform to launch it from; that greatly reduces the risk. If the user's password was brute-forced, enforcing strong passwords or, better, multi-factor authentication (MFA) is a strong defence.
Least privilege helps less directly against this particular exploit, which speaks to the domain controller over the network and needs no administrative rights on the attacking host, but an account without administrative permissions still limits what the attacker can install, persist or disable on the compromised machine. Together these layers make it sufficiently hard for an attacker to exploit your systems, even with the most catastrophic vulnerability and a perfect exploit, because you have considered the security architecture as a whole rather than looking for point solutions to single issues.
The Australian Cyber Security Centre's (ACSC) Essential Eight, drawn from its Strategies to Mitigate Cyber Security Incidents, is a widely regarded set of controls; the ACSC has stated that the original Top 4 of these alone would mitigate at least 85% of the intrusion techniques it responds to. That is a bold claim, but look at the highly exploitable vulnerability analysed above: any organisation with the Essential Eight in place already has MFA, restricted administrative privileges, application control (whitelisting), operating systems and applications under a strict patch regime, and further controls that lock down Microsoft Office macros and user applications and ensure regular backups for recovery after a successful attack.
ACSC Essential Eight
As a cyber resilience baseline, whether you have a dedicated cyber security team or a single person looking after IT, the Essential Eight mitigation strategies are easily understood and can be implemented by any competent ICT administrator; they should be a mandatory implementation standard for any organisation, across all IT systems.
The one caution with the Essential Eight, as with any mitigation strategy, is that while these controls are excellent at keeping out all but the most sophisticated and highly motivated attackers, such as nation states, they can, like any ICT configuration, drift out of compliance and leave you exposed without your knowledge. Privileges accumulate on accounts over time, and those accumulated privileges become the chink in your organisation's armour. Patch compliance drifts, and application control might never be applied to a new fleet of laptops because of an oversight or a misconfiguration.
To retain a strong baseline of cyber resilience you need to monitor ongoing performance against the Essential Eight target state, so that any deviation from that baseline is flagged for remediation immediately; what was robust yesterday may be vulnerable today.
If you are concerned about vulnerabilities such as this critical Netlogon problem, Huntsman Security's Essential Eight monitoring solutions report on whether the controls that protect you are actually in place. To find out more, get in touch today.