Hello everyone,
As always, shortly after the summer break, the year-end rush hits us completely unexpectedly. In addition to accounting highlights and projects that urgently need finishing, there are also plenty of security conferences.
Among other things, we were at the mysecurity event in Cologne last week (as exhibitors). All in all a successful event, I thought. Anyone who has been there knows, however: as a non-paying CISO or potential customer, you are surprised in the morning with a timetable of umpteen conversations with providers.
Exhibitors pay according to the number of conversations that have taken place. That is why there is also a “hostess” (a student) per exhibitor, who is supposed to charmingly guide the CISOs to the providers. The CISOs, stubborn as they are, are reluctant to stick to the imposed timetables and often run off to listen to talks or exchange ideas with their peers, for example. The students are therefore regularly on the lookout for the fugitive CISO and then have to identify the target by means of a photo or name card. The procedure at the Cybersecurity Strategy Summit in Berlin is almost identical.
The organizers of another well-known security conference have long since taken this problem to the next level: according to participants, CISOs have a locatable chip in their name card so that they can no longer hide from the hostesses. I otherwise only knew that from dog collars 😉. As a cyber risk manager told me, she disposed of the lanyard as quickly as possible before driving home so as not to be made happy by a hostess at home. I am really excited to see what technical innovations our industry has in store for us.
CISA has published the results of another red team assessment, again at a critical infrastructure operator (reading time ~30-45 min). It contains some points you can play through with your own security organization, especially if you don’t yet have a SIEM or NDR in use, as was the case here. Some of my aha moments:
- In the first approach, spearphishing emails were sent to 13 users (after appropriate reconnaissance). One of the users did click, but the execution was blocked by AV/EDR.
- In addition, the EDR solutions (two different ones were in use) were largely ineffective. On the one hand there were enough hosts without an EDR agent, and on the other hand, thanks to prior testing, the CISA red team was able to avoid the techniques and payloads that the EDR systems would have detected => underlines the need for customer-specific tuning and rule sets.
- Initial access succeeded because a web shell from a previous pen test had not been removed, and an application on the server had an exploitable XXE vulnerability (the vulnerability was known but for some reason had not been fixed). To top it off, there was a WAF in front of the server, but it was only running in monitoring mode and did not block any network traffic. So it is a real special case.
- Next, an account with sudo privileges was found. This allowed (via a few intermediate steps) reading a file share server on which SSH keys and plaintext passwords were stored.
- Linux and Windows servers were not sufficiently segmented from each other.
- More than 40 computers in the AD had “Unconstrained Delegation” enabled => this means that the Kerberos TGTs of users who authenticate to those hosts are forwarded to and cached on them.
- There was also no identity protection solution or log monitoring for the on-prem AD, i.e. techniques such as DCSync, admin account lockouts or a direct connection from the domain controller to an external host were not detected.
- The firewalls of the DMZ had no IDS/IPS.
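The unconstrained delegation finding is something you can check in your own AD in a few minutes. The following PowerShell script is an added example from me, not from the CISA report or the operator: it lists every non-DC computer with the TRUSTED_FOR_DELEGATION flag set and every Domain Admin whose account is not marked “sensitive and cannot be delegated”. It assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example (not from the CISA report): audit AD for unconstrained
# Kerberos delegation. Domain controllers hold this flag legitimately, so
# they are excluded; every other hit should be reviewed and moved to
# constrained or resource-based constrained delegation where possible.
Import-Module ActiveDirectory

# Names of all DCs in the domain, to filter them out of the results.
$domainControllers = (Get-ADDomainController -Filter *).Name

# TrustedForDelegation maps to bit 0x80000 (TRUSTED_FOR_DELEGATION)
# in userAccountControl.
$unconstrained = Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
    -Properties TrustedForDelegation, OperatingSystem, LastLogonDate |
    Where-Object { $domainControllers -notcontains $_.Name }

"{0} non-DC computer(s) with unconstrained delegation:" -f @($unconstrained).Count
$unconstrained |
    Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName |
    Sort-Object Name |
    Format-Table -AutoSize

# Mitigating control: privileged accounts should carry
# "Account is sensitive and cannot be delegated" (NOT_DELEGATED, 0x100000)
# or be members of Protected Users, so their TGTs are never forwarded
# to a host with unconstrained delegation in the first place.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountNotDelegated

$delegatable = $admins | Where-Object { -not $_.AccountNotDelegated }
"{0} Domain Admin account(s) without the NOT_DELEGATED flag:" -f @($delegatable).Count
$delegatable | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it from a management host as a domain user; both counts should be zero (or every remaining entry documented) before you call the finding closed.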
Both Palo Alto and Sophos have recently published successes from longer-running “hack-back” campaigns. At Sophos, a rootkit was installed on the firewalls of suspected compromised customers without their knowledge. Of course, this is not necessarily what you want as a customer, as Jürgen Schmidt (head of heise Security) rightly points out.
An interesting aspect of this: attackers’ tests to bypass a cloud-connected security system can at least be detected with a certain probability, thanks to the constant connection to and monitoring of the central engine, and the system can then be adapted before the actual attack. In pure on-prem installations, the manufacturer notices none of this. In the long term (all other things being equal) this should mean that cloud-based EDR and other security solutions can offer more precise attack detection, because the attackers’ “quality assurance” can only be carried out to a limited extent – right?
A few headlines from the M&A department:
- Consolidation in the EDR sector is progressing: Cybereason is being acquired by Trustwave after Cybereason had been experiencing difficulties for some time and its valuation fell by 90% in the last funding round. Trustwave as an MDR/MSOC provider has so far distinguished itself with a wide range of supported tech platforms (SentinelOne, CrowdStrike, Microsoft, VMware Carbon Black, Palo Alto). It wouldn’t make sense to give that up. Again, it’s probably more about customer access and technical staff.
- CrowdStrike has acquired Adaptive Shield, a provider of SaaS security (posture management for 150 SaaS apps, threat detection based on user behavior such as unusual searches, geolocations, logins)
- Bitsight buys dark/deep web CTI provider Cybersixgill
- Silverfort (MFA) strengthens itself with Rezonate (Identity Threat Detection + Response)
- CompTIA goes to Thoma Bravo
- Wiz buys DAZZ (vulnerability aggregation and management with a focus on cloud, similar to Vulcan, Brinqa, Strobes…) for the trifle of $450 million
- Voleatech from Reutlingen (OT Firewalls) will be part of Hirschmann and its parent company Belden in the future
So far I had criminally neglected managed service providers in the notes from provider conversations, although managed SIEM/SOC, MDR and other managed services are our number one category in bid comparisons and tenders.
In future I will try to include MSSPs, also drawing on the know-how of my dear colleagues.
MRCS Materna Radar Cyber Security (Managed SOC):
- Materna is certainly known to many: Austrian IT system house, approx. 4000 employees
- There are three SOC models, all built on top of Elastic. As I understand it: monitoring and alerting only; monitoring + response; and the latter optionally with managed AV/EDR (also Elastic, or MS Defender) rather than via the managed SIEM alone
- 24/7, all analysts speak German
- The SIEM can be operated in a private cloud, on-prem, in AWS, or hybrid
- NDR can be mapped via Suricata
- Add-on options include: Incident Response, Managed Risk Vulnerability Scanning + Patch Management, SAP Security, Pen Testing and of course other consulting services
Zero Networks:
- Highly automated micro-segmentation (similar to Illumio or Akamai’s solutions, but also reminded me of the Threatlocker Network Control module in some places)
- 100 employees, headquarters in the US / development in Israel
- 150 corporate customers, mainly medium-sized companies, e.g. Mediaprint, PEZ (the ones with the candy dispensers), but also a few banks
- Segmentation of each individual host (not at the application level) without agent installation, but with an on-prem server (one per site) or one in a private cloud connected to a central SaaS engine. No customer network traffic is uploaded to the cloud, however; only rules and policies are stored there
- Works via a service account that configures the host firewall rules on each of the local endpoints (and has only these rights)
- Baselining period of ~1 month to learn the rules for allowed access (no AI, simple logic: if seen, then OK)
- For any access that has not yet been allowed, a second factor is requested, after which access is possible for a certain time
- Automatic configuration of ACLs on Cisco switches is possible; other manufacturers such as Arista or HP are on the roadmap
- Segmentation of container workloads will also be added soon
- Integration with some common IAM tools such as Okta, CyberArk, Duo possible
- Licensing according to the number of clients + servers (excluding mobile devices); the budget should probably be around 80-85 thousand EUR/year for ~2000 end devices
Pradeo:
- Mobile Protection from France (similar to Zimperium, Lookout, Checkpoint and the EDR players with MTD solutions, but the only provider from the EU)
- Attack vectors covered: operating systems and apps
- Approx. 60-70 employees
- Customers also in the defense sector and public authorities, of course many in France, including the national postal service. Also used by Orange Cyberdefense in its SOC
- Simple licensing model, depending only on the number of mobile devices. Budget indication was at the level of common EDR solutions, between 15 and 20 EUR per device and year depending on the purchase quantity
- Of course, it can be optimally integrated into common MDM such as Intune, MobileIron/Ivanti, Knox
Hadrian Security:
- (Semi-)Automated pen test / CTEM / ASM solution for internet-connected (=external) assets incl. public + private cloud. Similar to IONIX, SentinelOne or the Pentera module for external tests.
- From the Netherlands – that such a thing exists at all! Around 100 employees, approx. 250 customers (~3 million assets in total), including DHL, ABN Amro, Siemens Energy, Holtzbrinck and the Catholic Church. It’s cool that a European company is so successful here.
- Special feature: findings are verified with safe exploits (code displayed transparently, no malicious code, every individual step logged), including e.g. vulnerabilities in WAF or CNAPP setups. This typically reduces the number of reported vulnerabilities by at least 90% => significantly more efficient prioritization
- However, no authenticated scans are possible, and only the first vulnerability is exploited (i.e., no chaining of attack techniques is possible)
- Unfortunately there are no SLAs for this, but as a customer you can probably expect that within 2 days of a new vulnerability becoming known via advisories, the corresponding exploit will also be available for testing in the platform
- Threat hunting via Kusto-like queries is possible
- As a customer, all you have to do is set the IP range
- A specific server or user can be designated as the target to compromise (“crown jewel”)
- Nice network visualization with representation of the connections and found applications on the servers and “similar” domain names (brand protection).
- The automatic reporting on status and progress is certainly also helpful. This, together with the multi-tenant capability, naturally predestines the tool for managed service providers
- Shortly after the introduction of Hadrian, I got to know the open source tool Halberd, which can be used to test Entra ID, M365, Azure and AWS environments => still limited functionality of course (about 80 techniques implemented so far), but worth a look for the professionals
- Pricing depends on the number of assets with an internet-accessible IP address (domains, subdomains, certificates…), starting at ~250 EUR per asset and year
Same procedure as always: Questions, suggestions, comments, experience reports and also opposing opinions or corrections are welcome by email.
Regards
Jannis Stemmann