Security Archives - rSolutions

Our Summer Reading List: 13 Must Read Cybersecurity Books

One popular activity to do in the summer in Canada is to lay out in the sun and enjoy a good book. If you are looking for a good Cybersecurity related book to read (or listen to), here are some of our favourites.

General History

Cult of the Dead Cow / Fatal System Error by Joseph Menn. One is about the evolution of the other about the evolution of a hacker group. Both are great.

Tribe of Hackers by Marcus J Carey and Jennifer Jin. There are currently four books in the series. We read them in the order they came out but start wherever your interests lie.

The Cuckoo’s Egg by Cliff Stoll. Some of us are old enough to have read it when it first came out. Little did we know how that while technologies have changed, the practices for detection and response would still be valid decades later. For a look at the other side of the story, check out CYBERPUNK: Outlaws and Hackers on the Computer Frontier by Katie Hefner and John Markoff

Spam Nation The Inside Story of Organized Cybercrime by Brian Kreps. Gives the reader a deep view of the dark side of the web. $spam nation\$

This is how They tell me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth. Not a technical book but an explanatory book about cyber events that have happened over the last 30 years with a focus on exploit development. While there has been some talk in the security community about some potential factual errors, we still think this is a great read/listen.

Lights Out A Cyberattack, A Nation Unprepared, Surviving the Aftermath by Ted Koppel. With everything connected imagine a cyber attack on our power grid and we have to go weeks or months with no power. What would we do? Can this really happen?

Fiction (or are they)

Freedom™ Daemon Series – Daniel Suarez – An excellent plot and full of action. There is also a great audible version read by Jeff Gurner.

Avogadro Corp: The Singularity Is Closer than It Appears by William Hertling. Once you read this, every time you start replying to an email you wonder it ELOPe is there.

Pretty much anything by Neal Stephenson but Cryptonomicon and Reamde stands out.

The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win by Gene Kim, Kevin Behr, George Spafford. The title says it all. If you have worked in IT for any amount of time, particularly in a management capacity, you will be able to identify with this story.

There are dozens more that we would have liked to include, but it would have taken you whole summer to read our list ;-). If you want even more options, we highly recommend checking out the Cybersecurity Canon project at Ohio State University.

Stay tuned for our back-to-school edition where we will list some of our favourite learning by doing books.

August 18, 2022

Your Network and the Cyber Attack Life Cycle

Resources, Security

In our third installment (Post 1: XDR technology and how it works, Post 2: XDR: How the Evolution of Endpoint Technology is Moving Beyond the Endpoint) of our blog, we explore the Network piece of the XDR pie. Mmmmmm… pie…

Why focus on the Network? As we work our way through a global pandemic with virtually everyone working from home and fully taking advantage of BYOD and hyper-expanded IoT-enabled everything – it’s immediately evident: businesses can’t rely on just endpoint or email detection to uncover threats anymore. We need something more sophisticated.

As more organizations opt for Digital Transformation and adopt cloud-based resources, employ encryption, and concurrently adapt to remote employees, it’s easy to see that nearly all cyber threats generate communications that are visible on the Network. Additionally, most EDR solutions are dependent on agents for monitoring, however, it may not always be possible to install the agents on all systems in an environment. NDR helps close potential EDR gaps and detect malware that attempts to circumvent EDR monitoring. This makes NDR a partner to EDR and wrapped into XDR indispensable as it provides perspective where others can’t.

Let’s take a little side trip and talk about attacker life cycles. In case you hadn’t noticed, the cybersecurity industry likes it when it can put things into a framework including the way cyber-attacks happen. Various versions of the attack lifecycle have been created to break down the structure of an attack to help determine where defenders can detect/prevent attacks. For our purposes, we will use the Cyber Attack Lifecycle from Mandiant:

Defending against each stage is a critical skill for organizations, and as you might suspect, one tool probably can’t do it all. Imagine this: exploits that can subvert EDR or malicious activity may not be reflected in logs and so are not prevented/detected in the initial compromise and establish a foothold, but, their activity is visible by network tools as soon as they interact with any system at the internal recon, move laterally and maintain presence stages – even if that system doesn’t have EDR. Need another example? A nation-state attacker has such sophisticated attacks they employ hidden HTTPS tunnels that mimic standard web traffic to launch command and control as part of their maintain presence and attempts to complete their mission. NDR ferrets out that activity and respond with alerts.

With effective AI and ML – bingo! – Network Detection and Response platforms will collect and store the “right” metadata and enrich it with security insights. The result is finding attackers in real-time and incident investigations launched in record response time.

And truly – can we afford anything less?

Your Network and the Cyber Attack Life Cycle

July 27, 2022

rSolutions Recognized as a FireEye Partner of the Year

Resources, Security

Originally posted on BusinessWire here: FireEye Recognizes Carahsoft, NTT Communications, Sopra Steria, NTT Australia and rSolutions as Partners of the Year.

We couldn’t be more proud to be listed in this group of elite organizations. To be a partner of the year for the Americas is no small feat and we owe it to our dedicated team and leadership.

FireEye, Inc. (NASDAQ: FEYE), the intelligence-led security company, today announced the winners of its 2020 Partner Awards. Each award recognizes the achievements of the top FireEye partners in 2020, highlighting their contributions to help protect customers around the world and the growth of their security business with FireEye. The award ceremony was held virtually this past week during FireEye Momentum, the company’s annual partner and sales conference.

“Over the past year, organizations around the globe have had to react to some incredibly difficult situations, many of which couldn’t have been anticipated,” said Bill Robbins, Executive Vice President and Chief Revenue Officer at FireEye. “The channel community found themselves at the epicenter of this change, and we want to acknowledge each of these winners for their adaptivity, creativity, and their overall commitment to helping ensure that our joint customers have strong defenses in place.”

Recipients of the 2020 FireEye Partner Awards include:

Distributor of the Year:
- Carahsoft (Global) – Recognized for continual innovation and the addition of resources to drive record bookings in the FireEye public sector business.
Top Partner Performance:
- rSolutions (Americas) – Teaming exclusively with FireEye, rSolutions crafted a seamless MSSP offering backed by Managed Defense, more than doubling bookings year-over-year.
- NTT Australia (APAC) – This partner demonstrated phenomenal success in 2020, growing bookings 3-fold, due in great part to embracing the FireEye® Solutions stack and Mandiant® Security Validation solutions to enable joint customers to quantifiably understand if individual tools are protecting as expected.
- NTT Communications (Japan) – Over the past three years, the largest MSSP in Japan has greatly expanded its business with FireEye, showing significant growth by incorporating FireEye Endpoint Security, Email Security and Network Security solutions as part of its standard security platform.
- Sopra Steria (EMEA) – Since forming a strategic relationship with FireEye three years ago, Sopra Steria has really embraced a “Winning Together” team spirit; this was exemplified with a 7-digit endpoint security project win with a large Aerospace customer.

“We are honored that FireEye has recognized us with its Distributor of the Year award,” said Chris Clarke, Director of Sales for the FireEye team at Carahsoft. “Over the past year, we worked closely with the FireEye team to establish streamlined workflows to meet the needs of the Public Sector for enhanced security solutions. It’s this level of coordination, paired with the breadth of FireEye’s offerings and expertise, which has driven our companies and reseller partners to joint success.”

For more information on becoming a FireEye partner, please visit https://www.fireeye.com/partners.html

About FireEye, Inc.

FireEye is an intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state-grade threat intelligence, and world-renowned Mandiant consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent, and respond to cyber-attacks. FireEye has over 9,900 customers across 103 countries, including more than 50 percent of the Forbes Global 2000.

© 2021 FireEye, Inc. All rights reserved. FireEye and Mandiant are registered trademarks or trademarks of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

July 19, 2022

XDR – How The Evolution of Endpoint Technology is Moving Beyond The Endpoint

Resources, Security

Now that you’ve learned a little about the XDR technology and how it works from our first blog post in this series, let’s go further down the path of cyber security. Let’s go all the way down to the end. Let’s go all the way down to the endpoint.

As it is with all business technology, cyber security has seen it’s fair share of change. Where simple anti-virus software is used to meet our safety requirements, we now see more robust and preventative capabilities in play to identify and respond to threats and attacks.

The thing now is the ‘assumption of breach’. Assumption of breach asks security teams to assume their systems are already compromised and that internal attacks are already underway from the inside. This assumption begs action to proactively protect data, and ultimately, your endpoints.

More on the endpoint; what is it? Let’s be real about what the endpoint is, or rather who the endpoint is. Endpoints are people. Human users. Ordinary folk who access your company’s data every day, who forget to log out, lock their devices, or leave them on the bus in a moment of distraction. It happens all the time.

What’s important to remember is that endpoints are among the most vulnerable areas for cyber attacks. More endpoints (people) mean a wider risk to your organization. Perhaps it’s useful to think of endpoints

With more and more people working remotely and connecting through the cloud, endpoint protection just makes sense. Think about it: most remote workers connect to your company’s data through at least two devices – mobile and a laptop or perhaps more depending on their set-up outside the office, and their requirement to be in the office.

That’s a big battlefield to manage. Increased endpoints expand your security perimeter and increase general risk. What XDR presents is a management system for cyber security.

So, let’s start at the end. Endpoint protection platform (EPP) prevents attacks by blocking (or allowing) access, providing an area to test threats, and uses AI to report suspicious activity. EPP is often cloud-based and analyses data before delivering it to security analysts and often has an Endpoint Detection and Responses (EDR) component. If a threat has already compromised your platform, EDR technology responds with action to recommend either an automated or manual response to find a resolution to the threat.

What does that really mean though?

Imagine a threat slips through your firewall. EDR technology gets your IT security team indicators of compromise in real-time. From our last blog post, you’ll remember that XDR (Extended Detection and Response) forms a security system – it creates an integrated response by leveraging the intelligence of your EDR to move from detection to response across all platforms. XDR is leveled-up protection and is widely considered to be the logical progression in cyber protection technology.

If we were to (again) borrow a comparison from the armed forces theatre, EPP is supporting to threat detection working behind the front line to support and assist. EDR supports at the front line while XDR coordinates as a super-intelligent HQ to propel the sharp end of the stick allowing protection between layers of your IT components to reach every one of those human users – the endpoints – mitigating risk and reducing time expended and cost to respond and ultimately keeping your organization and your people safe.

XDR – How the evolution of endpoint technology is moving beyond the endpoint

July 9, 2022

Detect. Analyze. Prioritize. Take your time back with XDR.

Resources, Security

If you’re reading about cyber security anywhere these days, you’ll already know there’s a lot of talk about XDR (Extended Detection and Response) technology and its benefits. You might also see that there is a lot of confusion about what XDR actually means. So what is it, anyway? Let’s dive in.

We could give you the textbook definition, but let’s take our cue from the XDR technology itself and simplify to level up our sophistication.

XDR, or Extended Detection and Response, is garnering attention in the security world as an elegant integrated approach to identify, respond to and manage security threats.

What does it do? And, what does ‘integrated approach’ mean?

XDR takes multiple security technologies and transforms them into a security system. Imagine you have multiple programs, each good on their own, and each working to protect, detect and respond to security threats on their own. You’ve got everything you need to react to threats, right?

That sounds great until you realize that you may receive dozens of alerts from multiple technologies from a single incident creating what might be a lot of noise and potentially causing alerts to be missed and not having visibility into related events that are picked up by different programs.

XDR technology brings each of those independently operating programs to the next level and brings them together and form an alliance. What XDR builds from those individual programs into an allied front to create a united visibility and response to security threats. In the war against cyber threats, we can all agree that allies are a worthy investment. Integration through XDR is bringing your components together to build something with integrity that’s tractable.

After implementing XDR, and with all of your security components working together seamlessly, what can you expect?

An XDR unified security system means real-time and actionable information on which to make decisions. To borrow a term from armed forces intelligence – you’re no longer operating and making decisions from inside the “fog of war”. You have better intel, and that means better and faster decisions and security outcomes. Short story: it means you get down to the business of security faster, leaner, and with satisfied end-users.

When you implement XDR, expect:

Improved protection, detection, and response to cyber security threats.
Better productivity of your IT security personnel (which often leads to happier people!)
Lowered costs
Better visibility and control of your security platform

What does this look like in an everyday scenario? Your shop may be a team working with resources that are stuck in the detecting and investigation cycles chasing false positives. With XDR, the time from valid detection to triage is reduced and security is extended across endpoints, networks and the cloud. It’s pretty slick, wouldn’t you agree?

Targeted attacks, for example, are triaged faster with the distillation that the XDR approach brings to your now united security components. XDR will even prioritize which threats to respond to first by assigning threat levels to indicate where to send your heavy guns in response. XDR shows your team which incidents are worthy of manual investigation. It can even automate repetitive tasks to boost your team’s productivity. (Did we already mention happier people? That too.)

Detect. Analyze. Prioritize. Take your time back with XDR.

June 29, 2022

“If it sounds too good to be true, it probably is” Richard Baker’s Interview by CyberNews

News, Resources, Security

Originally Published on CyberNews on May 3, 2022 after they interviewed our Founder and CEO Richard Baker.

Cyber felons don’t discriminate – no matter the individual or the sector the company is in, anyone can fall victim to the hands of a cybercriminal.

Data breaches, ransomware, fraud – there are many threats that are lurking in the corners of cyberspace. And the worst part is that it can result in irreparable damage, whether it’s financial or reputational.

Sure, regular users get themselves a high-quality antivirus for their personal computing needs as a means of providing some protection, but companies need more advanced solutions, including managed cybersecurity services.

That’s why we invited Richard Baker, the Founder and CEO of rSolutions – a company that specializes in cybersecurity solutions. Baker agreed to share his views about cybersecurity, common threats, and efficient prevention methods.

How did the idea of rSolutions come to life? What has your journey been like?

Having worked as a CISO in the public sector and then at a big 4 Consulting firm, I recognized that I wanted to build an organization that focused on the rising demand for cybersecurity concentrated on customer service. Like many entrepreneurs, I leveraged my personal assets and relationships to start rSolutions. During this journey, we faced growth challenges (staffing, capital, expertise, partnerships), and throughout all of those, the dedication to our clients allowed us to prevail and grow into the viable company we are today.

In the 12 years of operation, we have grown from two employees to fifty employees across Canada and into the US. We have served over five hundred clients across North America and have won North American Partner awards from the strategic vendors we partner with.

Can you introduce us to what you do? What are the main challenges you help navigate?

We are a full-service cybersecurity company delivering enterprise-grade cybersecurity services and solutions to the clients we serve, with a focus on delivering managed security services.

Providing security is challenging given threats are constantly evolving… it is a constant state of change. This means our advice, services, and solutions are all a point in time. This is a challenge for clients as security is never final – it is rather a journey.

What would you consider the most important changes you have witnessed in the cybersecurity industry throughout the years?

Number one is the challenge of finding and retaining qualified staff. Few youths grow up dreaming of a career in cybersecurity and there are still even fewer higher education programs focused on cybersecurity. Commonly, cybersecurity resources are in the second or third phase of their career when entering cybersecurity from previous careers in systems administration, network administration, or application development. This has really driven the demand for managed security services providers as the breadth of knowledge and the variety of experts required to effectively run a cybersecurity program costs too much for small and mid-sized organizations to bear.

While there is an increase in news about the increased sophistication of attacks, most incidents occur due to a lack of fundamental security (e.g. insecure authentication, poor security architecture, lack of logging and visibility, etc). We are starting to see a shift in clients’ belief that any one technology is a silver bullet to keeping clients secure.

How did recent global events change organizations’ approach to cybersecurity? Were there any new features added to your services as a result?

Global events tend to impact the specific industry sectors targeted. For example, Covid-19 put focus on healthcare clients, both those delivering healthcare and those doing research and developing vaccines.

To mitigate these new threats, we began offering additional threat intelligence offerings and enhanced our external threat monitoring and identification services. The new services are designed to help clients at identifying and prioritizing which threats need to be mitigated first.

With work from home becoming the new reality, what are the best practices companies should incorporate to keep their workload and customer data secure?

Work from home, combined with many companies’ pushes to the cloud, has left many companies exposed to a lack of visibility. First, the shift to the cloud has not always been done with security in mind. Moving critical workloads to the cloud has often been completed with the priority on ensuring functionality first. Security is often an afterthought as companies realize they do not have the same visibility into who is accessing their cloud systems as easily as when they ran systems on-premise.

Examples of failures we have seen include limited knowledge of secure cloud configuration, a lack of audit and logging trails in cloud services, or a lack of getting logs into client security incident and event management systems. This is often due to the ease at which cloud systems can be deployed, whereby business units are firing up cloud services vs the traditional approach of IT systems folks being instrumental in building on-premises solutions.

Secondly, working from home has meant cloud environments are being accessed over the Internet without the need of going through a corporate network. This has removed the visibility of standard cybersecurity controls, such as IDS/IPS, DLP, and UBA systems that protect corporate networks. This has given rise to Secure Access Services Edge (SASE) services to provide similar security controls to users, whether they are on the corporate network, working from home, or in their local coffee shop.

Why do you think certain organizations struggle to keep their cybersecurity up to date, despite all the solutions and providers available today?

Until a client experiences a breach, they do not often associate the impact a breach will have on them should a malicious incident happen. The cost and effort of maintaining cybersecurity are always in competition for funding from other business initiatives and are still too often viewed as an expense rather than a business enabler.

In your opinion, what kind of cyberattacks can we expect to see more of in the near future?

Follow business and technology trends and you can predict attacks. We are likely to see increased attacks on critical infrastructure in retaliation for the war in Ukraine. As well, increased cloud adoption will make attackers focus on ways to attack the new cloud environments.

What measures should individuals implement to protect themselves from these threats?

If it sounds too good to be true, it probably is. Some Prince from a distant land doesn’t need your banking information for a wire transfer, so be sure to avoid bad emails that promise free things or consider you a winner for things you did not even enter. Watch web addresses to be sure you are dealing with a legitimate source.

Unfortunately, just about everything from phone calls (if you still answer them), to email, social media apps, SMS messages, and IOT devices have the potential to be misused. While I am not suggesting being paranoid, sometimes it is okay to take a step back and say, “Does it make sense for this app to ask me to do this?” (Why does this calculator need access to my Facebook account, could my bank really have accidentally sent me a funds transfer?). As Canadians, we are sometimes overly polite, but in some cases, it is okay to ignore a suspicious friend request or call your bank to validate a suspicious request no matter where you’re from.

Remember that the convenience of technology makes it easy to do things quickly, sometimes faster than we are thinking things through. Technology’s speed and convenience come at the cost of risk.

Share with us, what’s next for rSolutions?

We are growing in step with demand for cybersecurity and we have already doubled our endpoints under management in the first quarter of this year. We want to be the best Cybersecurity Managed Security Services Provider in North America. We have a 100% retention rate in our managed services and aspire to maintain the trust our clients have placed in us to protect their systems and networks.

rSolutions will continue to enhance our managed security services and is looking to align our cybersecurity services with the potential of helping our clients mitigate the rapid increases in cost for cyber risk insurance.

For more articles from CyberNews click here!

June 4, 2022

Seven things to consider in Cybersecurity

Resources, Security

January 21, 2021

Filling the Cyber Security Skills Gap

Resources, Security

If you do a quick Google search for ‘Cyber Security Skills Gap’, you’ll see countless articles on the gap and the enormous need for skilled workers in Cyber Security.

The cyber threat landscape is continuously broadening. While the security tools arsenal is adapting to meet the threats, the people to build, adjust and maintain them aren’t exactly a dime a dozen.

Often there seems to be a bit of a disconnect between what an organization wants and what they need. Many want educational requirements like a Bachelors degree or Masters in Cyber Security for their teams; however, these academic achievements are difficult to find due to the relative newness of the field and academia’s “big wheels turn slowly” bureaucracy. If you find one, undoubtedly they’re committed to the field, but they can be extremely difficult to find. We suggest that what many organizations need is the right person with the proper training and a desire to keep learning.

So who’s the right person? People with the ability connect technology and your business, but also the ability to connect with the people within the organization – suddenly soft skills are the hard skills. We offer that the character of an employee in Cyber Security requires someone who is curious, good at figuring out the problems, and can conduct the detailed analysis that it entails. People who don’t give up until the puzzle is solved. You want people who even question the puzzle itself and can carry concurrent lines of thought. Are the people in your organization already that show incredible aptitude for learning new things quickly? Do they know your business and the business of the clients they’re tasked to?
You may have found your candidate.

Training is the next piece of the puzzle.

When we’re looking for those afore mentioned degrees we want, we may actually need the proficiency gathered in a candidate’s training, often buried in the educational section of their resume. Many of the requirements we seek are gathered through IT specific security training, such as (shameless plug #1) a SANS certified mentor class being offered here at rSolutions: Hacker Tools, Techniques, Exploits and Incident Handling on March 21 through April 11, 2017. Courses like these take people with working knowledge of your systems and business, and transform them into the knowledgeable Cyber Security resources required. Other training is available too through many other organizations and it’s important to note we feel continual training isn’t just a good idea, it’s fundamental. Here at rSolutions we train at a ratio of 3:1 meaning our peeps are training one hour for every three they work.

This keeps rSolutions not only current, but ahead, which is where you need to be. If you want some quick suggestions, here’s our top four training choices, and yes, rSolutions have all these and far more:

CompTIA Security+
GSEC: SANS GIAC Security Essentials
CISSP: Certified Information Systems Security Professional
CISM: Certified Information Security Manager

In your neck of the woods there may simply be few options for good hires. Your existing staff resources may be too valuable to their current teams to train elsewhere (replacing one problem with another isn’t a good idea). The training required for the resource may be out-of-reach due to time or budget restraints. Lastly, once trained, you’ve created a highly sought after resource and you might want to broker a non-compete clause. We’ve all heard about the “million unfilled InfoSec jobs”, that’s why you read the article this far, and the other side of that is retention of highly skilled resources. So why buy, when you can lease?

At rSolutions (shameless plug #2), we started our business on Cyber Security and have advanced resources that teach the classes and proctor the exams for InfoSec designations. We provide Managed Cyber Security services that have the clearances, industry referrals across every major vertical in business and the business-first focus that can help improve your security posture in the short-term and will even work with you to prepare for the long-term.

So why is outsourcing such a good idea?

Cyber Security is advancing so quickly that it’s a challenge to get a handle on the breadth of the threat landscape, the evolution of threats within that landscape and the proper tools to mitigate them. Outsourcing to a managed security model shifts some of the responsibility for your information security and puts it in the hands of qualified experts, allowing you the time to focus on the business and the day-to-day operational demands of supporting your information infrastructure.

June 17, 2017

Cybersecurity – Which security tasks and roles can be outsourced?

Security

Rick Fink, rSolutions

The cybersecurity talent shortage is something that we repeatedly hear about and see firsthand in our consulting work. According to some sources, there are currently up to 200,000 unfilled security positions in the United States, and an estimated one million open positions globally. By 2019, experts say there could be 1.5 million unfilled cybersecurity jobs. We hear these things in reports from IBM, Symantec and Cisco, to name a few. But, even if you debate the exact number, we still can agree the shortage is real.

Indeed.com recently did a study on two years’ worth of relevant job posting data worldwide, in which Canada is reported. It becomes clear that demand is simply outpacing supply.

Learn More

The risk in this shortfall in supply is that many companies are finding themselves performing work arounds to their IT security challenges. It’s a race to the basement, which increasingly erodes security teams’ footholds on defence and makes security posture proactivity more and more difficult to attain. In the meantime, the threat landscape is increasing in size as the market for stolen data increases and successful attackers propagate in-step.

In this environment of increasing threats to the organization, decreasing availability of skilled workers and inherent risks to performing workarounds with available resources, an honest question is: Which security tasks and roles can be outsourced?

Assessments

Whether you are part of a major corporate enterprise or a public-sector organization, it’s hard to probe your own organization for vulnerabilities. Skill and smarts aside, our own connection to the environment may actually impede objective analysis of the security posture. It can be difficult to gain the necessary perspective from inside your organization. Kind of like creating, writing and scoring your own test, if you do well – you wonder, if you do poorly – you wonder.

A proper vulnerability assessment will be performed by a third party and look at network, application, email phishing and social engineering vulnerabilities. It will probe your infrastructure, help you understand your security posture as it currently exists and prioritize actions your team can carry out to make improvements.

These assessments typically follow a quarterly or annual reporting period timeframe and will provide even greater insight over time as Vulnerability Assessment findings are remedied and awareness is created of the things to look for within your unique environment. We regularly recommend annual or bi-annual reporting, as fixes to systems and training of staff can take time and a quarterly measurement may simply be too short a timeframe to see results from the findings of the previous quarter.

Monitoring

Security monitoring is big piece of IT Security success, but is often underachieved due to many factors. The first is the underlying premise of this article – simply too few people to do the jobs required. The other lies in the tools required to do the job. In IT Security there are tools for endpoint protection, email protection, firewalls, privilege access management, mobile device management, security policy management and often there are multiple and overlapping tools used for each piece of the security required for each. This requires security professionals to continually pivot in and out of different security products reporting windows to provide some nebulous understanding of their security posture.

Imagine that you have all these reports from all these different security products and your job is to reconcile and make sense of these reports, but also in real time that allows you understand your organization’s up-to-the-minute security posture. I hope that didn’t conjure an image of a happy and diligent worker, because that peaceful image would be a blatant lie in most cases. The complexity and enormity of the reporting alone doesn’t lend positively to having anything close to real-time understanding, and as we know, our computing environments rely on instantaneous connectivity.

Outsourcing to professionals who can set up your IT Security posture, with single pane of glass reporting is a serious consideration and is available and will provide the quick response times necessary. Now this doesn’t mean your security team will all get the day off, but it may afford them the time to trouble shoot, patch and actually get ahead of the curve in becoming more progressive than defensive.

Testing

Often times our application development teams and security teams don’t communicate well. Just because they all fall under the IT banner, don’t assume they share common objectives. Development teams are tasked with developing and updating new and existing software so it performs a business function. For the development team, they are pushed hard to meet taxing deadlines and to get these systems operational as soon as possible.

In their pursuit to economically meet deadlines, at times, they have been known to forklift in code from similar applications or code that performs a similar unique function they require the application to perform. Let’s face it, it’s standard practice. However, in this haste, we can actually open vulnerabilities and import existing vulnerabilities into new applications. It’s not the development team’s job to think about security and this prevailing attitude exists. On the flip side, imagine a developer that tested all their code for security compliance. It’s safe to assume the pace of their work would be somewhat like making an ejector seat reservation.

Your security team will likely lack the time and resources to effectively search for vulnerabilities in newly developed/updated apps. The development team is on a different track and in all likelihood will lack the capability to ensure security compliance. So, the onus falls where? This is where a dedicated security team focused on this one task can help.

Response

Whether your security monitoring is outsourced or on-premises, once it finds an incident is where the rubber meets the road. Sure, you can prepare for the immediacy and importance of a security incident, knowing that your resources are positioned well to respond, knowing who will start the chain of notification for internal and external audiences (and know the new policy and legislative requirements too) and so on. Yes, in some cases your team might be well suited to respond. But, if you stand-up right now and walk out to your in/out board you’ll find one or two key resources away, on training, away from their desk, or in a meeting. That’s just life and the point is that we tend to think idealistically in resource allocation around a crisis, not that we’ll be ill-equipped in some way. And, if you’ve ever been in midst of a major security incident, even with a highly-prepared and competent team, the challenge is all about the readiness of the people who were there at the time. When we think about it, it’s a slim entry vector that will either allow us to descend safely back to earth or bounce off the atmosphere into oblivion, so establishing a good relationship with a IT Security firm that specializes in incident response and forensics is wise. Because it allows for a bit more wiggle room in that re-entry vector for better odds of a safe landing.

Training

Training is becoming or will be a requirement of policy compliance, insurability requirements, or just plain-old sound business risk management. Security training takes a variety of forms and there are a few choices and a few more products on the market that provide out-of-the-box security awareness content for your organization’s customization. It is our assertion that targeted, meaningful training helps raise the profile of security threats to wider audience beyond the IT silo. When those messages are communicated outside of IT, everyone wins, as the challenges and threats to the organization get more attention. This can contribute positively to more than just awareness and contribute positively to the bottom line.

As we grapple with the widening threat landscape and an unnatural pace of evolution of threats on that landscape, we are met with fewer resources to choose from to keep us safe from harm. Outsourcing your security services to a fully or partially managed IT Security solution may just be the wise way to go, heck, soon enough, it may be the only way to go.

April 19, 2017

Got Meterpreter? PivotPowPY!

Resources, Security

My how time flies.

It seems like only yesterday I was fortunate to be asked by the one and only Mr. Ed Skoudis (thank you, thank you) to write a post for SANS PenTesting blog “Got Meterpreter? Pivot!“, but it has been almost five years. In our industry, the only thing constant is change so let’s revisit this topic to see what has changed.

Once again, we will start with the same scenario:

We have a Metasploit Meterpreter shell with Admin/System privileges on an in-scope target Windows box. We will call this system X and it is in the DMZ. Do the root dance, pillage the heck out of it and get ready to pivot!

There are many ways to leverage the exploited system to discover, scan, and pivot to other devices in the target network. This article will discuss some ways to leverage the Metasploit Framework (https://www.metasploit.com/) (hereafter referred to as Metasploit) to accomplish various kinds of pivots, although there will be some non-Metasploit tips scattered throughout as well. Where a technique from the previous post is still valid, it will be referenced. Our test system, X, uses a dual-homed network, one network connected to the 172.16.33.x DMZ network and one connected to the 192.168.100.x internal network. The same techniques described below can be used for VLANs or physically separate networks that have paths to route to different networks.

Let’s go.

Sniffer

Watching the network interactions between devices is still one of my favourite ways to learn who, what, when and why an exploited system communicates with others on the network.

Meterpreter still has the sniffer module discussed in the last post available. In fact it has been updated with x64 support since then. However, rather than rehash sniffer, we will use the Packet Recorder sniffer extension written by Carlos Perez.

Packet Recorder uses sniffer, but makes it even easier. Start by executing the command run packetrecorder –li in the Meterpreter session to list out the available network interfaces, then execute the command run packetrecorder –i 3. To end the capture, carefully press CTRL-C then open up the capture and look for interesting info. The example below shows the entire process.

Not using Metasploit?

For some reason when writing the post in 2012, I didn’t mention the built in netsh capability so let me correct that oversight now. The netsh trace command can be used. There are all sorts of filters that can be used but a simple method is just to use the IPv4.Address as shown below.

This capture is saved in ETL format and can be viewed using Microsoft Message Analyzer. You can also convert the ETL capture to PCAP format with a couple of PowerShell commands. See the Internet Storm Center post in the references for more details.

Route and Auxiliary scan

There are more than 250 post exploitation modules currently available in Metasploit. A lot of them are used to gather info from the exploited system and a few of these are very useful in a pivoting situation.

A couple of good ones, again compliments of Carlos Perez, which can be used to determine what other systems are on the network are post/windows/gather/arpscanner and post/multi/gather/pingsweep.

As illustrated above, these scans identified a few systems we can potentially pivot to.

Routing and Proxy

Routing is even easier then it was in 2012. From within your Meterpreter session simply type run autoroute –s subnet, then ctrl-z to go back to the Metasploit console and use the new route with some of the auxiliary TCP based scan modules and if we find something juicy, even exploit through the autoroute. The example below shows using our exploited system as route to identify listening ports from the systems discovered during the ping_sweep.

PORTFWD, SOCKS proxy and SSH Tunnelling illustrated in the previous post still works well. If you haven’t used them yet, you should. Re-read the post and setup a test lab to ensure you see it in action. You won’t regret it.

One new development since that post is the addition of PowerShell version of SSH. Personally, I have only done limited tunnelling testing with the Microsoft backed version https://github.com/PowerShell/Win32-OpenSSH. If you have had some successes or challenges using PowerShell implementations of SSH for pivoting I would love to see them in the comments below.

No MSFMAP

Unfortunately, it appears that the module MSFMap by SecureState is no longer working in the current versions of Metasploit. All is not lost, though. There have been some very handy additions to Meterpreter that we can use in its place.

PowerShell

There are many ways to get a PowerShell session with Metasploit. One of the easiest is to use an existing session to create a PowerShell session. Background the existing session and do the following run the module exploit/windows/local/payload_inject with the Windows/powershell_reverse_tcp payload as shown below.

From here you can run (almost) any PowerShell module. In the example below, a PowerShell script, Invoke-TSPingSweep, which was modified a bit to make it more display friendly, was uploaded via Meterpreter, imported and then executed.

Note that some scripts will behave differently when run in the injected session. In particular watch our for scripts that use out-host and some that do not handle network connection timeouts will return big ugly errors like this one below, but will typically continue.

Python

Another new addition is the ability to run Python directly in a Meterpreter session!!

This ability is still being developed and currently, there are some technical issues that limit some of the usefulness, for instance you can’t have the Python script run in the background (https://github.com/rapid7/metasploit-framework/issues/6369). Still, this is an great addition and one that certainly will be useful when pivoting.

Imagine being able to easily use your favourite Python code from Black Hat Python, Violent Python or the SANS Security 573 class. Wonderful!

Not using Metasploit?

As briefly shown above, PowerShell is a very powerful tool for the penetration tester and can be especially handy for post exploitation activities. All the automated penetration testing programs provide PowerShell modules and a lot of very good work is being done on utilizing PowerShell for both defense and offense. Immunity has a nice video showing off some pointy clicky PowerShell interactions here https://vimeo.com/140723133, although that guys voice drives me crazy.

PowerShell remoting may not always be enabled, but if it is, it can be a quick way to pivot around a network. From an existing PowerShell session run the command New-PSSession –ComputerName abc.fg.hi then to interact with the shell run the command Enter-PSSession X.

What’s next?

I don’t see any slowdown in the opportunities to pivot through the network anytime in the near future. Do you have a favourite I haven’t mentioned? If so, please share it in the comments.

Thank you for your time
Cliff

References

February 23, 2017

Building a Culture of Cyber Security Awareness

Security

What good is all the effort you put into bolstering your company’s IT Security posture if your end users continually pipe a new stream of ever-evolving threats directly into your environment?

Sure, the robustness of your security controls gets a steady work-out, but we assert that adding a little awareness of security can go a long way. Even a nominal awareness program holds the potential to reduce the scope and severity of risks to your environment; so you can focus your time, money and effort to bolstering your security posture instead of the hand-to-mouth servicing of one-off security threats.
You likely you have read The Art of Deception by Kevin D. Mitnick (and William L. Simon) (if not, you should) and know that all the work that goes into building a robust security posture doesn’t mean squat if your end users are clicking on every attachment and bad link they come across.

In Mitnick’s words, “…the human factor is truly security’s weakest link.” Try as we might, we can’t solve every problem with a blinky light.

So you might be thinking, “how do I create (or improve) a culture of security at my company?” Many of the clients we serve at rSolutions are larger enterprises and have both external and internal communications departments, so we preface this advice under the assumption you’ll be working with a communications team, but we also provide this advice so it is large enough in scope so any sized company can derive some benefit.

Frame the Issue

Communications teams are likely largely unaware of all the efforts that go into making a company’s security posture as tight as possible. An overview of the number of threats handled over a defined set of time will help show what you’re dealing with and how more awareness can help. Provide the history and evolution of the problem you are trying to solve as well as some examples of what could happen, and has happened to other companies, that have fallen victim to the threats you outline (consequences). Do not include any FUD facts. Stick to the true facts. This will help build context for the problem with a non-technical audience that can help you reduce your time in incidence response. Consider bringing the CTO or CISO around as a champion so you have the support from the top to the bottom.

Define the Audience(s)

Well, everybody needs to know about security, you say. That is very true, but we suggest you approach it like you would eat an elephant; one bite at a time. The likelihood of success increases if you start on a smaller test group, ironing out what works and what doesn’t, before spending the time, money and resources on a corporate wide awareness program. Consider a test group of your greatest offenders. You likely have the data to present the case. Have you talked to them about why they keep falling into the same traps? Do you have data that supports which user groups are the greatest offenders or at the very least an anecdotal indication of who the greatest offenders are? Package this information to build profiles of these audiences so you approach the communications team with a target audience. An audience you can measure against your actions.

If you had three wishes from these audiences, what would they be?

I wish they’d just:

follow the strong password policy (and keep it a secret).
quit clicking on spoofed links.
quit opening bad attachments.

Thanks to KDnuggets Carton for the awesome cartoon!

Yours might be the same, or maybe they are different. Whatever they are, be sure to target your lowest hanging fruit. The idea is that if we want to make a more cultural workplace change, we need to start somewhere basic, then as you move forward on a continuum you can address more detailed subject matter over time. Try to keep in mind that cultural change is a big wheel that turns slowly, so start with your highest payoff activities balanced against the concepts that are easiest to grasp for non-technical people outside the IT silo. Consider focusing on what messages will bear the most fruit if scaled up for the entire organization.

Where do your targets get information and where do they mess up?

Being in IT Security gives you visibility into where your users get their information and the kind of information they access. Basically, where they are hanging out and what they’re doing there. Keep an eye out for trends and patterns (like you’re not already) to find places of higher traffic. Where are the people you are trying to reach getting information, for their work and not-so-work related information needs?

Where do the people you’re trying to reach keep messing up? Is it around use of a certain application(s), network destination or internet? Just like our kids, we often have to catch them messing up or remind them of a rule when we notice they’re about to do something bad to ensure they are changing behaviour. It’s not that your fellow professionals in your organization are children, its just that many still view IT Security to be IT Security’s problem. They may not realize how their behaviour is a danger to the business. So your audiences need to be informed and re-informed of the rules, consequences and potential pitfalls in the places threat is most prevalent.

Create messages to influence behavior

Our primitive human mind is programmed to be on the look-out for things that are new, different, or may pose a threat on a level of our baser animal instincts. Keep your messages consistent around a central theme of complementary messages or a single message. But keep the delivery of that message dynamic and changing. As we are trying to secure a digital environment, it makes some sense to keep our messages to that space, but the human mind requires similar or complementary messages presented in different ways to break through to our consciousness. Using analogies from outside of the digital space can increase chances that you’ll reach desired outcomes.

Put your skin in the game

Consider putting some of your budget aside to address this with a professional. Many marketing and communication efforts stall when the responsibility for who’s going to pay starts becoming the issue. Consider cost sharing or proportional funding of these efforts going in, so there is a partnership developed and there is common understanding of the resources available to reach the audiences. Strategists, designers, production and placement aren’t always cheap, but there are ways to respect costs in-step with the desired outcomes. Having understanding of the budget going in helps save more time and effort in the long run.

Measure your results

Validate the actions carried out with the desired response through your measurement of the intended outcomes against the info and metrics you collected to frame the issue earlier. We’re not talking about seeing drastic up-ticks in security compliance moments after putting up a poster in the staff lunchroom, but try to look for behavioural changes. If you’ve started with your worst offenders, is there a change in the number of incidents? Is there lower instances of help desk calls, has their network reliability improved? Ultimately, have your efforts delivered the fruit you expected or want? If so, you’re on the right track. If not, you may need more information from your targets and understanding of which messages failed. It’s important to note that humans aren’t as easy to diagnose as systems, they may not perform as expected if something rubs them the wrong way or is placed somewhere they can’t see it.

For more information on building IT Security awareness for your organization, we’re rSolutions and we have access to the professionals that can help.

January 27, 2017

Splunk Everywhere! Insider Threat

Security, Splunk

May 20, 2016

Our Summer Reading List: 13 Must Read Cybersecurity Books

Your Network and the Cyber Attack Life Cycle

rSolutions Recognized as a FireEye Partner of the Year

XDR – How The Evolution of Endpoint Technology is Moving Beyond The Endpoint

Detect. Analyze. Prioritize. Take your time back with XDR.

“If it sounds too good to be true, it probably is” Richard Baker’s Interview by CyberNews

Seven things to consider in Cybersecurity

Filling the Cyber Security Skills Gap

Cybersecurity – Which security tasks and roles can be outsourced?

Got Meterpreter? PivotPowPY!

Building a Culture of Cyber Security Awareness

Splunk Everywhere! Insider Threat

Who We Are

What We Do

What’s New?

Cybersecurity firm, rSolutions named Trellix 2022 Disruptor of the Year for North America

Our Summer Reading List: 13 Must Read Cybersecurity Books

Your Network and the Cyber Attack Life Cycle