The joint alert issued last week by CISA, the FBI, the NSA, and the UK's National Cyber Security Centre (NCSC) asks organizations to aggressively patch certain known vulnerabilities in response to updated Tactics, Techniques, and Procedures (TTPs) used by the Russian Foreign Intelligence Service (SVR) cyber operations group, also known as APT29 or Cozy Bear. The alert follows the recent public attribution of the 2020 SolarWinds compromise to the SVR. An expert with Veridium offers perspective.
<p>Once again, we see Russian cyber attacks targeting vulnerabilities in popular networking and web server applications including FortiGate, Cisco, Oracle WebLogic, Citrix, VMware and F5. As long as there are still unpatched systems accessible on the open internet, we will see attacks like this. The payloads may change depending on what the threat actor is after, but attackers will continue to leverage vulnerabilities in web servers, routers and virtualization software until there aren't any vulnerable hosts to exploit. This series of attacks is a reminder of how important it is to patch security vulnerabilities, and to make sure the network is protected with an up-to-date security stack.</p>
<p>The old saying "the only two things certain in life: death and taxes" should be modified to "death, taxes, and vulnerabilities". One viable strategy for managing this inevitability is network micro-segmentation following a zero trust architecture. With this, vulnerable endpoints can be properly isolated from the network to proactively limit any potential damage that can be done if these vulnerabilities are exploited.</p>
<p>A common theme in these exploits is a broken authorization model, whether that is granting access to unauthenticated users or granting more privileges than needed to authenticated users. Deploying strong authentication that is contextual, paired with a dynamic risk-based trigger, will reduce the overall threat surface area.</p>
<p>We recommend following a zero-trust approach: Identify, Authenticate and Authorize. Do not allow any unauthenticated users, devices, or systems to touch your network. Use least privilege concepts to grant entitlements, reduce the danger of lateral movement, and shut down all anonymous access no matter how trivial.</p>
<p>The fact is that no amount of security can help with a broken authorization model. That is why context-aware anomaly detection should be a mainstay in organizational security: strong authentication is good, and context-aware strong authentication is better. The goal for security teams should be to go back to first principles: if you are not identified and authenticated, you should not be on my network. The thinking should be: Identify, Authenticate, Authorize; wrapped in contextual analysis.</p>
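As an added illustration (not code from the Veridium expert, the alert, or any product), the following Python policy evaluator applies the Identify, Authenticate, Authorize sequence wrapped in contextual analysis. The user store, device and country baselines, entitlement table, risk weights and thresholds are all constructed for the example; a real deployment would source them from an identity provider and a device inventory.

```python
"""Zero-trust access decision: identify, authenticate, authorize, wrapped in
contextual risk analysis. Every value below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed identity store: who each user is and what "normal" looks like
# for them (enrolled devices, countries they usually connect from).
USERS = {
    "alice": {"role": "analyst", "devices": {"lap-0a1"}, "countries": {"US"}},
    "bob":   {"role": "admin",   "devices": {"lap-7f2"}, "countries": {"GB"}},
}

# Least-privilege entitlements: a role holds only the (resource, action)
# pairs it needs. Anything not listed is denied, there is no default-allow.
ENTITLEMENTS = {
    "analyst": {("reports", "read")},
    "admin":   {("reports", "read"), ("firewall", "write"), ("vm", "snapshot")},
}

STEP_UP_THRESHOLD = 30   # risk at or above this requires fresh MFA
DENY_THRESHOLD = 70      # risk at or above this is refused regardless of MFA


@dataclass
class Request:
    user: Optional[str]   # None models an anonymous / unidentified caller
    password_ok: bool     # primary credential verified by the IdP
    mfa_ok: bool          # second factor completed for this request
    device_id: str
    country: str
    hour: int             # local hour, 0-23
    resource: str
    action: str


def risk_score(req, profile):
    """Contextual anomaly score: how far this request deviates from the
    user's usual pattern. Weights are constructed, not from any standard."""
    score, reasons = 0, []
    if req.device_id not in profile["devices"]:
        score += 40
        reasons.append("unknown device")
    if req.country not in profile["countries"]:
        score += 30
        reasons.append("unusual country")
    if req.hour < 6 or req.hour > 22:
        score += 10
        reasons.append("off-hours")
    return score, reasons


def decide(req):
    """Return (decision, reason); decision is 'deny', 'step_up' or 'allow'."""
    # 1. Identify: anonymous or unknown principals never get further.
    if req.user is None or req.user not in USERS:
        return "deny", "unidentified principal"
    profile = USERS[req.user]
    # 2. Authenticate: the primary credential must have been verified.
    if not req.password_ok:
        return "deny", "authentication failed"
    # 3. Authorize under least privilege: the role must hold this exact
    #    entitlement. This check runs before any risk scoring, so a low-risk
    #    context never widens what a role may do.
    if (req.resource, req.action) not in ENTITLEMENTS[profile["role"]]:
        return "deny", f"role {profile['role']} lacks {req.action} on {req.resource}"
    # 4. Contextual analysis: deviations raise the bar for this request.
    score, reasons = risk_score(req, profile)
    if score >= DENY_THRESHOLD:
        return "deny", "risk too high: " + ", ".join(reasons)
    if score >= STEP_UP_THRESHOLD and not req.mfa_ok:
        return "step_up", "MFA required: " + ", ".join(reasons)
    if reasons:
        return "allow", "allowed despite " + ", ".join(reasons)
    return "allow", "ok"


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the decision.
    samples = [
        Request(None, False, False, "lap-zzz", "US", 10, "reports", "read"),
        Request("alice", True, False, "lap-0a1", "US", 10, "reports", "read"),
        Request("alice", True, True, "lap-0a1", "US", 10, "firewall", "write"),
        Request("bob", True, False, "lap-new", "GB", 10, "firewall", "write"),
        Request("bob", True, True, "lap-new", "BR", 10, "firewall", "write"),
    ]
    for s in samples:
        print(s.user, s.resource, s.action, "->", decide(s))
```

The ordering matters: identification and authentication gate everything, the entitlement check enforces least privilege independently of context, and the risk score can only tighten the outcome (step-up or deny), never loosen it. Raising `STEP_UP_THRESHOLD` or lowering the weights is how a team tunes how aggressive the contextual trigger is.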