Microsoft Vulnerability – Never Scramble To Patch Again

On March 2nd, 2021 Microsoft disclosed a set of vulnerabilities in on-premises Microsoft Exchange Server that were already being exploited in the wild, first by the state-sponsored group Microsoft calls HAFNIUM, operating out of China, and then by others who followed. The attack, documented by the security researchers at Volexity in Reston, VA, chains four different Exchange vulnerabilities to read mailbox contents without ever authenticating.

The fact is that software teams are under constant pressure to release new features at a breakneck pace, driven by market demands and competitive pressure.

This means that the vulnerability posture of all software shifts with every update and upgrade. Software that at one point had no known vulnerabilities may be riddled with them after an update. Even when the update carries security patches, the patches themselves, along with the new features, may introduce new vulnerabilities.

So how can you defend against vulnerabilities that surface like this?

The traditional recommendation has been "defense in depth", which in practice has come to mean layering multiple security products. Not only is this model expensive, it also does not address the challenge a brand-new exploit introduces. In most cases it creates complexity that further weakens security. This is especially true for hybrid infrastructure, where many different tools have to be implemented across offices, clouds, SaaS, data centers and remote users.

So "defense in depth", as it is practiced, is not a viable security approach moving forward. It costs a lot of money and burns a lot of resources to actually make security worse. There is more information here: 5 Reasons Security Products Make You Less Secure.

Lots of attention and budget is going to the newer "Detection and Response" model (EDR, XDR and the rest of the xDR family). But what does xDR really buy you? It tells you, after the fact, that something bad has happened and that you should do something about it: patch all systems, find the compromise and inform customers.

If there was ever a whack-a-mole approach to security, it is xDR. This is often referred to as the “you’re screwed” approach to security. Not particularly proactive, resource efficient or preventative, is it?

The key to prevention is reduction of the attack surface. Today, many applications have to be exposed to the Internet at large so that users can reach them before they are authenticated; the application's own login and pre-authentication code is what every anonymous client on the Internet gets to talk to. This is called "Access before Auth".

Acreto, however, uses a very different approach: users are transparently authenticated before they can gain any access to applications. This is called "Auth before Access". The application is never exposed to the Internet at large; only authenticated users on authorized devices can reach it.

The Acreto approach removes the exposure that comes with having systems reachable from the open Internet. And if authorized users misbehave, the bad behavior is automatically mitigated.

Limiting access to the attack surface avoids mass exposure. In the case of the Exchange vulnerabilities, it limits access to the Exchange server to authorized users only, no matter where they are located or which network or networks they operate on.

Reducing your attack surface in this case means that the Exchange servers, or any other system, server or application for that matter, are not exposed on the Internet.

Access is allowed only after authenticating to Acreto and passing a set of controls, as well as ongoing threat and validation checks. This ensures that 1) the user is authorized, 2) the device is authorized, and 3) the session is watched continuously, so malicious behavior is blocked rather than trusted simply because it came from an authorized user.

This is the default model with Acreto SASE+, where all customer systems benefit from a reduced attack surface — without any special effort, architecture or consideration.

Remote users connect to Acreto and are transparently authenticated before they get access to systems, servers, applications, SaaS, clouds or networks, including Exchange or Office 365. Acreto protects against Internet or internal attacks even while the Exchange server or other application is still unpatched, because an unauthenticated attacker never gets a network path to the vulnerable service. Note the limit of that claim: reducing exposure shrinks who can reach the flaw and buys you time to patch on your own schedule rather than the attacker's; it does not remove the flaw, and an authorized but compromised user or device is still a path to it, which is why the ongoing behavioral checks matter.
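As an added illustration (this is not Acreto code and does not model any specific product), here is a small Python sketch of the difference between the two models. The exposed application answers any request that reaches it, so its pre-authentication code is on the Internet; the gated version puts a policy check in front that requires a genuine signed token, an authorized user, an authorized device and a per-user behavior threshold before a request is forwarded. The user list, device list, token format, signing key and threshold are all constructed for the example.

```python
"""Added example: 'access before auth' versus 'auth before access'.

Everything here is constructed for illustration (hypothetical users, devices,
signing key and threshold); it is not Acreto code and does not model any real
gateway. The point is structural: in the gated model an unauthenticated or
unauthorized request never reaches the application's own code paths.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GATEWAY_KEY = b"constructed-demo-key"                 # hypothetical gateway signing key
AUTHORIZED_USERS = {"alice", "bob"}                   # constructed identity store
AUTHORIZED_DEVICES = {"laptop-0001", "laptop-0002"}   # constructed device inventory
REQUEST_THRESHOLD = 5                                 # requests per user before the session is cut


def make_token(user: str, device: str) -> str:
    """Issue a token binding a user to a device, authenticated with an HMAC."""
    body = f"{user}|{device}".encode()
    mac = hmac.new(GATEWAY_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def verify_token(token: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, device) for a genuine token, None for anything else."""
    try:
        body_hex, mac = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except (AttributeError, ValueError):
        return None                                   # missing, malformed or non-hex token
    expected = hmac.new(GATEWAY_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                                   # tampered body or forged MAC
    user, _, device = body.decode().partition("|")
    return user, device


@dataclass
class Request:
    path: str
    token: Optional[str] = None


def exposed_app(req: Request) -> dict:
    """Access before auth: the request hits the application no matter who sent it."""
    return {"reached_app": True, "path": req.path}


@dataclass
class Gateway:
    """Auth before access: every check runs here, in front of the application."""
    seen: Dict[str, int] = field(default_factory=dict)

    def decide(self, req: Request) -> Tuple[str, str]:
        ident = verify_token(req.token)
        if ident is None:
            return "DENY", "unauthenticated"
        user, device = ident
        if user not in AUTHORIZED_USERS:
            return "DENY", "user not authorized"
        if device not in AUTHORIZED_DEVICES:
            return "DENY", "device not authorized"
        # Ongoing check: an authorized session is still cut off once it misbehaves.
        self.seen[user] = self.seen.get(user, 0) + 1
        if self.seen[user] > REQUEST_THRESHOLD:
            return "DENY", "behavior threshold exceeded"
        return "ALLOW", f"{user}@{device}"


def gated_app(gw: Gateway, req: Request) -> dict:
    """Only requests the gateway allows ever reach the application handler."""
    verdict, reason = gw.decide(req)
    if verdict != "ALLOW":
        return {"reached_app": False, "reason": reason}
    return {"reached_app": True, "path": req.path, "who": reason}


def demo() -> dict:
    """Run the same constructed requests against both models and collect the outcomes."""
    gw = Gateway()
    anon = Request("/mail")                                    # no credential at all
    alice = Request("/mail", make_token("alice", "laptop-0001"))
    byod = Request("/mail", make_token("alice", "byod-9"))     # known user, unknown device
    valid_mac = alice.token.split(".", 1)[1]
    forged = Request("/mail", b"mallory|laptop-0001".hex() + "." + valid_mac)
    results = {
        "exposed_anon": exposed_app(anon),
        "gated_anon": gated_app(gw, anon),
        "gated_forged": gated_app(gw, forged),
        "gated_byod": gated_app(gw, byod),
        "gated_alice": gated_app(gw, alice),
    }
    burst = Gateway()
    results["burst"] = [gated_app(burst, alice)["reached_app"]
                        for _ in range(REQUEST_THRESHOLD + 1)]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The anonymous request reaches the exposed application but never reaches the gated one, a token with a rewritten body fails the MAC check, a known user on an unknown device is refused, and the sixth request in a burst from an otherwise authorized user is cut off. A real deployment would back the checks with an identity provider and device-posture signals rather than a single shared HMAC key; the structure, with all decisions made before the application sees a packet, is the point.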


Get more detail on this best-practice approach to reducing your exposure to Internet-borne, ransomware or zero-day attacks. Contact us at info@acreto.io

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Top 5 Reasons Security Products Make You Less Secure

So, how can the security technologies we've relied on for the last thirty years make you less secure? The answer is simple. Security products were designed to secure the offices and data centers of twenty-plus years ago, not today's distributed hybrid infrastructures.

Today, organizations function beyond offices and data centers: they operate in the cloud, on Software-as-a-Service (SaaS) platforms, with third-party vendors and customers, all the while using remote and mobile devices. Remote users have become the norm rather than the fractional fringe they used to be. And let's not forget Operational Technology (OT) and the Internet of Things (IoT) that everyone swears they don't have, but which make up roughly 40% of infrastructures according to Cisco. Examples of OT / IoT are ATMs, smart TVs, surveillance cameras and vending machines.

All of the above technologies collectively are called Hybrid Infrastructure.

Security products produce diminishing value when used for hybrid infrastructure, especially compared to alternatives such as Security-as-a-Utility. Security-as-a-Utility delivers all the functions of security products and more – but without the products. It is cloud-delivered security that works particularly well for hybrid infrastructure and the way organizations work today.

Just connect any component of your hybrid infrastructure to the Security-as-a-Utility and it is immediately protected. This is true for any technology, anywhere in the world, using any network – including the Internet.

Here are some reasons why product-based security is a failed model for how organizations work today.


1. Fragmented Security

Product-based security requires piecemeal tools for each silo of technology: one set of tools for each office, another for each data center, still others for each cloud, SaaS platform and remote user, and there still aren't good security options for OT / IoT.

Each security tool has to be selected, purchased, implemented, integrated, operationalized, monitored, updated and upgraded. Meanwhile, each product functions in its own independent dimension, unaware of the functions any other security product performs.

Each silo of technology that needs to be secured requires a different security product. Often these products are from different vendors and perform their security functions in very different ways. The differences in how they perform their security functions translate into security gaps. It is these gaps that malicious people exploit.

Sometimes certain critical security functions are just not available for some components. For example, OT / IoT such as ATMs or ITMs are highly specialized and don't have the processing headroom or accessible resources to run the necessary security functions, such as threat prevention (blocking exploits and malware).

All of this adds to disjointed and fragmented security, which translates to security gaps, meaning greater risk and compliance challenges.

Security-as-a-Utility delivers a cohesive, fully integrated platform that does not require any of the legwork or logistics that needy security products demand. It delivers uniform and consistent security across all of your technologies.


2. Triple The Cost

So, why does budget make you less secure? Having to pay for different security tools for each office, cloud, SaaS, data center and device is overwhelming. Moreover, all the products need to be implemented, maintained and managed, which means hiring more experts.

Having to pay for many security products and associated experts means that many organizations just can’t afford to buy all of the products and hire all of the experts they need. Hence, along with managing security they will have to manage an unreasonable amount of risk.

Because Security-as-a-Utility is turned on, not built out, it avoids products, implementations and expensive experts. The efficiencies it offers reduce hard and soft costs by as much as 75%.


3. Access To The Right Talent

Security products need many experts. Experts that are hard to find, expensive to hire and even harder to keep.

Security professionals are also very much like doctors. You won’t want a dentist to do thoracic surgery, nor would you want a thoracic surgeon to do a root canal. There are many different security skill-sets; however, two very distinct skill-sets are a must for effective cyber-security. The Architect and the Analyst.

The Architect designs, implements and performs the appropriate house-keeping to keep the security infrastructure up-and-running. The Analyst is the security operator.

Most organizations spend near 100% of their resources on implementations and house-keeping and little to nothing on security operations. Most mid-tier and smaller organizations just can’t afford a single full-time security resource, much less two distinct teams.

And even if you could afford the right resources, often, by the time they learn enough about your business to be effective, they're poached away by another desperate organization that is willing to pay a premium.

This means a long list of different hands with varying expertise and philosophies handling your security infrastructure. Worse yet, if you can’t find or afford the needed resources, there are no hands to manage the tools or operate security.

Security-as-a-Utility altogether eliminates the need for hardware, significantly simplifying security. It removes the burden of product house-keeping, freeing budget for a security operator role or an outsourced Managed Security Service Provider (MSSP).


4. Never-Ending Refresh Cycles

Security products have a 3 – 5 year life-cycle, where every few years they have to be completely replaced. This is because products are static and in order to keep up with the constantly evolving technology and threat landscape, wholesale displacement is required.

Security technology updates and upgrades are never-ending. As soon as one technology is upgraded, refresh cycles for another two are due. It's not uncommon for an organization to be so far behind on technology refreshes that the replacement products become outdated before they can be implemented. This is referred to as "shelfware" and is very common in the cyber-security industry.

Buy, install, replace, lather, rinse, repeat is not viable or sustainable. With Security-as-a-Utility the customer never has to perform updates, upgrades or refreshes; that work sits with the provider.


5. Complexity

Even if you could afford all the products, had the time to manage all the vendors, had access to and could afford to hire and keep all the needed experts, you would still end up with a complex mess. Just think about how many product management interfaces your team would have to contend with.

Each management interface is people driven, and people-driven processes are security's greatest weakness. In one bank, just one product had at least three separate management interfaces that required three different levels of experts. All the security products for all the platforms they protect translate into convoluted interconnections and integrations as well as dozens of management interfaces. It is not realistic to expect a team, much less a part-time resource, to manage security for this many technologies and still be effective.

It’s just too complex. And complexity is the enemy of security.

Security-as-a-Utility consolidates all security functions into a single, simple platform, with one interface to manage security for offices, data centers, remote users, clouds, SaaS, third parties and OT / IoT.


Summary

Compute has moved to clouds, SaaS, OT / IoT and remote users, yet the security industry in a large part has not adapted. Thus, if you use a product-based approach to security you are at a distinct disadvantage. This means complexity, higher cost, dependence on hard-to-find expertise, absence of any agility and finally, greater risk and exposure.

The most viable path forward is security delivered as a utility: a single, fully integrated platform to connect and secure all offices, data centers, clouds, SaaS, remote users, mobile devices and OT / IoT under one umbrella. Security delivered as a utility provides better, in fact much better, efficacy, is more agile, costs less, and you never have to worry about updates, upgrades or refresh cycles.

Security-as-a-Utility eliminates the hassles and headaches of security products to give organizations a fighting chance against hackers, malware and ransomware.


About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform, with one interface, from one provider for all of your technologies around the world.

The VPN Provider Scam


VPN providers are investing heavily in wall-to-wall advertising with a single purpose: to instill fear.

Their mantra is simple — without us, you won’t have security and privacy. And people are buying into this hype. ExpressVPN, IPVanish, Surfshark, CyberGhost and NordVPN are all touting the same message: Be secure and keep your data private with our VPN Service!

As consumers clamor for security tools simple enough for the masses, the VPN industry has latched onto consumer fear. The VPN industry has even evolved to have dedicated media outlets and research organizations that actively evaluate and rank the providers. The number one metric at the top of the ranking criteria – Security.  


The problem is that none of these VPN providers offer anything that deserves to be called security. Not only do they not offer security, but even the privacy story they push falls apart very quickly.

First, some foundations: security and privacy are not the same thing, and they pull against each other. Privacy is not security, and security by its very nature erodes privacy. Security is about identifying intent and preventing breaches of integrity. Privacy, on the other hand, is exclusively about data confidentiality, even when the data is malicious.

Keeping data private removes the visibility that security needs in order to determine integrity. Integrity checking often depends on security functions that sit beyond the two communicating endpoints, and those functions have to be able to see the data. Here are a couple of examples of how security and privacy counter each other:

  1. For some time, New York City Police relied on “Stop and Frisk” as a tool to help improve security. Opponents said that this infringed on the privacy rights of the individuals being searched. Proponents said that the invasion of privacy was necessary to improve security.
  2. Another example is an issue that arose after 9/11. The administration was conducting warrantless wiretapping on American citizens.  The administration was emphatic that without it the country would be at risk, while many were up in arms claiming that this infringed on the American people’s constitutional right to privacy. *Full disclosure, I was the whistleblower that identified and reported to congress the then-current administration’s warrantless wiretapping mechanism.

By default, the VPN providers' focus on privacy means that security is sacrificed. So they cannot claim to offer security while they offer privacy, and vice versa. Yet even the privacy capabilities they offer are at best anemic. In reality, their privacy services amount to anonymity, hiding your source address from the sites you visit, and nothing more.

There is a very important place for anonymity in today’s world for those in oppressed societies such as Iran, Russia, China and North Korea. Anonymity is invaluable for those that are isolated and need to communicate with the outside world. Many believe they are getting security and privacy when using VPNs. However, they are not getting anywhere near the services they were sold on.

After all these years it's still not clear to me whether the cybersecurity industry itself understands the difference between security and privacy, much less whether it has clarified the difference for the market. A persistent and misplaced "S" continues to mislead. HTTPS, TLS, SSL and even IPsec protect the channel: they provide confidentiality and integrity for data in transit and let a client verify which endpoint it is talking to. They say nothing about whether the content travelling through that channel is malicious, which is the question security has to answer, so they are not security in the sense this article means. The VPN providers have leveraged the industry's confusion to generate fear and uncertainty that sells a "security" service with no security component to it. This is simply marketing-department-gone-wild deception.

What's worse, it has recently come to light that many VPN providers are unable to meet even the fundamentals of their privacy commitments. Several VPN providers, including NordVPN, have disclosed that their systems were hacked. The details that followed pointed to organizations that are at best "winging it".

Either through carelessness, immaturity or rapid growth many VPN providers lack the processes and controls that are expected of organizations that sell privacy and security capabilities. Many just can’t stand up to even basic scrutiny of their many advertised claims – especially their privacy claims.

In the case of NordVPN, there were not one but two problems that undermined the service. Though one of its servers was compromised in March of 2018, the compromise was not disclosed until late 2019. Nord admitted that it was not aware of the compromise until a few months before the disclosure, which means a compromised server went unnoticed for well over a year. This clearly highlights that Nord did not have adequate processes and systems to manage its infrastructure.

Here is a breakdown of the two ways Nord was exposed. First, an insecure remote management interface on a rented server, left in place by the data center provider that operated it, was compromised, giving the attacker access to that server. Second, a TLS private key from the server later turned up online. Nord stated that the key had already expired and could not be used to decrypt VPN traffic; even so, a leaked server key is exactly the kind of material that lets an attacker impersonate the provider to its users for as long as the key is trusted, and it puts customer communications, and by extension where customers are connecting from, at risk. It is uncertain whether the key was taken as a byproduct of the remote management compromise or in a separate incident.

On their part, NordVPN blamed their vendor for the compromise. However, it is unheard of for a provider, especially one who purports to be in security and privacy, to blindly outsource complete control of their systems to third-parties. This defies any logic whatsoever.

Could you imagine if your bank operated this way? For some people, the privacy these VPN providers offer is more valuable than money. In oppressed countries, people bet their lives on the promises these providers have made. How many times did the secret police smash down a door in the middle of the night to drag somebody's loved one away, never to be seen again, because a VPN provider's system sat compromised due to neglect? And if you believe that this is a stretch, I remind you of Willie Sutton's famous words when asked why he robbed banks: "because that's where the money is." Where else would an oppressive and militant regime go to uncover dissenters?

The VPN service providers are operating in the Wild West. Nord is but one of multiple VPN providers that have been compromised, and that's just what has been disclosed. It would be interesting to see what a thorough examination would uncover. These providers are writing checks that they have neither the technology nor the competence to cash. Yet that does not stop them from continuing to prey on the fears and concerns of the masses while knowingly making false promises.

In their continued quest for sales and customers, it is also widely believed that the various VPN providers are waging war on one another in an effort to embarrass and undermine each other. This is very much in the fashion of another Wild West industry, the crypto exchanges and mining operations that were constantly compromising and DDoSing one another to make competitors unavailable, so they could steal the business or cause reputational damage.

Ultimately, VPN providers are promoting services they just don’t have – Security. And they are overselling the benefits of the limited capability they do have – Anonymity. Along the way, they have shown a lack of the control necessary to ensure the integrity and privacy of their systems, much less their customers. And finally, many VPN providers are engaged in a back-channel civil war to defame one-another at the customers’ expense.

The concept the VPN providers sell gives hope to the people who need and sometimes bet their lives (such as dissidents) on the providers’ false claims. Yet, they unknowingly live under threat because their desperation forces them to believe the misleading marketing.

Following in the footsteps of anti-virus packages, VPNs could have been the next generation of consumer security. Security is complex, and most people have a tough time understanding all of the nuanced bits and pieces. Consumers have bought into the concept because they are desperate for the benefits VPN providers are selling. Instead, VPN providers have opted to act like the used-car dealers of the cybersecurity industry, pushing fear-mongering, marketing fluff, recklessness and in-fighting that victimizes customers every bit as much as any hacker.


About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Undercutting the IT/OT Collaboration Delusion

Lately, I have seen two common themes whenever IoT security is brought up: 1) complete acceptance that IoT devices pose unique security challenges, and 2) an IT/OT collaboration process to address them. Everybody knows what IT is, but as a reminder, OT, or operational technology, is network- or Internet-connected technology whose primary function is not IT related. Think network-connected HVAC units, vending machines, elevator control systems, and the like.

I recently attended a Smart Building conference, and one of the stalwart technology companies was making a big deal about the addition of their fourth intelligent building. One of their talking points was how much they have learned from their last three smart building operations. With lessons learned, they continued, this fourth building incorporates an IT and OT collaboration process. This process is intended to ensure that their IoTs do not pose a risk to the organization.

Let’s get real. A people-driven process for cybersecurity has never, ever, ever worked– not even once. Perhaps a few got lucky, but last time I checked, luck is not a reliable component of security.

People-driven processes are what a lot of organizations fall back on when there are no meaningful legitimate security options and an issue is too center-stage to be brushed under the proverbial rug. People-driven processes work for business, not cybersecurity because an inevitable byproduct is exceptions. Managing exceptions in a business model is not only acceptable but a feature that can deliver good results. With cybersecurity, exceptions are a bug and can have a catastrophic impact. Why? Because exceptions add up quickly and require manual intervention. These exceptions can easily overwhelm teams and often wind up unaddressed.

IT/OT collaboration translated to practical terms means that OT needs to get approval from IT for whatever they need to purchase. This interaction results in one of three responses. “We can secure your IoTs right away!”, “We can secure your IoTs, but there’s a backlog and there will be some delay,” or “No, you can’t use this technology.”

Anything other than the first response will result in the user immediately focusing their attention on bypassing IT. So, the collaboration has now turned into a cat and mouse game where the user tries to circumvent IT, and IT tries to implement restrictive controls to prevent being bypassed.

Have we not learned our lesson from the use of Cloud and SaaS in business? The users beat IT and executive management so overwhelmingly that there was no option other than complete and utter surrender.

The lesson is: don't turn your users against you, because you will not win. Any delay in meeting the requirements of OT will earn scorn from the user community. And to make matters worse, IoT devices are far more numerous, and far more varied, than the cloud and SaaS applications IT has already lost control of.

So, what’s the answer? The right answer requires re-imagining how we secure. Our current model for security dates back to medieval times. How is the industry standard of securing networks any different than securing a castle with a moat and drawbridge? The right answer needs innovation — and not just innovative technology, but also a whole new innovative model for cybersecurity. This model must accomplish two major tasks:

The first major task is to Simplify Security:

Today’s security tools demand well over 90% of the security team’s attention. Simply put, eliminating security tools eliminates distractions. Buying and stringing together a bunch of different products to fulfill various security functions creates complexity and is overwhelming to any size organization. In fact, security tools should be so simple to use that even quasi-technology people could operate them with ease.

Moreover, what if you had one security layer across all those technology silos: offices, data centers, clouds, SaaS, mobile devices, and yes, even the IoT devices. This single security non-tool would not be network sensitive; it should not matter which type of network a technology uses. Eliminating complexity not only improves security but offers agility and cost savings.

Takeaway #1: Implement a common security platform that delivers uniform and consistent security across all technology silos in the form of a security utility.

The second major task is to achieve User Empowerment:

With security simplified, everyone is empowered to self-serve. This puts the power of security in the hands of users. Now users are contributing positively and in the best interest of the company rather than fighting to bypass the security edicts. User empowerment drives much more collaboration than the IT overlord model that has been dubbed “collaboration.”

Takeaway #2: Empower users to self-serve so they are aligned with the best interest of all rather than fighting IT in their own interest. 

Today, more so than innovative technologies, we need a sound, well-thought-out security model. After hundreds of years in practice, we need to retire the medieval model for cybersecurity, especially in areas that depend on people-driven processes. Aside from simply not working, people-driven cybersecurity actually increases workloads and has inherent gaps in the form of exceptions. How can this possibly contribute to better security? Ultimately, there are no well-known cybersecurity technologies or models that can claim to be simple or sustainable. Perhaps the cybersecurity industry just needs to dream bigger, or stop playing it unreasonably safe, or both. I am announcing that Acreto is making a play for both simple and sustainable security that empowers people. The above rules are fundamental to the foundation of Acreto's platform, which is intended to take on and overcome the challenges of generation IoT.


IT vs. OT – The Cybersecurity Supernova

The universally accepted rule is that the Information Technology (IT) team has the final say on all things technology — right? Not so fast! Every day new technologies are introduced and connected to organizational networks without the permission, or even notification, of the IT team. These same electronic components surround us all, yet they remain hidden in plain sight.

So, what exactly are these miraculously hidden technologies that bypass the IT organization? They are called the Internet of Things, or simply IoT. These IoT devices fall into the Operational Technology (OT) category. They are "tag-along" technologies embedded in tools that aren't typically selected by, or even involve, the IT team.

One of the many reasons that IoTs are invisible in plain sight is due to the sheer number and broad spectrum of assets that they’re embedded in. Many people do not see IoTs; they see a smart TV, surveillance camera, key card access sensor, vending machine, or HVAC system. However, all of these, and more, are IoT devices. And chances are someone other than the IT team made the decision to connect said device to the organization’s network.

Perhaps the facilities team ordered a new HVAC system, which they may or may not know is Internet-Connected. There could also be an office manager who ordered brand new desks with embedded IoTs, or even the cafeteria manager who selected food and drink vending machines.

Picture this real-life scenario: a financial organization is moving into a new office location. Among the many responsibilities that fall on the office manager, one task happens to be evaluating and selecting the office furniture. After assessing all requirements, the manager evaluates several different desks and finally picks one that’s able to convert from a sitting desk to a standing desk with the push of a button. Six hundred desks are then ordered and delivered on-site.

Some seven months later, the IT team finds out, by chance, that these desks are connected to a remote application and have been delivering ongoing “productivity” data on each user. Apparently, it turns out that the furniture people had asked someone for the WiFi password and connected to the network. The rest is history.

Also, there is the now infamous case where a casino got compromised through an Internet-connected thermometer in a fish tank. You see, IoT devices have introduced a completely new compute model called "Dependency Compute". With this model, IoT devices share a common network, but each one is connected to a different remote application, and more often than not those applications are owned and controlled by a third party.

What does this mean exactly?

It means that a third party now has privileged access to a device on your “protected” network, but that’s not even the worst of it. Imagine all types of devices sharing a common network which offers privileged access to all types of remote applications that are controlled by a variety of third parties.

This interconnected web creates a scenario that is untenable for security, meaning that the traditional “securing-the-network” model is short-lived. Just calculate the risk stats for a few hundred different IoT technologies that are each connected to a different remote application that you don’t control.

One comment I always hear is: “What’s the big deal – we can segment them!” Well, good luck with that. You’d typically get this response from someone without much practical experience, with a whole lot of wishful thinking, or with an overly simple network. Most organizations can barely keep track of what’s on their network, much less go through a process of adding hundreds of network segments, where each one requires VLANs, netblocks, routing, and ACLs.

It isn’t necessary to impose many complex tasks and processes which can make a whole security team rethink their life choices. A superior approach relies on an entirely new security model that takes “Dependency Compute” into consideration.


About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Hacking A $Trillion Fund – Why HTTPS is Not Secure

Some years back, a trillion dollar financial fund hired me as an Ethical Hacker to test their security system. They had just spent millions with Cisco to implement a brand new security infrastructure. We started the project and within a day had compromised them 139 different ways. Of the 139 compromises, 138 of them were over HTTPS encrypted connections.

When we reported this to the client, they were miffed. Their director of security asked “How could that be? We just spent millions with Cisco. Their engineers approved the design!” And as soon as he got his bearings, he snapped, “You have to write in your report that there was no data exposed or accessed.”

“No data was taken because we chose not to take any data,” I replied.

Instead, we had successfully planted a flag on their systems. This is a practice used by white hat hackers of installing a file at some deep point on a compromised system to demonstrate privileged access. The ensuing three months involved a ton of back and forth in educating the customer on precisely why we were able to compromise them, and the wording of the final report. However, over that same time they had successfully managed to fix only one of the 139 vulnerabilities — the non-HTTPS exploit.

So, why were we able to compromise them, and how did HTTPS play into this?

Contrary to the implications in its name, Hypertext Transfer Protocol Secure (HTTPS) does not offer security. It offers privacy. That means it purely serves to ensure that 1) the communication destined for the application server is validated against DNS, and 2) the communication is encrypted. Because this encryption was between the client and the server, their gateway security tools were bypassed. The only visibility and enforcement their tools could provide was access control: allowing the TCP protocol on port 443 to communicate with the appropriate server. Because of the encryption, their intrusion prevention system (IPS) could not look inside the payload to identify the content’s intention, whether benign or malicious.

We found multiple systems on their network that were accessible externally via HTTPS and then, we had at them. One advantage for the hacker / disadvantage for the company is that HTTPS-based attacks do not need to be tempered. We could be as aggressive as we wanted to be because their security tools had no sense that any of the communications were malicious. Once we identified vulnerabilities, we exploited them and compromised the first system.

Another limitation in their security was that it was a thin hard shell on the outside with a soft gooey mess inside. Because they used gateway security, once we were in, we had access to cross-contaminate everything. And that is precisely what we did, until we gained access to some pretty critical systems.

So, what did the customer learn from this experience?

Well, he was successful in lawyering the report to not look bad, yet not lie. But what you should learn from their experience is that when HTTPS makes a connection private, it makes it private to everyone — including you and your security tools. This applies to communications you originate and communications destined to you.

Today, every SaaS company is in a mad dash to roll out HTTPS. The term they keep using is that it’s “for your security!” And I get pissed off every time I hear this. It is not for your security, it is to ensure that your communication to their systems remains private.  They continue to tout this even though many of these same SaaS companies have learned from the experience to decrypt before a communication hits their threat management tools. This protects them – but not their users.

For the user of these applications, the HTTPS communications initiated outbound to third-party sites are significantly harder to protect. The result is that any site that uses HTTPS can behave maliciously toward the user, and it is very difficult for the user to identify and mitigate the attack. Yes, perhaps we could learn to trust some companies, but would you trust Google, or worse yet, Facebook? Would you trust some small unknown arbitrary site you may find yourself on?

A monster security hole.

Considering that over 60% of all Internet communications are encrypted, an investment in robust security tools without an effective means of decrypting all the HTTPS connections in and out of your network leaves a monster security hole.

The tunnel-visioned focus on preventing man-in-the-middle attacks has created a much greater security challenge for many organizations.

In another instance, at an IoT event, I asked the CTO of an IoT system integrator who builds large-scale “smart city” platforms how he secures his technologies. His response: “We use HTTPS.” I waited for the rest, but it never came. This issue is not clearly understood even by technology professionals, including some security professionals.

As an industry we have done a piss-poor job of building clear and concise awareness that security is not any one of six things, but a harmonious combination of control, threat management, identity and yes, privacy. So the next time someone tells you they use HTTPS for security, nudge them to this article before they commit security suicide.


Russian Hacker Caught and Convicted: From US With Love

A little while ago, a client called me in to do a security operations ‘best practices’ education session. They were a dot com site that had recently spun off from one of the major financials. They had not yet laid down their sec ops roots and were still engaged in establishing the fundamentals. They wanted an informal education session to get the entire team on the same page.

Their conference room was packed with their security team as well as several people from their operations center, which I had requested. In many instances, the ops team is on the front line and often identifies and conducts the initial steps in handling security incidents.

At some point during the session, I started to talk about scammers. One trick that malicious people use is to acquire domain names that are similar to the site they are targeting. Since the client was a financial and their site contained personal information for hundreds of thousands of consumers, it was an attractive target. I first recommended they acquire or actively monitor all sound-alike and similar domains. For example, if their domain name is jacks.com, they should acquire or monitor jax.com and jaks.com.

Second, I recommended that all permutations of domains that could be mis-typed by users should be acquired or monitored as well; specifically, any combination of surrounding characters on the keyboard for each letter that makes up their domain name. For example, if their domain name is abc.com, they should monitor domains where the ‘A’ in abc.com is replaced with S, X, Z, W, and Q. If a company wanted to take it a step further, they would cover the immediate two surrounding characters on the keyboard as well. Should users mistype, which they often do, they should not be directed to a look-alike site to which they would innocently offer their credentials.

Third, I suggested that the plural version of the words included in their domain name should be acquired and monitored. As I was making this third point, I typed in the plural of their domain name – and their site showed up. I thought I had made a typo, that through muscle memory I had entered in their correct domain name. I double checked, and I had typed exactly what I intended to type – the incorrect, plural variant.

I was impressed. I thought to myself that they were ahead of me and had already acquired the plural domain and redirected it to their site. “Smart! You guys already got this?” I said to the group. I looked around the room and saw confused expressions all around. Finally, someone said, “I don’t think that we did – I’m pretty sure we didn’t.”

After a Dig on the Fully Qualified Domain Name (FQDN) and an MTR (a better traceroute) it became clear that the site was not theirs. It looked exactly like their site including the login page. However, it was not using their IP block nor any of their ISPs. It traced back to Las Vegas, Nevada.
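The three recommendations above (sound-alike names, one-key mistypes, plurals) and the dig check that followed can be turned into a routine monitoring job. The following is an added example, not code from the post or from Acreto. The QWERTY adjacency map, the domain abc.com, the owned netblock 198.51.100.0/24 and the DNS answers are all constructed; `constructed_resolve` stands in for a real lookup (`dig`, or `socket.getaddrinfo` in Python), and the MTR path check the post mentions is left to the operator.

```python
"""Enumerate look-alike domains and flag any that resolve outside our netblocks.

Added example; the adjacency map, netblock, domain and DNS answers are constructed.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Keys physically adjacent on a US QWERTY keyboard (constructed map, letters only).
# 'a' includes the diagonal 'x' so that the post's abc.com example holds.
QWERTY_NEIGHBOURS: Dict[str, str] = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg",
    "y": "tugh", "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsxz", "s": "awedxz", "d": "serfcx", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "j": "huikmn", "k": "jiolm",
    "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def keyboard_variants(label: str) -> Set[str]:
    """Every spelling of `label` with one letter replaced by a keyboard neighbour."""
    out: Set[str] = set()
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + nb + label[i + 1:])
    return out


def plural_variants(label: str) -> Set[str]:
    """The plural form the post describes: a trailing 's'."""
    return set() if label.endswith("s") else {label + "s"}


def candidate_domains(domain: str, soundalikes: Iterable[str] = ()) -> List[str]:
    """Combine sound-alike labels, one-key mistypes and the plural under the same TLD."""
    label, _, tld = domain.lower().partition(".")
    labels = keyboard_variants(label) | plural_variants(label) | set(soundalikes)
    labels.discard(label)  # never report our own name
    return sorted(f"{lb}.{tld}" for lb in labels)


def classify_candidates(candidates: Iterable[str],
                        resolve: Callable[[str], List[str]],
                        owned_netblocks: Iterable[str]) -> Dict[str, str]:
    """Resolve each candidate and compare the answers with the netblocks we own."""
    nets = [ipaddress.ip_network(n) for n in owned_netblocks]
    report: Dict[str, str] = {}
    for name in candidates:
        addrs = resolve(name)
        if not addrs:
            report[name] = "unresolved"  # free to register, or registered but unused
        elif all(any(ipaddress.ip_address(a) in net for net in nets) for a in addrs):
            report[name] = "ours"        # points at our own address space
        else:
            report[name] = "foreign"     # resolves, but not to us: investigate
    return report


# Constructed DNS answers standing in for `dig`: sbc.com is a redirect we own,
# abcs.com (the plural) is hosted somewhere we do not control.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "sbc.com": ["198.51.100.10"],
    "abcs.com": ["203.0.113.7"],
}


def constructed_resolve(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


def foreign_lookalikes(domain: str = "abc.com",
                       owned: Iterable[str] = ("198.51.100.0/24",)) -> List[str]:
    """Candidate names that resolve to address space we do not own."""
    report = classify_candidates(candidate_domains(domain, ["aybeesee"]),
                                 constructed_resolve, owned)
    return sorted(n for n, v in report.items() if v == "foreign")


if __name__ == "__main__":
    verdicts = classify_candidates(candidate_domains("abc.com"),
                                   constructed_resolve, ["198.51.100.0/24"])
    for name, verdict in verdicts.items():
        print(f"{verdict:10} {name}")
```

Run against a real resolver, anything reported as `foreign` is exactly the situation the post describes: a name one keystroke away from yours, serving content from address space you do not control. A `ours` verdict only confirms the address, not the page, so the look-alike site that copied the login page would still show up as `foreign` here.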

Needless to say, the training session abruptly ended and became a real-life incident response. The organization’s executives, their general counsel, all security team members, and all IT managers and above joined an emergency meeting in the conference room. Anyone not on-site joined via conference bridge.

During the meeting, their sharp help-desk manager offered that he had seen an increase in the number of calls for password reset requests in the past two weeks. We started connecting the dots.

We came away from the meeting with several action items:

  • We needed to determine if there was a compromise, and if so, how many users it impacted and its duration.
  • The help-desk team set out to cross correlate password reset support calls and the date/time of failed authentication logins in their logs.
  • They would identify any users who called for a password reset who had no corresponding failed login attempts in the logs. There were roughly a dozen dating back only two weeks.
  • The help-desk team contacted these users and established completely new identities for them.
  • My team was to implement an emergency infrastructure should the malicious person attempt to use the stolen identities.
  • I reached out to my contacts in the FBI cyber-crime team and reported the issue, and Agent Brown from the New York cybercrimes team was assigned to our case.
  • We contacted a law firm with experience in cyber crimes along with the organization’s retained counsel.
  • The legal team started to outline a notice as was required by compliance in preparation, should notifications be necessary.
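The second and third action items, cross-correlating reset calls with failed logins and pulling out the users with none, are a small detection job worth scripting. Here is an added example, not code from the post or from Acreto: the application auth-log format, the help-desk ticket records, the user names and the 48-hour correlation window are all constructed for the example.

```python
"""Find password-reset requests with no preceding failed login.

Added example; the log format, ticket records, user names and time window are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed application auth log (one line per authentication attempt).
CONSTRUCTED_LOG = """\
2021-02-20T09:14:02Z app auth: user=jdoe result=FAIL src=192.0.2.15
2021-02-20T09:14:30Z app auth: user=jdoe result=OK src=192.0.2.15
2021-02-21T11:02:11Z app auth: user=msmith result=OK src=198.51.100.20
2021-02-22T08:45:09Z app auth: user=kpatel result=FAIL src=192.0.2.44
2021-02-22T09:01:40Z app sshd: unrelated line that the parser must skip
""".splitlines()

# Constructed help-desk tickets: who asked for a reset, and when.
CONSTRUCTED_TICKETS = [
    {"user": "jdoe",   "opened": "2021-02-20T09:20:00Z"},  # explained: failed login 6 min earlier
    {"user": "msmith", "opened": "2021-02-21T11:30:00Z"},  # never failed a login: suspicious
    {"user": "kpatel", "opened": "2021-02-22T09:00:00Z"},  # explained: failed login 15 min earlier
    {"user": "rlee",   "opened": "2021-02-23T14:05:00Z"},  # no log entries at all: suspicious
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$"
)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_auth_log(lines: List[str]) -> List[Dict]:
    """Keep only the auth events; other syslog lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        events.append({"ts": parse_ts(m["ts"]), "user": m["user"],
                       "result": m["result"], "src": m["src"]})
    return events


def unexplained_resets(tickets: List[Dict], events: List[Dict],
                       window: timedelta = timedelta(hours=48)) -> List[str]:
    """Users who requested a reset without a failed login in the preceding window.

    A genuinely forgotten password normally shows up as failed attempts first;
    a reset call with none suggests the credentials were typed somewhere else.
    """
    failures: Dict[str, List[datetime]] = {}
    for e in events:
        if e["result"] == "FAIL":
            failures.setdefault(e["user"], []).append(e["ts"])
    flagged = []
    for t in tickets:
        opened = parse_ts(t["opened"])
        explained = any(opened - window <= ts <= opened
                        for ts in failures.get(t["user"], []))
        if not explained:
            flagged.append(t["user"])
    return sorted(flagged)


if __name__ == "__main__":
    print(unexplained_resets(CONSTRUCTED_TICKETS, parse_auth_log(CONSTRUCTED_LOG)))
```

The output list is the set of identities the help desk would contact and re-issue; the window is a tuning knob, and the same join works just as well against an authentication table in a SIEM as against raw log lines.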


After this, my team members and I set out to execute on a plan to identify and catch the person.

First, a honeypot. The compromised user credentials correlated by the helpdesk were redirected to a training system that looked and functioned just like their application, but contained dummy data. With this in place, the risk that any (more?) data theft, manipulation or deletion was mitigated.

Then, we implemented a high performance packet capture system using a powerful server, hardware offloading network interface and several open-source tools to collect all communications from the malicious person/people. We made sure that the packet capture system was implemented and processed with proper evidentiary chain of custody standards.

Finally, we configured the units to send us text messages as soon as any of the compromised accounts were accessed.

We were finally ready to track the malicious people.

In less than forty-eight hours we architected, acquired the highly specialized equipment required, and configured and tested the infrastructure. I then set out to document everything, including the operations runbook for these new systems, which included evidentiary chain of custody handling of any evidence collected.

I personally spent nearly seventy-two hours straight at the customer’s data center hopped up on adrenaline and coffee. It’s rare to catch hackers and scammers, and I felt strongly that we had a good chance of doing so in this case.

In the meantime, the FBI requested and received a subpoena for the IP address of the server as well as the domain name registrar. Fortunately, the ISP provided the physical address associated with the identified IP address quickly.

Agent Brown called the FBI field office in Nevada and requested agents drive by and visualize the address location. A few hours later we received information that the address was actually a car dealership. The FBI agents in Nevada managed to trace the ISP connection to the basement of the dealership. When they inquired about the Internet connection, the dealership informed them that the basement was rented to another party who was hardly ever there.

Technically, the malicious people had not done anything substantially criminal. So between the customer, the FBI and my team we decided to hang back and wait for the malicious people to attempt access to the customer system, and more importantly, to download personal identity information. There was no risk to any of the site users since the data the malicious people would access was made up training data.

We didn’t have to wait long. At 3:00am the following day my phone started buzzing with alerts. I quickly logged on to see what had transpired. Jackpot! The malicious people had logged on under three different accounts and had systematically accessed multiple identities before generating a report that can only be described as an identity theft starter kit.

A quick check showed a Canadian IP address as the source. Every packet of the communications was collected and logged. We had all that was required to completely recreate and replay the malicious people’s entire effort.

The session was short. It had only lasted 15 minutes. But it was all that was necessary. There were no other attempts that day.

Early the following morning, we contacted Agent Brown and the cybercrime task force supervisor and arranged for collection of the evidence. During the call we also determined our next course of action.

The FBI could have reached out to the Canadian authorities, but thought it best to try to lure the person to the US.

The plan was that the FBI would get a court order to confiscate the computer in Las Vegas. If they spotted cameras they would simply disconnect the Internet connection at the Network Terminal outside the building.

And then – the FBI surprised us. They had a person of interest in the case. They did not share many details about how they found this person of interest. Our best guess is that the person had been on the FBI’s radar, and had somehow been associated with the stolen identity which was used to fraudulently pay for the acquired domain name and the Las Vegas basement housing the computer.

If all was to go as planned, the malicious person would think there is a technical issue and come to fix it.

Later that morning the FBI Agent Brown came to our offices and we held an evidence hand-off ceremony. The next day we noticed that the scam site had gone down. Now there was not much else for us to do but wait.

All was quiet for a while and life started to resume normalcy. Two weeks later we got word that there had been an arrest!

It was a Russian who, a few days after the site had gone down, had flown to Canada and from Canada to Las Vegas. He was arrested at the airport port of entry. Apparently, when presented with the evidence he made a plea bargain and soon after pleaded guilty at the hearing.

The team’s dedication, professionalism and expertise drove this incident’s success. Both the customer and my team operated flawlessly together, and the FBI came through in a big way. At a time when hackers attack indiscriminately, it felt great to catch one and snag a win for the good guys.


Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.