New CISA Directive On Persistent Threats

|

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an order requiring all federal agencies to take additional precautions to restrict access to Internet-exposed networking equipment.

To limit potential breaches, the directive calls for restricting access so that only authorized users on an agency’s internal network can reach these devices’ management interfaces.

This decision comes in response to escalating cyber-attacks that capitalize on undiscovered vulnerabilities in commonly used security and networking devices.

The target of these attacks is federal agencies that use devices that allow remote authentication or administration. The attackers exploited zero-day vulnerabilities in popular networking products, such as those made by Barracuda Networks and Fortinet, to launch ransomware and cyber espionage attacks.

Hackers have been exploiting Barracuda Networks since at least October 2022, resulting in data breaches. As the company tried to fix the issue, the adversaries adjusted their tactics to bypass the mitigation efforts, forcing Barracuda to replace compromised devices.

As for Fortinet, a vulnerability in its FortiOS firmware allows an attacker to run malware on virtually any Fortinet SSL VPN appliance. Just gaining access to the administrative panel of a vulnerable Fortinet SSL VPN appliance is sufficient for an attacker to compromise the device fully.

It is clear that the threat actors who exploit these zero-day vulnerabilities are highly adaptive and respond quickly to changes in cybersecurity measures. This means that we cannot afford to let our guard down or become complacent. Instead, we must continue to refine and reinforce our cybersecurity infrastructures, focusing on both preventive measures and swift, effective response strategies.

Acreto Solution

Acreto provides a comprehensive and proactive approach to cybersecurity that could help organizations adhere to CISA’s directive and ensure the security of their digital assets.

  • Acreto’s ‘Ecosystems’ inherently restrict access only to those users, devices, systems, and applications that need to interoperate together. It limits access so that only authorized members within an agency’s network can reach management interfaces. This significantly reduces the potential for security breaches.

  • These Ecosystems can be configured as open, closed, or hybrid. This means they can be tailored to meet the specific needs and security requirements of the organization, providing both flexibility and robust protection.

  • The Acreto Solution eliminates any and all access from the Internet to the Ecosystem, while still allowing its members to interoperate with authorized systems and applications. It offers effective micro-segmentation and nano-segmentation capabilities, thereby eliminating internal attack surfaces and isolating data flows.

  • Acreto can decrypt, scan, and re-encrypt communications in real-time, blocking any malicious content embedded in the encrypted payload. This feature is particularly relevant in the context of vulnerabilities like those found in the FortiOS firmware, where an attacker can run malware on any Fortinet SSL VPN appliance by simply accessing the administrative panel.

  • The Acreto Solution offers comprehensive control features, including access, network protocol/port, application protocol, application program, and content controls. These mechanisms give the organization granular control over the flow of data and the operation of applications within its network.

  • The Acreto Ecosystems are easy to provision, deploy, and sustain, reducing the complexity and logistics often associated with cybersecurity management. It also simplifies traditionally complex tasks such as change management and policy management, making it an efficient and effective solution.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

  • Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

  • Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

  • Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type such .EXE, PDF, XLS, DOC, SCR, and MSI among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls

  • Social Security Number Upload / Download Controls

  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of the network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.