This past weekend I was lucky enough to experience what for some people is a “bucket list” item—I drove a 4×4 Jeep over the Rubicon Trail from Georgetown, California to Lake Tahoe. It was an amazing experience, but the best part fell into two simple categories:
1) There was a sense of danger and excitement in crawling over gigantic granite boulders, down steep chutes, up the side of a hill with a sheer drop-off on your right, and through this scary thing called “Little Sluice”—there was nothing little about it!
2) Sitting up on a rock with my friend and co-worker, Kim Ringeisen, drinking a Bud Light in fancy REI camp chairs watching meteorites go by. Also, not coincidentally, getting stung on the forehead by a yellow jacket—it must have known I was not a Georgia Tech fan. (War Eagle!)
The reason that I could enjoy both of these is that we were reasonably well prepared for this three-day journey. At least four weeks prior to the trip, Kim, our head of customer success at Skyport, made a list of things we needed. We checked it through a few times and actually overpacked more than underpacked. We each brought two sleeping bags and air pads, we made sure we had ropes to do a cliff rescue, three recovery straps for the vehicle, an air compressor to refill our tires, bear spray, a global satellite phone and alert beacon, a GPS, a CALSTAR Helicopter Medical Evacuation membership, enough food for two to three days (food was provided at camp), a Yeti cooler with enough ice to last five days, and much more.
I was a Boy Scout, and the Boy Scout motto is “Be Prepared.” We took the time to plan what we needed, figure out our logistics, look at risks we would likely be facing and ensure that we had the tools and training to mitigate each risk. Because we mitigated the risks, we were able to confidently assault the trail and then casually kick back and enjoy a cold one at camp. It was a good combo!
Ok, so why is this on our corporate blog, aside from the shameless pandering that “we have fun at Skyport and would love for you to come with us next time”? (Fact!) There are also aspects of IT cybersecurity preparedness that warrant similar considerations:
1) What are the attacks you are likely to see against your organization?
On our camping trip, we knew there were bears out there, and we knew that raccoons and other such creatures loved finding camp food. We had to prepare for this! So we had bear spray, kept food away from the campsite, and put it in bear-proof containers.
In the IT world, based on your organization’s public profile and the type of information you protect, you face a varying threat profile ranging from criminals and hacktivists to nation states. Government organizations are largely the biggest targets in the world, and financial companies and political organizations aren’t too far behind. But as we have seen from recent ransomware scams, just about anyone who is dependent upon their IT systems CAN be a target from which at least a few thousand dollars can be extracted.
2) What information/assets are they likely to go after?
The simple answer is, anything they can get to. That being said, the targets are generally authentication systems where they can gain the “keys to the castle.” Microsoft Active Directory is the classic example of such a system. Once there, they pretty much have unfettered access to your entire enterprise.
As we have seen from the SWIFT breach, financial trading systems, systems that move money, and ledgers are targets. We have also seen, rather publicly, that if you are even adjacent to politics, your email servers are a likely target. However, your document management systems, phone voicemail, and the like are just as juicy a target.
Employee record systems are also a great way to “dox” someone. Imagine if the HR files on every employee were dumped to Wikileaks—not a positive thought.
3) How will they get in, and how will they get out?
Going back to a previous post: in most cases, you do not need to thwart a persistent, brilliant, and well-funded aggressor. You need to be better than your peers and have solid IT hygiene practices in place; this will make you a harder target than most. If you can self-identify as someone whose organization is likely to be a target of governments or government-sponsored criminals or hacktivists, you have a different threat, and your analysis needs to be more thorough and your defense more prepared.
In the military, the defense needs about one-third as many troops as the aggressor if the defense is well planned. The way you form your defense planning is to use the natural flow of the terrain and obstacles to steer the enemy into your line of fire. That is a force multiplier working in your favor. The same holds true in cyber defense.
If we know what assets are likely targets, we can plan our defense in a way that makes the likelihood of catching the aggressor much higher—blocking and denying them from gaining the levels of access they need to own our organization.
The most likely insertion point will be a targeted phishing attack. I was joking the other day that if I wanted to get into any company in LA, I would send an email to every low-level employee saying, “Casting call tomorrow for extras on ‘Game of Thrones’; register for consideration!” Suffice it to say, at that point, the foothold is there. The other, more physical option is the classic “drop a USB key in the lobby with a label that says ‘payroll-July.xls’”—game on!
From the foothold on a user machine, the goal is to get to a machine on which an administrator has logged in. Depending on your policies for administrative credential distribution, how sanitized your AD GPO structure is, and whether or not you are following Microsoft’s ESAE (Enhanced Security Administrative Environment) guidance, you can either make this next phase really quick for them or deny them access.
Make sure you have systems in place that can detect and deny command and control connections. If you are in a high-risk environment, make sure you are deploying full-stack protections. Ensure that they can’t “go under” your wall with a rootkit or insecure boot, or “jump the wall” with an application-layer vulnerability—especially an old unpatched one that you should have known about.
4) The importance of hygiene
One thing you learn and appreciate on a camping trip is good hygiene; that moment after spending all day on a dusty, dirty trail where you can wash your hands with actual soap and feel your own hands again is a rather pleasant experience.
The same holds true in IT. In fact, it’s probably one of our worst sins in IT—we are geeks. We love the shiny new toy, the faster switch, the bigger firewall, and the cool cloud API. We are not enamored of the day-to-day “IT hygiene” that needs to occur. It’s simply not fun to scour for CVEs every day or check for patches on my BIOS, hypervisor, OS, and applications. It’s annoying to have to use an admin workstation, and it sucks to have to use a jump host, etc.
IT hygiene is just as important in your operations as personal hygiene is when out in the woods—it’s what keeps you healthy and safe. (Shameless plug: this is one of the key reasons we have seen explosive growth in the use of our systems.) Since, as part of our ongoing maintenance and support service, we maintain all of the patch levels across our devices—including BIOS, hypervisor, CVE monitoring, SELinux build, etc.—it becomes simple for our customers rather than onerous.
So if you’re the person responsible for IT, infosec, or infrastructure, take an hour this week, sit down with the business and talk about the risks of unplanned information disclosure—identify those assets.
Spend a bit of time planning your defense. Ensure that you have a real “defense in depth” strategy for those critical assets. Don’t forget your own assets such as that Active Directory Domain Controller or your RADIUS/TACACS boxes—those are very, very juicy targets.
Make sure someone is specifically responsible and accountable for the ongoing hygiene of your plant. If it’s not someone’s job, it’s no one’s.
As for the yellow jacket that stung me, it got away. The painful red spot on my forehead is a reminder of that little dive bomber’s accuracy. In the spirit of being prepared, a big thanks goes to Kim for knowing a few field remedies to keep the swelling and throbbing down. Thanks chief!
dg – @dgourlay