Cybersecurity Lessons Learned in 2020 [Webinar]

 



Monitor and Stop Ever-Changing Security Threats

To protect important data and processes, organizations are forced to constantly adapt to new technology, tools and processes. The cost of leaving data unsecured and susceptible to a multitude of threats is literally priceless and could destroy a business of any size.

Loffler is a cybersecurity company that specializes in taking care of IT, so you can focus on what makes your organization successful. Rather read than watch? We've prepared a transcript of the webinar below.

 


Review Notable 2020 Cybersecurity Breaches 

Let’s start by going over a couple of notable security breaches that occurred in 2020 and what we can learn from them. 

First, the SolarWinds Orion breach, in which malicious actors leveraged a supply chain compromise to distribute malware known as Sunburst. The malware was disguised as an update that came through the IT administration tool’s usual software update channels and looked like a SolarWinds configuration file. The tools that were in place to prevent attacks allowed it through. This breach is still undergoing investigation, and cybersecurity analysts are still learning from it.  

Why was this breach notable? We don’t tell our firewalls to block trusted software updates, and we don’t teach our anti-malware tools to scan trusted configuration files. These are the exact reasons why the malware was successful. The breach was deployed in March of 2020, but was only discovered in December of 2020 after unusual activity was detected in system logs. The firewalls in the SolarWinds breach did not block the malware, because they trusted SolarWinds.

Second, the Malwarebytes breach. This one was a little quieter. Malwarebytes is the same tool many organizations leverage to protect systems on their network. This breach did not impact the tools/software that Malwarebytes creates, so Malwarebytes itself was not the target. In this breach, the bad actors leveraged privileged access in Office 365 and Azure, ultimately gaining access to a limited subset of internal company emails. The breach was discovered when suspicious activity from a third-party application in Malwarebytes was detected in Office 365. A deep-dive investigation into Office 365 and on-premise systems then found that attackers leveraged existing credentials that allowed access to a limited subset of internal company emails.

Why was this breach notable? This one is a notable name, and it also involved a cloud-based system. Usually when we think of Office 365 and Azure, we think that’s Microsoft’s platform. They are monitoring it and making sure it’s secure. To an extent, that’s correct. Microsoft helped notify Malwarebytes of this activity, but it’s still not clear how long the issue existed before it was detected. Also, the attackers had usernames and passwords; they could access data. While Microsoft is protecting the infrastructure and systems underneath, it’s still up to us to continually monitor and ensure that our systems are not compromised. With Malwarebytes, someone didn’t break into a data center and physically access data, but rather they gained access through somewhat legitimate means, through admin credentials. 


How Could Cybersecurity Monitoring Prevent Breaches Like These? 

Neither the SolarWinds Orion breach nor the Malwarebytes breach occurred because of product failures. Rather, they were operational failures, because cybersecurity experts didn’t know what to monitor, didn’t know what to check and didn’t know to keep an eye out for other suspicious activities.  

This is where the security operations approach employed by Arctic Wolf Networks can help. Security operations does not mean buying more tools, and it does not involve installing more services, software or hardware. Instead, it means stepping back and using what you already have to monitor your systems for anomalies and malicious actors.  

There are five tenets to a security operations approach:

  1. Broad Visibility  
  2. 24x7 Coverage
  3. Access to Expertise
  4. Strategic Guidance
  5. Continuous Improvement 

Arctic Wolf addresses the five tenets of the security operations approach with its concierge security team (CST), designed to be a group of named resources for its customers who can then be leveraged for advice, ongoing security reviews and as the human interface to a technical service. They proactively hunt for threats, looking for suspicious anomalies that can indicate a breach. They also add context to an incident. If there is something they see in the IT environment, they determine whether there was lateral movement or data exfiltration. Arctic Wolf's CSTs are resources you can engage with directly instead of having to open a ticket. Arctic Wolf’s services include:

Managed Detection and Response (MDR) 

70% of new customer environments have latent threats that are found when MDR is deployed. 

Arctic Wolf gathers meaningful log data for the entire IT environment with broad visibility. One example is network traffic. If someone clicks a suspicious link, we want to be able to detect it. Perhaps it’s phishing or a malicious download. By having broad visibility and network traffic monitoring, we can detect these things at the onset of the event. We also want to gather relevant logs from systems like Active Directory. We want to be able to look for suspicious logins or unusual patterns that could be indicative of a brute force login attempt or network traversal from something like the SolarWinds malware. Going further, we want to incorporate log data from third-party sources, so Office 365, for instance. We want to monitor for suspicious anomalies or login behavior inside of those services as well.  

All of this monitoring happens on a 24x7 basis, meaning the output of those log systems is monitored constantly. When something is found, we want to be able to triage it properly. Arctic Wolf doesn’t simply forward logs; we don’t just send you an alert. We need to do things first. We need to validate what we’re seeing. We don’t want to simply send you an alert when the user clicks on a malicious link, if the ensuing malicious download was blocked by endpoint security. But if it wasn't blocked, we want to escalate it to you, and for it to be meaningful by telling you who clicked on the link, the context behind what they clicked, what we saw in our investigation and most importantly, how you can best respond to the incident.

Arctic Wolf acts on your behalf. That’s the managed containment function Arctic Wolf provides: being able to effectively block that malicious traffic and quarantine an infected asset on your network. All of this makes up the MDR service.
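As an added illustration (not code from the webinar or from Arctic Wolf), here is a small Python triage script over constructed logon events showing two of the patterns named above: a brute-force run of failed logons followed by a success from the same source, and a successful logon for the same account from a second country shortly after the first (the location anomaly also mentioned in the Q&A). The line layout, account names, addresses, countries and thresholds are assumptions; only the Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) are real.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data). The "timestamp eventid key=value"
# layout is an assumed simplified export, not a native Windows log format.
SAMPLE_LOG = """\
2020-12-01T08:00:01Z 4625 account=jsmith src=203.0.113.7 geo=US
2020-12-01T08:00:05Z 4625 account=jsmith src=203.0.113.7 geo=US
2020-12-01T08:00:09Z 4625 account=jsmith src=203.0.113.7 geo=US
2020-12-01T08:00:14Z 4625 account=jsmith src=203.0.113.7 geo=US
2020-12-01T08:00:20Z 4625 account=jsmith src=203.0.113.7 geo=US
2020-12-01T08:00:31Z 4624 account=jsmith src=203.0.113.7 geo=US
2020-12-01T08:05:00Z 4625 account=bwhite src=198.51.100.4 geo=US
2020-12-01T08:05:30Z 4624 account=bwhite src=198.51.100.4 geo=US
2020-12-01T09:00:00Z 4624 account=ajones src=192.0.2.10 geo=US
2020-12-01T09:25:00Z 4624 account=ajones src=198.51.100.77 geo=BR
"""

LINE_RE = re.compile(r"^(\S+) (\d+) account=(\S+) src=(\S+) geo=(\S+)$")
FAILURE_THRESHOLD = 5                # assumed: failures in the window that count as brute force
FAILURE_WINDOW = timedelta(minutes=5)
TRAVEL_WINDOW = timedelta(hours=1)   # assumed: two countries inside this window is suspicious


def parse_log(text):
    """Parse the constructed layout into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, eid, account, src, geo = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(eid), "account": account, "src": src, "geo": geo,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events):
    """Flag accounts with >= FAILURE_THRESHOLD failures inside FAILURE_WINDOW and
    mark whether a success from the same source followed (the case to escalate)."""
    failures = defaultdict(deque)   # account -> timestamps of recent 4625 events
    suspects = {}                   # account -> source that crossed the threshold
    alerts = []
    for e in events:
        acct = e["account"]
        if e["event_id"] == 4625:
            q = failures[acct]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > FAILURE_WINDOW:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= FAILURE_THRESHOLD and acct not in suspects:
                suspects[acct] = e["src"]
                alerts.append({"type": "brute_force", "account": acct,
                               "src": e["src"], "succeeded": False})
        elif e["event_id"] == 4624 and suspects.get(acct) == e["src"]:
            for a in alerts:
                if a["type"] == "brute_force" and a["account"] == acct:
                    a["succeeded"] = True   # guessing worked: needs a response, not just a note
    return alerts


def detect_unusual_location(events):
    """Flag a successful logon from a different country than the account's previous
    successful logon when both fall inside TRAVEL_WINDOW."""
    last_seen = {}   # account -> (timestamp, country) of the last successful logon
    alerts = []
    for e in events:
        if e["event_id"] != 4624:
            continue
        prev = last_seen.get(e["account"])
        if prev and prev[1] != e["geo"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            alerts.append({"type": "unusual_location", "account": e["account"],
                           "from": prev[1], "to": e["geo"], "src": e["src"]})
        last_seen[e["account"]] = (e["ts"], e["geo"])
    return alerts


def triage(text):
    """Run both detections over a log export and return the alerts with their context."""
    events = parse_log(text)
    return detect_brute_force(events) + detect_unusual_location(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The `succeeded` flag is what separates a note from an escalation: a burst of failures that never leads to a success is noise unless it keeps repeating, while a success from the same source right after the burst is exactly the case the transcript says should reach the customer with context (which account, from where, and when).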

Managed Risk 

80% of threats can be prevented by meeting the top 5 CIS (Center for Internet Security) controls. 

Managed risk is different from MDR. Managed risk is a vulnerability assessment system designed to scan the entire environment (broad visibility) for vulnerabilities and then provide detailed guidance to best resolve them. This means scanning inside the network, anything with an IP address, to see if there are any vulnerabilities present inside the network. Externally as well, scanning the WAN (wide area network) side of your firewall, public IP addresses, web portals you’ve established for customers or end users. Also scanning for leakage of data on the dark web. Was a corporate user part of a third-party breach?  

Managed risk is about knowing about these risks, elevating them so you know they’re present and providing detailed guidance in terms of remediation. Arctic Wolf's concierge security team is also layered in the managed risk service, because simply installing a patch or update won’t always fix the issue. Other strategies need to be discussed. Maybe an order of operations or a new plan needs to be put in place to effectively resolve the larger incident. Maybe we need to discuss other strategies, like that particular system can’t be updated right now, so we need to move it somewhere else on the network to reduce that risk.  

Managed Cloud Monitoring  

47% of the incidents detected include a cloud component. 

The third component to tie off the operational approach is managed cloud monitoring. Ensuring we are monitoring third-party systems that we leverage: Office 365, Amazon Web Services or Azure, for example. We want to scan these environments for anomalies and risks to identify them and properly remediate them. If we see unusual logins or suspicious downloads in Office 365, let’s determine what’s going on, gather context, escalate and determine how to resolve. Should we reset passwords? Have conversations with the end users who are clicking the suspicious links and begin security awareness training?  


Actual Client Stories from the Field 

Stories from the field, or as they’re called internally at Arctic Wolf, war stories, are actual stories that have affected the Arctic Wolf Security Operations team. These are stories of real customers. We will walk through the events and point out what Arctic Wolf started the investigation on and how the story played out. 

Insider Threat: Crypto Mining 

Business risk: Protecting the integrity of data 

An IT staff member used a production server to “mine” Bitcoin (cryptocurrency). Arctic Wolf’s concierge security engineer noticed network traffic going to a known Bitcoin server and warned the customer's IT staff about a potential rogue insider or external access to a system that was allowing this to occur. They found the server, isolated it and stopped traffic. Arctic Wolf confirmed that traffic had stopped. However, a couple of weeks later, we noticed the traffic started up again.  

Because it was now a repeat incident, we treated it a little differently. We still validated what we were seeing, but we followed a different escalation procedure. An ongoing issue like this is a little bit more of a problem. So, we escalated to all contacts and leadership within the customer’s organization chart (the contact information they provided to us). A long story short, the customer terminated the offending employee. It was discovered that the IT administrator who had responded to that initial notification was actually the person responsible for the malicious traffic.

By deploying network monitoring, we were able to discover traffic to a known Bitcoin mining operation and also detect it when it reoccurred. 
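As an added example (mine, not Arctic Wolf's tooling), the following Python matches constructed flow records against a constructed watchlist of mining-pool endpoints and keeps per-host incident state, so that a recurrence after a quiet period is raised as a separate, higher-tier alert, mirroring the different escalation path the repeat incident above followed. The addresses, ports, the flow layout and the six-hour quiet gap are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed flow records (not real traffic). The "timestamp src dst dport bytes"
# layout is an assumed export format, not any vendor's native one.
SAMPLE_FLOWS = """\
2020-03-02T10:00:00Z 10.0.5.20 198.51.100.200 3333 48211
2020-03-02T10:05:00Z 10.0.5.20 198.51.100.200 3333 51004
2020-03-02T10:30:00Z 10.0.5.20 198.51.100.200 3333 47780
2020-03-02T10:31:00Z 10.0.7.3 93.184.216.34 443 1200
2020-03-16T02:00:00Z 10.0.5.20 198.51.100.200 3333 50321
2020-03-16T02:10:00Z 10.0.5.20 203.0.113.45 3333 49900
"""

# Constructed watchlist standing in for a threat-intel feed of known mining-pool endpoints.
MINING_POOL_WATCHLIST = {"198.51.100.200", "203.0.113.45"}

# Assumed: a matching flow seen more than QUIET_GAP after the previous one is a
# recurrence (the traffic came back after containment), not part of the same burst.
QUIET_GAP = timedelta(hours=6)


def parse_flows(text):
    """Parse the constructed flow layout into dicts sorted by time."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, dport, nbytes = parts
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes),
        })
    return sorted(flows, key=lambda f: f["ts"])


def detect_mining(text, watchlist=MINING_POOL_WATCHLIST):
    """Return one alert per incident (first sighting or recurrence) for each
    internal host that talks to a watchlisted endpoint."""
    open_incidents = {}   # host -> the alert dict currently being updated
    alerts = []
    for f in parse_flows(text):
        if f["dst"] not in watchlist:
            continue
        host = f["src"]
        current = open_incidents.get(host)
        if current and f["ts"] - current["last_seen"] <= QUIET_GAP:
            # Same burst: extend the open incident instead of re-alerting.
            current["last_seen"] = f["ts"]
            current["flows"] += 1
            current["destinations"].add(f["dst"])
            continue
        occurrence = current["occurrence"] + 1 if current else 1
        alert = {
            "host": host, "occurrence": occurrence,
            "first_seen": f["ts"], "last_seen": f["ts"],
            "flows": 1, "destinations": {f["dst"]},
            # First sighting goes to the IT contact; a recurrence goes wider.
            "tier": "it_contact" if occurrence == 1 else "leadership",
        }
        open_incidents[host] = alert
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_mining(SAMPLE_FLOWS):
        print(a["host"], "occurrence", a["occurrence"], "->", a["tier"], sorted(a["destinations"]))
```

Keeping incident state per host is the point: without it, the second burst two weeks later would look like a brand-new first sighting and be routed back to the same IT contact, which in the story above was the person causing the traffic.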

Unauthorized Active Directory Modification 

Business risk: Security policies not enforced during audit 

Do you have an on-site auditor doing routine testing/inspection? In this case, a customer of Arctic Wolf was going through their annual HIPAA audit with an auditor on site. Ultimately, IT cut that auditor an admin credential for testing purposes. Behind the scenes, Arctic Wolf was in place, monitoring Active Directory. We were already monitoring changes to high-security groups.

The concierge engineer alerted the customer that several groups associated with one system had been modified. Users were added and other changes were made within that group. These were groups that don’t change terribly often. When they do, it could be a larger incident. Thankfully, this wasn’t malicious, but we discovered the auditor had added themselves to that group to get the necessary permissions to go do something. But it actually violated a security policy the auditor hadn’t reviewed yet.

The company immediately disabled the auditor’s account, but they were able to check off several requirements of the audit, because they were able to show they had 24x7 monitoring in place for their crucial systems and they confirmed that by violating a security policy.  
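As an added example (not from the webinar or Arctic Wolf), this Python reviews constructed Windows Security membership-change events and raises an alert whenever a watchlisted group such as Domain Admins changes, with the highest severity when the actor added their own account, which is the auditor scenario above. The event IDs 4728/4732/4756 and their removal counterparts are real Windows IDs and the field names follow the Windows event schema; the group list, accounts, timestamps and the approved-change list are assumptions.

```python
import json
import re

# Assumed watchlist: groups whose membership rarely changes and should always be reviewed.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Windows Security event IDs for group membership changes (real IDs).
ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Constructed events as JSON lines. Field names follow the Windows event schema
# (SubjectUserName = who made the change, MemberName = DN of the account changed,
# TargetUserName = the group); every value is made up for this example.
SAMPLE_EVENTS = """\
{"TimeCreated": "2020-10-14T10:15:00Z", "EventID": 4728, "SubjectUserName": "auditor-tmp", "MemberName": "CN=auditor-tmp,CN=Users,DC=example,DC=local", "TargetUserName": "Domain Admins"}
{"TimeCreated": "2020-10-14T10:20:00Z", "EventID": 4728, "SubjectUserName": "it-admin1", "MemberName": "CN=newhire,CN=Users,DC=example,DC=local", "TargetUserName": "Sales Users"}
{"TimeCreated": "2020-10-14T11:00:00Z", "EventID": 4732, "SubjectUserName": "it-admin1", "MemberName": "CN=svc-backup,CN=Users,DC=example,DC=local", "TargetUserName": "Administrators"}
{"TimeCreated": "2020-10-14T11:30:00Z", "EventID": 4729, "SubjectUserName": "it-admin1", "MemberName": "CN=auditor-tmp,CN=Users,DC=example,DC=local", "TargetUserName": "Domain Admins"}
{"TimeCreated": "2020-10-14T11:45:00Z", "EventID": 4624, "SubjectUserName": "it-admin1"}
"""

CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def cn_of(dn):
    """Return the leading CN of a distinguished name, or the input unchanged."""
    m = CN_RE.match(dn)
    return m.group(1) if m else dn


def classify(event, approved=frozenset()):
    """Return an alert dict for a membership change on a sensitive group,
    or None for anything that does not need review."""
    eid = event.get("EventID")
    if eid in ADD_EVENTS:
        action = "added"
    elif eid in REMOVE_EVENTS:
        action = "removed"
    else:
        return None                      # not a membership-change event
    group = event.get("TargetUserName", "")
    if group not in SENSITIVE_GROUPS:
        return None                      # routine group, not on the watchlist
    actor = event.get("SubjectUserName", "")
    member = cn_of(event.get("MemberName", ""))
    self_elevation = action == "added" and actor.lower() == member.lower()
    if self_elevation:
        severity = "high"                # someone granted themselves privileged access
    elif (actor, group) in approved:
        severity = "info"                # pre-approved change: record it, do not page
    elif action == "added":
        severity = "medium"
    else:
        severity = "low"
    return {"time": event.get("TimeCreated"), "group": group, "action": action,
            "actor": actor, "member": member, "self_elevation": self_elevation,
            "severity": severity}


def review_membership_changes(text, approved=frozenset()):
    """Classify each JSON-line event and return the alerts in log order."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = classify(json.loads(line), approved)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in review_membership_changes(SAMPLE_EVENTS, approved={("it-admin1", "Administrators")}):
        print(a["severity"], a["actor"], a["action"], a["member"], "->", a["group"])
```

The approved-change list is there so that planned work does not page anyone, while anything unplanned on a rarely-changing group still does; in the story above the auditor's self-addition would be the one high-severity line in an otherwise quiet day.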

Risky Asset Found on Retirement Home Network 

Business risk: Compromised system allowed on corporate network 

A new device was on a retirement home network that was connecting to some known gaming services (Minecraft, Steam, Fortnite). It wasn’t malicious. Unusual, but not malicious. But the corresponding traffic for that device was talking to some malware sites used to trick people with downloads to fake game enhancements that carried malware. The Arctic Wolf concierge security engineer escalated it to the retirement home's IT staff. The system led them to a child using a laptop to play video games while visiting family. They had connected it to the Wi-Fi, so the infected machine was on the retirement home’s network. The machine was removed, and the incident was later discussed during a quarterly Arctic Wolf customer meeting where they addressed the question: Why can a child put an infected asset onto the network?

This incident led to proper guest Wi-Fi implementation and network segmentation in their care facilities. By monitoring the network, we could see the malicious device and we could act right away.  


Q & A  

Will the SolarWinds Orion breach change the way those types of updates are scanned in the future? Short answer, yes. Not only changes to how they’re scanned, but how they’re distributed up the chain in terms of hardening that update process, so the exploit is not being taken advantage of in the future. 

How can we determine if our firm was affected by the Malwarebytes breach? The actual product (Malwarebytes) was not subject to that breach. What was compromised was Malwarebytes’s Office 365 tenant, their internal email. This has since been rectified, but I wanted to bring it up because it speaks to the need to monitor the entire environment, not just what we host on-premise, but also upstream in those hosted providers.

In the SolarWinds case where employees would not be likely to detect this as suspicious, what might be a preventative measure for the future to avoid this? Walking back through what we saw with this attack, the malware didn’t do anything terribly malicious when it was first deployed. But it did scan environments to determine what it had access to. It was that traversal activity that ultimately led to detection. If someone logs in legitimately to a service and then later on a suspicious login is detected for that same user account with anomalies in location, that’s the type of unusual pattern we’re looking for, and that’s what ties it back to discovering that initial incident.  

If security tools are being used as delivery mechanisms, are AI tools able to discover them? We always want to monitor for unusual behavior. That can be indicative of any number of attacks. In terms of AI systems being able to detect that, looking for those patterns means analyzing all that log activity and looking for unusual patterns. We never want to go away from that either.

With 24x7 coverage, is there a function where users can report suspicious activity to an agent? Yes, by running 24x7, the entire output of your environment – log data, endpoint logs, network traffic, anything that falls under that broad visibility – is subject to real-time analysis. So Arctic Wolf is looking at these strange patterns and ultimately triaging those and escalating as appropriate. If a customer needs to self-report something unusual, that would follow an internal process where someone would open a ticket and be able to escalate it to Arctic Wolf. But in terms of being able to call something out as an end user on an endpoint, that wouldn’t be a function where we’d cut out the internal IT process.  

Is there a specific industry that is more vulnerable to these types of attacks? Banking? Government? We often hear, “No one wants my data. We’re too small.” And in the past, that may have been true. But today, attackers will cast a broad net. It’s a numbers game. If they can throw that email out to 100 or 1,000 potentials and get three hits, that’s good. So they’re not concerned about who they’re targeting. On the flip side, the targeted industries are finance, legal, government, anyone with access to sensitive information can be the target of more focused attacks.  

Does Arctic Wolf only provide the SOC (security operations center) services as well as the security tools, or do they leverage our existing tools? Arctic Wolf brings a number of components underneath that SOC umbrella. We can not only collect data, but also work through it and determine what we’re seeing. When it comes to deploying the Arctic Wolf services, we do want to leverage the tools you already have in place, the firewalls, endpoint security, Active Directory, cloud services. All these are generating good log data, we want to ingest that and be able to analyze it. 

We outsource our cloud and desktop support services. Do you provide a complement or do you provide all of these services? Provided you have the access to the log data from all your support services that you can get to Arctic Wolf, they can monitor effectively. If you’re outsourcing network security, we can interact with that, but we’ll want to talk more about that offline. 

Has the increase in remote work changed the type or vector of attacks Arctic Wolf has detected? The short answer is yes. The longer answer is tuning detection criteria to look at unsecured Wi-Fi networks or using a machine at home more often so looking for other things that could be indicative of an attack. Certainly, monitoring the upstream services people are using, like Office 365. There has been a dramatic increase in phishing attacks. Unfortunately, many are related to stimulus offerings or pandemic-related information, so playing into end user fear.  

Do we have access to a dashboard or reports to see what is happening, or is that all handled through the concierge service? Yes. There is a dashboard available that shows you what Arctic Wolf is working on, what incidents they’re reviewing and access to the log data they’re capturing. But the concierge security team is also available for questions if you need to see something specific for an audit or for escalation internally.

What are some of the tools you have to educate and train company staff? Loffler often uses KnowBe4. We use it in our client environments and can implement it in a way clients can manage it themselves if they have the time and technical savvy, but we can also manage it, too. It’s effective if it’s done in an ongoing fashion; a monthly (or quarterly) campaign of educating and phish-testing users would be highly recommended.

Since Arctic Wolf complements Loffler’s security services, how are they priced? By number of users, devices, locations, SLA (service-level agreement) service, etc.? All the log monitoring, the concierge security team, escalation patterns, all of that is underneath a predictable pricing umbrella. All we need to know is how many users you have, how many servers you have, and how many locations have firewalls deployed, so we can adequately scope out how much data is coming from your environment to scale up on our end accordingly. In terms of SLA, from time of detection to escalating an incident to you is 30 minutes. In practice, it’s closer to five minutes, but it includes all the triage leading up to the notification. The pricing model is complementary to the Loffler Managed IT Services model; we price based on devices and number of users, so it scales the same way that our managed services pricing does.

How does Arctic Wolf compare to Cybereason or other MDR (managed detection and response) services? There are plenty of MDR providers. A few components that make Arctic Wolf stand out would be the concierge security team and the unlimited nature of our log ingestion. We don’t cap or limit you. We also don’t require you to swap out any tools you have already in favor of something else.

Would two-factor or MFA (multi-factor authentication) have prevented the Malwarebytes breach mentioned earlier? It's always smart to consider MFA in some form. It’s a fantastic solution to a larger potential incident. In the case of the Malwarebytes incident, MFA wouldn’t have stopped that because the attackers were able to leverage pre-existing authentication tokens that were part of that Office 365 tenant. An in-depth review of that Office 365 tenant would have helped in this case, because these were dormant old credentials left out there from some other deployment. Also, ongoing monitoring to detect the unusual behavior as soon as possible. 



Thank you to our sponsors, Arctic Wolf Networks, Ingram Micro and QS solutions. 
