Vector
Vector

Choose your topics

Blogs
What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
Blogs
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
Blogs
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Vector-1
Cyber Security

Cyber Threat Briefing: Real-World Cyber Threats

Cyber Threat Briefing: Real-World Cyber Threats
Written by

Craig Moores

Published on

10 Sep 2021

Cyber Threat Briefing: Real-World Cyber Threats

 

Ransomware attacks have been taking up a large proportion of the news headlines, but that doesn’t mean there haven’t been plenty of other threats and security issues happening in the world. From security holes in Microsoft Azure, to a woman in Florida deleting crucial business data after being fired, the fifth episode of our live Cyber Threat Briefing sees Adversary Simulation Lead, Aaron Dobie, and Risk Advisory Senior Director, Craig Moores, delve into the lessons organizations can learn from these real-world threats, including the importance of Endpoint Detection and Response (EDR).

Remote VM takeover 

Our session began looking at the high-profile issue in Azure’s Open Management Infrastructure, which allowed remote takeover and privilege escalation on Linux virtual machines (VMs). Essentially, any Linux VM that was set up through Azure had a separate management framework installed. This implementation itself had vulnerabilities. If the authentication token was removed, yes, the service would still respond but instead of operating in a ‘low user’ context, or declining to process the request, it would process the request as root. A root account or root (full) privileges means that you can read and write any files on the system. So, in this case, an unauthenticated remote attacker could run code with full privileges on your virtual machine. 

Aaron explained that this issue is an interesting one as it only affects virtual machines that are deployed by users. Referring to the Shared Responsibility Models, everything up to the virtual machine is managed by Azure and then everything above that is managed by end-users. But the challenge here is that Azure was essentially injecting additional software into the operating system that users weren’t aware of, and it wasn’t automatically patching this either. Microsoft has since given guidance on how to update it, but it’s still a manual process for users. This can obviously be a significant challenge if you’re a large company and have an estate with, say, 20,000 virtual machines in the cloud.

Trust, but verify

We often trust large third parties, such as cloud providers like Azure, to manage things on our behalf in a safe and secure way, particularly if there’s a piece of software we don’t know is there. Craig mentions that there’s a lot of discussion around continuous compliance at the moment, and around technologies that assure you that things are staying safe and secure. If third parties can bypass those fundamental things, where does that leave us? You need to trust, but verify, Aaron explains. We do have to put a reasonable amount of trust in cloud providers because they are providing so much of the stack, but as users we need to do everything in our power to validate that they are in fact doing what we think they are doing. 

Insider threats

Our session then moved on to uncover the recent news that a woman in Florida, who had just been fired, deleted vast amounts of files causing enormous internal damage to the company. In the few hours between getting fired and being escorted out of the building, other employees witnessed the woman repeatedly hitting the delete key on anything she could find. It ended up costing the company more than $100,000 to remediate and recover as many of the documents as possible. 

Often, we speak about third-party threats and the importance of tying those into an organization’s risk methodology and approach, but how do we deal with insiders? Well, the insider threat is, unfortunately something that will never go away. Users need to have access to things in order to do their jobs and for the business to function. There is always the risk that someone will do something to compromise business activities, even if by accident. Instead of dropping coffee, you might accidentally drop all the tables in the SQL database, but the impact is potentially much, much higher. 

Companies can utilize ‘user monitoring’ functions that come with things like Endpoint Detection and Response (EDR) products. This is all about understanding what users actually do on a day-to-day basis and putting in blocks when things are out of step with the expected norm. This is obviously great, but requires fairly significant investment in, firstly, the EDR product itself and then tailoring it to accurately reflect what’s in use within your network. But then you will have a baseline control, enforcing least privilege across the whole network so that not everyone has access to everything that everybody uses. You have gates in place that limit the potential damage, so even if somebody does accidentally do something, they can’t cause business-wide impact. 

The malicious insider 

But, as was the case with the Florida example, it’s not always an accident. You could have disgruntled employees or those that have changed roles but retained levels of access they didn’t necessarily need. When they do then leave, they may have access to things that they shouldn’t have, which leaves the potential attack vectors that little bit wider. Aaron explains that the heuristics of EDR essentially allow you to learn user behaviors, and these behaviors can be used to help understand what controls we need to have in place to protect ourselves. 

So, effectively you collate all of this data about end users, what they do and how they’re doing it, and you can use that information to implement or acquire other products that enforce standard use cases. Privileged Access Management (PAM) solutions are great, for example, as you can make sure that user passwords are only valid for however long is required to perform the action, meaning that even if a user does lose their password, it doesn’t matter because that password was only valid for a very short period of time. 

To learn more about Endpoint Detection and Response and the real-world cyber threats that your organization should be aware of, you can watch the full briefing here.

Join the next SureCloud Live: Cyber Threat Briefing here.