Blog entry by Les Bell

Les Bell
by Les Bell - Friday, August 25, 2023, 10:17 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Credential Abuse Our Biggest Problem, Says Sophos

In their mid-2023 Active Adversary Report for Tech Leaders, Sophos provide some interesting food for thought. Based on data summarized from the firm's incident response investigations for the first half of this year, the goal is to provide better insight on changes in the threat landscape.

Perhaps the most significant finding is that the initial access techniques favoured by threat actors have changed. As before, attackers exploited external remote services (such as VPN's and gateways to Citrix servers, etc.) and public-facing applications, including email gateways (Exchange - we're looking at you). However, they are no longer primarily exploiting vulnerabilities to do this but rather compromising credentials - vulnerabilities lay at the root of only 23% of exploitations, while compromising account credentials accounted for 50%. Furthermore, having access to a legitimate account makes it easier for an intruder to evade detection. (Only yesterday we mentioned the Cyber Safety Review Board report on Lapsus$ and related attacks; Lapsus$ used quite simple social engineering techniques to obtain credentials, very successfully.)

The obvious implication for defenders is that there is enormous return on a minimal investment to be had in the deployment of multi-factor authentication. Sophos state that MFA was not configured in 39% of the cases examined for their report - and as confirmation of the effectiveness of strong, phishing-resistant MFA, they observe that one of the very latest social-engineering tactics is texting to encourage the recipient to disable their Yubikey.

The decline in the successful exploitation of vulnerabilities does not mean that rapid patching is less necessary, however - in fact, it might reflect the fact that we are getting better at it. Sophos point to the US Government's Binding Operational Directive 19-02, which states that:

  • Critical vulnerabilities must be remediated within 15 calendar days of initial detection
  • High vulnerabilities must be remediated within 30 calendar days of initial detection

This has prompted US Government agencies to improve their patch management, and this is reflected in CISA's 2022 Risk and Vulnerability Assessments, which found that only 1% of initial access attacks were due to exploits - but compromised credentials were responsible for 54%. Are we seeing the pattern here?

In Sophos' previous report, just two vulnerabilities accounted for 55% of exploits investigated: ProxyShell and Log4Shell, both of which already had patches released. In the FHY 2023 data, there were no Log4Shell exploits, but ProxyShell lives on, along with a few other vulnerabilities which had been patched in 2020 and even 2019. There is obviously still scope for a lot more improvement in patch management.

The Sophos report provides other insights which are, at first glance, more comforting - for example, dwell times (the delay between exploitation and detection) is falling. But looking more deeply into this, it's actually bad news: the dwell time for ransomware has fallen from 9 days to 5 days, as its operators exfiltrate data more quickly before encrypting files, making the infection obvious, while the dwell time for non-ransomware incidents has risen slightly, from 11 days to 13 days.

There's more bad news for Windows network admins, although they probably know it already: after gaining initial access, threat actors are pivoting more quickly than ever to exploit Active Directory servers, which give them greatly enhanced capabilities within networks, including the ability to manipulate accounts and policies throughout the domain. They also continue to exploit RDP (Remote Desktop Protocol) to move laterally - in fact, it was used in 95% of attacks, up from 88% in 2022.

There's a lot more to digest in the Sophos report: it discusses exfiltration techniques, the various types of attacks (ransomware, network breaches, extortion and exfiltration, web shells, denial of service, etc.) and the times and weekdays thy are run, as well as attribution to various threat groups. Much to consider, from a strategic threat intelligence perspective.

Shier, John, Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders, technical report, 23 August 2023. Available online at https://news.sophos.com/en-us/2023/08/23/active-adversary-for-tech-leaders/.

New Release of Security Onion

Many of us are running a security operations center on a tight budget, and a favourite tool is Security Onion, an open-source SOC platform which has had over 2 million downloads. Security Onion integrates well with the Elastic stack, and offers signature-based detection via Suricata, protocol metadata and file extraction using Zeek or Suricata, packet capture via Stenographer and file analysis via Strelka.

The preview version 2.4 Security Onion Console has a number of new features:

  • add a value directly from a record in Hunt, Dashboards, or Alerts as an observable to an existing or new case
  • a new DNS lookup capability
  • pivots for relational operators on numbers
  • Cases support dynamic observable extraction
  • import of PCAP and EVTX files

Among the many new admin features in the SOC Administration interface:

  • user management
  • a new Grid Members Interface to manage adding and removing nodes
  • Configuration interface for most aspects of deployment
  • Grid interface has been improved to show more status information about your nodes
  • a simplified installer
  • new members of the grid are now configured in the Grid Members interface
  • SOC authentication has been upgraded to include additional authentication protections, such as rate-limiting login requests and support has been added for passwordless login via Webauthn

In addition, the ISO image has been updated from the aging CentOS 7 to Oracle Linux 9. Security Onion is available at https://github.com/Security-Onion-Solutions/securityonion, and the 2.4.10 release can be found at https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/DOWNLOAD_AND_VERIFY_ISO.md.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: