By Brennon Walker July 1, 2021
When a cyber threat grows in magnitude by 35 times in one year, and continues to become even more prevalent the next, every organization should pay attention. This is exactly what happened with ransomware. Cyber criminals have targeted organizations from many different industry segments, as well as businesses of virtually every size. Ransomware-as-a-Service (RaaS) and other kit-like tools have lowered the entry bar for cyber criminals, enabling even novice attackers to be successful against scattered security infrastructures. And monetary technologies like bitcoin make it virtually impossible for law enforcement authorities to track ransom payments. With the exponential growth in ransom paid to ransomware groups, the prospect that this will continue—and at a faster rate—in coming years is great. Recognizing the growing threat, banks are stocking up on bitcoin so their customers can quickly pay cyber criminals to unlock hacked data.

The Runaway Ransomware Threat

FortiGuard Labs analysis of global data showed a substantial increase in overall ransomware activity in the second half of 2020, compared to the first half. In fact, FortiGuard Labs analyzed the activity for all signatures that it has classified as ransomware, which showed a sevenfold increase in ransomware activity in December compared to July 2020. Among the most active of the ransomware strains in the second half of 2020 were Egregor, Ryuk, Conti, Thanos, Ragnar, WastedLocker, Phobos/EKING, and BazarLoader. Each of these exhibited varying degrees of prevalence, but the common trend among them was an increase in activity over the period. Threat actors have discovered that cryptolocking critical systems and demanding a ransom for the decryption key is a relatively easy way to extort money from organizations regardless of size or the industry to which they belong.

This more targeted and sinister form of ransomware scheme has come to be known as “big game hunting.” It has been all the rage with the ransomware gangs throughout 2020, and the larger paydays netted by such schemes virtually ensure the trend will not go away anytime soon. Many adversaries took advantage of the disruptions caused by the COVID-19 pandemic to ramp up ransomware attacks against organizations in the healthcare sector in particular. In October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI issued a joint advisory warning U.S. hospitals and healthcare services of increased ransomware activity involving TrickBot and BazarLoader malware. Other sectors that were also heavily targeted in ransomware attacks in 2H 2020 included professional services firms, consumer services companies, public sector organizations, and financial services firms.

Multiple trends characterized the ransomware activity that FortiGuard Labs and others observed in the last half of 2020. One of the most troubling was the steady increase in ransomware attacks that involved data exfiltration and the subsequent threat to release the data if a ransom was not paid. The use of data theft as additional leverage in ransomware campaigns only emerged as an adversary tactic in early 2020, but it was part of a majority of attacks by the end of the year. The operators of most major ransomware strains, including Sodinokibi, Ryuk, Egregor, and Conti, all deployed data exfiltration as part of their standard operations last year. Some reported incidents were attacker claims (sometimes false) of data theft intended to scare victims into paying a ransom. In many cases, when victims paid to get attackers to delete stolen data, the attackers reneged and instead leaked or sold the data to others anyway. For organizations, the trend means that robust data backups alone are no longer enough protection against ransomware demands.

How Ransomware Happens

Distribution of Ransomware

So, how does ransomware happen? Let’s begin by addressing how it is distributed. Any digital means can be used: email, website attachments, business applications, social media, and USB drives, among other digital delivery mechanisms. Email remains the number one delivery vector, with cyber criminals preferring to use links first and attachments second. In the case of email, phishing emails are sent as delivery notifications or fake requests for software updates. Once a user clicks on the link or the attachment, there is often (but less so recently) a transparent download of additional malicious components that then encrypt files with RSA 2048-bit private-key encryption, leaving it nearly impossible for the user to decrypt the files. In other instances, ransomware is embedded as a file on a website, which, when downloaded and installed, activates the attack.

Types of Ransomware

Ransomware attacks come in different forms. This past year has seen a substantial evolution in ransomware attacks. Traditional ransomware goes after data, locking files until the ransom is paid. But as mentioned above, with the rapid growth in Internet-of-Things (IoT) devices, a new strain of ransomware emerged. It does not go after an organization’s data, but targets control systems (e.g., vehicles, manufacturing assembly lines, power systems) and shuts them down until the ransom is paid. Let’s take a quick look at some of the most prevalent types of ransomware that exist today:

• Off-the-shelf ransomware. Some ransomware exists as off-the-shelf software that cyber criminals can purchase from darknet marketplaces and install on their own nefarious servers. The hacking and encryption of data and systems are managed directly by the software running on the servers of the cyber criminal. Examples of off-the-shelf ransomware include Stampado and Cerber.
• Ransomware-as-a-Service. CryptoLocker is perhaps the most well-known RaaS model. Since its servers were taken down, CTB-Locker emerged as the most common RaaS attack method. Another RaaS that is rapidly growing is Tox, a kit that cyber criminals can download. The result is a dedicated executable file that can be installed or distributed by the cyber criminal, with 20% of gross ransoms being paid to Tox in bitcoin.
• Ransomware affiliate programs. The RaaS model uses affiliate hackers with a proven track record to spread the malware.
• Attacks on IoT devices. Ransomware infiltrates IoT devices that control systems critical to a business. It shuts down those systems until a ransom is paid to unlock them.

Interestingly, in addition to polymorphic code, ransomware often uses metamorphic code to change its digital identity while operating the same way. This rapid growth and constant evolution make it even more difficult for organizations that rely on traditional signature-based antivirus solutions to keep pace. By the time one strain has been identified and blacklisted, cyber criminals have already moved to a new variation. The Ryuk and Sodinokibi ransomware families, for example, both contributed to an increase in the ransom amounts demanded by attackers in Q1 of 2020.

Ransomware Targets

Virtually every operating system is targeted by ransomware today. Attacks also extend to the cloud and mobile devices. The cloud had been left largely untouched by ransomware, so it is a new market opportunity for hackers. Cyber criminals also target nearly every industry. In 2020 alone, CISA issued alerts about ransomware targeting pipeline operations, healthcare, the public sector, K-12 schools, and more. Another recent strategy of ransomware hacktivists is to target and compromise vulnerable business servers. “The DearCry ransomware targeting the newly discovered vulnerabilities in Microsoft Exchange in early 2021 is a good example of this tactic, as well as demonstrating the agility of cyber criminals.” By targeting servers, hackers can identify and target hosts, multiplying the number of potentially infected servers and devices on a network. This compresses the attack time frame, making the attack more viral than those that start with an end-user. This evolution could translate into victims paying more for decryption keys and an elongation of the time to recover the encrypted data.

Conclusion

The financial impact of ransomware is much larger than just the ransom being paid to cyber criminals. Downtime translates into thousands, hundreds of thousands, or even millions of dollars in lost revenue and productivity. Organizations across multiple industry sectors can attest to these implications. Piecemeal approaches to security are not sufficient to thwart ransomware attacks. Integrated models enabling layered security using next-generation firewalls (NGFW), modern endpoint security, and more are required. These security controls must also use proactive threat intelligence when mounting a defense against cyberattacks.
By Brennon Walker June 29, 2021
Managing Access While Maintaining a Secure Network

Managing identities and access entitlements while providing ease-of-use authentication, accessibility to applications, and an optimal user experience to end-users is becoming increasingly challenging in a rapidly changing business and IT environment. These challenges are compounded by the disruption to society and business caused by the COVID-19 pandemic. As a result, the workforce of many organizations has become even more remote and mobile. Enabling effective access rights for every user to protect the organization from cyber adversaries must evolve. Access controls must keep up as an organization’s security guardrails rapidly move from protected network perimeters out to the new home office branch. According to the 2020 Verizon DBIR, passwords continue to be a weak link. The “Use of Stolen Credentials” is the #1 “Top Hacking Action,” and password-dumping malware is on the list of “Top Threat Actions.”

The OPSEC identity and access management (IAM) solution gives organizations the ability to centrally control and manage the life cycle of user access to critical information, both in the cloud and on-premises. It provides strong authentication through the use of multi-factor authentication (MFA) for identity assurance, audit trails for business regulatory compliance, end-user single sign-on (SSO) to various resources without repeated authentication to increase security while enhancing the end-user experience, and X.509 certificate management for onboarding guests and bring-your-own-device (BYOD) policies. The OPSEC IAM solution is available in physical, virtual, and cloud-hosted form factors for deployment on-premises or in the cloud, whichever fulfills your organization’s business needs.

Solution for Disparate Access Management Systems

Most organizations are using a multitude of disparate systems across departments to manage employees, contractors, partners, guest identities, and data access. For example, a human resources department may use a variety of software solutions to identify employees and contractors and provide access to various resources. The marketing department may be integrated with third-party partner applications and use a variety of software to analyze and execute data and workflows based on user identity data gathered through collaborative partnership initiatives. Meanwhile, IT may use multiple systems, including multiple IAM systems, to provide secure access to the organization for a variety of users and devices. In total, the number of disparate systems and the resulting siloed data housed within a modern enterprise are cause for alarm. Not only do disparate systems create an arduous, non-unified experience for end-users, they increase risk and make risk assessments more difficult. Managing disjointed systems also requires a vast amount of IT time and resources.

An effective IAM system provides centralized authentication, SSO, and authorization enforcement for targeted applications that are hosted on-premises or in the cloud. These and similar functions ease IT operations, administration, and maintenance, remove the risk of unforeseen gaps between systems, and provide secure access for the organization—while providing end-users with a consistent and improved experience during the authentication and sign-on process. Organizations across the globe and across all verticals are increasingly adopting the OPSEC IAM solution. OPSEC IAM consists of OPSECAuthenticator, OPSECToken, and OPSECToken Cloud—an “MFA-as-a-service” solution that helps organizations adopt and implement advanced IAM practices.

OPSEC IAM: OPSECAuthenticator—A Source of Identity with Centralized Management

At the center of the OPSEC IAM is OPSECAuthenticator. OPSECAuthenticator functions as an organization’s source of identity and is deeply integrated into the OPSEC Security Fabric. OPSECAuthenticator strengthens an organization’s user access by simplifying and centralizing the life-cycle management and storage of user identity information obtained from various systems of record. Through integration with existing Active Directory (AD), Lightweight Directory Access Protocol (LDAP) authentication systems, or cloud-based identity stores, OPSECAuthenticator provides user authentication, including MFA, certificate-based and adaptive authentication, and SSO controls, so organizations can assure identity and enable access rights for all users, at any time and from anywhere, whether through corporate wired, wireless, or remote virtual private network (VPN) connections.

OPSECAuthenticator is built with high availability (HA) designed to ensure business continuity and resiliency. HA deployment is simple, and it functions seamlessly during a failover, whether for maintenance or during an unexpected failure. OPSECAuthenticator also includes user self-registration and password recovery options, allowing users to reset their password without engaging the help desk, which can represent a significant cost savings for many organizations. OPSECAuthenticator is available for deployment on-premises, in a virtual environment, or via the public cloud. OPSECAuthenticator licensing is structured simply, with perpetual, nonrecurring costs for all features. OPSECAuthenticator reporting also makes it easy to demonstrate return on investment (ROI) throughout the decision and deployment process. With OPSECAuthenticator’s flexible form factors, organizations can choose whichever deployment method best meets their IAM initiatives and budgets. And because of its integrated suite of solutions and powerful engines, organizations can save more than 50% annually as compared with alternative solutions.

OPSECAuthenticator protects user access with advanced, streamlined identity and access management features such as centralized user access policy, user privilege management, MFA, SSO, audit trails, and more. By increasing user access protection, OPSECAuthenticator makes it more difficult for adversaries to steal credentials, impersonate users or devices, and gain unauthorized access to applications or network resources. Additionally, its centralized management simplifies IT operations and reduces unforeseen security gaps that can be overlooked when managing disjointed IAM systems.

OPSEC IAM: OPSECToken—A Comprehensive Option for MFA

MFA is an essential security feature for any IAM solution because it enforces the verification of multiple credentials. MFA needs to include at least two of the following:

• Something the user knows: a username and password.
• Something the user has: a one-time passcode (OTP) in the form of a token or code. This is sent to the user via email or SMS, to a hardware token generator, or to an authenticator application installed on the user’s smartphone.
• Something specific to the user: biometric information such as the user’s fingerprint, facial recognition, or iris scan.

OPSECToken (FTK) offers the widest range of OTP tokens and MFA use cases to suit any organization’s needs. FTK also comes in a variety of form factors, and the following options are available at a perpetual, nonrecurring cost:

• Application: time-based and user-friendly, with PUSH to accept/deny credentials during the MFA process. It supports either iOS or Android platforms.
• Standalone: a physical, tamper-resistant device with time-based OTP. These tokens come in the form of a USB stick, half credit card size, or a small keychain size, each with a large screen to display the token.
• Email and SMS tokens.

Token activation can be performed online or offline (making it suitable for closed environments). FTKs can also be transferred between authenticating devices, such as an OPSECGate or OPSECAuthenticator, or between mobile devices (i.e., iOS or Android). This provides visibility, simplifies two-factor authentication management, and increases security to protect organizations from adversaries seeking unauthorized access (even if a cybercriminal has a username and password, they cannot access the system without the other information). OPSECAuthenticator has token options for all users and scenarios to confirm user identity using MFA. With its centralized management, OPSECAuthenticator and FTKs provide organizations with the ability to assure identity and control user access to corporate VPNs, network devices and resources, and on-premises or cloud-based applications.

OPSEC IAM: OPSECToken Cloud—Cloud-based “MFA-as-a-Service”

OPSECToken Cloud (FTC) provides everything an organization needs to adopt and manage multi-factor authentication in its OPSECGate or OPSECAuthenticator environment. There is no additional authenticator hardware or software required, nor any changes needed to the existing security policy on the OPSECGate or OPSECAuthenticator. FTC is a subscription service available through the purchase of points. FTC points can easily scale as an organization’s needs change. Through its intuitive dashboard, organizations can get a summary of useful metrics such as overall usage, active users, remaining points, and logs that capture key information about both active and closed sessions. OPSECToken Cloud makes it easier for organizations to implement MFA by extending user identity further through the verification of something the user has. MFA makes it more difficult for adversaries to gain access to corporate resources even if they have and use stolen credentials, the #1 “Top Hacking Action” and “Top Threat Action” leading to network breaches.

OPSEC Provides a Full Suite of Market-leading Security Solutions

OPSEC is a recognized leader in networking and cybersecurity technologies. The OPSEC IAM solution is an excellent value for organizations. It provides the right IAM tools combined with flexible deployment options to enable access rights for every user, ultimately protecting the business from cybersecurity breaches. The fact that it provides life-cycle management and centralized operations, administration, and maintenance, along with ease of use for end-users, makes OPSEC IAM an easy choice for an organization’s advanced IAM practices.
By Brennon Walker June 28, 2021
Do you know what is happening on your network? Do you receive notifications about suspicious behavior on your network? Do you have security protocols in place to block the exfiltration of sensitive data on your network? What about unwanted surveillance: do you have a way to ensure you are not being watched? Are your data communications encrypted? Can your data be intercepted? If it is intercepted, will it be usable? These are the important questions that the average home network user does not have answers to, nor have they typically considered them. That is why the work we do is so important.

The home network exposes a soft underbelly to an otherwise formidable foe. Businesses are secured with the latest and greatest in enterprise cybersecurity hardware, software, and knowledge. What happens when the users of the enterprise networks go home? Home to their neglected and overlooked home network. A network supported by vulnerability-filled consumer-grade technology built by foreign companies and operated with reckless abandon. As we saw in the Wikileaks files, even our own government has developed techniques and tools to circumvent the limited security of the home network to surveil and track our fellow citizens. All on a scale that is shocking to the uninitiated.

OPSEC will armor this underbelly. Protection from all enemies, foreign and domestic. OPSEC is the only grass-roots independent cybersecurity firm that is capable of taking on such a task. All our technicians and solutions are vetted to ensure transparency and so that we can deliver peace of mind to our customers. Our principles encompass moral integrity and constant refinement and enrichment of the individual. We require a secure moral compass and intestinal fortitude of our operators. Secure operators ensure secure operations with uncompromising moral integrity and discretion. Talk with a cybersecurity operator about how we can help you answer some of the aforementioned questions today!
By Brennon Walker June 28, 2021
Cyber security has become one of the biggest concerns for business. Business and enterprise have increased their spending to an incredible 150 billion dollars in 2021, according to a recent Gartner study. The driving force is to secure remote workers and the ever-expanding digital footprint of business. Emerging threats from foreign nation-state actors, ransomware enthusiasts, and even our own governments have spurred a renewed imperative to secure operations. But what about your home network? You, the individual, have a right to know that your home network is secure from unwanted digital communication, wire-tapping, and data harvesting. What is the individual person to do about ransomware and other emerging threats that can cripple and decimate a network that is not backed by enterprise-grade cyber security technicians? The average home user does not have the budget to implement the security countermeasures warranted by such insurmountable threats.

Gartner did not include recent security events that spurred further spending. This spending was to remediate and secure vulnerable systems from real-world bad guys. These events likely pushed the annual spend closer to 200 billion dollars. This year saw one of the biggest cyber security compromises of recorded history. The SolarWinds/FireEye hack took everyone by surprise and exposed some very real vulnerabilities that were overlooked by even the most prepared security teams. Complacency is to blame. Furthermore, the Microsoft Exchange Server vulnerability gave cyber criminals access to confidential and encrypted communications from some of the highest levels of government and enterprise. These vulnerabilities exist in the enterprise environment due to the sheer complexity of modern business. These same exploits do not pose a risk to the average home user. However, home users typically deploy consumer-grade hardware to create the home network. These consumer-grade devices are full of vulnerabilities that are easily exploited. There are an estimated 110 million individual home networks in the U.S. as of 2017, and those numbers likely exploded in 2019 during the COVID-19 lockdown and stay-at-home orders.

There is a new imperative to secure America: American business, American homes, and American data. The majority of business and government compromises come from the individual. Social engineering and phishing attacks are some of the most effective. Even if you have the latest and greatest in enterprise cyber security hardware, software, and technicians, the users of the network, the people that access the critical data, can often be exploited, and it is often at home. The home network presents a unique opportunity for cyber criminals and a blind spot for most cyber security teams. Users have personal email accounts, social media, and a digital footprint all of their own. The security of this footprint is the responsibility of the individual and so is subject to their individual cyber security acumen, or lack thereof. The average home user does not typically consider vulnerabilities and exploits when they purchase their home network equipment. Even with the hardware recommendations of cyber security professionals, the average home user does not have the skills or time necessary to monitor, control, or implement cyber security countermeasures. The gaping hole in the American cyber security defense becomes ever more expansive.

OPSEC aims to patch this vulnerability, house by house. By securing the home network, we secure America. We apply enterprise-grade technology and solutions to the average consumer's home network, and supply enterprise-grade cyber security technicians and experience to provide solutions to common home network vulnerabilities with cost effectiveness at the forefront. OPSEC already secures businesses with our Network Operations Center and Security Operations Center. Staffed 24x7 and redundant, OPSEC is poised to supply enterprise IT solutions at massive scale. This easily scalable model can be pointed at any network, business or home. OPSEC had zero systems compromised during 2019, 2020, and 2021. OPSEC looks to spread our impeccable track record to the consumer market and make America secure from all enemies, foreign and domestic. Talk to a cybersecurity technician today.
By Brennon Walker May 17, 2021
New executive orders on cybersecurity have been signed. What does it mean for you? It means it is time to invest in the much-needed infrastructure upgrades that your cybersecurity consultant has been telling you that you need. If you already listened? Good job, you have done what you are supposed to do. If you, like many of your peers in the private sector, have postponed these upgrades, the time to act is upon us.

Constant threat of infrastructure compromise is no longer reserved for systems of high value. In the wild, OPSEC technicians have observed nation-state actors attempting to compromise new systems on new internet circuits with brand new IP blocks within seconds of initial interconnection. While most attempts seem to be simple brute force attacks that are "shotgunned" en masse to all known public IP blocks, there is a very serious component behind it. Just like the triage of IT support tiers, these nation-state actors pass compromised systems up to higher levels and to technicians with far greater knowledge and skill. So what started as a simple brute force that got lucky with a weak password soon becomes a compromise on the scale of the SolarWinds incident in a nanosecond.

What is a rational person to do in these dire times? Secure your operations. If it plugs in, it needs to be secured against all possible attack vectors, known and unknown. Now is not the time for half-measures. The theory of "just good enough is good enough" is wrong. It is easier to stop a fly from intruding through a pinhole than it is to bar its entry through an open door. Implementing automation, zero-day countermeasures, and behavior analytics is a great start. But true security is multi-layered, redundant, and disaster resilient. So, not only do you have sensors and AI monitoring the pinhole for anything suspicious. You should also have a 24x7 staff of fly-swatting enthusiasts jacked up on coffee and general contempt for all fly-kind. This team should further be supported by bug spray, glue traps, poisoned honey-pots, and a claymore as a last-ditch failsafe insurance policy. These nation-state actors don't play. Neither does OPSEC.