June 6, 2022
Ahmed Rubaie, CEO

Welcome to RSA – How boards and management teams are stopping attackers amidst macro headwinds, the year of great resignation, digital expansion, and escalated cybersecurity activities

<p>RSA has finally arrived in person. We look forward to seeing our customers, partners, and many others in the broader security ecosystem. At Anomali, we exist to stop attackers, and given the current environment, we want to share relevant insight from the ecosystem and the excitement around our unique delivery of open XDR. In fact, we feel compelled to make it available to test for free.</p>
<p>Let’s start at the top of the lighthouse, and then distill the best way to navigate the infinite chess game with adversaries, including ransomware and exploits. While doing so, we will also focus on automation, reducing response time and ultimately making security spend more efficient.</p>
<p>Boards and management teams are navigating a complex new terrain of macro headwinds (including inflation), geopolitical uncertainty, and escalated cybersecurity activities at a time when digital transformation is paramount and talent scarcity is at an all-time high. What is unequivocal is that management teams must continue their laser focus on the efficacy of their security posture and, in tandem, they must optimize cost and efficiency.</p>
<p>More than ever, management teams need relevant business insight to swiftly protect themselves and their stakeholders from cyber-attacks. That is our obsession at Anomali – our open XDR solution is helping management teams amplify visibility, enrich it with relevant context and, in turn, stop the attackers and predict their next move. We deliver unique use cases, starting with a proprietary attack surface management report after ingesting all relevant telemetries, including cloud platforms, and correlating literally hundreds of trillions of telemetry events times cyber threats per second. In tandem, we are automating processes, reducing response time and optimizing security spend across the environment.</p>
<p>The advent of the Cloud, digital transformation at large, and the dynamic of the remote workforce have collectively expanded the attack surface of organizations to exponentially new levels. Today’s attack surface comprises all the entry points where unauthorized access to digital assets is possible. These assets can be externally facing, such as a web application server or an API server, or inadvertently exposed due to a misconfigured firewall, such as a network storage device.</p>
<p>According to Gartner, External Attack Surface Management (EASM) is an emerging cybersecurity discipline that identifies and manages the risks presented by internet-facing assets and systems. EASM refers to the processes and technology necessary to discover external-facing assets and effectively manage the vulnerabilities of those assets.</p>
<p>Anomali XDR is a unique solution to identify your attack surface and highly targeted assets. With proprietary big data technology, you will be able to ingest all security telemetries (SIEM, EDR, NDR and public clouds) and distill what’s relevant by correlating with the largest repository of global intelligence to deliver actionable insight across your entire security environment.</p>
<p>Our XDR solution provides continuous detection of exposed assets and identifies threat actors that are attempting to breach them. Additionally, our XDR solution identifies assets that need urgent patches or other remediation for known vulnerabilities, allowing additional insight into the criticality of the exposed asset.</p>
<p>Following is a summary of recent attack scenarios and how the Anomali Platform has been used to quickly and efficiently detect and block adversaries. Before we start, let us summarize the initial reconnaissance questions that we have developed with CIOs, CISOs and their teams. Do you know your organization’s attack surface? Even more importantly, what assets in your organization are highly targeted, and who are the actors behind these targeted attacks? Can you continuously monitor the ever-changing landscape of actors and proactively block them? Are you constantly trying to reduce your attack surface? Are you able to quickly take prioritized actions to discover and secure your vulnerable or highly targeted assets when a new vulnerability emerges?</p>
<p><strong>Ransomware</strong></p>
<p>Log4Shell was exploited to target unpatched VMware Horizon servers. These attacks are a precursor to ransomware attacks targeting Log4j flaws in unpatched versions of VMware Horizon server.</p>
<p>We used Anomali XDR’s attack surface asset report to help our customers using VMware Horizon servers identify and remediate vulnerabilities in their externally facing and highly targeted VMware Horizon servers, thus securing their organization against ransomware attacks.</p>
<ul>
<li><a href="https://www.darkreading.com/vulnerabilities-threats/log4j-attacks-continue-unabated-against-vmware-horizon-servers" target="_blank">https://www.darkreading.com/vulnerabilities-threats/log4j-attacks-continue-unabated-against-vmware-horizon-servers</a></li>
<li><a href="https://slashdot.org/index2.pl?fhfilter=VMware+horizon+" target="_blank">https://slashdot.org/index2.pl?fhfilter=VMware+horizon+</a></li>
</ul>
<p><strong>BIG-IP Infrastructure Vulnerability</strong></p>
<p>A recent F5 BIG-IP vulnerability was discovered which, if exploited, allows attackers to run commands with root privileges on unpatched internet-facing BIG-IP servers. This vulnerability exposes many F5 servers, which are usually deployed close to the network edge of an organization. Days after being announced, this vulnerability had been exploited multiple times on exposed F5 servers.</p>
<p>Anomali’s customers who use affected F5 network servers were able to use our XDR attack surface asset report to identify and remediate their unpatched BIG-IP servers before being exploited.</p>
<ul>
<li><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-138a" target="_blank">https://www.cisa.gov/uscert/ncas/alerts/aa22-138a</a></li>
<li>From <a href="https://slashdot.org/index2.pl?fhfilter=Big+IP" target="_blank">https://slashdot.org/index2.pl?fhfilter=Big+IP</a></li>
</ul>
<p>Researchers are marveling at the scope and magnitude of a vulnerability that hackers are <a href="https://arstechnica.com/information-technology/2022/05/hackers-are-actively-exploiting-big-ip-vulnerability-with-a-9-8-severity-rating/" target="_blank">actively exploiting to take full control of network devices</a> that run on some of the world's biggest and most sensitive networks. The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5's BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of these F5 servers discoverable online, and F5 <a href="https://www.f5.com/customer-stories" target="_blank">says</a> they are in use at 48 of the Fortune 50 organizations. Given BIG-IP's proximity to network edges and their functions as devices that manage traffic for web servers, they often can see decrypted contents of HTTPS-protected traffic.</p>
<p><strong>End-Of-Life Software</strong> – We discovered that malicious actors from Russia, Iran and China targeted end-of-life Microsoft IIS 7.5/secure transfer software.</p>
<p>Assets running end-of-life (EOL) software are exploits waiting to happen. This is very common for assets that are accidentally exposed or are forgotten due to organizational changes, such as employee attrition or M&amp;A activity. Malicious actors target such assets to gain easy and undetected access.</p>
<p>We recently helped our customers identify such assets running end-of-life Microsoft IIS 7.5 software on Windows 7, enabling them to block attacks on exposed systems and to prioritize patching of affected systems to close the vulnerability.</p>
<p><strong>Compromised Credentials</strong></p>
<p>Compromised credentials are one of the most common and prevalent ways your attack surface is exposed. Bad actors use the stolen credentials to initiate brute force attacks on your infrastructure. More than 80% of hacking breaches happen using brute force or the use of lost or stolen credentials against internet-facing assets.</p>
<p>Using Anomali’s XDR asset report helped locate and remediate these assets.</p>
<ul>
<li><a href="https://www.darkreading.com/attacks-breaches/time-to-focus-on-compromised-credentials" target="_blank">https://www.darkreading.com/attacks-breaches/time-to-focus-on-compromised-credentials</a></li>
<li><a href="https://www.darkreading.com/attacks-breaches/compromised-credentials-show-that-abuse-happens-in-multiple-phases" target="_blank">https://www.darkreading.com/attacks-breaches/compromised-credentials-show-that-abuse-happens-in-multiple-phases</a></li>
<li><a href="https://slashdot.org/index2.pl?fhfilter=compromised+credential" target="_blank">https://slashdot.org/index2.pl?fhfilter=compromised+credential</a></li>
</ul>
<p>We hope that this has been helpful. Please let us know how we can help, including setting up a free test run in your environment. Our booth is #1743, located in the South Hall.</p>
<p>Ahmed Rubaie</p>
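<p>The attack surface asset report described above (internet-facing exposure, known-vulnerable versions as in the VMware Horizon and BIG-IP cases, and end-of-life software such as IIS 7.5 on Windows 7) boils down to a prioritization over an asset inventory. The following is an added, illustrative example and not Anomali's code: it ranks a constructed inventory by those criteria. The products "ExampleVDI" and "ExampleLB", their fixed versions, the point weights and the 90-day staleness window are all assumptions made for the example; only the IIS 7.5 / Windows 7 EOL pairing comes from the post.</p>

```python
"""Added example (not Anomali's product code): rank internet-facing assets by
exposure, end-of-life status, known vulnerable version and staleness."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool
    last_seen: date  # last time discovery observed the asset


def parse_version(v: str) -> tuple:
    """'7.5.2' -> (7, 5, 2); parsing stops at the first non-numeric part."""
    out = []
    for part in v.split("."):
        if not part.isdigit():
            break
        out.append(int(part))
    return tuple(out)


# Constructed reference data. IIS 7.5 on Windows 7 is the EOL combination the
# post names; "ExampleVDI"/"ExampleLB" are placeholder products and their
# "fixed in" versions are invented, standing in for a real vendor advisory.
EOL_SOFTWARE = {("Microsoft IIS", "7.5"), ("Windows", "7")}
FIXED_IN = {"ExampleVDI": "8.2.0", "ExampleLB": "16.1.2"}  # affected if older
STALE_DAYS = 90  # assumption: unseen for this long suggests a forgotten asset


def is_eol(asset: Asset) -> bool:
    for product, eol_version in EOL_SOFTWARE:
        want = parse_version(eol_version)
        if asset.product == product and parse_version(asset.version)[:len(want)] == want:
            return True
    return False


def assess(asset: Asset, today: date):
    """Return (score, reasons) for one asset; higher score = fix first."""
    score, reasons = 0, []
    if asset.internet_facing:
        score += 50
        reasons.append("internet-facing")
    if is_eol(asset):
        score += 30
        reasons.append("end-of-life software")
    fixed = FIXED_IN.get(asset.product)
    if fixed and parse_version(asset.version) < parse_version(fixed):
        score += 40
        reasons.append(f"known vulnerable (fixed in {fixed})")
    if (today - asset.last_seen).days > STALE_DAYS:
        score += 10
        reasons.append(f"not seen in {STALE_DAYS} days (possibly forgotten)")
    return score, reasons


def prioritize(assets, today: date):
    """Rank assets by descending score, then hostname for a stable order."""
    ranked = [(a.hostname, *assess(a, today)) for a in assets]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


TODAY = date(2022, 6, 6)  # the post's date, used as the reference point

# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("vdi-01.example.com", "ExampleVDI", "8.1.0", True, date(2022, 6, 5)),
    Asset("lb-edge.example.com", "ExampleLB", "16.1.2", True, date(2022, 6, 5)),
    Asset("legacy-ftp.example.com", "Microsoft IIS", "7.5", True, date(2022, 2, 1)),
    Asset("intranet-wiki.example.com", "ExampleVDI", "8.1.0", False, date(2022, 6, 5)),
]

if __name__ == "__main__":
    for host, score, reasons in prioritize(SAMPLE_ASSETS, TODAY):
        print(f"{score:3d}  {host:28s}  {'; '.join(reasons) or 'no findings'}")
```

<p>An internet-facing patched load balancer still surfaces (exposure alone scores), but the forgotten EOL host and the unpatched VDI server rank above it, which is the ordering a remediation queue should reflect.</p>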
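<p>The compromised-credentials section says stolen credentials are replayed as brute-force attempts against internet-facing assets. The detection side of that, as an added example that is not part of the post or of Anomali's platform: a small detector over constructed authentication log lines that separates a single account hammered from one source (brute force) from one source cycling through many accounts (stolen credential lists), and records whether a success followed the failures. The log format, the thresholds and the source addresses (documentation ranges) are all assumptions of the example.</p>

```python
"""Added example (not Anomali's code): flag brute-force and credential-stuffing
patterns in authentication logs, using a constructed log format."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> auth: <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, fail_threshold: int = 5, user_threshold: int = 3):
    """Group failures by source address and flag:
    - brute-force: at least fail_threshold failures from one source
    - credential-stuffing: failures against at least user_threshold accounts
    Also note whether the same source later logged in successfully."""
    fails = defaultdict(int)
    users = defaultdict(set)
    success_after = defaultdict(bool)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line, skipped rather than crashing the pass
        src = ev["src"]
        if ev["result"] == "FAIL":
            fails[src] += 1
            users[src].add(ev["user"])
        elif fails[src] > 0:
            success_after[src] = True  # success following earlier failures
    alerts = {}
    for src, count in fails.items():
        kinds = []
        if count >= fail_threshold:
            kinds.append("brute-force")
        if len(users[src]) >= user_threshold:
            kinds.append("credential-stuffing")
        if kinds:
            alerts[src] = {
                "failures": count,
                "accounts": len(users[src]),
                "kinds": kinds,
                "success_after_failures": success_after[src],
            }
    return alerts


# Constructed sample log: one source brute-forcing "alice" and then succeeding,
# one source trying four different accounts once each, and one benign typo.
SAMPLE_LOG = """
2022-06-06T09:00:01Z auth: FAIL user=alice src=203.0.113.7
2022-06-06T09:00:02Z auth: FAIL user=alice src=203.0.113.7
2022-06-06T09:00:03Z auth: FAIL user=alice src=203.0.113.7
2022-06-06T09:00:04Z auth: FAIL user=alice src=203.0.113.7
2022-06-06T09:00:05Z auth: FAIL user=alice src=203.0.113.7
2022-06-06T09:00:06Z auth: FAIL user=alice src=203.0.113.7
2022-06-06T09:00:07Z auth: OK user=alice src=203.0.113.7
2022-06-06T09:05:00Z auth: FAIL user=bob src=198.51.100.4
2022-06-06T09:05:01Z auth: FAIL user=carol src=198.51.100.4
2022-06-06T09:05:02Z auth: FAIL user=dave src=198.51.100.4
2022-06-06T09:05:03Z auth: FAIL user=erin src=198.51.100.4
2022-06-06T09:10:00Z auth: FAIL user=frank src=192.0.2.10
2022-06-06T09:10:30Z auth: OK user=frank src=192.0.2.10
""".strip().splitlines()

if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(src, info)
```

<p>The "success after failures" flag is what turns a noisy alert into an incident: a source that failed repeatedly and then logged in is a compromised account until proven otherwise, whereas the single-failure-then-success case is left alone.</p>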
