Proactive Cybersecurity Against Threats - Reactive Cybersecurity

March 2, 2021

The Cyber Rants Podcast

Episode 18 - Proactive vs. Reactive Cybersecurity

There is a lot of talk about "proactive cybersecurity against threats" but what does that really mean and is it better than reactive? On this week's show, the guys discuss proactive versus reactive cybersecurity considerations and where to focus.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber security criminals and now here's your hosts mike rotondo zach fuller

and lauro chavez hello and welcome to the cyber ants podcast this is your co-host zach fuller

joined by lauro chavez and mike rotondo mike why don't you kick us off with the news today good

morning some headlines today i think i got 13 or 14 of them the first one is researchers uncovered

a new malware builder dubbed apo macro split it's used to create weaponized excel documents

they've seen this in the wild already experts warn of threat actors abusing google alerts to

deliver unwanted programs what's happening here is clicking on links sent by google alerts related to

matches and fake stories uh users are redirected to malicious websites so be careful out there new

silver sparrow malware in facts 30 000 max for unknown purpose there's uh malware out there

they've detected about 30 000 devices across 153 countries primarily in the united states and uk

it's delivered it's distributed two different files updater pkg and update pkg or dot pkg

and uh no one knows what it's there for so interesting from the creepy side of cyber

criminals if there is such a thing a nursery cam daycare cam server shut down after security breach

uh this is a service in the uk apparently someone had breached the system and was watching

children's sleep so yeah you go shadow attacks let attackers replace content and digitally sign us

pdfs uh basically what's happening is that they're able to create a pdf with

two different contents one is of the party expected to sign something the other pieces

of hidden content that that's displayed once the pdf has signed and they're using this as

a back door these hackers sell network logins to the highest bidder and ransomware gangs are buying

we now have a new development in cyber criminals that we now have brokers that break into networks

rather than exploiting the campaigns they just resell them to middlemen access to remote desktop

protocol rdp is the most sought after listing obviously uh but yeah this is a new a new thing

uh i think a couple weeks ago we talked about the the malware the cyber criminals that were stealing

other criminals credit cards that they'd stolen well now we've got brokers selling access bitter

apt enhances its capabilities with windows kernel zero day exploit there's a new exploit new zero

day that supposedly was patched february 2021 so sometime this month it was patched uh it's

exploit cve 2021-1732 needs to say another microsoft exploit um legal firm leaks 15 000

cases via the cloud an unsecured aws s3 bucket containing 55 000 documents is left wide open

uh so be careful with your legal providers out there abt-32 state hackers are targeting human

rights this comes from amnesty international which said that uh certain bloggers i've been receiving

spyware email emails containing spyware between 2018 and november 2020. 100 and this

one blows my mind 119 000 threats per minute were deducted detected in 2020. i said that seems low

yeah email born threats such as fishing attacks accounted for 91 percent of the 62.6 billion

threats blocked by trend micro last year this is just trend micro's number so yeah it probably is

well nearly 14 million unique phishing urls is detected by the company with home networks

being the primary target uh this is scary the home the cyber attacks on home network starts

210 percent year-over-year to just under 2.9 billion vast majority strikes however are

against brute forcing logins on smart devices and routers so make sure those are secured make sure

you get a long password uh make sure you change it every once in a while microsoft president

asked congress to force private sector orgs to publicly admit when they've been hacked okay

well when microsoft admits it then we'll admit it uh smith argued it's time not only to talk about

a way to force uh private entities to admit publicly that they've been hacked so that's some

more good news from your government there's two note stories that came out about critical flaws

in the vmware esxi vsphere clients basically patch it immediately the error allows unauthorized users

to send specially crafted requests which will later give them an opportunity to

execute arbitrary commands on the server and it is accessible from the internet and has been seen in

the wild so um check out that headline in the blog um microsoft lures populate half of credential

swiping phishing emails according to researchers beyond the 45 percent of credential stealing

phishing attacks targeting microsoft basically microsoft's a huge target and uh always will be

and that includes sharepoint onedrive and office 365 but they're also attacking google forums and

adobe file sharing services but microsoft is the big target out here lastly criminals

are targeting quickbook databases there's two different attacks there's a powershell command

that runs inside the nemosis email and the other one is a word document that has a malicious macro

or link in it so if you got quickbooks be careful and with that said laurel anything you got for us

yeah i got a few things i got a shirt design um idea for anybody out there listening that wants

to make me a shirt i i'd like a can or a ryu from street fighter shooting at a fireball only it says

powershell i think that'd be cool anyways uh so for this week really is only one thing to talk

about um so if you're not if you're not familiar with uh with raxis uh their their security

firm specializes in penetration testing one of their senior guys um ryan matt dunn i was able

to produce a really cool metasploit module that takes advantage of the remote desktop web access

uh client so when you've got rdp open you can enable that web access portion of that and so this

is an authentication timing attack and it's just it's a it's a really cool it's it's a really cool

method to validate um user names that you might have for admins and stuff like that and so uh

it's not verified but just taking a look at all the the python 3 code that it i mean it

i can't imagine it wouldn't work but i'm really excited to try this out so i'm trying to get up a

windows 10 vm spun up so i can i can see if this if this actually um works is designed

uh but for everybody else out there make sure that your windows desk if you're running rdp external

at all make make sure you've got some form of security boundary in place to protect that whether

you're using whitelisting or hardware certs or vpn or however you're doing it i just know that these

these these types of attacks are becoming more prevalent especially from a proof of concept

perspective and now they're just adding these to the they're just building metasploit modules

for you so cool stuff that's all i got before we dive into it mike i can't help but bring this up

for the people on office 365 because i hear about it over and over and over again just heard about

another one please please please make your users use hard passwords and two-factor authentication

with the authenticator app not text to your cell phone because office 365 continues to get breached

left and right like crazy it's just it's just nuts but you'd be amazed how many organizations are not

using the basic security features uh to prevent this just wanted to throw that out there hopefully

it saves somebody from getting an email compromise and sending out wires to um malicious actors

that said that dovetails right into our topic today and the topic is all about reactive versus

proactive security but what does that mean you know you hear a lot about proactive security

and being proactive with your security program and all those things but very few people stop

and really talk about that and define the the difference and talk about both sides

of the equation right so that's what we're here to answer today and i think just to talk on the

proactive side briefly and kind of what what that's generally uh used for in in in terms of

content on websites and blogs and everything else are generally talking about proactive being you

know getting in front of the threat as meaning the threat being an attacker but i would argue

that it's also getting in front of security questionnaires coming down before they come

down to your organization right so growing tech companies for example right getting in front of

compliance requirements before there's an audit those things i think also need to be taken into

account so that's what we're here to talk about today mike lauro any thoughts any any ideas start

out on on recommendations on how to look at each and where you really need to be focusing

the majority of your time or at least how to balance your time between the two

good topics zach i think to talk about it i think a lot of organizations may

you know may be in various i mean they're all in various you know places with this right with cyber

security both you know from understanding it to just getting some base level tools

installed where they're you know really kind of reactive and and sort of just trying to understand

the data that the tools are delivering and that if you're there um and you know we i'm sure we'll get

into a little deeper here but i mean just for high level right if you're if you're stuck in

that mode that's okay i think a lot of a lot of organizations are you know you have to kind of

go through this evolution right where you you know you don't know what's going on you get

some tools now you have a lot of data you're not quite sure what's going on um and then you know

now once you once that once the dust settles on that you can begin sort of a proactive um posture

now um but while you're being reactive and while you're still trying to understand the data that

you're getting today with maybe new tools or new capabilities telemetry that you may have installed

make sure that you're thinking ahead right you also need that parallel track because

defensive and reactive is not near enough you need to have that proactive visibility toward

attack surface modeling and threat hunting and those sorts of things yeah absolutely um i think

we we have the uh technology aspect and then the governance aspect as well and i think that's what

a lot of the tendency to be reactive in nature from a cyber security perspective is because the

strategy and upfront planning hasn't been done for the organization

uh and and so that just kind of forces them into default mode i think by

by default the reactive mode is is kind of you know the way companies will operate if they don't

actually take the time to stop and think through their program and start to formalize that program

and it's not just on the technology side but also we have to look at the human element

right in a big way equipping them so there's lots of information out there on security awareness

training and such one you know that's not the purpose of today's episode but that's a big factor

i think in in uh trying to get ahead of threats um looking at it from all angles of the organization

uh rather than waiting for a tool to pop up a red flag and saying oh wait now we got to

investigate this so it's an interesting thing and then you know but on on the reactive side

there there's certainly a need to define that as well right where we see a lot of

organizations fall short is in their incident response planning for example

if something happens they don't necessarily know how to quantify it how to how to classify it

and as a result they don't know the appropriate actions to take uh and are kind of [ __ ] caught

off guard completely uh that's that can be a very very big problem so i think that

there's a certain amount of consideration that needs to go into the reactive side as well but

um how to blend the time i i don't know if there's a i don't know if there's a magic

answer for that you know where do you spend more of your time so for your ir and dr plans which

are arguably reactive plans but there's a proactive component to it and that's

the blend is proactively we're going to test this we're going to do tabletop exercises occasionally

we're going to do a full failover to our hot site we're going to have our workers work remotely

one day this week just to verify although this is less relevant now because most people are just

to verify that our infrastructure can handle it right we ran into this prior to covid and

we had a client that swore up and down they would have no problem and all of a sudden covert hidden

went they went all crap nothing's working so um that's the proactive side of that reactive piece

right and so you know what they say about assuming it makes butts out of everybody

anyways you know it you know you're right zach a lot of organizations they they don't know this i

mean out of all the clients that i've ever worked with i've only ever been outside the department

of defense only ever been with one public sector client that was like we're gonna build something

that sounds like a cool idea how do we secure it from the get-go it's only happened one time

one time right um so i wish it was more common but everyone else seems to speed to market and

then realize that in order to obtain a hold in you know maybe some places or into some

larger companies they they have to meet you know these these sort of compliance regulations and

that is like you said that when they begin the whole pathway of like oh we want the sale so how

do we how do we implement security and they'll be reactive and then that'll be a bare minimum right

isn't that kind of how the tone goes right well how can we what's the cheapest way we can do this

and meet the meet this initiative um as opposed to looking at the what what the principle should be

is how do we secure our business so that we don't have a loss of integrity we don't have a lot of

customers we can maintain that you know we've we've thought about this from the get go right

it's when we look at it from a reactive from a perspective of an attack happening or some

sort of potentially malicious activity uh you know something out of the norm that's that's one side

of the equation but another thing that can be detrimental is like you said when when all of a

sudden a company is reacting because a prospect a prospective client engagement is on the line right

and they could lose that i think where that can be detrimental from a revenue perspective is that

it you know the companies spend all this time building beautiful websites great user interface

everything is really dialed in they got their sales process set everything's looking good so

on the front end um that their their prospects say okay all this looks good but as soon as they pull

back the curtains the very next thing they're going to look at is a cyber security program

and when that's not in line and the company can't show it that undermines all that other

work that they did and they can lose the client i mean it happens it happens daily

uh out there and so that that can be tremendous in terms of looking at you're looking at um

you know the the risk factors it's not just a risk factor from a breach it's opportunity costs lost

revenue right and and um money spent on trying to acquire clients that don't come through because

you get stuck in the vendor vetting process and they go elsewhere um not to mention that they're

willing to pay more for companies that are secure that are really dialed in do have their ducks in

a row from a security standpoint so we see that uh regularly out there in the markets phase in

the b2b b2b environments especially supply chain security that's what they're calling

it right they want all the third parties that are involved in you know providing something

technical for your business is that technical supply chain they want those all to be secure

you know secure third parties right they're gonna assess you and and and they're gonna expect you

to um you know to answer properly or like you said they'll they'll pay more to not have their

the integrity loss uh to their business brand yeah absolutely yeah um but you know i mean

it's it's interesting and you know even even security tools i'm gonna throw this out here

right we we get we get pitched cyber security tools a lot because we're a cyber security firm

right and there's a lot of cool stuff out there and what is the very first thing we ask well what

are you doing on the behind the scenes have you had a pen test can we can we talk about methods

you're using today to secure you know access controls inside the code of the application and

today we've we've not had a solid answer even from organizations that are building tools that you

know cyber security professionals and team cyber security teams would use for their businesses

it's kind of interesting right you still have that that kind of method of thinking um out there

even even with the prevalence of cybersecurity today and the need for it yeah absolutely i mean

in in in kind of looking at it in a in a linear fashion let's talk a little bit about

how companies should get into a more proactive state as an organization

while still having the reactive side covered right because you can't stop everything um nothing's 100

secure so you need you need the reactive side but let's let's talk a little bit about about um you

know from getting getting from point a to point b in this and that's uh you know for us it's always

starts with clients with pretty much anybody that we're working with on an ongoing basis to build

a formalized security program we need to start out by choosing an industry standard framework right

doing a risk assessment a gap analysis against that framework and then creating a roadmap with

a plan of action milestones to move forward right so to me um and certainly opened it to

your thoughts but to me it's the the step number one priority number one is creating clarity across

the org the entire organization understand where you are today where you need to go and and plot

the route to get there and then from there and i'd even say in parallel we're already starting

to do some preventative measures right getting to understand the environment doing pen testing doing

vulnerability scanning understanding where the potential attack surfaces are to to seal those up

um and and then that that kind of gives us the we call it the system's triage phase right trying to

get under understand what the low-hanging fruit is what attackers are seeing um or could potentially

see and then taking care of that first right it's kind of the immediate because they're the

the implementation of everything else is going to take take a while but at least we can kind

of cover the basis uh first and to me i think that's the kind of the first phase of proactive

cyber security any any other thoughts on that any any ideas yeah i mean you know i think you know

you make a good point so if we look at other just common things in the world like

um if you have a cdl right for those of out there that have cdls before you can

move that that commercial vehicle anywhere there has to be an inspection done on it you have to

go around and make sure all the lights work right make sure you've got air in the tires and there's

just there's a you can't just same thing for pilots you can't just get in hit the button and go

um we should think about technology and delivering you know these types of

built for purpose uses in the same manner and to zach your point you know i i would i agree

with you that is absolutely the plan but before that i'd say step zero has to be commitment right

and we've talked we taught this before you you have as a business as a leader you have to commit

to cyber security because once you get that gap assessment there are no more there there is no

more ability for for plausible deniability right there are no not going to be any unknowns anymore

they're going to be unknown unknowns but you're gonna now see where you where you sit against a

framework and it's most times it's gonna be on the low bar and you're gonna need to you know start

making that that stairway to heaven so to speak and so that that's gonna take time and it's going

to take patience and it's certainly in most cases going to take a little bit of money being moved

around in certain aspects depending on what you've done already sometimes not so much sometimes a lot

more but i think that commitment piece is key would you agree yeah it has to start with uh it

has to start with a leadership decision commitment and then that has to be articulated well to the

rest of the organization because everybody's going to be involved and have some level of of

capability in terms of preventing cyber attacks right totally and at the other side of the coin

right once you've done all this you know because we've talked a lot there's probably a lot of

organizations listening to this that are you know in this probably spot but there's probably

a small aspect that have already gotten through all this they have the road map

they've got a team they've got telemetry they're investigating they're writing tickets right

they're chasing ghosts in the machine they're getting to the point where they're starting to

parse out the data that's meaningful to them in a dashboard style so that they understand

you know from from from millions and or billions of bytes of data what's really

meaningful right the actual couple kb that's actually a meaningful thing

they're getting to that point and i think it's it's a good thing for them to know that that's

you know that's great that you're there but you know it's like getting to the top of mount

everest that's fantastic now you've got to go back down so don't don't forget that there's still you

know there has to be that proactive window that we've talked about right threat hunting

maybe consistent penetration testing campaigns with you know automated tools

that are going out there you can certainly use automated bots to do a lot of work for you

um and the more often you do it the the the more you're going to know about the organization so if

you're to that place right if you've already got the maturity there and you've got an attestation

to a framework and you've been doing it for a couple years and your teams are starting to

kind of plateau on chasing ghosts in the machine and actually ignoring all that stuff and now your

telemetry is giving you really meaningful data that's you know even before this though but it's

hard for organizations to start that proactive piece with threat hunting and all those things

while they're still just trying to understand the tools they have um

perfect world you would be doing both at the same time but if you're if you've plateaued that's

where you need to start looking for advanced threats and those things in the architecture

that may not be visible to the automated tools where you're going to need domain knowledge

of the deployed architecture to understand what weaknesses may exist right real real threat honey

well then staying over vigilant just telling off what you were saying is is the key right you're

never cyber you're never secure there's always a threat that as we you know know in the headlines

they're evolving daily if not hourly um so you got to stay up you got to stay up you got to

stay on trends you got to stay trained you got to stay you know in the news you got to

read what's going on and and stay proactive from that perspective as well keep your people engaged

send them the training send them the seminars all those things keep keep you secure long term

and for those organizations that are uh have have a bit more matured cyber security program

like you're like you're referring to um that's outstanding but keep in mind too um there there

are there's always a next next evolution right of the program and a lot of times what we see

for organizations that have built a good program they're monitoring well they're they're being

proactive in their assessment of the organization testing of the organization um a lot of times the

next uh struggle is always staffing right and the the actual human element side and so that's

another thing when you're when you're at that point everything's looking really good we'll look

at start looking at the human element in more detail do we have redundancies in our subject

matter experts um how is our uh recruiting going right do we have a pipeline of of people that um

we could potentially work with if we lose somebody right what are what are those those backups in

place um and then also the the um managerial side or the the leadership side of it right are we

going to continue to get full buy-in i think one of the one of the things is that we look outside

of the organization for threats and such in terms of of trying to be proactive but then

we also have to look at the fact that you know i hate to say it but when nothing happens in cyber

security um a lot of times it gets you know kind of put put by the wayside right the executive

leadership will tend to just say well you know where else where can we cut costs here and there

we see this happen out there when things are going well from our perspective it means that

the rest of the organization doesn't have to hear about it right there's nothing there's nothing to

report because uh that you know there's no bad news it's a cyber security's offer an

afterthought until something breaks and then it's like well where are the security people

exactly exactly we have to have to remember that otherwise you know i hate to say it but funding is

going to dwindle support from the organization's going to dwindle so you have to be constantly

putting out that message internally don't think of your threats as all you know all as you know

um apts and such out there in the world and and you know nation state adversaries that are after

um you know money and everything else it's it's not that's not always the biggest threat for

organizations a lot of times it's internal know i think you also have to change the

mindset and think about that we're actually i mean it's really war it's cyber warfare out

there i mean these are people that are trying to take your stuff they're declaring war on you um

and i i think you know and you guys can speak this better than i can but you know if the army gets

complacent in the battlefield then it is apt to lose its edge and become you know ineffective and

it's the same thing with internal cyber security people and your cybersecurity thinking is if you

become complacent then problems are going to arise absolutely yeah proactive doesn't mean

outpacing the threats proactive means continually getting better yourselves as an as an organization

right regardless of what the the world around you is doing

um continuing to push um and i think that's true in any business or even with athletes and such uh

you know it's all it's all about that continuous improvement continuous focus rather than than

uh checking the blocks so that said we are there we could we could talk on all kinds of different

uh nuanced aspects of this but we're uh running out of time here any final thoughts for the day

uh you know one thing if you're if you're if you're to the point where you're doing you know

you've got your incident response you need to be running tabletop exercises make it fun

i like to uh those who get to work with me know that i do a d and d style kind of larp with the uh

with the incident response and the dr exercises and so you know think of things like this to

make it fun so it's not so um you know not so not fun that's it well also you know bring in a

third party to run it so you're not having you know the same people running the dr exercise

or the ir exercise that'll add it to us too of uh uncertainty as well that's a good idea great point

outstanding well thank you everybody for joining us today thank you for listening please rate us uh

rate the podcast let us know what you think let us know of uh topics you'd like us to cover in

the future and we will be happy to address those thank you so much have a great day take care bye

pick up your copy of the cyber ants book on amazon today and if you're looking to

take your cyber security program to the next level visit us online at www.silentsector.com

join us next time for another edition of the cyber rants podcast

Episode 18 - Proactive vs. Reactive Cybersecurity

Send Us Your Questions & Rants!

Categories

Archives

Transcript