Unified threat management firewalls, endpoint protection, and email gateways are all designed to protect the network from outside threats. Security awareness training is designed to educate employees about how to spot threats and become instrumental in defending against threats.

The issue at hand is that no matter what security defenses are in place, corporations still need to follow a zero-trust mentality to safeguard customers, employees, and proprietary information. The threat that can be one of the hardest to protect oneself against is the threat from inside the corporation. For the most part, this is not part of a malicious plan, but one of human error, or the result of a third-party breach.

On the other hand , employees can be duped via social engineering or phishing;, even experts within the security industry have been victim to this. Hopefully, when this occurs, the employee reaches out to the IT team to let them know that they provided their credentials to a fake website or that they clicked on a link that they should not have. What happens if one of your employee’s credentials has already been part of a previous breach?

In the last couple of weeks, there have been numerous reports of stolen information that are available for sale on the dark web, and either you or your co-workers could be among them. If you’re concerned, you can check to see if your credentials were disclosed by going to haveibeenpwned.com. You may find the results surprising , and maybe even a little scary.

The other potential weakness is the mass migration to working from home due to COVID-19. Organizations implemented collaboration and meeting tools rapidly, and employees had to use their existing internet connection from home, which may not have a robust firewall and often have a shared (family) connection.

Reviewing the log files from your employee’s desktops and laptops is critical; they are the breadcrumbs of activity and can be essential in determining if there is an active threat on your system.

A threat actor can gain entry to your network using a username and password and then try to gain privileged access to the more sensitive information on your network, such as financials, customer list, or proprietary and patented information to sell for profit.

Snare Central is one of the few systems that can provide an early alerting system for unusual activity by a user or if a user is attempting to escalate their privileges with little configuration . The bonus is the event logs are transmitted in real-time, ensuring that the threat actors cannot cover their tracks.

Integrating Snare Central with your SIEM/UEBA will provide a robust monitoring system to safeguard your organization from an insider threat.

The year of 2020 has been a tough time for many and will be remembered for a while given this global pandemic where we have not seen anything like it in over 100 years. The impacts of COVID-19 will be talked about for many years to come.

Given the nature of the modern world and how we are all interconnected, the bad guys waste no time in coming up with new and innovative ideas on how to scam or cause havoc with peoples personal lives as well as finding new ways to extort money from individuals and businesses. The COVID-19 pandemic is just another way they attack everyone for some form of gain. There are been hundreds of phishing attempts and ransomware attacks trying to gain access to peoples and business.

The US Cert put out a recent announcement on the 5th of May 2020  https://www.us-cert.gov/ncas/alerts/AA20126A that details some of the new APT threats that exist for the healthcare and essential services industry. All industries need to keep a heightened awareness of what is going on with their environments. Obviously and cyber incidents to the healthcare industry would severely impact the critical care they provide to the populations of the world during this pandemic. Many of the systems that are used for critical care run on windows-based platforms which can be susceptible to malware and ransomware attacks. Some regions have already seen these impacts not long ago which caused large number of systems and services to be shutdown.

The CERT advisory has many good recommendations and mitigations that all businesses need to review and check that they are doing enough in these areas. They are worth reading for everyone:

A number of other mitigations that can be of used in defending against the campaigns detailed in this CERT advisory are as follow:

While most of this is good cyber hygiene it may highlight some weakness with the corporate environment that needs to be addressed. In particular, Snare are specialists in security monitoring capabilities. We often see organisations that only collect logs from a small subset of systems. Often some server infrastructure is not even monitored. As many know the end user is often the weakest link in the corporate network and their systems are not monitored at all. Users can receive emails and attachments from various sources and click on things they should not. While security awareness campaigns, anti-malware protection and other technical controls help, things often happen that were unexpected which then allows the bad guys in. Anti-malware protection and technical controls are not infallible, and threats get through. In the case of healthcare systems like MRI scanners, ultrasound, respirators etc. they are often running older operating systems and not fully patched and won’t allow anti-malware tools to be loaded as the vendors won’t warrant the system if things change on the system, it could impact on its performance or operation. Then there are the business and finance systems which are also connected to the corporate networks and can be vulnerable. In years long past this may have been an acceptable risk but now with everything connected to the corporate network it allows for easy propagation of worms and ransomware and other APT threats. Many healthcare systems have been impacted on this. Upgrading this technology is expensive when compared to IT systems but so it the mass disabling of the systems from an incident as the impacts are much larger when peoples’ lives are at stake. APTs often gain access and sit quietly for months or years before they activate and quietly trickle information out of the business.

At Snare we have many technologies to help customers make sure they can monitor as much of their environment as possible. Having the forensics to help in any incident or APT threats that are trying or have gained access to the business systems is a critical part of any incident management and response. We need to know:

  • how they got in – via networks, VPN, system remote access, web server, database, application exploit, lost user id and password information, etc.
  • what they did – did they just read data, change it, ex-filtrate and steal intellectual property (IP), what commands they ran, etc.
  • when they did it- what was the sequence of events and actions they performed, how did they pivot from system to system to get to the target, this also means having accurate time and using things like NTP from a trusted source on all systems.
  • the why – often this can be financial like ransomware to encrypt your systems then ransom your for money, if it’s for stealing your IP then its espionage related if you are a research company which is often financial in a way as they think it’s easier to steal then invent on their own.

Businesses in the healthcare industry may also have HIPAA and other regulatory requirements depending if they operate in the USA or other parts of the world. For more information refer to https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. However, in general the controls need to cover various technical security requirements are:

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Transmission Security

So Snare agents and Snare Central are core components to our solution to help with the forensic collection of audit log data from servers, databases, desktops and other syslog devices like firewalls, routers, switches then keep them in Snare Central for long term storage, reporting and analysis. The access to the data is secure and away from the system that generated the data. The integrity of the data is monitored and reported on if changed, and the transmission security of the audit log data is protected with encryption. We can collect all the core operational security events and other application data for all systems in an enterprise. Having this data all collected and stored away from the systems that generate the event is critical in managing the cyber operations of businesses. By collecting the log data in near real time there is less opportunity for the bad guys to delete all the activity they performed on the system. Once they fully compromise the system via some exploit or zero-day vulnerability they can do whatever they like. But if the data was collected up until the point they break the system, it gives the security teams evidence of what happened and how they got access to the system. Snare Central allows the customer to store the logs for as long as they need, and they can grow the system at any time to use more disk as needed with no additional cost.

From other aspects of monitoring user activity Snare can track critical files and registry settings, Snare SQL agent monitors all MSSQL activity in a database to see which users accessed or changed any data in the MSSQL database. Besides all user activity all commands like select, insert, update, delete and table calls, like create, drop, truncate, etc. can all be tracked. We have some good white papers on how to setup FIM, FAM, RIM and RAM settings using Snare.

https://www.snaresolutions.com/products/snare-agents/

https://www.snaresolutions.com/products/snare-central/

https://www.snaresolutions.com/portfolio-item/how-snare-makes-fim-easier/

https://www.snaresolutions.com/portfolio-item/complying-with-iso-27001/

So, if your healthcare environment has gaps in its cyber security logging posture and you want to do more to monitor your systems or your research organisation then please contact our friendly sales representative in your region.

In 2017 defense contractors became subject to a cybersecurity mandate by the Federal Government, starting with the Defense Acquisition Federal Regulation Supplement.  DFARS required DoD Contractors to adopt cybersecurity standards according to the NIST SP 800-171 Cybersecurity Framework.

On January 30, 2020, the Department of Defense  released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) to ensure cybersecurity controls and processes would be put in place to protect controlled unclassified information (CUI) on DoD contractor systems.

CMMC will be mandatory for 300K Government Contractors, establishing cybersecurity as a foundation for future DoD Acquisitions.   This imposes cybersecurity requirements on a large base of contractors that has never dealt with Federal Contractor Information (FCI) requirements.

CMMC requirements will flow down to all subcontractors from prime contractors.  All future RFPs will require adherence to various levels of CMMC.  Government Contractors will have to pass a CMMC audit so they can become certified and continue to offer their products and services to the DoD.  The required CMMC level will be a pass/fail evaluation at the proposal stage for contract awards.  Contracts will not be awarded to organizations that do not meet the required level.

Between June and September of 2020, the initial round of audits will begin for a select number of Department of Defense Programs/RFIs, with the required CMMC Levels identified. A CMMC 3rd Party Assessment Organization (C3PAO) will ask Defense Contractors to prove how they process, store and transmit Controlled Unclassified Information (CUI).  Government Contractors will need to be certified to the required Level in order to receive and bid on the RFP.

The timing of Accreditation Audits is now projected to be Q4 2020 (Calendar) going forward, with RFI’s including CMMC references as early as June and RFPs including CMMC references by Q4.

CMMC requires policy, process and plan documentation covering all security domains

The CMMC Model has 5 Levels with a number of defined Practices and Processes in each Level

NIST Controls
Level 1 17 Basic Cyber Hygiene Basic safeguarding of FCI
Level 2 65 Intermediate Cyber Hygiene Transition step to protect CUI
Level 3 119 Good Cyber Hygiene Protecting CUI
Level 4 123 Proactive Protecting CUI and reducing risk of APTs
Level 5 128 Advanced/Progressive Protecting CUI and reducing risk of APTs

 

Government Contractors can use the “Self Assessment Handbook – NIST Handbook 162” provided by the National Institute of Standards and Technology (NIST).

CMMC Level 3 is based on compliance with NIST 800-171, plus 20 additional Practices, including the following:

Access Control:

  • Limiting information system access to authorized users
  • Separating the duties of individuals to reduce the risk of malevolent activity
  • Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
  • Prevent unauthorized access using authentication and encryption

Audit and Accountability

  • Create and retain system audit logs and records to enable monitoring, analysis, investigation and reporting of unauthorized system activity
  • Review and update logged events
  • Alert in the event of an audit logging process failure
  • Collect audit information (logs) into one or more central repositories
  • Protect audit information and audit logging tools from unauthorized access, modification and deletion
  • Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity
  • Provide audit record reduction and report generation to support on-demand analysis and reporting

Media Protection

  • Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport
  • Save security event log data in one or more central repositories

Recovery

  • Regularly perform complete, comprehensive and resilient data backups

Security Assessment

  • Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls

Level 3 of the CMMC model specifically points to the requirement for Security Event Log Management Software.

Prophecy International has been providing Event Log Management Solutions to the Intelligence Community, Military, Non-Military and Government Contractors for over 15 years, and continues to invest in software that supports event log collection, forwarding, analysis and reporting.   SNARE Enterprise Agents and Log Management Servers will help government contractors address CMMC Level 3 Requirements.

More information about SNARE Log Management Software can be found at www.snaresolutions.com, with options for a software demonstration and free supported software trials.

AustCyber did a piece on Australian companies and listed Snare among those with strategies in place to cover your remote workstations. You can find the article on their site and if you want to learn more about how we can help you collect logs from remote workstations, reach our and contact our helpful staff or request a consultation with one of our senior engineers!