THE TIBERIUM BLOG - recent events, threats, and all things cyber

Cloudburst

Kevin Whelan - Chief Research Officerby on Categories Tiberium Tuesday

A very long time ago, 2016 in fact, some of us spoke at or attended a security event which was themed on not letting a cloudburst rain on your parade, the premise being that leaping into Cloud deployment presented many risks including: 

  • Connectivity between legacy infrastructure and the Cloud
  • Continuous management of the admin and configuration settings of a cloud environment
  • The opportunity for security issues to be introduced by haste (Agile development for instance)
  • The use of shared libraries and code without a full understanding of the resource set
  • Development and production environments not effectively separated at all levels
  • Wide open security controls between front/middle/back ends
  • Lack of documentation or understanding of the entire system
  •  No security playbooks in the event of everything going the way of the pear (pear-shaped)

None of this has changed. However, some clouds do have silver linings, one of which might be to reflect on the potential security issues and use your barometer, weather rock and wet weather gear appropriately. 

Cloudy?

You would have to have been fully immersed in Half-life: Alyx on your Occulus Rift or perhaps Beat Saber (destroying your house by accident) for the last month or so (easily done of course, especially during these strange times) to have not read about the SolarWinds compromise, in which some very serious actors compromised the code of SolarWinds which was then installed on the management systems of many organisations including US Government agencies (the Treasury, no biggy!).

This week the magnificent anti-virus outfit, who have saved many a desperate soul, MalwareBytes reported that they had been infected in this breach, just as FireEye did in December. Massive kudos to both organisations for their approach to this pestilence.

The infection of technology companies (Symantec also reported) could well be the silver lining to this Cloud. How so? We hear you ponder.

Setting aside the nature of people who work in security companies (tenacious, obsessed, mostly loyal, not good when angry, take everything personally, etc.) you don’t have to be a card carrying genius to work out what might happen when you breach FireEye for instance, who of course acquired the planet’s best forensic cyber business Mandiant in 2004, in fact, Kevin Mandia (not going to spell it out) is the serving CEO of FireEye.

That’s right. They are going to look under every rock, every stone, everywhere so that they totally understand the situation. And then, since they are professional and good citizens, will share the details (or most of them) with everyone who wants to listen (not as big a list as it should be).

This is very good news for the cybersecurity world and much less so for the adversary, who, it seems, has chucked the kitchen sink and a lot of very special homemade toys at the project. This mission’s brutal scale suggests that it was ‘now or never’ for whatever shady reason. The target breadth to include government agencies and cyber companies clearly shows off sitting on a humungous pile of never before seen exploits or a Joker being played (more about a so-called Joker later). Who knows, it might have been related to the American election!

This week, now in ruthless pursuit mode, FireEye provided details of multiple techniques used by the attackers, they have slides for download should you be interested and if you have made it this far through the blog, you clearly are.

To us, the standout infiltration methods in play are the manipulation of on-premise Active Directory together with a manipulation of Azure using “Golden SAML” attacks to create highly privileged applications. They effectively backdoored M365. Cunning, very cunning, bypassing 2FA and becoming almighty in one go. Total skills.

Diligent readers will recall our first bullet above “Connectivity between legacy infrastructure and the Cloud”. It really is a thing and will continue to be.

At Tiberium, we have vast experience with on-premise and cloud systems. Our managed service is designed from the ground up to Prevent, Detect and React to attacks (as automatically as possible or tolerable to your business).

Clearly neither our Faberge Russian crystal ball or our mystical Chinese Ming vase will reveal forthcoming nation state zero day attacks.

We can assure that our thorough approach to onboarding, best practice hardening, monitoring of controls (such as administrative privileges) and least trust between legacy and new cloud systems will provide a solid foundation for securing, monitoring, and controlling your environment. This is supported by automated response, extremely rapid reaction to novel attack techniques and a bunch of highly experienced cyber professionals.

We would really appreciate the opportunity to show you our technology of which we are very proud. We will even provide the coffee to enliven an online call should you wish!

We promised some news of a Joker, and here it is. Many of you will know about the largest’ Credit card for sale’ dark web site ‘Joker’s Stash ‘. Turns out that the Joker himself has been a little bit poorly and is shutting up shop. Great news.

We don’t have Occulus devices at Tiberium and The Old School seem to be obsessed with the 1991 game ‘Lemmings’, seemingly without irony.

Back to the Batmobile. Please test your wet weather drills.

Share on: