Blog.

Today, Honeywell and Acalvio announced the launch of Honeywell Threat Defense Platform (HTDP) Powered by Acalvio. HTDP brings a new approach in the ongoing effort to secure Operation Technology (OT) networks including those networks running the health and safety systems in the buildings where we live, work and play. In a recent report, “Protecting Operational Technology in Facilities from Cyber Threats”, Honeywell notes that less than half (44%) of surveyed facility managers “have a cybersecurity system in place to protect their OT systems from potential threats”. This new partnership with Acalvio brings the most advanced form of cyber defense, known as Active Defense, to the security portfolio of Honeywell Building Technologies (HBT). For those without a cyber defense system, HTDP provides state-of-the-art capabilities for your initial foray into cyber security. For those with a cyber security program, well, your building’s defenses have just received a significant upgrade!

Today we are pleased to announce that Acalvio’s cloud-based ShadowPlex Active Defense platform has been awarded FedRAMP Ready status by the US Government’s General Services Administration. This award demonstrates to federal agencies, and the broader security community, Acalvio’s commitment to offering threat management solutions for even the most demanding environments. ShadowPlex is the first Deception solution to attain FedRAMP Ready status in the FedRAMP Marketplace, which gives federal agencies the assurance they need to proceed with evaluations or initial purchases of our solution. FedRAMP was initiated in 2011 as a national government-wide program to define mandatory security standards for cloud services. The intent was to accelerate federal government cloud adoption by establishing a marketplace for secure cloud service providers (CSPs). “FedRAMP Ready” requires CSPs to submit to an audit of dozens of security controls by an authorized third-party auditor (3PAO). The controls are under NIST 800-53 guidance, one of the most stringent controls sets in existence. “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector”, says President Biden’s May 2021 Executive Order. FedRAMP has been tasked with Federal cloud-security strategy for Cloud Services. Federal agencies are under constant attack and require Active Defense strategies that go beyond passive approaches Acalvio ShadowPlex not only adheres to the strict FedRAMP security controls, but also helps implement stronger cyber security standards for Federal departments and agencies by providing Active Defense. Acalvio has passed the control evaluation at the FedRAMP Moderate level for our SaaS-based ShadowPlex Deception service, placing us in Ready status. The 3PAO has attested to our security capabilities, and a Readiness Assessment Report has been reviewed and deemed acceptable by the FedRAMP Program Management Office. We invite federal agencies and other public sector entities to trial and deploy the solution with confidence.

In a previous blog, we provided an overview of AD Attack Surface and AD Attack Paths. In Part 3 of this series, we’ll explore Acalvio’s Active Directory (AD) security solution that is designed to protect AD against advanced persistent threats (APT). Cybersecurity defense is a moving target. New and sophisticated attack variants are continuously appearing, APTs are constantly revising their strategy and seeking weaknesses in business security implementations, making it imperative for enterprises to continuously refine their security stack. Organizations often use either siloed security tools or a combination of multiple cybersecurity products that collect huge volumes of data, independently. This results in disparate and disconnected systems. While standard security solutions offer capabilities for detecting and preventing a range of Active Directory attacks, they provide a limited solution for advanced threat defense against Active Directory. Cybersecurity requires an integrated strategy that augments standard security tools with an Advanced Deception Platform to effectively protect enterprises from Active Directory exploits. Acalvio ShadowPlex offers a differentiated, best-in-class AI-based deception solution for Active Directory security. The combination of deceptions with AI-powered analytics serves as a powerful mechanism to protect the enterprise from known and new variants of Active Directory exploits, such as AS-REP Roasting, DCSync, Kerberoasting, Unconstrained Delegation, Pass-the-Hash among others. This approach is built on Acalvio’s unique and powerful Active Directory Protection Kill Chain.

In a previous blog, we provided an overview of the (unfortunately quite complex) Active Directory Attack Surface. In Part 2 of this series, we’ll explore how attackers and malicious users plan their movement and traverse Active Directory attack paths once they have discovered AD vulnerabilities, misconfigurations, and other weaknesses that they can exploit.

An Active Directory (AD) compromise has been at the core of several cyberattacks, such as the SolarWinds hack and the Ransomware attack on Colonial Pipeline. Potential vulnerabilities, such as nOAuth on Microsoft Azure Active Directory, have been identified by security researchers. When the first version of Microsoft Active Directory was released two decades ago, it was built on the philosophy of inherent trust models within the boundaries of a network. Given these legacy architectural principles, Active Directory security is a challenge. As an enterprise grows, new users, computers, applications, and cloud services are added to the enterprise network. Each addition is a new object that is managed in the AD. Administrators must set up new accounts, grant required permissions to these accounts, and enable these accounts to communicate with devices and applications. These factors make Microsoft Active Directory security very complex. In this 3-part series, we look at protecting Microsoft Active Directory, which is central to most enterprise architecture. This series covers: Understanding the AD Attack Surface. A look at Attack Paths How Advanced Deception can be used to protect the AD. This first blog discusses the AD Attack Surface and Microsoft Active Directory vulnerabilities that attackers can exploit to perform lateral movement, escalate privileges, and to maintain persistence in the enterprise network.

Securing Operational Technology (OT) networks is definitely “a thing” these days. OT environments include specialized equipment (e.g. PLCs) that monitor and control production facilities such as refineries, manufacturing plants and utilities. The stakes are high with respect to potential business continuity and safety impacts if something is compromised. To be sure, it’s not that CISOs wake up and decide they need more work. Instead what’s happening is that enterprise risk management frameworks identify significant risk associated with OT cybersecurity. The IT Security team is then tasked with assessing and reducing such risk. In parallel, recent high-visibility ransomware attacks on critical infrastructure have put OT security on everyone’s radar. The Colonial Pipeline attack has been the most visible but there are plenty more that go unreported. The US federal government has certainly taken notice, issuing the “Executive Order on Improving the Nation’s Cybersecurity” in May 2021. Section 7 focuses on Detection:

That just focusing security defenses on the most common means of penetrating an organization doesn’t cut it. Sure, you should guard against phishing, fortify your DMZ and Internet-facing applications, train your staff, and so on. That will at least give you a credible response if you get hacked and you’re asked what you were doing to prevent it (which I admit is nothing to sneeze at!). However as we’ve seen, that won’t keep you safe.

Most of the time, unfortunately, malicious behavior is hidden from view. Consider that the average dwell time for cyberattackers within networks is still measured in months. Per FireEye, the global median dwell time in 2018 was 78 days, down from 101 days in 2017, but still far too long. Malicious behavior may manifest itself as the discovery or use of software designed to gain access and to leverage or create vulnerabilities that can be used to further penetrate networks, endpoints, and servers; perform reconnaissance; gain authentication data; and ultimately exfiltrate sensitive information or damage ongoing enterprise operations. Alternatively, it may manifest itself through the more subtle activities of malicious insiders.

According to the 2019 Cisco CISO Benchmark Study, “the accuracy of the tools used to determine which alerts should be investigated are not doing their jobs.” According to the report, “24.1% of the alerts that were investigated turn out to be legitimate,” down from 34% in their 2018 report.”

Over the past several years, banks using the Society for World Interbank Financial Telecommunication (SWIFT) financial network have continued to be the victim of ongoing cyber attacks. This is not to say that the SWIFT network has any explicit vulnerabilities, more that the bank network in which SWIFT is being used may have vulnerabilities that allow attackers to do the reconnaissance necessary to penetrate and perpetuate using that particular bank’s SWIFT access. SWIFT message formats were originally developed by SWIFT and then subsequently codified as ISO standards (ISO 15022). This includes well-defined definitions for system messages, customer payments and checks, financial institution transfers, treasury markets, collection and cash letters, securities markets, treasury markets – metals and syndication, documentary credits and guarantees, traveler’s cheques, and cash management – customer status.

Yet another massive breach has impacted the health care industry this June with Quest Diagnostic’s disclosure that 11.9 million customers may have their personal identifiable information (PII) access in yet another high profile cyber breached. This data was contained in systems managed by the American Medical Collection Agency (AMCA) of New York, a billing collector and apparent business associated of Quest Diagnostics. On May 14, 2019, AMCA notified Quest Diagnostics of “potential unauthorized activity” on AMCA’s web payment page. It appears that between August 1, 2018 and March 30, 2019 an unauthorized user had access to the AMCA system that contained confidential PII on Quest Diagnostics patients. This likely included financial information (credit cards, bank account information) as well as other personal information such as medical records, personal identity, and social security numbers. Early evidence seemed to indicate that attackers gained access to the AMCA website and then ran a “man in the middle” attack. This enabled the attackers to access payment and other personal information entered by website visitors. It does not appear that the laboratory test results internal to Quest were accessed, but the attackers did get any medical information that was entered through the AMCA website. AMCA was primarily part of a collection process used by Quest to track down customers, also involving a company called Optum360 that processes payments. Note that Quest Diagnostics, like many other health care institutions, was also breached earlier in 2016. Late in 2016 Quest disclosed that a data breach impacted about 34,000 medical records. These include PII to include dates of birth, lab results, and names. At that time, the cyber attackers utilized an improperly secured mobile application to gain access to the breached medical records. Quest diagnostics has certainly not been alone. Last year, in 2018, hackers breached the network at Laboratory Corporation of America (LabCorp), one of the largest clinical laboratories in the United States. Pursuant to the detection of “unauthorized activity” on the Labcorp networks, their internal networks were temporarily shut down while they investigated the breach. The number of successful cyber attacks on the health care industry is growing every year, either in records breached, number of institutions breached that year, growth in ransomware and other key metrics. The data on major data breaches, specifically those impacting more than 500 patients, is available in the HHS OCR data base which is accessible for anyone to see here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. This portal lists the number of major breaches which can be sorted to identify breaches caused by “Hacking/IT Incidents.” Central to this theme is that both Quest, AMCA, and Labcorp likely have many best-in-class security controls installed. They no doubt have very strong cyber security teams, and these teams likely utilize industry best practices to reduce and minimize cyber breach. Quest, AMCA, and Labcorp are faced with the problem that faces all commercial institutions and governments today. Most of the legacy strategies and best practices used to day depend on keeping attackers out by vigorously defending a perimeter. There is attention focused on the internal networks, and certainly hospitals have been aggressive in implementing network segmentation to protect medical devices, but this is still not enough. We know today that it is highly probable that sophisticated cyber attackers will get into health care networks. At some point, they will get past the all of the IDS/IPS systems, the next generation firewalls, network segmentation, and endpoint detection and response capabilities. All it takes is one (1) successful breach to result in a potentially disastrous breach. New technology sets must be deployed to reduce the attacker’s dwell time within the network to the absolute minimum. These new technologies must be placed in play to counter the latest attacker tactics and techniques. You don’t need to outrun the tiger, you just need to outrun the next target of opportunity for them. Said differently, you don’t need to stop every perimeter breach (you cannot do this anyway) but you do need to stop their progress within the kill chain before they can exfiltrate your data. Consider that Quest’s business associate, AMCA, likely had these attackers, per the reports released, within their networks for eight months or more before they were detected. Deception Technology can help, perhaps very substantially, reduce dwell times such as these. New to best practice for health care as a rapidly emerging technology set, Deception Technology has exceptional efficacy in finding and helping you stop these attackers. Deception Technology has been deployed over the past few years by first movers in hospitals, physician practice groups, surgical centers, long term care facilities, diagnostic laboratories, MRI/CT centers, other key parts of the extended health care ecosystem. Deception works particularly well to help protect the sea of internet of things (IoT) and medical devices which are pervasive within health care networks. When a cyber attacker touches just one of the camouflaged deception decoys within your diagnostic lab network, Deception Technology delivers a highly accurate and certain alert for your health care security operations team. The cyber attackers are decisively identified and then can be stopped. In summary, highly responsible and capable firms like Labcorp, AMCA and Quest and many other health care institutions will continue to be the targets of cyber attackers. It is certain that cyberattackers will penetrate every health care network at some point. The question becomes, “how will you rapidly detect them and shut them down?” At almost every move or turn they make, Acalvio ShadowPlex can be in their path. Once they touch a deception decoy ShadowPlex will identify them at extreme certainty, and then generate alerts of the highest integrity and importance for your SOC team. To find out more about ShadowPlex, please review our resource page here: /resources-and-documents/ or contact us for a free trial. We’d be delighted to share more about our technology and how it can help secure health care networks.

The digital transformation has been powered by several factors, the most important of which is the rapid move to the cloud. It is estimated today that 90 percent of organizations utilize some type of cloud service and that 60 percent of organizations use cloud technology to store confidential data. In fact, approximately 83 percent of enterprise workloads are going to be on the cloud by 2020. Yet despite the benefits of the cloud, most IT professionals say that security is their number one concern when they adopt a cloud computing strategy. In fact, the move to the cloud has exposed a multitude of new vulnerabilities and weaknesses, and cyber attackers have moved aggressively to take advantage of them. There are eight key areas in which the cloud has introduced new and expanded risk. Let’s take a look at them individually: Data Breaches We all know a data breach when we see one. Data breaches usually involve the exfiltration and theft confidential or sensitive data, perhaps regulated by compliance, that is stolen and accessed by an organization or individual not authorized to do so. The risk of a data breach is not unique to cloud computing, but is rather a trending topic due to many visible breaches in the cloud now identified in the media and the press. Insecure Application Program Interfaces (APIs) The cloud has brought many new application program interfaces for customers to use when interacting with their cloud services. Many services, such as logging, monitoring, set-up for orchestration, administration and management, and provisioning, all depend on these APIs. These interfaces are also used to set up the most sensitive security, such as encryption, that, when broken, can expose large amounts of data to exposure and theft. These APIs may extend accessible IP addresses outside of the organization and hence are subject to continual and ongoing attacks. Account Hijacking Accounts have been exploited by phishing and related attacker techniques for many years. Given the reuse of passwords, this makes this attack vector quite successful for the diligent attacker. Once an attacker gains access to these credentials, they can begin to gather more sensitive data and to manipulate many aspects of your business. Malicious Insiders It is a fact that many data breaches are caused by malicious insiders. This creates an obvious conundrum – not all malicious activity is anomalous, and not all anomalous activity is malicious. These are the hardest attacks to discover, as insiders often have requisite permissions to move through the clouds and networks unimpeded. Data Loss Everyone is concerned about access to data and data theft, but most never really expect to have their data completely lost or destroyed. Yet this is what many organizations are facing due to new threats like the advanced ransomware as a service (RAAS). Data in the cloud can also be lost due to physical catastrophes, administrative error, and other causes. For this reason, segregated data back-up, offsite storage, and disaster recovery remain essential and even more necessary for cloud-based data. Identity and Credential Access Management The biggest and most obvious problem is the protection of password data. It is expected that attackers will penetrate your networks and cloud, and, when they do, they will target passwords and authentication data. Worse yet, that authentication data tends to be the same across multiple systems – when an attacker gets into one they often get into other systems as well. One of the best mitigation techniques is to use multi-factor authentication. This can reduce, though not always eliminate, the effectiveness of this attacker tactic. General System Vulnerabilities Vulnerabilities have been a problem across networks for many years. The multi-tenancy advantages of the cloud unfortunately provide access to shared memory and resources, creating an entirely new attack surface. This new list of vulnerabilities continues to grow and varies by cloud provider. Denial of Service Attacks Denial of service attacks (DoS) are designed to shut down cloud access by flooding the servers and networks with more traffic than can be processed. The goal is to create extreme difficulties for the cloud service providers, shut down or severely slow their systems, and cause the system users concern over the lack of availability and performance. There are also additional vulnerabilities with the use of the shared technology in the cloud, risks due to advanced persistent threats, and much more. Given the high probability that an attacker will successfully breach your cloud platforms, the question becomes how you will detect and diagnose this attack, take steps to mitigate it, and successfully shut it down. Your goal is detection and mitigation. So long as you can interrupt the attacker’s Kill Chain, you have prevailed and your cloud will be secure. Many of the new technologies that protect clouds focus on authentication, encryption, digital rights management, data loss prevention (DLP), and configuration analysis. In the case of configuration analysis, errors that can expose security challenges can be identified and mitigated rapidly. Most of the other forms of attack are currently only being detected by probabilistic-based approaches that attempt to analyze traffic and detect malicious and/or anomalous behavior. Unfortunately, attempts to discern the relative probability of high-risk attacker behavior can generate huge amounts of spurious alerts. Adjust the thresholds too low and attackers will slip through the system undetected. Adjust the threshold too high and there are so many alerts that triage becomes almost impossible. Acalvio ShadowPlex deception technology was designed to protect the cloud. ShadowPlex Cloud, released in 2018, is our mature deception platform and is designed to protect cloud assets. ShadowPlex Cloud detects malicious activity within your public cloud environments rapidly and with virtually no false alerts. Deception is binary. Either you are touching a deception asset or you are not. If you do, you have absolutely violated security policy and your activity is to be considered highly suspect. The alerts generated by ShadowPlex Cloud will represent a true and present threat of the highest urgency. Find out more about Acalvio and how deception technology can help you reduce risk and maintain compliance. We’d be pleased to introduce you to our latest technology and share information about customers that have used Acalvio ShadowPlex to protect the most health care institutions around the world.