
CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483: Four Critical Microsoft Exchange Server Vulnerabilities Patched in April Patch Tuesday


One month after disclosing four zero-day vulnerabilities in Exchange Server, Microsoft addresses four additional vulnerabilities discovered by the National Security Agency (NSA).

Background

On April 13, as part of its April 2021 Patch Tuesday release, Microsoft addressed four critical vulnerabilities in Microsoft Exchange Server.

CVE            | Vulnerability Type    | CVSSv3
---------------|-----------------------|-------
CVE-2021-28480 | Remote Code Execution | 9.8
CVE-2021-28481 | Remote Code Execution | 9.8
CVE-2021-28482 | Remote Code Execution | 8.8
CVE-2021-28483 | Remote Code Execution | 9.0

The disclosure follows last month’s out-of-band (OOB) security update which addressed four zero-day vulnerabilities in Exchange Server that were exploited in the wild by an advanced persistent threat group known as HAFNIUM.

As with last month’s OOB security update, these latest Exchange Server vulnerabilities affect only on-premises versions of Microsoft Exchange Server; Microsoft Exchange Online is not affected by these flaws.

Details

CVE-2021-28480 and CVE-2021-28481 are pre-authentication vulnerabilities in Microsoft Exchange Server. A pre-authentication vulnerability means that an attacker does not need to authenticate to the vulnerable Exchange Server in order to exploit the vulnerability. All the attacker needs to do is perform reconnaissance against their intended targets and then send specially crafted requests to the vulnerable Exchange Server.

Both of these vulnerabilities would operate similarly to CVE-2021-26855, also known as ProxyLogon, which is a separate pre-authentication vulnerability in Exchange Server that was included as part of the fixes from March’s OOB security update.

CVE-2021-28482 and CVE-2021-28483 are post-authentication vulnerabilities in Microsoft Exchange Server. Unlike CVE-2021-28480 and CVE-2021-28481, these are only exploitable once an attacker has authenticated to a vulnerable Exchange Server. However, these flaws could be chained together with a pre-authentication Exchange Server vulnerability to bypass that requirement. Last month, attackers leveraged ProxyLogon in combination with post-authentication vulnerabilities in order to implant webshells on compromised Exchange Servers and maintain persistence.

NSA credited with discovering these vulnerabilities

In their acknowledgements, Microsoft credited the NSA with the discovery of all four vulnerabilities, though the two pre-authentication vulnerabilities (CVE-2021-28480, CVE-2021-28481) were also credited to the Microsoft Security Team.

Rob Joyce, the NSA’s new Director of Cybersecurity, warned that threat actors will move quickly to utilize these vulnerabilities. In a statement to the press, Joyce encouraged organizations to prevent that from happening by applying the available patches, stating that, “Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors. Don't give them the opportunity to exploit this vulnerability on your system.”

The NSA also issued a statement via their Twitter account, urging the importance of applying these patches as successful exploitation “could allow persistent access and control of enterprise networks.”

CISA updates Emergency Directive 21-02 to account for latest Exchange Server flaws

On March 3, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-02, following the OOB security update from Microsoft in March. The Emergency Directive provides guidance and required actions for Federal Civilian Executive Branch agencies regarding threats to their networks. It also provides deadlines for when these agencies need to complete certain actions, such as deploying security updates.

On April 13, CISA updated Emergency Directive 21-02 with Supplemental Direction v2 in response to the vulnerabilities disclosed to Microsoft by the NSA. According to the latest Supplemental Direction, these agencies have until the end of day Thursday, April 15 to deploy the Microsoft security updates to all affected Microsoft Exchange Server assets.

Proof of concept

At the time this blog post was published, there were no disclosed proof-of-concept exploit scripts for any of the four newly disclosed Exchange Server vulnerabilities.

Solution

As part of its Patch Tuesday release, Microsoft addressed all four Exchange Server vulnerabilities for the following versions:

Microsoft Exchange Server Version | Knowledge Base Article
----------------------------------|-----------------------
2013 Cumulative Update 23         | KB5001779
2016 Cumulative Update 19         | KB5001779
2016 Cumulative Update 20         | KB5001779
2019 Cumulative Update 8          | KB5001779
2019 Cumulative Update 9          | KB5001779

Absent from these patches is a fix for Exchange Server 2010, which was included as part of last month’s OOB security update as a defense-in-depth measure. However, Microsoft says Exchange Server 2010 is not affected by these new vulnerabilities.

Tenable strongly advises all organizations to apply these patches as quickly as possible to thwart future exploitation attempts by cybercriminals and advanced persistent threat actors. Note that patching closes the vulnerabilities but does not remove webshells or other persistence already established through earlier exploitation; servers that were exposed while unpatched should also be examined for signs of compromise.

For organizations that did not apply the OOB patches for last month’s Exchange Server flaws, the patches released today are cumulative, which means they address all eight vulnerabilities Microsoft has patched in Exchange Server since the March OOB release. However, your organization will need to be running a supported Cumulative Update in order to apply these updates.

Image Source: Microsoft Exchange Team Blog

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Tenable and the Path to Zero Trust


The simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. Here are four factors to consider before you begin the journey.

Zero trust, a cybersecurity concept first introduced by Forrester in 2010, is emerging as the answer du jour for a wide range of challenges facing today's digital enterprise. It accommodates the perimeter-busting work-from-home trend necessitated by the COVID-19 pandemic. It addresses the fundamental issues raised by the SolarWinds breach. And it complements the cloud-based infrastructure, platforms and applications that are fundamental to digital transformation. 

Prior to COVID-19, you could say the world was trundling toward a zero-trust future at a speed of about 10 mph. In the post-COVID era, we find ourselves barreling toward zero trust at a pace that feels more like 90 mph.

The premise of zero trust is relatively straightforward. According to the U.S. National Institute of Standards and Technology (NIST), zero trust is "a cybersecurity strategy that focuses on moving network defenses from wide, static network perimeters to focusing more narrowly on dynamic and risk-based access control to enterprise resources, regardless of where they are located." 

While we at Tenable agree that the realities of today's work environment have rendered the notion of a perimeter obsolete, we also believe the simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. The Zero Trust Progress Report, released in February 2020 by Cybersecurity Insiders and Ivanti (formerly Pulse Secure), surveyed 400 cybersecurity professionals and found 47% lack confidence applying a zero-trust model to their organization's security architecture. 

In its August 2020 report, Implementing a Zero Trust Architecture, NIST debunks the "misconception that zero trust architecture is a single framework with a set of solutions that are incompatible with the existing view of cybersecurity." Instead, the agency advises that zero trust should be viewed as "an evolution of current cybersecurity strategies." The report further articulates three key challenges:

  1. No single solution exists for zero trust; instead, it requires the integration of many different technologies of varying maturity. Indeed, The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020 evaluated the top 15 providers. NIST states: "The spectrum of components within the wider enterprise is vast, with many products focusing on a single niche within zero trust and relying on other products to provide either data or some service to another component (e.g., integration of multifactor authentication for resource access)." 

  2. Migrating an existing IT ecosystem, particularly one with legacy applications and systems, requires investments in time, resources and technical ability to retool them to adhere to zero-trust principles. We believe the resource investment required makes adhering completely to a zero-trust model across an enterprise simply not possible today. Further, NIST notes that a lack of standards makes it difficult for organizations to assess the compatibility of various products, making it difficult to build a five-year roadmap. 

  3. Security concerns, such as a compromise of the zero-trust architecture control plane, must be thoroughly assessed and vulnerabilities identified and mitigated. In our view, no organization should begin a zero-trust journey without first nailing the basics of cyber hygiene. According to NIST, "An enterprise should reach a baseline of competence before it becomes possible to deploy a significant [zero trust-focused] environment. This baseline includes having assets, subjects, business processes, traffic flows and dependency mappings identified and cataloged for the enterprise. The enterprise needs this information before it can develop a list of candidate business processes and the subjects/assets involved in this process." We believe this baseline requires full visibility into the entire attack surface, continuous dynamic monitoring of assets and user permissions and the means to prioritize remediation based on risk.


Getting started on the zero-trust journey: consider these four factors 

Describing the implementation of zero-trust architecture as a "journey," rather than a wholesale replacement of infrastructure or processes, NIST predicts that "most enterprises will continue to operate in a hybrid zero-trust/perimeter-based mode for an indefinite period while continuing to invest in ongoing IT modernization initiatives." 

No matter where you are on your zero-trust journey, we believe the four functional components of NIST's zero-trust model also serve as the building blocks of a sound cybersecurity strategy:

  1. Data security, including all the data access policies and rules used to secure information, and the means to protect data at rest and in transit. 

  2. Endpoint security strategy, technology and governance to protect servers, desktops, mobile phones, IoT and operational technology (OT) devices from threats and attacks, as well as to protect the enterprise from threats from managed and unmanaged devices.

  3. Identity and access management, including the strategy, technology and governance for creating, storing and managing enterprise user accounts and identity records and their access to enterprise resources. 

  4. Security analytics, encompassing all the threat intelligence feeds and traffic/activity monitoring for an IT enterprise and continuously monitoring those assets to actively respond to threats or malicious activity. 


Each of the above components requires:

  • Visibility into the full range of connected assets on a network; 

  • Continuous, dynamic assessments of these assets; 

  • Dynamic monitoring of identity stores such as Active Directory for misconfigurations and signs of lateral movement; and

  • Prioritization of patching efforts based on detected threat activity and business risk. 


We at Tenable believe zero trust is a model that every enterprise should strive toward. That's why we have always advocated that every single endpoint and device in the environment should be assessed for security, misconfigurations and missing updates. At the same time, we recognize the very real challenges involved in implementing these principles and advise organizations to invest in the cybersecurity fundamentals before embarking on a zero-trust journey.

NAME:WRECK: Nine DNS Vulnerabilities Found in Four Open Source TCP/IP Stacks


Nine new DNS-related vulnerabilities have been identified across TCP/IP stacks embedded in millions of devices.

Background

On April 13, 2021, researchers at Forescout and JSOF published a report called NAME:WRECK. The report details the discovery of nine Domain Name System (DNS) vulnerabilities across four widely used open-source TCP/IP stacks. Conservative estimates suggest that the flaws are present in over 100 million devices. NAME:WRECK is the third TCP/IP report to stem from research conducted through PROJECT:MEMORIA; the prior reports are NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks, and AMNESIA:33, which details a staggering 33 vulnerabilities across four TCP/IP stacks. This research also highlights the risk of reusing open-source TCP/IP stacks across operational technology (OT), internet of things (IoT) and IT devices: a single flaw in a shared stack can affect millions of devices from many manufacturers.

Analysis

The potential impact of these vulnerabilities includes DNS Cache Poisoning, Denial of Service (DoS) and Remote Code Execution (RCE). The nine vulnerabilities are identified in the following table:

CVE            | Stack       | Affected Feature          | Potential Impact      | CVSSv3
---------------|-------------|---------------------------|-----------------------|-------
CVE-2016-20009 | IPnet       | Message compression       | Remote Code Execution | 9.8
CVE-2020-15795 | Nucleus NET | Domain name label parsing | Remote Code Execution | 8.1
CVE-2020-27009 | Nucleus NET | Message compression       | Remote Code Execution | 8.1
CVE-2020-7461  | FreeBSD     | Message compression       | Remote Code Execution | 7.7
CVE-2020-27736 | Nucleus NET | Domain name label parsing | Denial of Service     | 6.5
CVE-2020-27737 | Nucleus NET | Domain name label parsing | Denial of Service     | 6.5
CVE-2020-27738 | Nucleus NET | Message compression       | Denial of Service     | 6.5
Not assigned   | NetX        | Message compression       | Denial of Service     | 6.5
CVE-2021-25677 | Nucleus NET | Transaction ID            | DNS Cache Poisoning   | 5.3

Root cause analysis

The vulnerabilities stem from implementation problems within the various TCP/IP stacks, caused by the complexity, and the misinterpretation, of the relevant Request for Comments (RFC) standards. For example, RFC 1035, “Domain Names – Implementation and Specification,” defines a message compression scheme in which a two-byte pointer replaces a repeated domain name with the offset of its earlier occurrence in the same message; the same scheme is reused by multicast DNS (mDNS) and by DHCP options that carry domain names. A parser that trusts that offset, or the length octet that precedes each label, without checking it against the bounds of the message is the root of most of the flaws in the table above. To address this going forward, Forescout’s researchers drafted an informational RFC that catalogues the anti-patterns identified in their research so that developers can avoid repeating them in future DNS implementations.

The gift that keeps on giving

In the initial research surrounding these TCP/IP stacks, most of the focus was on the implementation of DNS message compression. Four of the Nucleus NET vulnerabilities in the table above (CVE-2020-15795, CVE-2020-27736, CVE-2020-27737 and CVE-2021-25677) were discovered as a byproduct of that work. The NAME:WRECK report highlights how chaining these four non-compression flaws with the compression bugs CVE-2020-27009 or CVE-2020-27738 could increase their impact and achieve RCE.

Three of the most critical DNS vulnerabilities in NAME:WRECK

CVE-2016-20009 is a stack-based buffer overflow vulnerability in the message compression function of the IPnet stack which could potentially lead to RCE. This is the most critical of the nine vulnerabilities, with a CVSSv3 score of 9.8, and, as the CVE naming structure would suggest, also the oldest. CVE-2016-20009 is actually a bug collision, as it was originally reported in 2016 by Exodus Intelligence but never assigned a CVE. Forescout and JSOF asked the original finders of the vulnerability to request a CVE ID in January 2021, agreeing it should be assigned an end-of-life CVE ID.

CVE-2020-15795 is a vulnerability in the DNS domain name label parsing functionality of the Nucleus NET TCP/IP stack, which does not properly validate the names in DNS responses. Successful exploitation would allow an attacker in a privileged network position (one able to answer the device’s DNS queries) to write past the end of the allocated structure and either execute code in the context of the current process or force a DoS condition. Exploitation requires the attacker to deliver a malformed DNS response to a legitimate DNS request, which is then parsed by the vulnerable function.

CVE-2020-27009 is a vulnerability in the DNS domain name record decompression function of the Nucleus NET TCP/IP stack, caused by improper validation of the offset value carried in a compression pointer. Successful exploitation would likewise allow an attacker in a privileged network position to write past the end of the allocated structure and either execute code in the context of the current process or force a DoS condition. Exploitation again requires a malformed DNS response to a legitimate DNS request, which is then parsed by the vulnerable function.
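The same two parsing mistakes, trusting a compression-pointer offset and trusting a label length, run through both the root-cause discussion and the three flaws described above. The following is an added example, written for this post rather than taken from the NAME:WRECK report or from any of the affected stacks, of an RFC 1035 name decoder that checks both before touching memory: a pointer is accepted only if it refers to an earlier offset in the same message, which rules out forward references, out-of-range offsets and loops in a single check; label bytes are checked against the bytes remaining in the message; and the decoded name is checked against both the 255-octet protocol limit and the caller’s buffer. The sample message and the hostile inputs are constructed for the example, and the function and error names are our own.

```c
/* Added example, not code from the NAME:WRECK report or from any affected stack:
 * a DNS name decoder that applies the RFC 1035 4.1.4 compression rules
 * defensively; comments note which bug class each check closes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255 /* RFC 1035 2.3.4: wire-format name including the root octet */

enum dns_err {
    DNS_ERR_TRUNCATED = -1, /* length octet or label bytes lie past the end of the message */
    DNS_ERR_LABEL     = -2, /* reserved 01/10 prefix; this also enforces the 63-octet label cap */
    DNS_ERR_POINTER   = -3, /* pointer offset is not strictly before the pointer itself */
    DNS_ERR_TOO_LONG  = -4  /* name exceeds 255 wire octets or the caller's output buffer */
};

/* Decode the (possibly compressed) name at `off` into `out` as dotted text with no
 * trailing dot (the root name becomes "."). Returns the offset just past the name's
 * first occurrence, where the caller resumes parsing, or a negative dns_err. */
int dns_read_name(const uint8_t *msg, size_t msglen, size_t off, char *out, size_t outlen)
{
    size_t pos = off, resume = 0, wire = 0, o = 0;
    int followed = 0;
    for (;;) {
        if (pos >= msglen)
            return DNS_ERR_TRUNCATED;
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {            /* 11xxxxxx xxxxxxxx: compression pointer */
            if (pos + 1 >= msglen)
                return DNS_ERR_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            /* A pointer must refer to a PRIOR occurrence. target < pos rejects forward, self
             * and out-of-message offsets (the CVE-2020-27009 class) and makes loops
             * impossible, because every hop moves strictly backwards. */
            if (target >= pos)
                return DNS_ERR_POINTER;
            if (!followed) {                   /* only the first pointer sets the resume point */
                resume = pos + 2;
                followed = 1;
            }
            pos = target;
            continue;
        }
        if (len & 0xC0)                        /* 01xxxxxx and 10xxxxxx are reserved */
            return DNS_ERR_LABEL;
        if (len == 0) {                        /* root label terminates the name */
            if (wire + 1 > DNS_MAX_NAME)
                return DNS_ERR_TOO_LONG;
            if (o == 0) {                      /* bare root: emit "." */
                if (outlen < 2)
                    return DNS_ERR_TOO_LONG;
                out[o++] = '.';
            }
            out[o] = '\0';
            return (int)(followed ? resume : pos + 1);
        }
        /* Label bytes must lie inside the message (the CVE-2020-15795 class: a label
         * length trusted without comparing it to the data that remains). */
        if ((size_t)len > msglen - pos - 1)
            return DNS_ERR_TRUNCATED;
        wire += 1 + (size_t)len;
        if (wire > DNS_MAX_NAME)
            return DNS_ERR_TOO_LONG;
        size_t need = (o ? 1 : 0) + (size_t)len + 1; /* separator + label + NUL */
        if (need > outlen - o)
            return DNS_ERR_TOO_LONG;
        if (o)
            out[o++] = '.';
        memcpy(out + o, msg + pos + 1, len);
        o += len;
        pos += 1 + (size_t)len;
    }
}

/* Constructed samples (not captured traffic). sample_msg: 12-byte header, "example.com"
 * at offset 12, then "www" + pointer to offset 12 at offset 25. The bad_* messages
 * put one hostile name at offset 12 after a zeroed header. */
const uint8_t sample_msg[31] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 3, 'w', 'w', 'w', 0xC0, 0x0C };
const uint8_t bad_pointer_loop[16]    = { [12] = 0xC0, 0x0E, 0xC0, 0x0C }; /* 12 -> 14 -> 12 */
const uint8_t bad_pointer_oob[14]     = { [12] = 0xC3, 0xFF };             /* offset 1023 */
const uint8_t bad_label_truncated[16] = { [12] = 0x10, 'a', 'b', 'c' };    /* claims 16, has 3 */

char dns_last_name[DNS_MAX_NAME + 1];  /* shared output buffer for the helper below */
int dns_decode_at(const uint8_t *msg, size_t msglen, size_t off)
{
    return dns_read_name(msg, msglen, off, dns_last_name, sizeof dns_last_name);
}

int main(void)
{
    int next = dns_decode_at(sample_msg, sizeof sample_msg, 25);
    if (next < 0) { printf("malformed: %d\n", next); return 1; }
    printf("%s (resume at offset %d)\n", dns_last_name, next);
    printf("loop:%d oob:%d trunc:%d\n", dns_decode_at(bad_pointer_loop, 16, 12),
           dns_decode_at(bad_pointer_oob, 14, 12), dns_decode_at(bad_label_truncated, 16, 12));
    return 0;
}
```

Compiled with any C99 compiler, the program decodes the compressed name www.example.com and reports offset 31 as the point where record parsing would continue, then prints the error codes returned for a two-pointer loop, a pointer to offset 1023 in a 14-byte message, and a label that claims 16 bytes where only 3 remain. Requiring pointers to move strictly backwards is the single rule that removes the need for a separate loop counter, which is why the decoder has no hop limit at all.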

Millions of devices potentially affected

The report highlighted a number of statistics for the affected TCP/IP stacks, but the most alarming statistics were associated with FreeBSD. A Shodan search result provided in the report showed that over one million FreeBSD devices were internet-facing. While this does not indicate all these devices are vulnerable, it does highlight the potential attack surface.

Source: Forescout NAME:WRECK Report

Drilling down into industry-specific figures, the report examines a dataset of 13 million proprietary devices. The numbers in the chart below are representative of over 235,000 FreeBSD devices running the affected stack/operating systems. One of the most concerning figures in this chart is the number of affected devices found within the healthcare sector. As we’ve reported previously, healthcare is one of the most targeted sectors, particularly by ransomware groups.

Source: Forescout NAME:WRECK Report

Exploitation scenario: Let’s get creative

The NAME:WRECK report demonstrates one possible scenario that was tested to gain a foothold on a target network using the Nucleus TCP/IP stack as an example. According to the report, the steps involved were as follows:

  1. Initial access to an organization’s network is obtained by exploiting one of the Nucleus NET RCE vulnerabilities on a device that issues DNS requests to a server on the internet. This highlights the key caveat of DNS-based vulnerabilities: the malicious packet must arrive as the response to a legitimate query the device made. An attacker can get into that position by intercepting traffic between the device and its resolver (a man-in-the-middle attack) or by compromising the resolver itself, for example through known vulnerabilities such as DNSpooq, the set of dnsmasq flaws JSOF disclosed earlier this year.
  2. Once inside, the attacker moves laterally by standing up a rogue DHCP server and using it to target FreeBSD hosts on the segment that request leases: CVE-2020-7461 lies in the FreeBSD DHCP client’s parsing of the domain search option, which reuses DNS message compression, so a crafted lease offer can execute code on those hosts.
  3. The final step uses these compromised servers to maintain persistence on the network and/or exfiltrate data via the internet-connected device that was used to gain the initial foothold.

Source: Forescout NAME:WRECK Report

Proof of concept

At the time this blog post was published, there was one proof-of-concept (PoC) available for CVE-2020-7461, the message compression vulnerability in FreeBSD. This particular PoC will only result in a DoS condition.

Solution

Each of the maintainers/vendors of the vulnerable TCP/IP stacks identified in the report was notified of these flaws. The FreeBSD, Nucleus NET and NetX stacks have been patched recently. The following table lists the stacks and their fixed versions (where available).

Affected TCP/IP Stack | Fixed Versions
----------------------|---------------------
FreeBSD               | 12.1 Revision 365010
Nucleus NET           | 5.2
Nucleus NET           | 4.1.0
NetX                  | 6.1
IPnet                 | Not available

While these vulnerabilities may be addressed by their relevant vendors, there are millions of devices worldwide implementing these stacks spanning hundreds of manufacturers. Action is required by these manufacturers to ensure that fixes are deployed for their vulnerable devices.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Please note that at the time this blog post was published, the NetX vulnerability did not have a CVE assigned to it yet. We will update this blog post once a CVE is assigned.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild


Threat actors are leveraging a zero-day vulnerability in Pulse Connect Secure, for which there is no immediate patch scheduled for release.

Background

On April 20, Pulse Secure, which was acquired by Ivanti last year, published an out-of-cycle security advisory (SA44784) regarding a zero-day vulnerability in the Pulse Connect Secure SSL VPN appliance. In addition to the advisory, Pulse Secure also published a blog post detailing observed exploit behavior related to the zero-day, as well as activity linked to previously disclosed vulnerabilities in its Pulse Connect Secure solution.

CVE            | Description                                               | Privileges      | CVSSv3
---------------|-----------------------------------------------------------|-----------------|-------
CVE-2021-22893 | Pulse Connect Secure Authentication Bypass Vulnerability  | Unauthenticated | 10.0

Analysis

CVE-2021-22893 is a critical authentication bypass vulnerability in Pulse Connect Secure. While no specific details about the flaw are available yet, it is likely that a remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable device. Successful exploitation of this vulnerability would grant an attacker the ability to execute arbitrary code on the Pulse Connect Secure Gateway. The vulnerability has been assigned a CVSSv3 score of 10.0, underscoring its severity.

Attackers leveraging multiple Pulse Connect Secure vulnerabilities

The Pulse Secure blog post notes that the bulk of attacker-related activity is centered around the following three previously known vulnerabilities.

CVE            | Description                                                  | Privileges      | CVSSv3 | VPR*
---------------|--------------------------------------------------------------|-----------------|--------|-----
CVE-2019-11510 | Pulse Connect Secure Arbitrary File Disclosure Vulnerability | Unauthenticated | 10.0   | 10.0
CVE-2020-8243  | Pulse Connect Secure Code Injection Vulnerability            | Authenticated   | 7.2    | 5.9
CVE-2020-8260  | Pulse Connect Secure Unrestricted File Upload Vulnerability  | Authenticated   | 7.2    | 7.4

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 20 and reflects VPR at that time.

One of the three flaws, CVE-2019-11510, is a pre-authentication vulnerability in Pulse Connect Secure that has been exploited in the wild since August 2019, including by ransomware groups and foreign threat actors. Attackers have also leveraged CVE-2019-11510 as part of a vulnerability chain to gain initial access before pivoting into using CVE-2020-1472, also known as Zerologon, to gain domain admin access over an organization’s Active Directory infrastructure. CVE-2019-11510 is also one of the Top 5 vulnerabilities we highlighted in Tenable’s 2020 Threat Landscape Retrospective report because of its ease of exploitation and continued preference amongst a variety of attackers long after patches were made available for it.

The other two vulnerabilities, CVE-2020-8243 and CVE-2020-8260, are post-authentication vulnerabilities that require an attacker to have established administrator access to the vulnerable Pulse Connect Secure device. Based on the authentication requirement for these vulnerabilities, they are likely to be used in combination with CVE-2019-11510 and CVE-2021-22893 as part of a chained attack.

Researchers at NCC Group published technical advisories in October 2020 for both flaws. For CVE-2020-8243, the researchers detail how an attacker could gain arbitrary code execution on the underlying operating system by injecting a backdoored template file. For CVE-2020-8260, the researchers detail how an attacker could overwrite arbitrary files, resulting in remote code execution.

Defense, government and financial organizations targeted

According to an article in Reuters, Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target U.S. government, defense and financial organizations. Researchers are attributing these attacks to China-linked threat actors.

Implanting malware and harvesting credentials

In a blog post from FireEye's Mandiant division, researchers identified at least 12 malware families linked to all four of these Pulse Connect Secure SSL VPN vulnerabilities, which they’ve been tracking from August 2020 through March 2021.

According to FireEye, some of the threat actors they’ve identified are harvesting account credentials in order to perform lateral movement within compromised organizations’ environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence.

Proof of concept

At the time this blog post was published, there were no proof-of-concept (PoC) exploit scripts available for CVE-2021-22893. However, there are at least 14 PoCs for CVE-2019-11510, a working PoC for CVE-2020-8243, and PoC details for CVE-2020-8260.

Solution

As of April 20, Pulse Secure has not yet released patches to address CVE-2021-22893, though the projected timeframe for availability is sometime in May 2021. However, Pulse Secure did release a temporary workaround that can be implemented to mitigate attempts to exploit the zero-day.

The temporary workaround requires disabling two features within the Pulse Connect Secure appliances: Windows File Share Browser and Pulse Secure Collaboration. Because the workaround details may be updated in the future, please refer to the Pulse Secure advisory for more information. Note that the workaround only blocks new exploitation attempts; it does not remove backdoors already planted, so appliances that were exposed before it was applied should also be checked for the modified files and scripts described by FireEye.

Identifying affected systems

A list of Tenable plugins to identify CVE-2021-22893 will appear here as they’re released. For the remaining Pulse Connect Secure vulnerabilities, please refer to the table below.

CVE            | Plugin IDs
---------------|-----------------------
CVE-2019-11510 | 127908, 127897, 124766
CVE-2020-8243  | 141359, 141360
CVE-2020-8260  | 142057, 142058

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Oracle April 2021 Critical Patch Update Addresses 257 CVEs including ‘Zerologon’ (CVE-2020-1472)


Oracle addresses over 250 CVEs in its second quarterly update of 2021 with 390 patches, including 34 critical updates.

Background

On April 20, Oracle released its Critical Patch Update (CPU) for April 2021, the second quarterly update of the year. This CPU update contains fixes for 257 CVEs in 390 security updates across 32 Oracle product families. Out of the 390 security updates published this quarter, over 50% were assigned a high severity. Critical vulnerabilities only accounted for eight percent of the security updates patched this quarter.

Analysis

This quarter’s update includes fixes for 34 critical issues across 30 CVEs. The Oracle E-Business Suite product family contained the highest number of patches at 70, representing just shy of 18% of the patches from this quarter. Of those 70 patches, 22 issues are remotely exploitable without authentication.

As we’ve seen with past CPUs, Oracle Fusion Middleware continues to take the lead in the number of vulnerabilities which can be exploited by unauthenticated attackers, as 36 of the 45 patches meet this criteria. A full breakdown of the patches can be seen in the table below:

Oracle Product Family                  | Number of Patches | Remote Exploit without Auth
---------------------------------------|-------------------|----------------------------
Oracle E-Business Suite                | 70                | 22
Oracle MySQL                           | 49                | 10
Oracle Fusion Middleware               | 45                | 36
Oracle Retail Applications             | 35                | 31
Oracle Virtualization                  | 24                | 5
Oracle Communications                  | 22                | 9
Oracle PeopleSoft                      | 18                | 13
Oracle Financial Services Applications | 15                | 10
Oracle Communications Applications     | 13                | 12
Oracle Database Server                 | 10                | 4
Oracle JD Edwards                      | 10                | 10
Oracle Enterprise Manager              | 9                 | 8
Oracle Construction and Engineering    | 8                 | 6
Oracle Siebel CRM                      | 8                 | 7
Oracle Hospitality Applications        | 6                 | 4
Oracle Storage Gateway                 | 6                 | 2
Oracle Supply Chain                    | 5                 | 5
Oracle Systems                         | 5                 | 1
Oracle Utilities Applications          | 5                 | 5
Oracle NoSQL Database                  | 4                 | 3
Oracle Commerce                        | 4                 | 4
Oracle Java SE                         | 4                 | 4
Oracle Health Sciences Applications    | 3                 | 3
Oracle Spatial Studio                  | 2                 | 1
Oracle Food and Beverage Applications  | 2                 | 1
Oracle Hyperion                        | 2                 | 1
Oracle Global Lifecycle Management     | 1                 | 1
Oracle REST Data Services              | 1                 | 1
Oracle SQL Developer                   | 1                 | 1
Oracle iLearning                       | 1                 | 0
Oracle Insurance Applications          | 1                 | 1
Oracle Support Tools                   | 1                 | 0

Five 10.0 CVSSv3 Scoring Vulnerabilities

This quarter Oracle includes patches for five CVEs carrying the maximum CVSSv3 score of 10.0, among them the critical Zerologon vulnerability (CVE-2020-1472). All five could be exploited by unauthenticated, remote attackers and should be prioritized for patching. The table below lists each affected product and CVE:

CVE           | Oracle Product Family  | Oracle Product and Component
--------------|------------------------|-----------------------------------------------------------------
CVE-2021-2177 | Oracle Virtualization  | Oracle Secure Global Desktop / Gateway
CVE-2021-2248 | Oracle Virtualization  | Oracle Secure Global Desktop / Server
CVE-2020-1472 | Oracle Systems         | Oracle ZFS Storage Appliance Kit / Operating System Image
CVE-2021-2317 | Oracle Storage Gateway | Oracle Cloud Infrastructure Storage Gateway / Management Console
CVE-2021-2256 | Oracle Storage Gateway | Oracle Storage Cloud Software Appliance / Management Console

Proof of concept

At the time this blog was written, several of the highest severity (CVSSv3 9.8 and 10.0) CVEs had published proof-of-concept (PoC) scripts. While not all of these have been tested or verified by Tenable, we recommend patching the flaws as soon as possible. The following table lists some of the CVEs that currently have published PoCs:

CVE            | Oracle Product and Component                                                                                   | PoC Links
---------------|----------------------------------------------------------------------------------------------------------------|----------
CVE-2020-1472  | Oracle ZFS Storage Appliance Kit / Operating System Image                                                      | GitHub
CVE-2020-17530 | MySQL Enterprise Monitor / Monitoring: General (Apache Struts); Oracle Hospitality OPERA 5 / Login (Apache Struts) | GitHub
CVE-2019-17495 | Oracle Utilities Framework / General (Swagger UI)                                                              | GitHub
CVE-2019-17195 | Enterprise Manager Base Platform / Enterprise Manager Install (Nimbus JOSE+JWT)                                | GitHub

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2021 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Tenable Assure: Announcing the 2021 Global Partner Award Winners


Celebrating the elite defenders who are helping organizations around the world conquer their cyber risk. 

Cybersecurity is always a team effort. Day in, day out, defenders rely on an ecosystem of teams, partners and vendors to address the evolving threat landscape and deliver on a holistic security mission. The recent global shift to remote work, along with the continued adoption of cloud, IoT, mobile and DevOps technologies, has only underscored this need for collaboration. 

At Tenable, we’ve made several key investments in our Tenable Assure partner program to help distributors, resellers and managed security service providers (MSSP) better support end-user organizations with the tools they need to understand and reduce cyber risk. It was an honor to see these efforts recognized by CRN in its 2021 Five Star Partner Program Guide in the cybersecurity space. Some of our recent game-changing updates include:

  • Simplified deal registration that removes minimum license counts on eligible products, making it easier to achieve protection and incumbency on Tenable opportunities.

We are also seeing a great balance of both Tenable-sourced and partner-sourced business, highlighting the success that active Tenable Assure partners are experiencing in bringing new customers into the fold and helping more organizations protect their ever-expanding attack surface.

Announcing the 2021 Global Partner Awards

As part of our ongoing channel commitment, we’re excited to launch a new initiative to champion our Tenable Assure community and highlight those partners who have gone above and beyond in their respective regions and categories.

Our first annual Global Partner Awards includes six categories that recognize the success of Tenable’s highest-performing distributors, resellers and MSSP partners over the previous calendar year, from January 1—December 31, 2020. 

We hope these awards foster some friendly competition, as well as a renewed commitment to sharing best practices that can help more customers evolve from one-off vulnerability scanning and assessment to an ongoing, risk-based vulnerability management program. 

When more channel partners are winning more business, it means that more organizations around the world are leading the way in eliminating unacceptable risks and proactively managing their cyber exposure.

And the winners are….

Without further ado, here are the Tenable Assure partners who had a record year in 2020.

Top New Business Partner

  • Latin America: ISH Technologia
  • North America: Optiv
  • Europe, Middle East and Africa: Softcat

Top Breakthrough Partner

  • LATAM: BVS TV SA
  • N. America: DeFY Security
  • EMEA: Dimension Data South Africa

Top Regional Partner

ISA Cybersecurity

Top MSSP Partner

  • LATAM: Scitum
  • N. America: eSentire
  • EMEA: Fujitsu

Top Distributor

  • LATAM: Adisec Brasil
  • N. America: Ingram
  • EMEA: Arrow Denmark

Top Overall Partner

  • LATAM: ISH Technologia
  • N. America: SHI
  • EMEA: Softcat

Ready to step up your game? Join us at AssureWorld on May 12

The Tenable Assure team congratulates all of our 2021 Global Partner Awards winners! And we’re excited to see how everyone continues to push and exceed their goals in the months ahead.

This year, Tenable is going all-in on our channel efforts. Partners can now register for our upcoming virtual AssureWorld conference on Wednesday, May 12, where you can:

  • Hear directly from Tenable’s leadership on their strategy and vision for 2021
  • Ask subject experts about our latest product updates and go-to-market strategies
  • Compete for prizes on our live leaderboard that will be tracking engagement points throughout the day

Register now to save your spot and learn how you can uplevel your cyber exposure strategy in the year ahead. 

Congratulations again to the winners, and we’ll see you soon at AssureWorld!

Register for AssureWorld

Securing Active Directory: 3 Ways to Close the No-Password Loophole


Any Active Directory user can have their password requirements negated with a simple command. Here’s how to identify these gaps before an attacker does.

With Active Directory being around for so long, organizations and administrators get complacent with what they “think” is in place, which can lead to major security issues being exposed. Let’s take the fact that any Active Directory user can have their password requirements completely negated with a simple command. This setting is not obvious and can be missed during a security review or audit.

First, let’s see how this setting can be configured for a user, from a command line running as an administrator:

Net user <username> /passwordreq:no

Yes, it’s that simple! Now, how would you see such settings per user so you can then secure the accounts? There are a few options.

Saved Query in Active Directory Users and Computers (ADUC)

Create a new Saved Query that has a custom LDAP (Lightweight Directory Access Protocol) search like the following (also shown in Figure 1):

(&(&(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))))

Custom LDAP search using Saved Queries

Figure 1. Custom LDAP search using Saved Queries to find users with no password required.


PowerShell

Using the Active Directory Module for PowerShell, you can also use the following (the filter tests bit 32, PASSWD_NOTREQD, of userAccountControl):

Get-ADUser -Filter "userAccountControl -band 32"

Tenable.ad

The above options for retrieving the list of users with no required password are easy, but they are only point-in-time solutions. You would need to constantly run and evaluate the output to ensure that no additional users have been configured to not require a password. Better yet is a real-time solution that constantly looks for these users and alerts you as needed. Enter Tenable.ad. (See Figure 2.)

Deviant elements notification in Tenable.ad

Figure 2. Tenable.ad can email you when a user is set to not require a password.


The fix for any user that does not require a password is to set the user account to require one. This is simple:

Net user <username> /passwordreq:yes

I strongly encourage you to verify if any users are allowed a blank password and to fix this loophole before someone else in the environment tries to attack these settings.

For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.

This blog post originally appeared on the Alsid website on July 14, 2020.

Securing Active Directory: How to Prevent the SDProp and adminSDHolder Attack


Attackers can get into your Active Directory by leveraging the SDProp process and gaining privileges through the adminSDHolder object. Here's how to stop them.

Attackers use every possible trick and process they can to get into your Active Directory environment by moving laterally and gaining privileges. One such method is to leverage the Security Descriptor Propagation (SDProp) process and gain privileges through the adminSDHolder object.

The brief history of the SDProp process goes back to the early 2000s. Administrators were breaking the privileged groups in Active Directory whenever a privileged group’s access control list was changed in error. Microsoft fixed this by introducing the SDProp process, which uses the adminSDHolder object’s access control list (ACL) together with the adminCount attribute of both users and groups.

The process works like this:

  1. Every 60 minutes, the SDProp process runs.
  2. The SDProp process copies the ACL from the adminSDHolder object, shown in Figure 1.
  3. The ACL from adminSDHolder is then pasted onto every user and group with an adminCount = 1, as you can see in Figure 2.

Figure 1. adminSDHolder object ACL.

Figure 2. Group with adminCount = 1.

You can see this process in action by looking at the replication trail flow between domain controllers (Figure 3).

Trail flow of SDProp process updates in Tenable.ad

Figure 3. SDProp process updates the ACL on all users and groups with adminCount = 1.

Attackers realized that if they added a rogue user or group to the adminSDHolder ACL, the next run of the SDProp process would add that principal to the ACL of every privileged user and group automatically. Even if the rogue user or group was manually removed from the ACL of a privileged user or group, the SDProp process would add it back 60 minutes later.

Thus, it is necessary to constantly evaluate the adminSDHolder ACL and accounts that have an adminCount = 1 (but shouldn’t), as these are attack pathways into Active Directory.

Tenable.ad is constantly looking at these attack pathways and will send an alert when one opens. You can see this in the Indicators of Exposure (IoE) shown in Figure 4.

Indicators of Exposure within Tenable.ad

Figure 4. IoEs clearly show attacks using the SDProp process and adminCount attribute.

Being able to see all aspects of an attack in real time enables the security team to react swiftly to prevent any further damage in Active Directory and safeguard the controls and information that users have access to.

For more information on this topic and strategies for strengthening your own Active Directory security, visit our Tenable.ad product page.

This blog post originally appeared on the Alsid website on July 14, 2020.


How to Stop the Kerberos Pre-Authentication Attack in Active Directory


Here’s a look at how to safeguard your Active Directory from the known roasting attack on Kerberos Pre-Authentication.

As part of the Kerberos authentication process in Active Directory, there is an initial request to authenticate without a password. This is an artifact left over from Kerberos versions earlier than Kerberos 5. In these earlier versions, Kerberos would allow authentication without a password.

Now, in Kerberos 5, a password is required, which is called “Pre-Authentication.” When looking at the Kerberos exchanges during log-on, you will initially see an AS-REQ (Authentication Server Request) followed by a Kerberos error, which will state that pre-auth is required.

This is where the attack is initiated. But it does require that the user account setting is toggled to negate the need for Kerberos Pre-Authentication. You can see the setting here in Figure 1.

Figure 1. User account configured to not require Kerberos Pre-Authentication.

The attack is referred to as an AS-REP roasting attack. To understand how it works, let’s look at the normal Pre-Authentication process. The encryption key for the AS-REQ process is a timestamp encrypted with the user’s password hash. If the timestamp of the AS-REP (Authentication Server Reply) is determined to be within a few minutes of the KDC’s (Key Distribution Center) time, the KDC will issue the TGT (ticket-granting ticket) via AS-REP. 

However, if Pre-Authentication is not required, the attacker can simply send a fake AS-REQ, to which the KDC will immediately send the TGT because there is no password required. The AS-REP will include the TGT, along with some additional data that is encrypted with the user’s key (aka, the password hash), which can be obtained from the data and cracked offline. 

Ideally, you don’t want user accounts to bypass this Pre-Authentication, so be sure to look for any users that have this set. You have many options, but the main two are:

1) PowerShell

Get-DomainUser -PreauthNotRequired

2) LDAP (Saved Query)

(&(&(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))))

Of course, Tenable.ad will also flag any user that has this insecure setting, as clearly it opens up an attack pathway into Active Directory, as shown in Figure 2.

Tenable.ad flags user accounts that don't require Kerberos Pre-Authentication

Figure 2. Tenable.ad flags user accounts that don’t require Kerberos Pre-Authentication.

Although this is a known attack, which is why Microsoft added the pre-authentication control in Kerberos 5, the setting might still be misconfigured for some users in Active Directory.
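The bit test behind both Saved Query filters in these two posts (32 for no password required, 4194304 for no Kerberos Pre-Authentication), as an added example that is not from the original posts: it rebuilds the same LDAP filter for any userAccountControl flag and runs the equivalent check offline over records as an LDAP search or Get-ADUser would return them. The sample records are constructed, and Set-ADAccountControl -DoesNotRequirePreAuth (Active Directory module) is assumed as the remediation for the pre-authentication flag, which the posts do not show.

```python
"""Added example, not from the original posts: decode userAccountControl and
find the two weaknesses the posts describe (PASSWD_NOTREQD and
DONT_REQUIRE_PREAUTH) over records as an LDAP search or Get-ADUser would
return them. The sample records below are constructed."""

# userAccountControl bit values (decimal), as used in the posts' LDAP filters
UAC_FLAGS = {
    "SCRIPT": 1,
    "ACCOUNTDISABLE": 2,
    "LOCKOUT": 16,
    "PASSWD_NOTREQD": 32,              # blank password permitted
    "NORMAL_ACCOUNT": 512,
    "DONT_EXPIRE_PASSWORD": 65536,
    "TRUSTED_FOR_DELEGATION": 524288,
    "DONT_REQUIRE_PREAUTH": 4194304,   # Kerberos pre-authentication not required
}
PASSWD_NOTREQD = UAC_FLAGS["PASSWD_NOTREQD"]
DONT_REQUIRE_PREAUTH = UAC_FLAGS["DONT_REQUIRE_PREAUTH"]

# Matching-rule OID for bitwise AND, the one in the posts' Saved Query filters
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def ldap_bit_filter(flag: int) -> str:
    """The Saved Query filter from the posts, generalised to any UAC flag."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag}))")


def decode_uac(uac: int) -> set:
    """Names of every known flag set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if uac & bit}


def audit_uac(records: list) -> list:
    """Return (sAMAccountName, flag, enabled) for each weak setting found.
    'enabled' lets a reviewer prioritise live accounts over disabled ones."""
    findings = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        enabled = not (uac & UAC_FLAGS["ACCOUNTDISABLE"])
        for name in ("PASSWD_NOTREQD", "DONT_REQUIRE_PREAUTH"):
            if uac & UAC_FLAGS[name]:
                findings.append((rec["sAMAccountName"], name, enabled))
    return findings


def remediation(finding) -> str:
    """Command that clears the flag: the posts' net user switch for blank
    passwords; Set-ADAccountControl (AD module, assumed here) for pre-auth."""
    account, name, _ = finding
    if name == "PASSWD_NOTREQD":
        return f"net user {account} /passwordreq:yes"
    return f"Set-ADAccountControl -Identity {account} -DoesNotRequirePreAuth $false"


# Constructed sample records (values chosen to exercise each branch)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},         # normal account
    {"sAMAccountName": "svc-legacy", "userAccountControl": 544},    # 512 + 32
    {"sAMAccountName": "bob", "userAccountControl": 4194816},       # 512 + 4194304
    {"sAMAccountName": "old-temp", "userAccountControl": 4194850},  # 512 + 2 + 32 + 4194304 (disabled)
]

if __name__ == "__main__":
    print(ldap_bit_filter(PASSWD_NOTREQD))
    print(ldap_bit_filter(DONT_REQUIRE_PREAUTH))
    for finding in audit_uac(SAMPLE_USERS):
        print(finding, "->", remediation(finding))
```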

For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.

This blog post originally appeared on the Alsid website on July 14, 2020.

Primary Group ID Attack in Active Directory: How to Defend Against Related Threats


The Primary Group ID in Active Directory, created to help manage access to sensitive resources, has become a critical vulnerability that attackers can exploit to escalate privileges without leaving a trace.

The Primary Group ID in Active Directory was originally developed to support the UNIX POSIX model and integration for controlling access to resources. Traditionally, the PrimaryGroupID attribute for a user needed to match the RID (or relative identifier) of the group with which the user must be associated. By default, all Active Directory users have a PrimaryGroupID of 513, which is associated with the Domain Users group.

However, if the user needed to be seen as a Domain Admin for POSIX, the PrimaryGroupID needed to be 512, the RID for that group. The Enterprise Admins group, 519, is also used to grant this level in POSIX.

The caveat is that Active Directory’s built-in management tool, Active Directory Users and Computers (ADUC), requires users to have membership in the group used for the PrimaryGroupID, so a standard user could not be seen as a privileged user without actually being in the privileged group. Even today, when you attempt to move a user with a privileged PrimaryGroupID out of the group the ID represents, Active Directory will not allow you to do so. Similarly, a user who is not in a privileged group cannot have the PrimaryGroupID modified manually to be a privileged group’s ID.

The PrimaryGroupID attribute is not used much anymore, as newer technologies such as Identity Management for Unix (IdMU), Services for Network File System (NFS) and Services for Unix-based Applications (SUA) no longer need this attribute. Ideally, the value should be set to 513, which is the Domain Users group. The value cannot be blank, as Active Directory uses it to generate the initial group assignment during the user creation process, to make sure the user will receive a set of minimum permissions.

However, there are some attacks, such as DCShadow, which can alter the PrimaryGroupID attribute for a user to be 512 or 519, even though the user is not in one of the privileged groups. This attack, which does not create events in the log, is stealthy, persistent and difficult to detect. 

Therefore, it is necessary to have a security solution that can detect when the PrimaryGroupID of users changes and when a DCShadow attack occurs. Tenable.ad is a solution that can continuously detect both of these attacks in real time, as you can see by the solution’s Indicators of Exposure shown in Figure 1.

Indicators of Exposure in Tenable.ad

Figure 1. Tenable.ad can detect both a DCShadow attack and modification of the PrimaryGroupID for users.

Being able to see different components of an attack in real time allows the security team to react with swift precision to stop adversaries in their tracks.
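An offline object-level check for the two conditions described in this post and in the SDProp post above (a PrimaryGroupID that is not 513, critical when it is a privileged RID, and an adminCount = 1 account that is in no protected group), as an added example that is not from the original posts. The user and group objects, domain SID and group names are constructed placeholders; the protected-group list is an assumed subset of the default adminSDHolder set.

```python
"""Added example, not from the original posts: offline checks for the
Primary Group ID and adminCount conditions the posts describe, over
constructed AD objects (names and SIDs here are placeholders)."""

DOMAIN_USERS_RID = 513
# Well-known RIDs of the groups the post names, plus Schema Admins
PRIVILEGED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins", 518: "Schema Admins"}
# Groups whose members SDProp marks with adminCount=1 (assumed subset of the defaults)
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "Account Operators", "Server Operators",
                    "Backup Operators", "Print Operators"}


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of an objectSid such as S-1-5-21-...-512."""
    return int(sid.rsplit("-", 1)[1])


def effective_groups(user: dict, groups: list) -> set:
    """Names of every group the user belongs to: explicit member links, the
    primary group implied by primaryGroupID, and any groups nested above them.
    Membership through primaryGroupID is not written to the group's member
    attribute, which is why tooling that reads only member/memberOf misses it."""
    by_dn = {g["distinguishedName"]: g for g in groups}
    by_rid = {rid_from_sid(g["objectSid"]): g for g in groups}
    todo = [g for g in groups if user["distinguishedName"] in g["member"]]
    primary = by_rid.get(int(user["primaryGroupID"]))
    if primary is not None:
        todo.append(primary)
    seen = set()
    while todo:
        g = todo.pop()
        if g["distinguishedName"] in seen:
            continue
        seen.add(g["distinguishedName"])
        # climb one level: every group that lists this group as a member
        todo.extend(p for p in groups if g["distinguishedName"] in p["member"])
    return {by_dn[dn]["name"] for dn in seen}


def audit(users: list, groups: list) -> list:
    """Return (sAMAccountName, severity, issue) tuples."""
    findings = []
    rid_to_name = {rid_from_sid(g["objectSid"]): g["name"] for g in groups}
    for u in users:
        pgid = int(u["primaryGroupID"])
        if pgid != DOMAIN_USERS_RID:
            name = rid_to_name.get(pgid, "unknown group")
            severity = "critical" if pgid in PRIVILEGED_RIDS else "medium"
            findings.append((u["sAMAccountName"], severity,
                             f"primaryGroupID={pgid} ({name}), expected 513"))
        if int(u.get("adminCount", 0)) == 1 and not (effective_groups(u, groups) & PROTECTED_GROUPS):
            findings.append((u["sAMAccountName"], "high",
                             "adminCount=1 but no protected-group membership"))
    return findings


# Constructed sample directory (placeholder SID and names)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "CN=Users,DC=example,DC=test"


def _group(name, rid, members=()):
    return {"name": name, "distinguishedName": f"CN={name},{BASE}",
            "objectSid": f"{DOMAIN_SID}-{rid}", "member": list(members)}


def _user(name, pgid, admin_count=0):
    return {"sAMAccountName": name, "distinguishedName": f"CN={name},{BASE}",
            "primaryGroupID": pgid, "adminCount": admin_count}


SAMPLE_USERS = [
    _user("alice", 513),          # default, nothing to report
    _user("mallory", 512),        # privileged RID written directly, no member link
    _user("bob", 513, 1),         # stale adminCount, in no protected group
    _user("carol", 513, 1),       # adminCount justified via a nested group
]
SAMPLE_GROUPS = [
    _group("Domain Users", 513),
    _group("Tier0-Ops", 1105, [f"CN=carol,{BASE}"]),
    _group("Domain Admins", 512, [f"CN=Tier0-Ops,{BASE}"]),
    _group("Enterprise Admins", 519),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_GROUPS):
        print(finding)
```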

For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.

This blog post originally appeared on the Alsid website on July 14, 2020.

Insider Threats in Active Directory: How to Safeguard Privileged and Non-Privileged User Accounts


In this post, we define privileges related to Active Directory and highlight the key security risks of internal privileged and non-privileged user groups.

What do we mean by “privileges”?

For the purpose of this blog, I am defining privileges that are related to Active Directory and the objects stored within the database. Examples of privileged users include those with membership to the Domain Admins, Enterprise Admins, Group Policy Creator Owners, Account Operators and similar groups. They also include users that have delegated permissions over Active Directory, such as the ability to reset passwords and modify group membership.

I don’t want to negate the other privileges within a Microsoft Windows environment, such as user rights, Group Policy Object (GPO) delegations and service permissions. But those aren’t the focus here.

What can an internal non-privileged user do?

An internal non-privileged user is typically an end-user. This individual will not have any capabilities to modify Active Directory. We could dive into the concept of whether or not the user has administrative privileges over their desktop, but for the purpose of this blog, let’s assume the user is a local administrator.

In this scenario, the user has quite a bit of power to install and run applications from their computer. Not all Active Directory interrogation tools require a local administrator, but in many cases they do. This user has the ability to conduct reconnaissance on the entire Active Directory domain, and beyond. Since the user has an Active Directory user account, the user has read access to the entire Active Directory database. Of course, the user can’t dump out all of the passwords for domain users. (That is not the level of read access provided.) However, they can obtain user, group, computer, GPO and trust details. Here are a few examples of what a user can see:

  • All members of the Domain Admins group
  • The last time a user changed their password
  • Settings in a GPO

If tools like BloodHound are utilized, not only can this user see the objects within the database, but they can get a full mapping of the attack paths for each user to obtain privileges to Active Directory.

What can an internal privileged user do?

Of course, an internal privileged user can do all that a non-privileged user can—and more. It can be a bit confusing why an internal privileged user is a concern. I mean, isn’t this just an Active Directory admin? Not at all.

The issue with an internal privileged user is that they can do anything they want… which includes creating backdoors, changing settings without being tracked, obtaining security information without generating an event log, and more. Also, the internal privileged user might not be an employee of the company; this could be a service account or an outside attacker that has compromised an internal account.

The entire game changes when we start introducing attacks like DCSync and DCShadow (available in Mimikatz), both of which bypass many of the auditing, tracking and event logging solutions on which IT and security teams rely. Organizations require a much deeper solution to “see” that these attacks are happening.

How you can take action

As we can’t go deep into the attacks that both non-privileged and privileged users can perform, I want to leave you with an action you can take to help secure both of these internal user groups. 

For non-privileged users, make sure you remove their local administrative privileges on their computer. For privileged users, make sure that all privileged groups (e.g., built-in, service, application and custom) have the correct members; this includes any nested groups, too. It is also important to ensure that all Active Directory delegations are correct. Again, this includes not only the direct access control list (ACL), but any nested groups within groups listed on the ACL (referred to as EFFECTIVE permissions).

For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.

This blog post originally appeared on the Alsid website on August 5, 2020.

The Top 10 Active Directory Security Questions CISOs Must Ask


Active Directory has become the primary target for advanced cyberattacks and ransomware groups. Here's what you should consider when evaluating security vendors.

For more than 20 years, Active Directory has formed the backbone of digital infrastructure for organizations worldwide. When fully operational, its purpose goes beyond just governing authentication and passwords to managing the crucial access control rights for almost every organizational asset.

Active Directory is by no means a static software system, and its universal adoption is a testament to its ability to adapt and meet ever-changing business requirements. A modern organization’s architecture can change instantly. And Active Directory security hygiene can get ugly fast if not managed or secured properly. 

With inefficient Active Directory management, access control gaps arise, allowing non-privileged users easy access to data that is not meant for them. But that is just the beginning, for Active Directory is now the major target of advanced attackers and ransomware groups.

Just as one falling domino can start a chain reaction, one change in Active Directory can snowball into further unexpected consequences. Eventually, this creates a hidden attack pathway in the directory. What if there were multiple attack pathways? How can a single attack pathway be detected before others surface? Are you currently able to see this activity on your own systems?

Active Directory must scale with your business in resilience and security capability. The reality is that as the demands on Active Directory grow, the service will very often devolve to an insecure, non-compliant state, becoming an organizational risk rather than a trusted platform facilitating business optimization and growth.

Enforcing Active Directory security in these circumstances is paramount, but only after the most pressing questions are answered. Not all so-called Active Directory security solutions are created equal, so we have assembled 10 fundamental questions we believe will help your decision-making process.

1. Does the vendor install agents on the Active Directory and are privileged rights required?

No security professional wants to give access to a system they spend their days maintaining. The same goes for an IT administrator who manages a complex system like Active Directory. Part of that management is ensuring that Active Directory control is not provided freely to any third party or external source. Control and privileged rights access are usually given through the deployment of agents that act under a “trust-based” jurisdiction. This ultimately gives access to view, modify or change objects. But the installation of an agent should not be a requirement for enabling Active Directory security on the domain controller, or any endpoint for that matter. Knowing the importance of Active Directory within an organization, your administrators should not feel comfortable with vendors requiring mandatory access to the directory. The installation of agents and the surrender of privileged rights imply that access to confidential corporate data is open.

It is imperative to guarantee that privileged rights to Active Directory are not surrendered and that platforms are unable to alter or modify objects. Currently, there are only a limited number of auditing solutions for Active Directory, providing little protection and only capable of monitoring and reporting on attacks after they have occurred. These auditing solutions may include agent deployments on domain controllers, which lead to partial or full control over the status of Active Directory objects. There is no reason why any third parties should require open access to these objects. Also, some agent-based Active Directory security solutions have strict update requirements to be supported regularly, and sometimes even the .NET Framework must be installed (including on the domain controller).

2. Does the vendor display information in real time?

Picture driving a car. A real-time warning system should alert you when a dangerous, oncoming driver is approaching, not after the driver hits your car. Likewise, you would want to be alerted of brake failure before you start your car, not after you’re already on the road. In the world of Active Directory security, real-time alerting is mission critical. A real-time solution must detect and alert you to ongoing configuration changes that affect security measures of the Active Directory, as well as provide recommended steps for remediation. With real-time visibility, you can validate a proactive approach to monitoring and detection, deterring attackers who sit for months within target networks waiting for the right Active Directory attack pathways to appear.

3. Is the vendor compatible with all Active Directory versions, as well as Azure AD?

Over the past 20 years, Microsoft has released upgraded versions of the Active Directory platform. One of the primary changes is the on-prem vs. cloud scenario. A platform should be able to connect with and support both on-prem and Azure Active Directory (Azure AD) components.

In addition, Active Directory has been stuck in the Dark Ages when it comes to directory configuration. Configuration upgrades have taken place periodically or not at all. As such, platforms should incorporate indicators of exposure to evaluate how “clean” the on-prem component of Azure AD (aka Azure AD Connect) is. Generally, an Active Directory security platform must be fully compatible with Azure AD Domain Services, which itself is the AD Managed Service by Microsoft.

4. Does the vendor rely on event logs or object changes to provide analysis?

Trying to secure Active Directory continually with event logs is difficult and cannot provide 100 percent visibility.

To stay up to date, you need to have dedicated Active Directory security experts constantly surveying the threat intelligence space, discovering your misconfigurations that could be leveraged in attacks, understanding the event logs used to detect attacks and creating rules to extract the specific configuration event log from the full stream of all event logs. This is expensive, difficult and inefficient.

There are, on average, 10 to 20 new toxic Active Directory configurations released or discovered each year.

What’s more, attackers are now conducting attacks that do not create event logs (such as DCShadow), or they are turning off event logs in the Active Directory via system access control list (SACL) modification so they can make changes without leaving a trace.

All this means that event logs can no longer be trusted to give a full view of what is happening in Active Directory. The only way to accomplish this is by analyzing the object level in the Active Directory database, which is precisely what Tenable.ad achieves. Moreover, Tenable.ad automatically includes updates when new toxic configurations are released so they can be detected at the object level. Simply put, the attacker cannot hide.

5. Does the vendor proactively identify dangerous misconfiguration attack pathways out of the box?

Recall the car-and-driver analogy. Similarly, built-in anticipation within an Active Directory security platform provides several benefits that can increase the likelihood of breaking potential attack pathways. Built-in anticipation enables a proactive approach to Active Directory security, rather than the reactive method that is used by the vast majority of existing solutions.

The most common way Active Directory gets hacked today is through misconfigurations in the software that are used to escalate privileges or propagate ransomware. Therefore, the most effective method to secure Active Directory is to continuously detect and remediate dangerous configurations as soon as possible once they appear. Tenable.ad provides security teams with this powerful advantage.

Active Directory is constantly evolving, with potentially hundreds of changes occurring every minute. Any of these changes could open your environment to adversaries, such as backdooring techniques (e.g., AdminSDProp modification) and credential dumping techniques (e.g., Kerberos roasting attack).

Tenable.ad quickly and simply enables proactive, comprehensive security to continuously harden Active Directory, including Group Policy Objects (GPOs). As cyberattacks increasingly exploit dangerous Active Directory misconfigurations, the ability to detect and remediate new misconfigurations before they can be weaponized is key. Detecting them after the fact has little value.

With Tenable.ad, you can continue to detect the most complex Active Directory attacks without draining your security team’s resources.

6. Can the vendor provide in-context security information in real time?

It is not enough to simply display the specific deviance for an Active Directory object, as this view provides limited “global” information. This data will not reveal where the specific problem is coming from.

An incriminating object needs a detailed, accurate explanation of the security issue and, where relevant, to show how multiple security issues relate to each deviant object. You should be allowed to individually select each separate security problem from one specific object and address it independently. Coupled with the detailed information explaining how to fix these complex security issues, Tenable.ad empowers clients to proactively harden their Active Directory.

Tenable.ad enables continuous detection and remediation at the object level, providing real-time, in-depth explanations of each detected Active Directory security event, why it is dangerous and how to fix it.

By detecting Active Directory attack pathway misconfigurations, attacks like Pass-the-Hash, GoldenTicket, DCShadow and DCSync can be stopped before they begin.

7. Does the vendor detect advanced Active Directory attacks in real time out of the box?

From a detection viewpoint, cyberattacks are becoming more complex. While the types of attacks are diverse and numerous, there are specific attack types that primarily target the Active Directory.

Tenable.ad detects standard attacks like password spraying out of the box, as well as the much more complex and difficult-to-detect attacks like DCShadow. The most advanced attackers will run stealthy attacks that switch off event logs to allow them to establish persistent access to the Active Directory via backdoors. Tenable.ad also detects these complex Active Directory backdoors in real time, right out of the box.

Remember that real-time detection alone is not enough and should be followed by an easy-to-understand set of remediation steps that provide a non-security-focused administrator with the ability to take the recommended actions.

8. Does the vendor enable forensics and threat hunting at the object level?

While you should not give out access or control over an Active Directory object, you still want to get accurate information at the object and attribute levels. Organizations need a platform with a built-in trail flow interface that detects and displays in real time such detailed information and changes. This advanced monitoring and alerting should be supported along with relevant steps to fix any changes that may create attack pathways.

Recall those 10 to 20 new toxic configurations that are discovered in Active Directory each year. Since Tenable.ad captures and stores every object change once connected, this data can be easily accessed for threat hunting at the object level, including extensive object attribute visibility.

Access to real-time, accurate and relevant security analytics specific to Active Directory is paramount to ensuring that IT and security teams see a realistic picture of their Active Directory security posture. Dashboards should include a security view of Active Directory, as well as compliance scores, attack numbers and information flow with graphs highlighting the constant evolution of related security metrics. 

9. Can the vendor visualize security attack pathways for easier analysis?

The original authors of Tenable.ad conducted the advanced Active Directory security research used to develop BloodHound. The Tenable.ad topology graph provides a unique and intuitive way of exploring Active Directory security attack pathways, including hidden or unintended relationships, visually and continuously against existing data.

Your security teams can explore trust relationships and interconnections against all existing ones mapped by Tenable.ad. These connections highlight the communication that takes place between the various Active Directories a client may have and are color-coded to highlight the varying degrees of safe and dangerous trust relationships.

10. Can the vendor integrate with other security solutions?

No organization can be 100 percent secure. However, crucial security steps and technologies at various organization layers need to be implemented to stay a step ahead of attackers. Perimeter and endpoint security solutions are vital instruments as outer-layer security, but they do not possess the ability to protect the core of an organization: Active Directory. Likewise, an application consisting of only access controls could not halt anyone who has deliberately or mistakenly been granted open access to an entire network.

Having the ability to run numerous, integrated security solutions simultaneously is the only way an organization can truly protect its outer and inner core. The ability to integrate via email, Syslog and APIs is essential, as is the ability to have alerts correlated with security information and event management (SIEM) tools and even security orchestration, automation and response (SOAR) platforms, all of which Tenable.ad provides out of the box.

To learn how Tenable.ad can help continually secure and protect your Active Directory, check out our product overview.

This blog post originally appeared on the Alsid website on August 20, 2020.

How to Migrate to Office 365 the Secure Way


Looking to extend your Active Directory to the cloud? This guide explores options for securely migrating your on-prem identities and access controls to Office 365. 

Cloud computing offers lower costs, better flexibility and greater capacity beyond the limited resources most organizations have in their data centers.

But migrating data and extending user identities to the cloud is not risk-free. Compromising user identities in the cloud can lead to very immediate exposure of sensitive files that are de facto accessible directly on the internet.

Depending on the way data and users have been migrated, attackers can also leverage footholds in on-prem Active Directory to gain access to cloud data, and vice versa.

In this guide, we look at the different options for extending on-prem Active Directory to Office 365, then we discuss the available defense tactics for both environments.

Why manage access to Office 365 using Active Directory?

Customers can manage Office 365 using cloud-only identities in Azure Active Directory (Azure AD), a fully-managed identity and access service that is primarily designed for cloud-first applications.

This model suits organizations that have no investment in on-prem Active Directory. But organizations that already control access to on-prem resources using Windows Server Active Directory don’t want to manage an additional cloud-only directory separately. And who can blame them? It results in two identities for each user, which increases costs and effort for both users and IT.

Extending on-prem Active Directory to the cloud solves this problem by centralizing user identities in one directory, plus it provides some additional advantages, like seamless single sign-on and self-service password resets. There are several different models for extending Active Directory to the cloud, each with varying levels of complexity and risk.

How to extend Active Directory identities to Office 365

Password Hash Sync (PHS)

Password Hash Sync within Azure AD Connect is the simplest way to leverage existing on-prem directories, and it is best suited to organizations that want a quick and easy way to extend Active Directory to the cloud. PHS isn’t the best option if you need to replicate all of Active Directory’s features for cloud users.

With PHS, users can log into Office 365 with their on-prem Active Directory username and password, since PHS synchronizes password hashes to Azure AD. Conceptually, a hash is an encrypted version of a user’s password; cleartext passwords are never synchronized to the cloud. When a user logs into Office 365, their password hash is compared to what is stored in Azure AD to see if it matches. If there is a match, access is granted. If a user resets their on-prem Active Directory password, the resulting hash is synchronized to Azure AD so the same password can be used to access cloud and on-prem resources.

In contrast to cloud-only identities, PHS enables IT to manage a single set of identities for accessing both on-prem and Office 365 resources. PHS also provides single sign-on capability so that when users are signed into on-prem Active Directory, they are also signed into Office 365 without any additional action. Other key advantages are that no on-site infrastructure is required and users can continue to log into Office 365 even if on-prem Active Directory is unavailable.

But unlike the other models, adopting PHS by itself means that some Active Directory features cannot be used in the cloud. For example, user log-on hours are not supported, so organizations can’t use Active Directory to restrict when users access Office 365 resources. Furthermore, changes to user state are not replicated immediately to Office 365. If you disable an Active Directory user account, access to Office 365 is not blocked instantly, which in itself is a major security drawback.

Pass-through Authentication

Pass-through Authentication (PTA) is designed for organizations that need more control but don’t want the overhead of a federated architecture. PTA requires some on-site infrastructure, so it isn’t suitable for small organizations with no IT support. Instead of synchronizing password hashes to the cloud, PTA uses one or more agents installed on-prem to validate user credentials directly with Active Directory.

Unlike PHS, PTA immediately enforces on-prem user account states, password policies and log-on hours. Like PHS, PTA provides single sign-on capability. But PTA doesn’t work with leaked credential risk events or support Azure AD Connect Health integration, two important built-in security features that should be part of any Azure AD hygiene routine.

Federated Authentication (possibly combined with PHS) 

The final option is to use a federation service, either a third-party or the Active Directory Federation Services component built into Windows Server. Federation is suitable for large organizations that want to take advantage of all the security features supported by Active Directory. It is not suitable for small organizations because it is complex to set up and maintain. 

Federated authentication uses a trusted third-party to perform authentication duties, and it can integrate with different systems to provide additional value, like smartcard authentication and third-party multifactor authentication. But some advanced features of Azure AD, such as identity protection, require PHS. It is possible to combine federated authentication with PHS if your organization needs advanced Azure AD features or a means of signing into Office 365 in the event the federated authentication provider or Active Directory fails.

Extending Active Directory to the cloud involves risk

The authentication models described above, except for cloud-only identities, all provide single sign-on for users and a single set of identities for IT to manage. But with convenience comes risk. And while some attacks are targeted, many are arbitrary. So, even if you believe that your organization is not at risk or has nothing worth stealing, it doesn’t mean you won’t be compromised.

Password attacks

Because Office 365 is exposed to the public internet, it is open to brute-force attacks in which login attempts are repeated sequentially in the hope of discovering the correct password. Password spray attacks are similar but affect multiple users so that account lockout mechanisms aren’t triggered. Attacks can also result in denial-of-service (DoS) where users are unable to access Office 365.
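One way to tell the two patterns apart in sign-in data, as an added example that is not code from the original post: a brute-force source piles failures onto one account, while a spray source spreads a few failures across many accounts to stay under the lockout threshold. The log lines and their field layout are constructed for illustration and are not the Azure AD sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records: "<timestamp> <user> <source_ip> <result>".
# 203.0.113.10 hammers one account (brute force); 198.51.100.7 tries one
# guess against many accounts (spray); 192.0.2.44 is a typo followed by success.
SAMPLE_LOG = """\
2021-05-10T08:00:00Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:03Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:06Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:09Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:12Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:15Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:18Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:21Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:24Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:00:27Z alice@example.com 203.0.113.10 FAILURE
2021-05-10T08:01:00Z bob@example.com 198.51.100.7 FAILURE
2021-05-10T08:01:30Z carol@example.com 198.51.100.7 FAILURE
2021-05-10T08:02:00Z dave@example.com 198.51.100.7 FAILURE
2021-05-10T08:02:30Z erin@example.com 198.51.100.7 FAILURE
2021-05-10T08:03:00Z frank@example.com 198.51.100.7 FAILURE
2021-05-10T08:03:30Z grace@example.com 198.51.100.7 FAILURE
2021-05-10T08:04:00Z bob@example.com 198.51.100.7 FAILURE
2021-05-10T08:05:00Z heidi@example.com 192.0.2.44 FAILURE
2021-05-10T08:05:20Z heidi@example.com 192.0.2.44 SUCCESS
"""


def parse_line(line: str):
    """Split one constructed record into (time, user, source, succeeded)."""
    ts, user, src, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user.lower(), src, result == "SUCCESS"


def analyze_signins(log_text: str, window: timedelta = timedelta(minutes=10),
                    brute_threshold: int = 10, spray_min_users: int = 5,
                    spray_max_per_user: int = 3) -> dict:
    """Bucket failures by time window and source IP, then apply two heuristics.

    brute force:    one source, one account, at least brute_threshold failures
    password spray: one source, at least spray_min_users accounts, none of them
                    failing more than spray_max_per_user times (under lockout)
    """
    window_s = int(window.total_seconds())
    # bucket -> source -> user -> failure count
    failures = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, src, ok = parse_line(line)
        if ok:
            continue  # successes do not feed either heuristic
        bucket = int(when.timestamp()) // window_s
        failures[bucket][src][user] += 1

    findings = {"brute_force": [], "password_spray": []}
    for bucket in sorted(failures):
        for src, by_user in failures[bucket].items():
            for user, n in by_user.items():
                if n >= brute_threshold:
                    findings["brute_force"].append((src, user, n))
            if (len(by_user) >= spray_min_users
                    and max(by_user.values()) <= spray_max_per_user):
                findings["password_spray"].append((src, len(by_user)))
    return findings


if __name__ == "__main__":
    for kind, hits in analyze_signins(SAMPLE_LOG).items():
        print(kind, hits)
```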

Lateral movement from Office 365 to on-prem Active Directory

As an attacker, moving from Azure AD to Active Directory is not trivial. But the results are rewarding enough that defenders should keep it high on their risk list.

Hackers can use a technique called Pass-the-Hash (PtH) to authenticate without knowing a user’s password. However, if an Azure AD hash were compromised, it couldn’t be used to directly authenticate against on-prem Active Directory, since the synchronized hashes are “hashes of hashes.” Therefore, it is not automatic that an attacker could gain access to on-prem systems and data if a user’s identity is compromised through Office 365.

That being said, knowing a user’s login credentials is often the first step to gaining deeper access to intranet servers and data, and attackers are keen on leveraging that incomplete information to progress toward their final target. Human error could also lead to privileged on-prem Active Directory accounts—like those with domain administrator rights—having their password hashes synchronized to Azure AD.

Lateral movement from on-prem Active Directory to Office 365

Conversely, if a user’s on-prem Active Directory identity were compromised, an attacker could gain access to sensitive data stored in Office 365.

In our hybrid context, the security of Azure AD is only as good as the security of the on-prem Active Directory. If an attacker gets a foothold in an organization’s on-prem Active Directory, authenticating to Azure AD is just a matter of time.

Thus, organizations wanting to extend their operations to the cloud should always harden and monitor their on-prem Active Directory as a prerequisite.

Mitigating migration risks

Organizations that move forward with their hybrid cloud strategy must implement strict mitigation tactics for both their Office 365 and on-prem Active Directory infrastructures.

Office 365 security tactics

Choosing the right identity model

While conventional wisdom says that a federated model is the most secure, Password Hash Sync (PHS) is likely the best option for most organizations because of its simplicity and its support for advanced Azure AD security features and threat detection. Organizations that need the features of a federated model can combine it with PHS to get the best of both worlds.

Manage privileged accounts

Users granted Office 365 global administrator rights need to be protected beyond standard Office 365 users because they have access to modify tenant permissions, access data and perform global operations that could affect how Office 365 works. These accounts should be treated much like privileged Active Directory accounts. Additional protections, like multifactor authentication, should always be enabled for Office 365 global administrators.

Implement security tools

Due to the inherent risks of extending any system to the internet, Microsoft provides tools for protecting identities and data in Office 365. But most of the advanced tools and features come at a price and aren’t included in entry-level subscription plans. Security professionals should always keep in mind that none of those solutions alone is sufficient. A good defense results from a consistent collection of technologies tightly sewn together by robust processes and capable people.

Multifactor authentication

Azure Multifactor Authentication (MFA) for Office 365 provides an additional layer of protection by requiring users to confirm their identity with a password and a device in their possession. When enabled, Azure MFA for Office 365 makes it almost impossible for a hacker to access an account even if they know the password or have access to the password hash.

However, Azure MFA for Office 365 does not provide MFA for on-prem Active Directory. Azure MFA is a separate product that has more capabilities, including the ability to secure on-prem Active Directory. It is included in Azure AD Premium Plans for an additional cost.

While MFA is a major step forward in collective security, it is not a silver bullet: If a hacker were to compromise an on-prem Active Directory, they would inevitably have the ability to control local, physical endpoints. In that scenario, said hacker would just have to wait for the host’s user to authenticate legitimately to start moving laterally on-prem or vertically to the cloud.

Conditional Access policies

Conditional Access is a premium service that blocks access to Office 365 unless certain conditions are met, including the use of MFA. Other conditions consist of determining location by IP address, sign-in risk and client application. For example, a policy could allow users to sign in from a predetermined IP address range if they are using Office desktop programs. Keep in mind that none of those solutions is sufficient on its own.

Smart Lockout and custom banned password lists

Smart Lockout is designed to protect identities from brute-force password attacks, and it is available to all Azure AD users. By default, Smart Lockout blocks sign-in attempts for one minute after 10 failed attempts. Accounts are locked again after each successive failed login for one minute, and longer if attempts continue. Hash tracking prevents account lockout if the same incorrect password is entered more than once, provided that PHS synchronization is configured. Additionally, Azure AD Password Protection lets organizations use custom banned password lists for users with premium licenses. Password Protection can also be extended to on-prem Active Directory.
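A simplified model of the lockout behavior just described, as an added example that is not Microsoft’s implementation: 10 failures lock the account for one minute, each further failure re-locks it for a longer period, and a repeat of a recently tried wrong password is rejected without advancing the counter. The threshold and base duration are the paragraph’s values; keeping the last three bad-password hashes is an assumption.

```python
from collections import deque
from datetime import datetime, timedelta, timezone


class SmartLockoutModel:
    """Per-account state machine approximating the Smart Lockout rules above."""

    def __init__(self, threshold: int = 10,
                 base_lockout: timedelta = timedelta(minutes=1),
                 tracked_hashes: int = 3):
        self.threshold = threshold
        self.base_lockout = base_lockout
        self.tracked_hashes = tracked_hashes
        self._state = {}

    def _get(self, user: str) -> dict:
        return self._state.setdefault(user, {
            "failures": 0,           # counted distinct wrong passwords
            "lockouts": 0,           # escalation level
            "locked_until": None,
            "recent_bad": deque(maxlen=self.tracked_hashes),
        })

    def attempt(self, user: str, password_hash: str, correct: bool, now: datetime) -> str:
        """Return 'locked', 'allowed', 'denied' or 'denied-not-counted'."""
        st = self._get(user)
        if st["locked_until"] is not None and now < st["locked_until"]:
            return "locked"  # even a correct password is refused while locked
        if correct:
            st.update(failures=0, lockouts=0, locked_until=None)
            st["recent_bad"].clear()
            return "allowed"
        if password_hash in st["recent_bad"]:
            # hash tracking: the same wrong password again does not advance the counter
            return "denied-not-counted"
        st["recent_bad"].append(password_hash)
        st["failures"] += 1
        if st["failures"] >= self.threshold:
            # first lock lasts base_lockout; every later failure re-locks for longer
            st["lockouts"] += 1
            st["locked_until"] = now + self.base_lockout * st["lockouts"]
            return "locked"
        return "denied"


if __name__ == "__main__":
    model = SmartLockoutModel()
    t0 = datetime(2021, 5, 10, 8, 0, tzinfo=timezone.utc)  # constructed timeline
    for i in range(11):
        print(i, model.attempt("alice", f"wrong-{i}", False, t0 + timedelta(seconds=i)))
```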

Advanced Threat Protection

Office 365 Advanced Threat Protection (ATP) and Threat Investigation provide additional protection against threats in email messages, hyperlinks and collaboration tools. ATP policies can protect against zero-day threats in email attachments, help dynamically block malicious internet links and block infected files shared on SharePoint, OneDrive and Microsoft Teams. There is also anti-phishing protection backed by machine-learning models.

However, ATP is largely a behavior-based technology. It creates statistical models of what is considered “normal” and compares users’ actual activities against their expected behaviors. It is by nature a construct that is either prone to false positives or ineffective, depending on how rigid the statistical model is.

Active Directory security tactics

Best practice configuration

Microsoft’s Server Manager tool includes Best Practices Analyzer (BPA) for identifying issues with Active Directory. BPA reports on security, performance, configuration, policy and operational issues. Organizations can use PowerShell to schedule BPA to run regularly to ensure compliance with Microsoft’s best practices.

The Security Compliance Toolkit (SCT) is a free download from Microsoft that contains security baselines for Windows 10 and Windows Server. The baselines can be used to configure devices with Microsoft’s recommended settings for server hardening. SCT also includes Policy Analyzer, a tool for comparing Group Policy Objects (GPOs) with each other and against local policy and registry settings.

Privileged accounts

Credential misuse is one of the key avenues to Active Directory compromise. Many organizations grant users permanent access to privileged Active Directory groups—like domain admins—to facilitate administrative and support functions. But these accounts can be used to compromise Active Directory, sensitive user accounts and data. 

Security teams should change default permissions to make sure that IT staff don’t need privileged Active Directory accounts to support end-user devices or perform day-to-day administrative tasks. When users are granted privileged access to Active Directory, they should make changes from devices specially purposed for privileged administration.

Furthermore, you should restrict privileged access to domain controllers on an “as-needed” basis. Establish a process to ensure that any proposed changes are approved by stakeholders and that a rollback plan has been tested in the event of a problem.

Using built-in tools like delegation, PowerShell Just Enough Administration (JEA) and Just-in-Time (JIT) Administration, you can also grant privileged access only when needed and for a limited time. Take similar care with servers and end-user devices. The Local Administrator Password Solution (LAPS) can help organizations manage and store administrator passwords.

Monitoring Active Directory

Auditing Active Directory using a tool like BPA can identify configuration issues, but audit data swiftly becomes stale. Security teams must continuously monitor Active Directory to ensure potential threats and breaches are detected.

Defenders also need tools to better analyze this data for the most urgent risks. The Windows Server Event Log collects security, configuration, performance and operational events for Active Directory and Windows. But the information collected is only useful if it is independently analyzed to alert on potential issues. Because the threat landscape is constantly changing, events collected from Active Directory should be analyzed against a threat intelligence feed to make sure that issues are flagged quickly and brought to the attention of IT staff. Unfortunately, this is hardly doable without specialized tooling. 

The security and Active Directory talent pools are already scarce. Hiring a team of professionals that combine both skills is close to impossible. Instead, the use of specialized technologies that can combine Active Directory-focused intelligence feeds and local logs is the only viable solution to monitoring Active Directory at scale.

And we might have a couple insights about choosing the right Active Directory security solution, but that’s a story for later…

This blog post originally appeared on the Alsid website on December 11, 2020.

Disrupting Attack Paths: Why Tenable's Acquisition of Alsid Matters


This acquisition allows us to combine Tenable's ability to assess the state of the digital infrastructure with Alsid's ability to assess the state of Active Directory, helping security professionals answer the question: how secure are we?

Today, with great pride, I'm pleased to announce Tenable's acquisition of Alsid has been approved. Founded in 2016 by Emmanuel Gras and Luc Delsalle, former incident responders from the French National Cybersecurity Agency (ANSSI), Alsid represents the finest of French innovation: a pioneering technology solution which aims to resolve a critical cybersecurity challenge that has been top-of-mind for CISOs and IT leaders for over two decades. Exploiting user privileges via Active Directory is a favorite and predictable tactic used for everything from the most sophisticated compromises to the most quotidian hacks.

The majority of Alsid employees are based in Paris and our presence in France remains a priority for Tenable as we recognize the incredible pool of cybersecurity talent the country has to offer. We welcome Gras and Delsalle to the Tenable management team and we welcome the organization's talented professionals to team Tenable, where we'll work together to continue developing innovative solutions for Active Directory security.

While its roots are in France, Alsid's mission is decidedly global: 90% of the Fortune 1000 use Active Directory as their primary method of user authentication and authorization.

I've personally followed Alsid for some time now and I'm honored to welcome the company into the Tenable fold. Recent events, including the SolarWinds breach and the Microsoft Exchange hack, emphasize the need for Active Directory security. Successful breaches are followed by attacks on Active Directory to escalate privileges, move laterally, install malware, and exfiltrate data. Tenable's acquisition of Alsid positions us to not only enable our existing customer base to reduce cyber risk but also to help expand the potential market for this best-in-class technology. By combining Tenable's ability to assess the state of the digital infrastructure with Alsid's ability to assess the state of Active Directory, we give security professionals in even the most complex enterprise user environments a more holistic view of risk and the ability to predict which issues to fix first.

To that end, I'm pleased to introduce Tenable.ad, a new solution leveraging Alsid technology to secure Active Directory environments and disrupt one of the most common attack paths in both advanced persistent threats and common hacks.

By combining vulnerability and misconfiguration data, threat intelligence and account permissions, Tenable.ad offers users a risk-based, proactive approach to finding and fixing weaknesses in Active Directory. It detects ongoing attacks without the need to deploy agents or leverage privileged accounts.

With Tenable.ad, users can:

  • Discover and map their entire Active Directory attack surface and identify vulnerabilities and misconfigurations as they are introduced 

  • Prioritize their remediation of Active Directory vulnerabilities and misconfigurations 

  • Detect and respond to Active Directory attacks and hunt for threats in the system

  • Measure their Active Directory security posture and active threats at all times


Tenable.ad, now generally available, is a Software as a Service (SaaS) solution with an on-premises deployment option. Existing Alsid SaaS customers have the option of upgrading to Tenable.ad immediately.

Improving Active Directory security is the next critical step in Risk-based Vulnerability Management. By empowering organizations to prioritize their vulnerability management results based on the privileges afforded to each end-user in the system, we're effectively disrupting the attack paths hackers use to install malware, move laterally and exfiltrate data. With Tenable.ad, organizations around the world will be better prepared than ever to answer the critical question: How secure are we?


Disrupting the Pervasive Attacks Against Active Directory and Identities


Securing Active Directory and the identity infrastructure is critical for preventing privilege escalation, lateral movement and attacker persistence.

As we look deeper into recent high-profile breaches, one thing becomes crystal clear: an attacker's ability to impact the identity infrastructure (read: Active Directory) is central to cybersecurity.

Once an attacker gains a foothold in an organization, they can't move any farther without access to a privileged user account. They'll immediately seek out high-level privileges in order to gain access to the information they want in an organization. With privileges, an attacker can create dormant accounts, giving them backdoor access so that even if they are discovered they can return to the environment unnoticed. An attacker can even erase their forensic footprints as they move laterally through an organization's network.

The vast supermajority of large enterprises use Microsoft Active Directory to manage account privileges. Every model we have about how breaches work, everything we know about how advanced threat actors and foreign intelligence services operate, tells us that Active Directory is absolutely critical to answering this question: How secure are we?

Despite its criticality, managing and securing Active Directory is incredibly complex. It's almost impossible to manage Active Directory securely at scale in an enterprise without a tremendous amount of expertise and constant attention.

This is why I'm so excited to announce that Tenable has completed our acquisition of Alsid and is introducing Tenable.ad, a new solution leveraging Alsid technology to secure Active Directory environments and disrupt one of the most common attack paths in both advanced persistent threats and common hacks.  Tenable.ad, now generally available, is a Software as a Service (SaaS) solution with an on-premises deployment option. Existing Alsid SaaS customers have the option of upgrading to Tenable.ad immediately.

With the acquisition of Alsid, Tenable achieves an important milestone in delivering on our Cyber Exposure vision to help organizations understand and reduce cyber risk across the entire modern attack surface. With the introduction of Tenable.ad, our Risk-based Vulnerability Management (RBVM) portfolio expands. Now, Tenable not only enables security professionals to use our vulnerability management tools to identify the vulnerabilities likely to be leveraged in an attack; with Tenable.ad we also enable them to deliver a risk-based approach to Active Directory security by disrupting one of the most common attack paths in both sophisticated compromises and common hacks.

Tenable.ad allows security and IT professionals to find and fix weaknesses in Active Directory before attackers can exploit them. And it allows incident responders to detect and respond to attacks as they're happening.

At its core, Tenable.ad does an incredibly thorough job of auditing and assessing every configuration setting and every entry and relationship within Active Directory. Then, it simplifies these findings and creates prioritized recommendations for IT and security teams to address based on criticality, the relative ease of making configuration changes and the relative ease of implementing recommendations.

Tenable.ad also provides ongoing monitoring for risky activities that might be an indication of a compromise underway. It monitors activities such as:

  • Creation of new administrator accounts;

  • Hiding accounts;

  • Permission changes;

  • Adding new groups;

  • Adding users to groups; 

  • Creating trust relationships;

  • And others. 


What's remarkable about Tenable.ad is that it only requires user-level account access, which means relatively low impact on the IT organization. Tenable.ad does not require any agents to be installed on the domain controllers. It keeps security professionals out of the business of installing software on a sensitive system that could inadvertently disrupt business operations. And Tenable.ad functions without relying on Windows systems logs, which only give a point-in-time view of what's happening in a system and have been bypassed by advanced threat techniques. Instead, Tenable.ad relies on the replication features and functionality native in Active Directory to give security professionals the insights they need to protect user privileges in a dynamic, ever-changing environment.

Tenable.ad delivers the same level of professionalism and accuracy for securing Active Directory infrastructure that Tenable users have come to expect from our best-of-breed vulnerability management platforms for IT and Operational Technology (OT) environments. We're excited to welcome them to our team.

Open Banking Is the Future: 5 Ways to Secure Your Network


The sharing of financial data across applications is changing how consumers save, manage and spend their money. Here's how financial institutions can secure the next generation of banking.

Open banking is transforming the financial services landscape. The term has become shorthand for the sharing of financial data via application programming interfaces (APIs), a paradigm shift powering expanded consumer services such as mobile checking, online mortgage payments and digital budgeting assistants powered by Artificial Intelligence (AI). 

This burst of innovation creates tremendous opportunity for financial institutions to cross-sell and tailor financial products based on consumer data. However, the open architecture of open banking also poses new security challenges for bank security teams. Add to the mix the privacy requirements mandated by data protection legislation, such as the European Union's General Data Protection Regulation (GDPR), and it's clear infosec pros in the banking sector are facing a formidable task in finding effective ways to defend their expanding attack surface.

Open banking: 5 ways to secure your network

Here are five basic principles financial organizations can use to manage their open banking security risks.



  1. Look beyond the traditional perimeter and continuously assess your entire environment. As firms adopt new open banking initiatives, they also create cyber exposure gaps attackers can exploit. Adversaries scan a broad range of environments to find the easiest way inside, and most legacy vulnerability management programs are limited to scanning traditional IT environments. This means your team is blind to vulnerabilities in the most dynamic aspects of your attack surface, such as cloud or operational technology (OT) assets. Security teams can improve their visibility by adopting robust and flexible vulnerability management solutions that support continuous assessment across all asset types, no matter where they reside.
  2. Take a holistic view to protect your most critical assets. Compliance frameworks and zero-trust approaches are helpful starting points, but neither offers a complete security solution. Protecting your open banking initiatives requires a multi-pronged approach. Strategic use of privileged access management can help you restrict access to critical systems and key internal data. Addressing misconfigurations in Active Directory can help disrupt attack paths in the event an attacker does gain access. Deploying "jump boxes," or secure workstations for administrators, allows you to manage device access and task execution in special security zones or untrusted environments. As open banking creates a more complex and distributed computing environment, these and other safeguards can limit the ability of attackers to target and steal admin credentials, potentially allowing you to avoid significant harm to the bank.
  3. Focus first on the greatest risks affecting your most critical assets. The open banking environment exacerbates the prioritization crisis already plaguing many cybersecurity teams. Security leaders routinely fail to prioritize critical vulnerabilities effectively. According to Tenable Research, approximately 30 percent of vulnerabilities are never remediated and it takes a median time of 60 days from assessment to remediation, even for critical vulnerabilities at top organizations. By utilizing threat intelligence, vulnerability research and probability data, cyber defenders can distill the most critical risks across their distributed attack surface, focusing on the 3 percent of vulnerabilities that attackers are most likely to exploit. 
  4. Proactively manage risk across third-party partners. Every technology investment you make has long-term implications for your security. In the open banking environment, it is critical to secure connected and software-as-a-service (SaaS) applications via cloud access security brokers (CASB). These enforcement points manage compliance and access policies across the bank and external vendors. They also provide support for configuration monitoring, security and data loss prevention, and you can utilize additional cloud security scanning to verify their effectiveness. Work towards integrating all of your applications into one central identity and access management solution. This will help protect customer data and provide a central platform for compliance monitoring. 
  5. Commit to greater transparency to increase trust. Open banking requires greater transparency around how companies are using consumer data. This philosophy is encapsulated in recent privacy legislation such as the California Privacy Rights Act and Brazil's Lei Geral de Proteção de Dados. Much of the recent legislation is inspired by the EU's GDPR and Payments Service Directive 2 (PSD2). It is a best practice to build consumer trust by being transparent about how data is collected, stored and used, so consumers can make informed choices. In this way, consumers receive the benefits of open banking along with the comfort of knowing they are always in control of their private data.

Conclusion

The open banking era provides unprecedented access to large amounts of consumer data, which also serves as an "open target" for cybercriminals. To maintain customer trust and avoid large potential fines for data breaches, financial organizations must craft an effective approach in managing evolving security threats. Through continuous monitoring of all assets, rigorous assessments of security weaknesses and mitigations around potential attack vectors, financial organizations can stay one step ahead of adversaries and protect the digital future of their business. 


Colonial Pipeline Ransomware Attack: How to Reduce Risk in OT Environments


It's time for Operational Technology (OT) environments to pursue a more proactive approach to cybersecurity by making cyber maintenance as much of a routine practice as the mechanical maintenance of systems and equipment.

A major supplier of oil and gas to the U.S. East Coast was taken offline on May 8 after a reported ransomware attack. The attack on the 5,500 mile Colonial Pipeline, which supplies 45 percent of the oil and gas used on the East Coast, is just the latest to target the oil and gas sector, which is considered one of 16 critical infrastructure areas identified by the U.S. Department of Homeland Security.

It is not surprising that a shutdown or interruption of a pipeline would gain major media attention. But the attack also raises the question: how exposed to attacks is our critical infrastructure?

Image: Colonial Pipeline ransomware attack, how to secure critical infrastructure (Source: Colonial Pipeline)

The changing operational technology paradigm

While the operational technology (OT) required in oil and gas operations was once isolated and "air-gapped," today these systems are increasingly connected to IT infrastructure and to the internet, opening up new attack paths. This convergence creates an environment in which any aspect of oil and gas operations could be vulnerable to attack from either the IT or the OT side, opening up the possibility of lateral movement.

Additionally, many ransomware attacks use Active Directory (AD) to perform lateral movement and privilege escalation after initial penetration, and new malware increasingly includes code to target AD misconfigurations. AD has become the favored target for attackers to elevate privileges and facilitate lateral movement by leveraging known flaws and misconfigurations. Unfortunately, most organizations struggle with Active Directory security because misconfigurations pile up as domains grow in complexity, leaving security teams unable to find and fix flaws before they become business-impacting issues.

The attack against Colonial Pipeline is just the latest in a series of recent activity against oil and gas operations around the globe, including:

  • Saipem, an Italian oil and gas industry contractor, which fell victim to a December 2018 cyberattack hitting servers based in the Middle East, India, Aberdeen and Italy.

  • A cyberattack on a shared data network, which forced four natural gas pipeline operators in the U.S. to temporarily shut down computer communications with their customers in April 2018.

  • A cyberattack against a U.S. natural gas facility, which concurrently encrypted both the IT and OT networks, locking access to the human machine interface (HMI), data historians and polling servers. The pipeline was forced to shut down for two days in February 2020.


Regulatory compliance does not equal security

In our experience working with OT environments, we often find organizations assuming that regulatory compliance is the same as security. While we are by no means suggesting this was the case at Colonial Pipeline, we do believe it's worthwhile for all organizations in the sector to consider taking a more expansive view of their cybersecurity strategy. 

There are five safety and security standards relevant to the oil and gas industry, all of which call for organizations to have a base layer of security in place. This layer includes asset inventory, security management controls and a vulnerability management system. While we support a regulatory approach and believe compliance is laudable, we consider adherence to these guidelines as only the beginning of a sound cybersecurity strategy.

Here's why: the promulgation, enactment and enforcement of regulatory standards cannot keep pace with the rapidly expanding attack surface, and the speed with which attackers adapt to it. Thus, we cannot assume "compliance" means the organization has achieved "security." We must look well beyond compliance if we hope to keep critical infrastructure secure and prevent attacks like the one that has affected Colonial Pipeline.

5 safety and security standards relevant to the oil and gas industry

  • API Standard 1164 - Pipeline-specific content not covered by NIST CSF and IEC 62443.

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) - Pre-eminent framework adopted by companies in all industry sectors; natural gas and oil companies increasingly orient enterprise-wide programs around NIST CSF.

  • Department of Energy Cybersecurity Capability Maturity Model (C2M2) - Voluntary process using industry-accepted best practices to measure the maturity of an organization's cybersecurity capabilities and strengthen operations.

  • International Electrotechnical Commission (IEC) 62443 - Family of standards for industrial control systems (ICS) security; widely adopted by the production segment of the natural gas and oil industry; applicable to any type of natural gas and oil ICS.

  • International Organization for Standardization (ISO) 27000 series - ISO/IEC 27001, the leading standard in the family, specifies the requirements for an information security management system (ISMS).


How to disrupt OT security threats

Ironically, one of the least desirable times to deal with a cyberattack is when it is happening. Over the coming days and weeks, we will undoubtedly learn more details about the course of this attack, as well as the cost and disruption it caused. If critical infrastructure organizations have any hope of getting out of the cyber firefighting mode of having to react to attacks, they will need to instead focus on preempting attacks by disrupting them before they happen. 

Many industrial environments, including the oil and gas industry, are very familiar with performing routine maintenance on their equipment. Whether it is changing out a bearing, filter or fluids, maintenance is performed to avoid a catastrophic equipment failure due to what's known as "running to failure." Regular maintenance saves money and aggravation and avoids the diversion of resources. 

So, why aren't organizations performing the same type of regular maintenance on the cybersecurity of their OT systems?

Taking a "maintenance" approach to OT infrastructure means performing the appropriate cyber hygiene on the programmable logic controllers (PLCs), distributed control systems (DCSs), HMIs and other OT devices that run these machines. Performing regular cyber hygiene can reduce OT threats by stopping risky behavior, closing "ports of entry" and reducing the number of vulnerabilities that can be exploited.

Reducing threats before they happen requires:

  • achieving visibility across the entire attack surface — including IT and OT systems; 

  • deploying deep security measures at the device and network level; and 

  • re-establishing control through managing configuration changes. 


Organizations need appropriate cyber hygiene in both their OT infrastructure and their Active Directory to reduce their cyber exposure and ensure that attack paths are cut off before attackers can succeed in escalating privileges, traversing the network and launching their ransomware attempt. These efforts can help all critical infrastructure and manufacturing operations avoid having to respond to a security crisis that can stop operations and potentially put human lives at risk. 
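A starting point for the Active Directory side of that hygiene, as an added example that is not from the Tenable post: a read-only PowerShell audit of the misconfigurations ransomware operators routinely abuse for privilege escalation and lateral movement (accounts without Kerberos pre-authentication, which are AS-REP roastable; service accounts with SPNs and long-unrotated passwords, the classic Kerberoasting target; machines trusted for unconstrained delegation; dormant or never-expiring privileged accounts; and nested membership of the top admin groups). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the 90-day and 365-day thresholds are assumptions chosen for illustration, not figures from the post.

```powershell
# Added example, not from the Tenable post. Read-only audit of common Active
# Directory misconfigurations abused for privilege escalation and lateral movement.
# Requires the RSAT ActiveDirectory module and domain read access; changes nothing.
Import-Module ActiveDirectory

$findings = @()
$staleSpn = (Get-Date).AddDays(-365)   # assumed rotation threshold for SPN account passwords
$dormant  = (Get-Date).AddDays(-90)    # assumed inactivity threshold for privileged accounts

# 1. Accounts that do not require Kerberos pre-authentication (AS-REP roastable).
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true' -Properties DoesNotRequirePreAuth |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'NoKerberosPreAuth'; Object = $_.SamAccountName } }

# 2. Enabled accounts with an SPN whose password has not changed in a year (Kerberoasting targets).
Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $staleSpn } |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'StaleSpnPassword'; Object = $_.SamAccountName } }

# 3. Computers trusted for unconstrained delegation, excluding domain controllers
#    (primary group RID 516 = Domain Controllers), which legitimately carry the flag.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -ne 516 } |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'UnconstrainedDelegation'; Object = $_.Name } }

# 4. Protected (adminCount=1) accounts that never expire or have not logged on recently.
Get-ADUser -Filter 'AdminCount -eq 1 -and Enabled -eq $true' -Properties PasswordNeverExpires, LastLogonDate |
    ForEach-Object {
        if ($_.PasswordNeverExpires) {
            $findings += [pscustomobject]@{ Check = 'PrivilegedPasswordNeverExpires'; Object = $_.SamAccountName }
        }
        if ($_.LastLogonDate -and $_.LastLogonDate -lt $dormant) {
            $findings += [pscustomobject]@{ Check = 'PrivilegedDormant'; Object = $_.SamAccountName }
        }
    }

# 5. Effective (recursive) membership of the most sensitive groups, so nested-group sprawl is visible.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $findings += [pscustomobject]@{ Check = "MemberOf:$group"; Object = $_.SamAccountName } }
}

$findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Every hit is a candidate for remediation rather than a confirmed compromise: a legacy application may genuinely need one of these settings, but each exception should be documented and reviewed on a schedule, which is exactly the "routine maintenance" the post argues for.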

Learn More

GitHub’s Role in, and Responsibility to, the Security Community


GitHub's decision to remove the ProxyLogon exploit proof-of-concept from its platform put security researchers at a disadvantage even as attackers continued to exploit the vulnerabilities en masse.

GitHub is soliciting feedback on its policy around security research, malware and exploits on the platform, in the wake of its decision to remove a proof-of-concept (PoC) exploit for ProxyLogon in March. This is an important discussion and one that has real-world implications for organizations, researchers, defenders and everyday consumers.

When GitHub removed the ProxyLogon exploit from the platform, the security community was prevented from analyzing it — its implications, mitigations, detections and so on. Meanwhile, attackers were busy infiltrating Microsoft Exchange servers across the globe en masse. It would be foolish to think that removing the PoC from GitHub meant that no one would have access to it. It's quite the opposite, actually. It meant that defenders — providers of essential services, critical industries and the everyday security engineer — would lose the access they needed to understand the PoC even as attackers moved to underground forums to share it widely.

GitHub is an important platform for collaborating and sharing vulnerability intelligence. It is one of the most popular platforms in the security community for a reason. With that kind of power comes responsibility to continue to share information openly, transparently and quickly. However, when implicit trust in a platform is shaken, it takes a lot more than post-facto justification of previous actions for it to be regained and maintained.

There is a path forward by ensuring that material which can be used for defensive purposes is not lumped in the same bucket as weaponized malware. GitHub's responsibility here is to ensure that the defenders stay ahead in the game and not cause information asymmetry by making it more difficult for security professionals to access this type of sensitive information.

Security through obscurity will never work. GitHub could and should be used by the security community to more easily coordinate defense.

The revisions in the latest iteration of the policy are a good start. However, there are still multiple caveats that could put the security community at a disadvantage especially when there is an instance of widespread exploitation. We recommend Microsoft remove any verbiage around actions that would censor dual use content on GitHub in any form.    

We strongly urge GitHub's owner, Microsoft, to reconsider its position and realize the power — for good or bad — that GitHub holds. It can be a great asset to secure our global ecosystem, if handled responsibly.

Microsoft’s May 2021 Patch Tuesday Addresses 55 CVEs (CVE-2021-31166)


After crossing the 100 CVEs patched mark for the first time this year in April, Microsoft patched just 55 CVEs in May, the lowest number of CVEs patched this year.

  • 4 Critical
  • 50 Important
  • 1 Moderate
  • 0 Low

Microsoft patched 55 CVEs in the May 2021 Patch Tuesday release, including four CVEs rated as critical, 50 rated as important and one rated as moderate.

This month's Patch Tuesday release includes fixes for:

  • .NET Core & Visual Studio
  • HTTP.sys
  • Internet Explorer
  • Microsoft Accessibility Insights for Web
  • Microsoft Bluetooth Driver
  • Microsoft Dynamics Finance & Operations
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Windows Codecs Library
  • Microsoft Windows IrDA
  • Open Source Software
  • Role: Hyper-V
  • Skype for Business and Microsoft Lync
  • Visual Studio
  • Visual Studio Code
  • Windows Container Isolation FS Filter Driver
  • Windows Container Manager Service
  • Windows Cryptographic Services
  • Windows CSC Service
  • Windows Desktop Bridge
  • Windows OLE
  • Windows Projected File System FS Filter
  • Windows RDP Client
  • Windows SMB
  • Windows SSDP Service
  • Windows WalletService
  • Windows Wireless Networking

Remote code execution (RCE) vulnerabilities accounted for 40% of the vulnerabilities patched this month, followed by Elevation of Privilege (EoP) at 20%.

Critical

CVE-2021-31166 | HTTP Protocol Stack Remote Code Execution Vulnerability

CVE-2021-31166 is an RCE vulnerability which can be exploited by a remote, unauthenticated attacker sending a crafted HTTP packet to a system utilizing the HTTP Protocol Stack (http.sys). The vulnerability is considered to be wormable, which means that a single infection could result in a chain reaction of systems impacted across an enterprise without any user interaction. Microsoft assigned this critical flaw a 9.8 CVSSv3 score, emphasizing the severity of the vulnerability. While details have not been released, this vulnerability is rated as “Exploitation More Likely” according to Microsoft’s Exploitability Index and we strongly recommend ensuring this patch is applied as soon as possible.
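One way to answer "which of my hosts are exposed?" for this flaw, as an added example that is not from the Tenable post: a PowerShell triage that checks the OS build, the installed update build revision (UBR) and whether http.sys is actually accepting connections. The affected builds (19041 for version 2004, 19042 for version 20H2) and the fixed revision (985, from the 11 May 2021 cumulative update) are assumptions to verify against Microsoft's advisory and KB article before relying on the result; the script itself changes nothing on the host.

```powershell
# Added example, not from the Tenable post. Triage one Windows host for exposure to
# CVE-2021-31166: affected OS version, May 2021 update present, http.sys listening.
# ASSUMPTIONS (verify against the Microsoft advisory/KB before trusting the output):
#   - affected builds are 19041 (Windows 10 / Server version 2004) and 19042 (version 20H2)
#   - the fix ships in the 11 May 2021 cumulative update, build revision (UBR) 985
$affectedBuilds = 19041, 19042
$fixedUbr       = 985

$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
$ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

$affectedVersion = $affectedBuilds -contains $build
$patched         = $affectedVersion -and ($ubr -ge $fixedUbr)

# http.sys is a kernel-mode driver, so its TCP listeners are owned by PID 4 (System).
$listeners = Get-NetTCPConnection -State Listen -OwningProcess 4 -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty LocalPort -Unique

# URL reservations reveal which components (IIS, WinRM, WSUS, ...) depend on http.sys,
# which is what you need to know before deciding whether a listener can be disabled.
$urlAcl = netsh http show urlacl | Select-String 'Reserved URL' | ForEach-Object { $_.Line.Trim() }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Caption         = $os.Caption
    Build           = "$build.$ubr"
    AffectedVersion = $affectedVersion
    Patched         = $patched
    HttpSysPorts    = ($listeners -join ',')
    UrlReservations = $urlAcl.Count
    # Exposed only if the version is in scope, the fix is absent and something is listening.
    Exposed         = ($affectedVersion -and -not $patched -and ($listeners.Count -gt 0))
}
```

Run it through your remote-management tooling (for example Invoke-Command across an inventory list) and act on the Exposed column first; hosts that are affected but have no http.sys listener are still in scope for the update, just not reachable by a network worm today. Note that WinRM itself is an http.sys listener on 5985/5986, so remote administration channels count as exposure.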

Critical

CVE-2021-28476 | Hyper-V Remote Code Execution Vulnerability

CVE-2021-28476 is an RCE vulnerability in Hyper-V which could allow a remote, unauthenticated attacker to compromise a Hyper-V host via a guest virtual machine (VM). The critical flaw was assigned a CVSSv3 score of 9.9; however, it is rated as “Exploitation Less Likely.” The advisory from Microsoft does point out that the likely exploitation scenario for this flaw would result in a denial of service (DoS) condition, though in some cases RCE is possible as a guest VM could cause the Hyper-V host’s kernel to read from an arbitrary address.

Important

CVE-2021-31198, CVE-2021-31207, CVE-2021-31209, CVE-2021-31195 | Multiple Exchange Server Vulnerabilities

CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 and CVE-2021-31195 are four flaws that impact Microsoft Exchange Server 2013, 2016 and 2019. All are rated “Exploitation Less Likely” and range in severity from CVSSv3 6.5 to 7.8. Given the history of prior Exchange Server vulnerabilities in 2021, we felt it was important to highlight them and ensure administrators take action.

CVE-2021-31209 is a server spoofing vulnerability and received a CVSSv3 score of 6.5. CVE-2021-31195 and CVE-2021-31198 are both RCE vulnerabilities, but CVE-2021-31198, which received a CVSSv3 score of 7.8, is listed as a local attack vector. On the other hand, CVE-2021-31195 received a CVSSv3 score of 6.5 and is listed as having no impact on integrity or availability. Both RCEs require user interaction to exploit.

Only one of these vulnerabilities, CVE-2021-31207, a security feature bypass which received a CVSSv3 score of 6.6, was publicly disclosed. According to Microsoft, it was one of the Exchange Server vulnerabilities found during Pwn2Own 2021. None of these vulnerabilities have been reported as exploited in the wild at the time of publication.

Additionally, Microsoft is introducing new security functionality to Exchange Servers as part of the May Security Update that will allow administrators to validate the version information of their Exchange Servers. Microsoft’s Exchange Team published a blog post highlighting this new functionality.

Important

CVE-2021-28474 and CVE-2021-31181 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2021-28474 and CVE-2021-31181 are a pair of RCE vulnerabilities in Microsoft SharePoint Server. Both were assigned a CVSSv3 score of 8.8 and a severity of Important. Microsoft rates these vulnerabilities as “Exploitation More Likely.” An attacker would need to be authenticated in order to exploit these flaws, though successful exploitation would grant an attacker remote code execution through the creation of a SharePoint site.

Windows 10 Version 1909 End of Life (EOL)

Microsoft has announced that the Home and Pro editions of Windows 10, version 1909 and all editions of Windows Server, version 1909 have reached their end of life. These versions will no longer receive security updates and should be upgraded as soon as possible. The Education and Enterprise editions of Windows 10, version 1909 will remain supported until May 10, 2022; however, we strongly encourage organizations to begin planning to upgrade or decommission these systems early to avoid last-minute changes next year.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains May 2021.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s May 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

The Path to Zero Trust: Is it Time to Rethink What We're Calling a Vulnerability?


Reconsidering how we define "vulnerability" is more than a thought exercise. It could represent a sea change in how organizations manage risk.

For most of us in cybersecurity, the definition of "vulnerability" has always been fairly straightforward: "a flaw in code or design that creates a potential point of security compromise for an endpoint or network." 

Outside IT circles, though, the word has a far broader meaning. According to the Oxford English Dictionary, vulnerability is "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." 

Has the cybersecurity sector done itself a disservice by not giving more consideration to this second meaning — and how it factors into the design of enterprise security architectures?

These questions arise as we consider two significant trends: the rise of ransomware attacks around the globe, and the resurgence of interest in the principles of zero trust.

Trust is a vulnerability

For ransomware to succeed, attackers must first gain an initial foothold and then find a way to move laterally within an organization by exploiting vulnerabilities and misconfigurations in systems such as Active Directory. In a typical organization, user access and privileges are granted based in part on the notion that one user is fundamentally more trustworthy than another, based on their role or standing in the organization.

If we take the view of John Kindervag, who first coined the zero-trust concept as a Forrester analyst in 2009 and remains a leading evangelist in his current role at On2IT, then we have to consider the notion that trust itself is a vulnerability.

In a 2017 blog post, Kindervag wrote: "Trust is no different from a vulnerability in Apache Struts. It's something we must address in our organizations and digital systems as much as any software vulnerability. And if we've learned anything from recent data breaches, it's that vulnerabilities are what are exploited, and all vulnerabilities must be mitigated."

Kindervag elaborated on his point of view more recently, during a May 6 panel discussion hosted by the U.S. National Security Telecommunications Advisory Committee (NSTAC). The session — moderated by my Tenable co-founder Jack Huffard — explored the challenges of adopting zero trust in both government agencies and private enterprises. Kindervag emphasized that the concept of trust comes from our drive to anthropomorphize the network, seeing "people" where we should be seeing "packets."

According to Kindervag, the goal is to eliminate the human emotion of trust in our digital environments. "Zero trust is a strategic initiative that helps prevent successful data breaches, meaning the exfiltration of sensitive information ... by eliminating trust in your organization," Kindervag said. "It is designed to prevent lateral movement. No matter which technology or vendor you use to deploy zero trust, the strategy always remains the same ... The technology will always change but the strategic objectives will remain in place for a long time to come."

What do we mean by 'vulnerability'?

At Tenable, we believe disrupting attack paths in order to foil lateral movement represents one of the best defenses against all manner of cyberattacks, from the commonplace to the most sophisticated ransomware. While we agree in principle with Kindervag's positioning of trust as an inherent vulnerability, we believe it's only the beginning of a sea change in how the cybersecurity industry at large defines "vulnerability." In our view, the meaning of "vulnerability" also needs to include factors such as:

  • misconfigurations in Active Directory and cloud services, which often provide a primary attack path for ransomware actors;
  • mismanagement of identities, which are vital IT assets that can be compromised; and
  • security gaps in the software supply chain, which must be closed to prevent the next SolarWinds-style attack.

For cybersecurity leaders, preparing for a zero trust journey is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:

  • What is your organization's core mission or value proposition?
  • What are the workflows required to fulfill that mission? 
  • Who owns those workflows? 
  • How does data flow in the organization?
  • Which are your high-value assets, the so-called "keys to the kingdom"?
  • How does the organization determine who is granted access to these high-value assets?
  • How often does the organization audit user permissions once they are set?
  • How will you design a "protect surface" to secure your most critical assets?

Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, internet of things and operational technology assets, and the ability to assess the criticality of each asset to deliver on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of cyber hygiene. 

Learn more
