Vulnerability Chaining – Considerations Across the Enterprise

By: Dr. Nikki Robinson, DSc, XLA

Cyber threats are constantly evolving and becoming more sophisticated. The hackers, or bad actors, are getting smarter and more resourceful all the time. Our Red Teamers, ethical hackers, and cyber warriors are aware of many of the tactics used by these malicious actors, and they use the same methods to investigate and test organizations’ networks to ensure security controls are in place. But what are our Defenders and partners in IT Operations learning about attack methods? Is Executive leadership aware of the capabilities of these attackers? This conversation needs to be open throughout the organization, from the top to the bottom, to improve the security posture and awareness of methods of attack.

Our Network Defenders and IT Operations are, unfortunately, not always taught about the Tactics, Techniques, and Procedures (TTPs) used by attackers. While not every organization may operate like this, does every third-party vendor or contractor you work with know these terms and TTPs? Every connection from your network to another organization’s is a potential attack vector. We often look at vulnerabilities and security controls as individual issues, and the term “vulnerability chaining” is rarely used in audit or assessment meetings.

Vulnerability chaining is defined by the Common Vulnerability Scoring System (CVSS) User Guide as a situation where multiple vulnerabilities are exploited in a single attack to compromise a host (FIRST, 2020). A good example of vulnerability chaining is an attacker enumerating valid usernames (considered an Informational-level vulnerability), then using a tool such as Burp Intruder to guess a weak security question and answer, and finally resetting the password to log in to the account (each considered a Low vulnerability) (Trustwave, 2019). This type of attack shows how several vulnerabilities scored as Low or even Informational can be used in combination to create a Critical attack. Defenders, however, may only look at missing security controls or vulnerabilities one at a time, especially in a larger environment.
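As an added example (not from the article or the cited sources) of how a defender can treat the chain described above as one event instead of three separate low-rated findings, the Python below correlates constructed authentication log lines per source address: username probing, repeated security-question guesses against an account the login error confirmed to exist, and a password reset. The log format, event names, thresholds and severity labels are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample auth log: "time src_ip event user". Event names are
# assumptions for this example, not any real product's log schema.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 LOGIN_FAIL_NO_USER alice
10:00:02 203.0.113.5 LOGIN_FAIL_NO_USER bob
10:00:03 203.0.113.5 LOGIN_FAIL_BAD_PW carol
10:00:04 203.0.113.5 LOGIN_FAIL_NO_USER dave
10:01:10 203.0.113.5 SECQ_FAIL carol
10:01:11 203.0.113.5 SECQ_FAIL carol
10:01:12 203.0.113.5 SECQ_OK carol
10:01:13 203.0.113.5 PW_RESET carol
10:05:00 198.51.100.9 LOGIN_FAIL_BAD_PW alice
"""

def parse(log):
    for line in log.splitlines():
        _, ip, event, user = line.split()
        yield ip, event, user

def detect_chain(log, enum_threshold=4, secq_threshold=2):
    """Per source IP, list the chain stages observed and rate the combination.
    Each stage alone is only Low/Informational, as the article notes; all three
    together (enumerate -> guess security question -> reset) are Critical."""
    probed = defaultdict(set)                     # ip -> usernames tried
    secq = defaultdict(lambda: defaultdict(int))  # ip -> user -> guesses
    resets = defaultdict(set)                     # ip -> accounts reset
    for ip, event, user in parse(log):
        if event.startswith("LOGIN_FAIL"):
            probed[ip].add(user)
        elif event.startswith("SECQ"):
            secq[ip][user] += 1
        elif event == "PW_RESET":
            resets[ip].add(user)
    verdicts = {}
    for ip in set(probed) | set(secq) | set(resets):
        stages = []
        if len(probed[ip]) >= enum_threshold:
            stages.append("enumeration")
        if any(n >= secq_threshold for n in secq[ip].values()):
            stages.append("secq_guessing")
        if resets[ip] & probed[ip]:  # reset of an account this IP probed
            stages.append("reset")
        severity = {3: "Critical", 2: "Medium", 1: "Low"}.get(len(stages), "None")
        verdicts[ip] = {"stages": stages, "severity": severity}
    return verdicts
```

The same rule with a stricter enumeration threshold still rates the remaining two stages together higher than either would be on its own.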

The more software, hardware, and hybrid environments an organization uses, the more complicated this becomes. Each application, Operating System (OS), and hardware device has software or firmware updates that need to be managed. Some applications are updated weekly or every other week, making patch management a full-time job. The more complex the environment, the more difficult patch management becomes. This leaves IT Operations groups scrambling to patch and update every application on every device. Blue Teams consist of security analysts who monitor the network for security vulnerabilities and typically report back to the IT Operations groups when anomalies are detected.

With the recent use of a SolarWinds DLL to create backdoors into untold numbers of networks, the conversation around patching and vulnerabilities needs to extend beyond the Security team. Vulnerabilities cannot be looked at as singular entities but should be looked at as pieces of a puzzle. Each vulnerability could lead to a security misconfiguration, or to an administrator who has excessive privileges across the network. The initial malicious DLL could lead to a variety of other attacks, including credential theft, further malware drops, or network traversal. Add to that any other unpatched vulnerabilities in the environment, and the attacker can leverage those as well once inside the system.

There are several ways organizations can work to lessen complexity and increase efficiency with patch management strategies. The first is to consolidate applications, which reduces the time spent patching multiple applications and lowers the threat profile by leaving fewer unpatched applications. The second is to remove end-of-life (EOL) software; most EOL products are highly exploitable and easy for attackers to use in an attack. The third is to work towards a virtual or mobile environment where images can be patched centrally, instead of patching the OS and applications on each mobile device (laptop or tablet).

Creating a partnership and educational opportunities between Security teams and IT Operations / Engineering groups would create an environment where Security is viewed holistically. If more defenders are taught ethical hacking concepts, vulnerability chaining methodologies, and TTPs, they would have a deeper understanding of why patch management is so essential. Security should be a conversation between all teams in the Enterprise, both to help prevent attacks and to respond to incidents in an efficient manner.

About XLA

Headquartered in Vienna, VA, XL Associates, Inc. (XLA) is an IT-enabled Law Enforcement and Security services enterprise principally engaged in providing cybersecurity, data management and analytics, technical solutions, and international program-support services to the Federal government. With more than 30 years of overall experience supporting mission-critical requirements including homeland security, law enforcement, and international development, XLA delivers quality, agile, and cost-effective solutions, as proven by growth and repeat customers. Our Engineers and IT professionals bring a passion for innovation as well as significant experience in information technology and cyber security. We are a company that values ethics, integrity, and teamwork in pursuing exceptional performance in our business activities and in ultimately meeting our contractual obligations. XLA upholds and demands the highest standards in personal and professional conduct at every level of our business activities.

References

FIRST. (2020). Common Vulnerability Scoring System version 3.1: User Guide. Retrieved from https://www.first.org/cvss/user-guide

Trustwave. (2019). Chaining Low/Info Level Vulnerabilities for Pwnage. Retrieved from https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chaining-low-info-level-vulnerabilities-for-pwnage/

XLA Wins 5-Year IT Security Support Services Contract at NARA

Vienna, VA, March 23, 2020 – XL Associates, Inc. (XLA) is thrilled to announce that the National Archives and Records Administration (NARA) has awarded a 5-year task order for IT Security Support Services to XLA.

NARA is the nation’s record keeper, an independent agency established in 1934 to identify, protect, preserve, and make publicly available the historically valuable records of all three branches of the Federal government. With locations from coast to coast, NARA protects and provides public access to millions of records and provides Federal agencies superior records storage, access, and disposition services through a national network of facilities distributed across approximately 45 geographic locations.

Since 2006, XLA has supported NARA by providing cybersecurity services in support of the Office of the CIO, performing authorization and accreditation, vulnerability assessment, incident response, policy development, annual training development, systems administration, and security engineering support services. XLA also supports other functions within NARA’s Information Services organization, providing Information Security Support Officer (ISSO) support services, Homeland Security Presidential Directive-12 (HSPD-12) compliant Personal Identity Verification (PIV) authentication engineering and design, and configuration management for many of the enterprise-wide initiatives.

XLA brings years of knowledge and experience serving as subject matter experts in the information system security arena, having built and delivered many of the mission-critical services and modules used within enterprise security management systems. A defining feature of XLA’s security methodology is the constant striving to automate tasks to improve the performance of our engineers, reduce mundane data analysis, and provide improved views of the security posture in an agency. XLA consistently delivers tangible results that save agencies time and money and establish the foundation for future improvements.

“We are very proud of our talented workforce and we look forward to continuing to support NARA and meet the organizational challenges of NARA’s IT transformation,” states Asim Malik, Director, Programs and Technical Solutions at XLA. “XLA has been a reliable partner during NARA’s maturation and adaptation to the ever-changing cybersecurity landscape. This win is a true testament to our credibility in providing critical mission support activities, enabling XLA to expand our presence into areas that require high-level clearances.”

XLA’s Coronavirus Response

March 27 – As we continue to navigate through this global health crisis and learn how to operate in what will be our new normal for the time being, XLA continues to be responsive and proactive in order to maintain business as usual. Although the situation with the COVID-19 virus is fluid and rapidly progressing, we, as an organization, have taken measures for safety and work continuity. These include:

  • XLA Corporate has moved to telework to adhere to social distancing and help stop the spread of germs. Onsite visits that are absolutely essential to business continuity are pre-planned and spaced 6’ apart with no more than 10 individuals.

  • We continue to interview candidates for all of our open positions, but have moved to virtual/online interviewing to ensure the health and safety of our staff and prospective employees.

  • Utilizing technology – XLA has moved to a virtual new hire orientation and on-boarding process to ensure a seamless and safety-first approach to hiring.

  • We maintain daily and weekly check-ins with our remote workforce through email, phone calls, texts, video chats, and group teleconferencing.