26 May
SWAT Assessment for Cybersecurity

SWAT Assessment for Cybersecurity

by Albert E. Whale, CEH CHS CISA CISSP
Founder & CEO

Attacks are running full speed ahead

Static Testing reviews above the waterline
Figure 1 – Static Testing reviews above the waterline.

Everyday new attacks are reported in organizations of various sizes.  Some of the attacks are recent, most are attacks that occurred months earlier, and are just recently being discovered.  What makes these events so difficult to discover?  There are several reasons that these attacks are undiscovered.  Most of these are focused on existing People, Process and Technology (PPT).  Even though the intent is to secure the organization, there are several faults in utilizing the existing strategy.

What we have discovered, is that PPT Service offerings are exclusively focused on known attacks and threats.  This excludes the unknown activities, and the existing exploits that have been successful already.  There are other reasons why many tools do not identify, because they are focused on the Static Network[1]. This is great but misses opportunities which are present when the employees are using the network.

The static review essentially reviews the exposed tip of the iceberg.  This is only 10% of the iceberg, the other 90% of the environment is not reviewed.  This includes the use of Third Party Vendors and their Applications (think SolarWinds breach), active users (current attacks of the environment from the Internet), as well as attacks from personal devices[2]

Can you see now why Firewalls and Virus Scanners are not effective?

While the use of SIEMs improve coverage, they require the configuration of events.  SIEMs only discover the activities after the event has already occurred. Both the lack of configured events, and backlog of manual review lead to more activities going undiscovered.

With 90% of the environment not being reviewed, it’s clear why attacks are not detected for months later (if at all).

SWAT – Secret Weaknesses in Applications & Technology

Figure 2 – SWAT Analysis

The SWAT Analysis is our Proprietary assessment for businesses, which identifies the cyber secret faults which are left undetected by today’s security tools.  Think about it, all of the testing tools are focused upon the CWE and CWE rankings for information. Their detection is solely based on understanding what has already been detected.  That leaves a huge gap in understanding what is occurring within the environment. Our SWAT Analysis is based on several attack strategies, as well as the NIST Zero Trust Architecture. We take into account all of your current activities, including the Third Party Vendors, the activities of the Users, and the personal devices in your environment.  This is totally different than existing testing activities, and better yet, it fully automated to support your organization’s needs.

I want to get started with the SWAT Analysis – Please contact me

Taking it to the next level

Everyone thinks that they are secure until they are proven! There are so many hacks in the news lately, the Colonial Pipeline (Ransomware – $5M), US Insurer – CAN Financial (lost – $40 Million), Ubiquiti, Parler, Experian[1], Microsoft Build Engine[2] and Many more.


[1] I was recently interviewed by CSOnline.com – https://www.linkedin.com/posts/albertwhale_how-api-attacks-work-and-how-to-identify-activity-6801611480853807104-2JKr

[2] Hackers use Microsoft Build Engine to Deliver Malware Filelessly – https://thehackernews.com/2021/05/hackers-using-microsoft-build-engine-to.html

We are confident our SWAT Assessment will find activities.  Here is an assessment we performed on a WiFi Network.  

Figure 3 – Countries found inside the WiFi network

The point of the video is that the network was considered secure, before the SWAT Analysis.  The video shows that traffic of Laptops, Personal devices and other equipment on the WiFi have compromised activities during the review period.  With the amount of activity taking place, it appears that a significant amount of malicious activity exists in and out of the network. 

Everyone understands that there is no need for 46 countries to be active inside their network.  If you don’t know who is already inside, how can you develop a protection plan to support your business?

Tell me about ITS SafeTMset up a 10 minute call.

Seeing the activity inside

The SWAT Analysis examines the network traffic, the configuration of the devices, and assesses the security of the environment.  The SWAT analysis tests the use of the network with activity.  This analyzes the active devices, and their security as well.  In the case of WiFi we easily identified the infected devices that were connected to the environment and permitted to communicate with the organization.

The traffic we discovered did not trigger any sensors or activities with the security tools already in place.  This is further outlined in recent blog posts

Why do you need a SWAT Analysis?

Everyday new exploits are detected in the equipment we use which were not previously identified.  Additionally, more manufacturers are connecting back to their organizations from the equipment you are installing inside your networks.  Imagine the equipment inside your network offering a backdoor into your environment.  That includes connections inside and outside of the continental USA.  Every time we discover connections to outside locations, we are informed that they were not authorized, and also not identified.  Imagine the equipment that you have providing a back-door connection to China.  Is that what you wanted?

I developed the SWAT Analysis to uncover the activities which go undetected inside networks every day.  Some of these include:

  • Misconfigured security controls
  • Obsolete communication protocols
  • Deprecated encryption technology
  • Malware activity undetected in the network
  • Identify the origin of the breach
  • Abuse of existing Protocols
  • Use of protocols for other activities
  • Connecting to malicious DNS
  • Requesting your IP Address for access
  • Connecting to Malicious websites
  • Unauthorized backdoor connections to external sites

Just to name a few.  We look at how the Network reacts with activity from within.  This is totally a different perspective.

Next Steps

We have seen all Organizations at risk.  Mature organizations as well as new organizations have opportunities for malicious activities which are not normally discovered, until it is too late. Failure to detect the unwanted activities costs organizations Millions[5] at that time.

What can organizations do?

  • Backups will recover data to a certain extent,
    • but they will also include the problems which the tools you are using cannot see
  • Testing with the same tools will lead to the same results
  • Insurance does not fix the problem; in fact, it gives the organization a false sense of security
    • Insurance does not fix the security problem
    • Insurance does not pay to fix the security issues which caused the attack
  • Wait for the Breach to occur, and then pay the ransom
    • Fixing the problem may take from 6 to 18 months

SecOps

SecOps stands for Security Operations.  Security Operations sole purpose is to increase the operational security within an organization.  It does this by assuring that operational changes are implemented as soon as there is a change in the environment.  This completely trumps the Annual Scanning of the network, because operational changes are made almost every week, traditionally known as patch Tuesday.

If your organization is running Logfile analysis to see things that have already occurred, then you need our SWAT Analysis combined with the power of continuous monitoring to get ahead of the attackers.  Logfile analysis takes activities which have occurred within the network and recorded it.  This is a historical record of events that were successful[6].  With ITS Safe we can deploy the basis for Zero Trust in your environment and utilize the ability of Machine Speed to intercept and block malicious activities, BEFORE they can complete.

Let’s get started! –  Contact me

IT Security Solutions recommends at least an annual Security assessment to determine the security posture and formal detection of internal activities. While this is the minimum recommendation, even doing the Minimum does not detect the activities as well as our continuous monitoring solutions for our clients.

IT Security Solutions, Inc. is a Pittsburgh based technology company with 25+ years of cyber security domain expertise catering to businesses of all sizes. The solutions offered range from technology security audits and penetration testing to continuous network scanning. The company recently launched ITS Safe™, a proprietary managed security solution that blocks hackers from attacking networks – the largest IT security threat facing businesses today.

Contact IT Security Solutions to discuss how a SWAT Analysis will benefit your company today.

www.IT-Security-Solutions.com w www.ITS-Safe.com

412-889-6870 – info@IT-Security-Solutions.com

                 


[1] The Static Network is the network without any users active already.

[2] Personal devices normally have less security, and are either being used outside of the office, or connected to equipment in the office network (WiFi).

[3] I was recently interviewed by CSOnline.com – https://www.linkedin.com/posts/albertwhale_how-api-attacks-work-and-how-to-identify-activity-6801611480853807104-2JKr

[4] Hackers use Microsoft Build Engine to Deliver Malware Filelessly – https://thehackernews.com/2021/05/hackers-using-microsoft-build-engine-to.html

[5] In many cases the business closes from the weight of the breach, fines, ransom and loss of revenue.

[6] This is the reactive approach for cybersecurity, let it happen, then try to fix it.  Whereas, ITS Safe takes a proactive approach to blocking the unwanted activity, and not permitting it to occur.

25 May
You are not alone!

You are not alone!

99% of all networks have already been breached.

by Albert E. Whale, CEH CHS CISA CISSP
Founder & CEO

A shift in the security paradigm needs to address the Unseen attacks in the environment. Detecting the Unseen activities in the environment explains why there are so many attacks being reported on a daily basis.  This includes the recent Colonial Pipeline, Solarwinds and so many other breaches.

The unseen attacks depend on the ability of the attackers to hide in plain sight.  We will outline several of them here to uncover the unseen activities within almost every network[1].  Here is a look at the use of today’s People, Process and Technology (PPT). 

As you can see from the chart below, today’s tools are only looking forward, to the next attack.  They are focused on the next attack because they can only detect Malware which has been previously defined and observed.  The security methods employed include security scans (assessments), the deployment of security tools, and compared with our ITS SafeTM security appliance.  It should be clear why ITS Safe maintains better coverage to protect your organization.

Figure 1- Scope of Security Testing

Security Assessments (review of security for a host, a network, software or other asset) are only valid up to the time the report is generated.  As soon as the observer generates the report, the Assessment of the environment ends, and it becomes stale[2].  This is a point in time observation.

Today’s Security Tools look for tomorrow’s attacks. Tools that security researchers and network testing teams all use to assess the activities inside the network are based on testing for Known threats[3], and how the environment will respond to the next attack.  These tools test the environment for detecting known threats[4] on potentially new attacks.

The ITS SafeTMsecurity appliance is designed to Detect, Defend against, and Destroy IntrudersTM, or MD3. While other tools and testing activities look for the future state of security in the organization, ITS Safe examines all activities to uncover and detect unwanted connections that were completed before you began the observation of environment[5].

Everyday around the world, new activities are discovered in new and existing equipment, software, and third parties to organizations.  Firewalls are breached[6], Vendors we use are hacked[7], software we create is breached[8] and app we use on our phones are backdoors for attackers as well[9]

The problem is that today’s tools only identify what other people have found.  After the attackers succeed at penetrating an environment, do you think that they would keep the tools that they used in place, so that they could be identified after the Zero Day threats become known threats?  Of course not!  After they have given themselves sufficient access to survive a reboot, they have cleared their tracks.

A comprehensive review of the cyber security digs deeper than reviewing the exposed 10-20% of the network, and actually reviews the active network as a comprehensive ecosystem.  If you compare the use of today’s tools to examining only the tip of the iceberg, then you will begin to understand why they are ineffective at discovering the unseen.

Can you expect to detect the unseen activities using tools which only scratch the surface?

Like an Iceberg, the visible part is tested, and the 90% below the waterline is unobserved.

—–

Visible Network structure (Static View)

—–

Invisible Operation of the network, and how it responds with people using it.  (Dynamic view)

IT Security Solutions recommends at least an annual Security assessment to determine the security posture and formal detection of internal activities. While this is the minimum recommendation, even doing the Minimum does not detect the activities as well as out continuous monitoring solutions for our clients.

IT Security Solutions, Inc. is a Pittsburgh based technology company with 25+ years of cyber security domain expertise catering to businesses of all sizes. The solutions offered range from technology security audits and penetration testing to continuous network scanning. The company recently launched ITS Safe™, a proprietary managed security solution that blocks hackers from attacking networks – the largest IT security threat facing businesses today.

Contact IT Security Solutions to discuss how a paradigm shift will benefit your company today.

www.IT-Security-Solutions.com w www.ITS-Safe.com

412-889-6870 – info@IT-Security-Solutions.com


[1] Every network we have examined include several of these activities, if not all of them.

[2] The Security Assessment becomes stale because the users in the network add additional threats from their use of the environment.

[3] Known threats are used in Virus scanners, network scanning, software analysis, and logfile monitoring tools.

[4] Security Tools cannot test for unknown threats because these events are currently not known.

[5] Think of this as reviewing the activities that are already active, that are not detected as tomorrow’s threats, because they are considered as part of the current environment.

[6] https://www.zdnet.com/article/sonicwall-says-it-was-hacked-using-zero-days-in-its-own-products/

[7] https://www.wired.com/story/solarwinds-hack-china-usda/

[8] https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html

[9] https://www.helpnetsecurity.com/2020/03/06/hackers-target-consumers/

Sidebar: