Here we go again: what is your risk from the new CIA tools leak?

July 31, 2017 | 10 min read | Cybersecurity Strategy, Security Posture

Last week there was another disturbance in the force: a new leak of cyber-tools from the Vault7 collection, the stolen CIA tools that include the so-called “UMBRAGE Component Library”. This disclosure has many security teams worldwide scrambling to assess their organization’s exposure to compromise. Cyber-defenders would like to avoid a repeat of what happened with WannaCry, which was based on NSA tools that had been released on the web. We do not want to be in a situation where patients are unable to get surgeries because of ransomware infections, or where our companies’ revenues are hit by infected computer systems. We know that attacks from malware based on these tools are coming — the question is what we do today to be better prepared and, hopefully, ward off the looming breach.

CIOs and CISOs are hard pressed to assure their boards of their organization’s readiness to deal with the risk posed to the enterprise. Asking questions such as “what is my risk from Umbrage?” is a useful way for corporate governance and risk management teams to examine the efficacy of their security posture and their level of cyber-resilience.

Trying to think ahead is a great thing; unfortunately, for many organizations, scarce IT and security operations resources are being allocated to analyze the applicability of the latest leaks to the enterprise and identify scenarios that present the highest business impact. Much of this work will be performed manually or with scripts, costing hundreds of hours. And as you can imagine, some organizations do not have these resources, particularly the ones that are not in the Fortune 100, so the risk from Umbrage will mostly go unassessed and unmitigated, and then in the future, when we have a weaponized version of Umbrage with a snazzy name, these organizations will have a high likelihood of being breached. 

The worst part? The sinking realization that this fire drill will repeat indefinitely as new attacks and disclosures emerge every week. 

How do you assess risk for new attacks from Vault7?

Understandably, your security team’s knee-jerk reaction is to immediately search for systems within the enterprise that contain the newly listed vulnerabilities in the Vault7 leak, such as CVE-2015-5122. Obviously, this shot-in-the-dark approach doesn’t yield much in the way of useful information: thousands of potentially vulnerable assets exist across your enterprise network, leaving your security team unable to ascertain which are at highest risk of compromise and carry the greatest potential business impact.

Prioritize your efforts by uncovering assets that have a higher risk of being compromised

Identifying high-risk devices, users and apps is the first step in better understanding where your enterprise is most vulnerable to the new Vault7 leak. Identify the high-risk devices by analyzing the Indicators of Risk (IoRs) for Vault7:

  1. Usage of vulnerable software components: Which devices and users in your enterprise are actually using the vulnerable software? Analyze the usage of vulnerable software components for every asset in the enterprise and identify where usage is high. Specifically, for Vault7/Umbrage look for devices and users who are actively using the vulnerable version of Adobe Flash, not merely those that have the vulnerable software installed, which could be thousands of systems.
  2. Privilege escalation exposure: Users who can escalate privileges put their assets at increased risk from the attack. To zero in on your high-risk assets, identify those where vulnerable software is being used and the logged-in user has privilege escalation capability.
  3. Business impact: Not all assets are created equal. Assets that perform highly sensitive roles or are part of critical business processes can pose a significant business impact if compromised. Ideally, to truly evaluate your enterprise assets, you need to calculate the monetary value of the potential business impact. This tells you where the biggest risk from the newly released exploits lies in business terms.
  4. Mitigating controls: Assets that are vulnerable, have high usage and/or business impact, but are not protected by mitigating controls pose the biggest risk. Evaluate the mitigating controls you have in place, such as endpoint security and network firewalls, and find the assets that are left exposed.
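The four IoRs above combine naturally into a per-asset ranking. The following is an added example, not Balbix’s or the author’s code; the asset records are constructed and the field names, weights and the Flash version cutoff are assumptions chosen for illustration.

```python
# Added example, not Balbix's or the author's code: rank assets by the four
# Vault7 IoRs above. Asset records are constructed; field names are assumptions.
from dataclasses import dataclass
from typing import Optional

# Assumption for illustration: Flash builds at or below this are treated as exposed.
VULNERABLE_FLASH_MAX = (18, 0, 0, 204)

@dataclass
class Asset:
    name: str
    flash_version: Optional[str]  # None when Flash is not installed at all
    flash_runs_per_week: int      # observed launches: usage, not mere presence
    user_can_escalate: bool       # logged-in user holds local admin / sudo rights
    business_impact_usd: float    # estimated loss if this asset is compromised
    mitigating_controls: int      # controls covering the asset (EDR, firewall, ...)

def flash_is_vulnerable(version: Optional[str]) -> bool:
    if version is None:
        return False
    return tuple(int(p) for p in version.split(".")) <= VULNERABLE_FLASH_MAX

def risk_score(a: Asset) -> float:
    """Risk = likelihood x business impact; zero unless the vulnerable build is used."""
    if not flash_is_vulnerable(a.flash_version) or a.flash_runs_per_week == 0:
        return 0.0
    likelihood = min(1.0, a.flash_runs_per_week / 20)  # IoR 1: saturates at ~daily use
    if a.user_can_escalate:
        likelihood *= 1.5                               # IoR 2: escalation exposure
    likelihood /= 1 + a.mitigating_controls             # IoR 4: each control reduces exposure
    return round(min(likelihood, 1.0) * a.business_impact_usd, 2)  # IoR 3: business impact

def prioritize(assets):
    """Return (name, score) pairs, highest risk first, dropping zero-risk assets."""
    scored = [(a.name, risk_score(a)) for a in assets]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)

# Constructed inventory: note kiosk-07 has vulnerable Flash installed but never runs it.
SAMPLE_ASSETS = [
    Asset("finance-ws-01", "18.0.0.204", 25, True, 500_000.0, 0),
    Asset("kiosk-07", "18.0.0.160", 0, False, 20_000.0, 0),
    Asset("dev-lab-03", "18.0.0.160", 10, True, 50_000.0, 1),
    Asset("hr-laptop-12", "18.0.0.160", 5, False, 200_000.0, 2),
    Asset("patched-01", "18.0.0.209", 30, True, 300_000.0, 0),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        print(f"{name:14s} {score:>12,.2f}")
```

The point of the ranking is the first check in `risk_score`: an asset with the vulnerable build installed but never launched (kiosk-07) scores zero and drops out, while a heavily used, unprotected, high-impact workstation floats to the top.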

Sounds easy, right? Well, effectively assessing risk requires continuous measurement of every enterprise asset across these and hundreds of other IoRs introduced by Vault7.

Look for existing infections by searching for known IoCs and IoAs

Identify enterprise assets that have already been compromised by the Vault7 malware. Analyze network and host activity across the enterprise, looking for Indicators of Compromise (IoCs) and Indicators of Attack (IoAs), to identify where infections may already exist. For the Vault7 malware, search for the following malicious behavior across the enterprise:

  1. Look for devices that are sending suspicious traffic to Google App Engine, since the latest malware in Vault7, such as NfLog RAT, uses it to host the proxy for its command-and-control (C&C) communication.
  2. Identify assets that may be getting redirected from social media sites to repositories like GitHub and subsequently downloading malicious payloads. Malware included in Vault7, such as HammerToss, uses this approach to bypass traditional network security tools.

Since the malware can evolve at a very rapid pace, it is essential to perform a fuzzy search, so that even if the IoC or IoA changes, for instance to a different port number or IP address, you can still identify the infection.
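To make the two searches above concrete, here is an added example of fuzzy IoC/IoA detection over proxy logs; it is not Balbix’s or the author’s code. The log lines are constructed, and the field layout, the domain suffix lists and the ten-minute window are assumptions. Matching on hostname suffixes rather than on exact IP:port pairs is what keeps the search robust when the malware changes its port or IP.

```python
# Added example, not Balbix's or the author's code: fuzzy IoC/IoA search over
# constructed proxy log lines. Field layout, domain lists and window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

GAE_SUFFIXES = ("appspot.com",)                                   # App Engine hosting
SOCIAL_SUFFIXES = ("twitter.com", "facebook.com", "linkedin.com")
REPO_SUFFIXES = ("github.com", "githubusercontent.com")
PAYLOAD_TYPES = ("application/octet-stream", "application/x-msdownload")
WINDOW = timedelta(minutes=10)   # max gap between the repository visit and the download

def host_matches(host, suffixes):
    """Suffix match on the hostname: unaffected by subdomain, IP or port changes."""
    return any(host.lower() == s or host.lower().endswith("." + s) for s in suffixes)

def parse(line):
    # Constructed layout: timestamp src dst_host dst_port referer_host content_type
    ts, src, dst, port, referer, ctype = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "src": src,
            "dst": dst, "port": int(port), "referer": referer, "ctype": ctype}

def find_gae_beacons(events):
    """Sources talking to App Engine on any port: candidate proxied C&C traffic."""
    return sorted({e["src"] for e in events if host_matches(e["dst"], GAE_SUFFIXES)})

def find_social_to_repo_downloads(events):
    """Per source: social-media referer -> repository, then a binary payload from it."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = set()
    for src, evs in by_src.items():
        pivot = None
        for e in evs:
            if not host_matches(e["dst"], REPO_SUFFIXES):
                continue
            if host_matches(e["referer"], SOCIAL_SUFFIXES):
                pivot = e["ts"]
            elif pivot and e["ctype"] in PAYLOAD_TYPES and e["ts"] - pivot <= WINDOW:
                hits.add(src)
    return sorted(hits)

SAMPLE_LOG = """\
2017-07-25T09:00:05 ws-101 c2-proxy.appspot.com 8443 - application/json
2017-07-25T09:01:00 ws-202 twitter.com 443 - text/html
2017-07-25T09:01:07 ws-202 github.com 443 twitter.com text/html
2017-07-25T09:01:20 ws-202 raw.githubusercontent.com 443 github.com application/octet-stream
2017-07-25T09:02:00 ws-303 github.com 443 www.google.com text/html
2017-07-25T09:02:30 ws-303 raw.githubusercontent.com 443 github.com application/octet-stream
"""
EVENTS = [parse(l) for l in SAMPLE_LOG.splitlines()]
```

Running `find_gae_beacons(EVENTS)` flags ws-101 despite the non-standard port, and `find_social_to_repo_downloads(EVENTS)` flags only ws-202, whose repository visit was referred from a social media site; ws-303 fetched a binary from the same repository host but arrived there from a search engine, so it is not reported.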

And hopefully, if you were early enough in acting upon the IoRs, you won’t see any IoCs, just unsuccessful attacks. 

The Solution: Continuous & Automated Risk Assessment with Balbix

When I was CISO at Altera, we had to do similar drills a lot. Unfortunately, the network was constantly changing, with new devices, operating systems, subnets, applications, users, firewall rules, endpoint controls etc., and we had to constantly modify and adapt. What was particularly problematic was writing and updating our custom scripts and tools. Today’s ever-changing threat landscape comes complete with new attacks cropping up every week, requiring your risk assessment to be both continuous and accessible.

Given the extreme shortage of security talent, it is imperative that your risk assessment is also fully automated, accurate, and dependable. Security analysts need to quickly uncover risks stemming from new attacks, such as the new Vault7 leak, with a simple query that highlights highest-risk enterprise assets, and most importantly, offers prescriptions to mitigate the business impact of an attack. This is why I joined Balbix to help bring about a change in how we use the principles of automation, self-learning and predictive risk to better defend our networks. 

Balbix provides continuous and comprehensive risk visibility so your security team can instantly and effectively locate vulnerabilities, and calculate the likelihood and business impact for every asset across your entire enterprise. With Balbix’s automated solution, you gain the critical information and actionable insights you need to mitigate risk and increase resilience. 

To learn more about instantly assessing your risk from the new Vault7 leak, attend our upcoming webinar – Predicting & Mitigating the Risk of Cyber Threats – Before They Strike.

You can sign up here.