How small businesses are not immune to sophisticated cyber threats.

Nicolas
CEO, Security Engineer
Network Redesign
The logical and physical design of the customer's network did not allow for optimal placement of access control devices and sensors. The network also contained outdated network equipment and was affected by multiple vulnerabilities and design flaws.
The customer's network was essentially flat, with no hierarchy or clear delineation: a merged core/aggregation layer and an access layer with no network access control (NAC). An attacker could easily have connected to an access port and gained connectivity to a user VLAN. These VLANs could then have been traversed using double tagging or attacks targeting VTP, the Cisco proprietary VLAN trunking protocol.
Additionally, a few key network devices were running legacy software subject to various vulnerabilities, such as CVE-2018-0171 affecting the Smart Install client. This flaw could be leveraged to download the current configuration and thus the devices' passwords, some of which were stored as unsafe Type-5 passwords (Unsalted MD5).
So we proposed a better design, which could be rolled out gradually, after replacing obsolete equipment, especially those that could no longer receive software updates.
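As an added illustration (not part of the original case study or the customer's configuration), the following audit script checks an IOS-style configuration for the weak settings described above: the Smart Install client left enabled, VTP server mode, credentials stored as type 0/5/7, and trunks left on native VLAN 1. The sample configurations and hashes are constructed placeholders.

```python
import re

# Constructed sample configs (not from any real device): a legacy switch with
# the weak settings discussed above, and a hardened counterpart for comparison.
LEGACY = """\
enable secret 5 $1$abcd$EXAMPLEMD5HASHEXAMPLEMD5H
username admin privilege 15 password 7 0822455D0A16
vtp mode server
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 1
"""
HARDENED = """\
no vstack
enable secret 9 $9$EXAMPLESCRYPTHASH
username admin privilege 15 secret 9 $9$EXAMPLESCRYPTHASH
vtp mode transparent
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
"""

# Matches 'password'/'secret' followed by an optional type number and the value.
CRED = re.compile(r"\b(?:password|secret)\s+(?:([05789])\s+)?\S+")

def audit_ios_config(config: str) -> list[str]:
    """Return finding codes for the weak IOS settings this case study describes."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Smart Install (CVE-2018-0171 attack surface): the client stays on until
    # 'no vstack' is configured.
    if "no vstack" not in lines:
        findings.append("vstack-enabled")
    # VTP server mode accepts VLAN-database updates received on trunk links.
    if "vtp mode server" in lines:
        findings.append("vtp-server")
    trunk, native = False, "1"  # per-interface state; IOS default native VLAN is 1
    for line in lines + ["interface END"]:  # sentinel closes the last interface block
        if line.startswith("interface "):
            if trunk and native == "1":  # native VLAN 1 on a trunk enables double tagging
                findings.append("trunk-native-vlan-1")
            trunk, native = False, "1"
        elif line == "switchport mode trunk":
            trunk = True
        elif line.startswith("switchport trunk native vlan "):
            native = line.split()[-1]
        m = CRED.search(line)
        # Type 0 (plain), 7 (reversible) and 5 (MD5-based) are recoverable offline
        # once the config leaks; type 8/9 (PBKDF2/scrypt) are the replacement.
        if m and (m.group(1) or "0") in "057":
            findings.append(f"cred-type-{m.group(1) or '0'}")
    return findings
```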
Workstation & Endpoints
Some hosts ran outdated operating systems that had not received patches or updates for various reasons, such as a lack of free disk space or bugs in the update service. Some of these hosts were vulnerable to remote exploitation and were completely unprotected. A temporary solution was agreed with the customer to protect these devices until they could be updated or fixed.
The customer relied almost exclusively on an expensive EDR solution that had been of no use during the earlier compromise of their network. It detected neither the malicious attachment in the email from the contractor, nor the execution of the dropper, the C2 communication channel, or the artifacts dropped onto the disk.
Identity Management
Previously, the company lacked centralized identity management and the ability to enforce policies such as password expiration and two-factor authentication (2FA). The customer now uses Active Directory and redundant RADIUS services to address these specific issues.
SIEM & Incident Response
We implemented a more capable security service that enables distributed data collection and analysis. The client now has greater visibility into its network traffic, and the new SIEM solution improves event collection and analysis capabilities. Our incident response team, together with the client's IT team, can now respond to security issues in record time.
Backup Strategy
Finally, we also added a remote encrypted backup solution to protect critical data and enable fast restoration of host operating systems in the event of further technical or security incidents. Data is now stored both on-site and remotely, providing additional resilience, especially in the presence of unforeseen events.
Closing Words
By gradually implementing these changes, we were able to significantly improve the customer's security posture and resilience. They can now better protect their assets, quickly detect emerging threats, and, in the worst case, restore compromised hosts within minutes. Our team keeps working with the customer on a regular basis to ensure the new security policies are enforced. Regular grey-box penetration tests are performed to ensure no flaws or major vulnerabilities are left behind.