Shadow Brokers – Details on Leaked Cyberintelligence Tools and Vulnerabilities A brief research note for Info-Tech’s members.

The facts about the Shadow Brokers

On April 14, 2017, the threat actor group known as the Shadow Brokers publicized an arsenal of hacking tools as well as a series of zero-day exploits targeting various operating systems. [1]

The Shadow Brokers (also known as the Equation Group) have, over the past eight months, leaked a gigabyte worth of confidential NSA weaponized software exploits.

The exploits target more than just Microsoft products. Vulnerabilities were identified in a variety of operating systems, servers, and software, including Avaya, Red Hat, Solaris, Microsoft, IBM, and Linux. [2][3]

Microsoft has released patches for the majority of Windows exploits. Refer to the appendix for a comprehensive list of exploits. [4] Not all exploits have been patched; it is worth the effort to assess your current exposure and update/patch impacted endpoints as necessary.

The release appears to be politically motivated. Amongst the software releases were exploits into the SWIFT intercommunication banking system, a European banking program. [5]

Best practices moving forward

The accessibility of the toolsets coupled with the severity of a potential breach could have dangerous implications. Several key takeaways include:

- Patching ≠ Security: Just because a patch is available does not mean it has been deployed. Many organizations run a few patching cycles behind. Conduct an inventory of current operating systems and immediately patch vulnerable endpoints.
- Leverage Threat Intelligence: Take a proactive approach to vulnerability identification. Leverage third-party open-source vendor websites and mailing lists to actively search for new indicators of compromise and CVEs. Schedule regular scans and prioritize your patching efforts.
- There Are Multiple Solutions: Different methods can be used to remediate the same vulnerability. When patches are not available, configuration changes and defense-in-depth controls can be used to protect the organization.
- Drive Adoption: Use this release as leverage not only to create organizational situational awareness around security initiatives but also to drive adoption of foundational security measures such as patch management, threat intelligence, and zero-day mitigation policies, procedures, and solutions.
- Assess Port Security: Assess port security and the exposure of internet-facing services related to the affected RDP and SMB services. The standard ports are TCP 3389 (RDP) and TCP 445 (SMB). Consider disabling unused legacy protocols such as SMBv1.
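For the port-security takeaway above, an added example (not from the Info-Tech note): a PowerShell audit script, run elevated on a Windows host, that reports whether SMBv1 is still enabled, what is listening on TCP 445 and 3389, and how broadly the inbound firewall rules for those ports are scoped. The -Remediate switch and the use of Windows 10 / Server 2016-era cmdlets (SmbShare, NetTCPIP, NetSecurity, DISM modules) are assumptions.

```powershell
# Added example (not the note's own material): audit SMBv1 and SMB/RDP exposure on this host.
# Assumes Windows 10 / Server 2016 or later and an elevated PowerShell session.
param([switch]$Remediate)   # hypothetical switch: only change configuration when asked to

# 1. Is the legacy SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
[pscustomobject]@{
    Check  = 'SMBv1 server protocol'
    Status = if ($smb.EnableSMB1Protocol) { 'ENABLED - disable unless a documented dependency exists' } else { 'disabled' }
}

# 2. Is the SMB1Protocol optional feature (client and server components) installed?
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
[pscustomobject]@{ Check = 'SMB1Protocol optional feature'; Status = $feat.State }

# 3. What is listening on the ports the note calls out (445 = SMB, 3389 = RDP)?
#    A LocalAddress of 0.0.0.0 or :: means every interface, including internet-facing ones.
Get-NetTCPConnection -State Listen -LocalPort 445, 3389 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }

# 4. Which enabled inbound Allow rules open those ports, and to which remote addresses?
#    'Any' as RemoteAddress on an internet-facing host is the exposure the note warns about.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains '445' -or @($_.LocalPort) -contains '3389') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr -join ',') }
    }

if ($Remediate) {
    # Turn SMBv1 off at the server and remove the feature; the feature change takes effect after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
```

Run it without -Remediate first to inventory the host; the firewall section is where internet-facing RDP/SMB exposure shows up as rules whose RemoteAddress is Any.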

Immediate actions that you can take

Do not simply wait on vendors to update their security.

1. Assess your exposure
- Don't overreact: understand the full scope of the leak. Determine your exposure and the potential risk implications.
- Organizations must not remain idle and wait for new patches or reissued certificates from vendors. Complete your own due diligence to proactively mitigate security risks in both the short term and the long term.

2. Prioritize vulnerabilities
- Conduct the appropriate due diligence to determine which relevant vulnerabilities have been patched (or not). Enterprises can demand proof of change from vendors by asking for evidence such as records of change.
- Where specific vulnerabilities are identified, use risk assessment processes to determine the priority for remediation.

3. Patch management
- Implement relevant patches. Additionally, ensure that your team is monitoring all vendor patch updates over the next few months. Take this time to review and reassess your patch management processes.

4. Security strategy and incident response
- This is a good opportunity to review your security strategy and program, and ensure that defense-in-depth practices are in place where possible.
- Leaks that get mainstream media attention are always a good opportunity to demonstrate to the board the importance of security. "Don't let a good crisis go to waste!"

5. Leverage threat intelligence
- Review your threat intelligence feeds (or if there are none, refer to Info-Tech for guidance on setting them up) and ensure that they are being consumed and actioned. Timely intelligence can give you a crucial head start against threat actors.

Maintain a holistic security program

The Shadow Brokers leak is a good reminder that security threats are often unknown and unpredictable. The only way to maintain effective defense is through a comprehensive and flexible security program (Prevent, Detect, Analyze, Respond).

- Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.
- Detect: There are two types of companies: those who have been breached and know it, and those who have been breached and don't know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
- Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.
- Respond: Organizations can't rely on an ad hoc response anymore; don't wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

Use this opportunity to conduct a security program evaluation

Leverage Info-Tech's various security blueprints:
- Build an Information Security Strategy
- Develop and Implement a Security Incident Management Program
- Integrate Threat Intelligence Into Your Security Operations
- Design and Implement a Vulnerability Management Program

Effective information security management will help you:
- Enhance your organizational security posture: risk reduction; enhanced compliance management; improved organizational situational awareness
- Create and clarify accountability and responsibility: formalized role and process responsibility; enhanced internal and external communication
- Control security costs: incident reduction; streamlined security operational process; strategy alignment
- Identify opportunities for improvement: defined measurement program; defined opportunities for continuous improvement
- Improve threat protection: intelligence-driven security operations process; optimized patch management program; improved effectiveness of internal controls; standardized operational use cases

Appendix: Exploit Information

Understand what was leaked to better prepare for attackers using new techniques and procedures. The three exploits not addressed in the recent MS patch (EnglishmanDentist, EsteemAudit, and ExplodingCan) cannot be reproduced on supported MS systems. Users running Windows 7 and above or Exchange 2010 and above are not at risk. Those using earlier versions of either are advised to upgrade. For a comprehensive list of MS patching updates, please visit Microsoft's blog.