Practical Security: A Story About Patch Management
Unfortunately (or fortunately), the majority of incidents are much less romantic than the headlines suggest, and the same picture repeats again and again. Attackers push malware around the network with an unrenamed PsExec, elevate privileges with years-old UAC bypass techniques, and exploit vulnerabilities whose patches were released several years ago.

Recalling past security incidents, one involuntarily concludes that almost every attack could have been prevented easily if everything had been done correctly, following the rules described many times in manuals and in information security best practices. Therefore, today I want to remind you of the need to install patches.

Quite often there is a misconception that information security is a one-off deliverable rather than a process. As a rule, it looks like this: "Make it secure now, and then we will maintain everything ourselves." The contractor hired to "make it secure" will not argue with the client. It will do as requested and move on to the next client, carrying information security to the masses. The client, having paid, remains naively confident that everything is fine and that their information security systems have been built to last for centuries.

Surprises, as they say, come later. Information security is an active, continually changing process; it cannot be achieved once and for all. Customers often forget this "tiny feature." Like any other business process, information security consists of many elements, and if a single component fails, the whole system breaks down and stops working. Patch management is one of these elements.

As the name implies, patch management is the process of managing software updates that are designed to eliminate security holes and maintain an adequate level of security.
Real-life case 1

We have a geographically distributed closed network built on Microsoft solutions, consisting of approximately 200 hosts. Two of them carry a second network card and have Internet access. Because of the specifics of the main business software, two service providers are involved in maintaining the infrastructure. At the time the "fire brigade" was called in, the infrastructure had not been functioning for more than two days.

The need to install patches, especially those aimed at enforcing security, has been talked about often. If you google "Patch Management Policy", you get about 200 million results. Active discussion began back in 2006. In early 2007, SANS published a document called "Patch Management" [1]. Its very beginning clearly explains what patch management is and why it is needed, and it does so in language understandable not only to a technical specialist but also to managers who are far from IT. The more recent Guide to Enterprise Patch Management Technologies [2], published in 2013, continues to emphasize the need for critical updates.
Real-life case 2

According to the service providers, over the past 48 hours almost all network hosts had experienced 100% CPU load, which led to BSODs. Numerous attempts to clean the hosts with antivirus software failed, and repeated reinfections with a Trojan were detected. Moreover, a rollback of the antivirus databases to December 2017 was discovered. RDP access was unavailable. Still, the scattered information obtained allowed us to draw preliminary conclusions about how the malware was spreading through the network and to give the first recommendations on how to counter the attack. One of the main recommendations was to disable the SMBv1 and SMBv2 protocols to stop the spread of the malware over the network.

The most widely known malware attacks of this kind are WannaCry and NotPetya. Both exploited a vulnerability in the SMBv1 implementation in Windows, for which the Shadow Brokers group [3] published the EternalBlue [4] exploit in April 2017. A month earlier, in March 2017, Microsoft had already released security bulletin MS17-010 with the patch that closes this vulnerability. Yet the WannaCry and NotPetya attacks took place in May and June 2017. The consequences of these attacks would not have been so severe if the victims had not ignored the critical update and had installed the patch in time.

In the wake of the hype around cryptocurrency mining, vulnerable company networks have become especially attractive: using other people's CPU resources for the necessary calculations has become popular.
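The containment step recommended in Real-life case 2, as an added example (PowerShell written for this edit, not code from the original article). It disables only SMBv1, the dialect that EternalBlue attacks, because switching off SMBv2 as well also breaks normal file-sharing and domain traffic and is a last-resort measure. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, with a registry fallback for Windows 7 / 2008 R2, and ends with a quick "when was anything last installed here?" triage check.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: the SMBv1 containment step from
# Real-life case 2 plus a quick "has this host been patched at all?" check.
# Assumptions: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later
# (Get-SmbServerConfiguration exists there). The Windows 7 / 2008 R2 fallback uses the
# registry value and sc.exe settings that Microsoft documents for disabling SMBv1.

$smbCmdlets = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue

if ($smbCmdlets) {
    $cfg = Get-SmbServerConfiguration
    "SMB1 server enabled: $($cfg.EnableSMB1Protocol); SMB2/3 enabled: $($cfg.EnableSMB2Protocol)"

    # Server side: stop answering SMBv1 at all. Takes effect without a reboot.
    if ($cfg.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Remove the SMBv1 component (server and client) so a service cannot quietly turn it back on.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKUs expose SMBv1 as the FS-SMB1 feature
        if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
            Uninstall-WindowsFeature -Name FS-SMB1
        }
    } else {
        # Client SKUs (8.1 / 10) expose it as an optional feature
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        if ($feat.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        }
    }
} else {
    # Windows 7 / Server 2008 R2: no SMB cmdlets, use the documented registry / sc.exe method.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0     # server side
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi      # client side: drop the SMB1 redirector
    sc.exe config mrxsmb10 start= disabled
    'SMBv1 disabled in the registry; a reboot is required for the change to apply.'
}

# Triage of patch state: when was anything last installed on this host?
# Get-HotFix lists the KB numbers of installed packages. A host patched later through a
# cumulative rollup will not show the original MS17-010 KB, so do not grep for that KB alone.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    "Newest installed update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())"
} else {
    'No update installation dates recorded; treat this host as unpatched.'
}
```

Run it once per host during containment, before the antivirus clean-up: with the SMBv1 server side off, the worm loses its lateral-movement path even on hosts that are still waiting for the MS17-010 update itself.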
Real-life case 3

Multiple attempts to infect the infrastructure under study with cryptomining malware [5] were detected. The attackers also used the EternalBlue vulnerability to spread it. Analysis of the antivirus and VPN [6] logs showed the presence of the WannaMine malware in the affected infrastructure; this malware mines the Monero [7] cryptocurrency. One distinctive feature of the detected malware was its distribution mechanism, similar to that of the WannaCry attack discussed above. In addition, several files were found in the SpeechsTracing directories that were completely identical to those the Shadow Brokers had published a year and a half earlier. While neutralizing the attack, multiple Microsoft updates were installed, dating from 2016 up to the present moment.

Life teaches us that many problems can be avoided if you do not try to accomplish everything with your own hands and mind alone. Do not rely on "our own special way." In the digital age, this paradigm does not work. A vast number of recommendations and manuals on preventing cyber-attacks have already been written, and with modern technology they are relatively easy to follow.
How to streamline your update and patch process:
- Develop and enforce policies for managing updates to the OS, applications, and system components
- Deploy and configure Windows Server Update Services (WSUS) in the server segment to distribute updates for operating systems and Microsoft products
- Continuously monitor whether the installed updates are current and quickly install new critical security updates
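The last two steps of the procedure above, as an added example (PowerShell written for this edit, not code from the original article). Part one points a client at an internal WSUS server through the policy registry keys that Group Policy writes; part two produces a staleness report over a list of hosts so that machines stuck on updates from 2016, as in Real-life case 3, show up. The WSUS URL, the target-group name, the host names and the 45-day threshold are assumptions for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article.
# (1) Point a client at an internal WSUS server via the documented policy registry keys
#     (the same keys Group Policy sets under Windows Components > Windows Update).
# (2) Report the newest installed update per host and flag hosts older than the policy.
# Assumptions: the WSUS URL, target group, host names and threshold below are made up for
# this example; WinRM is enabled on the target hosts; you have admin rights on them.

$WsusUrl     = 'http://wsus.corp.example:8530'   # assumed; match your server name and port
$TargetGroup = 'Servers-Tier2'                    # assumed; a WSUS client-side targeting group
$MaxAgeDays  = 45                                 # assumed policy: anything older is "stale"

# --- (1) Client configuration -------------------------------------------------------------
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $wu -Force | Out-Null
New-Item -Path $au -Force | Out-Null

Set-ItemProperty $wu -Name WUServer             -Type String -Value $WsusUrl
Set-ItemProperty $wu -Name WUStatusServer       -Type String -Value $WsusUrl   # where the client reports status
Set-ItemProperty $wu -Name TargetGroupEnabled   -Type DWord  -Value 1
Set-ItemProperty $wu -Name TargetGroup          -Type String -Value $TargetGroup
Set-ItemProperty $au -Name UseWUServer          -Type DWord  -Value 1          # use WUServer, not Microsoft Update
Set-ItemProperty $au -Name NoAutoUpdate         -Type DWord  -Value 0          # automatic updates on
Set-ItemProperty $au -Name AUOptions            -Type DWord  -Value 4          # 4 = auto download and schedule install
Set-ItemProperty $au -Name ScheduledInstallDay  -Type DWord  -Value 0          # 0 = every day
Set-ItemProperty $au -Name ScheduledInstallTime -Type DWord  -Value 3          # 03:00 local time

Restart-Service wuauserv
# Trigger a detection cycle. wuauclt is honoured up to Windows 8.1 / 2012 R2;
# Windows 10 / 2016 and later use the Update Session Orchestrator client instead.
if (Test-Path "$env:SystemRoot\System32\UsoClient.exe") {
    & "$env:SystemRoot\System32\UsoClient.exe" StartScan
} else {
    wuauclt.exe /reportnow /detectnow
}

# --- (2) Staleness report over the fleet -------------------------------------------------
$hosts = 'srv-app01', 'srv-app02', 'srv-db01'   # assumed names for this example

$report = Invoke-Command -ComputerName $hosts -ErrorAction Continue -ScriptBlock {
    # Newest package with a recorded install date; hosts with none are reported as such.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        LastKB     = if ($latest) { $latest.HotFixID } else { 'none' }
        LastUpdate = if ($latest) { $latest.InstalledOn } else { $null }
    }
}

$report |
    Select-Object Host, LastKB, LastUpdate,
        @{ n = 'AgeDays'; e = { if ($_.LastUpdate) { [int]((Get-Date) - $_.LastUpdate).TotalDays } else { -1 } } },
        @{ n = 'Stale';   e = { -not $_.LastUpdate -or ((Get-Date) - $_.LastUpdate).TotalDays -gt $MaxAgeDays } } |
    Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

On domain-joined hosts, set the same values through a Group Policy Object rather than by hand, and use the registry writes above only for standalone machines or to verify what the GPO applied. The fleet report is the client-side view; the WSUS server's own view of which hosts have not reported or have failed installs is available through the UpdateServices module's Get-WsusComputer cmdlet, and the two should be compared, since a host that has stopped reporting to WSUS is exactly the one that is silently falling behind.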