All posts by Jeff Petters

What is Incident Response? A 6-Step Plan

“We don’t rise to the level of our expectations, we fall to the level of our training.” – Archilochus

Incident Response is the art of cleanup and recovery when you discover a cybersecurity breach. You might also see these breaches referred to as IT incidents, security incidents, or computer incidents – but whatever you call them, you need a plan and a team dedicated to managing the incident and minimizing the damage and cost of recovery.

Some organizations call this team the Computer Security Incident Response Team (CSIRT) – there are other permutations of that acronym out there like Security Incident Response Team (SIRT) or Computer Incident Response Team (CIRT). The mission of this team is the same no matter what you call it – to enact the company’s established incident response plan when the bat-signal goes up.

You do have a company approved incident response (IR) plan, right?

Importance of Incident Response

If you work in data security, you deal with security incidents on a day-to-day basis. Occasionally, a minor security issue turns out to be a real live panic situation. When the bat-signal does light up, will everyone know what to do? Will every CSIRT member know their role and responsibilities and follow the approved plan?

When the stakes get high and the pressure intensifies, the CSIRT will perform as they have practiced. If there’s no plan in place, there’s no guarantee they’ll be able to properly respond to a cybersecurity incident. The IR plan defines how to identify, contain, and manage data security incidents.

However, simply having an IR plan isn’t enough: the CSIRT team needs to run practice scenarios so they are adequately prepared for the real thing.

On top of all that, there is often a time crunch. Data breach notification laws are becoming more common: the GDPR, for instance, requires companies to report data security incidents within 72 hours of discovery. California and Colorado are enacting similar rules in the US, and that trend is likely to continue.

6 Steps to a Successful Incident Response Plan

SANS published their Incident Handler’s Handbook a few years ago, and it remains the standard for IR plans. It’s a 6-step framework that you can use to build your specific company plan around.

  1. Preparation: Your CSIRT needs to perform like a finely tuned machine when the time comes, and that takes work. Define a corporate security policy: this typically includes acceptable use of company data, consequences for security violations, and definitions on what qualifies as a security incident. Define a step-by-step guide of how the CSIRT should handle a security incident, including documentation of incidents and both internal and external communications.
  2. Identification: Define which criteria activate the CSIRT. It could be a specific kind of issue – like “found a random USB drive on the floor” or a Varonis DatAlert “Brute Force Attack Detected” – that triggers the IR plan. It could also be a cumulative set of circumstances that triggers the plan: for example, an abnormal access alert combined with an alert on an unusual upload to a cloud storage site in the same hour might be a trigger.
  3. Containment: Contain the threat. There are two types of containment: long and short. Short-term containment is an immediate response, stopping the threat from spreading and doing further damage. Back up all affected systems to save their current states for later forensics. Long-term containment includes returning all systems to production to allow for standard business operation, but without the accounts and backdoors that allowed for the intrusion.
  4. Eradication: Establish a process to restore all of the affected systems. A good starting place is to reimage all systems involved in the incident and remove any traces of the security incident. These steps should include the specifics about the disk cloning software and images your company has validated. Lastly, update your defense systems to prevent the same kind of security incident from occurring again.
  5. Recovery: Determine how to bring all systems back into full production after verifying that they are clean and free of any nastiness that could lead to a new security incident.
  6. Lessons Learned: Review the documentation of the incident with the CSIRT for training purposes. Update the IR plan based on feedback and any identified deficiencies.
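
The cumulative trigger from the Identification step, as an added example (not code from the original post or from any Varonis product): an incident is raised when an abnormal-access alert and an unusual cloud-upload alert for the same user fall within one hour, while some alert types trigger on their own. The alert type names, the rule tables and the sample alerts are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, user, alert type). Not real product output.
SAMPLE_ALERTS = [
    ("2018-06-01T09:05:00", "frodo", "abnormal_access"),
    ("2018-06-01T09:40:00", "frodo", "unusual_cloud_upload"),
    ("2018-06-01T10:00:00", "sam", "abnormal_access"),
    ("2018-06-01T12:30:00", "sam", "unusual_cloud_upload"),
    ("2018-06-01T13:00:00", "merry", "brute_force_detected"),
]

# Hypothetical rule tables an IR plan might define.
SINGLE_TRIGGERS = {"brute_force_detected"}          # activate the CSIRT on their own
COMBINED_TRIGGERS = [                               # activate only when seen together
    ({"abnormal_access", "unusual_cloud_upload"}, timedelta(hours=1)),
]


def find_incidents(alerts):
    """Return (user, reason, first_time, last_time) tuples, ordered by first_time."""
    parsed = sorted((datetime.fromisoformat(t), user, kind) for t, user, kind in alerts)
    incidents = []

    # Alerts that qualify as an incident by themselves.
    for when, user, kind in parsed:
        if kind in SINGLE_TRIGGERS:
            incidents.append((user, kind, when, when))

    # Alerts that qualify only in combination, per user, inside a time window.
    for required, window in COMBINED_TRIGGERS:
        by_user = {}
        for when, user, kind in parsed:
            if kind in required:
                by_user.setdefault(user, []).append((when, kind))
        for user, events in by_user.items():
            for i, (start, _) in enumerate(events):
                seen = {}
                for when, kind in events[i:]:
                    if when - start > window:
                        break               # later events are outside the window
                    seen.setdefault(kind, when)
                if set(seen) == required:
                    reason = "+".join(sorted(required))
                    incidents.append((user, reason, start, max(seen.values())))
                    break                   # report each user once per rule

    return sorted(incidents, key=lambda item: (item[2], item[0]))


if __name__ == "__main__":
    for user, reason, first, last in find_incidents(SAMPLE_ALERTS):
        print(f"{first:%H:%M}-{last:%H:%M} {user}: {reason}")
```

In the sample data, sam has both alert types but two and a half hours apart, so only frodo's pair and merry's stand-alone alert activate the plan.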

Who is Responsible for Incident Response?

Whatever you call your CSIRT team, they need to be a well-rounded team of professionals. They could be full-time security practitioners, or may have other job responsibilities in the organization and their assignment to CSIRT is a secondary role.

Some of the roles on a CSIRT team are:

  • Incident Response Manager: The lead of the CSIRT team that oversees the IR plan in action.
  • Security Analysts: The ground troops responsible for threat neutralization and containment of an active security incident.
  • Threat Researchers: The team responsible for providing research and intelligence to add context to the security incident. They often search for other incidents and analyze logs for other hints and clues about the incident.

In addition to the primary roles, you may want to include some cross-functional support from other areas of the company:

  • Management: The management team provides resources and buy-in to the CSIRT team and IR plan.
  • Human Resources: HR is often brought in to support the CSIRT efforts if an employee is involved.
  • General Counsel: Compliance and regulation are an integral part of data security, so get the lawyers involved – possibly as part of the full-time team. You might also have a full-time compliance officer fulfill this role.
  • Public Relations: PR can help manage communications after an incident, especially now that data breaches need to be public information so quickly.

What to Do After a Cyber Incident?

The dust settles, the bad guys are defeated, and the CSIRT team followed the IR plan to the letter. What next? Take stock and resupply for the next encounter. Re-run vulnerability and risk assessments and close any new gaps in security.

Tighten up the IR plan or add new forensics or monitoring. Implement the full Varonis Data Security Platform to add best-in-class data security analytics for advanced warning and behavioral analysis of all your data.

Varonis Powers Up a CSIRT

Varonis monitors your data, VPN, DNS, email, and more to catch cybersecurity threats before they become data breaches. Our threat models detect behaviors that match known attacks across the cybersecurity kill chain and warn on deviations from normal behavior patterns. It would take months (or likely years) for a CSIRT to code comparable threat models on their own.

Varonis enables teams to visualize security threats with an intuitive dashboard and investigate security incidents – even track alerts and assign them to team members for closure. You can even incorporate rich context and data security intelligence from Varonis into your favorite SIEM for better breach detection.

Get a 1:1 demo to see how customers use Varonis as part of their incident response strategy – it’s a game changer for incident response.

What is a Distributed Denial of Service (DDoS) Attack?

A Distributed Denial of Service (DDoS) attack is an attempt to crush a web server or online system by overwhelming it with data. DDoS attacks can be simple mischief, revenge, or hacktivism, and can range from a minor annoyance to long-term downtime resulting in loss of business.

Hackers hit GitHub with a DDoS attack of 1.35 terabytes of data per second in February of 2018. That’s a massive attack, and it’s doubtful that it will be the last of its kind.

How Does a DDoS Attack Work?

DDoS attacks most often work through botnets – large groups of computers that act in concert with each other – simultaneously spamming a website or service provider with requests.

Attackers use malware or unpatched vulnerabilities to install Command and Control (C2) software on users’ systems to create a botnet. DDoS attacks rely on a high number of computers in the botnet to achieve the desired effect, and the easiest and cheapest way to get control of that many machines is by leveraging exploits. The recent DYNDNS attack exploited Wi-Fi cameras with default passwords to create a huge botnet.

Once they have the botnet ready, the attackers send the start command to all of their botnet nodes, and the nodes then send their programmed requests to the target server. If the attack makes it past the outer defenses, it quickly overwhelms most systems, causes service outages, and in some cases, crashes the server. The end result of a DDoS attack is primarily lost productivity or service interruption – customers can’t see a website.

While that may sound benign, the cost of a DDoS attack averaged $2.5 million in 2017. Hackers engage in DDoS attacks for anything ranging from childish pranks to revenge against a business to political activism.

Common Types of DDoS Attacks

Application Layer Attacks

Application layer DDoS attacks aim to exhaust the resources of the target and disrupt access to the target’s website or service. Attackers load the bots with a complicated request that taxes the target server as it tries to respond. The request might require database access or large downloads. If the target gets several million of those requests in a short time, it can very quickly get overwhelmed and either slowed to a crawl or locked up completely.

An HTTP Flood attack, for example, is an application layer attack that targets a webserver on the target and uses many fast HTTP requests to bring the server down. Think of it as pressing the refresh button in rapid fire mode on your game controller. That kind of traffic from many thousands of computers at once will quickly drown the webserver.

Protocol Attacks

Protocol DDoS attacks target the networking layer of the target systems. Their goal is to overwhelm the table spaces of the core networking services, the firewall, or load balancer that forwards requests to the target.

In general, network services work off a first in, first out (FIFO) queue. The first request comes in, the computer processes the request, and then it gets the next request in the queue, and so on. There are a limited number of spots in this queue, and in a DDoS attack the queue could become so huge that there aren’t resources for the computer to deal with the first request.

A SYN flood attack is a specific protocol attack. In a standard TCP/IP network transaction, there is a 3-way handshake. They are the SYN, the ACK, and the SYN-ACK. The SYN is the first part, which is a request of some kind, the ACK is the response from the target, and the SYN-ACK is the original requester saying “thanks, I got the information I requested.” In a SYN flood attack, the attackers create SYN packets with fake IP addresses. The target then sends an ACK to the dummy address, which never responds, and it then sits there and waits for all those responses to time out, which in turn exhausts the resources to process all of these fake transactions.
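
The bounded queue described above, as an added simulation that is not part of the original post: a fixed-size table of pending connections fills with entries that never complete and only leave on timeout, so legitimate requests arriving in the meantime are refused. The table size, timeout and arrival rates are constructed values, and the code only does arithmetic; it generates no network traffic.

```python
def simulate_backlog(ticks, backlog_size, timeout, bogus_per_tick, legit_per_tick):
    """Model a bounded table of pending connections, one time step per tick.

    Legitimate entries complete and leave the table on the next tick.
    Bogus entries never complete and leave only after `timeout` ticks.
    Within a tick the bogus requests are assumed to arrive first, which is
    the worst case for the legitimate clients.

    Returns (legit_accepted, legit_refused, first_refusal_tick).
    """
    pending = []              # expiry tick of every entry currently in the table
    accepted = refused = 0
    first_refusal = None

    for now in range(ticks):
        # Drop entries that completed or timed out.
        pending = [expiry for expiry in pending if expiry > now]

        arrivals = [False] * bogus_per_tick + [True] * legit_per_tick
        for is_legit in arrivals:
            if len(pending) >= backlog_size:
                # Table full: the request is dropped before any processing.
                if is_legit:
                    refused += 1
                    if first_refusal is None:
                        first_refusal = now
                continue
            pending.append(now + 1 if is_legit else now + timeout)
            if is_legit:
                accepted += 1

    return accepted, refused, first_refusal


# Constructed scenarios: same server, with and without never-completing entries.
QUIET = simulate_backlog(ticks=100, backlog_size=128, timeout=30,
                         bogus_per_tick=0, legit_per_tick=10)
FLOOD = simulate_backlog(ticks=100, backlog_size=128, timeout=30,
                         bogus_per_tick=20, legit_per_tick=10)

if __name__ == "__main__":
    for name, (ok, dropped, first) in (("quiet", QUIET), ("flood", FLOOD)):
        print(f"{name}: accepted={ok} refused={dropped} first refusal at tick {first}")
```

With these numbers the table is full by tick 5 and stays full, because expired entries are replaced as fast as they time out; the legitimate clients are refused from then on even though the server itself is idle.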

Volumetric Attacks

The goal of a volumetric attack is to use the botnet to generate a major amount of traffic and clog up the works on the target. Think of it like an HTTP Flood attack, but with an added exponential response component. For example, if you and 20 of your friends all called the same pizza place and ordered 50 pies at the same time, that pizza shop wouldn’t be able to fulfill those requests. Volumetric attacks operate on the same principle. They request something from the target that will vastly increase the size of the response, and the amount of traffic explodes and clogs up the server.

DNS Amplification is a kind of volumetric attack. In this case, they are attacking the DNS server directly and requesting a large amount of data back from the DNS server, which can bring the DNS server down and cripple anyone that is using that DNS server for name resolution services.

DDoS Attacks Today

Just like everything else in computing, DDoS attacks are evolving and becoming more destructive to business. Attack sizes are increasing, growing from 150 requests per second in the 1990s – which would bring a server of that era down – to the recent DYNDNS attack and GitHub attack at 1.2 TBs and 1.35 TBs respectively. The goal in both of these attacks was to disrupt two major sources of productivity across the globe.

These attacks used new techniques to achieve their huge bandwidth numbers. The Dyn attack used an exploit found in Internet of Things (IoT) devices to create a botnet, called the Mirai Botnet attack. Mirai used open telnet ports and default passwords to take over Wi-Fi-enabled cameras to execute the attack. This attack was a childish prank but presented a major vulnerability that comes with the proliferation of the IoT devices.

The GitHub attack exploited the many thousands of servers on the open internet running memcached, an open-source memory caching system. Memcached happily responds with huge amounts of data to simple requests, so leaving these servers on the open internet is a definite no-no.

Both of these attacks show a significant risk of future exploits, especially as the IoT universe continues to grow. How fun would it be for your fridge to be part of a botnet? On the bright side, GitHub wasn’t even brought down by the attack.

What’s more, DDoS attacks have never been easier to execute. With multiple DDoS-as-a-Service options available, malicious actors can pay a nominal fee to “rent” a botnet of infected computers to execute a DDoS attack against their target of choice.

How to Mitigate a DDoS Attack

How did GitHub survive that massive DDoS attack? Planning and preparation, of course. After 10 minutes of intermittent outages the GitHub servers activated their DDoS mitigation service. The mitigation service rerouted incoming traffic and scrubbed the malicious packets, and about 10 minutes later the attackers gave up.

In addition to paying for DDoS mitigation services from companies like CloudFlare and Akamai, you can employ your standard endpoint security measures. Patch your servers, keep your memcached servers off the open internet, and train your users to recognize phishing attacks.

You can turn on Black Hole Routing during a DDoS attack to send all traffic to the abyss. You can set up rate limiting to cap the number of requests a server gets in a short amount of time. A properly configured firewall can also protect your servers.

Varonis monitors your DNS, VPN, Proxies, and data to help detect signs of an impending DDoS attack against your corporate network. Varonis Data Security Analytics track behavior patterns and generate warnings when current behavior matches a threat model or deviates from standard behavior. This can include malware botnet attacks or significant increases in network traffic. Get a live 1:1 demo to see how Varonis protects your data from DDoS attacks and more.

What is the Colorado Privacy Law?

On September 1, 2018, the Colorado Protections for Consumer Data Privacy law, HB 18-1128, goes into effect. A bi-partisan group introduced HB 18-1128 in January, and after the usual negotiations, the Legislature passed it unanimously. The new Privacy Law provisions are part of the Colorado Consumer Protection Act (“CCPA”), in a continued effort to protect personal data.

Colorado is getting the message. Data privacy and security are important – and companies need to be held accountable.

What Data Does HB 18-1128 Protect?

The new Colorado legislation specifies exactly what kind of personal data companies need to track regarding Colorado residents. HB 18-1128 defines Personal Identifiable Information (PII) for Colorado residents as a first and last name with any one or more of these other PII:

  • Social Security Number
  • Student, Military, or Passport ID number
  • Driver’s License Number
  • Medical Information
  • Health Insurance ID number
  • Biometric data
  • Username or email address with password and/or security questions and answers
  • Credit Card number with PIN/ access code/ password

HB 18-1128 applies to Colorado residents, but any company that manages PII for Colorado residents needs to be aware of this new legislation.

How Long Do I Have to Report a Data Breach?

HB 18-1128 requires organizations to notify Colorado residents within 30 days of the discovery of a data breach where their PII was involved.

If there are more than 500 Colorado residents involved, companies have to notify the Colorado State Attorney General’s office. The law enables the Attorney General to prosecute violations of the new law.

What Else Does the Bill Say?

HB 18-1128 requires organizations to implement reasonable controls and safeguards to protect PII. If that sounds familiar, the EU GDPR, California, and Massachusetts have also used similar language to articulate that same idea – data security, especially on personal information, is super important.

What Can I Do To Comply With the New Colorado Privacy Law?

First, ask yourself about your company’s overall preparedness level to deal with a cyberattack.

Second, review best practices and recommended data security strategies outlined in resources like NIST and SANS – and determine how your company can apply these security principles.

Third, review your data breach procedures, and make sure you’ve got solutions in place to help identify PII, protect sensitive data, and detect potential security breaches.

The Varonis Data Security platform is the core of an effective data security strategy to protect your company from data breaches. Varonis discovers, identifies, and monitors PII on your core data stores, and detects (and alerts on) any abnormal or unlawful access to that data.

Get a 1:1 demo and learn how to discover where your Colorado related PII lives and how to meet the new privacy laws – get a head start on compliance with HB 18-1128 and protect your data wherever it lives.

What is SAML and How Does it Work?

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). What that jargon means is that you can use one set of credentials to log into many different websites. It’s much simpler to manage one login per user than it is to manage separate logins to email, customer relationship management (CRM) software, Active Directory, etc.

SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

The OASIS Consortium approved SAML 2.0 in 2005. The standard changed significantly from 1.1, so much so that the versions are incompatible. SAML adoption allows IT shops to use software as a service (SaaS) solutions while maintaining a secure federated identity management system.

SAML enables Single-Sign On (SSO), a term that means users can log in once, and those same credentials can be reused to log into other service providers.

What is SAML Used For?

SAML simplifies federated authentication and authorization processes for users, identity providers, and service providers. SAML provides a solution to allow your identity provider and service providers to exist separately from each other, which centralizes user management and provides access to SaaS solutions.

SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. When a user logs into a SAML enabled application, the service provider requests authorization from the appropriate identity provider. The identity provider authenticates the user’s credentials and then returns the authorization for the user to the service provider, and the user is now able to use the application.

SAML authentication is the process of verifying the user’s identity and credentials (password, two-factor authentication, etc.). SAML authorization tells the service provider what access to grant the authenticated user.

What is a SAML Provider?

A SAML provider is a system that helps a user access a service they need. There are two primary types of SAML providers: service providers and identity providers.

A service provider needs the authentication from the identity provider to grant authorization to the user.

An identity provider performs the authentication that the end user is who they say they are and sends that data to the service provider along with the user’s access rights for the service.

Microsoft Active Directory or Azure are common identity providers. Salesforce and other CRM solutions are usually service providers, in that they depend on an identity provider for user authentication.

What is a SAML Assertion?

A SAML Assertion is the XML document that the identity provider sends to the service provider that contains the user authorization. There are three different types of SAML Assertions – authentication, attribute, and authorization decision.

  • Authentication assertions prove identification of the user and provide the time the user logged in and what method of authentication they used (e.g., Kerberos, two-factor, etc.).
  • Attribute assertions pass the SAML attributes to the service provider – SAML attributes are specific pieces of data that provide information about the user.
  • An authorization decision assertion says if the user is authorized to use the service or if the identity provider denied their request due to a password failure or lack of rights to the service.
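
What such a document looks like to a service provider, as an added example that is not from the original post: the code reads a constructed SAML 2.0 assertion, where the three kinds appear as `AuthnStatement`, `AttributeStatement` and `AuthzDecisionStatement` elements, and then checks the validity window and audience. The URLs, user and attribute values are constructed, and the sketch assumes the assertion's XML signature has already been verified, which a real service provider must do before trusting any field.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion for illustration; unsigned, so not acceptable to a real SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2018-06-01T09:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>frodo@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-06-01T08:59:00Z" NotOnOrAfter="2018-06-01T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-06-01T08:58:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Fellowship</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://crm.example.com/accounts" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamp format used in the sample assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_assertion(xml_text):
    """Extract the fields a service provider acts on from one assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    authz = root.find("saml:AuthzDecisionStatement", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in
                      cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        # Authentication: when and how the user logged in at the IdP.
        "authn": {
            "instant": authn.get("AuthnInstant"),
            "method": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                                     namespaces=NS),
        },
        # Attributes: pieces of data about the user.
        "attributes": {
            attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
            for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        },
        # Authorization decision: whether the user may use the resource.
        "authz": {"resource": authz.get("Resource"), "decision": authz.get("Decision")},
    }


def check_conditions(info, expected_audience, now):
    """Return a list of reasons to reject the assertion (empty list = acceptable)."""
    problems = []
    current = _ts(now)
    if current < info["not_before"]:
        problems.append("not yet valid")
    if current >= info["not_on_or_after"]:
        problems.append("expired")
    if expected_audience not in info["audiences"]:
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    parsed = read_assertion(SAMPLE_ASSERTION)
    print(parsed["subject"], parsed["authn"]["method"], parsed["authz"]["decision"])
    print(check_conditions(parsed, "https://crm.example.com", "2018-06-01T09:02:00Z"))
```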

How Does SAML Work?

SAML works by passing information about users, logins, and attributes between the identity provider and service providers. Each user logs in once to Single Sign On with the identity provider, and then the identity provider can pass SAML attributes to the service provider when the user attempts to access those services. The service provider requests the authorization and authentication from the identity provider. Since both of those systems speak the same language – SAML – the user only needs to log in once.

Each identity provider and service provider need to agree upon the configuration for SAML. Both ends need to have the exact configuration for the SAML authentication to work.

SAML Example

  1. Frodo (user) logs into SSO first thing in the morning.
  2. Frodo then tries to open the webpage to his CRM.
  3. The CRM – the service provider – checks Frodo’s credentials with the identity provider.
  4. The identity provider sends authorization and authentication messages back to the service provider, which allows Frodo to log into the CRM.
  5. Frodo can use the CRM and get work done.
    “Need 8 volunteers for a tough project…”

SAML vs. OAuth

OAuth is a slightly newer standard that was co-developed by Google and Twitter to enable streamlined internet logins. OAuth uses a similar methodology as SAML to share login information. SAML provides more control to enterprises to keep their SSO logins more secure, whereas OAuth is better on mobile and uses JSON.

Facebook and Google are two OAuth providers that you might use to log into other internet sites.

SAML Tutorials

A few resources to help research exactly how to implement SAML:

SAML and SSO are important to any enterprise cybersecurity strategy. Identity management best practices require user accounts to be both limited to only the resources the user needs to do their job and to be audited and managed centrally. By using an SSO solution, you can disable accounts from one system and remove access to all available resources at once, which protects your data from theft.

Varonis protects your core Active Directory services, which in turn helps protect your SSO and SAML systems. Varonis will catch attacks to your AD system long before the attackers can access SSO resources. Get a 1:1 demo to see how Varonis protects Active Directory and your most important data stores from cyberattacks and insider threats.

CISM vs. CISSP Certification: Which One is Best for You?

It’s a perfect time to be CISM or CISSP certified, or have any cybersecurity certification: according to Gartner, the unemployment rate for cybersecurity professionals is zero – as in there isn’t an unemployment rate. In fact, there are more jobs than qualified candidates, and the job postings stay open for a long time.

CISM and CISSP are two of the most highly regarded certifications for cybersecurity leaders and practitioners, but their requirements aren’t trivial. Both require a significant investment of time and money – so it’s important to determine which is right for you. Take a look at our comparison of the two below to help you make a decision.

CISM (Certified Information Security Manager)

CISM (pronounced siz-zm) is a certification offered by ISACA that validates your knowledge and expertise in managing enterprise information security teams. Getting CISM certified puts you in high demand with employers around the world that recognize the achievement and capability CISM certification represents. CISM shows that you have an all-around knowledge of technical competence and an understanding of business objectives around data security.

Becoming CISM certified is a multi-step process. You need a passing score on the CISM exam, which is a 200-question multiple-choice test that covers these topics:

  • Information security management
  • Information risk management and compliance
  • Information security program development and management
  • Information security incident management

You also need a minimum of 5 years of information security work within the 10 years prior to your certification, and 3 of those 5 years need to be in management. There are some acceptable substitutions – a CISSP certification, for example, can count as 2 years of experience.

And lastly, there is a continuing education policy. To maintain your certification, you need 20 CPE credits per year, 120 CPEs over 3 years, and a commitment to adhere to a Code of Professional Ethics.

The ISACA offers CISM exam prep materials and sample questions for sale on their website. They also run training events and exam bootcamps all over the world.

CISSP (Certified Information Systems Security Professional)

CISSP (pronounced C-I-S-S-P) is another highly regarded information security certification, offered by (ISC)2. CISSP certification proves you have the expertise to design, implement, and manage a cybersecurity program.

Similar to CISM, CISSP is a certification typically geared towards experienced security practitioners in management or executive positions, but also pursued by experienced security analysts and engineers. CISSP certified analysts are in high demand and highly paid compared to other IT certifications.

The CISSP certification process requires that you meet several criteria: first, you need to pass a candidate background check. You also need 5 years of experience as a security professional in 2 of the 8 domains in the (ISC)2 Critical Body of Knowledge (CBK). Those areas are:

  • Security and risk management
  • Asset security
  • Security engineering
  • Communication and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

If you do not satisfy the work experience requirement, you can join as an Associate of (ISC)2, which requires a shorter test and qualifies you for ongoing training as a member of (ISC)2. This program is a good intermediate step towards a full CISSP.

Assuming you have the appropriate work experience, you then need to pass a 250-question test within a 6-hour time limit. (ISC)2 updated the exam in April of 2018, but not so much that the older preparation materials are outdated. The test includes questions from all 8 domains of the CBK.

Once you pass the test, you need an endorsement from a current (ISC)2 member in good standing. Hopefully, you know a current CISSP.

To maintain your certification, you need to maintain your membership status with (ISC)2. Members must pay their annual membership fees and earn 120 CPEs per 3 years.

CISM or CISSP? Which is Best for Me?

If you are in infosec or looking to move into infosec, it’s a good idea to get some kind of certification. Which one you get first depends on several factors. Some people get both. Most people get CISSP first and then get their CISM afterwards, but it doesn’t make a difference what order you get them in. Here are a few other factors that might help you make a decision:

  • Salaries are comparable between the two certifications
  • There are 8,906 CISM jobs listed on LinkedIn
  • There are 21,714 CISSP jobs listed on LinkedIn

CISM and CISSP both require a certain number of CPE credits to maintain your certification. There are several ways you can earn CPE credits – you can attend webinars on cybersecurity topics, attend conferences, or attend local CISSP or CISM meetings. You can also earn credits by volunteering for some cybersecurity events and mentoring other members. CISM and CISSP have their own guidance and you should familiarize yourself with them and prepare for the commitment to maintain your certification as part of the decision on which path to follow.

Varonis provides free security training including several CPE-eligible video courses that cover a range of topics – from PowerShell and Active Directory Essentials with Adam Bertram to Web Security Fundamentals with Troy Hunt. We also run CPE-eligible webinars throughout the year, with topics on Insider Threats, GDPR compliance, HIPAA compliance, Office 365 Security Best Practices, Securing Active Directory, and more.

Probably the most important question you need to ask is “what are your long term career goals?” Are you looking to become a CISO or infosec executive? You should look into CISM. Are you planning on a long career as a security engineer? CISSP might be the better choice. It’s not uncommon to get one and complete the other certification at a later time.

Regardless of which certification you choose to pursue, you are doing both yourself and your infosec career a huge favor. Both options open the door to salary advancement, new positions, and new professional challenges. Whether you start with CISM or CISSP, you can be confident you’re making a sound career decision.

5 Basic Port Scanning Techniques

Imagine a long hallway with doors on either side. There are a total of 131,082 doors. The ones on the right of the hall are TCP, on the left UDP. Some of those doors are marked, but most of them aren’t. Some of them have locks or security cameras, but most of them don’t.

This is what a cybercriminal might see when they look at one of your computers, except they can look through many different hallways and all the doors at the same time. Are you watching all of the doors? Some of the doors, maybe? Are you using the same port scanning techniques the cybercriminals would use to see where you might be vulnerable to attacks? You should be.

What is a Port Scanner?

A port scanner is a simple computer program that checks all of those doors – which we will start calling ports – and responds with one of three possible responses: Open, Closed, or Filtered.

There are two kinds of ports on each computer – TCP, and UDP – and 65,536 of each.

The first 1024 TCP ports are the well-known ports like FTP(21), HTTP(80), or SSH(22). Anything above 1024 is available for use by services or applications.

Cybercriminals use a port scanner to find potential weak points they could exploit, with malware or a Trojan on that system, or to use that computer to connect to other systems in your network.

How Does Port Scanning Work?

Port scanning is quite simple: a port scanner sends a request to connect to a port on a computer and records the response.

There are three possible responses:

  1. Open, Accepted: The computer responds and asks if there is anything it can do for you.
  2. Closed, Not Listening: The computer responds that “This port is currently in use and unavailable at this time.”
  3. Filtered, Dropped, Blocked: The computer doesn’t even bother to respond, it has no time for shenanigans.

Cybercriminals are looking for open ports that they can use as communication relays or infiltration vectors into your network. Any open port they can find is a possible access point for further infiltration into your network.

Let’s check out some different port scanning techniques.

Ping Scan

The simplest port scans are ping scans. A ping is an Internet Control Message Protocol (ICMP) echo request – you are looking for any ICMP replies, which indicate that the target is alive. A ping scan is an automated blast of many ICMP echo requests to different targets to see who responds.

Administrators usually disable ping either on the firewall or on the router. It’s quick and easy to turn off this functionality and make it impossible to scout the network this way. However, ping is a good troubleshooting tool, and turning it off makes tracking down network problems a little more difficult.

TCP Half-Open

One of the more common and popular port scanning techniques is the TCP Half-Open port scan, sometimes referred to as a SYN scan. It’s a fast and sneaky scan that tries to find potential open ports on the target computer. This scan is fast because it never completes the full TCP 3-way handshake. The scanner sends a SYN message and just notes the SYN-ACK responses. The scanner doesn’t complete the connection by sending the final ACK: it leaves the target hanging.

Any SYN-ACK responses are possible connections: an RST (reset) response means the port is closed, but there is a live computer here. No responses indicate SYN is filtered on the network. Any SYN-ACK replies are a quick way cybercriminals can find the next potential target.

TCP Connect

This port scanning technique is basically the same as the TCP Half-Open scan, but instead of leaving the target hanging, the port scanner completes the TCP connection.

It’s not as popular a technique as the TCP Half-Open. First, you have to send one more packet per scan, which increases the amount of noise you are making on the network.* Second, since you complete the connection with the target, you might trip an alarm that the Half-Open scan wouldn’t.

* Technical jargon: “Noisy” programs are programs that send large numbers of packets around the network. You might also hear them referred to as “chatty.”

UDP

UDP is the other half of our “hallway” and some standard services – DNS, SNMP, DHCP for example – use UDP ports instead of TCP ports. When you run a UDP port scan, you send either an empty packet or a packet that has a different payload per port, depending on your use case.

The trick with a UDP scan is that you will only get a response if the port is closed, which means you might know that there is a computer there. Depending on which port responded you might know that it has DNS or SNMP running, but that’s pretty much it. No response means that either the port is open or it’s filtered, and you might have to run the scan more than once before you figure anything out about the target. You could be waiting a while to get a response that might never come.

One more logical use of a UDP scan is to send a DNS request to UDP port 53 and see if you get a DNS reply. If you do get a reply, you know that there is a DNS server on that computer. A UDP scan can be useful to scout for active services that way, and the nmap port scanner is preconfigured to send requests for many standard services.

Difference Between TCP and UDP

TCP and UDP are the two most common protocols in use for Internet Protocol (IP) networks. Transmission Control Protocol (TCP) is a nice orderly transaction protocol: TCP sends each packet in order, complete with error checking, verification, and a 3-way handshake to confirm each packet is successful.

UDP doesn’t have any of the error checking, but gains on speed: live streaming and online video games often use UDP for this reason. Programs that use UDP just send the data – and if you miss a packet, you will never get it again.

In the TCP vs UDP discussion it depends on what you need – do you need complete data or do you need speed? If you need complete data use TCP, if you need more speed and can tolerate some data loss, use UDP.

Stealth Scanning

Sometimes a hacker (whitehat or blackhat) wants to run a port scan that is even quieter and less obvious than the other kinds of scans. Thankfully, TCP includes some flags that allow you to do just that.

When you send a port scan with a packet and the FIN flag, you are sending the packet and not expecting a response. If you do get an RST you can assume that the port is closed. If you get nothing back that indicates the port is open. Firewalls are looking for SYN packets, so FIN packets slip through undetected.

The X-MAS scan sends a packet with the FIN, URG, and PUSH flags, and expects an RST or no response, just like the FIN scan. There isn’t much practical use for this scan, but it does make the packet resemble a Christmas tree, so there is that.

You can also send packets with no flags, called a NULL packet, and the response is either an RST or nothing.

The good thing – for the hacker – about these scans is that they don’t usually show up in logs. More recent Intrusion Detection Software (IDS) and of course Wireshark will catch these scans. The bad news is that if the target is a Microsoft OS, you will only see closed ports – but if you do find an open port you can assume that it’s not a Windows machine. The biggest advantage of using these flags is that they can slip past the firewall, which makes the results more reliable.
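The flag patterns described in the TCP Half-Open, TCP Connect and Stealth Scanning sections can be turned into detection logic on the receiving host. The following is an added example, not code from the original article; the packet tuples, the documentation-range IP addresses and the five-port threshold are constructed assumptions, and the whole capture is treated as one time window.

```python
from collections import Counter, defaultdict

# TCP flag bits as they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def probe_type(flags):
    """Name the scan probe that a flow's first client segment resembles."""
    if flags == 0:
        return "NULL"                    # no flags set at all
    if flags == FIN:
        return "FIN"                     # a normal close carries FIN|ACK, not bare FIN
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    return None                          # mid-stream traffic, not a probe


def label_flow(seq):
    """Label one (source, port) flow from the client-side flags, in time order."""
    kind = probe_type(seq[0])
    if kind != "SYN":
        return kind
    # A bare ACK after the SYN means the client finished the 3-way handshake.
    if any(f & ACK and not f & SYN for f in seq[1:]):
        return "HANDSHAKE"
    return "SYN_ONLY"                    # SYN with no final ACK from the client


def detect_scans(packets, min_ports=5):
    """packets: (timestamp, src_ip, dst_port, flags) tuples seen inbound on one host.

    Returns {src_ip: (technique, ports_touched)} for every source that probed
    at least min_ports distinct ports in the capture.
    """
    flows = defaultdict(lambda: defaultdict(list))
    for _ts, src, dport, flags in sorted(packets):
        flows[src][dport].append(flags)

    findings = {}
    for src, by_port in flows.items():
        if len(by_port) < min_ports:
            continue                     # a client talking to one or two services
        labels = Counter(label_flow(seq) for seq in by_port.values())
        stealth = [k for k in ("NULL", "FIN", "XMAS") if labels[k]]
        if stealth:
            technique = max(stealth, key=labels.get)
        elif labels["HANDSHAKE"]:
            technique = "CONNECT"        # sweep that completes connections on open ports
        elif labels["SYN_ONLY"]:
            technique = "HALF_OPEN"      # sweep that never sends the final ACK
        else:
            continue
        findings[src] = (technique, len(by_port))
    return findings


def constructed_capture():
    """Constructed sample traffic (documentation IP ranges), not a real capture."""
    pkts, t = [], 0.0

    def add(src, port, flags):
        nonlocal t
        pkts.append((t, src, port, flags))
        t += 0.01

    for port in (21, 22, 23, 25, 80, 443):          # half-open sweep
        add("198.51.100.7", port, SYN)
    for port in (22, 80):                            # open ports: SYN-ACK answered with a bare RST
        add("198.51.100.7", port, RST)
    for port in (21, 22, 25, 80, 443):               # connect sweep
        add("198.51.100.9", port, SYN)
    for port in (22, 80):                            # open ports: handshake completed, then reset
        add("198.51.100.9", port, ACK)
        add("198.51.100.9", port, RST | ACK)
    for port in (135, 139, 445, 3389, 5985):         # X-MAS probes
        add("198.51.100.8", port, FIN | PSH | URG)
    for flags in (SYN, ACK, PSH | ACK, FIN | ACK):   # one ordinary HTTPS session
        add("192.0.2.10", 443, flags)
    return pkts


if __name__ == "__main__":
    for src, (technique, ports) in sorted(detect_scans(constructed_capture()).items()):
        print(f"{src}: {technique} scan pattern across {ports} ports")
```

The ordinary HTTPS client is not reported because it touches a single port; a production sensor would also bound the count by a time window per source.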

Port scanning and penetration testing are important parts of the cyber kill-chain that can lead to intrusion, exploitation, privilege escalation, and more. Port scanning is often just one part of the bigger picture in a cyberattack.

When you’re investigating data security incidents, context is key: adding detailed location information to file activity, for example, can help you determine if files are being accessed from a known or unknown location. Varonis Edge adds context from perimeter devices to file server, email, and AD monitoring from Varonis DatAdvantage. It could mean the difference in identifying abnormal – but acceptable – user behaviors or catching a cyberattack in progress.

Get a 1:1 personalized demo to see how Varonis can add context to your data security investigations, and protect against every step of the kill chain.

Kerberos Authentication Explained

According to myth, Kerberos (you might know him as Cerberus) guards the Gates to the Underworld. He’s a big three-headed dog with a snake for a tail and a really bad temper.

In the modern world, MIT Computer Scientists used the name and visual of Kerberos for their computer network authentication protocol. Kerberos uses symmetric key cryptography and requires trusted third-party authorization to verify user identities. Since Kerberos requires 3 entities to authenticate and has an excellent track record of making computing safer, the name really does fit.

What is Kerberos?

Kerberos authentication is currently the default authorization technology used by Microsoft Windows, and implementations of Kerberos exist in Apple OS, FreeBSD, UNIX, and Linux.

Microsoft introduced their version of Kerberos in Windows 2000. It has also become a standard for websites and Single-Sign-On implementations across platforms. The Kerberos Consortium maintains Kerberos as an open-source project.

Kerberos is a vast improvement on previous authorization technologies. The strong cryptography and third-party ticket authorization make it much more difficult for cybercriminals to infiltrate your network. It is not totally without flaws, and in order to defend against those flaws, you need to first understand them.

Kerberos has made the internet and its denizens more secure, and enables users to do more work on the Internet and in the office without compromising safety.

What is the difference between Kerberos and NTLM?

Before Kerberos, Microsoft used an authentication technology called NTLM. NTLM stands for NT LAN Manager and is a challenge-response authentication protocol. The target computer or domain controller challenges and checks the password, and stores password hashes for continued use.

The biggest difference between the two systems is the third-party verification and stronger encryption capability in Kerberos. This extra step in the process provides a significant additional layer of security over NTLM.

NTLM systems can get hacked in a matter of hours these days: it’s simply older technology, and you shouldn’t rely upon NTLM to protect sensitive data.

How do you authenticate with Kerberos?

Here are the most basic steps taken to authenticate in a Kerberized environment.

  1. Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC)
  2. The KDC verifies the credentials and sends back an encrypted TGT and session key
  3. The TGT is encrypted using the Ticket Granting Service (TGS) secret key
  4. The client stores the TGT and when it expires the local session manager will request another TGT (this process is transparent to the user)

If the Client is requesting access to a service or other resource on the network, this is the process:

  1. The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access
  2. The KDC verifies the TGT of the user and that the user has access to the service
  3. TGS sends a valid session key for the service to the client
  4. Client forwards the session key to the service to prove the user has access, and the service grants access.
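Both step lists above, run end to end as a small simulation that shows which key protects each message. This is an added example, not code from the original article or from any Kerberos implementation: the cipher is a toy stand-in for AES, the password-to-key derivation is simplified, and the user, SPN, ACL and function names are hypothetical.

```python
import hashlib
import hmac
import json
import os
import time


def _stream(key, nonce, n):
    """Keystream for the toy cipher below (SHA-256 in counter mode)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object. Toy stand-in for the AES encryption Kerberos uses."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()   # toy derivation, not Kerberos string-to-key


class KDC:
    def __init__(self, users, services, acl):
        self.users, self.services, self.acl = users, services, acl
        self.tgs_key = os.urandom(32)                    # TGS secret key; never leaves the KDC

    def request_tgt(self, user, preauth):
        unseal(self.users[user], preauth)                # verify credentials: only the right key opens this
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "session": session, "expires": time.time() + 36000})
        return tgt, seal(self.users[user], {"session": session})

    def request_service_ticket(self, tgt, authenticator, spn):
        t = unseal(self.tgs_key, tgt)                    # only the KDC can read or issue a TGT
        if t["expires"] < time.time():
            raise PermissionError("TGT expired")
        if unseal(bytes.fromhex(t["session"]), authenticator)["user"] != t["user"]:
            raise PermissionError("authenticator does not match TGT")
        if spn not in self.acl.get(t["user"], ()):       # access check from step 2 (the ACL is an assumption)
            raise PermissionError("user may not use " + spn)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.services[spn], {"user": t["user"], "spn": spn, "session": svc_session})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})


def service_accept(service_key, spn, ticket, authenticator):
    """The service checks the ticket with its own key only; it does not call the KDC."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if t["spn"] != spn or a["user"] != t["user"]:
        raise PermissionError("ticket not valid for this service")
    return t["user"]


def run_exchange(typed_password, spn="cifs/files01"):
    """Constructed scenario: user alice and one file service. Returns the user the service accepted."""
    service_key = os.urandom(32)
    kdc = KDC(users={"alice": key_from_password("correct horse")},
              services={"cifs/files01": service_key},
              acl={"alice": {"cifs/files01"}})
    my_key = key_from_password(typed_password)
    # Authentication: the client proves knowledge of its key and receives the TGT
    tgt, sealed = kdc.request_tgt("alice", seal(my_key, {"ts": time.time()}))
    session = bytes.fromhex(unseal(my_key, sealed)["session"])
    # Service access: TGT plus SPN go to the TGS, the resulting ticket goes to the service
    ticket, sealed = kdc.request_service_ticket(tgt, seal(session, {"user": "alice"}), spn)
    svc_session = bytes.fromhex(unseal(session, sealed)["session"])
    return service_accept(service_key, spn, ticket, seal(svc_session, {"user": "alice"}))


if __name__ == "__main__":
    print("service accepted:", run_exchange("correct horse"))
```

The client carries the TGT and the service ticket without being able to read either, since they are sealed with keys it never holds; the service's trust in a ticket rests entirely on the secrecy of its own key.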

Can Kerberos Be Hacked?

Yes. Because it is one of the most widely used authentication protocols, hackers have developed several ways to crack into Kerberos. Most of these hacks take advantage of a vulnerability, weak passwords, or malware – sometimes a combination of all three. Some of the more successful methods of hacking Kerberos include:

  • Pass-the-ticket: the process of forging a session key and presenting that forgery to the resource as credentials
  • Golden Ticket: A ticket that grants a user domain admin access
  • Silver Ticket: A forged ticket that grants access to a service
  • Credential stuffing / Brute force: automated continued attempts to guess a password
  • Encryption downgrade with Skeleton Key Malware: A malware that can bypass Kerberos, but the attacker must have Admin access
  • DCShadow attack: a new attack where attackers gain enough access inside a network to set up their own DC to use in further infiltration

Is Kerberos Obsolete?

Kerberos is far from obsolete and has proven itself an adequate security-access control protocol, despite attackers’ ability to crack it. The primary advantage of Kerberos is the ability to use strong encryption algorithms to protect passwords and authentication tickets. With today’s computers, any brute force attack of the AES encryption protocol used by the current version of Kerberos will take longer than this solar system has left to survive. Suffice to say: Kerberos is going to be around for a while in one form or another.

What is going to replace Kerberos?

There are no real contenders to replace Kerberos in the pipeline. Most of the advancements in security are to protect your password or provide a different method of validating who you are to Kerberos. Kerberos is still the back-end technology. Kerberos excels at Single-Sign-On (SSO), which makes it much more usable in a modern internet-based and connected workplace. With SSO you prove your identity once to Kerberos, and then Kerberos passes your TGT to other services or machines as proof of your identity.

The weakest link in the Kerberos chain is the password. Passwords can be brute-force cracked or stolen by phishing attacks. For this reason, Multi-Factor Authentication (MFA) is becoming more popular to protect online identities. With MFA, you need the password and something else – a randomized token, mobile phone, email, thumbprint, retina scan, facial recognition, etc. – to prove that you are in fact who you are telling Kerberos you are.

How does Varonis monitor Kerberos?

Varonis monitors Active Directory domains for Kerberos attacks, privilege escalations, brute force attacks, and more. Our security analytics combines user events, security events, and perimeter telemetry – to detect and alert on potential attacks and security vulnerabilities.

Sample Varonis threat models that help detect Kerberos attacks include:

  • Potential pass-the-ticket attack: access to a resource was requested without proper authentication, bypassing the Kerberos protocol.
  • Failed privilege escalation detected via vulnerability in Kerberos: an attacker tried to elevate their privileges via Kerberos vulnerability.
  • Potential brute-force attack targeting a specific account: an unusual amount of authentication failures from a single IP address by a single user has occurred.
  • Security certificate activity by non-administrators: Activity was detected on certification files by a user who is not an administrator – potentially indicating an attacker trying to steal signatures.
  • …and that’s just the beginning!

Discover how Varonis detects Kerberos attacks for real with a 1:1 demo today – and get in touch to learn more about our threat models.

Kerberos Attack: Silver Ticket Edition

With a name like Silver Ticket, you might think it’s not as scary as its cousin the Golden Ticket – you’d be horribly mistaken. A Silver Ticket is just as nasty and invasive, and even stealthier.

Important technical note: Kerberos uses authentication tokens, or tickets, to verify identities of Active Directory entities. This includes users, service accounts, domain admins, and computers. All of those entities have a password in Active Directory (AD), even though you might not have actually created or changed it manually.

What is a Silver Ticket?

A Silver Ticket is a forged service authentication ticket.

A hacker can create a Silver Ticket by cracking a computer account password and using that to create a fake authentication ticket. Kerberos allows services (low-level Operating System programs) to log in without double-checking that their token is actually valid, which hackers have exploited to create Silver Tickets.

If you really want to deep dive into Kerberos authentication hacking, Sean Metcalf gave an excellent talk at BlackHat a few years ago. In the simplest terms, a Silver Ticket is a forged authentication ticket that allows you to log into some accounts.

Silver Tickets are harder to detect than Golden Tickets because there is no communication between the service and the DC – and any logging is local to the targeted computer.

Usually Kerberos tickets are verified by the 3rd party Privileged Account Certificate (PAC). Service accounts, for some reason, aren’t always checked, which is ultimately what makes this attack work. Services are low-level applications like CIFS, Windows Firewall, or Print Spooler.

With a Silver Ticket in hand, hackers can use a pass-the-ticket technique to elevate either their access or use the service’s privileges to obtain further access. While more limited than Golden Tickets, with a little modern ingenuity, an attacker can still use a Silver Ticket to do some major infiltration.

How a Silver Ticket Attack works

Silver Tickets bypass the Kerberos authentication to the DC.

What Can Attackers Do With a Silver Ticket?

Let’s imagine that an attacker jacked your domain with a Golden Ticket. Despite best efforts to clean up after the attack, the attacker still has access to one computer, and they have PowerShell.

This is what can happen next:

  1. The attacker uses a couple of hacking tools to export the hash of a computer account password
  2. They crack the CIFS service account password to log into the CIFS service account
  3. With the CIFS service account, they steal the SYSVOL directory from C$
  4. They use the files in SYSVOL to access the HOST service account password hash
  5. They crack the HOST service account password
  6. Then they use the cracked service account to create a new scheduled task on the computer
  7. Which allows them to grab the hash of the KRBTGT account
  8. And then they create… Another Golden Ticket!

If you thought changing all the user passwords, all the service account passwords, and the KRBTGT password twice was enough to recover from the first Golden Ticket attack…now you get to do it all over again.

Another important technical note: This is a major oversimplification – if you want to play with this technique, you can do so on your own.

How to Defend Yourself from a Silver Ticket Attack

How to defend your network from a Silver Ticket attack.

  • Patch all servers and images for CVE-2014-6324
    • This is the vulnerability that lets a Silver Ticket become a Domain Admin account
  • Set all admin and service accounts to “Sensitive and cannot be delegated”
    • This will prevent an attacker from lateral movement by delegating their hacked account to other services or computers
  • Make sure that computer accounts are not members of administrator groups
  • Change computer account passwords every 30 days
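Three of the four items in the list above can be checked from an export of account attributes. The following is an added example, not a Varonis or Microsoft tool: the records are constructed, `memberOf` is assumed to hold plain group names rather than distinguished names, and a user account with a `servicePrincipalName` is assumed to be a service account. The CVE-2014-6324 patch level is not visible in account attributes and is not covered.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented Active Directory flag values)
UF_WORKSTATION_TRUST = 0x1000      # computer account (member workstation or server)
UF_SERVER_TRUST = 0x2000           # computer account (domain controller)
UF_NOT_DELEGATED = 0x100000        # "Account is sensitive and cannot be delegated"

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_COMPUTER_PASSWORD_AGE = timedelta(days=30)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)   # constructed audit date


def from_filetime(ticks):
    """pwdLastSet is stored as 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(moment):
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def audit(accounts, now):
    """Return (account, finding) pairs for accounts that miss a listed mitigation."""
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        groups = set(acct.get("memberOf", ()))
        if uac & (UF_WORKSTATION_TRUST | UF_SERVER_TRUST):
            # Computer accounts: no admin group membership, password rotated within 30 days
            if groups & ADMIN_GROUPS:
                findings.append((name, "COMPUTER_IN_ADMIN_GROUP"))
            if now - from_filetime(acct["pwdLastSet"]) > MAX_COMPUTER_PASSWORD_AGE:
                findings.append((name, "COMPUTER_PASSWORD_OLDER_THAN_30_DAYS"))
            continue
        # Admin and service accounts: must carry the "cannot be delegated" flag
        is_admin = bool(groups & ADMIN_GROUPS)
        is_service = bool(acct.get("servicePrincipalName"))
        if (is_admin or is_service) and not uac & UF_NOT_DELEGATED:
            findings.append((name, "DELEGATION_NOT_BLOCKED"))
    return findings


def constructed_export(now):
    """Constructed sample records, shaped like an attribute export; not real accounts."""
    def days_ago(n):
        return to_filetime(now - timedelta(days=n))
    return [
        {"sAMAccountName": "FILES01$", "userAccountControl": 0x1000,
         "pwdLastSet": days_ago(10), "memberOf": ["Domain Computers"]},
        {"sAMAccountName": "BUILD02$", "userAccountControl": 0x1000,
         "pwdLastSet": days_ago(95), "memberOf": ["Domain Computers", "Domain Admins"]},
        {"sAMAccountName": "svc-sql", "userAccountControl": 0x200,
         "pwdLastSet": days_ago(400), "memberOf": [],
         "servicePrincipalName": ["MSSQLSvc/db01:1433"]},
        {"sAMAccountName": "adm-jane", "userAccountControl": 0x200 | UF_NOT_DELEGATED,
         "pwdLastSet": days_ago(20), "memberOf": ["Domain Admins"]},
        {"sAMAccountName": "bob", "userAccountControl": 0x200,
         "pwdLastSet": days_ago(60), "memberOf": ["Domain Users"]},
    ]


if __name__ == "__main__":
    for name, finding in audit(constructed_export(SAMPLE_NOW), SAMPLE_NOW):
        print(f"{name}: {finding}")
```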

What is Kerberoast?

Kerberoast is a hacking tool that can crack a Kerberos hash using brute force techniques. It can crack an NTLM hash in a few hours and provides the password stored in the hash as a result. Attackers use the cracked hash to progress their Silver Ticket attack.

How Varonis Can Stop Silver Ticket Attacks

Varonis gathers and analyzes activity data from Active Directory, data storage, and the perimeter defenses and analyzes all of this data to detect abnormal behavior and track behavior patterns that could be cyberattacks.

Varonis security analytics discover many kinds of attacks and alert on abnormal activity throughout the kill chain – including lateral movement and privilege escalation, which are key activities in a Silver Ticket attack.

Attackers will use computer accounts to access services or computers to gather data files or scout for their next foothold.

Varonis Threat Model: Abnormal computer behavior: computer account attempted to access a personal device for the first time

How it works: A computer account is trying to access a personal device, which is certainly not expected behavior of any computer account
What it means: This means that an attacker is using a computer account to move around the network, probably looking for greater privileges to steal
Where it works: Directory Services

To create the Silver Ticket, the attacker will need to use one of the aforementioned hacking tools. Varonis maintains a database of known hacking tools – and can alert you when an attacker accesses one of them.

Varonis Threat Model: Penetration testing and hacking tools accessed

How it works: Someone accessed a tool used by hackers or pentesters on monitored data storage. Attackers may use file servers to create Silver Tickets, and if they use a file that is in our database Varonis will trigger an alert.
What it means: 99.9% of users have no reason to run mimikatz or kerberoast. If someone is using tools like that on your data storage, it’s a good indication that there’s an attack in progress.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS

Since the attackers are using Silver Tickets, they will be using service accounts to gather data. Varonis is able to automatically discover accounts and categorize all accounts as user, service, privileged, or executive. Varonis analyzes activity for each of these categories differently and compares current activity to past behaviors.

Varonis Threat Model: Abnormal service behavior: access to atypical files

How it works: Service accounts are expected to repeat the same activity over and over again, so when service accounts access different data this alert is triggered.
What it means: Someone is using this service account incorrectly, and it could be an attacker.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, One Drive, Dell FluidFS

Getting notice of a potential attacker inside your network is key to preventing data breaches and responding to the cyberattack before they can steal data: Varonis can help investigate anomalies, reduce security vulnerabilities, and prevent future attacks.

Get a free risk assessment to see where you may be vulnerable to security breaches, including a Silver Ticket or pass-the-hash attack – and sign up for a 1:1 demo to see how to detect abnormal behavior that indicates an attack-in-progress, and defend against cybersecurity threats.

What is DCOM (Distributed Component Object Model)?

DCOM is a programming construct that allows a computer to run programs over the network on a different computer as if the program was running locally. DCOM is an acronym that stands for Distributed Component Object Model. DCOM is a proprietary Microsoft software component that allows COM objects to communicate with each other over the network. (Network OLE was the precursor to DCOM if anyone remembers seeing that in Windows 3.1.)

An extension of COM, DCOM solves a few inherent problems with the COM model so that it works better over a network:

Marshalling: Marshalling solves a need to pass data from one COM object instance to another on a different computer – in programming terms, this is called “passing arguments.” For example, if I wanted Zaphod’s last name, I would call the COM Object LastName with the argument of Zaphod. The LastName function would use a Remote Procedure Call (RPC) to ask the other COM object on the target server for the return value for LastName(Zaphod), and then it would send the answer – Beeblebrox – back to the first COM object.

Distributed Garbage Collection: Designed to scale DCOM in order to support high volume internet traffic, Distributed Garbage Collection also addresses a way to destroy and reclaim completed or abandoned DCOM objects to avoid blowing up the memory on webservers. In turn, it communicates with the other servers in the transaction chain to let them know they can get rid of the objects related to a transaction.

Using DCE/RPC as the underlying RPC mechanism: To achieve the previous items and to attempt to scale to support high volume web traffic, Microsoft implemented DCE/RPC as the underlying technology for DCOM – which is where the D in DCOM came from.

How Does DCOM Work?

In order for DCOM to work, the COM object needs to be configured correctly on both computers – in our experience they rarely were, and you had to uninstall and reinstall the objects several times to get them to work.

The Windows Registry contains the DCOM configuration data in 3 identifiers:

  • CLSID – The Class Identifier (CLSID) is a Global Unique Identifier (GUID). Windows stores a CLSID for each installed class in a program. When you need to run a class, you need the correct CLSID, so Windows knows where to go and find the program.
  • PROGID – The Programmatic Identifier (PROGID) is an optional identifier a programmer can substitute for the more complicated and strict CLSID. PROGIDs are usually easier to read and understand. A basic PROGID for our previous example could be Hitchiker.LastName. There are no restrictions on how many PROGIDs can have the same name, which causes issues on occasion.
  • APPID – The Application Identifier (APPID) identifies all of the classes that are part of the same executable and the permissions required to access it. DCOM cannot work if the APPID isn’t correct. You will probably get permissions errors trying to create the remote object, in my experience.

A basic DCOM transaction looks like this:

  1. The client computer requests the remote computer to create an object by its CLSID or PROGID. If the client passes the APPID, the remote computer looks up the CLSID using the PROGID.
  2. The remote machine checks the APPID and verifies the client has permissions to create the object.
  3. DCOMLaunch.exe (if an exe) or DLLHOST.exe (if a dll) will create an instance of the class the client computer requested.
  4. Communication is successful!
  5. The Client can now access all functions in the class on the remote computer.

If the APPID isn’t configured correctly, or the client doesn’t have the correct permissions, or the CLSID is pointing to an old version of the exe or any other number of issues, you will likely get the dreaded “Can’t Create Object” message.

DCOM vs. CORBA

Common Object Request Broker Architecture (CORBA) is a Java-based application and functions basically the same as DCOM. Unlike DCOM, CORBA isn’t tied to any particular Operating System (OS), and works on UNIX, Linux, SUN, OS X, and other UNIX-based platforms.

Neither proved secure or scalable enough to become a standard for high volume web traffic. DCOM and CORBA didn’t play well with firewalls, so HTTP became the default standard protocol for the internet.

Why is DCOM necessary?

DCOM didn’t win the battle to become the standard protocol for the internet, but it remains integrated into the Windows OS and is how many Windows services communicate – like Microsoft Management Console (MMC).

Since DCOM can run programs on other computers, hackers can leverage it for lateral movement attacks through your network, gaining access to more data. This activity can be difficult to detect because it’s not malware or hacker tools: all it takes to access DCOM is PowerShell.

The good news: even if the hacker can access your sensitive data using DCOM, Varonis will help detect (and stop them) as they try to access your data. Varonis monitors the activity on your core data stores, and analyzes that activity for abnormal user behavior and suspicious activity. See how Varonis fits into your data security strategy with a customized 1:1 demo.

Endpoint Detection and Response (EDR): Everything You Need to Know

Endpoints are a favorite target of attackers – they’re everywhere, prone to security vulnerabilities, and difficult to defend. 2017’s WannaCry attack, for example, is reported to have affected more than 230,000 endpoints across the globe.

What is Endpoint Detection and Response (EDR)?

Endpoint detection and response (EDR) platforms are solutions that monitor endpoints (computers on the network, not the network itself) for suspicious activity. The term was coined by Gartner analyst Anton Chuvakin in 2013, and EDR solutions focus on end-user devices – laptops, desktops, and mobile devices.

EDR solutions provide visibility and monitoring for suspicious activity like malware and cyberattacks on those end-user devices.

Why is EDR Important?

Every device that connects to a network is a potential attack vector for cyberthreats, and each of those connections is a potential entry point to your data. With the rise of BYOD (bring your own devices), mobile attacks and sophisticated hacking techniques have only increased your risk of data breaches.

EDR solutions help protect those points of entry into your network by monitoring your endpoints for many modern threats that anti-virus software is unable to detect.

EDR solutions can help monitor and protect against Advanced Persistent Threats (APT), which often use malware-free hacking techniques and security vulnerabilities to gain access to a network. Older anti-virus software is able to detect malware only when there is a matching signature, and is unable to determine that an attacker has access to a computer just by monitoring their activity.

Endpoint security is not just an enterprise tool: there are consumer versions of EDR out there these days as well. A few ways endpoint security differs between consumers and enterprises:

  • Remote management and central storage:
    • Enterprises typically provide remote management options so security administrators can configure the appropriate settings. Each endpoint sends audit data to a central repository for audit and analysis.
    • Consumers don’t need the same centralized administration.
  • Auto-updates vs. distributed patches:
    • Enterprises need to adhere to change management processes, which requires the enterprise to distribute patches during those windows.
    • Consumers usually allow the EDR to auto-update per the vendor’s release schedule.

9 Elements of EDR Solutions

Endpoint detection and response solutions can have a range of features – but there are a set of core elements that are essential to EDR:

  1. Console Alerting and Reporting: A role-based console that provides visibility into the organization’s endpoint security status
  2. EDR Advanced Response: Advanced analysis and response capabilities of EDR solutions, including automation and detailed forensics about security incidents
  3. EDR Core Functionality: The capability to detect and report on security threats and vulnerabilities on the endpoint
  4. EPP Suite: Basic functionality that was available in the previous generation of endpoint security software including anti-malware, anti-phishing, and anti-exploit capabilities
  5. Geographic Support: An EDR vendor’s capability to support a global enterprise – because information security is mission critical
  6. Managed Services: The EDR’s ability to feed data to a Managed Security Service or Managed Detection and Response vendor to further augment the security team’s capabilities
  7. OS Support: In order to be effective, an EDR needs to support all of the operating systems in use by your organization.
  8. Prevention: It’s not enough to simply detect a threat – effective EDRs need to provide preventative measures as well, to help mitigate and enable teams to take action.
  9. Third-Party Integration: A comprehensive data security strategy often requires integrating with multiple products: EDRs should have APIs or built-in integrations with other solutions to complement and deliver on a layered security approach.

Endpoint Security vs. Anti-Virus Software

As noted in the list above, anti-malware is still a key component of EDR solutions. Older generations of anti-virus software detect threats by a signature, needed in advance in order to be able to detect the malware. The next generation of EDR solutions includes predictive analysis and advanced threat detection to better protect users.

Additional features found in EDR solutions that are not included in traditional AV solutions include:

  • Malware removal based on matching signatures and analytics
  • Antispyware protection
  • Local firewall
  • Intrusion detection and intrusion prevention warning systems
  • Application control and user management
  • Data control, including portable devices
  • Full Disk Encryption
  • Data Leak Prevention
  • Application Whitelisting

While an EDR solution protects the endpoints on your network, they’re limited in what type of activity they can monitor and limited in what type of malware or cyberattacks they can detect. Varonis is designed to protect enterprise data from zero-day attacks beyond the endpoint – putting perimeter telemetry in context with file activity and user behavior from your core data stores.

Some behaviors that might look normal on an endpoint – a user logging in with a valid username and password, for example – wouldn’t necessarily raise a red flag with an EDR alone. However, that login might be suspicious if the same account logs in from multiple locations within a short time. Varonis DatAlert and Edge analyze file activity, user events, and perimeter telemetry to identify abnormal behavior, so that even seemingly harmless activity is considered in context to get the bigger picture.
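The multiple-locations check described above can be sketched as a per-user sliding window over authentication events. This is an added example, not Varonis code: the event format, the function name `multi_location_logins`, the one-hour window and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events: (ISO timestamp, user, source location, result).
# All names, locations and times are illustrative, not taken from a real log.
SAMPLE_EVENTS = [
    ("2024-03-04T08:01:00", "alice", "New York, US", "success"),
    ("2024-03-04T08:03:00", "bob", "Austin, US", "success"),
    ("2024-03-04T08:20:00", "alice", "Sao Paulo, BR", "success"),
    ("2024-03-04T08:25:00", "alice", "Frankfurt, DE", "failure"),
    ("2024-03-04T08:40:00", "alice", "Frankfurt, DE", "success"),
    ("2024-03-04T12:30:00", "bob", "Austin, US", "success"),
    ("2024-03-04T17:45:00", "bob", "Denver, US", "success"),
]


def multi_location_logins(events, window=timedelta(hours=1), max_locations=1):
    """Return alerts for users whose successful logins come from more than
    max_locations distinct locations inside a sliding time window."""
    recent = defaultdict(deque)   # user -> (time, location) pairs still inside the window
    alerts = []
    for ts, user, location, result in sorted(events):
        if result != "success":   # only logins with valid credentials are of interest here
            continue
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, location))
        while q and now - q[0][0] > window:   # drop logins that aged out of the window
            q.popleft()
        seen = sorted({loc for _, loc in q})
        if len(seen) > max_locations:
            alerts.append({"user": user, "time": ts, "locations": seen})
    return alerts


if __name__ == "__main__":
    for alert in multi_location_logins(SAMPLE_EVENTS):
        print(alert)
```

Each login on its own is valid; only the per-user history across sources makes the pattern visible, which is why bob's two cities five hours apart stay quiet while alice's three within forty minutes do not.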

See how EDR and Varonis can work together – click here for a 1:1 demo and see how a layered security strategy works in your environment.

NIST 800-171: Definition and Tips for Compliance

Do you or does a company you work with deal with the Federal Government? The National Institute of Standards and Technology (NIST) has some important information regarding your important information.

NIST 800-171, interchangeably referred to as NIST SP 800-171, went into full effect December 31, 2017. Even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines.

What is NIST 800-171?

NIST itself is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal agencies on many topics – including cybersecurity. NIST 800-171, a companion document to NIST 800-53, dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI) – it’s designed specifically for non-federal information systems and organizations.

NIST SP 800-171 began its life as Executive Order 13556 signed by President Obama in 2010, directing all Federal agencies to safeguard their CUI and establishing a unified policy for all agencies to follow for data sharing and transparency.

After a few data breaches in Federal agencies – USPS, NOAA, and OPM – NIST and the Federal government started to focus more on cybersecurity: in 2014 Congress passed FISMA, NIST followed up with NIST 800-53, and later, NIST 800-171.

What’s the Purpose of NIST 800-171?

NIST 800-171 standardizes how federal agencies define CUI: data that is private and sensitive but not classified per federal law. We aren’t talking about the list of BlackOps operating in enemy territories – different laws govern national security stuff – but data that is covered by SOX or HIPAA, for example. Each agency is responsible for providing the details of what kind of data is CUI to the National Archives and Records Administration, the agency charged with enforcement of EO 13556.

NIST SP 800-171 controls apply to federal government contractors and sub-contractors. If you or another company you work with has a contract with a federal agency, you must be compliant with this policy. Federal agencies may include specific requirements in their contracts; however, if you don’t have those clauses in your contract, that won’t stop NIST 800-171 from applying to your agreements.

Here are a few agencies or organizations that need to comply with NIST 800-171.

  • Contractors for Department of Defense (DoD)
  • Contractors for General Services Administration (GSA)
  • Contractors for National Aeronautics and Space Administration (NASA)
  • Universities and research institutions supported by federal grants
  • Consulting companies with federal contracts
  • Service providers for federal agencies
  • Manufacturing companies supplying goods to federal agencies

Like NIST 800-53, NIST 800-171 provides a list of controls that explain the compliance requirements.

  1. Access Control (Who has access and are they supposed to?)
  2. Awareness and Training (Did you train your staff about CUI?)
  3. Audit and Accountability (Do you know who is accessing CUI?)
  4. Configuration Management (Are you following the RMF guidelines to maintain secure configurations and manage change?)
  5. Identification and Authentication (Are you managing and auditing access to CUI?)
  6. Incident Response (What happens when there is a data breach?)
  7. Maintenance (See #4)
  8. Media Protection (How are backups, external drives, and retired equipment handled?)
  9. Physical Protection (Who can access the place where your CUI lives?)
  10. Personnel Security (Is your staff trained to identify insider threats?)
  11. Risk Assessment (Have you done a risk assessment? Do you have scheduled pentesting exercises?)
  12. Security Assessment (How do you verify the security procedures are in place?)
  13. System and Communications Protection (Are your communications channels secure?)
  14. System and Information Integrity (Is the process to address new vulnerabilities or system down situations defined?)

Benefits of NIST 800-171

Some of the benefits of implementing the NIST 800-171 controls include:

Varonis helps maintain compliance with NIST 800-171: the Data Classification Engine is the first step to identify and classify your CUI across your core data stores (including email). DatAdvantage helps map folders and permissions, with full reporting and auditing on who can (and who should) access that data, while DataPrivilege enables data owners to manage and audit access to their data. Automation Engine streamlines the process to remove Global Access Groups, and Data Transport Engine can quarantine, migrate, or delete unsecured CUI.

NIST 800-171 Compliance Best Practices

Not only is it important to be compliant, but you need to be able to demonstrate compliance to avoid having contracts revoked or fines levied. Follow these steps to get started:

  1. Define what CUI you have to manage. You might have guidance from the agency you work with, but you might also have to figure out what applies to you on your own. Even if you have no guidance, you should identify and classify all possible PII so you can secure and protect sensitive data from data breaches. Examples of CUI: Social security numbers, bank routing numbers or account numbers, credit card numbers, permanent resident status.
  2. Map your folders and permissions and implement a least privilege model for your data. NIST requires that you manage who can access CUI: implement a least privilege model to get there, and make sure you can report on who can – and who does – access CUI data.
  3. Audit and alert on changes made to your CUI. NIST requires that you monitor CUI and respond to security incidents. Make sure you can audit all activity on your CUI data, and alert on abnormal activity.

Get in touch with our Federal Team to see how Varonis maps to NIST in your environment – and how Varonis helps you get to (and maintain) NIST compliance.
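For step 1 of the list above (identify and classify), a pattern match alone produces many false hits, so a classifier should validate each candidate with the checksum or issuance rules of its format. The sketch below is an added example, not the Varonis Data Classification Engine; the function names and the sample text are constructed, and it covers only three of the CUI examples the step names.

```python
import re

# Constructed sample text; every identifier below is a made-up test value.
SAMPLE = """\
Employee SSN: 123-45-6789 (payroll), old placeholder 000-12-3456
Card on file 4111 1111 1111 1111, mistyped as 4111 1111 1111 1112
ACH routing 123456780, internal ticket 987654321
"""

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing number checksum: weights 3, 7, 1 repeated over nine digits."""
    weights = (3, 7, 1) * 3
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0

def ssn_ok(area, group, serial):
    """Reject SSN ranges that are never issued (area 000/666/9xx, group 00, serial 0000)."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# (label, candidate pattern, validator applied to each regex match)
PATTERNS = [
    ("ssn", re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), lambda m: ssn_ok(*m.groups())),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), lambda m: luhn_ok(re.sub(r"\D", "", m.group()))),
    ("bank_routing", re.compile(r"\b\d{9}\b"), lambda m: aba_ok(m.group())),
]

def classify(text):
    """Return (line_number, label, matched_text) for each validated hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern, valid in PATTERNS:
            hits += [(lineno, label, m.group()) for m in pattern.finditer(line) if valid(m)]
    return hits

if __name__ == "__main__":
    for hit in classify(SAMPLE):
        print(hit)
```

The placeholder SSN, the mistyped card number and the nine-digit ticket number all match a pattern but fail validation, so they are not reported.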