MI6 Boss: Digital Attack Surface Growing “Exponentially”

One of the UK’s top spymasters has revealed that MI6 is pursuing partnerships with the technology industry to tackle the challenges posed by nation-states, cyber-criminals and global terrorists.

Head of the Secret Intelligence Service (SIS), Richard Moore, explained in a rare speech yesterday that, unlike the character Q from the James Bond films, the service cannot source all of its tech capabilities in-house.

“Through the National Security Strategic Investment Fund we are opening up our mission problems to those with talent in organizations that wouldn’t normally work with national security,” he added.

“I cannot stress enough what a sea-change this is in MI6’s culture, ethos and way of working, since we have traditionally relied primarily on our own capabilities to develop the world class technologies we need to stay secret and deliver against our mission.”

These partnerships will increasingly be needed in areas such as artificial intelligence (AI), quantum computing and synthetic biology, into which adversaries are “pouring money and ambition” to gain leverage, Moore warned.

New tech capabilities will help address MI6’s four key priorities: Russia, China, Iran and global terrorism. It’s a challenge made more acute as technology rapidly advances, he said.

“The ‘digital attack surface’ that criminals, terrorists and hostile state threats seek to exploit against us is growing exponentially. We may experience more technological progress in the next ten years than in the last century, with a disruptive impact equal to the industrial revolution,” Moore argued.

Much of his speech was focused on China, whose intelligence services Moore claimed were “highly capable” and both monitor foreign targets and aim to influence the Chinese diaspora.

Moore called out China’s growing disinformation operations via social media and its attempts to draw smaller nations into its sphere of influence via “debt traps” and “data exposure.”

He also warned that the country was increasingly exporting “Made in China” surveillance technology to create a “web of authoritarian control” around the planet.

James Griffiths, technical director of consultancy Cyber Security Associates, argued that technology like big data analytics could be a “force multiplier” in helping to automate key tasks and make intelligence analysts more productive.

“MI6 is very good at what it does within its own intelligence remit. It has also positively identified that to be the best across the board it needs to leverage the skillset of other organizations that are specialists in key areas, for example AI, machine learning, quantum cryptography,” he added.

“By leveraging and working in partnership with these organizations, MI6 will increase its overall effectiveness and the wider intelligence community as a whole.”

HP Printer Hijack Bugs Impact 150 Models

Security researchers have discovered two vulnerabilities in multi-function printers (MFPs) which impacted 150 product models.

F-Secure security consultants Timo Hirvonen and Alexander Bolshev have written up their findings in a detailed report, Printing Shellz.

Specifically, they found a physical access port vulnerability (CVE-2021-39237) and a font parsing bug (CVE-2021-39238) in HP’s MFP M725z device. They turned out to affect scores more products in the FutureSmart line dating back to 2013.

CVE-2021-39238 is the more dangerous of the two as it can be exploited remotely, potentially by tricking an employee into visiting a malicious website, to conduct a “cross-site printing” attack. Here, the website would automatically print a document containing a maliciously crafted font on a vulnerable MFP, said F-Secure.

This would allow an attacker to execute arbitrary code on the machine to steal any printed, scanned or faxed information, including device passwords.

The report claimed that it could also enable attackers to launch deeper attacks into the corporate network to spread ransomware, steal data from more sensitive data stores and achieve other goals.

The bugs are also wormable, meaning multiple MFPs on the same network could be automatically impacted.

“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization’s infrastructure and operations,” explained F-Secure’s Hirvonen.

“Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research.”

HP has issued patches for the vulnerabilities, which are rated “medium” severity (CVE-2021-39237) and “critical” severity (CVE-2021-39238).

Although they’re only thought to be exploitable by advanced targeted attackers, enterprises were urged to patch them as soon as possible.

Organizations Now Have 76 Security Tools to Manage

Organizations are presenting their attackers with an open goal because of tool bloat, a lack of visibility into key assets, and misplaced confidence in their security controls, according to Panaseer.

The security vendor polled 1,200 US and UK enterprise security decision-makers from various industries to compile its Panaseer 2022 Security Leaders Peer Report.

It found that the shift to cloud and remote working has driven a 19% increase over the past two years in the number of security tools organizations must manage – from 64 to 76.

This can increase reporting requirements and generate visibility and security controls gaps that are difficult to close.

Only a third (36%) of respondents said they feel very confident in their ability to prove controls were working as intended. By contrast, the vast majority (82%) claimed to have been surprised by a security event, incident or breach that evaded controls thought to be in place.

According to a Gartner poll of senior executives, security controls failures were the number one cited risk in Q1 2021.

Panaseer also found that just two-fifths of security leaders can confidently understand and remediate underperforming controls and track improvement. A majority (60%) of respondents admitted to not being confident in their ability to continuously measure the security controls designed to mitigate ransomware.

Part of the challenge is a lack of insight into key assets such as databases (27%), devices (17%) and IoT endpoints (16%).

The share of time the average security decision-maker spends on generating manual reports for the board has also surged in the past two years – from 40% to 54%.

Panaseer CEO, Jonathan Gill, argued that tool overload has created a major data integration headache for security teams.

“Many organizations try to resolve this with spreadsheets and other in-house solutions that simply increase the reporting and administration burden on precious cybersecurity resources,” he added.

“It’s almost impossible to understand an organization’s assets, the status of controls relating to those assets, and the business context or ownership of the associated vulnerabilities. Most attacks happen despite organizations having invested in controls to defend themselves, but finding those controls were not deployed across all assets as intended.”

For the last decade, digital transformation has been fueled primarily by the adoption of cloud services, which provide unmatched agility and reduced time to market when compared with legacy on-premises infrastructure. Most organizations have invested in public and hybrid cloud architectures to stay competitive, with nearly 94% of organizations using at least one cloud service. The COVID-19 pandemic has only accelerated plans to move to the cloud as security and IT teams scaled to meet the demand for IT resources for a remote workforce.

Agile development practices that emphasize iteration and speed can overwhelm security teams who are not prepared to secure workloads as fast as they are created. This friction between DevOps and SecOps creates bottlenecks and an incentive for development teams to circumvent security and governance processes. As a result, there are often blind spots for security teams tasked with keeping cloud environments secure.

Cloud Misconfigurations on the Rise

Governance of workloads is often performed once when the workload is deployed, or sometimes not at all. And the specific configuration of workloads is inconsistent, with many instances deployed without critical controls. According to the State of Cloud Security 2021 report, misconfigurations remain the number one cause of cloud breaches.

Over 36% of organizations have suffered a cloud security leak or a breach in the last year, and 80% believe they are vulnerable to a breach related to a misconfigured cloud resource.

Under the AWS Shared Responsibility Model, the customer is responsible for configuring resources so that they are secure. While cloud adoption is rising, legacy security tooling designed for on-premises environments has failed to keep up and is not suited for cloud environments. One such technology is traditional vulnerability scanning and assessment tools, which rely heavily on on-premises appliance deployments and bandwidth-heavy scanning. This approach is insufficient for security teams looking to embrace the cloud with the confidence of knowing that their critical applications and services are configured in a secure manner.

Even organizations that have a vulnerability scanning tool deployed to their cloud environments often struggle in three areas:

Observability: ingesting infrastructure vulnerability data and correlating it with EDR telemetry from within the application workload
Operationalization: visualizing the most critical vulnerabilities to prioritize remediation
Actionability: performing remediation across the cloud environment at scale

Cloud-Native Approach to Vulnerability Assessment

Until the launch of Amazon Inspector, vulnerability assessment for AWS workloads was not straightforward.

Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. With a few clicks in the AWS management console, you can enable Inspector across all accounts in your organization. Once enabled, Inspector automatically discovers all running Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (ECR) at any scale and immediately starts assessing them for known vulnerabilities.

An Inspector risk score is created for each finding by correlating Common Vulnerabilities and Exposures (CVE) information with factors such as network access and exploitability. This score is used to prioritize the most critical vulnerabilities to help increase remediation response efficiency.

All findings are aggregated in a newly designed Inspector console and pushed to AWS Security Hub and Amazon EventBridge to automate workflows. Vulnerabilities found in container images are sent to Amazon ECR for resource owners to view and remediate. With Inspector, even small security teams and developers can ensure infrastructure workload security and compliance across your AWS workloads.

Inspector creates a list of prioritized findings for security teams to prioritize remediation based on the impact and severity of vulnerabilities. These reports can provide valuable insights into opportunities for security and cloud teams to reduce their overall cloud attack surface.

SentinelOne Integration for Amazon Inspector

Today, we are delighted to introduce the SentinelOne Integration for Amazon Inspector, which provides support for Amazon Inspector findings with the SentinelOne Data Platform. The SentinelOne Data Platform is a massively scalable, cloud-native logging and analytics platform built on AWS that is designed to ingest, normalize, correlate, and action limitless datasets.

SentinelOne integrates with Amazon Inspector to provide unified visibility of vulnerabilities within AWS infrastructure. SentinelOne ingests Amazon Inspector findings from Amazon EventBridge and correlates them against logs from additional security and DevOps data sources. The SentinelOne Data Platform provides powerful querying and threat hunting features to make searching and pivoting within the datasets simple for security and cloud teams.

The SentinelOne Data Platform provides powerful querying and threat hunting features

Within SentinelOne, analysts can use prebuilt dashboards to view high priority vulnerabilities from Amazon Inspector. Data from Inspector is enriched with links to view additional information about CVEs from the MITRE National Vulnerability Database. With this data, analysts can view the most common vulnerabilities within their environment, the most severe, and additional context about a given CVE from a single pane of glass.

Sorting and viewing vulnerabilities is easy in Inspector

When a vulnerability needs to be remediated, the SentinelOne Data Platform’s alerting is ready with native support for AWS Lambda, EventBridge, SQS, and SNS — allowing you to not only identify issues quickly but accelerate vulnerability remediation.

By interacting natively with AWS, you can leverage existing remediation patterns and curate them, if needed, to fit your business rules.

Leverage existing remediation patterns to fit your business rules
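The pipeline described above, from an EventBridge rule that selects Inspector findings through prioritization to alert routing, as an added example rather than code from SentinelOne or AWS. It assumes the Inspector2 Finding event layout (source `aws.inspector2`, detail-type `Inspector2 Finding`, and detail fields such as `severity`, `inspectorScore`, `fixAvailable` and `packageVulnerabilityDetails`) as the author understands it; the queue and topic names are placeholders and the two sample findings are constructed. The priority and routing rules are one team's policy layered on top of the Inspector risk score, not Inspector's own logic.

```python
"""Triage Amazon Inspector findings delivered through Amazon EventBridge.

Added example (not SentinelOne's or AWS's code). Field names follow the
Inspector2 Finding event schema as the author understands it; check them
against real events in your account. Destination names are placeholders
and the sample events are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional

# EventBridge rule pattern that selects Inspector findings (assumed schema).
INSPECTOR_EVENT_PATTERN = {"source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"]}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class TriagedFinding:
    finding_arn: str
    resource_id: str
    vulnerability_id: str
    severity: str
    inspector_score: float
    network_reachable: bool
    fix_available: bool
    priority: str   # P1 (most urgent) .. P4, assigned by assign_priority
    route: str      # placeholder name of the SQS/SNS/log destination
    nvd_url: str    # enrichment link of the kind the post describes


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, list] = INSPECTOR_EVENT_PATTERN) -> bool:
    """Approximate EventBridge top-level matching: each pattern key must be
    present in the event with one of the listed values."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def assign_priority(severity: str, score: float, network_reachable: bool) -> str:
    """Inspector's score already folds in exploitability and network access;
    this layer imposes the team's own remediation ordering on top of it."""
    rank = SEVERITY_RANK.get(severity, 0)
    if (rank == 4 or score >= 9.0) and network_reachable:
        return "P1"
    if rank >= 3 or score >= 7.0:
        return "P2"
    return "P3" if rank == 2 else "P4"


def choose_route(priority: str, fix_available: bool) -> str:
    """Pick a downstream target (placeholder names, not real ARNs)."""
    if priority in ("P1", "P2"):
        # A fix exists: hand to the automated patch workflow. No fix: a human
        # must decide on a compensating control, so notify instead.
        return "sqs:patch-remediation-queue" if fix_available else "sns:compensating-control-review"
    return "log:datalake-only"  # retained for hunting, no alert raised


def triage(event: Dict[str, Any]) -> Optional[TriagedFinding]:
    """Normalize one EventBridge event into a flat record; None if the event
    is not an Inspector finding or the finding is no longer active."""
    if not matches_pattern(event):
        return None
    detail = event.get("detail", {})
    if detail.get("status", "ACTIVE") != "ACTIVE":
        return None
    resource = (detail.get("resources") or [{}])[0]
    pkg = detail.get("packageVulnerabilityDetails") or {}
    adjustments = detail.get("inspectorScoreDetails", {}).get("adjustedCvss", {}).get("adjustments", [])
    # Assumption: a NETWORK_REACHABILITY finding, or a score adjustment whose
    # reason mentions network reachability, marks the resource as exposed.
    network_reachable = detail.get("type") == "NETWORK_REACHABILITY" or any(
        "network" in str(adj.get("reason", "")).lower() for adj in adjustments)
    severity = detail.get("severity", "UNTRIAGED")
    score = float(detail.get("inspectorScore", 0.0))
    fix_available = detail.get("fixAvailable") in ("YES", "PARTIAL")
    vuln_id = pkg.get("vulnerabilityId") or detail.get("title", "UNKNOWN")
    priority = assign_priority(severity, score, network_reachable)
    return TriagedFinding(
        finding_arn=detail.get("findingArn", ""),
        resource_id=resource.get("id", ""),
        vulnerability_id=vuln_id,
        severity=severity,
        inspector_score=score,
        network_reachable=network_reachable,
        fix_available=fix_available,
        priority=priority,
        route=choose_route(priority, fix_available),
        nvd_url=f"https://nvd.nist.gov/vuln/detail/{vuln_id}" if vuln_id.startswith("CVE-") else "",
    )


def _finding(**detail: Any) -> Dict[str, Any]:
    """Build a constructed Inspector-shaped event for the samples below."""
    base = {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE",
            "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
            "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1234567890"}]}
    return {"source": "aws.inspector2", "detail-type": "Inspector2 Finding", "detail": {**base, **detail}}


# Constructed samples: an exposed critical with a patch, and a high with none.
SAMPLE_EXPOSED_CRITICAL = _finding(
    severity="CRITICAL", inspectorScore=9.4, fixAvailable="YES",
    packageVulnerabilityDetails={"vulnerabilityId": "CVE-0000-00001"},
    inspectorScoreDetails={"adjustedCvss": {"adjustments": [
        {"metric": "AV", "reason": "Network reachability: port 443 reachable from the internet"}]}})
SAMPLE_HIGH_NO_FIX = _finding(
    severity="HIGH", inspectorScore=7.8, fixAvailable="NO",
    packageVulnerabilityDetails={"vulnerabilityId": "CVE-0000-00002"})

if __name__ == "__main__":
    for sample in (SAMPLE_EXPOSED_CRITICAL, SAMPLE_HIGH_NO_FIX):
        print(triage(sample))
```

The `triage` function is shaped as a Lambda handler would be: one event in, one flat record out, with the routing decision carried in the record so the caller can publish to the named SQS queue or SNS topic. Closed findings and non-Inspector events return `None`, which keeps the EventBridge rule simple and puts the filtering where it can be unit-tested.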

Bridging Workload Protection and Vulnerability Assessment

Vulnerability management is a crucial activity for maintaining good security hygiene. While prioritizing and remediating vulnerabilities will go a long way towards reducing the total attack surface, legacy custom applications lifted and shifted to the cloud may not be able to be updated fast enough to address open vulnerabilities. Regardless of the application, workloads within cloud environments should have measures to protect, detect and respond to active threats from vulnerabilities that may have been exploited.

Cloud VMs, cloud instances, and containers are just as vulnerable to known vulnerabilities, zero-day attacks, and malware as user endpoints. Runtime protection, detection, and response are critical to effective cloud workload security. Singularity Cloud Workload Security includes enterprise-grade protection, EDR, and Application Control to secure your cloud apps wherever they run. Our Linux Sentinel and Windows Server Sentinel deliver runtime security for VMs, and our Kubernetes Sentinel provides runtime security for managed and self-managed Kubernetes clusters.

A single, resource-efficient, Sentinel agent delivers autonomous runtime protection, detection, and response across the hybrid cloud estate. SentinelOne brings runtime security to Amazon EKS, Amazon EKS Anywhere, Amazon ECS, and Amazon ECS Anywhere, with automated kill and quarantine, application control, and complete remote shell forensics.

SentinelOne Singularity uses Behavioral AI to evaluate threats in real-time, delivering high-quality detections without human intervention. Our solution automatically correlates individual events into context-rich Storylines to reconstruct the attack and easily integrates threat intelligence to increase detection efficacy. Analysts can remediate all affected endpoints and cloud workloads with a single click, without the need to write any new scripts, simplifying and reducing mean time to respond.

Preserving the immutable state of production cloud workloads is a key control to protecting them against malware like crypto-jacking coin miners and zero-day attacks. All expected processes are defined within the workload image. When a change is to be made, instead of updating an image already in production, DevOps decommissions the old and releases a new image.

The SentinelOne Application Control Engine prevents your workload from being hijacked by rogue processes by automatically detecting and killing any executable not found in the image, reducing the possibility of a successful vulnerability exploit.
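The immutable-image control described in the two paragraphs above, as an added example that is not SentinelOne's Application Control Engine: the image's executables form an allow-list, and a process whose binary is absent from that list, or whose content no longer matches it, is marked for termination. The image contents, manifest and process-start events are constructed stand-ins; in practice the manifest would be generated when the image is built and replaced whenever a new image is released.

```python
"""Image-manifest allow-listing for workload processes.

Added example, not SentinelOne's engine. It models the control the post
describes: the image defines every expected executable, so a process whose
binary is absent from the manifest, or whose content differs from it, is
treated as rogue. Image contents and process events below are constructed.
"""
import hashlib
from typing import Dict, List, Tuple

ALLOWED, UNKNOWN_BINARY, MODIFIED_BINARY = "ALLOWED", "UNKNOWN_BINARY", "MODIFIED_BINARY"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image_files: Dict[str, bytes]) -> Dict[str, str]:
    """Allow-list derived from the image: executable path -> sha256 of content.
    Releasing a new image (the immutable-workload change process) regenerates it."""
    return {path: sha256_hex(content) for path, content in image_files.items()}


def evaluate(event: Dict[str, object], manifest: Dict[str, str]) -> str:
    """Classify one process-start event against the manifest."""
    expected = manifest.get(str(event["exe"]))
    if expected is None:
        return UNKNOWN_BINARY       # dropped in at runtime, never part of the image
    if expected != event["sha256"]:
        return MODIFIED_BINARY      # known path, but the bytes on disk changed
    return ALLOWED


def enforce(events: List[Dict[str, object]], manifest: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (pid, verdict, action) per event; anything not ALLOWED is killed."""
    decisions = []
    for ev in events:
        verdict = evaluate(ev, manifest)
        decisions.append((int(ev["pid"]), verdict, "allow" if verdict == ALLOWED else "kill"))
    return decisions


# Constructed image contents (stand-ins for real binaries).
IMAGE_FILES = {
    "/usr/sbin/nginx": b"ELF nginx 1.21 (constructed)",
    "/usr/bin/python3": b"ELF python 3.9 (constructed)",
    "/app/run.sh": b"#!/bin/sh\nexec /usr/sbin/nginx -g 'daemon off;'\n",
}
MANIFEST = build_manifest(IMAGE_FILES)

# Constructed process-start events as an agent might observe them: a shipped
# binary, a miner dropped into /tmp, a tampered interpreter, and a shipped script.
PROCESS_EVENTS = [
    {"pid": 101, "exe": "/usr/sbin/nginx", "sha256": MANIFEST["/usr/sbin/nginx"]},
    {"pid": 202, "exe": "/tmp/.x/miner", "sha256": sha256_hex(b"ELF unknown miner (constructed)")},
    {"pid": 303, "exe": "/usr/bin/python3", "sha256": sha256_hex(b"ELF python 3.9 (constructed) + patched")},
    {"pid": 404, "exe": "/app/run.sh", "sha256": MANIFEST["/app/run.sh"]},
]

if __name__ == "__main__":
    for pid, verdict, action in enforce(PROCESS_EVENTS, MANIFEST):
        print(pid, verdict, action)
```

Keying the allow-list on content hash rather than path alone is what catches the third event: the path is legitimate, but the file was altered after deployment, which is exactly the in-place change an immutable workload is meant to rule out.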

With SentinelOne Integration, customers can unify cloud workload protection with vulnerability insights from Amazon Inspector. Context-rich EDR telemetry can be queried alongside vulnerability information from Amazon Inspector, giving security analysts a single dataset for identifying open vulnerabilities and detecting successful vulnerability exploits.

Conclusion

Using SentinelOne Integration to connect Amazon Inspector findings with cloud-native protection for AWS workloads, organizations can use best-in-breed solutions to identify vulnerabilities proactively and to detect and respond to active exploits of vulnerable applications. Together, security and DevOps teams can innovate rapidly and securely, and embrace cloud adoption with confidence.

To learn more about SentinelOne for AWS, visit s1.ai/AWS.