Posts

New Microsoft Exchange Exploit Found in the Wild

Microsoft Exchange

New year, new exploit.

This time, it’s another exploit for Microsoft Exchange Server, and it’s out in the wild being actively used to gain control of unsuspecting organisations’ email servers.

Microsoft Exchange 2013, 2016 and 2019 has an RCE vulnerability (CVE-2022-41082) that allows threat actors to open an elevated remote PowerShell service, and from there, they effectively have the keys to the kingdom. A Ransomware group known as Play has developed an exploit chain that bypasses mitigations that Microsoft had provided for the exploit chain, meaning organisations that have only implemented those but have not yet applied the patch for it needs to do so immediately.

This vulnerability is one of 2 “ProxyNotShell” flaws in Microsoft Exchange Server; the other tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.

Microsoft has previously recommended that organisations apply a blocking rule to prevent attackers from accessing the PowerShell remote service through the Autodiscover endpoint on affected systems. They claim the blocking rule will help prevent known exploit patterns against the “ProxyNotShell” vulnerabilities.

email security

New Exploit Chain Found

The big problem with the above is that an attack method is being observed in the wild that uses a 3rd little-known SSRF bug in Exchange server tracked as CVE-2022-41080 to access the PowerShell remote service via the Outlook Web Access (OWA) front end instead of the Autodiscover endpoint. Microsoft has assigned the bug the same severity rating (8.8) as the SSRF bug in the original “ProxyNotShell” exploit chain. This vulnerability allows attackers to access the PowerShell remote service and use it to exploit CVE-2022-41082 in the same way they could when using CVE-2022-41040. This is a previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint instead of leveraging the Autodiscover endpoint. This new exploit chain involving CVE-2022-41080 and CVE-2022-41082 is known as “OWASSRF”.

The new exploit chain was discovered when investigating several recent Play ransomware intrusions where the initial access vector was via a Microsoft Exchange Server vulnerability. The researchers quickly found that Play ransomware attackers had exploited the “ProxyNotShell” RCE vulnerability CVE-2022-41082 to drop legitimate payloads for maintaining access and performing anti-forensics techniques on compromised Microsoft Exchange Servers.

Patch Now or Disable OWA

So what can you do to mitigate this attack risk? Microsoft themselves advise that “organisations should apply the Nov. 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for “ProxyNotShell” are not effective against this exploit method; if you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied.”

microsoft exchange

What Else Can You Do?

If you still have on-premises / hosted Microsoft Exchange Servers in production, migration to Microsoft 365 should be considered for the longer term. Other practices that can be implemented now to help protect yourself:

  • Disable remote PowerShell for non-administrative users where possible
  • As previously mentioned, apply the KB5019758 patch immediately
  • If, for whatever reason, the patch cannot be installed, disable OWA
  • Implement an EDR tool to help detect web services spawning PowerShell processed; Planet IT recommends the Sophos Intercept X Advanced with EDR product if you have an in-house SOC team to manage it
  • If you don’t have an in-house SOC team, a managed SOC should be seriously considered; Planet IT highly recommends the Sophos MDR service
  • CrowdStrike has released a PowerShell script to help detect signs of exploitation and use it at your own risk.

Reach Out!

If you want to discuss anything within this article or need some advice on what to do next, please reach out via DM on LinkedIn, or email me directly.

Also check our our CyberSecurity page on our website

The 7 Steps Of A Cyber Attack Chain

cyber attack chain

If you have been following our Planet IT webinar series this year (if not, why not? Catch-up HERE), we have been talking through the various critical aspects of protecting a business in 2022 from the modern cyber threats.

In doing so we have referenced the 7 steps of the attack chain. This conceptual idea breaks down the activity of an adversary attacker into 7 clear steps, allowing us to directly reference the techniques, tools and approach used at each stage.

In this article I am going to take a deeper dive into these 7 steps and add some additional information that we don’t always have time to share on our webinars.

 

STEP 1 – Reconnaissance

During this first phase of an attack, our threat actor is looking for a virtual open door, a window left ajar or a poorly trained security guard. In technical terms this looks like a port scan, DNS look up, physical walk around your building. The threat actor is looking for a way in. In most cases they will find this looking for open ports on your wireless network that can be used to access an exposed system which they can use later in the attack chain. However, in this phase it may be as simple as finding on your DNS that you don’t have SPF, DKIM or DMARC configured and that our only email protection is provided by Microsoft or Google as part of your email hosting.

In a physical sense, if the attacker is looking for a way in, they could be outside your office building, completing a wireless scan looking for a network which uses a pre shared key or is open to the public which could easily be leveraged.

Once this stage is complete the threat actor has what they need to begin their attack and move onto the next stage.

 

STEP 2 – Delivery

With the information gained during step 1, the adversary now has all the information to hand to begin their attack. For an email-based attack which will leverage poor inbound security, they may simply deliver an email with a hidden attachment, a special font or a tracker which will give them all the additional information about your system including your endpoint protection, operating system and patch level.

For an attack coming in via an open port, this is when they will use tools to gain access at either code level or even remote desktop level to a system. Looking to gain clear access to a system with admin rights, the delivery step will often include the use of passwords ascertained from the dark web or from shares of other threat actors who have completed steps 1 and 2 before selling the information for gain.

For a wireless, attack a similar approach is taken to the open port however for this the attacker will have to come and either sit near your site in a range of your WiFi or place a device near your building that they can access remotely. The aim for this step for the attacker will be to gain access to the network and find a system which they can then deliver software onto in step 3.

This phase finishes where access to a system has been gained by any method and is ready to deploy their tooling or attack to a device.

 

STEP 3 – Installation

As all three steps begin to merge, the next action for the attacker is to get either the tools they are going to use to take control of the system in steps 4-7 or to have their ransomware, virus or associated malware delivered onto the target system or systems if they intend to have to spread to across the network automatically.

The key to remember is in step 3, no action to trigger an attack has taken place. This is the phase very much like the move before checkmate, the attacker is moving their pieces into place surrounding you ready to press forward.

This step is the last chance to intervene before serious damage is caused by that loss of business, reputation, or finical impacts.

Cybersecurity health check

STEP 4 – Actions On Objectives

This phase is where the attacker gets what they want, however, the end goal for different threat actors will be different. For most, it is to gain Intellectual property which can be used to blackmail a business into paying for its “safe” return. Others will exploit business customer data for sale on the dark web. This may include anything from usernames and passwords to bank details and national insurance numbers. The other side to any attack could be they simply want to hurt the business causing it to fail by removing IT as a function from the business.

During Step 4, this is exactly what a threat actor is doing, getting what they need, taking control and preparing to move into step 5.

 

STEP 5 – Weaponisation

Once we hit step 5, you have lost control of your system. The attacker is in control and they have leveraged their attack to gain whatever their goal was in step 4.

Now they are going to disrupt your business and drop the nasty surprises they have on you.

This is the phase that most unprotected or unskilled business notice an attack, after the adversary has already completed all of the actions and has begun to either encrypt systems, delete system data, delete backups, access or simply corrupt the system to make it unusable.

For most business, this is when a cyber response kicks into full swing with IT professionals scabbling to understand what has happened, where it has come from and how to stop it. If you find yourself in this position, I have some clear advice for you;

  • Disconnect all internet connections to all systems
  • Call your cyber insurance provider before you try to resolve the issue. They will have an approach they want you to follow and not doing so could leave you open to liability.
  • Take a breath. This is going to be a marathon, not a sprint and you need to make level-headed decisions. If you need it, call in external help; even if it’s just to provide a calming voice to those meetings where you will be making critical choices. An external party who are not invested in your business or employed directly by you will aid this process.

 

STEP 6 – Exploitation

At this point the attacker has gained what they wanted from you and may be in control of your IP, your data, or your finances. At this step the exploitation can take many forms and it could be;

  • A ransom note demanding payment for the release of your system or return of your data
  • A threat to release the information to the public showing your breach
  • Sharing this information on the dark web and allowing other threat actors to gain your business data
  • Selling your customer data on the dark web
  • Selling your IP to a rival or leaking it for free online

Only the attacker will know why they completed the previous steps but at this point, they will show their hands if they want either financial gain or if they want to damage your business or reputation. Once we have reached this stage you should be working with your Cyber insurance provider to take the necessary steps.

In most cases paying a ransom won’t get you your data, systems or Intellectual Property back, however some insurance providers will take the risk on the payment.

backup as a service

STEP 7 – Command and Control

If the attacker is not finished with you then step 7 is where they can leverage your network, its devices and its users and systems from their own means.

Think of a Zombie army once you are infected you join the army and become part of the problem. Many attack chains will see your IT systems leveraged to accelerate the attackers next targets and allow them to spread to other systems. During WannaCry, this was one of the main issues. Interconnected systems where getting the Ransomware passed onto them after another. Linked or associated business fell victim and this is why the NHS was affected so badly by the WannaCry outbreak.

 

I hope that the above information helps you understand how the attack chain takes place and the number of steps involved by the attacker when gaining access. If you are reading this and thinking, “how do I protect against each step of the attack?”, then you are in the right terms and you will stand a better chance of protecting your systems.

If you want to talk to one of our experts about how we can help you to avoid being the next victim then please call 01235 433900 or email [email protected]. Alternatively, if you would like to speak to me directly you can reach out to me via DM or at [email protected].

 

Corridor Digital, A Story of skirting over cyber security

CorridorDigital security hack

First of all I want to start by saying I love to watch CorridorCrew by the team over at Corridor Digital on YouTube. I appreciate the skill they have in their respective fields and the work they put into high quality content, I was therefore extremely interested when they uploaded this video (Channel was TERMINATED, we got Hacked (Not Clickbait)). As someone who lives in the Cyber Security space I wanted to know more, however this video only highlighted one thing to me the lack of emphasis in their video on the real issue, their own lack of cyber security.

To summarise the video the Corridor Crew’s YouTube account was compromised and a 3rd party took over their Near 6 Million subscriber page and removed all the videos on the page, replacing the name and starting a live stream of a Crypto mining scam. In the video it is highlighted that a member of the team had full admin rights to the business’s Google account , now to be clear in the video they are vague and say that this persons phone of MFA has also been compromised, but they never expand on this. Following another admin being able to force change passwords and kick all live sessions out and with some support from Google the team manage to restore access and return to function, using their other social media outlets to let fans and followers know what is happening.

Corridor Crew security

 

What did they do wrong?

To me this video highlights a critical issue with business today which is the mentality of it what happen to us and when it does many business chalk it off to a one off event. As a specialist in the field, my concern would not only be what else does access to this account give them, but what other tools or techniques could they have put in place for a second or 3rd wave attack. While taking over a YouTubeChannel for a Crypto scam is far from they most serious of crimes.

A serious though needs to be put to what other data could they have taken or used from this account, could they have got into the business own site and in turn the customer data on it including credit card details. The list goes on but this event cannot be brushed away as well we are back online, the severity of the business failing to take cyber security seriously has to be looked at, they however are not alone.

I am not calling out Corridor Digital for any reason other than they posted this onto YouTube and highlighted the event and therefore are asking for commentary. I do feel it reflects heavily on the general approach to cyber security in business and therefore I yet again employer you to look at your business practices, look at the tools and protections you have in place and ask yourself “Is this enough” .

What tools should they have used?

If you haven’t already secure every online account you have with two factor authentication, and make sure than the second stage authentication is not a text message to your phone or an email back to your main account, you should be using tools with time sensitive codes, physical tokens or bio metrics. This is they minimum protection you should have, it therefore goes without saying that you should always have a secure pin on mobile phones and tablets and that they should also use biometrics for security where possible, companies like Apple and Google spend millions on technology to protect data so leverage them.

What can you do to avoid it happening to you?

In closing I ask you to review your cyber security now! Before it is too late.

If you want to talk to one of our experts about how we can help you can avoid being the next victim then please call 01235 433900 or you can email [email protected] or if you would like to speak to me directly you can reach out to me via DM or at [email protected].

Email Security Gateway – What is it and why should you have one in place?

I recently wrote a blog post about how to spot a phishing attack (read it here), and also incorporated some of the content in a webinar we did with Precursor Security which showed how easy it is to was to compromise a Microsoft 365 account (watch it here). In both I mentioned that if you had a sufficient Email Security Gateway in place then it should help to catch and block phishing attempts. Here I will go into more detail about what an Email Security Gateway is, and what it can do for you.

What is it?

An Email Security Gateway is effectively a security barrier between your email solution and the outside world. It has visibility of all emails sent / received and interrogates them looking for malicious content.

How does it work?

When an Email Security Gateway is put in place, the MX records for your email domain are changed to the servers of your chosen provider. This then points all email traffic to your chosen solution which will then forward the email traffic to your email servers after interrogating them. Connectors are also configured within your email solution to allow mailflow to and from the Email Security Gateway.

How does it protect you?

Traditionally, an Email Security Gateway would be hosted on-premises scan an email’s attachments for viruses and that would be that. These days an Email Security Gateway is based in the cloud and will protect you against much more. Here are just a few of the attack types that a competent solution will prevent:

  • Denial of Service (relevant to on-premises email servers)
  • Impersonation emails
  • Malicious links in emails
  • Zero-day threats
  • Email account takeover
  • Low reputation senders

Some numbers for you…

  • 91% of cyberattacks start with an email
  • 85% of organisations were hit by a phishing attack in 2020
  • 1 in 7 organisations experienced an account takeover in 2020
  • $200,000 is the average ransom fee paid in 2020

“But I am using Microsoft 365 which has built in protection”

While technically this is true, the Microsoft Defender for Office 365 product requires a license uplift to get only some of the comparable features that a dedicated Email Security Gateway would provide. Being a dedicated solution, a 3rd party product would sanitise email traffic before it even hits Microsoft 365 and provides protection against more threats than Microsoft. Additionally, in independent tests Microsoft 365 ATP tends to perform poorly against the competition (full test here):

 

Email lSecurity Gateway Microsoft

 

An Email Security Gateway would also provide an Email Continuity solution should the Microsoft 365 email servers ever go down (which they have done in the past). See a brief diagram from Barracuda on how this would work:

Email servers working

 email servers working

 

Email Servers NOT working – Barracuda’s Email Continuity service takes over

email servers not working

 

 

What do we recommend?

Planet IT recommends a capable 3rd party Email Security Gateway like Barracuda or Mimecast to protect your business against email threats, as both solutions provide all the tools and protection you need to keep your organisation safe.

If you would like to discuss further how Planet IT can help you secure your email environment and protect your users from scams like the above email, please get in touch via DM or email [email protected].

 

My name is Adam, and I am a security-focused Technical Architect. My job is to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to! Want to hear more of my thoughts on Cybersecurity and other technology news? Connect with me on LinkedIn

 

Cyber Essentials, What’s new 2022?

Cyber Essentials

Cyber Essentials is an effective, government-backed and industry-supported scheme to help organisations protect themselves against common online threats.

Cyber-attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Cyber Essentials looks to guide you to better understand these threats and help to keep that metaphorical front door firmly shut.

What are the differences between different Cyber Essentials Accreditations?

There are two levels of Certification: Cyber Essentials Basic and Cyber Essentials Plus, which I have expanded on in some more detail below to help you decide what’s right for you and your business.

Fundamentally the Cyber Essentials framework was designed to provide a security baseline for every business in every industry against the following 5 key areas:

  • Access control
  • Firewalls and routers
  • Malware protection
  • Secure configurations
  • Software updates

What’s new to Cyber Essentials for 2022?

Due to the COVID-19 global pandemic, businesses operational models have drastically changed and adapted over a relatively short amount of time.

To continue operating, most businesses were forced to adopt a fully digital model and allow remote or hybrid working. This transformation and rapid adoption of cloud services that has prompted these changes to the existing Cyber Essentials scheme to ensure organisations uphold the basic level of cyber resilience which reflect the current working environments and cyber security risks.

Some of the key updates to Cyber Essentials will specifically cover changes to cloud services and web applications, bring your own device (BYOD), and security updates including password management and multi-factor authentication (MFA). Other changes include, but are not limited to the below:

  • Some questions have been expanded upon with more details needed in your answer.
  • Cloud services are now in scope of your basic and Plus assessments.
  • The Cyber Essentials Plus test will include local admin rights checks and a MFA test for each workstation tested.

 

The Two Levels Certification

Cyber Essentials

 

Cyber Essentials Basic is obtained by completing and independently verified Self-Assessment. This option gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to basic attacks can mark you out as target for more in-depth unwanted attention from cyber criminals.

Certification gives you peace of mind that your defences will protect against most common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place

 

Cyber Essentials Plus

Cyber Essentials Plus is a little more involved and to achieve Cyber Essentials Plus, a business must also first complete the online Cyber Essentials assessment as part of the Cyber Essentials Plus certification or have received the basic Cyber Essentials certification a maximum of 90 days prior to applying for the Cyber Essentials Plus

Unlike the Self-Assessment method for the basic certification, a hands-on technical verification is required to be carried out. Similarly, however, a qualified assessor examines the same five controls, testing that they work through a technical audit.

Another benefit of a Cyber Essentials plus certification includes automatic cyber liability insurance for any UK organisation who certifies their whole organisation and have less than £20m annual turnover.

 

So, is it Essential?

The threat landscape to businesses is changing rapidly, with modern working practices always evolving. More and more businesses and IT professionals placing a higher level of emphasis on the security strategy, and this is where the new changes to Cyber Essentials, will help to strengthen businesses overall cyber security stance.

Not only is Cyber Essentials cost-effective and easy to implement but it will ensure businesses deter hackers from targeting their infrastructure once the necessary Cyber Essentials technical controls are in place.

You will also give your customers and partners the reassurance that you are working to secure your IT against cyber-attacks. In an ever-competitive landscape these certifications will also display the emphasis your business is placing on security and may even help attract new business with the knowledge of these cyber security measures in place.

If you would like to discuss with myself or any of the Technical Architecture team at Planet IT about how you can get ready for a Cyber Essentials certification you can reach us using the contact details below.

Contact me at –
LinkedIn Message: Thomas Packer

Call 01235 433900 or Email: [email protected]

What is Phishing?

What is Phishing?

A phishing attack is sending emails that appear to be from trusted sources to gain personal information, deliver malicious payloads, or compromise account credentials. Phishing attacks are usually transmitted to many email addresses. The contents are not specific to the receiving user and are generally along the lines of “Your Netflix account has been locked, CLICK HERE to unlock” or similar.

What is spear-phishing?

Spear Phishing is a method of cyber-attack that tries to convince users to provide access or information by pretending to be someone important who is in some way relatable to the targeted user. CEOs are a common vector of attack, as is a potentially lucrative new client. These attempts influence the recipient to do something such as transfer money or buy Amazon / Google Play vouchers.

Example

I received this email on my account not too long ago and thought I would use it as an excellent example of a phishing attempt. At first glance, you can see why people would think it is genuine:

Phishing Attack 1

 

But let’s look a little closer. Notice the sender email is using the @msn.com domain, suggesting that this is a free Microsoft email account that has been set up for this purpose:

Phishing attack 2

 

If we hover over the Confirm Your Email Address link, you will see it wants to take you somewhere that is NOT Microsoft:

Phishing attack 3

 

If we click the link, we can see that the site we are forwarded to does not look professional at all:

Phishing attack 4

As expected, a login box to steal your credentials:

Phishing attack 5

 

Also, note that the tone of the email is assertive and trying to portray urgency. Even though it is the first you have heard of it, according to the email, you absolutely MUST click the link within 48 hours to make sure you keep your account. Many people don’t even log into their emails every 48 hours, so this is a ridiculous request.

Finally, the grammar is not good and certainly not what you would expect from an official email from Microsoft. Spelling and Grammar errors are good indicators of a malicious email. Sometimes they are even included on purpose as the assumption is if you miss them, then you will miss other signs and therefore be more gullible to fraud!

What advice can we give?

If in doubt, don’t click! Hover over links in emails if you are not sure they are from a trusted source. A phishing email may claim to be from a legitimate company. When you click on the link, it may look like the actual website, but double check by hovering over the link and checking the URL.

Never give out personal information online – as a rule, you should never share personal or financially sensitive information over the internet. If you are paying for an item or service, check that the website is secure and the address starts with “HTTPS”.

If the email contains spelling mistakes or has grammatical errors – this could indicate that it is a scam email; people write many phishing emails outside of the UK, so the standard of English is usually not good.

If the email asks you to do something urgent – claiming that your account will be closed unless you submit your details instils a sense of panic, double-check that it is from a natural source.

An unusual attachment – if you receive an unexpected email from a company that contains an attachment, it could include a malicious virus – don’t open it! These generally come in Word / PDF documents claiming to be an invoice or remittance advice but can be anything.

  

In Conclusion

Phishing attacks are one of the most common types of cyber-attacks today. It is so important to keep alert and question any suspicious-looking email that you receive. There are several 3rd party solutions that can help you mitigate this risk:

  • Email Security Gateway – this sits between your email provider and the outside world, filtering spam, phishing, fraud attempts and other malicious email categories.
  • Training & Testing – there are several trusted vendors that provide end-user training on how to spot a phishing email, as well as running test campaigns to keep everyone on their toes!
  • Multi-Factor Authentication – the main aim of a phishing email is to forward you to a fake website and have you enter your credentials, so they are stolen and the account used for malicious activity. If you have MFA enabled on your email accounts (Office 365, for example), even if a user falls for a phishing email and enters their credentials, they cannot be used without the MFA code from a separate device.

 

If you would like to discuss further how Planet IT can help you secure your email environment and protect your users from scams like the above email, please get in touch via DM or email [email protected].

My name is Adam, and I am a security-focused Technical Architect. My job is to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to! Want to hear more of my thoughts on Cybersecurity and other technology news? Connect with me on LinkedIn: https://www.linkedin.com/in/adam-e-harrison/

 

Please don’t tell me it’s Window’s Defender!

windows defender

Cyber-attacks happen and are increasing in frequency. Certain sectors are naturally susceptible to these attacks; banking, government, healthcare, and energy sectors will always be targets due to the nature of what they do. But did you know that the Education sector is also very high up the list?

Around 20% of all educational institutions have been specifically targeted by cyber criminals, and a MASSIVE 83% of UK schools had experienced at least one cyber security incident. There are many other scary statistics that can be quoted, and you would think that with this information being readily available for review, schools and other institutions would take cyber security seriously; you would think wrong.

 

It’s just not good enough

Here at Planet IT, we have many dealings with the education sector, whether that be providing fully managed support, running security health checks or just the facilitating the procurement of specific classroom hardware, we have seen how vulnerable a lot of school environments are. We talk to schools daily and something that keeps coming up is the widespread use of Microsoft Windows Defender as the sole endpoint security solution. Something else that keeps being apparent on most calls we join is that the on-site IT team are too busy being reactive and fighting fires to spend the time being proactive and looking at the bigger picture.

Microsoft Windows Defender is a consumer-grade antivirus that is native to Windows 10 and comes preconfigured. There is an anti-ransomware element to it, but the testing we have done in the past shows that it is not capable of detecting most live ransomware threats:

education Vulnerabilities Found

So, what should you do?

Well, you should start with an industry-leading endpoint / server security solution such as Sophos Intercept X Advanced which will detect ANY Ransomware attack using the CryptoGuard element (this detects any file encryption attempts and rolls them back using Windows Shadow Copy if any encryption has started by the time it is stopped). This combined with the award-winning Endpoint Protection / Server Protection means that your endpoints and servers would enjoy a very high level of cyber security protection.

With any good security solution should come a good EDR product. EDR stands for Endpoint Detection & Response. This provides additional reporting and threat mitigation tools for your environment.

 

But does this really happen?

A real-world example that I have seen first-hand – we have a large private school as a customer. They were hit by ransomware which took down some critical file servers AND compromised the backups. With Sophos Intercept X Advanced with XDR (Sophos’ EDR offering), we were able to see that not only did Windows Defender not stop the ransomware from running but didn’t even detect it as a threat.

Also, with the recent Log4j vulnerabilities, and further back the Hafnium vulnerability, XDR was a requirement to investigate customers’ environments to easily check if they were open to attack due to these vulnerabilities. With Hafnium, XDR could report what hosts were vulnerable but also if they had been compromised and the location of the remote consoles that had been deployed by the bad actors. We at Planet IT saw at least 2 instances of Microsoft Exchange servers that had been compromised, and our job was made easier with XDR.

 

What if my team just don’t have the time to manage XDR.

The downside of adding XDR to Sophos Intercept X Advanced is that you need the resources to respond and investigate detected threats. Sure, Sophos Intercept X Advanced will of course detect and block any threats it comes across, but any advanced solution like this requires the time to configure and monitor to ensure you get the value from the product.

This is where MTR comes in; MTR (or Managed Threat Response) is a managed SOC (Security Operations Centre) provided by Sophos themselves, and will give 24/7 threat detection and activity reporting among many other benefits that are essential for any security conscious educational institution. With the Sophos MTR service, you can focus your time on ensuring your local infrastructure is running well safe in the knowledge that your Sophos environment is being looked after competently.

Planet IT recommends Sophos Intercept X Advanced with XDR and MTR Standard as the minimum level of protection for any educational institution.

Education in Focus: Cyber Attacks on the rise while protection remains behind other industries

Education Cyber Attack

2020 was far from an easy year for the education sector, with the strains of COVID-19, the forced move to remote learning and the constant moving goals of exams, assessments and certifications looming over the industry. IT improvements and IT budgets were shifted from infrastructure and enhancements to purchasing laptops and enabling learning over video. These changes have had a dramatic impact on all educational organisations. Unfortunately, we are starting to see the repercussions of this, with several educational organisations being hit by cyber-attacks.

Another Attack

This week we have seen the latest attack on the University of Northampton, this is unfortunately just another in a long line of victims of the last few years.

As many of you who have read my articles are aware, I have a long history in the education sector, working across schools, academies, and colleges. From this, I have a very first-hand experience of how budgeting works in education. I know its effect on the choices that we make when it comes to selecting solutions and ultimately protecting educational establishments.

When I read stories like the one about the University of Northampton, it churns my stomach. This is because I know that the ladies and gentlemen who work in the IT teams of these organisations will have been doing everything they could to protect the system. However, they are always constrained by the limits they have finically and with their current technology stack. Having personally experienced several attacks first-hand, the IT Team usually takes the brunt of the fallout from these events. In truth, it’s business management and senior management, who’s lack of understanding, allows these incidents to happen.

university cyber security

The real-world cost of an attack

When these kinds of cyber attacks in education occur, we all see the headlines and the public outcry about the fact these threat actors get into and disrupt educational organisations. What is very rarely discussed is the organisation’s cost.

The cost itself is not just that of recovering from the breach. Depending on what equipment has been affected and what can be recovered, the cost anywhere from £10,000 to £500,000!

However, on top of this, you have to add the cost of staff not working. The organisation not being able to deliver teaching and learning can easily cost an organisation over £50,000 a week.

We then have to consider the cost of the damage to the organisation’s reputation and any fines that may come in from the ICO if data has been lost. These costs can total into millions.

The worst part of all of this is that insurance will not always cover these costs if you have the wrong cover type. In a real-world example, we are aware of a case where an educational organisation had a total cost of an outbreak at £2.5 Million, this figure should be enough to make your senior management sit up and pay attention.

Where to start…

The question then is, how do we get our educational sector partners to a position where they can protect their data, deliver teaching and learning and ultimately avoid cyber attacks in education?

The answer is about prioritising spending and focusing on ensuring that a security landscape is in place that covers all bases and protects against all foreseeable attack vectors. We start this with solid anti-virus and anti-ransomware technology. Endpoint protection must be paired with a robust Endpoint Detection and Response product (EDR) or an Extended Detection and Response product (XDR). These technologies will give you a strong endpoint protection roster.

Then layered on top of this, you need to look at device encryption, which must be centrally managed. Then, on top of that, we need to pivot and look at the ingress points on your network, this being your email and your firewall. Both should be robust next-generation products that use both Unified threat management and a traditional stateful firewall approach.

school cyber security

And then there’s the human element

When we have tackled the technical delivery needed to secure the network, we need to look at your staff and the human firewall element of protection. From this regard, we should be looking at Phishing training, security awareness and data protection training.

When you have all these pieces in line and configured to best practice, then there is a good chance that you will mitigate most risks towards your organisation. Now, that doesn’t mean your senior management can wash their hands of cybersecurity. Proper cybersecurity protection is reviewed and maintained regularly, and this also means patching all your other IT systems; it’s a busy and full-on task to undertake. However, if you do it correctly, it’s advantageous knowing that you are keeping your learners, staff and visitors safe and protecting against the effects of a cyber-attack on the business, individuals and the wider community

If you would like to have a conversation about how we can review your security landscape and work with you to build a robust cybersecurity landscape for your organisation, then CLICK HERE to book a meeting with me, or you can email me at [email protected] and together we can work to align your organisation against the current and future risks.

Sophos MTR vs Security as a Service. What’s the difference?

sophos MTR vs Security

What is Sophos MTR?

Sophos MTR Standard or Managed Threat Response, provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully managed service. What that means is a dedicated team at Sophos will monitor your environment and act on any threat detections using the EDR technology that we are a massive fan of here at Planet.

IT is offered as an optional service add-on with Sophos Intercept X Advanced with EDR.

Sophos MTR Advanced goes one step further and will actively go looking for potential threats. It proactively improves your security by recommending configuration changes and reporting on vulnerabilities.

How does Planet IT’s Security as a Service (SECaaS) compare with Sophos MTR?

Let me start off by saying that Sophos MTR is a fantastic service, there is no denying that. But you do have options should you want this protection but want to explore different avenues.

Here at Planet IT, we offer an alternative service that will give you the peace of mind of MTR, while being more aware of the fact that many of you will have technologies outside of the Sophos stack.

Alongside this we know that for many of our customers the biggest risk is always the recovery and with Sophos MTR there is quite rightly an end to where Sophos can provide services. With SECaaS we stick with you and can support you to the bitter end.

I have compared the offerings of Sophos MTR with Planet IT’s Security as a Service (SECaaS) in the table below:

 

FeatureSophos MTRPlanet IT SECaaS
24/7 supportOffice Hours
Dedicated Account Manager
Direct Call-In Support
Asset Discovery via EndpointsX
Enhanced Telemetry via EndpointsX
Activity ReportingSophos OnlyAll Security Vendors
Periodical Health ChecksSophos OnlyAll Security Vendors
Vulnerability ScanningSophos OnlyAll Security Vendors
Firewall SupportSophos OnlyAll Security Vendors
Completely mitigate through to completionSophos OnlyAll Security Vendors
Penetration TestingX
Windows UpdatesX
Phishing Training & TestingX
Email ProtectionX
Cyber Essentials / PlusX

 

Verdict

Sophos MTR is a great service if you are a large organisation with the requirement for 24/7 support and have the resources to afford it. If you have an internal IT team in place to work in collaboration with Sophos to completely remediate any threats, it really is a top solution.

However, as you can see above Planet IT’s SECaaS offering is more than sufficient to give you the peace of mind you need. We will work with you to recommend and provide the solutions right for your business and support you until any threat is mitigated, no matter what security products you use.

Add in our other services such as Windows Updates as a Service, Vulnerability Scanning (not just for Sophos products) / Penetration Testing and Cyber Essentials as a Service, you can rest assured that SECaaS will keep you safe and updated as much as possible!

About Adam Harrison

My name is Adam, and I am a security-focused Technical Architect. It is my job to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to!

If you want to talk to me about how Sophos Intercept X with EDR would fit into your business then please call 01235 433900 or you can reach out to me via DM or at [email protected]

What are the benefits of Sophos Intercept X Advanced with EDR?

sophos edr

Over the last few months, you may have heard the word EDR (Endpoint Detection and Response) banded around when talking about security products, but what does EDR really mean for you and your business? In this article I am going to explore EDR and the tangible benefits that you would see from having this product in place.

What is EDR?

Sophos Intercept X Advanced with Endpoint Detection and Response (or EDR) is an award-winning security solution that is built upon the framework of the Sophos product that so many of you use and know.

One of the simplest ways to look at it is like a cake made up of three layers. You may already have two of these in place:

Endpoint Protection – traditional anti-virus that detects and blocks threats in real-time. This is the signature-based piece of the puzzle something that every business should already have even if it’s from another vendor. It is looking at what is happening and checking it off against a list of known attacks.

Intercept X – anti-ransomware protection. This comes in the form of AI and Machine Learning driven technology which knows what your device should look like if you are working as normal. When you’re not, it uses a technology called CryptoGuard and detects any encryption attempt, reversing any encryption that has already taken place. This is your backstop and a way to protect yourself from unwanted changes. This is a technology many of our customers have and saw the value in having after the WannaCry outbreak of 2015.

EDR (Endpoint Detection and Response) – This enhances the ability to analyse an attack and see what happened, whether the threat has spread to other devices and if any data has been lost. This is new and this is less about what is happening and stopping it and more about the validation of how safe you were following an attack. Now this may sound counter intuitive, if the product is protecting you, why would you need to know what happened in an attack? To answer that simply we need to look at GDPR and the requirement to report breaches.

These components combined provide you with the whole protection cake. You have the ability to protect your data (these are the sponge top and bottom made up of Endpoint Protection and Intercept X) and then you have the knowledge that if something happens you can clearly report on what took place (this is the jam filling that completes your cake). Protection like this is second to none when coming up against today’s attackers, in a threat landscape that is every changing.

Sophos Planet IT

How does it work?

Sophos Intercept X Advanced with EDR combines proven endpoint threat protection with the power of advanced machine learning to identify and block malicious processes. Intercept X uses AI that detects malware without relying on signatures and monitors system behaviour for any changes that could mean a malware attack. SophosLabs then provides the knowledge to back it up.

Take a targeted ransomware attack as an example. Bad actors will try to brute force their way into a externally facing RDP server. Once in they will drop an encryption package onto the system and start to encrypt files. Intercept X will detect the behaviour, CryptoGuard will stop the encryption and EDR will be able to fully report on the events chain (source, root cause, beacon, when it was detected and if it has been cleaned) providing complete analysis. Additionally, EDR customers will have access to a SophosLabs Threat Intelligence report that further aids you in your decision whether to allow the suspicious file or not.

How does this benefit you?

Sophos Intercept X Advanced with EDR will increase your security footprint without the need for additional resources to look after the solution. You can be safe in the knowledge that the solution you have chosen is the best in the business. With EDR you will have all the tools you need to make sure that any detected threat has been stopped in its tracks!

I’m sure you know that if there is a breach and data is compromised, the Information Commissioner’s Office (ICO) have to be informed. As a result of this, if your security solution is deemed to be inadequate you will be subject to a substantial fine! Throw GDPR into the mix and you have the potential to be in serious trouble. With Sophos Intercept X accompanied by EDR, not only will you have an industry-leading security product, but also EDR ensures all details are captured for reference later.

So, should you become a target you will be able to prove where exactly the threat has come from, where it has been and if it has been dealt with completely.

From a resourcing view, investigating all detected threats and tracing their actions to ensure nothing has been compromised is a full-time role; EDR does this automatically and comprehensively so you don’t have to. You can search through 90 days so even if you have only been made aware of a threat you can wind back the clock and quickly see how it was dealt with.

How good is Sophos compare to the competition?

As you can see, Sophos Intercept X with EDR is industry-leading when put up against the competition:

sophos comparison

Security as a Service (SECaaS)

Now sometimes it is all well and good having the tools yourself, but you may not have the inhouse skills or the time to make proper use of them, this is where our Security as a Service offering comes in – with SECaaS we will provide further peace of mind by monitoring your Sophos solution and remediating any alerts within an agreed timeframe. We will also provide you with periodical reports at an interval of your choosing showing the health status of your estate, complete with our recommendations to make sure you are as protected as you can be.

 

About Adam Harrison

My name is Adam, and I am a security-focused Technical Architect. It is my job to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to!

If you want to talk to me about how Sophos Intercept X with EDR would fit into your business then please call 01235 433900 or you can reach out to me via DM or at [email protected]

Looking for a technology partner?
Let’s talk

  • This field is for validation purposes and should be left unchanged.