A few weeks ago we saw information leaked by a known source whose real agenda nobody knows (disinformation, whistleblowing or a nation-state sponsored disruption campaign). The leak described toolkits that certain intelligence agencies (supposedly in the USA) used to spy on other countries.
Among the software were exploits for parts of the Windows operating system that many believe Microsoft knew about but only patched when the leak became public. That patch was released shortly after samples of the toolkits were given away via GitHub to get people interested in bidding for the remaining software and information.
An interesting thing to note is that the “Shadow Brokers” wrote in very broken English, so we don’t know which country they are really from: China, Russia, Iran? Who knows. A detailed language analysis of the mistakes in the posts, mapped against the three actors mentioned (assuming the campaign is aimed at the US), would offer some insight into whether any of them makes sense. Another option is that someone in the US or a skiddie group is trying to start WW3.
This type of propaganda (if that is what it really is) aims at creating “suspense and end-of-the-world” news and messages to do a few specific things. From an emotional standpoint it creates fear and gets people to question the nation-state supposedly behind the tools, calling up negative views of them as the bad guys. The reality of intelligence work, however, is not so simple, and it is not easy to blame just one country for this predicament. Let’s start with some facts:
I want to talk about what we “hopefully” learned from all this and clarify a few things about what this really was.
If we separate the fantastic claims and emotions of all the security companies now using this to make money, we can actually see a few things, and after looking at those facts we can determine what services we need to buy or use, and how, to change the situation. If I may, I will state some personal views and opinions; I hope you don’t mind as the reader, and I appreciate you reading this far.
I don’t want to blame anyone for this. One thought that keeps coming back, however, is: why were so many exploitable XP machines being used by critical infrastructure in the first place? The answer is simple if you just blame people, but in reality it’s much more complex.
Many companies and entities run various types of software to do many different things. From an attacker’s perspective, this makes operations and management much harder and more complex than in clean-cut, simple shops. When a small shop has outdated clients, operating systems and applications, it is usually a resource, skill or money issue. In larger companies more resources are in place, and budgets may or may not be used to plug the biggest holes. When we look at the most recent attack, there “could” be a few reasons for this:
When infrastructure becomes “bloated”, complex and costly, people tend to put mechanisms in place to try to protect it and apply haphazard Band-Aids. Usually we find in attacks that Band-Aids don’t solve the real issues a company has when it can’t change older legacy systems.
We also find that simple tasks like patch management, and running secure and proactive operations in the NOC and SOC, are usually not done when facing complex and legacy systems. Again, there “can” be multiple reasons for this that are not necessarily financial or budget-related.
The fact remains, though (and this attack proves it … again), that these weak links, or obstacles to a solid and more secure operational state, are certainly exploitable and are being targeted more and more by various groups, causing far more damage than actually dealing with the underlying issues and challenges of legacy systems would have.
So what do we do to resolve and stop these types of attacks?
That’s it for this post. I hope it was useful, added value and starts further discussions between you, us and the other really good partners we have and respect. We are here to help; use us. Don’t fall for the fear-based mentality of some “cyber” companies that sell FUD and silver bullets; the world of operations and security is never about silver bullets. It’s about great teams that work together with partners, gathering intelligence and using it to map risks and then manage them.