Prepare for the Next Shadow Brokers Dump

The Shadow Brokers recently launched a subscription program that gives anyone access to potentially pernicious exploits and data. According to the service announcement, for the cryptocurrency equivalent (currently Monero) of about $21,000, buyers are promised:

  • Web browser, router, and handset exploits and tools
  • Select items from newer Ops Disks, including newer exploits for Windows 10
  • Compromised network data from SWIFT providers and central banks
  • Compromised network data from Russian, Chinese, Iranian, or North Korean nuclear and missile programs

In all, the Shadow Brokers promised that the dump would include “75% of U.S. cyber arsenal” (the group is notorious for poor grammar to thwart linguistic analysis). This follows the WannaCry ransomware campaign that rendered hundreds of thousands of computers useless worldwide. It’s no surprise that there has been a significant amount of handwringing over the next leak of zero-days and exploits purportedly stolen from US intelligence agencies, including the NSA.

If the Shadow Brokers live up to their claims, the dump could yield devastating results. Exploits from the first two categories target the backbone of modern computing and communications. While patches will inevitably inoculate most users, as the WannaCry campaign demonstrated, major disruptions will precede any patches. The consequences could be especially severe for Android smartphone users. The Android ecosystem is notoriously insecure and fragmented, and patches and updates often never reach users. While Android has taken steps to remedy this problem with Project Treble, millions of users remain vulnerable.

What can organizations do to prepare for the next Shadow Brokers dump? Given the state of readiness at many organizations, the answer is quite a lot. However, we don’t know what will be dumped this month. Unfortunately, it’s likely that existing patches will not mitigate the threats of the leaked exploits and zero-days. As a result, no company should expect to be immune from the coming threats.

Instead, companies should proactively prepare to limit the damage of and to recover quickly from an attack. The following four actions are foundational to elevating your organization’s resilience to not only the consequences of the imminent Shadow Brokers dump but also the ever-expanding array of sophisticated cyber threats.

 

Design the Right Network

A properly protected and rigorously segmented network is essential to minimizing the damage that a cyber threat can cause. The difference between a well-designed network and a poorly designed network is like the difference between an M&M and a jawbreaker.

Most networks are insulated from external threats with hardware and software, like firewalls and honeypots. After these initial perimeter defenses, many networks are flat and fail to prevent unauthorized lateral movement. These networks are like an M&M. They have a hard shell, but the insides of the M&M are soft and prone to melting (or melting down).

A resilient network is like a jawbreaker. A hard shell prevents intrusions to the best of its ability. If a threat actor penetrates the shell, they are forced to fight through every layer that follows. Whether their purpose is to exfiltrate sensitive data or to cause significant disruptions, a jawbreaker network slows progress, giving you time to identify the threat and to limit the damage to your organization.

 

Secure Your Endpoints 

Once your network is properly segmented, it’s important to secure your endpoints. There are two common misconceptions about endpoint security that we should dispel. The first misconception is that endpoints refer to a limited set of devices, commonly laptops and desktops. In reality, endpoints encompass a wide range of devices, including smartphones, tablets, thin clients, and anything that resides on a network’s edge. All these endpoints should be secured. Any unsecured endpoint serves as a launching pad for broader attacks against other endpoints and networks in your organization.

The second misconception is that an antivirus program is the equivalent of endpoint security. Endpoint security products often include an antivirus component, including advanced machine-learning methods to detect zero-day threats. However, endpoint protection involves much more and comes in many forms. Endpoint security products can be hardware, software, or a combination of both. In addition to their antivirus capabilities, endpoint security products often include a firewall, intrusion prevention and detection systems, full-disk encryption, and application whitelisting. Your organization’s technical team should be empowered to assess and identify the features your organization needs.

 

Manage Your Patches 

Outdated and unpatched versions of Microsoft Windows catalyzed the rampant spread of the WannaCry ransomware. As any systems administrator knows, the common prescription of simply throwing patches at devices right away or replacing legacy software is anything but simple. These “solutions” can sow instability and cause downtime.

A robust patch management process is essential for preventing instability and keeping devices up-to-date. Generally, organizations should maintain three separate networks. First, a test network allows your organization to test new hardware and software without unnecessarily exposing daily operations to risks. Second, a development network should be used to identify bugs and other challenges using production data types. Once defects are identified and addressed, patches can be deployed to your operational or production network. Patches should be updated at least quarterly to mitigate known issues.

While we can reasonably assume that the existing patches will not prevent many of the exploits to come, a patch management process can help your organization respond more quickly to vulnerabilities that may arise. By keeping patches up-to-date, your team won’t need to scramble to catch up when a crisis emerges. Furthermore, an established and optimized patch management process enables your organization to deploy patches for zero-day vulnerabilities as soon as the patch is available.

 

Get an Incident Response Team

No organization is impenetrable. Retaining an in-house or contracted incident response (IR) team can help your organization recover more quickly in the event of a breach. Your organization has a complex set of networks and endpoints, a litany of priorities, and data of differing sensitivities. An incident response team called in the aftermath of a breach will need time to assess these factors. This eats away at precious recovery time, exacerbating the damage and disruption caused.

To respond immediately, an IR team needs a deep understanding of your organization. This understanding can only be nurtured through a formalized relationship with regular contact and the development of a standing incident response plan even when a breach has not occurred.

 

Fundamentals, Fundamentals, Fundamentals

The recent WannaCry ransomware outbreak raised many questions about the government’s responsibility to disclose zero-day vulnerabilities. Perhaps more importantly, the outbreak also highlighted the appalling state of readiness at many organizations. As the zero-day disclosure debate rages, organizations must take more responsibility for the security of their networks and endpoints.

There is no panacea for threats, whether it’s the next Shadow Brokers dump or a state-sponsored threat actor. Organizations must master the fundamentals and improve their resilience and responsiveness to extant and emerging threats. A jawbreaker network, robust and comprehensive endpoint security, an optimized patch management process, and an incident response team on standby will minimize future damage and disruptions. Storm clouds are brewing. It’s time to get our houses in order.