Cato aims to bust cyber myths as it extends network protections – ComputerWeekly.com

As secure access service edge (SASE) specialist Cato Networks burnishes its cyber credentials with the addition of multiple features to its platform, the company's senior director of security strategy, Etay Maor, has urged users to challenge some of their preconceptions around security, using data drawn from Cato's global network to counter some established cyber truths.

In June 2022, Cato became the first SASE supplier to add network-based ransomware protection to its platform, combining heuristic algorithms that scan server message block (SMB) protocol flows for attributes such as file properties and network or user behaviours, with the deep insights it already has into its network traffic from its day-to-day operations.

The algorithms were trained and tested against the firm's existing data lake, drawn from the Cato SASE Cloud, which holds over a trillion flows from Cato-connected edges.

The firm claims this will let it spot and stop the spread of ransomware across an organisation's network by blocking SMB traffic to and from the source device, preventing lateral movement and file encryption.

Speaking to Computer Weekly, Maor, who joined Cato from IntSights and is also an adjunct professor at the Woods College of Advancing Studies at Boston College, described a Black Basta ransomware attack to which he responded, in which the victim, an unnamed US organisation, could have benefited from this capability.

When he gained access to the victim's security logs, Maor found that all the information that a ransomware attack was incoming was there; the security operations centre (SOC) team had just not been able to see it.

"I know it's cool to get to sit in front of six screens, but what SOC analysts are trying to do is gather so much information and put it all together, so I understand why stuff is missed," he said.

"In this case, it was remote desktop [RDP] to an Exchange server. 'Yes,' they said, 'but that Exchange server doesn't exist anymore, so why attack a server that's not there?' So I had to introduce them to ransomware as a service [RaaS].

"What happened was someone else who attacked them sold their network data to someone else, who wrote a script to automate the attack. They weren't there for weeks, they were there for a minute. They didn't know the victim had changed their Exchange server, but got lucky somewhere else.

"So if you can see east-west traffic, like an attempt to connect to a server that isn't there, that should be a red flag to the SOC," he explained. "We created our heuristic algorithms to look for these quirks."
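As an added illustration of the east-west red flag Maor describes (example code written for this article, not Cato's heuristics), the following Python flags internal connection attempts to hosts that have been decommissioned and, going one step beyond the quote, sources that open SMB sessions to several internal hosts in quick succession; the addresses, host names, flow records and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (assumption): internal address space and hosts that
# have been retired but may still be targeted by automated attack playbooks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DECOMMISSIONED = {"10.0.5.20": "old-exchange-01"}
RDP_PORT, SMB_PORT = 3389, 445

# Constructed flow records: (src_ip, dst_ip, dst_port). Not real telemetry.
FLOWS = [
    ("10.0.1.15", "10.0.5.20", RDP_PORT),    # RDP to the retired Exchange host
    ("10.0.1.15", "10.0.5.21", SMB_PORT),    # same workstation opening SMB to
    ("10.0.1.15", "10.0.5.22", SMB_PORT),    # several file servers in a row
    ("10.0.1.15", "10.0.5.23", SMB_PORT),
    ("10.0.2.9", "10.0.5.21", SMB_PORT),     # ordinary single file-share session
    ("203.0.113.7", "10.0.5.20", RDP_PORT),  # north-south, outside this check
]

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def east_west(flows):
    """Keep only flows where both endpoints sit inside the internal ranges."""
    return [f for f in flows if is_internal(f[0]) and is_internal(f[1])]

def flag_ghost_targets(flows):
    """Alert on east-west attempts to reach hosts that no longer exist."""
    return [
        {"src": src, "dst": dst, "port": port, "host": DECOMMISSIONED[dst]}
        for src, dst, port in east_west(flows)
        if dst in DECOMMISSIONED
    ]

def smb_fanout(flows, threshold=3):
    """Sources opening SMB to at least `threshold` distinct internal hosts."""
    targets = defaultdict(set)
    for src, dst, port in east_west(flows):
        if port == SMB_PORT:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}

if __name__ == "__main__":
    for alert in flag_ghost_targets(FLOWS):
        print("ghost target:", alert)
    for src, hosts in smb_fanout(FLOWS).items():
        print("SMB fan-out from", src, "to", hosts)
```

In a real SOC the decommissioned-host list would come from the asset inventory, and a hit on either check is a trigger for investigation rather than a verdict on its own.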

Maor said he wanted to explode the myth favoured by presenters at security conferences that attackers need to get lucky only once, while defenders need to get lucky all the time.

"When you look at MITRE ATT&CK and see how attackers operate, you soon see that saying is the opposite of the truth. Attackers have to be successful at phishing, gaining an endpoint, lateral movement, privilege escalation, downloading malware payloads, et cetera.

"You actually realise that attackers need to be right all the time, but defenders need to be right only at one point to protect, defend and mitigate," he said.

Cato is now going further still, adding a data loss prevention (DLP) engine intended to protect data across all enterprise applications without requiring complex and cumbersome DLP rules. It forms part of Cato's SSE 360 architecture and is designed to address what the firm describes as the limitations of traditional DLP products.

For example, legacy DLP may have inaccurate rules that block legitimate activities or, worse still, allow illegitimate ones, while a focus on public cloud applications leaves sensitive data in proprietary or unsanctioned applications exposed.

Added to that, investment in legacy DLP solutions does not help protect against other threat vectors.

Cato believes it has these problems licked by scanning across the network for customer-defined sensitive files and data. The engine can identify more than 350 distinct data types and, once data is identified, customer-defined rules will block, alert on or allow the transaction.

Since joining Cato, Maor has been creating quarterly threat landscape reports using data drawn from the firm's global network, and the latest edition of this report also challenges established cyber thinking in many ways.

For example, after spending a few days immersed in the security community, one might reasonably expect that most cyber attacks originate from within countries such as China or Russia, but Cato's data reveal this is far from the case.

In fact, during the first three months of 2022, the most malicious activity was initiated from within the US, followed by China, Germany, the UK and Japan. Note that this data relates to malware command and control (C2) communications, so it reveals which countries host the most C2 servers.

Maor said that understanding where attacks really originate from should be a crucial part of a defender's visibility into threats and trends. Attackers know full well that many organisations will add countries such as China or Russia to their deny lists, or at the very least closely inspect traffic from those jurisdictions; therefore, he said, it makes perfect sense for them to base their C2 infrastructure in countries that organisations perceive as safer.

Cato's report also pulled data on the most-abused cloud applications: Microsoft, Google, RingCentral, AWS and Facebook, in that order, with Telegram, TikTok and YouTube also in vogue, likely as a result of the Russia-Ukraine war.

The report also showed the most targeted common vulnerabilities and exposures (CVEs). Predictably, Log4Shell was the runaway winner here, with more than 24 million exploit attempts seen in Cato's telemetry, but in second place was CVE-2009-2445, a 13-year-old vulnerability in Oracle iPlanet Web Server (formerly Sun Java System Web Server or Sun ONE Web Server) that lets an attacker read arbitrary JSP files via an alternate data stream syntax.

"With such old vulnerabilities, people are completely unaware of them," said Maor. "[It shows] the way defenders look at the network is completely different from how attackers do. Defenders will send me a PDF visual file of their servers, DMZ, cloud, et cetera, [but] attackers will say, 'Hey, you have a 14-year-old server, that's interesting.'"
