A SAFE DIGITAL JOURNEY

WHAT YOU SHOULD KNOW ABOUT THREAT RESPONSES  

Northwave frequently sends out Threat Responses: messages regarding vulnerabilities that are considered relevant to our customers. These messages are typically rather in-depth texts, aiming to provide actional advice to IT teams. This blog provides additional information for the less tech-savvy readers what these Threat Responses mean to an organization and the individuals working there. Let’s dive into the different aspects of the Threat Responses (TR’s).

WHY ARE THREAT RESPONSES IMPORTANT?

Threat Responses are messages that give information about vulnerabilities, their impact and the steps to mitigate them. Clients of Northwave receive these messages as part of Northwave’s service, but they also get published on the website. The reason this information is shared is because vulnerabilities can have huge impact on businesses and individuals. They allow hackers to get past the security of the other party, which might include your organization too. This means that, without (quick) action, the consequences can be dire. The Northwave CERT regularly sees vulnerabilities mentioned in Threat Responses begin exploited during incident investigations.

HOW DO I KNOW IF I AM VULNERABLE?

The Threat Responses always indicate what software or systems are affected. Not all individuals or businesses will make use of every software or system mentioned in the Threat Responses. By stating what systems are affected, the readers will have a handy overview that they can use to quickly determine whether the information is relevant to them or not.

For example, in the TR about Multiple Critical Zero Day Vulnerabilities in Microsoft  not only users of Windows 10 were affected. System administrators running Windows Server or Exchange were affected as well.

HOW CAN VULNERABILITIES BE EXPLOITED?

Vulnerabilities in systems give hackers the opportunity to achieve one or more of the most common goals below. Sometimes multiple vulnerabilities must be exploited in order to get access to all aspects of the device and/or network.

1. They are able to run code on your device remotely.
The reason this is harmful is because it allows the hacker to access someone else’s device from a remote location and make changes. It gives a hacker the freedom to take control of the systems and files on the device, think of databases and other documents that are stored locally.

2. They are able to elevate their privilege.
This means that they can gain elevated access to resources that are normally protected from an application or user. Once the initial access is gained, the attacker will try to gain admin rights on a device, they then have the potential to do everything that the person owning the device can do too. The end goal is mostly to gain admin privileges, as this permits them to install software on to a device (think of spyware and other malicious software that could assist in the process of gathering credentials and infecting other devices).

WHAT CAN I DO ABOUT VULNERABILITIES?

It is hard to completely wipe out all risks when it comes to vulnerabilities. However, there are things you can do to mitigate them. Mitigation of risks refers to the actions one can take to decrease the risks. In The Threat Responses sent out by Northwave, there is a section devoted to the mitigations for the vulnerability at hand. As a rule, it is important to follow up on the instructions as quickly as possible. Mostly the instructions will contain the advice to immediately update your device. By limiting the time that a hacker can make use of a vulnerability, you reduce the risk of it being exploited.

WHAT ARE THE INDICATIONS OF EXPLOITED VULNERABILITIES?

When it comes to indications of compromise, it is often hard to make this visible for users without taking the right measures. Fortunately, there are ways to uncover vulnerabilities being exploited in your environment. By using a combination of the right security tools, like endpoint protection or network monitoring, coupled with adequate business processes, it is in certain cases possible to detect and respond to signs of compromise.

This can for example be done by an internal SOC (security operations center) or an external cybersecurity specialist that offers the SOC/Monitoring service. Once the monitoring is set up, the possibility of tracing back to the “Patient Zero” of a hack is possible and it provides enough information to quickly take action.

HOW DO I STAY UPDATED ABOUT MESSAGES ABOUT VULNERABILITIES?

Messages regarding security issues are often discussed on security forums. Instances of reliable sources are Threatpost.com and Bleepingcomputer.com. Another source that can be consulted is the government, For The Netherlands this is the website of NCSC (Nationaal Cyber Security Centrum) and in Germany one could gather information on the website of Das BSI (Bundesambt für Sicherheit in der Information Technik) and of course, the Threat Responses that Northwave shares which can be found here.