sbradley
Contributing Writer

Lessons learned from 2021 network security events

Feature
Dec 29, 2021 | 5 mins
Cyberattacks, Network Security

Rather than predict what 2022 will bring, let's manage the future by implementing the lessons learned from this year's biggest security threats.

[Image: network security / network traffic scanning. Credit: HYWARDS / Getty Images]

It’s the end of 2021, a time when you expect to see security pundits predict security issues for the coming year. I’d rather look back at the security issues we’ve been tracking to ensure that we’ve learned all the necessary lessons from them.

SolarWinds attack: Know your vendors’ security posture

It has been a full year since the SolarWinds software supply chain attack hit the news, and we are still working out the full potential of this type of attack. The attackers were stealthy and were discovered only because one of the impacted firms, FireEye, had elite capabilities to monitor and detect intrusions.

I wonder in these situations if my firm would have the tools and resources to know if such an attack was occurring. My guess is that not only would I not be aware of this intrusion, many of you would not have the resources to do so, either. According to Microsoft, the attacker was able “to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” It should make us all consider the source of software we install and ask if we can trust our vendors and their security processes, let alone our own security processes.

Lessons learned: Review your software vendors’ security processes with them. Look for abnormal behavior, especially in highly privileged accounts. Alert when a new federated trust is created and when credentials are added to applications or service principals that hold permissions such as Mail.Read or Mail.ReadWrite, because either change lets an attacker mint tokens or read mail without ever touching a user’s password. You’ll also want to block known command-and-control (C2) endpoints at your network perimeter firewall.
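The two checks above can be scripted against Azure AD with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the article or from Microsoft: it lists every federated domain, then walks the app registrations that request Mail.Read or Mail.ReadWrite against Microsoft Graph and reports any that received a new secret or certificate inside a lookback window. It assumes the Microsoft.Graph module is installed, the signed-in account has Application.Read.All and Domain.Read.All, and the 30-day window is an illustrative default.

```powershell
# Added example (not from the original article): list federated domains and find app
# registrations that hold Mail.Read or Mail.ReadWrite against Microsoft Graph and received a
# new secret or certificate recently. Assumes the Microsoft.Graph PowerShell SDK and an
# account with Application.Read.All and Domain.Read.All; the lookback window is illustrative.
param([int]$LookbackDays = 30)

Connect-MgGraph -Scopes 'Application.Read.All', 'Domain.Read.All' | Out-Null

# 1. Federated trusts. A federated domain delegates token issuance to an external IdP, and a
#    forged SAML token is only accepted if the issuing trust exists, so this list should be
#    short and every entry should be known to you.
Get-MgDomain |
    Where-Object { $_.AuthenticationType -eq 'Federated' } |
    ForEach-Object {
        [pscustomobject]@{ Finding = 'FederatedDomain'; Object = $_.Id; Detail = $_.AuthenticationType }
    }

# 2. Resolve the permission IDs for mail access from the Graph service principal instead of
#    hard-coding GUIDs. AppRoles are application permissions; Oauth2PermissionScopes are delegated.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" |
    Select-Object -First 1
$mailPermissionIds = @($graphSp.AppRoles) + @($graphSp.Oauth2PermissionScopes) |
    Where-Object { $_.Value -in @('Mail.Read', 'Mail.ReadWrite') } |
    Select-Object -ExpandProperty Id

$since = (Get-Date).AddDays(-$LookbackDays)

# 3. Every app registration that requests a mail permission and got a new credential in the window.
#    Service principals carry credentials too; the same loop can be run over Get-MgServicePrincipal -All.
foreach ($app in Get-MgApplication -All) {
    $requestsMail = @($app.RequiredResourceAccess) |
        Where-Object { $_.ResourceAppId -eq $graphSp.AppId } |
        ForEach-Object { $_.ResourceAccess } |
        Where-Object { $_.Id -in $mailPermissionIds }
    if (-not $requestsMail) { continue }

    $credentials = @(
        @($app.PasswordCredentials) | ForEach-Object {
            [pscustomobject]@{ Kind = 'Secret'; KeyId = $_.KeyId; Added = $_.StartDateTime }
        }
        @($app.KeyCredentials) | ForEach-Object {
            [pscustomobject]@{ Kind = 'Certificate'; KeyId = $_.KeyId; Added = $_.StartDateTime }
        }
    )
    foreach ($cred in $credentials | Where-Object { $_.Added -ge $since }) {
        [pscustomobject]@{
            Finding = 'NewCredentialOnMailApp'
            Object  = "$($app.DisplayName) ($($app.AppId))"
            Detail  = "$($cred.Kind) $($cred.KeyId) added $($cred.Added)"
        }
    }
}
```

Run it on a schedule and diff the output against the previous run; a credential that appears on a mail-capable app with no matching change ticket is the thing to chase. The directory audit log remains the authoritative record of who added the trust or credential and when.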

Exchange Server attack: Protect legacy systems

In March 2021 came a very disruptive attack. On-premises Exchange Servers came under direct attack through zero-day flaws. Microsoft initially indicated that the attacks were targeted, but it was later revealed that they were far more widespread. Microsoft also found that many mail servers were woefully behind on patching, which made it difficult to bring them up to date quickly, so it had to prepare patches for older update levels to keep customers safe. The FBI even went so far as to obtain court authorization and proactively remove the attackers’ web shells from Exchange Servers that were still compromised; that operation removed the web shells but did not patch the servers, which remained the owners’ job.

Lessons learned: Ensure that every legacy server is protected. On-premises Exchange Servers in particular are frequently targeted, so assign appropriate resources to keep them patched. Email is a key entry point into networks, both because phishing arrives through it and because attackers know how hard these servers are to patch and go after them accordingly.

Also, do not necessarily rely on the threat and risk evaluation provided by the vendor. Microsoft first indicated that the attacks were limited and targeted, but they were much more widespread and even impacted small firms.

PrintNightmare: Keep printers updated

The next major security incident is one we’re still dealing with nearly six months later. In July, Microsoft released an out-of-band update for a vulnerability named PrintNightmare. For network administrators, PrintNightmare has turned into a print management nightmare. The print spooler is older NT-era code that many urge Microsoft to rewrite entirely, but doing so would cause major disruptions for third-party print vendors. While the pandemic has pushed us away from in-person printing toward remote printing, even PDF printers rely on the print spooler to print to PDF.

Even now in December, we are still tracking side effects of the multiple print spooler-related patches released since then. A fix for several printing-related issues was included in the optional updates released at the end of December. It addresses cases where Windows print clients encounter the following errors when connecting to a remote printer shared on a Windows print server:

0x000006e4 (RPC_S_CANNOT_SUPPORT)

0x0000007c (ERROR_INVALID_LEVEL)

0x00000709 (ERROR_INVALID_PRINTER_NAME)

I’ve seen some network administrators opt to go unpatched due to the disruptive side effects of these updates.

Lessons learned: Even in the pandemic we still need to print. Whenever an update includes a fix for the print spooler service, you must assign appropriate resources to test it before deploying. Use third-party resources such as PatchManagement.org or the r/sysadmin forum on Reddit to monitor for side effects and workarounds you may need, rather than leaving your firm unprotected. The print spooler service should be disabled on servers and workstations that have no need to print and left running only on devices and servers that must print.
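The last point is the one that removes the attack surface entirely on most servers, and it is easy to automate. The following is an added example, not code from the article: for each host in an inventory it either stops and disables the Print Spooler (no print role) or, where printing is required, leaves the spooler alone and audits the Point and Print policy values that govern whether non-administrators can install print drivers, which is the behavior the PrintNightmare fixes tightened. It must run elevated against hosts that accept PowerShell remoting; the inventory, the host names and the NeedsPrinting flag are constructed for illustration.

```powershell
# Added example (not from the original article): disable the Print Spooler where a machine has
# no printing role, and audit the Point and Print hardening values on machines that must keep
# printing. Run elevated. The inventory below is constructed; the host names and the
# NeedsPrinting flag are assumptions for illustration.
function Set-SpoolerPosture {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$NeedsPrinting
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $NeedsPrinting.IsPresent -ScriptBlock {
        param([bool]$NeedsPrinting)

        $spooler = Get-Service -Name Spooler
        if (-not $NeedsPrinting) {
            # No print role: stop the service and make sure it cannot come back on reboot.
            if ($spooler.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
            Set-Service -Name Spooler -StartupType Disabled
            return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Spooler = 'Disabled'; Findings = @() }
        }

        # Must print: keep the spooler but verify the Point and Print restrictions that stop
        # non-admin users from installing printer drivers (the path PrintNightmare exploitation used).
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        $expected = @{
            RestrictDriverInstallationToAdministrators = 1   # only admins may install drivers
            NoWarningNoElevationOnInstall              = 0   # keep the elevation prompt on install
            UpdatePromptSettings                       = 0   # keep the prompt on driver update
        }
        $findings = foreach ($name in $expected.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $actual) {
                # Not configured by policy: the patched OS default applies. Report it so the
                # reviewer knows the value is not pinned by GPO.
                "$name not configured (OS default applies)"
            }
            elseif ($actual -ne $expected[$name]) {
                "$name=$actual (expected $($expected[$name]))"
            }
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Spooler = 'Running'; Findings = @($findings) }
    }
}

# Constructed sample inventory: which hosts have any reason to print.
$inventory = @(
    @{ Name = 'DC01';        NeedsPrinting = $false },
    @{ Name = 'SQL01';       NeedsPrinting = $false },
    @{ Name = 'PRINT01';     NeedsPrinting = $true },
    @{ Name = 'WKS-ACCT-07'; NeedsPrinting = $true }
)
foreach ($entry in $inventory) {
    Set-SpoolerPosture -ComputerName $entry.Name -NeedsPrinting:$entry.NeedsPrinting
}
```

Domain controllers and database servers are the obvious candidates for the disabled state; a print server or an accounting workstation that drives a check printer is not, and for those the Findings column tells you whether the driver-installation restriction is actually pinned by policy rather than left to whatever the current patch level defaults to.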

Ransomware: Block RPC and SMB communication

Among the security incidents we will see in 2022, ransomware will still be a major risk. It is now priced into cyber insurance policies, and the United States government has organized task forces to provide more protection, information and guidance to businesses facing this risk.

Lessons learned: Use your host and network firewalls to restrict RPC (TCP 135 plus the dynamic RPC port range) and SMB (TCP 445) so that workstations cannot reach each other over them and only designated management hosts can; this limits lateral movement as well as many other attack activities. Next, turn on tamper protection so attackers cannot stop or reconfigure your security services. Then enforce strong, randomized local administrator passwords. I recommend the Local Administrator Password Solution (LAPS), which gives every machine its own rotating password so a local admin hash stolen from one host cannot be replayed across the fleet.

Monitor for clearing of event logs; Windows writes security event ID 1102 when the Security log is cleared. Then ensure internet-facing assets have the latest security updates and audit them regularly for suspicious activity. Finally, determine where highly privileged accounts are logging on and exposing their credentials: monitor and investigate logon events (event ID 4624) by logon type, because interactive (type 2) and Remote Desktop (type 10) logons leave reusable credentials on the host, whereas ordinary network logons (type 3) do not. Highly privileged accounts should never be logging on to workstations.
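The firewall and event monitoring steps above can be expressed as one endpoint script. The following is an added example, not code from the article: it scopes inbound SMB and the RPC endpoint mapper on a domain workstation to a management subnet, then returns one object per Security log clearance (1102) and per interactive or RDP logon (4624, types 2 and 10) by a member of a privileged group. It must run elevated; the management subnet, the privileged group names, and the availability of the ActiveDirectory RSAT module for Get-ADGroupMember are assumptions.

```powershell
# Added example (not from the original article): scope inbound SMB and RPC on a domain
# workstation to a management subnet, then review the two Security event IDs named above.
# Run elevated. Assumptions: the management subnet, the privileged group names, and the
# ActiveDirectory RSAT module being available for Get-ADGroupMember.
$MgmtHosts        = '10.10.50.0/24'                          # assumed jump/management subnet
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')  # assumed never-on-a-workstation groups

# 1. Host firewall. Windows evaluates block rules ahead of allow rules, so a broad block plus a
#    narrow allow would block the management hosts too. Instead: default-deny inbound, disable
#    the built-in broad allows, and add allows scoped to the management subnet.
Set-NetFirewallProfile -Profile Domain, Private -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule
foreach ($rule in @(
        @{ Name = 'SMB-In (management only)';                 Port = 445 },
        @{ Name = 'RPC endpoint mapper-In (management only)'; Port = 135 })) {
    New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
        -LocalPort $rule.Port -RemoteAddress $MgmtHosts -Action Allow -Profile Domain, Private | Out-Null
}

# 2. Event review. Emits one object per finding so it can be scheduled and shipped to a SIEM.
function Get-RansomwarePrecursorEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Resolve privileged members once, nested groups included.
    $privileged = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
    }

    # 1102: the Security log was cleared. The subject lives under UserData, not EventData.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Finding   = 'SecurityLogCleared'
                Account   = $x.Event.UserData.LogFileCleared.SubjectUserName
                LogonType = $null
            }
        }

    # 4624: logon type 2 is interactive (console), 10 is RemoteInteractive (RDP). Both leave
    # credentials cached on the host, which is exactly what a privileged account must not do on
    # a workstation. Type 3 (network) is ordinary file-share/WMI traffic and is ignored here.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($field in $x.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Finding   = 'PrivilegedInteractiveLogon'
                Account   = $d['TargetUserName']
                LogonType = [int]$d['LogonType']
            }
        } |
        Where-Object { ($_.LogonType -in 2, 10) -and ($_.Account -in $privileged) }
}

Get-RansomwarePrecursorEvents -Hours 24 | Format-Table -AutoSize
```

A 1102 on a workstation has no benign explanation and should page someone; a domain admin appearing in the 4624 output on a workstation is the credential exposure the text warns about and is worth a conversation before it becomes an incident. Tamper protection and LAPS are not in the script because they are configured through Defender management and Group Policy respectively rather than through a per-host command.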


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
