SecOps Archives - ZPE Systems
https://zpesystems.com/category/secops/
Rethink the Way Networks are Built and Managed
Feed last updated: Wed, 08 Nov 2023 21:34:05 +0000

Breaking Down The 2023 Ragnar Locker Cyberattacks
https://zpesystems.com/breaking-down-the-2023-ragnar-locker-cyberattacks/
Fri, 03 Nov 2023 20:57:04 +0000
Many organizations suffered Ragnar Locker cyberattacks in 2023. 30-year cybersecurity expert James Cabe discusses the problem and solution.

Breaking Down the 2023 Ragnar Locker Cyberattacks

This article was written by James Cabe, CISSP, a 30-year cybersecurity expert who’s helped major companies including Microsoft and Fortinet.

Throughout 2023, several organizations were successfully hit by Ragnar Locker cyberattacks. The affected victims spanned the globe and were forced to shut down much of their critical operations, while the attackers demanded tens of millions of dollars in ransom payments. Despite the group being taken down by law enforcement in October, organizations are re-evaluating their defensive measures — and more importantly, their recovery strategies — to combat these attacks.

If you read my previous articles about the ongoing MOVEit breach and the ransomware that hit MGM, you probably know that isolation is key. It helps you fight through attacks by cutting the kill chain, so that you can restore services quickly without reinfection.

Who Carries Out Ragnar Locker Cyberattacks?

Recent Ragnar Locker cyberattacks were carried out by the Dark Angels Team cybercriminal group. Dark Angels Team’s modus operandi is to breach a company’s defenses, spread laterally, and steal data that can be used to extort the target company. The approach they take involves gaining access to the Windows domain controller, where they deploy ransomware. They encrypt devices using Windows and ESXi encryptors, which gives organizations little recourse aside from taking their critical systems offline in order to stop the spread.

Dark Angels banner

How Do Ragnar Locker Cyberattacks Start?

Ragnar Locker breaches, like all ransomware attacks, require a kill chain that must first be initiated. MITRE ATT&CK defines this as the ‘initial’ (Initial Access) tactic, and in these attacks the initial access comes from social engineering. Email stuffing is often the tactic of choice, whereby the attacker sends an email that appears to carry a trail of replies or forwards (see the example below). Email trails like this trick spam filters and land directly in the target’s inbox. When an employee clicks a malicious link inside the email, the attack kicks off.

An email showing an example of email stuffing.

Image: Email stuffing is used by marketers and threat actors alike to bypass spam filters.

How Do Companies Discover Ragnar Locker Cyberattacks?

After the Ragnar Locker cyberattack kicks off, the malicious link uses Java to load the locker ransomware; a series of batch scripts then installs a payload consisting of VirtualBox virtualization software. The virtual machine takes over, encrypts the host, and displays the ransomware message (see image below).

A Ragnar Locker ransomware message shown in a notes file.

Image: A Ragnar Locker ransomware message showing on encrypted devices.

How Do Ragnar Locker Cyberattacks Spread?

The attack spreads by gaining access to Windows domain controllers and then attacking the management interfaces of the VMware ESXi machines. Most organizations don’t properly segment or isolate these management interfaces. This makes them especially vulnerable even to older Babuk ransomware source code that is an ESXi encryptor. Basically, the attackers only need to gain access to the management network, and then they can attack the production network.

From Intel471: “VMware’s ESXi is called a ‘bare metal’ hypervisor because the underlying hardware on which it is installed doesn’t need an operating system. ESXi allows the hardware to be utilized for multiple virtual machines (VMs), which saves on hardware costs. ESXi is a fruitful target for attackers since it may be connected to several VMs and the storage for them. Security experts warn ransomware actors have built specific binaries to target these systems. Groups joining this trend include HelloKitty, Black Basta, Cheerscrypt and GwisinLocker.”

They continue, “Over the last few years, several vulnerabilities have been identified in ESXi, including CVE-2021-21974. The vulnerability is a heap overflow vulnerability within Open Service Location Protocol (OpenSLP), which is a network discovery tool. The vulnerability is remotely exploitable over port 427, and has a Common Vulnerability Scoring System Version 3.0 (CVSSv3) base score of 8.8. It’s suspected that it may be the vulnerability exploited in this attack. VMware said that “significantly out-of-date products” were targeted with vulnerabilities that had been addressed. It affects ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG and 6.5 before ESXi650-202102101-SG. Due to other vulnerabilities in OpenSLP, VMware disabled OpenSLP starting in 2021 in ESXi versions 7.0 U2c and ESXi 8.0, which is the current version.”

Ultimately, these attacks exploit two weaknesses in combination: a lack of management plane isolation for the VMware management interfaces, specifically port 427 (OpenSLP), and a lack of patching and updating. Organizations also typically lack a backup authentication mechanism for the control plane, as well as Privileged Access Management; both are good fallback options.
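The first of those weaknesses, management plane exposure, is something you can audit from a firewall or ACL export before an attacker finds it for you. The script below is an added example, not code from this article or from ZPE’s products: it assumes an isolated management subnet of 10.250.0.0/24, a constructed ESXi host inventory and a constructed first-match rule set, and reports every allow rule that lets a non-management source reach an ESXi management port. Port 427/OpenSLP comes from the article; 443 and 902 are assumed additions.

```python
"""Audit a first-match ACL for management-plane exposure of ESXi hosts.

Added example: the subnet, host inventory, port list (other than 427/OpenSLP,
which the article names) and rules below are constructed, not taken from any
real environment or from ZPE's products.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: the isolated management subnet that should be the only source
# allowed to reach ESXi management interfaces.
MGMT_NET = ipaddress.ip_network("10.250.0.0/24")

# Services reached through the ESXi management interface.
# 427/OpenSLP is the one the article calls out; 443 and 902 are assumed extras.
MGMT_PORTS = {427: "OpenSLP", 443: "ESXi host client / API", 902: "vSphere agent"}


@dataclass(frozen=True)
class AclRule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # 0 means any destination port
    action: str   # "allow" or "deny"


# Constructed inventory: ESXi management IPs.
HOSTS = {"esxi-01": "10.250.0.11", "esxi-02": "10.250.0.12"}

# Constructed rule set, evaluated top-down, first match wins.
RULES = [
    AclRule("10.250.0.0/24", "10.250.0.0/24", 0, "allow"),   # mgmt -> mgmt, expected
    AclRule("10.10.0.0/16", "10.250.0.11/32", 427, "allow"),  # user VLAN -> SLP: a finding
    AclRule("0.0.0.0/0", "10.250.0.0/24", 0, "deny"),         # default deny
]


def rule_covers(rule: AclRule, dst_ip: str, port: int) -> bool:
    """True if the rule's destination CIDR and port match this host/port."""
    in_dst = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
    return in_dst and rule.port in (0, port)


def find_exposures(rules, hosts, mgmt_net=MGMT_NET, ports=MGMT_PORTS):
    """Return (host, port, service, source_cidr) for every allow rule that lets a
    non-management source reach a management port, unless an earlier deny rule
    shadows that rule for the whole of its source range."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src_net = ipaddress.ip_network(rule.src)
        if src_net.subnet_of(mgmt_net):
            continue  # management-to-management traffic is expected
        for name, ip in hosts.items():
            for port, service in ports.items():
                if not rule_covers(rule, ip, port):
                    continue
                shadowed = any(
                    earlier.action == "deny"
                    and src_net.subnet_of(ipaddress.ip_network(earlier.src))
                    and rule_covers(earlier, ip, port)
                    for earlier in rules[:idx]
                )
                if not shadowed:
                    findings.append((name, port, service, rule.src))
    return findings


def is_isolated(rules, hosts, mgmt_net=MGMT_NET, ports=MGMT_PORTS) -> bool:
    """True when no management port is reachable from outside the management net."""
    return not find_exposures(rules, hosts, mgmt_net, ports)


if __name__ == "__main__":
    for host, port, service, src in find_exposures(RULES, HOSTS):
        print(f"EXPOSED: {host} tcp/{port} ({service}) reachable from {src}")
```

Run against the constructed rules it reports esxi-01 tcp/427 reachable from 10.10.0.0/16; deleting that rule (or placing a deny for the user VLAN above it) makes `is_isolated` return True. The same shape works for any first-match policy you can export to source/destination/port tuples.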

How Can Companies Stop Ragnar Locker Cyberattacks?

Ragnar Locker ransomware and other attacks are successful because companies don’t employ proper management plane isolation. Attackers can gain access to VMware management interfaces, and then they essentially have the keys to the kingdom. That’s it. No amount of defense can save you.

If you recall CISA’s binding operational directive, they call for an isolated management infrastructure. This is what we refer to as IMI. Rather than serving as a defense, like we think of traditional cybersecurity products, the IMI is an architecture that allows you to fight back. It’s your quick-reaction force, your cavalry, your secret weapon that ensures you always have a counterattack ready to deploy.

IMI is infrastructure that is dedicated — and most importantly, fully isolated from production assets — to ensuring operations can recover quickly from breaches and outages. Here’s a graphical breakdown:

Isolated Management Infrastructure diagram

The IMI includes all of the tools you need for rerouting traffic, decommissioning affected gear, wiping/re-imaging devices, and restoring infrastructure. You can also incorporate automation to speed the process along and make recovery something that happens in minutes or hours at the most. Aside from being completely isolated from production assets, the IMI itself is also segmented and employs zero trust practices. This means that you and only you have access to your secret weapon for cutting the ransomware kill chain.

How Do You Use Isolated Management Infrastructure?

An IMI can host an IRE (Isolated Recovery Environment), which is used to cut off all user data and remote access (except for OOB) to an entire infected site. A properly implemented recovery environment should automate most of these activities to speed up the recovery. One of the first considerations is the requirement for a secondary organization in your IAM that is not attached to normal operations. This is what is known as a set of “Break the Glass” accounts. These are known in military circles but have made it into formal practice as part of a strong playbook for ransomware. Once you do this, you can instantiate selected Zero Trust remote access to the site using credentials that are not in the scope of the attack, and then bring up a communications channel for a virtual war room using software like Rocket Chat, Jitsi, Slack, or other standalone communications tools that are installable on the IRE environment. 

Avoiding normal authentication methods or IAM and normal communication channels is required for the integrity of the recovery and strengthens the recovery playbook. During this time, no email may be used that is associated directly with the organization. Ideally, email should never touch an account that is associated with it either.

The next step is to create a new set of clean-side networks that do not directly connect to the main backbone, or to put the backbone behind another firewall for good/bad triage. Using sniffer software running on the IRE, the recovery team can then run a passive scan or an active scanner against all machines that continue trying to send email to Exchange/M365. You can give access to people who are deemed good (not sending traffic) but lock off (with an EDR) the ability to open Outlook for a while, keeping them on web email. From there, continue working through to find all the sending drives and check whether each has a good backup. If not, back up the infected drive for offline data retrieval later. Then re-image while scanning the UEFI BIOS during boot (if needed, run an IPMI scan). If the site has a list of assets that are considered crown jewels, prioritize these.

Once you have a segmented “clean side” established with all the network services required to operate the site (DNS, IAM, DHCP), Internet access can be restored to this site on a limited basis, meaning outbound communications only, nothing inbound. Restorative operations can continue apace, making sure that infected-side assets are captured in backup for later forensics, following chain of custody if damages are found to exceed insurance limits. This is decided in the war room.

Download the Isolated Management Infrastructure Blueprint

Now is the time to lay the groundwork for your IMI so you can fight back against ransomware. Download the Network Automation Blueprint, which gives you a step-by-step guide to building your Isolated Management Infrastructure.

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:

Nodegrid OS and ZPE Cloud achieve industry’s highest security with Synopsys
https://zpesystems.com/nodegrid-os-and-zpe-cloud-achieve-industrys-highest-security-with-synopsys/
Thu, 02 Nov 2023 15:33:00 +0000
ZPE Systems achieves the industry's highest security level by incorporating Synopsys code-quality measures. Read the details here.

Synopsys and ZPE validation

How do you address security across the software development life cycle?

“Security is the cornerstone of ZPE’s infrastructure management solutions,” says Koroush Saraf, Vice President of Product Management and Marketing at ZPE Systems. “Our automation platform touches every aspect of our customers’ critical infrastructure, from networking and firewall gear, to servers, smart PDUs, and everything else in their production network. The ZPE portfolio is architected with the strongest security and implemented with the same level of scrutiny.”

Given the critical nature of enterprise networking, security is paramount to ZPE’s customers.

“The average time taken to apply patches and fix vulnerabilities can be more than 205 days,” says Saraf. “This is due to many reasons: limited resources and time, concerns that something may break, or in some cases, admins don’t even know that a critical patch is available. That’s why ZPE takes on the responsibility for customers. They’re assured that the systems running their infrastructure are running the latest, most secure software. And if a patch fails, our built-in undo button reverts to a safe configuration before any damage can be done.”

Saraf adds, “Like with all modern organizations, ZPE uses a complex mix of proprietary, open source, and third-party software obtained through a variety of sources from the software supply chain. Think third-party libraries, packaged software from ISVs, IoT and embedded firmware, and especially open source components. In fact, studies show that over three-quarters of the code in any given application is likely to be open source.”

“Most third parties won’t provide the source code behind their software,” notes Saraf. “But the question remains whether that supplier is as security-conscious as ZPE. Again, we found the solution with Synopsys, which gives us insight into any third-party software we include without requiring access to the source code.”

The solution: Comprehensive security testing with Synopsys AST

Different security solutions focus on different aspects of vulnerability detection and risk mitigation. By layering multiple solutions such as static analysis, dynamic analysis, and software composition analysis, ZPE covers a wide range of potential vulnerabilities, ensuring that code quality and security issues are identified at various stages during the software development life cycle and across different types of code.

Table showing ZPE Systems' security in layers

Coverity® provides the speed, ease of use, accuracy, industry standards compliance, and scalability to develop high-quality, secure applications. Coverity identifies critical quality defects and security vulnerabilities as code is written, early in ZPE’s development process when they are easiest to fix. Coverity seamlessly integrates automated security testing into CI/CD pipelines, supports existing development tools and workflows, and can be deployed either on-premises or in the cloud.

WhiteHat™ Dynamic is a software-as-a-service dynamic application security testing solution that allows businesses to quickly deploy a scalable web security program. No matter how many websites or how often they change, WhiteHat Dynamic can scale to meet any demand. It provides security and development teams with fast, accurate, and continuous vulnerability assessments of applications in QA and production, applying the same techniques hackers use to find weaknesses. This enables ZPE to streamline the remediation process, prioritize vulnerabilities based on severity and threat, and focus on remediation and its overall security posture.

Black Duck® helps ZPE identify supply chain security and license risks even when it doesn’t have access to the underlying software’s code. This is a critical security tool for the modern software supply chain. Black Duck Binary Analysis can scan virtually any software, including desktop and mobile applications, third-party libraries, packaged software, and embedded system firmware. It quickly generates a complete Software Bill of Materials (SBOM), which tracks third-party and open source components, and identifies known security vulnerabilities, associated licenses, and code quality risks.

The result: A notable reduction of CVEs

“One of the outcomes from taking a comprehensive, layered approach to security testing has been a notable reduction in CVEs on the systems we deploy,” says Saraf.

“I think a lot of industry players don’t give enough attention to patching CVEs. They wait until after a security incident, or until a customer specifically asks. Unfortunately, it’s normal to see unpatched, outdated software running on critical infrastructure. The Equifax breach of 2017 is just one example that exposed the personal data of millions. It’s a particular problem with IoT and embedded devices—many of those systems get installed and forgotten. But it’s another attack surface, especially if you use the equipment for critical infrastructure automation.”

“ZPE’s goal is to reduce the attack surface of our systems to as close to zero as possible, by making sure that software vulnerabilities are identified and addressed, and that our software is running the most secure and up-to-date versions. It’s an ongoing process— what is vulnerability-free today won’t necessarily be so tomorrow—which is why ZPE always stays security-conscious. I think the company’s commitment to security has positioned ZPE as a trusted partner for enterprises seeking secure automation solutions for their critical infrastructure needs.”

Download the document for details about Synopsys and ZPE Systems

How to Fight the latest Ransomware Attacks

Nodegrid plus Synopsys is the most secure platform for Isolated Management Infrastructure (IMI). This architecture is recommended by the FBI and CISA, and allows you to fight back when ransomware strikes. Check out our latest IMI articles from cybersecurity veterans James Cabe and Koroush Saraf, who have helped companies including Fortinet, Microsoft, and Palo Alto Networks.

Dissecting the MGM Cyberattack: Lions, Tigers, & Bears, Oh My!
https://zpesystems.com/dissecting-the-mgm-cyberattack-lions-tigers-bears-oh-my/
Mon, 25 Sep 2023 19:46:33 +0000
Casino giants in the US were hit by ransomware in September 2023. Cyber expert James Cabe breaks down the attack & how to recover.

Dissecting the MGM Cyberattack

This article was written by James Cabe, CISSP, whose cybersecurity expertise has helped major companies including Microsoft and Fortinet.

The recent MGM cyberattack reportedly caused the company to lose millions in revenue per day. The successful kill chain attack — originally a military tactic used to accomplish a particular objective — granted inside access to the attackers, who encrypted and held for ransom some of MGM’s most prized assets. These ‘crown jewel’ assets, as they’re called in the cybersecurity realm, are most critical to the accomplishment of an organization’s mission. Because ransomware attacks persist in corporate networks until fully cleared, organizations must be ready to “fight through” an attack using resilient systems and effective procedures. This should involve identifying these crown jewels and designing them in a way that ensures they can operate through attacks.

When these types of large-profile attacks occur, many cast their eyes at cybersecurity leaders for failing to fend off the bad guys. The reality is these leaders struggle to get budget, corporate buy-in, and digital assets that are required to build a strong defense for business continuity. For MGM, it’s likely they also faced difficulty operationalizing current assets across a gigantic digital estate, and ultimately lacked a plan to recover from a total outage of crown jewel assets.

From the attacker’s perspective, an exceptional level of intelligence and preparation are required in order to understand a target’s internal operations and architecture and execute a successful kill chain. Successfully attacking a sophisticated organization like MGM requires rapid information stealing to capture and leverage cloud credentials, as well as to lock up those resources and lock out the most important support staff in an organization. This is the crux of the issue: infostealers and ransomware automate the mass grabbing of resources and quickly set up a denial of services for the stakeholders that are responsible for fixing these systems.

How did the MGM cyberattack start? After MGM discovered the breach, how did the attacker stay one step ahead? What approach should organizations take to ensure they can recover if they’re targeted?

Who Started The MGM Cyberattack, and How?

The MGM cyberattack began after an adversary group named “Scattered Spider” used phishing over the phone, an approach called ‘vishing,’ to convince an MGM customer support rep to grant them access with elevated privileges. Scattered Spider is the same group responsible for the SIM-swapping campaign that happened a few months ago, where they successfully subverted multifactor authentication. Their primary tactic is social engineering, which they use to steal personal information from employees.

MGM and many other casinos currently use advanced Zero Trust identity security from Okta. However, the attacker was able to trick the service desk into resetting a password to gain access to the network. Even with newer Zero Trust identity solutions, most organizations unravel once attackers get to the real “chewy center” of the network: the humans operating them.

Spider Bug Insect graphic

Okta is quoted saying, “In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.” Okta further warned, “The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.” 

The MGM cyberattack and those like it are more about processes than technology. Let’s explore how the attack progressed, and how the criminals were successful at staying persistent and ultimately hitting their goal. 

How Did A Simple Authentication Attack Morph Into a Complex Attack?

The Scattered Spider threat actors use a platform written by UNC3944 or AlphaV (known by several names). This is a middleware developer for attack platforms that allow criminals to follow a specific set of instructions (a kill chain) to gain access and ultimately encrypt and exfiltrate data from a targeted company. AlphaV’s platform is called BlackCat, which they use to establish a foothold, establish Command and Control (C2) for the malware, and exfiltrate data, to ultimately get paid.

With elevated Okta privileges at MGM, Scattered Spider deployed a file containing a Java-based remote access trojan, which became a “vending machine” for other remote access trojans (RATs) that sought out other nearby machines to spread quickly. The AlphaV RAT would ‘pwn’ MGM’s Azure virtual servers to gain access, then sniff for more user passwords and create dummy accounts.

These RATs leveraged a built-in tool called “POORTRY,” the Microsoft Serial Console driver turned malicious, to terminate selected processes on Windows systems (e.g., Endpoint Detection and Response (EDR) agents on endpoints). AlphaV, the platform maintainer, signed the POORTRY driver with a Microsoft Windows Hardware Compatibility Authenticode signature. This helped the malware to evade most Endpoint Detection software. 

This tool was used to get elevated and persistent access to the Okta Proxy servers that were in the scope of the attack and accessible remotely by the attacker. This attack can evade a lot of detection tools. This access allowed them to capture AM\IAM accounts that allowed them greater access to the organization. This stealing of credentials from the Okta Proxy servers was confirmed by Okta responders as well as the threat actor on their blog. This is called a “living off the land” attack. 

Alphv statement on MGM

How Did MGM Discover the Cyberattack?

The first notification of the hack was dropped on the VXUnderground forums. The staff there verified it through chat contact with the threat group UNC3944\AlphaV, which works in conjunction with the Scattered Spider threat actor. The attacker also confirmed this on their blog on the darknets.

On September 11, 2023, anyone attempting to visit MGM’s website was greeted by a message stating that the website was currently unavailable. The attack also stopped hotel card readers, gaming machines, and other equipment critical to MGM’s day-to-day operations and revenue generating activities. 

Screenshot showing MGM casino's website down.

How Did the Attacker Maintain Control?

The initial attack allowed AlphaV, who runs the C2 (Command and Control) networks for the RattyRat trojan, to have remote access to the VMware server farm that services the guest systems, the gaming control platforms, and possibly the payment processing systems. They maintained control despite all of MGM’s attempts to mitigate the problem, because they were able to establish elevated access in places the organization could not easily remove them from without removing access to the whole organization. They established something called “persistence.”

From the attacker’s blog on the darknet, “MGM made the hasty decision to shut down every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps. At this point MGM being completely locked out of their local environment. Meanwhile the attacker continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan. On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to ‘take offline’ seemingly important components of their infrastructure on Sunday. After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing.”

MGM tried many things to remove access to their network. However, because of an advanced attack that installed a shadow identity provider in MGM’s own identity solution, the attackers were able to maintain access long enough to redeploy access to most of the assets they found to be the backbone of the company. AlphaV was then able to encrypt most of the crown jewels of MGM’s operations network.

Is There a Way to Stop These Types of Attacks? 

The MGM cyberattack required physical reconnaissance, patience, and a lot of planning to set up the kill chain. Playbooks that can protect against this kind of attack are hard to create, because following them can mean taking all guest services offline for a period, which requires very high authority in the organization. One of the comments from the attacker was that the organization did not act fast enough to take all remote access to their management framework, which consisted of Okta Proxy Servers, offline. When they did, the adversary was able to lock them out by submitting a multifactor authentication reset. To stall the attacker, MGM would have had to induce a full outage of their crown jewels while a formal assessment of all assets was performed. Taking assets offline requires buy-in at the board level and executive level, which is difficult to come by even if an organization emphasizes its operational excellence, detection, and defense.

Organizations should have a plan to quickly recover from a total loss of a site, outside of backups (which can be lost) and disaster recovery sites. Organizations need to be properly hard-segmented into a full IMI (Isolated Management Infrastructure). Keeping crown jewels safe from an attacker that targets the chewiest part of an organization should be top of any list going from 2023 budget to 2024 planning.

The following is a light version of what can be done in a fully-automated response that can take mere hours instead of days for an outage (a full operations blueprint will be out in the near future).

Isolated Management Infrastructure diagram

An IMI can host an IRE (Isolated Recovery Environment), which is used to cut off all user data and remote access (except for OOB) to an entire infected site. A properly implemented recovery environment should automate most of these activities to speed up the recovery. One of the first considerations is the requirement for a secondary organization in your IAM that is not attached to normal operations. This is what is known as a set of “Break the Glass” accounts. These are known in military circles but have made it into formal practice as part of a strong playbook for ransomware. Once you do this, you can instantiate selected Zero Trust remote access to the site using credentials that are not in the scope of the attack, and then bring up a communications channel for a virtual war room using software like Rocket Chat, Jitsi, Slack, or other standalone communications tools that are installable on the IRE environment. 

Avoiding normal authentication methods or IAM and normal communication channels is required for the integrity of the recovery and strengthens the recovery playbook. During this time, no email may be used that is associated directly with the organization. Ideally, email should never touch an account that is associated with it either.

The next step is to create a new set of clean-side networks that do not directly connect to the main backbone, or to put the backbone behind another firewall for good/bad triage. Using sniffer software running on the IRE, the recovery team can then run a passive scan or an active scanner against all machines that continue trying to send email to Exchange/M365. You can give access to people who are deemed good (not sending traffic) but lock off (with an EDR) the ability to open Outlook for a while, keeping them on web email. From there, continue working through to find all the sending drives and check whether each has a good backup. If not, back up the infected drive for offline data retrieval later. Then re-image while scanning the UEFI BIOS during boot (if needed, run an IPMI scan). If the site has a list of assets that are considered crown jewels, prioritize these.

Once you have a segmented “clean side” established with all the network services required to operate the site (DNS, IAM, DHCP), Internet access can be restored to this site on a limited basis, meaning outbound communications only, nothing inbound. Restorative operations can continue apace, making sure that infected-side assets are captured in backup for later forensics, following chain of custody if damages are found to exceed insurance limits. This is decided in the war room.
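The clean-side triage step in this playbook (and in the identical recovery section of the Ragnar Locker article above) comes down to one question per host: is it still trying to submit mail, and is it a crown jewel? The script below is an added example, not part of either article: host names, the flow records as a sniffer on the IRE might record them, the mail submission endpoints and the crown-jewel list are all constructed. It counts submission attempts per host and builds a work queue with crown jewels first, then the noisiest senders, attaching the playbook’s action to each.

```python
"""Clean-side triage: sort hosts at an infected site by whether they still try
to send mail, and put crown jewels first, as in the recovery playbook above.

Added example, not part of either article: host names, flow records, mail
endpoints and the crown-jewel list are constructed.
"""
from collections import defaultdict

# Mail submission endpoints (on-prem Exchange and M365 SMTP); constructed names.
# Webmail over 443 is deliberately not listed: the playbook keeps users on it.
MAIL_SUBMISSION = {
    ("mail.corp.example", 25),
    ("mail.corp.example", 587),
    ("smtp.office365.com", 587),
}
CROWN_JEWELS = {"pos-gw-01", "dc-01"}   # assumed most critical assets at the site

# Constructed flow records from the IRE sniffer: (time, src host, dst, dst port)
FLOWS = [
    ("2023-11-01T09:00:01Z", "ws-101", "smtp.office365.com", 587),
    ("2023-11-01T09:00:05Z", "ws-102", "intranet.corp.example", 443),
    ("2023-11-01T09:01:12Z", "pos-gw-01", "mail.corp.example", 25),
    ("2023-11-01T09:02:00Z", "dc-01", "ntp.corp.example", 123),
    ("2023-11-01T09:02:30Z", "ws-101", "mail.corp.example", 25),
]
SITE_HOSTS = {"ws-101", "ws-102", "ws-103", "pos-gw-01", "dc-01"}  # ws-103 was silent

STILL_SENDING = "block mail client via EDR (webmail only); check backup, then re-image"
QUIET = "grant clean-side access"


def count_mail_attempts(flows, mail_submission=MAIL_SUBMISSION):
    """Number of mail submission attempts seen per source host."""
    attempts = defaultdict(int)
    for _, src, dst, port in flows:
        if (dst, port) in mail_submission:
            attempts[src] += 1
    return dict(attempts)


def triage(flows, hosts, crown_jewels, mail_submission=MAIL_SUBMISSION):
    """Return a work queue: crown jewels first, then by mail attempts descending,
    then by host name so the order is stable."""
    attempts = count_mail_attempts(flows, mail_submission)
    queue = []
    for host in hosts:
        n = attempts.get(host, 0)
        queue.append({
            "host": host,
            "crown_jewel": host in crown_jewels,
            "mail_attempts": n,
            "action": STILL_SENDING if n else QUIET,
        })
    queue.sort(key=lambda r: (not r["crown_jewel"], -r["mail_attempts"], r["host"]))
    return queue


if __name__ == "__main__":
    for row in triage(FLOWS, SITE_HOSTS, CROWN_JEWELS):
        flag = "*" if row["crown_jewel"] else " "
        print(f"{flag} {row['host']:<10} attempts={row['mail_attempts']}  {row['action']}")
```

A host with zero attempts in the capture is only provisionally “good”; ws-103 above was silent, which is why the playbook pairs the passive scan with an active scanner before handing out clean-side access. Feeding the function a longer capture window simply tightens the counts without changing the queue logic.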

Get the Blueprint for Isolated Management Infrastructure

Maintaining control of critical systems is something security practitioners deal with on the Operational Technology (Industrial Control Systems) side of an organization. For them, the critical and most impactful part of the problem is the loss of control rather than the loss of data, a problem highlighted by the MGM cyberattack. Operational Technology Safety and Security teams set up and maintain Safety Systems as a fallback measure in case of any kind of disaster. This automation allows services to fall back safely, from which point they can recover operations. In 2023, most of our business is done on computers and networks, and that is what business continuity planning has to cover. Now is the time for IT to start following this safety system blueprint as well.

Download the Network Automation Blueprint now, which helps you lay the groundwork for your IMI so you can recover from any attack.

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me.

Intel NUC Use Cases https://zpesystems.com/intel-nuc-use-cases-zs/ Fri, 22 Sep 2023 07:00:20 +0000 https://zpesystems.com/?p=37398 This post describes some of the most common Intel NUC use cases, explains the security and management issues that caused its discontinuation, and provides superior replacement options.

A mini-PC similar to an Intel NUC.

The Intel NUC, or “Next Unit of Computing,” is a small, appliance-like minicomputer that’s widely used across a variety of industries and applications. They’re tiny and relatively inexpensive, so you’ll often find them inside IoT devices and ruggedized cases. They’re also frequently deployed as jump boxes or service delivery appliances. However, Intel NUCs create added security risks, technical debt, and management headaches. Plus, Intel recently announced the discontinuation of all NUC product lines. This post describes some of the most common Intel NUC use cases, explains the security and management issues that caused its discontinuation, and provides superior replacement options.

Table of Contents

  1. Intel NUC use cases
  2. Intel NUC EOL products
  3. Why is Intel EOL-ing the NUC?
  4. Intel NUC replacement options from ZPE Systems
  5. Nodegrid product comparison
  6. Intel NUC replacement SKUs

Intel NUC use cases

While Intel NUCs have a dedicated fanbase among home enthusiasts, they’re primarily used by professional IT teams. Some popular Intel NUC use cases include:

  • Reducing carbon footprints: As investors place more importance on an organization’s environmental, social, and governance (ESG) practices, it becomes necessary to improve sustainability and reduce greenhouse gas emissions. Replacing inefficient PC towers with Intel NUCs can help reduce carbon footprints and improve ESG ratings.
  • Security and surveillance systems: An Intel NUC can run a wide range of security applications for things like entry control and surveillance cameras, eliminating the need for dedicated servers. Some IoT (Internet of Things) security devices have embedded Intel NUCs for greater mobility and efficiency.
  • Application delivery: Some service providers use Intel NUCs as platforms to deploy their software on-site to reduce hardware overhead costs. For example, a provider can install a NUC in their customer’s server room to deliver artificial intelligence (AI) or Software-as-a-Service (SaaS) applications.
  • Jump boxes: Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) often deploy Intel NUCs at customer sites to act as “jump boxes” used to remotely access client infrastructure without taking up rack space.
  • Rugged computing: When services are needed out in the field, such as in military or construction applications, a traditional laptop may not be heavy-duty enough to withstand operating conditions. Some organizations solve this problem by running their services on Intel NUCs installed inside rugged cases designed for the environment.
  • Customized appliance computing: For specialized applications requiring a high degree of physical customization, such as law enforcement surveillance systems, an Intel NUC is often used because it’s small enough to fit nearly any case.

Intel NUC EOL products

Intel recently announced it’s discontinuing all NUC products, with specific dates for end-of-sale, end-of-support, and end-of-security-support varying by product. ASUS agreed to take over manufacturing and support of NUC product lines, but it’s unclear what the transition will look like or how ASUS will develop the NUC in the future.

Click here to view a list of all Intel NUC end-of-life SKUs as well as direct replacement options.

Why is Intel EOL-ing the NUC?

Despite all the exciting enterprise use cases listed above, the Intel NUC was never intended to be used as an appliance. It has numerous security and management limitations that make it challenging for Intel (and ASUS, in the future) to support the NUC for enterprise applications, including:

  • There’s no dedicated platform to deploy or secure NUC applications
  • Each Intel NUC is managed and accessed individually with no centralized management
  • Intel NUCs create a lot of technical debt because they require a lot of coding, API knowledge, and other specialized skills to work with
  • NUC operating systems are usually left out of patch schedules, leaving vulnerabilities critically exposed
  • There is usually no ability to recover a non-responsive NUC remotely, requiring expensive on-site visits any time there’s a network hiccup or OS crash
  • NUCs often don’t have the onboard hardware Roots of Trust (e.g., TPM) needed to secure them properly
  • The hardware NUCs are embedded in often have unclear or undocumented supply chains
  • There’s no ability for bidirectional authentication to the cloud with unique certificates
  • The production data and applications are on the same plane as management processes, leaving management ports exposed

Intel NUCs are a quick and inexpensive way to deploy applications, jump boxes, and digital services, which is what makes them so popular in enterprises. However, due to a lack of security features and centralized management, NUCs are also popular with cybercriminals looking for an easy target to exploit. With Intel discontinuing all NUC product lines, it’s the perfect opportunity to look for a replacement option that delivers the same cost-efficient flexibility but with enterprise-grade security and management features built in.

Intel NUC replacement options from ZPE Systems

Nodegrid is a family of all-in-one networking, application delivery, and infrastructure management devices from ZPE Systems. Nodegrid was built with security in mind, taking a three-pronged approach that includes:

  1. Hardware security – Onboard security features like TPM 2.0 and self-encrypted disk (SED) protect your device even if it falls into the wrong hands.
  2. Software security – Nodegrid protects its software using features such as BIOS protection and Signed OS, and it can host third-party security applications for an even stronger defense.
  3. Management security – Nodegrid keeps the management plane isolated from the data plane and uses strong zero-trust authentication methods to protect your management interfaces.

Nodegrid reduces management headaches without reducing security or functionality. ZPE provides enterprise-level support for all Nodegrid products with a responsive engineering team and 24-hour CVE (common vulnerabilities and exposures) patching. Nodegrid also lowers the technical debt and can meet teams at their skill level. You can deploy Nodegrid and use it to manage solutions that are already in place without any specialized programming or API knowledge.

Plus, Nodegrid uses out-of-band (OOB) management and serial connectivity to ensure continuous remote access to the control plane, making it a superior choice to an Intel NUC jump box for MSPs and MSSPs. With OOB connection options like 5G/4G LTE, teams can remotely troubleshoot and recover systems, services, and applications, even during major network outages. Management of all Nodegrid-connected infrastructure is unified by a single platform for streamlined control at any scale.

Due to its size, cost, and open, Linux-based operating system, Nodegrid is just as flexible and efficient as an Intel NUC while delivering the centralized management, robust security, and responsive support needed in enterprise deployments.


Nodegrid product comparison

The entire family of Nodegrid edge solutions provides reliable OOB management and flexible service delivery capabilities protected by enterprise-grade security features. The Nodegrid Mini SR, Bold SR, and Gate SR are direct replacements for EOL Intel NUC models but offer so much more. Nodegrid is an entire Services Delivery Platform designed to streamline operations at any scale.

 

Model: Mini SR | Bold SR | Hive SR | Gate SR

CPU: X86-64bit Intel | X86-64bit Intel | (not listed) | X86-64bit Intel

Cores: 4 | 4 or 8 | 4 or 8 | 2, 4 or 8

Guest VM: 1 | 1 | 1-3 | 1-3

Guest Docker: 2+ | 2+ | 2+ | 2+

Storage: 14GB SED | 32GB – 128GB | 32GB – 128GB | 32GB – 128GB

Additional Storage: Up to 4TB | 512GB | Up to 4TB

Wi-Fi: Yes | Yes | Yes | Yes

Cellular modem: 1 | 1-2 | 1-2 | 1-2

5G: Yes | Dual 5G | Dual 5G

SIM slots: 1 | 4 | 4 | 4

Serial Console Switch: Via USB | 8 | Via USB | 8

Network: 2x 1Gb ETH | 5x Gb ETH | 2x WAN (ETH/SFP), 2x SFP | 4x 2.5Gb ETH | 2x SFP, 5x Gb ETH | 4x 1Gb ETH PoE+

To see first-hand why Nodegrid edge solutions are a superior choice for Intel NUC use cases, request a demo from ZPE Systems today.


Intel NUC replacement SKUs

Intel NUC EOL SKU | In scope features | ZPE replacement product

Every Intel NUC EOL SKU below shares the same in-scope features and the same set of ZPE replacement products, so those two columns are listed once after the SKUs.

Intel NUC EOL SKUs:

  • Intel® NUC 11 Performance Kit NUC11PAHI70900 (Lenovo)
  • Intel® NUC 11 Pro Kit NUC11TNKv5
  • Intel® NUC 11 Pro Board NUC11TNBv5
  • Intel® NUC 11 Pro Board NUC11TNBv7
  • Intel® NUC 11 Pro Kit NUC11TNHv50L
  • Intel® NUC 11 Pro Kit NUC11TNKv7
  • Intel® NUC 11 Pro Kit NUC11TNHv7
  • Intel® NUC 11 Pro Kit NUC11TNHv70L
  • Intel® NUC 11 Pro Board NUC11TNBi3
  • Intel® NUC 11 Pro Board NUC11TNBi5
  • Intel® NUC 11 Pro Board NUC11TNBi7
  • Intel® NUC 11 Pro Kit NUC11TNKi3
  • Intel® NUC 11 Pro Kit NUC11TNKi5
  • Intel® NUC 11 Pro Kit NUC11TNKi7
  • Intel® NUC 11 Pro Kit NUC11TNHi30L
  • Intel® NUC 11 Pro Kit NUC11TNHi50L
  • Intel® NUC 11 Pro Kit NUC11TNHi70L
  • Intel® NUC 11 Pro Kit NUC11TNHi3
  • Intel® NUC 11 Pro Kit NUC11TNHi5
  • Intel® NUC 11 Pro Kit NUC11TNHi7
  • Intel® NUC 11 Pro Kit NUC11TNHi30P
  • Intel® NUC 11 Pro Kit NUC11TNHi50W
  • Intel® NUC 11 Pro Kit NUC11TNHi70Q
  • Intel® NUC 11 Pro Board NUC11TNBi30Z
  • Intel® NUC 11 Pro Board NUC11TNBi50Z
  • Intel® NUC 11 Pro Board NUC11TNBi70Z
  • Intel® NUC 11 Pro Kit NUC11TNKi30Z
  • Intel® NUC 11 Pro Kit NUC11TNKi50Z
  • Intel® NUC 11 Pro Kit NUC11TNKi70Z
  • Intel® NUC 11 Pro Kit NUC11TNKv50Z
  • Intel® NUC Kit, NUC11PAHi30Z
  • Intel® NUC Kit, NUC11PAHi50Z
  • Intel® NUC Kit, NUC11PAHi70Z
  • Intel® NUC 11 Enterprise Edge Compute NUC11TNHv50L
  • Intel® NUC 11 Enterprise Edge Compute NUC11TNHv70L
  • Intel® NUC 11 Pro Kit NUC11TNHi50Z
  • Intel® NUC Kit, NUC10i5FNHN (no cord, US cord, EU cord, AU cord, IN cord)
  • Intel® NUC Kit, NUC10i5FNKN (no cord, US cord, EU cord, AU cord, IN cord)
  • Intel® NUC Kit, NUC10i3FNHN (no cord, US cord, EU cord, AU cord, IN cord)
  • Intel® NUC11 Enthusiast Kit, NUC11PHKi7C, with Core™ i7, RTX 2060 (no cord, US cord, EU cord, UK cord, AU cord, CN cord)
  • Intel® NUC Board NUC7PJYBN
  • Intel® NUC 11 Enthusiast Mini PC, w/ Core™ i7, RTX 2060, Optane™ Mem H10 (32GB+512GB) Solid State Storage, 16G RAM, Windows® 10 (No cord, US Cord, EU Cord, CN cord)
  • Intel® NUC 8 Rugged Kit NUC8CCHKRN (All SKUs)
  • Intel® NUC 8 Rugged Board NUC8CCHBN (All SKUs)
  • Intel® NUC Kit – NUC10i7FNHN
  • Intel® NUC Kit – NUC10i7FNKN
  • Intel® NUC Kit – NUC7CJYHN (All SKUs)
  • Intel® NUC Kit – NUC7PJYHN (All SKUs)
  • Intel® NUC 9 Pro Kit – NUC9VXQNX
  • Intel® NUC 9 Pro Compute Element – NUC9VXQNB
  • Intel® NUC 9 Pro Compute Element – NUC9V7QNB
  • Intel® NUC 12 Pro Kit NUC12WSKi50Z
  • Intel® NUC 12 Pro Kit NUC12WSHi50Z
  • Intel® NUC 12 Pro Kit NUC12WSKi70Z
  • Intel® NUC 12 Pro Kit NUC12WSHi70Z
  • Intel® NUC 9 Extreme Kit – NUC9i5QNX
  • Intel® NUC 9 Extreme Kit – NUC9i7QNX
  • Intel® NUC 9 Extreme Kit – NUC9i9QNX

In scope features (all SKUs above): Multi-core Intel processor, expandable memory & SSD storage, Wi-Fi

ZPE replacement products (all SKUs above):

  • ZPE-MSR24-W5
  • ZPE-MSR24-4G-W5
  • ZPE-MSR24-W5-EXT
  • ZPE-MSR24-4G-W5-EXT
  • ZPE-BSR-24a-W5
  • ZPE-BSR-24-4G-W5
  • ZPE-BSR-24-4G-W5-D128G
  • ZPE-BSR-48-W5
  • ZPE-BSR-48-4G-W5
  • ZPE-BSR-48-4G-W5-D128G
  • ZPE-GSR-48-W5
  • ZPE-GSR-48-4G-W5
  • ZPE-GSR-48-4G-W5-D128G
  • ZPE-GSR-816-W5
  • ZPE-GSR-816-4G-W5
  • ZPE-GSR-816-4G-W5-D128G

Want to learn more about replacing your Intel NUC with Nodegrid?

Ready to replace your Intel NUC with a Nodegrid alternative? Call ZPE Systems today at 1-844-4ZPE-SYS or contact us online.

What is Zero Trust Security? https://zpesystems.com/what-is-zero-trust-security/ https://zpesystems.com/what-is-zero-trust-security/#comments Thu, 21 Sep 2023 14:00:05 +0000 https://zpesystems.com/?p=37289 What is zero trust security? This post defines the term and discusses its history before providing a guide to implementing zero trust in your organization.

The post What is Zero Trust Security? appeared first on ZPE Systems.

]]>

As enterprise networks increase in complexity and distribution, and the frequency and severity of cybersecurity incidents also continue to grow, organizations must rethink traditional approaches to network security. That’s where the zero-trust methodology comes in.

What is zero trust security, you ask? This post defines the term and discusses its history before providing a guide to implementing zero trust security in your organization.

Table of Contents

  1. What is zero trust security?
  2. The history of zero trust security: A timeline
  3. Zero trust security benefits
  4. Zero trust security use cases and examples
  5. How to implement zero trust security
  6. Zero trust on the control plane
  7. Zero trust security simplified

What is zero trust security?

Zero trust is a network security model built on two main principles. The first gives the model its name and stipulates that networks must “never trust, always verify” any device or account, including those already within the network perimeter. As a result, a zero trust security framework requires any entity accessing network resources to authenticate successfully through a root of trust and a strong authentication method (e.g., one-time passwords or two-factor authentication).

The second pillar of a zero trust network is micro-segmentation. Instead of a singular, all-encompassing security perimeter, a zero trust approach uses the same strong authentication and highly specific security policies to establish trust at checkpoints along smaller, segmented perimeters. This combination limits the lateral movement of compromised accounts, which minimizes the impact of breaches and aids in protection, governance, and compliance.

The history of zero trust security

A timeline of the history of zero trust security.

NIST Special Publication 800-207 (Zero Trust Architecture) answered the question, “What is zero trust security?” using seven core tenets.

7 tenets of zero trust security
  1. All data sources, devices, computing services, and applications are considered resources.
  2. All network communication is secured regardless of where it originates from, even within the network perimeter.
  3. Access to individual resources is granted on a per-session basis, so trust can be re-evaluated upon each request.
  4. Trust is determined by dynamic policies that continuously assess client identity, behavioral patterns, location, time, and other attributes.
  5. The integrity and security posture of all enterprise assets are continuously monitored, with no asset inherently trusted.
  6. Access policies are strictly enforced using strong authentication every time a resource is requested.
  7. The network and infrastructure are continuously monitored, and the collected data is used to improve the overall security posture.

Zero trust security benefits

One of networking’s fundamental goals is to allow information to flow between computers, people, and organizations. However, that information is more decentralized now than ever before and must be relayed through various applications, partners, and third-party channels, increasing risk. Plus, the frequency of ransomware attacks and other highly sophisticated cybercrimes makes it a near certainty that a breach will occur even with the best protection strategies.

The zero trust security model operates under the assumption that a breach is already in progress, meaning an account or device is already compromised and accessing the network. It works to restrict an attacker’s movement on the network by erecting security checkpoints around each potential target and forcing them to re-establish trust. Limiting the blast radius of a cyberattack decreases the duration and cost of recovery operations so organizations can minimize the impact on their revenue and reputation.

4 benefits of zero trust security
  1. Zero trust limits how much an attacker can move around the network and how much data they can access before getting caught.
  2. Zero trust monitoring tools provide a high level of visibility into networks, which teams can use to streamline and optimize operations.
  3. Zero trust helps organizations identify malicious actors promptly so they can respond to incidents more quickly and decrease recovery times.
  4. Zero trust aids in compliance with data privacy and security regulations like FedRAMP and HIPAA.

Zero trust security use cases and examples

Organizations across any industry can benefit from the zero trust approach to network security. For example:

  • Ransomware often exploits vulnerabilities in unpatched software to compromise enterprise systems and move around the network, encrypting critical resources along the way. Establishing zero trust checkpoints at each micro-perimeter can help identify compromised resources and prevent their lateral movement, limiting the impact of ransomware and expediting recovery.
  • Operational Technology (OT) is used to automate machines that interact with the real world, such as HVAC systems or industrial robotics, which makes OT-related cyberattacks uniquely devastating. With recent reports indicating these attacks are on the rise, many organizations are using zero trust policies and controls to secure both their OT and their IT networks.
  • Many organizations use Internet of Things (IoT) devices to collect data, provide mobile services, automate critical operations, and more. However, these devices are a huge cybersecurity risk if not managed properly, especially in the financial sector and the medical industry. Zero trust security helps mitigate the risk by making it easier to identify compromised IoT devices and deny access to sensitive resources.

How to implement zero trust security

With an understanding of what zero trust security is, where it came from, and how it can be used, you can create an implementation plan that includes all the tools and processes you must deploy to achieve the zero trust model. There are four key questions to answer:

  1. How will we establish trust?
  2. How will we control and secure user access to resources?
  3. How will we identify and manage our attack surface?
  4. How will we enforce zero trust and detect attackers on the network?

Let’s discuss the best way to answer each of these questions and the natural progression to establishing a zero trust implementation plan.

1. Establishing trust

As the core of the zero trust strategy, this must be addressed before moving on to any subsequent steps. Establishing trust requires four things, implemented in this order:

  • Roots of Trust (RoTs) – Roots of Trust are hardware security mechanisms that provide cryptographic functions, key management, and other important features. An example would be a Trusted Platform Module (TPM). RoTs are inherently trusted and provide the foundation on which to build a zero trust security architecture, so it’s critical to choose solutions that provide the best and most up-to-date security features.
  • Identity and Access Management (IAM) – An IAM solution provides policy creation and deployment, identity verification, and trust assessment functionality. It acts as the gateway at each micro-perimeter, forcing accounts to verify their identity and re-establish trust before accessing enterprise resources.
  • Strong authentication – A password alone isn’t enough to prove someone’s identity, so strong authentication requires a secondary form of proof. Examples include one-time passwords (OTPs), authentication app keys, physical keys like USBs or smart cards, and biometric scans.
  • Privileged Access Management (PAM) – Similar to IAM, privileged access management focuses specifically on accounts with special access rights, such as sysadmin or service accounts.

2. Controlling access to resources

The next step is to establish control over who can access network resources and ensure that access is secured. The four areas to focus on, in order, are:

  • Access control policies – Zero trust requires highly specific policies that are custom-tailored to the resources being protected. The best practice is to use role-based access control (RBAC) instead of assigning individualized permissions to each account.
  • Threat intelligence – Threat intelligence refers to the information used by organizations and cybersecurity vendors to learn about threats to the network. This knowledge is used to determine which security solutions and controls are needed to defend specific network micro-perimeters.
  • Risk management – Risk management involves using threat intelligence and other sources of information to determine how risky it is to deploy particular technology solutions, work with specific third-party partners, or allow access to particular areas of the network.
  • Zero Trust Network Access (ZTNA) – ZTNA provides secure remote access to enterprise resources, similar to (but better than) a VPN. ZTNA connects remote users directly with the specific resource they’re requesting to access without letting them see or interact with anything else on the enterprise network.

3. Managing the attack surface

Creating effective micro-perimeters is impossible without a clear understanding of what’s being protected and what the potential risks are. This involves four components:

  • Asset management – You must have a total accounting of all the assets on the network, including information about software versioning, patch schedules, hardware security capabilities, and location.
  • Vulnerability management – Vulnerability management involves monitoring, discovering, reporting, and resolving software vulnerabilities. A robust vulnerability management strategy is required to prevent malicious actors from using software exploits (like the unpatched Accellion vulnerability) to bypass zero trust security controls.
  • Software Bill of Materials (SBOM) – A software bill of materials lists all the various third-party and open-source components present in a given software product. An SBOM is required to gain a full understanding of the risks associated with a particular solution and determine which policies and controls are required to defend it.
  • Attack surface management – Attack surface management involves identifying all the potential targets of a cyberattack, implementing policies and controls to defend those targets, and continuously monitoring for new threats. Effective attack surface management requires robust asset & vulnerability management as well as SBOMs for all software, so all previous processes must already be in place prior to this step.

4. Enforcing zero trust and detecting attacks

The final stage of zero trust implementation involves enforcing policies, detecting threats on the network, and dealing with those threats. These processes, in order, include:

  • Zero trust enforcement – You enforce zero trust policies using all the tools, processes, and information from previous steps. Many organizations adopt artificial intelligence (AI) and machine learning (ML) technologies for greater visibility into account activity. For example, User and Entity Behavior Analytics (UEBA) solutions monitor and analyze behavior so they can better detect anomalous account activity.
  • Threat detection – Threat detection involves monitoring the network to identify signs of attack, like malware execution, data exfiltration, repeated failed access requests, and unapproved registry changes.
  • Deception – Zero trust deception technology uses an overlay of “false” attack targets to lure malicious actors into revealing themselves and their motives without allowing them access to any real resources.

A NIST diagram of a zero trust architecture.

Source: NIST Special Publication 800-207 (Zero Trust Architecture)

It’s important to note that all of the steps and processes listed above must be followed chronologically because each successive stage builds upon the one before. It isn’t until all these steps are complete that an organization has achieved the zero trust security model.
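As an added example (not code from the original post or from ZPE), here is the per-session, policy-driven decision that the seven tenets and the four implementation steps above call for, written as a small policy decision point: each request is checked against device posture from asset and vulnerability management, root-of-trust attestation, strong authentication, RBAC, source network and time, it fails closed, and it issues only a short-lived grant that must be re-evaluated. All users, devices, resources and policy values are constructed.

```python
"""Per-session zero trust access decisions.

Added example, not code from the original post or from ZPE. It models the
NIST tenets discussed above (per-session grants, dynamic policy over
identity, device posture, network and time, default deny) for two sample
resources. Every name, attribute and policy value below is constructed
for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STRONG_FACTORS = {"otp", "authenticator", "smartcard", "fido2", "biometric"}


@dataclass(frozen=True)
class Device:
    device_id: str
    in_inventory: bool     # asset management knows this device
    tpm_attested: bool     # root of trust reports a trusted boot
    patch_age_days: int    # from vulnerability management


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    auth_methods: frozenset   # factors presented for this session


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    source_network: str       # e.g. "prod-lan", "mgmt-oob", "internet"
    when: datetime


@dataclass(frozen=True)
class Policy:
    allowed_roles: frozenset
    allowed_networks: frozenset
    max_patch_age_days: int = 30
    allowed_hours: tuple = (0, 24)   # UTC window [start, end)
    session_ttl: timedelta = timedelta(minutes=15)


# Constructed micro-perimeter policies. The OOB console is reachable only
# from the isolated management network, never from the production LAN.
POLICIES = {
    "payroll-db": Policy(frozenset({"finance", "dba"}), frozenset({"prod-lan"})),
    "oob-console": Policy(frozenset({"netadmin"}), frozenset({"mgmt-oob"}),
                          max_patch_age_days=14, allowed_hours=(6, 22)),
}


def decide(req: Request, policies=POLICIES):
    """Evaluate one request. Returns (allowed, reasons); fails closed."""
    policy = policies.get(req.resource)
    if policy is None:
        return False, ["no policy for resource: default deny"]
    reasons = []
    dev, sub = req.device, req.subject
    if not dev.in_inventory:
        reasons.append("device not in asset inventory")
    if not dev.tpm_attested:
        reasons.append("root-of-trust attestation failed")
    if dev.patch_age_days > policy.max_patch_age_days:
        reasons.append(f"device {dev.patch_age_days}d unpatched")
    if not (sub.auth_methods & STRONG_FACTORS):
        reasons.append("strong authentication not presented")
    if not (sub.roles & policy.allowed_roles):
        reasons.append("role not permitted for resource")
    if req.source_network not in policy.allowed_networks:
        reasons.append(f"network {req.source_network!r} not permitted")
    start, end = policy.allowed_hours
    if not start <= req.when.hour < end:
        reasons.append("outside allowed hours")
    return not reasons, reasons


def grant_session(req: Request, policies=POLICIES):
    """Per-session grant: a short-lived token tied to this exact request.
    Returns None when denied; the caller must re-run decide() after expiry."""
    allowed, _ = decide(req, policies)
    if not allowed:
        return None
    ttl = policies[req.resource].session_ttl
    return {"user": req.subject.user, "resource": req.resource,
            "expires": req.when + ttl}


def session_valid(session, now: datetime) -> bool:
    """Trust is not carried forward: an expired grant means re-evaluation."""
    return session is not None and now < session["expires"]


# Constructed sample: a network admin with OTP on an attested, patched laptop.
ADMIN = Subject("alice", frozenset({"netadmin"}), frozenset({"password", "otp"}))
LAPTOP = Device("lt-0042", in_inventory=True, tpm_attested=True, patch_age_days=3)
NOW = datetime(2023, 9, 21, 14, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok_req = Request(ADMIN, LAPTOP, "oob-console", "mgmt-oob", NOW)
    bad_req = Request(ADMIN, LAPTOP, "oob-console", "prod-lan", NOW)
    print(decide(ok_req))    # (True, [])
    print(decide(bad_req))   # (False, ["network 'prod-lan' not permitted"])
```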

Zero trust on the control plane

The management interfaces used by administrators to control network infrastructure are often excluded from zero trust implementation plans because end-users don’t typically access them. That means a compromised sysadmin account could potentially hijack the control plane and bring down critical infrastructure.

Organizations must apply zero trust security principles, policies, and controls to management infrastructure. The best practice, according to a recent CISA directive, is to keep the control plane on an isolated, out-of-band (OOB) network – also known as an Isolated Management Infrastructure (IMI). Isolating the management interfaces on a dedicated network prevents lateral movement to or from the production LAN. It also gives administrators a safe environment in which to recover from ransomware or other cyberattacks without risking reinfection; this is known as an isolated recovery environment (IRE).

The easiest and most effective way to implement an IMI is with OOB serial console servers. Ideally, these devices should have robust Root of Trust technology like TPM 2.0, use alternative network interfaces like 5G/4G cellular to ensure isolation and continuous access, and integrate with zero trust solutions such as IAM and PAM for consistent policy enforcement.

Zero trust security simplified

What is zero trust security? It’s both a mindset and a set of innovative technologies and cybersecurity methods that address the current threat landscape of frequent, sophisticated, and disruptive attacks on networks of all sizes. By following the principle of “never trust, always verify,” and using the implementation steps outlined above, you can defend your network and streamline recovery operations.

Are you looking for a way to simplify zero trust without sacrificing security? The Nodegrid platform from ZPE Systems includes a range of all-in-one solutions that combine LAN/WAN/Branch networking, out-of-band (OOB) management, zero touch provisioning (ZTP), and more. Nodegrid solutions are vendor-neutral and can run or integrate your choice of third-party zero trust solutions like IAM and ZTNA, reducing the number of security devices to deploy at each office or branch. Nodegrid boxes are protected by strong Root of Trust technology like TPM 2.0 and employ innovative security features like geofencing to form a robust foundation for your zero trust implementation.


Learn more or request a demo of the Nodegrid solution by contacting ZPE Systems today.

Contact Us

The post What is Zero Trust Security? appeared first on ZPE Systems.

Operational Technology Security https://zpesystems.com/operational-technology-security-zs/ Thu, 17 Aug 2023 08:00:45 +0000 https://zpesystems.com/?p=37065 This guide defines OT, explains how to overcome some of the biggest operational technology security challenges, and discusses the importance of recovery in building resilience in OT.

Figure: An engineer using a tablet to control robotic machinery, a typical operational technology use case.

Managing and securing operational technology (OT) is notoriously challenging because stakeholders focus on continuity and safety, and it is only getting harder as OT systems and networks grow more complex and distributed. Operational technology is a high-value target for cyberattacks: a successful attack has a severe impact on business operations, and OT environments typically have far less cybersecurity monitoring than IT, partly because physical security requirements and governance, risk, and compliance (GRC) obligations take precedence. It is simply harder to blend cybersecurity into operational security when the stakes are high and availability and continuity are the prime focus.

Early attempts to apply IT-specific security controls to OT had mixed success; a tool that works well in one scenario may fail in the next. Some tools used to discover and manage OT assets, such as Nmap (Network Mapper), can even be turned into weapons in the wrong hands. For example, AvosLocker ransomware affiliates have used Nmap NSE (Nmap Scripting Engine) scripts to scan endpoints for the Log4Shell vulnerability and select targets to exploit.

This guide defines OT, explains how to overcome some of the biggest operational technology security challenges, and discusses the importance of recovery in building resilience in OT.


What is operational technology (OT)?

Operational technology (OT) includes any equipment interacting with the real world, as well as the systems that control such equipment. Some examples of OT equipment include HVAC systems, door controls, industrial machinery, fluid system sensors, and medical robotics. Examples of OT control systems include programmable logic controllers (PLC), supervisory control and data acquisition systems (SCADA), building management systems (BMS), and building automation systems (BAS). These control systems enable a high degree of automation in fields like industrial manufacturing, water and energy utilities, building management, and medicine.

 
Figure: An example of how a typical OT network is isolated from the IT network and security infrastructure.

Operational technology security challenges & solutions

It’s tempting to believe that operational technology is safe from cyberattacks because it’s often isolated from the IT network; call it the “air gap” assumption. However, OT is a very tempting target for malicious actors precisely because it’s so critical to business operations. Research from Barracuda Networks found that over 90 percent of manufacturing organizations experienced cyberattacks on their production or energy supply in 2021. An OT attack can completely halt manufacturing lines, interrupt oil and gas supplies, or prevent life-saving procedures from taking place.

Operational technology security is a crucial focal point, but significant challenges exist.

Challenge: OT security tools are a double-edged sword

Nmap (Network Mapper) is a widely used network discovery tool. It started as a simple port scanner in 1997 and evolved over the years into a solid open-source tool for OS detection, service and version detection, and other network discovery features. Nmap aids OT security by mapping exposed operational technology controls so teams can patch and secure them. In the wrong hands, the same tool is used for reconnaissance against vulnerable, out-of-date systems.

The problem with tools like Nmap is that they discover information about any system with open ports that is reachable from wherever the tool runs, which is usually the production network. If an authorized network admin can find OS and version information from the production network, so can an unauthorized user with stolen credentials or a foothold on a production host.
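To make that exposure concrete, here is a small Python banner grabber, added as an example; it is not the article's code and not Nmap, just the core of what a version-detection scan does. It runs against a constructed in-process service on 127.0.0.1 (the banner text, port and version string are made up), so it works offline; point `scan()` at a real management interface from the production network and you will see exactly what an intruder with a foothold there sees.

```python
import re
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed sample service: greets every client with a firmware banner, as
# many embedded telnet/management daemons on OT gear do. It listens only on
# 127.0.0.1 so the example runs offline; the banner text is made up.
FAKE_BANNER = b"PLC-Gateway telnetd fw 2.3.1 (build 2019-04-17)\r\nlogin: "

# Matches version strings such as "fw 2.3.1", "version 4.2", "v1.0.7"
VERSION_RE = re.compile(rb"\b(?:fw|firmware|version|v)\s*([0-9]+(?:\.[0-9]+)+)", re.IGNORECASE)


def start_fake_service() -> int:
    """Start the constructed banner service on an ephemeral port and return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port() -> int:
    """Return a port number that was free a moment ago (used as the 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Connect and return whatever the service volunteers.

    None  -> port closed or unreachable
    b""   -> port open but silent (still a reachable service)
    bytes -> open and chatty: the banner usually leaks product and version
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(512)
            except socket.timeout:
                return b""
    except OSError:
        return None


def scan(host: str, ports: Iterable[int]) -> Dict[int, Optional[bytes]]:
    """Banner-grab each port: this is what any host that can reach the port learns."""
    return {port: grab_banner(host, port) for port in ports}


def extract_version(banner: Optional[bytes]) -> Optional[str]:
    """Pull a dotted version out of a banner, as a fingerprinting scanner would."""
    if not banner:
        return None
    m = VERSION_RE.search(banner)
    return m.group(1).decode() if m else None


if __name__ == "__main__":
    open_port = start_fake_service()
    for p, banner in scan("127.0.0.1", [open_port, reserve_closed_port()]).items():
        print(p, "closed" if banner is None else f"open, version={extract_version(banner)}")
```

If a run like this from a production host returns a banner for a controller or console server, that interface belongs on the OOB management network, not on a subnet the scanner can reach.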

Security teams need an efficient way to discover, patch, and manage operational technology without exposing these systems to cybercriminals.

Solution: Out-of-band (OOB) OT management

An out-of-band (OOB) network uses dedicated network infrastructure to create a control plane that’s completely isolated from the production network. An OOB serial console server is the most efficient way to build one. The device connects directly to OT equipment and control systems via their management ports (e.g., RS-232 serial), so administrators can monitor and patch vulnerabilities without exposing OS and version information to the production network.

An OOB serial console also uses alternative network interfaces—such as LTE cellular or dial-up—to ensure this management network is always remotely accessible by administrators, even when the production ISP, WAN, or LAN goes down from a failure or breach. With this added redundancy, teams can recover and restore critical OT operations much faster, even when the outage occurs in a remote or hard-to-reach location.

An out-of-band OT management solution provides efficient patch management without exposing vulnerable systems to cybercriminals. OOB also streamlines OT recovery efforts to minimize the impact of successful attacks and other failures.

Challenge: OT isolation hinders disaster recovery and Zero Trust

Since operational technology is often isolated from the IT network on its own LAN, there usually isn’t any way to access the control systems remotely. Operators must be on-site to use SCADA or PLC systems to monitor and control industrial processes. If on-site access is impossible, for example, due to a global pandemic or natural disaster, OT operations completely shut down. For example, increased tornadoes, floods, and other natural disasters in the midwest have forced major companies like General Motors and Amazon to close regional plants and logistics centers. When workers are sent home, operations grind to a halt unless operators have a way to access their OT control system remotely.

In addition, this separation makes it difficult to extend Zero Trust to operational technology. Without strong authentication, granular security policies, and targeted protection, there’s a significant risk of breaches. Plus, a lack of Zero Trust makes it difficult to contain the lateral movement of a malicious actor who’s using stolen credentials, which increases the blast radius and business impact of cyber incidents. 

Organizations need a way to minimize operational disruptions from natural disasters and apply Zero Trust to OT networks if they want to improve their resilience.

Solution: IT/OT convergence with vendor-neutral platforms

IT/OT convergence involves bringing information technology and operational technology together under one management umbrella and securely bridging the gap between the two networks. 

An IT/OT convergence strategy improves business resilience in two ways:

  1. It brings OT onto the same enterprise network as IT systems which facilitates the use of remote tools (like VPNs or ZTNA), giving operators access to OT control systems from off-site
  2. It brings OT within the purview of Zero Trust security controls like multi-factor authentication (MFA), identity and access management (IAM), and deep packet inspection (DPI)

The easiest way to achieve IT/OT convergence without gaps is to use a vendor-neutral management and orchestration platform. For example, an OOB serial console with an open OS architecture that integrates with multi-vendor OT systems gives administrators a single-pane-of-glass view of the converged IT/OT infrastructure. A platform that can host or integrate third-party Zero Trust solutions also enables unified orchestration of IT and OT security.

By converging IT and OT, organizations can keep business running during natural disasters and limit the blast radius of breaches. A vendor-neutral platform also provides unified security orchestration for greater coverage and improved efficiency.

Operational technology security & resilience

A comprehensive operational technology security strategy will help improve resilience by preventing some cybersecurity incidents and reducing the impact of the rest. However, it’s impossible to ensure 100% protection, especially with ransomware attacks on the rise. That’s why it’s important to distinguish between security and resilience; security provides preventative measures, but resilience is your ability to withstand adversity and keep business flowing. 

One of the best measures of resilience is how quickly you can recover from outages caused by failures and attacks. And the best way to ensure a speedy recovery, according to Gartner and CISA, is to use isolated management infrastructure such as OOB serial consoles to create an isolated recovery environment (IRE). This gives teams a dedicated environment, insulated from ransomware and production failures, where they can rebuild and restore critical services.

Download our whitepaper 3 Steps to Ransomware Recovery for more guidance on streamlining IT/OT recovery and improving business resilience.

 

Building OT security & resilience with Nodegrid

The Nodegrid platform from ZPE Systems is a complete resilience solution that delivers OOB operational technology management and vendor-neutral IT/OT convergence. Using Nodegrid out-of-band solutions as your isolated management infrastructure ensures teams have 24/7 remote access to monitor, patch, troubleshoot, and recover operational technology. The open, Linux-based Nodegrid OS supports VM and container hosting and easy integrations, so you can deploy and control third-party applications for Zero Trust, OT management, and more from a single platform. Nodegrid can also host all the tools your team needs to recover and rebuild critical services, including tearing down and rebuilding production networks from scratch, making it a natural fit for building an isolated recovery environment.

Nodegrid can also run 3rd-party automation solutions such as software-defined networking (SDN)/software-defined wide area networking (SD-WAN), infrastructure as code (IaC), and artificial intelligence for IT operations (AIOps). Automating workloads helps reduce the risk of human error, while automating root-cause analysis (RCA) and security event analysis can significantly speed up recovery efforts, creating a more resilient network.

Medical Devices Cybersecurity Risk https://zpesystems.com/medical-devices-cybersecurity-risk-zs/ Wed, 16 Aug 2023 17:56:31 +0000 https://zpesystems.com/?p=37078 Discussing the factors that make medical devices a cybersecurity risk before providing mitigation strategies to help healthcare organizations.

Figure: A hacker’s laptop connected to a stethoscope, representing medical device cybersecurity risk.

The healthcare industry is one of the largest adopters of “Internet of Things” (IoT) technology, using internet-enabled devices to monitor patient health, dispense lifesaving medication, perform medical procedures, and more. Some examples of IoT devices used in healthcare include insulin pumps, pacemakers, heart rate monitors, and intracardiac defibrillators. These devices allow healthcare teams to provide advanced care in bustling urban centers as well as remote or rural areas where frequent in-person visits are impossible.

However, these devices often run outdated software: patch management is difficult, updates are time-intensive, and busy clinical teams tend to defer them. In addition, healthcare organizations and patients alike often sacrifice security hygiene for convenience, increasing the likelihood of stolen credentials and compromised devices. And since these devices often operate in patient homes and other locations outside the organization’s network, security teams may not even know an IoT device has been stolen or compromised until it’s too late.

Many cybercriminals target IoT medical devices to harvest sensitive health data, but in the process could cause a pacemaker to crash and severely injure the patient. To address the growing threat of ransomware and other cyberattacks on patient health devices, the FDA recently issued a set of guidelines for securing medical devices. In this post, we’ll discuss the factors that make medical devices a cybersecurity risk before providing mitigation strategies to help healthcare organizations meet FDA requirements.


What makes medical devices a cybersecurity risk?

Every internet-enabled device expands an organization’s attack surface, giving cybercriminals something new to compromise and gain access to data and other resources. Medical devices are particularly risky for three reasons.

  • Outdated software – It’s difficult to update software on remote, wearable, or implanted medical devices without causing a (potentially dangerous) disruption to the patient. A recent FBI report showed that 53% of IoT medical devices had known, unpatched vulnerabilities in their software, making them more susceptible to cyberattacks.
  • Poor security hygiene – Teams often deploy medical devices with easy, insecure passwords for ease of use. While this may make operating and troubleshooting these devices easier for busy healthcare practitioners, it also significantly increases the cybersecurity risk.
  • Inadequate monitoring – Once medical devices leave the central network, it can be difficult for admins to monitor software versioning, account activity, device location, and other critical security metrics. That means they may not be aware of breaches or failures that put patient health at risk.

Medical device cybersecurity risk mitigation strategies

Due to the increased frequency of attacks and the potential to cause patient harm, the FDA released guidance earlier this year to address medical device cybersecurity risks. For the FDA to consider a medical device “secure,” there must be plans and processes in place to monitor, identify, and patch vulnerabilities, both on a routine schedule and as soon as possible in response to specific threats. There are also additional requirements to demonstrate that reasonable security measures are in place, including strong authentication.

This guidance is intentionally broad, giving general rules without detailing exactly how to achieve compliance. Let’s discuss three specific risk mitigation strategies that address the above mentioned risk factors and meet FDA guidelines.

Automated patch management

Medical device manufacturers and service providers must continuously monitor for vulnerabilities and release software patches on a regular schedule to comply with the FDA’s ruling. Automated monitoring, configuration management, and software delivery tools can all help teams stay on top of demanding patch schedules. On the consumer side, healthcare teams can use automated patch management solutions to ensure updates are installed as soon as they’re available, reducing manual workloads and improving device security.

Zero trust security

Zero trust security is a methodology that involves applying highly specific security policies and building checkpoints of security controls around individual network resources. Zero trust requires strong passwords and uses technology like multi-factor authentication (MFA) to prevent compromised accounts from accessing devices or data. Zero trust is difficult to achieve, and it can be challenging to get overworked healthcare providers or elderly patients to follow stricter password guidelines, but it’s quickly becoming standard practice for new medical devices and cloud services. Teams can help smooth the transition by providing additional training and support when deploying new healthcare technology.

Vendor-neutral monitoring

Administrators need to track device metrics to ensure the equipment functions correctly and identify any signs of compromise. Often, devices come with software monitoring solutions that are specific to a particular vendor, but most healthcare teams deploy a wide variety of equipment from multiple vendors. As a result, admins must log in to several different dashboards, all of which provide varying degrees of coverage and granularity. A vendor-neutral monitoring platform can unify all these disparate systems, making it easier to track device health and spot potential problems.

Medical device security, recovery, and resilience

Medical devices pose a significant cybersecurity risk, and the consequences of successful breaches could be deadly. The FDA urges medical device providers to follow guidelines for vulnerability monitoring, patch management, and overall cybersecurity. In addition, healthcare organizations can use automated patch management, zero trust security, and vendor-neutral monitoring platforms to improve their security posture.

It’s also vital that organizations have a plan for how to recover remote medical devices that are compromised by ransomware or other cyberattacks. The faster teams can restore, rebuild, or replace the device, the better the patient’s health outcomes. This combination of security and recovery planning makes healthcare networks more resilient to cyberattacks and failures.

For example, the Nodegrid platform from ZPE Systems allows healthcare teams to deploy automation, zero trust security, monitoring, recovery tools, and more from one unified system. Nodegrid’s out-of-band management solutions can also be used to build an isolated recovery environment where teams can rebuild and restore compromised systems without the risk of reinfection.

To learn more about recovering from ransomware and other medical device cybersecurity risks, download our whitepaper, 3 Steps to Ransomware Recovery.

Zero Trust Security Architecture https://zpesystems.com/zero-trust-security-architecture-zs/ Fri, 04 Aug 2023 23:04:52 +0000 https://zpesystems.com/?p=36902 This post defines a zero trust security architecture, discusses some of the gaps typically left in such an architecture, and provides tips for avoiding these pitfalls.

Figure: The words “zero trust” in a circle over a simulated computer architecture background.

In today’s economy, businesses can’t afford to neglect their cybersecurity architecture. According to a recent report, cybercrime damages are expected to reach $10.5 trillion annually by 2025. Attacks are more frequent and damaging, thanks partly to the difficulty in establishing a solid security perimeter around a modern enterprise network. With Internet of Things (IoT) device usage on the rise and networks expanding to include remote branch offices and edge data centers, it can be impossible to clearly define the boundaries of a network, let alone effectively defend those boundaries. For example, many organizations use tools like Citrix to enable secure remote access to enterprise resources, but recently, high-risk vulnerabilities were discovered in several Citrix gateway products. The very tools we rely on to defend our expanding perimeter may leave us the most exposed to attacks.

The zero trust security methodology was created to address the challenges involved in traditional, perimeter-based defense strategies. This post defines a zero trust security architecture, discusses some of the gaps typically left in such an architecture and provides tips for avoiding these pitfalls.


What is a zero trust security architecture?

A zero trust security architecture is designed around the principle of “never trust, always verify.” Traditional security architectures assume that every user and device should be implicitly trusted as long as they’re inside the organization’s network perimeter. That assumption leaves compromised accounts and malicious insiders free to move laterally around the network, accessing and exfiltrating data or executing ransomware in the process.

On the other hand, a zero trust security architecture assumes that every account and device is already compromised unless trust is continuously established. The zero trust model was developed by Forrester analyst John Kindervag beginning in 2009 and formally published in 2010; around the same time, Google launched its BeyondCorp initiative with the sole purpose of designing and building a zero trust architecture for its own workforce.

Zero trust uses network micro-segmentation, advanced authentication, Layer 7 (application-level) threat monitoring, and highly-granular security policies to verify trust and prevent lateral movement. Risk is calculated for each resource on the network, and then micro-perimeters of specific security controls are built around the resource micro-segment. Users and devices must establish trust each time they hit a micro-perimeter no matter how elevated their accounts are or where they’re accessing the network from, making it easier to spot and disable a compromised account. This is how a zero trust architecture limits the blast radius and duration – and thus the cost – of cyberattacks.
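As an added example, not from the article, the following Python sketch shows how a micro-perimeter evaluates each request on its own terms. The resources, groups and thresholds are constructed; the point is that the principal carries no “inside the network” attribute at all, so a valid session built on stolen credentials clears the low-risk resource and is stopped at the high-risk ones.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    """What the requester can prove right now. There is deliberately no
    'source network' field: being on the LAN earns nothing."""
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    device_compliant: bool
    session_age_s: int


@dataclass(frozen=True)
class MicroPerimeter:
    """Controls wrapped around one resource, sized to that resource's risk."""
    resource: str
    allowed_groups: FrozenSet[str]
    require_mfa: bool
    require_compliant_device: bool
    max_session_age_s: int


def evaluate(p: Principal, mp: MicroPerimeter) -> Tuple[bool, List[str]]:
    """Re-establish trust for this one resource; every failed control is reported."""
    reasons: List[str] = []
    if not (p.groups & mp.allowed_groups):
        reasons.append("identity not authorised for this resource")
    if mp.require_mfa and not p.mfa_verified:
        reasons.append("MFA required")
    if mp.require_compliant_device and not p.device_compliant:
        reasons.append("device posture not compliant")
    if p.session_age_s > mp.max_session_age_s:
        reasons.append("session too old: re-authenticate")
    return (not reasons, reasons)


# Constructed micro-perimeters for three resources of rising sensitivity.
PERIMETERS = [
    MicroPerimeter("wiki", frozenset({"staff"}), False, False, 8 * 3600),
    MicroPerimeter("plc-hmi", frozenset({"ot-operators"}), True, True, 3600),
    MicroPerimeter("backup-vault", frozenset({"backup-admins"}), True, True, 900),
]


def lateral_move(p: Principal, perimeters=PERIMETERS) -> Dict[str, bool]:
    """Outcome of one principal touching every resource: where does trust hold?"""
    return {mp.resource: evaluate(p, mp)[0] for mp in perimeters}


if __name__ == "__main__":
    # Same username and groups, but no MFA and an unmanaged device: the
    # stolen-credential case. Only the low-risk resource opens.
    stolen = Principal("alice", frozenset({"staff", "backup-admins"}), False, False, 120)
    print(lateral_move(stolen))
```

In a perimeter model the two requests below would be indistinguishable once inside the LAN; here the backup vault re-checks MFA, device posture and session age every time, which is what turns a compromised admin account into a contained incident instead of a lost backup set.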

Tips for implementing zero trust without gaps

Zero trust is not a single solution to purchase and deploy in your enterprise; it’s a combination of tools, policies, and processes that contribute to a more resilient network. The complexity of a zero trust architecture makes it prone to gaps. For example, manually configuring and managing so many moving parts increases the risk of human error. Additionally, zero trust doesn’t prevent 100% of attacks, yet many organizations lack a comprehensive recovery plan. And you can’t have a zero trust environment unless you isolate all administrative interfaces for infrastructure.

During the planning stage of your zero trust security implementation, you should keep the following three questions in mind:

  1. How will you manage so many different policies and solutions?
  2. Do you have tools to aid you in recovering from a successful attack?
  3. How will you protect your control plane from malicious actors on your network?

Addressing these challenges with the following best practices will help you build a successful zero trust security architecture.

Reduce human error with centralized orchestration

A zero trust security architecture includes hundreds or thousands of individual security policies and solutions. Configuring and managing this architecture is a monumental task prone to human error, which leads to potential vulnerabilities. According to Microsoft, 80% of ransomware attacks can be traced to common configuration errors, making human error a major threat to network resilience. The best way to reduce complexity and prevent mistakes is to be able to see and manage all your solutions from one place, with the ability to automate regardless of skill level.

A centralized security orchestration platform allows administrators to configure, monitor, deploy, and automate all their zero trust solutions from a single place. The best practice is to use a vendor-neutral platform that integrates with third-party zero trust vendors for identity and access management (IAM), next-generation firewalls (NGFWs), and more. Such a platform allows organizations to build bespoke micro-perimeters using their preferred solutions, regardless of vendor, and still manage the entire architecture from a single pane of glass. Plus, with a holistic view of the security architecture, organizations gain a more accurate perspective on their overall security posture and have the context needed to spot systemic issues or subtle indicators of a breach.

Prioritize incident response and recovery planning

According to a recent report from Check Point Research, the global volume of cyberattacks reached an average of 1168 per week per organization in Q4 of 2022. That means there’s no question of “if” a breach will occur, only “when” it will happen. It’s essential to consider incident response and recovery when you build your zero trust security architecture to reduce the cost of an attack.

Research from Sophos found that 70% of organizations hit by ransomware took longer than two weeks to recover, implying they didn’t have the right recovery architecture in place. Downtime gets more expensive the longer it goes on, so organizations must improve their recovery capabilities. For example, data backups are critical to recovery efforts, so they must be protected by zero trust authentication and policies to prevent compromise or corruption. In addition, backup data, systems, and infrastructure must be validated with security scans before they’re restored to ensure they don’t reinfect the network with malware. Getting business back up and running as soon as possible will decrease the cost of cyberattacks, which means a recovery toolkit is an essential component of a zero trust architecture.
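One concrete piece of that validation is checking that a backup set is exactly what was written before it is restored. The Python example below is added here (it is not the article’s or ZPE’s code) and assumes an HMAC key held on the recovery side, for instance inside an isolated recovery environment, and never stored with the backup; the sample backup tree, key and file names are constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: the manifest key lives with the recovery tooling, never on the
# backup medium it protects. Key and sample files are constructed for this example.
RECOVERY_KEY = b"constructed-recovery-side-key"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root, in a stable order."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path, key: bytes) -> bytes:
    """Hash every file in the backup and sign the listing with an HMAC."""
    files = _tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "hmac": tag}).encode()


def verify_backup(root: Path, manifest: bytes, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the set matches what was written."""
    doc = json.loads(manifest)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        # Stop here: an altered or unsigned manifest proves nothing about the files.
        return ["manifest signature invalid: manifest altered or wrong key"]
    problems: List[str] = []
    current = _tree(root)
    for rel, digest in doc["files"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(set(current) - set(doc["files"])):
        problems.append(f"unexpected: {rel}")  # e.g. a planted binary or web shell
    return problems


def _make_sample_backup(root: Path) -> None:
    """Constructed two-file 'backup' standing in for a real restore set."""
    (root / "db").mkdir()
    (root / "db" / "config.ini").write_text("[db]\nhost=10.0.0.5\n")
    (root / "www").mkdir()
    (root / "www" / "index.html").write_text("<html>ok</html>\n")


def demo(tamper: bool = False, wrong_key: bool = False) -> List[str]:
    """Build a sample backup, sign it, optionally tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _make_sample_backup(root)
        manifest = build_manifest(root, RECOVERY_KEY)
        if tamper:
            (root / "db" / "config.ini").write_text("[db]\nhost=203.0.113.9\n")
            (root / "www" / "cmd.aspx").write_text("<%-- planted after backup --%>\n")
        return verify_backup(root, manifest, b"wrong-key" if wrong_key else RECOVERY_KEY)


if __name__ == "__main__":
    print("clean:", demo())
    print("tampered:", demo(tamper=True))
    print("wrong key:", demo(wrong_key=True))
```

A signed manifest catches files altered, removed or planted after the backup was taken, which is what a “validate before restore” step needs to rule out. It complements, rather than replaces, a malware scan of the restored data: a file that was already infected when the backup was taken will verify cleanly.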

Secure the control plane on a dedicated OOB network

The management interfaces used by administrators to control network infrastructure are often excluded from cybersecurity planning because end users don’t access them. Only admins have usernames and passwords, and they trust their own security hygiene, so they (incorrectly) assume these interfaces are safe. If zero trust policies aren’t applied to the control plane, a compromised administrator account could completely wipe out your infrastructure and gain unfettered access to sensitive data and backups. The blast radius of such an attack would be devastating and would severely hamper recovery efforts.

A recent CISA directive (Binding Operational Directive 23-02, on internet-exposed management interfaces) provides guidance for reducing the risk of exposed management ports. The best practice for a zero trust security architecture is to keep the control plane on a separate, out-of-band (OOB) network. An OOB network uses dedicated infrastructure that’s isolated from the production LAN, preventing lateral movement by attackers. This also allows administrators to perform recovery operations even when ransomware or hardware compromises bring down the production network. In addition, zero trust policies and controls must be applied to the OOB control plane itself, so that a compromised administrator account can’t gain unfettered access there either.
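As an added check (not from the article) that follows from this section, and from the earlier point about keeping the control plane on an isolated management network, the Python script below audits a device’s TCP listeners the way an admin would read `ss -ltnp`: any management service bound to a wildcard address or to a production address is flagged. The OOB subnet 192.168.250.0/24, the port-to-service table and the sample `ss` output are all constructed.

```python
import ipaddress
import re
from typing import Iterator, List, NamedTuple, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumptions for this example (all constructed): the dedicated OOB management
# subnet, and which TCP ports carry management services on this device.
OOB_NETWORKS: List[Network] = [ipaddress.ip_network("192.168.250.0/24")]
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "https-admin", 830: "netconf", 8443: "https-admin"}
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed "ss -ltnp" output from one Linux-based device: sshd and telnetd
# listen everywhere, the admin UI on 443 sits on the production address, and
# only netconf and the 8443 UI are confined to the OOB address.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    10.20.0.5:443        0.0.0.0:*         users:(("nginx",pid=901,fd=6))
LISTEN 0      511    10.20.0.5:80         0.0.0.0:*         users:(("nginx",pid=901,fd=7))
LISTEN 0      128    192.168.250.5:830    0.0.0.0:*         users:(("netconfd",pid=955,fd=5))
LISTEN 0      128    192.168.250.5:8443   0.0.0.0:*         users:(("admin-ui",pid=970,fd=8))
LISTEN 0      128    [::]:23              [::]:*            users:(("telnetd",pid=601,fd=3))
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)(?:\s|$)")


class Finding(NamedTuple):
    local_addr: str
    port: int
    service: str
    reason: str


def parse_listeners(ss_output: str) -> Iterator[Tuple[str, int]]:
    """Yield (address, port) for each LISTEN line; strips IPv6 brackets."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            yield m.group(1).strip("[]"), int(m.group(2))


def audit_management_listeners(ss_output: str,
                               oob_networks: Sequence[Network] = OOB_NETWORKS) -> List[Finding]:
    """Flag management services that are reachable from outside the OOB network."""
    findings: List[Finding] = []
    for addr, port in parse_listeners(ss_output):
        if port not in MGMT_PORTS:
            continue  # production service, out of scope for this check
        service = MGMT_PORTS[port]
        if addr in WILDCARD_ADDRS:
            findings.append(Finding(addr, port, service,
                                    "wildcard bind: reachable on every interface, including production"))
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in oob_networks):
            findings.append(Finding(addr, port, service,
                                    "bound to an address outside the OOB management network"))
    return findings


if __name__ == "__main__":
    for f in audit_management_listeners(SAMPLE_SS):
        print(f"{f.service:12} {f.local_addr}:{f.port}  {f.reason}")
```

The wildcard-bound sshd is the common case: the device has an OOB address, but nothing restricted the daemon to it. The fix is to bind the service to the OOB address only (for sshd, a `ListenAddress` entry) and to back that up with a host firewall rule, then re-run the audit.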

Tips for building a zero trust security architecture
  • A vendor-neutral security orchestration platform reduces management complexity and mitigates the risk of human error
  • Integrating a recovery toolkit in the architecture will help limit the cost and business disruption of successful attacks
  • Keeping the control plane on an OOB network and applying zero trust policies and controls will limit the blast radius of a breach

The zero trust methodology asks us to assume that devices and accounts are already compromised, and attackers have breached the network, requiring everyone to continuously prove trustworthiness before accessing enterprise resources. A successful zero trust architecture is unified by a vendor-neutral orchestration platform, prioritizes business resilience and recovery, and secures management interfaces with the same strict policies and controls as the production network.

Build your zero trust security architecture with Nodegrid

Building such an architecture is easier with the Nodegrid solution from ZPE Systems. Nodegrid is a vendor-neutral security orchestration platform that delivers unified control of the entire architecture of zero-trust policies and controls to reduce complexity and mitigate the risk of human error. Nodegrid branch gateway routers and serial console servers provide secure OOB management, so you get an isolated control plane without deploying an entire secondary network. You can even use Nodegrid to build an isolated recovery environment (IRE) to streamline ransomware recovery and reduce the business impact of attacks.

The Biggest Ransomware Attack You Haven’t Heard of…Yet https://zpesystems.com/the-biggest-ransomware-attack-you-havent-heard-of-yet/ Thu, 06 Jul 2023 19:52:26 +0000 https://zpesystems.com/?p=36037 The most successful ransomware attack ever is happening right now. See why isolated management infrastructure is the only way to save your organization.

This article was written by James Cabe, CISSP, whose cybersecurity expertise has helped major companies including Microsoft and Fortinet.

MOVEit over, SolarWinds. The largest and most successful ransomware campaign ever recorded is happening right now. It’s hitting healthcare and financial institutions with a high rate of success, and recently stole the sensitive data of 4 million more healthcare patients. It uses the CL0P ransomware, and the threat actor is the well-known criminal group FIN11. Many organizations are finding it difficult to stop the attack because they have no way to access infected devices, take them offline, patch them, or even replace them. So, what exactly is going on?

The group responsible for the attack

FIN11 is a cybercriminal group that has been active since 2016 or before, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, their focus has shifted towards other initial access vectors. FIN11 often runs high-volume operations targeting industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP).

FIN11 is responsible for multiple widespread, high-profile intrusion campaigns leveraging zero-day vulnerabilities, and the group likely has access to the networks of many more organizations than it is able to successfully monetize. Its current campaign targets MOVEit Transfer, a widely deployed managed file transfer product from Progress Software, and follows the playbook the group used against the Accellion File Transfer Appliance (FTA), a legacy, end-of-life product whose unpatched deployments led to the breach of many Fortune 100 companies and state and federal agencies.


How did the ransomware attack start?

The Accellion FTA campaign began with several FTA customers in industries like healthcare, legal, finance, retail, and telecom. Companies such as Jones Day, Kroger, Singtel, and many others had no idea that they had been attacked, because the initial breach was quiet and headless.

Their only indication came after receiving a threatening email aimed at extortion. 

In this email, the group threatened to publish stolen data on the “CL0P^_- LEAKS” .onion website, according to Accellion’s investigation. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have since released a joint Cybersecurity Advisory (AA23-158A) disseminating known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

According to the investigation, four zero-day security holes were exploited in the attacks:

  • CVE-2021-27101 – SQL injection via a crafted Host header
  • CVE-2021-27102 – OS command execution via a local web service call
  • CVE-2021-27103 – SSRF via a crafted POST request
  • CVE-2021-27104 – OS command execution via a crafted POST request

And, the published victim data appears to have been stolen using a “WEB SHELL”. These web shells give remote administrative access to the web server and create a jumping-off point to attack the rest of the internal network. Mandiant, a well-known cyber investigation arm of Google, added, “The exfiltration activity has affected entities in a wide range of sectors and countries” (Threatpost). Exfiltration is the unauthorized removal of important or damaging data from an organization.

However, the biggest problem is that these web shells provide what researchers call “PERSISTENCE”. This means that an attacker can remain in your network indefinitely to continue damaging and attacking your resources. Researchers call these “APTs,” or Advanced Persistent Threats.
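A web shell is a file that was not part of the deployed application, so one practical way to surface it is to compare the live web root against a golden manifest taken from a known-good image. The script below is an added illustration, not code from the original post or from ZPE Systems; the file names, contents and the "dropped.aspx" placeholder are all constructed for the demo.

```python
"""Baseline diff for a web root: reports files that were added, modified or
removed relative to a golden SHA-256 manifest (added example, not from the
original post). Paths and contents below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative path) under root to its SHA-256."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the golden manifest captured at deploy time."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: golden web root, then a new file appears and an
    existing file is altered, which is exactly what a dropped shell looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>constructed page</h1>")
        (root / "app.py").write_text("print('ok')")
        baseline = build_manifest(root)          # taken from the known-good image
        (root / "dropped.aspx").write_text("placeholder, not a real shell")
        (root / "app.py").write_text("print('tampered')")
        return diff_against_baseline(root, baseline)
```

In practice the golden manifest would be stored off the appliance, for example on the out-of-band management side, so that an attacker who controls the web server cannot rewrite it.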

Why is the ransomware attack still going strong?

The ransomware attack is still going strong because there’s no patch available. According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Accellion’s appliance that is the backbone of a solution known as Progress Software’s MOVEit Transfer service. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505, which is the group responsible for the Dridex trojan and Locky ransomware, conducted zero-day-exploit-driven campaigns against Accellion FTA devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.

What most organizations want to know is: How do you quickly respond to issues like these? How can you be properly prepared to respond to an issue you didn’t cause or didn’t expect?

Patching is a good response. However, it takes an average of 205 days to patch a recently known zero-day exploit like the MOVEit vulnerability. While patching alone is typically the ideal response, it isn’t automatic, nor can it be done quickly.

Another approach involves removing the offending software or appliance, or cutting off access to the software or appliance. But once you remove this access, how do you continue normal operations, and how can you easily bring the software/appliance back online? Without adequate infrastructure in place, physically deploying to each site is not practical, especially for distributed organizations.

CISA and the FBI encourage organizations to implement the recommendations in the Mitigations section of their joint CSA to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents. The Mitigations section describes many approaches, including patching, removing software/appliance access, and implementing a recovery plan. But all of these take too much time and too many resources, which leaves organizations vulnerable as they scramble to create an adequate response.

The great news is, organizations can cover all their bases without having to reinvent the wheel. This approach is recommended in one of CISA’s recent directives, and gives organizations somewhat of a silver bullet that allows them to quickly defeat ransomware and remain prepared for any future attack.

What approach does CISA recommend to address ransomware attacks?

CISA’s recent directive (23-02), which addresses the vulnerability of Internet-exposed management interfaces, calls for organizations to create an isolated management infrastructure (IMI) via out-of-band connectivity. This is a drop-in solution that the military, telcos, and hyperscalers/cloud companies use to respond to widespread ransomware and other issues impacting security and resilience. This approach — which ZPE Systems has perfected in the last decade with the help of Big Tech — gives organizations a completely separate control plane through which they can monitor and manage their entire IT infrastructure in a safe and dedicated fashion.

What is isolated management infrastructure?

Isolated management infrastructure consists of the hardware and software that create a management network that’s fully separate from other production and management networks. The key to this is in out-of-band connectivity, which is defined as connectivity other than TCP/IP. Out-of-band can include direct USB, serial, or even non-routed zero-trust connections to crown-jewel assets.

Essentially, the IMI gives an organization complete oversight and control of their widespread IT infrastructure, in a way that is secure and accessible only to their IT teams.

In this diagram, the production infrastructure (blue ring) sits at each distributed location. The out-of-band infrastructure for LAN (OOBI-LAN) is the green ring and surrounds the production infrastructure with one layer of isolated management. The OOBI-WAN (orange ring) is what provides a second layer of isolated management, which teams can access from a central or remote location, to gain access to the OOBI-LAN and ultimately the production infrastructure.


Knowing these assets and providing access across the organization can be easy and does not have to disrupt current operations. 

How can IMI stop the FIN11 ransomware attack?

In the ongoing FIN11 ransomware attack, Internet-facing applications are targets of the zero-day exploit. This means that no amount of security solutions can pre-mitigate the attack (i.e., there’s nothing you can do to stop it). This is where IMI shines.

Isolated Management Network diagram sitting beside production infrastructure

Remember the OOBI-LAN/OOBI-WAN diagram? Here’s a zoomed-in view of the isolated management infrastructure sitting beside the production infrastructure. The IMI connects via serial, Ethernet, and USB to production gear, and provides the necessary functions (routing, storing golden images, hosting jumpbox tools, etc.) to recover from attack. But how?

IT teams can use OOBI-WAN to remotely access their OOBI-LAN and production gear. They can pull affected devices offline and bring them in for forensics, which takes place in an Isolated Recovery Environment (IRE). This means these assets and networks are still reachable by analysts and responders, but isolated from other vulnerable assets. This allows an organization to quickly and even automatically deploy tools and resources inside of this environment through devices like ZPE Systems’ Nodegrid.

To combat the FIN11 attack, organizations don’t need to unplug cables or shut their devices off. They can instead deploy their IMI as the framework for closing the attack surface while maintaining access to systems and critical data to aid in recovery.

Get the blueprint for isolated management infrastructure

Don’t wait until the next attack to shore up your defenses. ZPE Systems has worked with Big Tech for ten years developing the isolated management infrastructure. It’s now available inside the Network Automation Blueprint, and walks you through how to implement your own IMI. Download the blueprint now to stay ready for any attack.

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:

The post The Biggest Ransomware Attack You Haven’t Heard of…Yet appeared first on ZPE Systems.

Atsign: Why Choose ZPE Systems to Host IoT Security? https://zpesystems.com/atsign-why-choose-zpe-systems-to-host-iot-security/ Thu, 22 Jun 2023 15:31:05 +0000 https://zpesystems.com/?p=35878 In this guest post, Atsign CTO & Co-Founder Colin Constable discusses how their IoT security solutions just work with ZPE Systems.

The post Atsign: Why Choose ZPE Systems to Host IoT Security? appeared first on ZPE Systems.


A Conversation with Atsign CTO & Co-Founder, Colin Constable

This is a guest post composed by Atsign, creators of zero-attack-surface solutions including atProtocol.

We recently sat down with our CTO and Mariposa Rotary Club extraordinaire, Colin Constable, to discuss our partnership with our friends over at ZPE Systems. Let’s explore the driving force behind this powerful partnership, and how together we’re securing IoT devices and the data shared between them.

Why is this partnership strategically important?

We are a software company that helps people connect beyond the edge of the Internet. And as a software company, we need to have hardware to run our software on. After looking at a number of hardware platforms, ZPE stood out as an organization that provides a strong array of network connectivity options. Our software running on ZPE’s hardware serves as an edge platform that gives customers reliable access to edge-generated data.

What are some of the synergies between Atsign and ZPE?

First and foremost, ZPE’s hardware was designed from scratch to provide the openness and flexibility that we were looking for in a hardware platform. If I were going to design something like this myself, it would look very much like a ZPE box! It is incredibly easy to drop our Docker containers straight onto the platform, and they just simply work, which is quite a joy. To have a Docker container environment on an edge box is really the thing that makes ZPE stand out as a platform. Combine that with the fact that ZPE boxes are running x86, which makes things easy, plus actually having dual SIM cards, and we can work with our MVNO partners to provide constant connectivity; even if hardlines go down, there’s cellular backup. The thing we can offer ZPE and their customers is if the box can see the Internet, then you’ll be able to address it, get data to and from it, and actually even log into it, and get hold of the built-in UI on the box.

Tell us about ZPE’s Docker Container support

Our Docker containers literally just ran perfectly on the ZPE hardware. I went into the UI, selected my Docker container, and it just ran. It doesn’t get much easier than that. Plus, there’s the promise of being able to have the Docker container talk to connected devices like V.24 cables to provide connectivity to IoT devices.

Once IoT devices become directly addressable, then it opens up all kinds of opportunities for more efficient delivery or sharing of information that can save customers tons of money by eliminating a lot of the current infrastructure they currently use to do that job.

What are some real-world use cases for Atsign and ZPE Systems?

Because ZPE boxes have lots of connectivity options (e.g. serial ports, 4/5G backhaul, and Ethernet, with more coming!) for connecting IoT devices, you can have always-on devices at the edge, and be able to address and get data to and from them. For example, a radio station that has DSL connectivity and cellular backup would be able to just automatically move over to cellular backup, notify the radio station that it’s on cellular backup, and use that connectivity until the ADSL line comes back online, while at all times being able to get information from the equipment at the radio station. This is critical for radio stations, as it eliminates “dead air,” that moment when the transmitter is not transmitting. Sponsors rely on radio stations to put out notifications for what their businesses are doing, so having constant, uninterrupted connectivity is essential.

Do Atsign & ZPE Systems improve sustainability?

Traditional solutions would have you installing many different boxes. What we really like about the ZPE platform is that although the hardware provides lots of connectivity options (which reduces the footprint for starters), there’s no need to have different modems and firewalls, and any other services can be added via Docker containers, so you actually have an environment where you have a single box, and it can do multiple functions at the edge.

What are your final thoughts on the partnership between Atsign and ZPE Systems?

As a software company, we need hardware to deploy on. We especially need hardware that can sit on the edge with all the right connectivity points. Atsign and ZPE Systems is really a perfect combination of great software and great hardware at the edge.

Bonus: What is Colin’s favorite firewall configuration for a ZPE box?

My favorite firewall rule is the one that costs the least money, and is ultimately the most secure firewall ruleset: Deny All. If you’ve got Deny All, that means that you don’t have to deal with the pain and complexities of firewall rules in order to address devices, which is what the real cost of networking is these days; it’s not necessarily the hardware, it’s actually having people to administer firewall rulesets. Having zero network attack surfaces, having a Deny All ruleset, just means you don’t have to have people changing rulesets all the time, which is a good thing.
