There is a series of steps for any cybersecurity investigation, and during that journey, it's likely you'll uncover a trail of digital breadcrumbs that lead to unexpected places.
Take, for instance, the trail of breadcrumbs we uncovered during a recent customer training originally for detecting weak cipher suites.
Encrypting sensitive data is a critical part of protecting any network's assets, and it's considered a best practice to proactively encrypt all data in transit, but data encrypted with a weak cipher suite leaves organizations vulnerable to compromise. ExtraHop's Weak Cipher Suite detection does a great job of bringing visibility to weak-sauce cryptography.
Here's one example we found coming in from a third-party vendor: TLS_RSA_WITH_NULL_MD5
Cipher suites can be a mouthful. Let's unpack the example.
- TLS: Transport Layer Security, the successor to SSL, uses cipher suites to secure data transfers with a combination of key exchange, authentication, encryption, and message authentication code (MAC) algorithms.
- RSA: The key exchange algorithm.
- NULL: We'll get back to this.
- MD5: A message digest (hash) algorithm used here to verify message integrity. It dates back to 1991, and, as of around 2008, MD5 is considered broken and should not be used.
Back to NULL: This means no encryption is done.
I'll say that again: No. Encryption. Is. Done. Period. Full stop. End of message. Do you copy? Over. I'm fine. How are you?
Long story short, "TLS_RSA_WITH_NULL_MD5" is telling us that we are exchanging keys via RSA, which is also how the endpoints are authenticated, that we are using MD5 to verify message integrity, and that no encryption is done, so messages are passed in the clear.
Think of it this way: Alice has a sup3r sekret message she wants to send to Bob. Alice writes her message on a postcard, locks the postcard in a glass capsule so nobody tampers with it, and hands the capsule to Charlie who hands the capsule to somebody else. Eventually the capsule lands in Bob's hands. Anybody standing between Alice and Bob can read Alice's message, as well as Bob's reply.
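The same unpacking can be automated for triage of handshake telemetry. The parser below is an added example, not ExtraHop's detection logic: it splits a TLS 1.2-style IANA suite name into key exchange, bulk cipher and MAC, and explains why a suite gets flagged. The sample suite names are constructed for the example.

```python
import re

# Tokens in the bulk-cipher slot that mean the suite gives little or no confidentiality
WEAK_BULK = {
    "NULL": "no encryption: application data is sent in the clear",
    "RC4": "RC4 stream cipher is broken",
    "DES": "single DES has only a 56-bit key",
    "3DES": "3DES uses 64-bit blocks (Sweet32)",
}
# Key-exchange names that authenticate the server but provide no forward secrecy
NO_FORWARD_SECRECY = {"RSA", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA", "PSK", "RSA_PSK"}

# TLS_<key exchange>_WITH_<bulk cipher>_<MAC or PRF hash>
SUITE_RE = re.compile(r"TLS_(\w+?)_WITH_(\w+)_(MD5|SHA\d*)")

def parse_suite(name):
    """Split a TLS 1.2-style IANA name into (key_exchange, bulk_cipher, mac_or_prf), or None."""
    m = SUITE_RE.fullmatch(name)
    return m.groups() if m else None

def weaknesses(name):
    """Return the reasons a suite should be flagged; an empty list means nothing was flagged."""
    if name.startswith("TLS_") and "_WITH_" not in name:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...) are all AEAD with ephemeral key exchange
        return []
    parsed = parse_suite(name)
    if parsed is None:
        return [f"unrecognised cipher suite name: {name}"]
    kx, bulk, mac = parsed
    findings = []
    if "EXPORT" in kx:
        findings.append("export-grade suite: deliberately shortened key")
        kx = kx.replace("_EXPORT", "")
    if "anon" in kx:
        findings.append("anonymous key exchange: the server is not authenticated")
    findings += [why for token, why in WEAK_BULK.items() if token in bulk.split("_")]
    if mac == "MD5":
        findings.append("MD5 is considered broken and must not be used as a MAC")
    elif mac == "SHA":
        findings.append("HMAC-SHA1 with a CBC cipher is legacy; prefer AEAD suites")
    if kx in NO_FORWARD_SECRECY:
        findings.append(f"{kx} key exchange provides no forward secrecy")
    return findings

def triage(suites):
    """Map each observed suite name (e.g. from handshake telemetry) to its findings."""
    return {s: weaknesses(s) for s in suites}

if __name__ == "__main__":
    # Constructed sample: suite names as they would appear in a ClientHello/ServerHello log
    for suite, why in triage(["TLS_RSA_WITH_NULL_MD5", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]).items():
        print(suite, "->", why or ["ok"])
```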
Back to ExtraHop.
The offender—the SSL client opening the connection—was an internal IP address, and the other side of the connection was a public IP hosted by a food services company. As it turns out, that food services company runs the cafeteria at the organization's headquarters.
We had a few action items:
Action Item No. 1: Reach out to the food service vendor and catch them up on the past 10 years of advances in cryptography.
Here's where the breadcrumbs keep falling: The offending computer wasn't showing up in the customer's asset database.
We used ExtraHop to look deeper.
Based on telemetry from DNS and SSL, we determined the computer was connected to internal IP space, but not domain joined, and therefore not subject to the important group policies applied across all "domain computers." Essentially, we had an unmanaged asset inside the network with a connection open to the outside world. Because the device was unmanaged, traditional host-based monitoring (such as log forwarding) wasn't working, but ExtraHop's network-centric visibility was, allowing the team to detect abnormal activity stemming from the device.
This particular customer uses CrowdStrike endpoint detection and response (EDR), but the Falcon agent wasn't installed on the unmanaged endpoint—at least not yet. This isn't entirely uncommon. In fact, aggregated, anonymous ExtraHop data tells us that among companies that have an EDR product, only 34% of their devices have EDR deployed on them. Tracking every asset in sprawling modern architectures is a nigh impossible task, but this savvy security team has the tools to cover the gap with network detection and response (NDR), allowing them to still identify and monitor unmanaged assets.
Action Item No. 2: Install CrowdStrike.
Action Item No. 3: Re-visit network access control and determine why this endpoint was able to access the network.
What started as a simple journey into cryptography unearthed an improperly configured, externally managed endpoint connected to the network. With the help of complementary EDR and NDR, this team gained clear visibility into everything that was on their network, attaining rock-solid security.
Follow the breadcrumbs. They'll lead you to unexpected results.