URL: https://www.darkreading.com/vulnerabilities-threats/cisa-takedown-ivanti-systems-is-wake-up-call
CISA TAKEDOWN OF IVANTI SYSTEMS IS A WAKE-UP CALL

The exploitation of vulnerabilities in Ivanti's software underscores the need
for robust cybersecurity measures and proactive response strategies to mitigate
risks and protect critical assets.

Charles Herder, Co-Founder, Badge Inc.

July 9, 2024



COMMENTARY

In the wake of the attack on Ivanti's asset management software, which prompted
decisive action from the Cybersecurity and Infrastructure Security
Agency (CISA), what can we learn? This incident raises new questions about
exploit techniques, organizational response to security breaches, and the
skyrocketing cost of downtime.

First, let's break down what happened. From what's been disclosed, the
vulnerabilities in Ivanti's system, particularly its VPN gateway, enabled threat
actors to bypass authentication and gain unauthorized access. By sending
maliciously crafted packets to the VPN gateway, attackers had a free pass to
infiltrate the system without needing to steal credentials. Once inside, they
could export user credentials — including domain administrator credentials.



Attackers also exploited a second vulnerability to inject malicious code into
the Ivanti appliance, allowing them access to the VPN persistently (e.g.,
maintaining malicious control despite reboot or patch). An attacker's persistent
access to a VPN gateway is especially dangerous because the attacker can now
move laterally within the VPN, using the gateway’s trusted position to gain
access to critical credentials and data. The bottom line: An attack compromising
the VPN is bad, but here, the attack enabled the takeover of stored privileged
administrative account credentials, which is much worse.



In response, CISA intervened to let organizations know they should assume the
theft of critical credentials given the nature of the breach. The bigger concern
was Ivanti's apparent failure to detect the compromise, leaving attackers free
to operate within a trusted zone, bypassing zero-trust principles, and posing
heightened risks to sensitive data.



Prompted by the severity of the vulnerabilities and the potential for widespread
exploitation, CISA took further action by taking two of Ivanti's systems
offline. This is an unusual safeguard, taken only after careful assessment of
the damage and the risk.

CISA correctly concluded that the risk of theft of privileged administrative
credentials stored in trusted enclaves was much greater than the downside of a
complete shutdown. The calculus was that safeguarding the system's crown jewels,
the most powerful credentials, required immediate action to minimize the blast
radius of the breach, since CISA could not be sure it could operate the system
securely.



As it turns out, Ivanti later clarified that patches could have been deployed
discreetly, which would have prevented the need for an entire system downtime.
This miscommunication highlights the importance of having clear open channels
during a crisis. Mixed messages cause unnecessary chaos.


MEASURING HARD AND SOFT COST

System-wide downtime is costly. The IT resources required to administer a
shutdown and recovery securely and smoothly are often compounded by the losses
incurred from complete outages of services, user downtime, and downstream
effects (such as customers or dependent organizations that experience service
outages), not to mention the reputational and service-level-agreement
considerations.

In Ivanti's case, we may never really know the exact cost. At the high end,
assuming the VPN is mission critical for a portion of the workforce, downtime is
a stop-work scenario for that user population and is therefore very expensive.
Downstream customers, businesses, and users are also affected. This should be a
warning to those of us addressing the aftermath of an attack: the risk "wake" of
the response itself is likely to carry downtime costs and must be weighed too.



CISA's downtime-to-risk calculation was founded on assessing the "blast radius"
of the attack. In this case, lateral movement from the VPN gateway was
relatively easy because of the gateway's naturally trusted position and the
attacker's ability to export stored credentials — including those of privileged
accounts.

The blast radius of this breach was especially large because attackers were able
to steal stored credentials and use them to move laterally. Minimizing the blast
radius of an attack is achieved by building systems on the principle of least
privilege (e.g., zero trust). However, a service that stores credentials is
inherently one of the — if not the — most trusted services in any given system.
It is therefore not surprising that CISA made the call to shut it down rather
than risk further compromise.

So, what's the takeaway? The exploitation of vulnerabilities in Ivanti's
software is a reminder of the threat facing organizations in the digital age. It
underscores the need for robust cybersecurity measures and proactive
infrastructure design and response strategies to mitigate risks and protect
critical assets. Reducing the number of high-value targets in IT infrastructure
is an important step that minimizes the blast radius of attacks and can
therefore reduce the need for broad shutdowns when attacks do happen. Privileged
account credentials and stored keys are among the highest-value targets, and IT
leaders should accelerate adoption of strategies and technologies that minimize
or eliminate such targets. As organizations navigate the aftermath of this
incident, collaboration, clear communication, and continuous vigilance are
essential in safeguarding against future threats.
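The "blast radius" reasoning above can be made concrete: model each service, the credentials it stores, and the systems each credential reaches, then compute what a foothold on one service transitively exposes. The following is an added illustration and is not code from the article, from Ivanti, or from CISA; the inventory (service names, credential names, and access grants) is entirely constructed for the example. It shows why a gateway that holds a domain-administrator credential has a blast radius covering the whole estate, and how much that radius shrinks when the stored privileged credential is removed.

```python
"""Blast-radius estimate for a compromised service that stores credentials.

Added example (constructed inventory, not from the article). A foothold on a
service yields every credential stored there; each credential grants access
to further services, which may store more credentials, and so on.
"""
from collections import deque

# Constructed inventory: service -> credentials stored on that service.
STORED_CREDENTIALS = {
    "vpn-gateway": {"svc-ldap-bind", "domain-admin"},
    "file-server": {"backup-svc"},
    "ci-runner": {"deploy-key"},
    "domain-controller": set(),
    "backup-server": set(),
    "erp-app": set(),
}

# Constructed grants: credential -> services it can authenticate to.
CREDENTIAL_GRANTS = {
    "svc-ldap-bind": {"domain-controller"},
    "domain-admin": {"domain-controller", "file-server", "ci-runner",
                     "erp-app", "backup-server"},
    "backup-svc": {"backup-server"},
    "deploy-key": {"erp-app"},
}


def blast_radius(entry, stored, grants):
    """Return (reachable services, obtainable credentials) from a foothold.

    Breadth-first search over the credential graph: every service reached
    contributes its stored credentials, every credential contributes the
    services it grants access to.
    """
    reached = {entry}
    creds = set()
    queue = deque([entry])
    while queue:
        service = queue.popleft()
        for cred in stored.get(service, ()):
            if cred in creds:
                continue
            creds.add(cred)
            for target in grants.get(cred, ()):
                if target not in reached:
                    reached.add(target)
                    queue.append(target)
    return reached, creds


def without_stored(stored, service, credential):
    """Inventory with one credential no longer stored on a service."""
    copy = {svc: set(c) for svc, c in stored.items()}
    copy[service].discard(credential)
    return copy


def rank_services_by_radius(stored, grants):
    """List (service, reachable-count) sorted by largest blast radius first.

    Services at the top are the high-value targets the article says to
    minimize: compromising them exposes the most of the estate.
    """
    ranked = [(svc, len(blast_radius(svc, stored, grants)[0])) for svc in stored]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def compare_gateway(stored=STORED_CREDENTIALS, grants=CREDENTIAL_GRANTS):
    """Blast radius of the gateway before and after removing domain-admin."""
    before, creds_before = blast_radius("vpn-gateway", stored, grants)
    hardened = without_stored(stored, "vpn-gateway", "domain-admin")
    after, creds_after = blast_radius("vpn-gateway", hardened, grants)
    return {
        "before": (len(before), len(creds_before)),
        "after": (len(after), len(creds_after)),
    }


if __name__ == "__main__":
    for service, count in rank_services_by_radius(STORED_CREDENTIALS, CREDENTIAL_GRANTS):
        print(f"{service:18} reaches {count} service(s)")
    print(compare_gateway())
```

In the constructed inventory the gateway reaches all six services and yields four credentials while it stores the domain-administrator credential; with that credential removed, the same foothold reaches only the gateway and the domain controller and yields a single low-privilege bind account. The ranking function is the inventory-level view: the fewer services that sit near the top of that list, the less a single compromise forces a choice between broad shutdown and continued operation.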




ABOUT THE AUTHOR(S)

Charles Herder

Co-Founder, Badge Inc.

Dr. Charles Herder is a recognized and published thought-leader in cryptography
and embedded systems, and has been an invited speaker at the Global Cyber
Innovation Summit, the De Vinci Innovation Center, the Advanced Cyber Security
Center, TU Automotive, and MIT.

An expert in cryptography, systems security, and AI and quantum computing, Dr.
Herder has four degrees from MIT, including a Ph.D. in Electrical Engineering
and Computer Science. Dr. Herder has worked on embedded systems security at
Texas Instruments, launched a cybersecurity company that was acquired by a
public company leader in network assurance, and most recently is the Co-Founder
of Badge Inc., the award-winning privacy company enabling Identity without
Secrets™.