Zero Days, Zero Days, Zero Days

“Zero Day” may be the most recognizable term in cybersecurity, other than “hacker” of course, and for good reason. Zero Day vulnerabilities are notoriously hard for defending security teams to identify: by the time a zero day is disclosed it may already have been exploited for months, which makes it one of the worst examples of “Known Unknowns” in cybersecurity (other than users’ behaviour, of course).

It’s important to understand that Zero Days are not really brand-new vulnerabilities. A zero day is a vulnerability for which the vendor has had “zero days” to prepare a fix, but the flaw itself has usually been sitting in shipped code for years. What makes it difficult is that vendors and security teams have only just become aware of it, while the attackers who found it have had the initiative, and sometimes an extensive head start.

Exactly how difficult the defender’s job is often depends on the gap between when attackers discovered the vulnerability and when the rest of the world noticed. If that gap is short, an attacker’s steps to achieve exploitation tend to be clumsy or noisy, which gives defenders a visibility advantage. The most dangerous exploits remain unknown for months or years, allowing attackers to probe and test carefully over time, quietly blending into the firehose of normal IT operations.

The Recent Cisco IOS XE Vulnerabilities

In October 2023, Cisco disclosed two IOS XE vulnerabilities within days of each other. We know that the two were chained to compromise tens of thousands of internet-exposed production devices. We also know that while informed network teams are mitigating the initial attacks through patching, patching alone only closes the vulnerability; it does not remove a local account that an attacker has already added to the configuration. Many exploited devices will therefore remain compromised in organizations with limited security resources or network visibility.

Because the vulnerable component is the device’s web UI, any device whose HTTP Server feature is reachable from the internet is exposed. Security researchers use tools like Shodan to search the internet for web interfaces and other internet-accessible services that Google ignores, and attackers use the same tools to discover vulnerable devices and applications at scale with scripts.

Cisco typically manages security disclosures well: communicating clearly with the public, publishing detailed information about the vulnerabilities, describing mitigations and exploitation techniques, and providing updates. That appears to be the case with these vulnerabilities, but it still leaves administrators in a reactive posture.

Why Emphasize Change Monitoring?

To discover Zero Day attacks before we become aware of the vulnerabilities behind them, we must look for the impact of the attack and the footprints of the attacker. Fortunately, we can do this in a few ways. We can look for anomalous movement of data, or for strange or novel user behavior. With hindsight, these indicators may seem obvious. In the hustle of modern operations, however, this type of data can be a few tiny needles in multiple haystacks of noise.

We can also monitor changes, assessing the actual modifications made to systems in the same way we assess change requests, or verifying changes the way we investigate faults.

However, “change” can mean several different things, so here are three key areas to monitor for indicators of compromise:

  • New or updated files, especially on a web server 
    • A new executable or web-accessible script could be a remote administration backdoor or web shell 
  • Changes to cloud services configuration, especially at the account or virtual network level
    • Attacks at the account level can be devastating in the cloud 
  • Changes to authentication configuration, elevated privileges or new users 

With these Cisco IOS XE vulnerabilities the exploitation path is the last item on that list: an unauthenticated remote attacker creates a new local account that already carries the highest privilege level (15), and then uses a second vulnerability to run commands as root on the device’s underlying operating system.

The two vulnerabilities, both in the Cisco IOS XE web UI, are chained to achieve full compromise:

  • CVE-2023-20198 Published 16th October 2023
    • Exploit stage 1: An unauthenticated remote attacker abuses the web UI to create a local user account that already has privilege level 15, the highest IOS XE privilege level, giving full administrative control of the device’s configuration.
  • CVE-2023-20273 Published 25th October 2023
    • Exploit stage 2: Logged in as that new account, the attacker exploits a command injection in the web UI to execute commands as root on the underlying operating system, which is how an implant was written to exploited devices.
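Stage 1 leaves footprints in the device log: Cisco’s guidance points at a web UI login by an account the administrator does not recognise, and at a configuration write performed by the web UI process. The following Python script is an added example, not code from the original article, from Cisco or from ScienceLogic. It triages constructed syslog lines for those two footprints; the sample lines, the KNOWN_USERS set and the TRUSTED_NETS list are assumptions standing in for real device output and your own inventory.

```python
import ipaddress
import re

# Constructed sample syslog lines (not real device output). The message types
# follow the shapes Cisco's guidance lists as indicators: a web UI login by an
# unexpected account and a CONFIG_P line showing the web UI process writing
# configuration. Hostnames, addresses, usernames and timestamps are made up.
SAMPLE_LOG = """\
Oct 17 03:41:50 edge-rtr-01 1234: *Oct 17 03:41:50.123: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.45] at 03:41:50 UTC Tue Oct 17 2023
Oct 17 03:42:13 edge-rtr-01 1235: *Oct 17 03:42:13.456: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 17 08:15:02 edge-rtr-01 1301: *Oct 17 08:15:02.001: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] at 08:15:02 UTC Tue Oct 17 2023
Oct 17 08:16:40 edge-rtr-01 1302: *Oct 17 08:16:40.777: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.5)
"""

# Assumed local knowledge (hypothetical): the accounts that should exist and the
# management networks that should be logging in to the web UI.
KNOWN_USERS = {"netops"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+)"
)


def triage(log_text, known_users=KNOWN_USERS, trusted_nets=TRUSTED_NETS):
    """Return a list of (reason, line) findings for web UI footprints."""
    findings = []
    for line in log_text.splitlines():
        login = WEBLOGIN_RE.search(line)
        if login:
            user, src = login["user"], login["src"]
            if user not in known_users:
                findings.append((f"web UI login by unexpected account '{user}'", line))
            try:
                addr = ipaddress.ip_address(src)
            except ValueError:
                findings.append((f"web UI login with unparseable source {src!r}", line))
                continue
            if not any(addr in net for net in trusted_nets):
                findings.append((f"web UI login from untrusted source {src}", line))
            continue
        cfg = CONFIG_P_RE.search(line)
        if cfg and cfg["proc"] == "SEP_webui_wsma_http":
            findings.append(("configuration written programmatically by the web UI process", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[ALERT] {reason}\n        {line}")
```

Run against the constructed sample the script raises three alerts for the first two lines and stays silent on the routine netops login and its CONFIG_I entry; pointing it at a real syslog feed only requires replacing the sample text and the two inventory constants.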

Because they are used together, Cisco has rolled details for both vulnerabilities into a single advisory, where you can find the latest threat research details, indicators of compromise and the fixed software releases.

It is common for attacks to chain multiple vulnerabilities, and multiple attack vectors, to reach their final goal. The sequence of related steps is referred to as the “Kill Chain”, and the defender’s goal is to detect and disrupt the attack as early in that chain as possible.

It’s also important to understand that what we are seeing here is only the initial setup for the unknown end objective of the attacker. In most cases they are looking for a foothold in environments to run further campaigns, perhaps to deploy ransomware or stockpile data for later exfiltration.

In this case, there is a clear indicator of compromise: the creation of the privileged local account. Cisco’s guidance lists the account names observed in the wild (such as cisco_tac_admin and cisco_support) and also describes a check for the implant itself, an HTTP POST to the web UI’s logoutconfirm page that returns a hexadecimal string when the implant is present. Operations teams that monitor configuration will see the new username line as a change, which allows prioritization, mitigation and recovery as recommended by the vendor. Generally, we should prioritize changes to authentication configuration for review, ensuring real-world awareness of the system’s state.
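A change-monitoring view of the same compromise, as an added example that is not from the article, from Cisco or from the Restorepoint product: diff an approved running-config baseline against the current running config, classify added and removed lines against the three areas listed earlier, and check the result against a policy that requires the HTTP Server feature to stay disabled. The two config excerpts, the account names and the REQUIRED_LINES policy are constructed for the example.

```python
import re

# Constructed running-config excerpts (not real device output). BASELINE is the
# approved configuration; CURRENT is the same device after an unauthorised
# change. Hostname, account names and secrets are made up.
BASELINE = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
!
no ip http server
no ip http secure-server
!
aaa new-model
aaa authentication login default group tacacs+ local
!
line vty 0 4
 transport input ssh
"""

CURRENT = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
username cisco_tac_admin privilege 15 secret 9 $9$xyz
!
ip http server
ip http secure-server
!
aaa new-model
aaa authentication login default group tacacs+ local
!
line vty 0 4
 transport input ssh
"""

# Hypothetical compliance policy: lines that must appear in every running config.
REQUIRED_LINES = ("no ip http server", "no ip http secure-server")

USERNAME_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)")


def config_lines(text):
    """Normalise a config dump into comparable lines, dropping '!' separators."""
    return {line.rstrip() for line in text.splitlines() if line.strip() and line.strip() != "!"}


def diff_configs(baseline, current):
    """Return (added, removed) line lists relative to the approved baseline."""
    before, after = config_lines(baseline), config_lines(current)
    return sorted(after - before), sorted(before - after)


def classify(added, removed):
    """Map raw diff lines to security findings: (severity, reason, line)."""
    findings = []
    for line in added:
        user = USERNAME_RE.match(line)
        if user:
            name, priv = user[1], int(user[2])
            severity = "critical" if priv >= 15 else "medium"
            findings.append((severity, f"new local account '{name}' with privilege {priv}", line))
        elif line in ("ip http server", "ip http secure-server"):
            findings.append(("high", "web UI (HTTP Server feature) enabled", line))
        elif line.startswith(("aaa ", "enable ")):
            findings.append(("high", "authentication configuration added", line))
    for line in removed:
        if line.startswith("username "):
            findings.append(("medium", "local account removed", line))
        elif line.startswith(("aaa ", "enable ")):
            findings.append(("high", "authentication configuration removed", line))
    return findings


def policy_violations(current, required=REQUIRED_LINES):
    """Lines the policy demands that are missing from the running config."""
    present = config_lines(current)
    return [line for line in required if line not in present]


def review(baseline, current):
    """Full review: classified diff findings plus policy violations."""
    added, removed = diff_configs(baseline, current)
    return classify(added, removed), policy_violations(current)


if __name__ == "__main__":
    findings, violations = review(BASELINE, CURRENT)
    for severity, reason, line in findings:
        print(f"[{severity.upper()}] {reason}: {line}")
    for line in violations:
        print(f"[POLICY] required line missing: {line}")
```

On the constructed input the review produces one critical finding for the new privilege 15 account, two high findings for the HTTP server being switched on, and two policy violations; a baseline compared with itself produces nothing, which is the quiet state a change monitor should sit in between approved changes.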

Network Change Monitoring

These kinds of vulnerabilities can be devastating to organizations operating multi-vendor, hybrid IT infrastructures with no centralized management, characterized by operational silos and poor visibility. Under these conditions even minor changes in one location can have far-reaching effects elsewhere.

ScienceLogic delivers solutions which enable our customers to detect network configuration changes, notify administrators of the exact change, and integrate with the ScienceLogic AIOps platform for system automation and IT Service Management use cases. These capabilities can give your teams information to reduce the impact of changes made maliciously, or in error.

The Restorepoint solution can be configured with pre-approved known-good configuration baselines for your devices, providing you with change alerting and the ability to quickly audit and rollback unauthorized and emergency changes as they happen. Coupled with the built-in compliance engine, Restorepoint can automatically remediate configuration issues when changes breach policy.

Reducing Risk Through Automation

With Restorepoint, three high-value capabilities dramatically reduce the risks and costs associated with inconsistent change management:

  • Network Configuration Backup and Recovery: Automate backups to a secure, centralized repository so organizations respond faster and recover from failures or errors by automatically restoring configurations (often in seconds).
  • Change Detection and Compliance Auditing: Automate change detection and identify context of when, where, and who made them. Compare changes against authorized settings, maintain compliance, close risk gaps, and eliminate lengthy, error-prone manual audits.
  • Change Automation: Automate bulk updates whether in real-time or as a part of a scheduled maintenance and management program, minimize human error, and save time.

Optimizing Outcomes Through Integration

Complementing Restorepoint’s change management capabilities with the SL1 AIOps platform maximizes Restorepoint’s value.

ScienceLogic SL1 automatically discovers new services and devices, making technology onboarding easy and consistent. By detecting and assessing changes that correlate with risk to security and availability, administrators can quickly correct them when they occur and minimize or eliminate downstream impact altogether.

When SL1 detects a change that Restorepoint recognizes as erroneous, it automatically alerts IT ops, then creates and routes an enriched ticket to the service desk. That means your IT operations team can resolve incidents faster, even automatically, when improper changes impact critical business services.

For more information on the Cisco vulnerabilities visit the Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature page.
