
NodeZero Pivots Through Your Network with the Attacker’s Perspective

7 August 2023 at 23:23

A key differentiator of the NodeZero platform is that it autonomously navigates through your environment, choosing which exploit to run next depending on what it encounters, just as a threat actor does. It’s dynamic, not prescripted.

Here is the detailed description of a NodeZero autonomous attack that leveraged two weaknesses to achieve domain compromise in 33 minutes, 9 seconds.

NodeZero:

  1. Details each step in the attack path and lets you drill down to the specifics
  2. Provides proof of its exploits, meaning there are no false positives
  3. Prioritizes weaknesses and their impact to your organization, so you know what to fix first
  4. Guides your remediation, with fix actions for each weakness
  5. Identifies systemic issues to help you eliminate numerous weaknesses with a single change

In this attack path, these are the steps NodeZero took to compromise the domain.

NodeZero was launched from host 10.0.222.200

NodeZero discovered the host 10.0.4.4.

NodeZero discovered the Java service on 10.0.4.4 port 1099

NodeZero discovered H3-2020-0022: Insecure Java JMX Configuration affecting the Java service on 10.0.4.4 port 1099

The C:\Windows\win.ini file was retrieved via the RCE vulnerability

NodeZero loaded a Remote Access Tool on host 10.0.4.4 to enable post-exploitation of H3-2020-0022: Insecure Java JMX Configuration

NodeZero leveraged the Remote Access Tool running as administrator on 10.0.4.4 to discover H3-2021-0042: Credential Dumping – Security Account Manager (SAM) Database

NodeZero discovered an NTLM Hash for cbr-user by exploiting H3-2021-0042: Credential Dumping – Security Account Manager (SAM) Database

NodeZero discovered Domain Controller 10.0.4.1 (dc01.pod04.h3airange.internal)

NodeZero discovered the SMB service on domain controller 10.0.4.1 (dc01.pod04.h3airange.internal) port 445

NodeZero verified the credential for domain admin cbr-user in domain POD04.H3AIRANGE.INTERNAL on the SMB service on domain controller 10.0.4.1 (dc01.pod04.h3airange.internal) port 445

Proof NodeZero achieved domain compromise and domain user compromise after 33 minutes, 9 seconds.

During the attack NodeZero leveraged 2 weaknesses:

  • H3-2020-0022: Insecure Java JMX
  • H3-2021-0042: SAM Dump

The attack path involved 1 compromised credential:

  • Domain Admin cbr-user

The attack spanned 2 hosts:

  • 10.0.4.4
  • Domain Controller 10.0.4.1

Once a domain is fully compromised, all hosts, domain user accounts, data, infrastructure, and applications tied to that domain should be considered fully compromised. Additionally, applications running on a domain-joined machine or any application that uses Active Directory integration to authenticate users should be considered fully compromised.

Key Takeaway

Remediating the Insecure Java JMX Configuration weakness would potentially eliminate 28% of critical impact paths. NodeZero provides the guidance to remediate the issues identified.

Discover the attack paths in your environment.
Start your 30-day NodeZero free trial now.

The post NodeZero Pivots Through Your Network with the Attacker’s Perspective appeared first on Horizon3.ai.

Privileged Credentials Often Bite Back

7 August 2023 at 16:12

Active Directory Analytics Solution Enables Domain Compromise

Due to lessons learned from the SolarWinds breach a few years ago, organizations should be wary of products that require privileged credentials, since they have the potential to increase risk. In a similar context, here is an example of NodeZero™ successfully compromising the ADAudit Plus admin credential during a penetration test to become a Domain Admin.

Background

ADAudit Plus is a user-behavior analytics solution from ManageEngine that audits all access to Active Directory (AD) to identify anomalous behavior. According to the product website, “ADAudit Plus provides a clear picture of all changes made to your AD resources … [and] helps detect and respond to insider threat, privilege misuse, and other indicators of compromise, and in short, strengthens your organization’s security posture.” ADAudit Plus must be configured with a high-privilege domain user credential in order to function.

In this attack path example, NodeZero performed the following steps to discover the ADAudit credential that eventually led to domain compromise. Note that this penetration test ran against real production systems and no humans were involved in the discovery.

In this example case:

  1. NodeZero poisoned LLMNR network traffic originating from host host1 and acquired the NTLMv2 hash for domain user user1.
  2. NodeZero cracked the hash for user1 and logged in as user1 to the domain.
  3. NodeZero determined user1 had local admin privileges on a host host2.
  4. NodeZero logged into host2 as user1 and dumped the Security Account Manager (SAM) database file containing all local user credentials in NTLM hash format. One of the credentials dumped was for a local administrator user.
  5. NodeZero found the local administrator credential was being reused on another host host3. NodeZero “passed the hash” and logged in as a local administrator on host3.
  6. NodeZero used the local administrator credential on host3 to dump credentials from the Local Security Authority (LSA secrets). Among these secrets was the cleartext credential for the domain user adauditplus configured with ADAudit Plus.
  7. NodeZero logged in as the adauditplus user to the domain and discovered it was a domain admin.

Along the way, NodeZero identified and raised the following weaknesses:

  1. H3-2021-0034: LLMNR Poisoning Possible affecting host host1.
  2. H3-2021-0020: Weak or Default Credentials – Cracked Credentials affecting the credential for user1.
  3. H3-2022-0086: Domain User with Local Administrator Privileges affecting the credential for user1 on host2.
  4. H3-2021-0042: Credential Dumping – Security Account Manager (SAM) affecting host2.
  5. H3-2022-0084: Credential Reuse – Windows Local Administrator Accounts affecting the administrator credential on host3.
  6. H3-2021-0043: Credential Dumping – Local Security Authority (LSA) Secrets affecting host3.

Why is this frustrating?

First, the role of ADAudit Plus is to monitor for these types of credential-based attacks. It is ironic that a tool that is supposed to help users detect AD attacks is itself something that can be used to compromise AD in the end.

ADAudit Plus does not require a domain admin credential, but users often set up the ADAudit credential with domain admin privileges. ADAudit makes it easy to run with a domain admin account, whereas configuring a new least-privilege account takes extra work that users often don’t want to spend the time on.

Ultimately, as shown in Figure 1, NodeZero chained six different issues together, none of which were CVEs. They were all misconfigurations or weak credentials across six different hosts, buried among thousands of hosts, that together formed this successful attack path.


Figure 1

Key takeaway

The attack path NodeZero executed above was primarily enabled by two key issues: Privilege Management and Weak Security Controls.

Privilege management came up twice. The first domain user NodeZero acquired had local admin rights on a system, allowing NodeZero to use it to dump credentials. And the domain user credential for ADAudit Plus that NodeZero discovered at the end turned out to be a domain admin, even though it didn’t need to be.

NodeZero also performed OS credential dumping twice, once to dump SAM and another time to dump LSA secrets, yielding credentials that furthered the attack. EDR was either not present or not configured to block credential dumping.

The post Privileged Credentials Often Bite Back appeared first on Horizon3.ai.

Low-Level Credentials Can Get Big Gains

26 July 2023 at 18:15

Combining Compromised Credentials Enables Domain Takeover

When running internal phishing campaigns to help train employees, one challenge IT security teams face is explaining to leaders, “why the credentials of an intern (or whatever level employee) are valuable to attackers.” The common pushback security teams normally hear is, “They are an intern. They do not have access to anything critical, so why is it so important?”

Demonstrating how an intern’s credentials, combined with other issues, could lead to a domain compromise, sensitive data exposure, or other critical impacts is not an easy task when organizations do not have something like NodeZero™ on hand.

A credential injection test

A terrific way for security teams to tell the end-to-end story to leaders is to “inject” a low-level user’s credentials into a running NodeZero penetration test. NodeZero will then use those credentials as it identifies ways to compromise the environment.

Below is an example of a real attack performed by NodeZero with no human penetration testers or red teams involved. NodeZero started with the privileges of a low-level domain user and ultimately ended up fully compromising the domain. The attack was executed safely against production systems that were not in a lab environment.

Attack Path to Domain Compromise

  1. In this case, NodeZero started out as an authenticated member of the internal network. NodeZero was given the credential for domain user user1.
  2. NodeZero verified the credential for domain user user1 in domain domain1 over SMB.
  3. NodeZero discovered that user1 has local Administrator privileges on a Windows machine, machine1. NodeZero raised a new weakness, H3-2022-0086: Domain User with Local Administrator Privileges.
  4. Logged in as user1 on machine1, NodeZero dumped credentials from LSASS memory. NodeZero raised a weakness H3-2021-0044: Credential Dumping – Local Security Authority Subsystem Service (LSASS) Memory.
  5. Among the credentials dumped from LSASS memory on machine1 is the NTLM hash for domain user user2. Using a Pass-The-Hash attack, NodeZero verified the credential for user2 against domain1 over SMB.
  6. NodeZero discovered that user2 has local Administrator privileges on another Windows machine, machine2. NodeZero raised a new weakness, H3-2022-0086: Domain User with Local Administrator Privileges.
  7. Logged in as user2 on machine2, NodeZero again dumped credentials from LSASS memory. NodeZero raised a weakness H3-2021-0044: Credential Dumping – Local Security Authority Subsystem Service (LSASS) Memory.
  8. Among the credentials dumped from LSASS memory on machine1 is the NTLM hash for domain user admin1. Using a Pass-The-Hash attack, NodeZero verified the credential for admin1 against domain1 over SMB.
  9. NodeZero further identified that domain user admin1 is a domain admin.

How can this work?

Typically…

  • A domain user also has local admin rights.
  • With local admin rights an attacker can access sensitive processes like LSASS.

LSASS stores credentials in memory for users active on the machine. These credentials are kept in memory to provide a form of single sign-on, so the user does not have to re-enter credentials for network resources such as shares or services within the domain.

Once LSASS is dumped, additional credentials can be harvested and used to log into adjacent machines, where LSASS can be dumped again (and again, and again.)

It is highly likely that at some point, an LSASS dump will contain a privileged credential (e.g., Service Account, Domain Admin account, etc.)

In addition, the attacker has access to every system and data resource that a compromised domain user credential has access to, unless those resources are protected by MFA, which is atypical for things like file shares and databases.

Note: Typically, EDR solutions should be able to block dumping credentials from LSASS, but in practice, the effectiveness of EDR solutions can vary widely depending on how they are configured.
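As an added example (not code from the post or from NodeZero), here is detection logic a defender could run over endpoint telemetry to catch the chain described above: a non-allowlisted process opening a handle to lsass.exe, followed by NTLM network logons from that host to other machines. The event records, host-to-IP map, process allowlist and privileged-account list are all constructed for illustration; field names follow the Sysmon EventID 10 and Windows Security EventID 4624 schemas.

```python
"""Correlate suspicious LSASS access with follow-on NTLM network logons.

All events below are constructed samples, not real telemetry. Field names
follow Sysmon EventID 10 (ProcessAccess) and Windows Security EventID 4624
(Logon) as they appear in forwarded logs.
"""
from datetime import datetime, timedelta

# Processes that routinely open handles to lsass.exe on a healthy host
# (illustrative allowlist; tune it to the environment's EDR/AV binaries).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "MsMpEng.exe"}

# How long after the LSASS access we look for lateral logons from that host.
PIVOT_WINDOW = timedelta(hours=2)

# Constructed: accounts the organisation treats as privileged.
PRIVILEGED = {"admin1"}

# Constructed: the host names in the logs and their IP addresses.
HOST_IP = {"machine1": "10.0.5.11", "machine2": "10.0.5.12", "dc01": "10.0.5.1"}

# Constructed telemetry mirroring the attack path above: an unknown binary
# reads lsass.exe on machine1, then user2's hash is used over NTLM against
# machine2, where LSASS is read again and admin1 is then used against dc01.
EVENTS = [
    {"time": "2023-07-26 09:00:00", "host": "machine1", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"time": "2023-07-26 09:05:00", "host": "machine1", "EventID": 10,
     "SourceImage": r"C:\Users\user1\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"time": "2023-07-26 09:20:00", "host": "machine2", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.5.11", "TargetUserName": "user2"},
    {"time": "2023-07-26 09:30:00", "host": "dc01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.5.11", "TargetUserName": "user1"},
    {"time": "2023-07-26 10:15:00", "host": "machine2", "EventID": 10,
     "SourceImage": r"C:\Users\user2\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"time": "2023-07-26 10:30:00", "host": "dc01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.5.12", "TargetUserName": "admin1"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_lsass_access(events):
    """Return (time, host, process) for every non-allowlisted handle to lsass.exe."""
    hits = []
    for e in events:
        if e["EventID"] != 10:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        proc = e["SourceImage"].rsplit("\\", 1)[-1]
        if proc not in LSASS_ALLOWLIST:
            hits.append((parse_ts(e["time"]), e["host"], proc))
    return hits


def find_pivots(events, host_ip):
    """For each suspicious LSASS access, collect NTLM network logons (4624,
    logon type 3) that originate from that host's IP within PIVOT_WINDOW and
    land on a different host. Kerberos logons are ignored because a
    pass-the-hash logon shows up as NTLM."""
    chains = []
    for t0, host, proc in find_lsass_access(events):
        src_ip = host_ip[host]
        logons = []
        for e in events:
            if e["EventID"] != 4624 or e["LogonType"] != 3:
                continue
            if e["AuthenticationPackageName"] != "NTLM" or e["IpAddress"] != src_ip:
                continue
            t = parse_ts(e["time"])
            if e["host"] != host and t0 <= t <= t0 + PIVOT_WINDOW:
                logons.append((e["TargetUserName"], e["host"]))
        if logons:
            chains.append({
                "source": host,
                "process": proc,
                "logons": logons,
                "privileged": sorted({u for u, _ in logons} & PRIVILEGED),
            })
    return chains


if __name__ == "__main__":
    for c in find_pivots(EVENTS, HOST_IP):
        print(f"{c['source']}: {c['process']} read LSASS, then NTLM logons {c['logons']}"
              f" (privileged: {c['privileged'] or 'none'})")
```

On the sample data this reports two chains, the second of which reaches the privileged account admin1 on dc01, which is exactly the point at which the post's attack path became a domain compromise.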

The likely outcome

Something as simple as gaining a low-level employee’s credentials can allow attackers to eventually become a domain admin, which means the domain is fully compromised, and all hosts, domain user accounts, data, infrastructure, and applications tied to that domain should be considered fully compromised as well. Additionally, applications running on a domain-joined machine or any application that uses Active Directory integration to authenticate users should be considered fully compromised too.

Attack path details taken from NodeZero

As shown in Figure 1, during the attack, NodeZero leveraged:

  • H3-2022-0086: Domain User with Local Admin
  • H3-2021-0044: LSASS Dump
  • H3-2021-0044: LSASS Dump
  • H3-2022-0086: Domain User with Local Admin

The attack path involved 3 compromised credentials:

  • Domain user user1 (injected into the pentest)
  • Domain user user2
  • Domain admin admin1

The attack spanned 5 hosts.


Figure 1

Key takeaway

This attack path is very common in internal pentests and is typical of the methods real-world attackers use once they have breached the perimeter. Not a single CVE was used, and no humans were involved; it was just NodeZero pivoting with credentials and eventually becoming Domain Admin in a little over six hours. The key takeaway is to ensure least-privilege access for users: domain users having local admin privileges is what led to LSASS being dumped twice in this case. In addition, tuning EDR solutions to detect and block credential dumping can help.

The post Low-Level Credentials Can Get Big Gains appeared first on Horizon3.ai.

Veeam CVE Leads to Full Compromise

26 July 2023 at 18:15

Recent CVE Affecting Veeam Backup Software Leads to Domain and AWS Takeover

Veeam Backup and Replication software is commonly used by enterprises for data protection and ransomware recovery. Earlier this year a vulnerability affecting Veeam, CVE-2023-27532, was disclosed. This vulnerability enables attackers to dump highly privileged credentials used by Veeam for backup operations.

NodeZero has been able to successfully exploit the Veeam CVE in many environments. In the example below, NodeZero leveraged the Veeam vulnerability to fully compromise a client’s on-prem environment and AWS infrastructure.

To be clear, the attack paths that NodeZero discovers are completely valid paths that an attacker could take, and following them can lead to complete compromise. This is a real attack performed by NodeZero with no human penetration testers involved. The attack was executed safely against production systems that were not in a lab environment.

Attack Path #1: The Path to Domain Compromise

In this attack path, NodeZero leveraged 4 weaknesses, one being the recent Veeam CVE, to become domain admin. The attack path involved 2 compromised credentials and spanned 4 hosts.

NodeZero started off as an unauthenticated member of the internal network. Then:

  1. NodeZero was launched from host x.x.x.x on ~Jun 19
  2. NodeZero discovered the Veeam Backup and Replication service running in the environment on port 9401.
  3. NodeZero identified that the Veeam service is vulnerable to CVE-2023-27532 (Veeam Backup and Replication Credential Disclosure Vulnerability). NodeZero exploited the vulnerability to dump cleartext credentials from Veeam.
  4. One of the credentials NodeZero acquired from Veeam is for a domain user, service1. NodeZero verified service1’s credential by logging into the domain domain1 as that user over SMB.
  5. NodeZero discovered that service1 has local Administrator privileges on a Windows machine, machine1. NodeZero raised a new weakness, H3-2022-0086: Domain User with Local Administrator Privileges.
  6. Logged in as service1 on machine1, NodeZero dumped credentials (NTLM hashes) for all local users from the Security Account Manager (SAM) database. NodeZero raised a weakness H3-2021-0042: Credential Dumping – Security Account Manager (SAM) Database.
  7. One of the NTLM hashes NodeZero acquired from the SAM dump on machine1 is for a local user admin1. Using a Pass-the-Hash attack, NodeZero discovered that the credential for admin1 also happens to be a domain user on domain1. NodeZero raised a weakness H3-2022-0085: Credential Reuse – Shared Windows Local User and Domain User Accounts.
  8. NodeZero further identified that domain user admin1 is a domain admin.

In other words, NodeZero proved it could become a domain admin and take over all machines connected to the domain in approximately 2.5 hours. Figure 1 highlights this attack path.


Figure 1

Attack Path #2: The Path to AWS Compromise

Now let’s look at another attack path in the same environment that led to full AWS account compromise via the same Veeam CVE.

  1. NodeZero was launched from host x.x.x.x on ~Jun 19
  2. NodeZero discovered CVE-2023-27532: Veeam Backup and Replication Credential Disclosure Vulnerability affecting the MC-NMF service on Veeam1 port 9401
  3. NodeZero discovered an AWS Access Key XXXXXXXXXXXXXXXXXXXX on the MC-NMF service on Veeam1 port 9401 by exploiting CVE-2023-27532: Veeam Backup and Replication Credential Disclosure Vulnerability
  4. NodeZero verified the credential for AWS admin user aws1 in AWS account xxxxxxxxxxxx on AWS STS (Security Token Service)

NodeZero executed the attack path in Figure 2 in about 1 hour and 20 minutes. NodeZero would go on to compromise other AWS accounts this organization used with the same credential.


Figure 2

Key Takeaways

The attack path examples above highlight the value of autonomous pentesting.

One of the interesting aspects of the Veeam CVE is that it is rated as a 7.5 (High) by the National Vulnerability Database (NVD). In many organizations, this vulnerability would not be prioritized for patching relative to other Critical-level vulnerabilities. The reality, as proven here by NodeZero, is that exploiting this vulnerability can lead to full compromise. NodeZero can be used to assess the true impact of a vulnerability in any environment.

In addition to the Veeam CVE, NodeZero also identified and exploited other important weaknesses common in many environments: over-privileged domain users, insufficient EDR controls to prevent credential dumping, and credential reuse. In the attack path to domain compromise, the Veeam CVE provided NodeZero initial access, and the subsequent weaknesses enabled NodeZero to take over the domain. NodeZero performed the same actions a human pentester would by chaining multiple weaknesses together to arrive at the greatest impact possible.

The post Veeam CVE Leads to Full Compromise appeared first on Horizon3.ai.

You Can’t Manage Risk if You Lack Context

29 June 2023 at 16:50

Low-Level Vulnerability Leads to Domain Compromise

Although vast numbers of organizations purchase and utilize some sort of vulnerability management solution and may perform in-house penetration tests on their own networks, most struggle with knowing what not to fix because they lack context about what is truly exploitable. As a result, organizations spend vast amounts of time fixing issues that are of minimal risk.

There is a considerable difference between being vulnerable and being exploitable, and lacking context is an enormous challenge most organizations face. In many cases, organizations are using some sort of assessment tool that labels their findings with CVSS scores, but often they are of little use since these scores are primarily used to measure severity—and are not used to measure “your” risk. Severity refers to the seriousness of an issue, but risk refers to the possibility of loss or injury. If something is seen as not being severe, how much risk can really be involved? Lots.

It’s become all too clear that a more advanced pentesting approach is the only viable way to unravel the two questions that follow:

  1. How do we determine the difference between weaknesses that make our organization vulnerable vs. weaknesses that make us exploitable?
  2. How do we accurately prioritize each occurrence of a vulnerability finding based on its downstream impacts, and what should we fix first?

Let’s look at an example

An SMB Signing Not Required finding is a notable example of an issue with a low-severity CVSS score (~5.0) that can still pose a substantial risk. The finding is viewed as elevating risk because an unauthenticated, remote attacker could potentially exploit it to conduct man-in-the-middle attacks. Most people believe these attacks are difficult to pull off, but that is not always the case. Remember, risk is all about the possibility of loss or injury.

Although SMB Signing Not Required has a low CVSS score, a savvy attacker can chain this misconfiguration together with other issues and become a Domain Administrator, compromise hosts and users, and/or gain access to sensitive data. Even worse, a run-of-the-mill vulnerability scanner will classify all occurrences of SMB Signing Not Required as “low” because vulnerability scanners lack the attacker’s perspective and provide little, if any, context.

How is NodeZero™ different?

NodeZero is the industry’s first fully autonomous pentesting platform and is far more advanced than your typical vulnerability scanner. NodeZero will utilize each occurrence of an issue in an attack path, then it will accurately score each occurrence of that weakness based on its downstream impacts (see Figure 1), capturing the proof of exploitation along the way. In this example, NodeZero:

  1. Provides a true vulnerability SCORE
  2. Supplies the NodeZero WEAKNESS ID
  3. Delivers context into the number of DOWNSTREAM IMPACTS
  4. Shows all potential ATTACK PATHS
  5. Provides TIME TO DISCOVER
  6. And allows the user to select and view PROOFS

When looking at the SCORE column in Figure 1, we see that this risk is a 10+. Then when looking at the DOWNSTREAM IMPACT column, the at-risk hosts are exploitable to one or more of the following outcomes:

  • Domain Compromise
  • Host Compromise
  • Domain User Compromise

And according to NodeZero, there are at least 73 attack paths where this vulnerability could be exploited. This is what we mean by “context-based scoring,” which is very different from a CVSS score.


Figure 1

NodeZero has proven that this low-severity issue carries an extremely elevated risk of exploitation, because it knows it could exploit these occurrences and achieve domain, host, and/or user compromise.
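The context-based scoring described in this section, and the “systemic issue” figure in the first post above (where fixing one weakness removes a share of the critical impact paths), can be illustrated with a small attack-path graph. This is an added example, not NodeZero’s algorithm or data: the graph, host names, weakness occurrences and severity figure are constructed, and an attack path is modelled as a simple path from the pentest’s starting point to an impact node.

```python
"""Score weakness occurrences by downstream impact rather than by severity.

The graph below is constructed for illustration. Nodes are either weakness
occurrences ("<weakness>:<host>") or impacts; an edge means the source lets
an attacker reach the target. This is not NodeZero's model or data.
"""

START = "start"

IMPACTS = {
    "Host Compromise:srv1", "Host Compromise:srv2", "Host Compromise:app1",
    "Domain User Compromise:user1", "Domain Compromise",
}
CRITICAL = {"Domain Compromise"}

# Constructed graph: two occurrences of the same SMB signing finding, one of
# which leads (via a domain user with local admin and an LSASS dump) to
# domain compromise, plus an insecure JMX service whose SAM dump does too.
GRAPH = {
    START: ["SMB Signing Not Required:srv1", "SMB Signing Not Required:srv2",
            "Insecure Java JMX:app1"],
    "SMB Signing Not Required:srv1": ["Host Compromise:srv1",
                                      "Domain User Compromise:user1"],
    "SMB Signing Not Required:srv2": ["Host Compromise:srv2"],
    "Insecure Java JMX:app1": ["Host Compromise:app1", "SAM Dump:app1"],
    "SAM Dump:app1": ["Domain Compromise"],
    "Domain User Compromise:user1": ["Domain User with Local Admin:machine1"],
    "Domain User with Local Admin:machine1": ["LSASS Dump:machine1"],
    "LSASS Dump:machine1": ["Domain Compromise"],
}

# Illustrative scanner severity per weakness type (the post quotes ~5.0 for
# SMB Signing Not Required); it is identical for every occurrence of a type.
SEVERITY = {"SMB Signing Not Required": 5.0}


def enumerate_paths(graph, start, impacts):
    """Every simple path from `start` that ends at an impact node. A path is
    recorded each time an impact is reached and the walk then continues, so a
    compromised user that enables further steps yields several paths."""
    paths = []

    def walk(node, path):
        if node in impacts:
            paths.append(tuple(path))
        for nxt in graph.get(node, []):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def score_weaknesses(paths, impacts):
    """Per weakness occurrence: number of attack paths that pass through it
    and the downstream impacts those paths reach."""
    scores = {}
    for path in paths:
        for node in path[1:]:
            if node in impacts:
                continue
            entry = scores.setdefault(node, {"paths": 0, "impacts": set()})
            entry["paths"] += 1
            entry["impacts"].add(path[-1])
    for entry in scores.values():
        entry["impacts"] = sorted(entry["impacts"])
        entry["critical"] = any(i in CRITICAL for i in entry["impacts"])
    return scores


def critical_paths_removed(paths, weakness, critical):
    """Fraction of critical-impact paths that disappear if `weakness` is fixed."""
    crit = [p for p in paths if p[-1] in critical]
    if not crit:
        return 0.0
    return sum(1 for p in crit if weakness in p) / len(crit)


def ranked(scores):
    """Order occurrences by critical impact, impact count, then path count."""
    return sorted(scores, key=lambda w: (scores[w]["critical"],
                                         len(scores[w]["impacts"]),
                                         scores[w]["paths"]), reverse=True)


if __name__ == "__main__":
    paths = enumerate_paths(GRAPH, START, IMPACTS)
    scores = score_weaknesses(paths, IMPACTS)
    for w in ranked(scores):
        sev = SEVERITY.get(w.split(":")[0], "n/a")
        print(f"{w:40} severity={sev:<4} paths={scores[w]['paths']} "
              f"impacts={scores[w]['impacts']}")
    for w in ("Insecure Java JMX:app1", "SMB Signing Not Required:srv2"):
        pct = 100 * critical_paths_removed(paths, w, CRITICAL)
        print(f"fixing {w} removes {pct:.0f}% of critical impact paths")
```

The two SMB signing occurrences share the same severity but rank very differently: srv1 sits on three paths including one to Domain Compromise, while srv2 only exposes its own host.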

Security teams now get context on what to prioritize

Once a security team receives the results from a NodeZero pentest, they understand what to prioritize for remediation. When they have remediated the issues at hand, they normally want to verify that they have properly fixed each occurrence of the issue.

Rather than having to rerun the entire pentest, security teams can select the specific occurrences they want to test and execute a “retesting” workflow on NodeZero, which is a narrowly scoped pentest that only checks for those specific weaknesses. Not only do they immediately know what to fix, they can also prove that their fix was effective. This is a valuable time-saving feature.

Key takeaway

Context-based scoring on downstream impacts, combined with our retesting workflow, is one of the most used features within NodeZero. This enables organizations to accurately prioritize fixing security weaknesses that can be exploited, then quickly verifying that the detected issues have been remediated. In all reality, context into risk is what matters most.

The post You Can’t Manage Risk if You Lack Context appeared first on Horizon3.ai.

Clients Want Assessments to Prove Service Efficacy

5 June 2023 at 13:57

The Solution to the Growing Divide Between Providers and Clients

Gartner® recently published a report called, Emerging Tech: Grow Your Security Service Revenue with Cybersecurity Validations. We believe the report provides research from a buyer’s perspective on security services they purchase while offering guidance to MSPs and MSSPs on how to improve retention and upsell rates of the critical services they provide. So, what has Gartner discovered, and what do they recommend?


From the buyers’ perspective

Since Gartner performs inquiry sessions with clients who purchase security services, they have a unique opportunity to learn what organizations are most concerned about. The report highlights some of its key findings as follows:

  • “As more executives engage in the cybersecurity purchase and retention decision, security service clients are wanting more than just threat detection and response for their IT/OT/cloud environments.
  • Many security service clients express frustration in not knowing what their provider does for them, and they question the benefits of the service.
  • Security service clients lack cybersecurity resources and look to their provider for guidance on what to do to mitigate risk. They want a partner that will proactively help them improve their security maturity.”1

Also in the report, clients expressed the desire to have processes in place so that they can validate their provider’s security services are working as claimed since they struggle to confirm the results of their providers. These processes would include a way of validating that services are improving clients’ security postures, reducing their risk, and securing their critical data and operations. The discussion around validations in the report highlights several technology areas to consider like:

  • Attack Surface Management (ASM)
  • Breach and Attack Simulation (BAS)
  • Automated (Autonomous) Penetration Testing and Red Teaming

From the providers’ perspective

On the flip side, Gartner had inquiry sessions with service providers who expressed their utmost desire to help clients prevent negative outcomes from cyberattacks. However, they lack clarity on what the client’s security posture is and seldom see clients taking responsibility to improve their position. As we can see from the report, we feel there is a disconnect between those who purchase services and those that deliver them.

Why we think this report is important

Gartner has the distinguished role of hearing from both sides of the many dilemmas in our industry. And when they do, we feel not only do they provide an analysis of what they hear, but they also bounce solutions off both sides of the jam to see what sticks. In this case, the Gartner report provides actionable recommendations for sellers of security services. From the service provider perspective, the report provides critical insights about how to grow revenue with distinct options providers should consider, and advice on what to do from both a short-term and longer-term outlook to meet their clients’ needs. Simply put, clients want more out of their providers and are willing to invest in enhanced services. Following the guidance in the report will turn out to be a win-win for both parties involved. Those who want to learn more about the contents of the report can download it here. [link]

Why we think Horizon3.ai was mentioned in this report

Because our autonomous pentesting solution, called NodeZero, is the AI-driven pentesting co-pilot MSPs, MSSPs, and security consultants have come to rely on to meet their clients’ growing needs for validations—and more. The reason for this is simple. NodeZero is a force multiplier that helps service providers perform comprehensive adversary emulation and autonomous penetration testing exercises. This allows providers to meet their deliverables, enhance their clients’ security, and improve revenue and retention, all while tremendously reducing the amount of time needed to do so.

“We are seeing a tremendous uptick in interest from security providers who want to up their game and expand their services to include security assessment as part of their repertoire,” says Snehal Antani, Horizon3.ai co-founder and CEO. “They tell us there are not enough skilled assessors (aka pentesters) to perform the needed services. For example, there are only about 6000 OSCP certified ethical hackers in the US alone, and fewer elsewhere. This fact leaves providers often unable to deliver and/or enhance their services to meet client demand. This is where NodeZero comes into play.”

Today, there are many security service providers, MSPs, MSSPs, and security consultants who have standardized many of their services on NodeZero, stating that it is enabling them to overcome the limited number of pentesters they can tap into today. Not only can the solution run autonomous pentesting, but more importantly, the solution helps build a baseline of where service delivery clients are upon service engagement. This way, providers can validate improvement over time and clients can rest assured risks are reduced.

For example, “NodeZero has changed the game for my team and for our customers. What took us five person-days is now less than two days, and our customers can get frequent telemetry as opposed to a periodic snapshot of risk,” said Kelly Robertson, CEO at SecureCENTRX.

NodeZero enables providers to see their clients’ networks through the eyes of an attacker. With this perspective, they can continuously identify attack paths and exploitable weaknesses that need to be fixed. These weaknesses span critical vulnerabilities and misconfigurations, compromised credentials, sensitive data exposure, and ineffective security controls and security policies. NodeZero’s reporting interface enables security providers and clients to easily understand attack paths, which weaknesses to prioritize for fixing, and how to fix them. This reduces mean-time-to-remediation (MTTR) and helps providers prove their services are delivering increasing value to their clients. MSPs and MSSPs can charge clients to fix problems that NodeZero surfaces, and they and their clients can use NodeZero to conveniently verify fixes. No longer will clients be in the dark about service efficacy.

Strategic Planning Assumptions

According to the report, “The number of security service providers that provide cybersecurity validation assessments to test their service efficacy and their client’s security posture will grow from less than 10% in 2023 to up to 40% in 2025 and over 50% by 2026. Security services providers that adopt this cybersecurity validation assessment trend will see improvement of over 5% in their acquisition, retention and upsell rates.”

After reading this report, we believe service providers that want to align to these strategic planning assumptions should seriously consider onboarding NodeZero as part of their assessments to meet these strategic goals.

Download your complimentary copy of the Gartner report and learn how to expand your business today.


1. Gartner, Emerging Tech: Grow Your Security Service Revenue With Cybersecurity Validations, Travis Lee, 10 April 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Clients Want Assessments to Prove Service Efficacy appeared first on Horizon3.ai.

Horizon3.ai and Autonomos.ai Partner to Introduce Advanced Cybersecurity into Africa

1 June 2023 at 14:19

Businesswire 06/01/2023

Autonomos.ai has joined forces with Horizon3.ai, a U.S.-based cybersecurity firm, as a fully licensed and Certified Partner to introduce advanced cybersecurity services to the African continent. This partnership aims to provide enterprises, governments, and NGOs with a comprehensive and proactive defense against cyber threats….

Read the entire article here


Financial sector should perform penetration tests on its own according to EU regulation DORA

4 May 2023 at 15:35

PressePortal 05/04/2023

In 2022, the weekly number of cyberattacks in the financial industry averaged 1,131 attacks – a 52 percent increase in one year, according to Check Point Research figures. More than two-thirds of large institutions were affected by at least one cyberattack, not including successfully prevented attacks and unreported cases…

Read the entire article here


Public University Uses NodeZero to Close Gaps, Prove Value of Cybersecurity

11 April 2023 at 15:54

One of our customers, a public university in Victoria, British Columbia, is constantly looking for ways to improve their overall cybersecurity posture – and has started using NodeZero’s autonomous pentesting capabilities to keep their students, faculty, and data safe.

Speaking with us was the University’s Senior IT Security and Risk Specialist, a role that didn’t exist until 2017. As in many organizations, cybersecurity needed an in-house champion to bring it to the top of mind.

“Before that, there wasn’t someone dedicated to security, and virtually no policies for cybersecurity at all,” he mentioned. “My role as the sole security person here touches all areas from proposing and drafting policies, to firing up the Zeek server to look at the logs, look for strange traffic, and everything in between.”

Since joining, he has been working on aligning the university’s cybersecurity policies with industry best practices in a number of areas, and has instituted a handful of programs to address vulnerability management and user management.

A while back, the organization ran into a situation where there was an abundance of minor account compromises that cumulatively turned into a hassle for everyone involved. Taking the lead, the risk specialist started building out awareness training, advocating basic policies, and building an expectation of basic cyber hygiene.

“We started to reduce the number of those kinds of incidents, which also worked out well as that was right around the time we had a few minor ransomware incidents,” he said.

“But because I’d done that work with the business units (developing better awareness and preparedness), we were able to resolve those incidents quickly.” This also led to the university realizing it needed someone in that security role full time.

NodeZero as a Difference Maker

The university wanted to do some penetration testing to get confirmation that the changes they’d been implementing were working and to identify any security gaps that might remain.

“I took advantage of some pre-negotiated contracts in place by our being a public body, and asked vendors for some quotes. After my heart restarted after seeing the quotes, I just happened to get an email from the Horizon3.ai sales team and said, ‘ok let’s take a look at it’,” said the risk specialist. “I saw the ability of NodeZero to do what I needed to do at a similar cost, but also with the ability to repeat that find, fix, verify process and customize the testing the way I wanted it done.”

That flexibility and the find, fix, verify loop really drew him in during the initial test.

“That’s really what we wanted to do,” he said. “The way Horizon3.ai is set up allows for that. It shows where problems are and provides guidance on what we need to do to fix it. It has the right philosophy, as opposed to just asking: what can we break into? I can get a kid from high school to hack away at our network, but the question is, how do we fix it?” He also found that the ability to do multiple pentests is a huge benefit.

“It was a breath of fresh air. I can repeat this!” he said. “When one network segment showed some interesting vulnerabilities, I was able to fix them and repeat the test to verify that things were much better.”

This was the difference from traditional pentesting options, where it would cost thousands of dollars and take weeks, if not months, to bring a team in to test and assess every time.

Improving Credentials Hygiene and Beyond

NodeZero was particularly helpful in addressing the common struggles associated with credentials hygiene and patching.

“We have people who felt that having a nice, long password meant nobody would ever guess it. We’re now able to show that’s not true,” said the risk specialist. Character count matters, but a long password is ineffective when it has been reused from a previous breach or is a simple string.

NodeZero provides password analytics from the NTDS database in their domain, pinpointing exactly where their credential policy is effective. NodeZero was also able to help with vulnerabilities that were consistently getting flagged as weaknesses in scans.

“Those vulnerabilities became a pivot point – we now have proof that there’s a vulnerability, here’s what happens when it exists, now let’s fix it,” he said.

It helped minimize pushback and enabled him to offer proof to higher-ups. By reporting on vulnerabilities or other cybersecurity issues so that everyone in a leadership role sees them at the same time, everyone knows what needs to be fixed, which helps foster cooperation so those improvements move forward quickly and easily.

Deciding on NodeZero

The University did look at other, traditional pentesting options as well as NodeZero before signing on.

“Typically, they were security companies that had a standing contract with our provincial government,” said the specialist. “I didn’t look at anyone doing it autonomously the way NodeZero does it. I saw the chance to spend the same money but gain more capabilities.”

Coincidentally, the opportunity for a trial run came up at the end of the fiscal year, and there was some budget left, which enabled him to show leadership the value of NodeZero.

“The reports enabled my CIO to show the executive team that we’re being proactive and taking the steps our board wants us to take, and we can demonstrate we’re taking positive action to secure our environment,” he said.

The IT and Risk Specialist has been very impressed not just with NodeZero as a tool, but also by the team behind it. “I’ll tell you, the support is phenomenal,” he told us. “I can’t tell you how many times I’ve been in the middle of an op and the chat bubble pops up because someone is there and concerned that I’m having an issue. It takes customer service to the next level.”

The team’s proactive approach has made a big difference.

“I’ve come in to work in the morning and found an email from someone at Horizon3.ai letting me know they’d reviewed our ops, found a vulnerability, and let me know how to fix it,” he said.

And then there’s the overall ease of use NodeZero offers.

“Setting up an op is simple. It’s so easy an old guy like me can do it, and it not only tells me what’s broken but how to fix it,” he remarked. “It shows the attack chain, how it got in, how to fix it, and then I can use that to demonstrate to others what needs to happen. We get the attack chain, proof, and how to fix it, all in one package.”


