“Lift & Drag”, BeyondTrust, Absolute DataExplorer, & RDP Exploits – ESW #241
This week in the Enterprise News, "inertia in cybersecurity strategy", Check Point acquires Avanan, Absolute DataExplorer, BreachQuest Launches with $4.4m in seed funding, Acronym Bingo, & More!!!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Hosts
Adrian Sanabria
Principal Researcher at The Defenders Initiative
- 1. Comcast Business to Acquire Masergy, a Pioneer in Software-Defined Networking and Cloud Platforms
- 2. Elastic and Cmd Join Forces to Help Customers Take Command of Their Cloud Workloads
- 3. Incident Response Firm BreachQuest Launches With $4.4 Million in Seed Funding
- 4. IronNet Completes Business Combination with LGL Systems Acquisition Corp.
- 5. Check Point Software Technologies Acquires Avanan, the fastest growing cloud email and collaboration security company, to redefine security for cloud email
Paul Asadoorian
Principal Security Researcher at Eclypsium
- 1. ThycoticCentrify Enhances DevOps Security with Certificate-Based Authentication and Configurable Time-to-Live for All Cloud Platforms: "The latest version offers certificate-based authentication and the ability to configure Time-to-Live (TTL) for secrets, leading to even tighter DevOps security and easier management."
- 2. LogPoint Acquires SecBI to Add SOAR and XDR Platforms: "LogPoint, a provider of security information event management (SIEM) platform and user behavior analytics tools, today revealed it has acquired SecBI, a provider of an integrated security orchestration and automated response (SOAR) and extended detection and response (XDR) platform." - Check the boxes on acronym bingo.
- 3. D3 Security raises $10M to accelerate advancement of its next-generation SOAR platform: "D3’s SOAR platform helps many of the world’s most sophisticated security teams integrate their security tools, eliminate time-consuming tasks via automation, and orchestrate lightning-fast responses to threats."
- 4. Query.AI’s enhancements drive efficiencies in cybersecurity investigations: "The Query.AI platform serves as a connective tissue that delivers federated search to conduct investigations across data silos and eliminates the antiquated approach of universal data centralization."
- 5. Absolute Software: Announces General Availability of Absolute DataExplorer - Kinda neat how it lives in firmware; we always talk about bad things that could live in firmware, but this is a legit tool that lives in firmware: "Anchored by its firmware-embedded Persistence® capabilities residing in more than 500 million endpoints, Absolute provides an undeletable digital tether to every device - enabling customers to maintain enhanced visibility across their device fleets and reliably monitor critical hardware and software information."
- 6. Privileged Remote Access Version 21.2 Introduces BYOT for SSH, UI Enhancements, & More: "With this release, Privileged Remote Access enables organizations to properly manage and inject credentials managed by Azure AD Domain Services. Administrators can now leverage the Secure Remote Access Vault to rotate account credentials managed by Azure Active Directory Domain Services"
- 7. BeyondTrust Labs Report Demonstrates Removing Admin Rights and Implementing Application Controls Highly Effective in Preventing Malware: "Removal of admin rights and implementation of pragmatic application control are two of the most effective security controls for preventing and mitigating the most common malware threats." - Agree?
- 8. Lift and drag: confronting complacency and disrupting inertia in cybersecurity strategy: "Psychological inertia, as it is known in medical literature, is prevalent in workplace change management because committing to the changes necessary to achieve higher-level objectives causes individuals to feel anxiety and fear. So, even though the workforce acknowledges the security benefits of a Zero Trust model, they resist the necessary changes in their daily routine." - This is so common! "In fact, most wildly successful organizations can point to one or more significant disruptions that served as the catalyst to overcome status quo bias and drive innovation." - I've always said you have to scramble a few eggs to make an omelet...
- 9. Exploiting CVE-2018-13379 – A Case Study: "Successfully authenticated user credentials were saved, in plaintext, to this file. Any unauthenticated visitor could exploit the vulnerability to retrieve this file and collect plaintext credentials." - Why can't we just patch this? Did we not know it existed, or did we know and get pushback? "The primary method of access and lateral movement was through the VPN and Remote Desktop Protocol (RDP)." - Curious if MFA could be implemented system-wide for RDP connections, as I believe this is possible, not expensive, and not a huge inconvenience. "Four months into the incident, PsExec was run from a VPN source IP to create a scheduled task on domain controllers." - This should generate an alert; also curious how common this is for legitimate admins or software to create a scheduled task on a domain controller...
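The last item ends on a detection question: a scheduled task created on a domain controller from a PsExec session that came in over the VPN. Below is an added example (not code from the case study, from this page, or from any vendor mentioned above) of the correlation a SOC could run over exported Windows events. It joins three standard audit events: Security 4624 gives each logon session a source address, System 7045 records the PSEXESVC service that PsExec installs on the target, and Security 4698 records the task creation under a logon ID. The DC inventory, the VPN address pool, and every sample event are constructed for the example.

```python
"""Correlate Windows events to flag scheduled-task creation on domain controllers
that arrives through a VPN session or alongside a PsExec service install.

Event IDs used (standard Windows audit events):
  4624 (Security) - an account was logged on; carries TargetLogonId and IpAddress
  4698 (Security) - a scheduled task was created; carries SubjectLogonId and TaskName
  7045 (System)   - a new service was installed; PsExec installs PSEXESVC
All hostnames, addresses and events below are constructed for this example.
"""
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01", "DC02"}    # assumed DC inventory
VPN_POOLS = ("10.200.0.",)               # assumed VPN address pool prefix(es); must be a tuple
PSEXEC_WINDOW = timedelta(minutes=10)    # max gap between PSEXESVC install and task creation


def _ts(value):
    """Parse the UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample events; keys mirror the EventData field names of the real events.
EVENTS = [
    # Network logon to DC01 from an address in the VPN pool
    {"Computer": "DC01", "EventID": 4624, "Time": "2021-08-10T02:10:58Z",
     "TargetUserName": "svc-backup", "TargetLogonId": "0x3E7AB1",
     "LogonType": "3", "IpAddress": "10.200.0.17"},
    # PsExec copies and starts its service on DC01
    {"Computer": "DC01", "EventID": 7045, "Time": "2021-08-10T02:11:04Z",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Scheduled task created under that same logon session
    {"Computer": "DC01", "EventID": 4698, "Time": "2021-08-10T02:11:09Z",
     "SubjectUserName": "svc-backup", "SubjectLogonId": "0x3e7ab1",
     "TaskName": "\\Microsoft\\Windows\\bk"},
    # Routine task created by SYSTEM on DC02; no network logon behind it
    {"Computer": "DC02", "EventID": 4698, "Time": "2021-08-10T03:00:00Z",
     "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    # VPN user creating a task on a workstation: not a DC, so out of scope here
    {"Computer": "WS042", "EventID": 4624, "Time": "2021-08-10T09:15:00Z",
     "TargetUserName": "alice", "TargetLogonId": "0x9a1",
     "LogonType": "3", "IpAddress": "10.200.0.31"},
    {"Computer": "WS042", "EventID": 4698, "Time": "2021-08-10T09:15:20Z",
     "SubjectUserName": "alice", "SubjectLogonId": "0x9a1",
     "TaskName": "\\OneDrive Standalone Update Task"},
]


def detect_dc_task_creation(events, dcs=DOMAIN_CONTROLLERS,
                            vpn_pools=VPN_POOLS, window=PSEXEC_WINDOW):
    """Return one alert per 4698 on a domain controller whose creating session
    logged on from the VPN pool and/or coincides with a PSEXESVC install."""
    # (host, logon id) -> source address, from 4624. Logon IDs are only unique
    # per host and per boot, so always key on the host as well.
    sessions = {}
    psexec_installs = {}   # host -> [times PSEXESVC was installed]
    for e in events:
        if e["EventID"] == 4624:
            sessions[(e["Computer"], e["TargetLogonId"].lower())] = e["IpAddress"]
        elif e["EventID"] == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
            psexec_installs.setdefault(e["Computer"], []).append(_ts(e["Time"]))

    alerts = []
    for e in events:
        if e["EventID"] != 4698 or e["Computer"] not in dcs:
            continue
        reasons = []
        source = sessions.get((e["Computer"], e["SubjectLogonId"].lower()))
        if source and source.startswith(vpn_pools):
            reasons.append(f"creating session logged on from VPN address {source}")
        created = _ts(e["Time"])
        if any(abs(created - t) <= window for t in psexec_installs.get(e["Computer"], [])):
            reasons.append("PSEXESVC service installed on this host within the window")
        if reasons:
            alerts.append({"host": e["Computer"], "user": e["SubjectUserName"],
                           "task": e["TaskName"], "time": e["Time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_dc_task_creation(EVENTS):
        print(f"ALERT {a['time']} {a['host']} task {a['task']!r} by {a['user']}: "
              + "; ".join(a["reasons"]))
```

Two caveats when turning this into a production rule. Event 4698 is only logged when "Audit Other Object Access Events" is enabled in the advanced audit policy, so confirm it is actually being collected from the DCs before relying on it. And the 7045 check only catches PsExec run with its default service name; PsExec's `-r` option lets the operator rename the service, so a fuller rule should also treat any 7045 whose image lives directly under the system root with an unfamiliar service name as suspect. Routine machine-account tasks such as the DC02 Defrag entry above produce no alert here because the rule keys on the provenance of the creating session rather than on the bare event, which keeps the volume manageable while still surfacing the VPN-plus-PsExec pattern described in the case study.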