The Gately Report: Live Patching Beneficial Tool for MSSPs, CISA Launches Early Ransomware Notification
Also, the number of ransomware victims skyrocketed last month compared to January.
Channel Futures: What is live patching versus conventional patching? How does live patching work?
Jim Jackson: Conventional patching can be either simply the process of loading updated versions of software that fix bugs and vulnerabilities in the old version, or loading and applying patches that fix specific vulnerabilities using OS tools. For components that run in memory during operations (the kernel, shared libraries, etc.) the updates or patches applied on disk are not updated in the runtime version until the component is restarted or the entire environment is rebooted. That’s where live patching comes in. Live patching applies the patch code to components directly in memory during operations versus updating their disk versions.
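To illustrate Jackson's point that an update written to disk does not reach already-running code until a restart, here is an added example (not from the interview, and not TuxCare's tooling) that finds processes still mapping a replaced shared library and checks whether a newer kernel is installed than the one running. It assumes Linux /proc semantics; the maps excerpt and kernel version strings are constructed.

```python
"""Find code updated on disk that is still running unpatched. Added example, not
from the article or TuxCare: on Linux a replaced shared library stays mapped by
running processes and shows as "(deleted)" in /proc/<pid>/maps, and a newly
installed kernel runs only after a reboot; these are the gaps a restart or live
patching closes."""
import os
import re
from typing import Dict, List, Set

# One maps line: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$")


def stale_libraries(maps_text: str) -> Set[str]:
    """Paths of executable, file-backed mappings whose on-disk file was replaced."""
    stale: Set[str] = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        # Skip anonymous memory and non-executable segments; memfd objects are
        # always reported "(deleted)" and are not package files, so skip them too.
        if m.group("inode") == "0" or "x" not in m.group("perms"):
            continue
        if path.startswith("/") and not path.startswith("/memfd:") and path.endswith("(deleted)"):
            stale.add(path[: -len("(deleted)")].rstrip())
    return stale


def kernel_needs_reboot(running: str, installed: List[str]) -> bool:
    """True if an installed kernel is newer than the running one (simplified
    ordering over the numeric fields of releases like 5.15.0-94-generic)."""
    def key(release: str):
        return tuple(int(f) if f.isdigit() else 0 for f in re.split(r"[.\-]", release))
    return any(key(r) > key(running) for r in installed)


def scan_live_system(proc_root: str = "/proc") -> Dict[int, Set[str]]:
    """pid -> stale executable mappings for every readable process (root sees all)."""
    report: Dict[int, Set[str]] = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "maps")) as fh:
                    stale = stale_libraries(fh.read())
            except OSError:
                continue  # process exited or is not readable by this user
            if stale:
                report[int(entry)] = stale
    return report


# Constructed excerpt: libssl was replaced by a package update, but this
# process still maps the old inode, so it still executes the unpatched code.
SAMPLE_MAPS = """\
7f2b4c000000-7f2b4c021000 rw-p 00000000 00:00 0
7f2b4c200000-7f2b4c280000 r-xp 00000000 fd:01 1311000 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f2b4c280000-7f2b4c2a0000 r--p 00080000 fd:01 1311000 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f2b4c500000-7f2b4c501000 r-xp 00000000 00:05 42 /memfd:jit-cache (deleted)
"""

if __name__ == "__main__":
    print("sample:", sorted(stale_libraries(SAMPLE_MAPS)))
    print("live host:", scan_live_system())
```

Run as root on a Linux host to list every process that would still be executing pre-update code until it is restarted or live-patched.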
CF: How widespread is awareness of live patching?
JJ: Industries and organizations that run larger mission-critical systems environments on Linux have become more aware of live patching recently due to their need to patch serious vulnerabilities more rapidly and frequently. However, data from an independent study we sponsored with the Ponemon Institute last year shows that the IT community as a whole is still largely unaware of the availability of live patching services, what it can do for them, and how easy it is to adopt.
CF: Is live patching available for all software vulnerabilities?
JJ: Live patching can fix any software vulnerability, but the technology and patches have been reserved for only those components that require restarts or reboots to actually apply the patches.
CF: What are the advantages of live patching over conventional patching?
JJ: There are three main advantages of using live patching over conventional. Most importantly, it eliminates the need to wait for maintenance windows in which systems can be rebooted or services, DBs, etc., restarted in order to apply patches. We have seen recent data from a study by Rapid7 that indicates the new norm is that active exploits are being deployed in a week or less after (vulnerabilities) are published. We refer to the time frame between a high/critical (vulnerability) being published and exploits for it appearing, and the time when it is patched, as the high-risk window. The longer that high-risk window is, the higher the chances that an organization will fall victim to exploitation of an unpatched (vulnerability) resulting in a data breach, ransomware attack or both.
Secondly, reboots and restarts themselves can be risky, and are obviously disruptive to an organization’s business and operations. In larger organizations, rolling restarts are typically required, and business services are either reduced or completely unavailable during that process.
Lastly, reboots and restarts must be carefully planned and executed during maintenance windows, which requires a great deal of time and labor. We have heard from many organizations that had dedicated teams that were constantly doing nothing but planning and executing reboot cycles before they moved to live patching. The labor cost savings can be substantial, and/or resources can be reallocated to tasks that are more strategic to the business.
CF: How can live patching help MSSPs better serve and protect themselves and their customers?
JJ: Mostly it’s about minimizing that risk window we previously discussed. Unpatched vulnerabilities are a ticking time bomb in these days of rapidly deployed exploits and sophisticated cyber crime businesses. Live patching and automation allow MSSPs to remediate vulnerabilities as soon as the patches are available versus waiting for a maintenance window, which could be weeks or months away.
CF: Will switching to live patching give MSSPs a competitive advantage? If so, how?
JJ: Yes, we believe it can help MSSPs gain competitive advantage in two ways. First, they can differentiate their services based on the improved service level objectives (SLOs) they can achieve related to much faster remediation of vulnerabilities using live patching services. Second, they can redeploy resources currently consumed with planning and managing system reboot cycles to more value-added services for their customers.
CF: Are there any drawbacks/challenges associated with live patching? If so, what are those?
JJ: The main challenges we see are with new customers adapting their old processes to fit the new live patching process, and learning to adopt and trust the technology and automation. However, our experience has been that once they are over that learning and trust curve, many of the largest and best known organizations in the world have safely reaped the benefits of significant increases in security and compliance, as well as cost and risk reductions.
In other cybersecurity news …
The Cybersecurity and Infrastructure Security Agency (CISA) has initiated pre-ransomware notifications to help organizations stop ransomware attacks before damage can occur.
The initiative is coordinated as part of CISA’s interagency Joint Ransomware Task Force. These early warnings can enable victims to safely evict the ransomware actors from their networks before the actors have a chance to encrypt and hold critical data and systems at ransom.
Clayton Romans is associate director of the Joint Cyber Defense Collaborative (JCDC), a public-private cyber defense partnership within CISA.
“First, our JCDC gets tips from the cybersecurity research community, infrastructure providers and cyber threat intelligence companies about potential early-stage ransomware activity,” he said. “Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance. Where a tip relates to a company outside of the United States, we work with our international computer emergency readiness team (CERT) partners to enable a timely notification. Although we’re in the early days, we’re already seeing material results. Since the start of 2023, we’ve notified over 60 entities across the energy, health care, water/wastewater, education and other sectors about potential pre-ransomware intrusions. And we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.”
In cases where ransomware actors have already encrypted a network, and are holding data and systems for ransom, JCDC works closely with the victim organizations to provide threat actor tactics, techniques, and procedures (TTPs), as well as guidance to help reduce the impact of an attack, Romans said.
“For example, we have provided information to help identify the data that may have been exfiltrated from an affected entity’s network, as well as details of the intrusion to support investigative and remediation efforts,” he said. “JCDC also works with the cybersecurity research community and others to develop cybersecurity advisories on ransomware actors and variants to enable improved network defense at scale as part of our ongoing Stop Ransomware campaign.”
Craig Jones is vice president of security operations at Ontinue. He said this is a great initiative, coordinating multiple disparate agencies in the fight against ransomware.
“The relationship that CISA has with the industry is a poster model for public/private organizational supportive relationships,” he said. “Advisories will help some organizations become better prepared. However, the organizations that read advisories are already on a path to better ransomware protection. This doesn’t address the organizations that haven’t invested in security tooling or expertise.”
CISA needs to appeal directly to business leaders to shift the boardroom focus on the credible threat that is ransomware to any size of organization, Jones said.
“The pre-ransomware initiative is similar to the National Cyber Security Center (NCSC) United Kingdom early warning system (EWS), which has been well received in the United Kingdom,” he said. “It’s great to see a similar initiative available to the United States. EWS sends millions of alerts to over 7,500 businesses in the United Kingdom that have signed up.”
Matthew Marsden is Tanium’s vice president. He said information sharing is critical to accelerating the fight against cyberattacks.
“CISA, through Stop Ransomware, is leveraging the expertise and authorities in the JCDC to more quickly deliver critical guidance to combat ransomware, where every minute counts,” he said. “Identifying and closing known vulnerabilities, quickly searching for indicators of compromise (IoCs), and remediating affected machines is a race against time for impacted organizations. CISA is leading the way in aggregating a high volume of threat data and distilling it into easily consumable bulletins to allow security professionals to protect against these costly events.”
The work being done by CISA will prompt a measurable reduction in ransomware events, Marsden said.
“By educating and enabling the public to keep their shields up, it forces bad actors to work harder and slows the rate of successful attacks,” he said.
Oak Ridge, Tennessee, has suffered a ransomware attack affecting its technology systems.
The city posted the following message on its website:
“The City of Oak Ridge is experiencing network issues following a malware attack and we are working diligently to gather information and identify the impact on our technology systems. The city and its information systems department are working with law enforcement to investigate, as well as technical specialists experienced in cyber recovery services, to restore services as quickly as possible.”
John Stevenson is Skybox Security’s senior product marketing manager.
“The series of ransomware attacks against state institutions this year alone indicates that attackers see these organizations as potentially lucrative targets, not least because they manage and process large amounts of high-value personally identifiable information (PII) that the attackers can exfiltrate as part of an attack and use later to target citizens,” he said. “This most recent attack emphasizes the need for all organizations to revamp their network security and utilize proactive vulnerability management.”
Prioritizing network accessibility, exposure, exploitability and commercial impact is crucial when determining the seriousness of vulnerabilities, Stevenson said.
“To protect businesses and critical state systems, it is necessary to define the attack surface,” he said. “Risk measurement can take many different forms, such as using tools to calculate the financial impact of cyber risks on companies, or using a quantification strategy to help businesses identify and rank risks based on their financial implications. Developing exposure-based risk scores can significantly increase the maturity of vulnerability management programs and ensure quick recovery by helping to prioritize the urgency of vulnerability correction.”
Daniel Selig is security automation architect at Swimlane.
“Unfortunately, this is not the first ransomware attack the state has experienced lately,” he said. “Just two weeks ago, Tennessee State University was the victim of a similar attack that completely brought down IT systems. Amidst this series of attacks, it is important to note that as one of a select few states, Tennessee has formalized requirements that state agencies provide information about cyberattacks and ransomware outbreaks. Oak Ridge is the 18th local government to be a target of ransomware in the United States since January.”
Because of the quantity of sensitive information held in its systems and the need to maintain operations, local government is a popular target for hackers, Selig said.
“Bad actors typically believe that they will be more willing to spend higher sums of money to regain control of this information as a result,” he said. “Fortunately, there are actions that the government can take to prevent things from getting to this stage. Organizations should consider low-code security automation solutions in order to leverage streamlined detection and implement proper incident response, ultimately ensuring first-rate protection free of human error. With these solutions, government organizations can create a unified protection plan that guarantees total protection of even the most sensitive data.”
A new Guidepoint Security report shows a 51.5% increase in posted ransomware victims compared to January, and a 15.8% increase compared to February last year.
The increase in activity is almost entirely attributable to ransomware-as-a-service (RaaS) Lockbit’s posting rate, which saw a 158% increase from 50 posts in January to 129 in February. This suggests Lockbit may have expanded its network of affiliates, or this may be the result of a large series of campaigns from the group and its affiliates. Another RaaS group, AlphV, also significantly increased its reported monthly victim count from 20 to 31. Meanwhile, Vice Society’s monthly victim count dropped from 22 to two victims, showing that not all ransomware groups are increasing their operational pace.
The data also revealed some shifts in the industries targeted by ransomware groups. The food and beverage industry saw a significant increase from four victims in January to 17 in February, possibly due to its high dependence on operational continuity and customer service.
The banking and finance industry also saw an increase from nine to 19 victims, reflecting its attractiveness for cybercriminals seeking monetary gain. The engineering industry increased from one to eight victims, indicating that ransomware groups may be targeting sectors with valuable intellectual property and sensitive data.
Sorted by threat actor targeting, February’s top countries were the United States, the United Kingdom, France, Italy, Germany, Brazil, Canada, Australia, Hong Kong and India. These are largely the same as they were in January, with only two countries being swapped out entirely. Portugal and Belgium in January were switched with Hong Kong and Brazil in February.
Drew Schmitt is a ransomware negotiator and principal threat analyst at GuidePoint Security.
“In our experience, this increase aligns with annual trends that we have been tracking over the last couple of years,” he said. “In many cases, ransomware groups tend to have some slowdown in activity at the end of Q4 into Q1. As Q1 progresses, we see a lot of ransomware groups ramping their operations and focusing on larger-scale operations.”
Lockbit’s success and dominance appear to be largely driven by its affiliate rules, specifically a thorough affiliate vetting process and explicit rules against targeting sensitive industry verticals and critical infrastructure, Schmitt said.
“They seem to stay just below the threshold for immediate and direct action from law enforcement operations,” he said. “Lockbit also has robust technological capabilities, in addition to a well-established overall business workflow, which increases efficiency and impact of their operations. Lastly, Lockbit also has a very strong brand/image in the ransomware community, which is attractive to affiliates looking to participate in a highly vetted ransomware operation.”
Historically, Q1 and Q4 are the most high-volume parts of the year and 2023 has been no exception, Schmitt said.
“With recent activity from Clop using a GoAnywhere zero-day vulnerability to exfiltrate data from over 130 victims, and a large increase in groups using more aggressive tactics to push victims to pay ransomware, it appears that 2023 is shaping up to be an intense year for ransomware,” he said.
Mike Halstead, cybersecurity sector lead for Launch Consulting Group, a division of the Planet Group, says it’s important for enterprises and leaders to “get back to basics” in order to protect their assets, community and bottom line.
Halstead’s suggestions include:
Education for C-Suite executives: “While it’s pivotal to engage your workforce on proactive measures to avoid phishing and other common scams, C-Suite executives need to be involved in the process as well,” he said. “Top executives are key targets with cybercriminals continuing to evolve and are finding new techniques to gain entry. C-Suite executives need to remain diligent and keep their digital footprint to a minimum and take additional cyber awareness training.”
Zero trust mentality: “A multi-step login process goes a long way with asset protection,” Halstead said. “For example, if a password is compromised, this doesn’t necessarily mean networks will be breached by cybercriminals. By requiring multiple factors for authentication, MFA adds an extra layer of security to protect businesses, employees and their data from potential hackers.”
Understanding bad actors: “A company’s security system should be constantly updated and tested to ensure safeguards are not only in place, but are of maximum efficiency,” he said. “Staying up to date on the latest security breaches as a way to update security systems proactively versus reactively.”
Hygiene: “Cybersecurity is 80% good hygiene,” Halstead said. “The rest is extra credit. However, you are never going to be able to address the more sophisticated risks if you haven’t addressed basic cyber hygiene.”
Live patching presents opportunities for MSSPs to better protect their customers and generate more revenue.
That’s according to Jim Jackson, president and CRO of TuxCare. Through its automated live security patching solutions and long-term support services for Linux and open source software, TuxCare allows thousands of organizations to remediate vulnerabilities for increased security and compliance.
Live patching can now enable MSSPs to automatically apply the latest patches for their customers without needing to reboot systems. That helps SMBs stay on top of NIST 800-53 security and privacy requirements with less effort or impact.
This week, TuxCare announced it received top honors in this year’s Cybersecurity Excellence Awards. The company’s KernelCare Enterprise solution took home the award program’s gold award in the security automation category.
“The KernelCare Enterprise live-patching service answers countless organizations’ long-standing problems surrounding the dependence on scheduled maintenance windows,” Jackson said. “Not only does this highly cost-effective service bring new levels of efficiency, but it arms organizations with never-before-available peace of mind, since it largely removes any delays between a discovered vulnerability and its patch implementation.”
In January, TuxCare launched its OEM Partner Program to give OEM partners its KernelCare Enterprise and LibCare solutions. OEMs can add automated vulnerability patching for Linux kernels and shared libraries into their own product lines.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.