DejaBlue has come and not gone…old, outdated “zombie” Windows systems are still prevalent in 62% of OT networks. These systems lumber along, refusing to die. Some of these systems no longer receive patches from Microsoft because they have reached end of life or end of support. Others have patches available to them but the patches are not applied because the infrastructure they control is considered “too critical” to schedule any down time at all.
When we wrote our 2nd Global IoT/ICS Risk Report in Oct of 2018, we said “if you don’t schedule at least some downtime to upgrade your systems, your downtime will be scheduled for you”….the statement was meant to be both ominous and somewhat playful, a reflection of the reality that the vulnerabilities that existed in Windows XP, Windows 7, etc, exposed ICS networks to attack, and that as long as the vulnerabilities went unpatched, the network and security administrators ran the risk of being attacked and suffering loss of production, profit, or even people.
In Oct of this year we ran our 3rd Global IoT/ICS Risk Report and we found that our advice had not been heeded. Not to say we weren’t surprised. We understand the risk and institutional thinking and resulting resistance to upgrading Windows systems in networks that run critical infrastructure is difficult if not impossible to overcome. In the case of Pharma, upgrading just one Windows box could force re-certification by the FDA for a drug a time-consuming and costly process, and thus essentially a non-starter. In other industries, downtime in production systems is equated with profit loss, and plant managers are measured by output and profit and are thus loathe to intentionally stop production.
So what to do? Network admins and security managers are between a rock and a hard place. In my conversations with Security Managers and even CISOs, I hear them say things like “I don’t even want to know what vulnerabilities exist in my ICS networks — I have a hard enough time keeping up with the patching and other work involved in keeping my IT networks secure. I don’t have nearly enough time/budget/people to help me mitigate risk in ICS (or OT) networks.
CyberX exists to help network security admins, security directors, and CISOs such as these. If and when you can’t manage to patch your ICS systems, if you are one of the 62% of companies that have outdated Windows systems in your environment — or you are one of the countless companies who simply don’t have visibility into whether your environment houses an outdated system or not– you can take advantage of the asset inventory and continuous network security monitoring in CyberX to mitigate your risk.
We update our Threat Intelligence packages to deal with the latest threats and vulnerabilities, and we even discover behavior that is associated with vulnerabilities *before* they are reported (zero day threats). Because we have a patent in discovering anomalous behavior in networks connecting machines (behavioral anomaly detection in M2M communications) we are able to discover and alert our customers when traffic that is caused by operational deficiencies or threat actors traverses the network.
DejaBlue is no different — when it was discovered, we issued a Threat Intelligence package for CyberX that helps companies who have not (or cannot) update their Windows systems. We actually already alerted on the types of behavior that are indicative of a threat actor taking advantage of the BlueKeep and Dejablue vulnerabilities– this particular update simply put proverbial name and face together. In other words this Threat Intelligence package is an updated means of detecting whether or not threat actors are attempting to exploit the DejaBlue vulnerability.
If you are an existing customer you can download DejaBlue Threat Intelligence package here.
If you are interested in trying. buying, or seeing a demo of CyberX capabilities, you can contact us here.