With the publication of CVE-2024-1709 and CVE-2024-1708 still so fresh, defenders should not enable the enemy.
By MacKenzie Brown
As a former incident responder at Microsoft DART, I’m accustomed to working with large organizations flush with money for an IR retainer and cyber insurance. Now in the Managed Service Provider (MSP) world, I’m acutely aware of the impact events like this week’s ConnectWise vulnerabilities have on the businesses we serve.
These are not organizations with screw-up money to spend on recovering reputational damage. It’s not a question of a CEO or CISO taking a golden parachute and riding off into the sunset. The businesses we serve are SMBs whose entire livelihoods are at risk.
This is why I have been so concerned about seeing security companies rush to publish Proof-of-Concepts (PoCs) in the first 24 hours after the ScreenConnect disclosures were made public. As defenders, our first priority and responsibility should be protecting our customers and their clients.
At Blackpoint, when we heard the news, we immediately developed a PoC for internal use, because it’s an important part of identifying and assessing the risk so we can mitigate it appropriately. Our concern was focusing on the detection mechanisms necessary to identify the lateral movement afterward. That PoC wasn’t particularly interesting—in fact, it was terrifyingly trivial. That meant we needed to shift immediately to understanding and tracking potential post-exploitation activity and protecting accordingly.
For us, that meant proactively and aggressively isolating endpoints and notifying our partners. As trivial as this vulnerability is to exploit, we took this action because it’s much easier to un-isolate a system than it is to triage a ransomware attack and look for lateral movement after the fact. We simply had to take the best action to protect our customers until they can patch.
As security practitioners, we must be sensitive to the fact that not everyone is in a position to patch immediately. There are very large MSPs who, simply due to the size of their customer base, are having issues rolling out the patch. There are those who are several versions behind and are struggling to get up to date. From a global perspective, there are other areas of the world that haven’t even digested the news, recommendations, or advisories yet.
Even among MSPs in our own part of the world, there are plenty who are just focusing on the daily activities of running a business. How do we reach those who are not necessarily seeing the chatter on LinkedIn or listening to Andrew Morgan’s CyberCall? They are not up to speed yet.
Our job in the security industry is to defend. It’s concerning to see some in the industry prioritize making a name for themselves over that responsibility. Threat actors are moving faster than ever—our Security Operations Center (SOC) has now noted that we are already seeing active exploitation of ScreenConnect in the wild. While we don’t yet know if a security company’s PoC had a part in that, one thing is certain: The cat is out of the bag.
Let me be clear that my intention is not to point fingers at vendors. No technology is perfect, and regardless of the vulnerability or exploit, we are here to support the response. As defenders, however, we must take care not to enable our adversaries in that response.
Let’s hope that going forward, we can agree as a community to put security first and prioritize the interests and livelihoods of those we are supposed to be protecting.
Written By:
MacKenzie Brown
VP of Security
MacKenzie Brown oversees Blackpoint’s internal security strategy while helping enable and drive our product ecosystem and broader security vision among partners and the community. Her background in incident response includes supporting global customers and navigating advanced adversary investigations as an incident manager at Microsoft. An advisory board member for the Idaho Women in Technology organization, she strives to bring transformation to the industry for a better tomorrow.