
    What you'll read:

    • What CISA’s Emergency Directive 24-01 is and what it means to you
    • 5 steps you can take to protect your agency against the vulnerabilities found in Ivanti solutions and other software assets
    • How to make asset, identity, and vulnerability management automated and comprehensive


    On January 31, 2024, CISA issued Emergency Directive 24-01 (ED 24-01), calling for all agencies running Ivanti Connect Secure and Ivanti Policy Secure to disconnect those solutions immediately. Agencies are also required to continue threat hunting on any systems connected to or recently connected to the affected Ivanti products. The devices contain known vulnerabilities that allow threat actors to “capture credentials and drop webshells that enable further compromise of enterprise networks.” 

    Additionally, ED 24-01 requires agencies to:

    • Monitor the authentication or identity management services that could be exposed
    • Isolate the systems from any enterprise resources to the greatest extent possible
    • Continue to audit privilege level access accounts

    Here are five practical steps you can take to meet all of these requirements while uncovering other possible vulnerabilities in your application environment.

    Step 1: Compile a comprehensive asset inventory

    Effectively responding to the Ivanti threat requires you to have a clear understanding of all assets that comprise your technology estate. That can be difficult, especially if you have hundreds of thousands of assets in your network. 

    Start by compiling a comprehensive asset inventory to identify systems that are connected to Ivanti solutions. Don’t do this manually, though. Instead, automate asset discovery and continuously monitor when new assets are added or removed from your network.

    Step 2: Use an asset map to view interdependencies

    Next, investigate how assets are related and where data flows between them. Mapping assets and their connections visually depicts the relationships between your assets and helps you understand their topology. The Axonius interactive asset graph quickly shows you where the Ivanti instances exist within your organization and which other assets they are connected to. This will help you identify which assets you need to monitor closely.

    The asset graph is a powerful solution for illuminating potential threats wherever they may be. Instead of searching in the dark with a flashlight, you’ll be able to shine a bright light on everything you have in your network, all at once.

    Step 3: Automatically isolate impacted assets

    Once the assets connected to the Ivanti software have been identified, they must be isolated immediately. You can do this through the Axonius Enforcement Center, which has an automated flow to send the isolation command to your existing security tools.

    However, doing this manually and asset by asset could take precious time and increase the risk that your agency is adversely affected. It is better to automate the process and send isolation commands for every asset impacted by the Ivanti software to all of your tools simultaneously, rather than isolating assets one at a time. The Axonius Platform integrates directly with many of the tools in your ecosystem, allowing you to isolate affected assets collectively, automatically, and quickly. Isolation can be lifted once it is deemed safe to do so.

    Step 4: Create a dashboard to monitor all administrative accounts

    Just like asset management, monitoring privileged access can be tricky, especially in expansive IT environments with a lot of applications and hundreds if not thousands of users. Many organizations lack a centralized view and inventory of every user, and keeping up with access rights and passwords can be a monumental task.

    Yet creating a known user inventory is just as important as creating a device inventory. You need to be able to track and monitor users just as much as you would any other asset. Once you have developed a known user inventory, it’s easy to create dashboards to monitor the inventory and alert administrators when someone has been added, and who that user is. 

    This can make identity access management far more manageable and effective. Not only can you monitor who has access to which applications, but you can also see how many administrators can access an asset and be alerted when that number changes. This approach gives you both total control over user access and an easy way to manage access rights.

    Step 5: Look beyond the Ivanti vulnerabilities

    The Ivanti vulnerabilities are known, actively exploited flaws that must be dealt with expeditiously per the required actions outlined in ED 24-01. But as you follow these actions, you can go several steps beyond the Ivanti problem and uncover other known vulnerabilities, which can then be addressed before they are exploited.

    As you commence your search for the Ivanti products and their integrations, consider expanding your efforts to your entire application stack. Perform a comprehensive vulnerability scan across all of your assets, both known and unknown, to discover vulnerabilities and their severity levels. 

    With Axonius’s Vulnerability Management Module, you can go even further. For instance, you’ll be able to tell how many assets have not been scanned (or have not been recently scanned) for newly identified vulnerabilities. You’ll also be able to correlate software version numbers against the known vulnerabilities list to see if there are vulnerabilities that could be impacting your assets. 
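    The following is an added illustration of Steps 1, 2, and 4 of this procedure in plain Python; it is not Axonius code, and the asset inventory, graph links, and administrator snapshots are constructed sample data. It identifies the inventory entries running the two products named in ED 24-01, walks the asset graph to find every system connected to them (the set the directive says to isolate and keep threat hunting on), and diffs two privileged-account snapshots so an alert can fire when the number of administrators on an asset changes.

```python
from collections import deque

# Constructed sample inventory (not real agency data): the software each
# asset runs and the assets it exchanges data with (its graph links).
ASSETS = {
    "vpn-gw-01": {"software": "Ivanti Connect Secure", "links": ["radius-01", "ad-dc-01"]},
    "nac-01":    {"software": "Ivanti Policy Secure",  "links": ["ad-dc-01"]},
    "radius-01": {"software": "FreeRADIUS",            "links": ["ad-dc-01"]},
    "ad-dc-01":  {"software": "Windows Server",        "links": []},
    "web-01":    {"software": "nginx",                 "links": ["db-01"]},
    "db-01":     {"software": "PostgreSQL",            "links": []},
}
ED_24_01_PRODUCTS = {"Ivanti Connect Secure", "Ivanti Policy Secure"}
# Constructed privileged-account snapshots: asset -> administrator usernames.
ADMINS_YESTERDAY = {"vpn-gw-01": ["alice", "bob"]}
ADMINS_TODAY = {"vpn-gw-01": ["alice", "bob", "mallory"], "nac-01": ["carol"]}

def find_directive_assets(assets):
    """Step 1: inventory entries running a product named in ED 24-01."""
    return sorted(n for n, a in assets.items() if a["software"] in ED_24_01_PRODUCTS)

def connected_assets(assets, seeds):
    """Step 2: breadth-first walk of the asset graph (links treated as bidirectional)
    from the Ivanti instances; the result is what to isolate and threat hunt on."""
    adj = {n: set(a["links"]) for n, a in assets.items()}
    for n, a in assets.items():
        for m in a["links"]:
            adj.setdefault(m, set()).add(n)
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for m in adj.get(queue.popleft(), set()) - seen:
            seen.add(m)
            queue.append(m)
    return sorted(seen - set(seeds))

def admin_count_alerts(previous, current):
    """Step 4: diff two privileged-account snapshots; one tuple per asset whose
    administrator set changed: (asset, count_before, count_after, added, removed)."""
    alerts = []
    for asset in sorted(set(previous) | set(current)):
        before, after = set(previous.get(asset, ())), set(current.get(asset, ()))
        if before != after:
            alerts.append((asset, len(before), len(after),
                           sorted(after - before), sorted(before - after)))
    return alerts

if __name__ == "__main__":
    ivanti = find_directive_assets(ASSETS)
    print(ivanti, connected_assets(ASSETS, ivanti), admin_count_alerts(ADMINS_YESTERDAY, ADMINS_TODAY))
```

    In a real deployment the three inputs would come from your asset, network, and identity sources rather than literals, and the alert tuples would feed a dashboard or ticketing flow.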

    Since the issuance of ED 24-01, Ivanti has disclosed a new critical vulnerability in Ivanti Connect Secure and another solution, Ivanti Pulse Secure. Axonius will continue to monitor the evolving Ivanti situation and keep our customers apprised of any changes or updates to CISA’s requirements. In the meantime, take these steps to proactively shore up your defenses and protect your agency against both current and future vulnerabilities.
