The $100M Lesson: The Louvre Forgot About Security
November 12, 2025
4 minute read
The Heist: The Windows You Forgot to Lock
In recent headlines, the Louvre, a historic museum that holds over $25 billion in historic artifacts, art, and jewels, experienced a heist in which the thieves made off with over $100 million in goods. The museum does have cameras and locks in place to prevent theft. Regardless, the thieves were able to scale the building with a ladder and then cut through a window with power tools to enter. The guards did appear but retreated after the thieves threatened them with superior firepower.
One final detail: after the investigation, it was discovered that the password for the surveillance system was “Louvre.” Fortunately, it appears this was not exploited to carry out the successful heist.
Don’t Set It and Forget It
You have deployed an EDR onto your endpoints, an absolutely critical piece of endpoint security. You’ve closed a pivotal door that adversaries depend on to take control of your hosts and servers. Your EDR is similar to the camera and lock system at the Louvre. Every day these cameras and locks prevent thefts from happening at the museum; they work without fail and at scale, 24/7. Your EDR has been designed to stay aware of the latest threats, but the thieves keep innovating their tactics.
The security team at the Louvre put the same trust in their surveillance system until the thieves found a window they hadn’t considered. The password wasn’t exploited, but it was still pure negligence by the team. What if I told you each one of your hosts had something just as obvious to exploit?
Never Trust, Always Verify
When dealing with adversaries who can choose to avoid where your EDR is looking, what options remain? What if we looked at device hardening through a Zero Trust lens, applying it to the endpoint to reduce the attack surface?
A core Zero Trust concept emphasizes least privilege. Least privilege means that your marketing team shouldn’t have permission to access the finance application and should only have access to applications specific to their roles.
If we apply this concept to user laptops, why is it so common that every device is shipped with full PowerShell access? PowerShell access on your device is equivalent to the security team’s password at the Louvre being “Louvre.”
Consider an organization with 1,000 employees. Maybe only 50 developers rely on PowerShell daily. Since PowerShell can operate in an EDR’s blind spots and be used as the “keys to the castle,” security should have a strong understanding of every device allowed to run it with admin privileges.
How does your security team consistently ensure visibility into who has these permissions, turn them off, and keep them off?
Your Largest Attack Surface Is Already Installed
Just as you wouldn’t want certain ports open on your firewall, there are controls and tools inherently active on every endpoint that shouldn’t be installed or enabled. Large enterprises may have the resources to map these unneeded services to a hardening framework and eliminate them through static Active Directory Group Policy, but many small and mid-size organizations lack those resources.
Attackers are using legitimate tools installed on endpoint fleets to take control of hosts. What existing tools are present in your fleet that your users aren’t using, but a known adversary has exploited or would love to exploit in your environment?
Here’s a small sample of tools most certainly already installed:
- WinRAR for data staging
- Rclone for data exfiltration
- Cloudflare for tunneling
- AnyDesk for persistence
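The visibility question above (who can run PowerShell with admin rights, and which of these tools are sitting on a host) can be answered per endpoint with a short audit. The script below is an added example, not Batuta’s or the post’s own code; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11, and the golden-image baseline values at the end are constructed for illustration.

```powershell
# Added example: audit one Windows endpoint for drift from a PowerShell
# least-privilege baseline and for the tools named in the post.
# Assumes an elevated session on Windows 10/11 with PowerShell 5.1+.
$report = [ordered]@{}

# 1. Local admins: every member here can run PowerShell with full privileges.
$report.LocalAdmins = (Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name) -join ', '

# 2. PowerShell 2.0 engine: legacy engine without modern logging; should be off.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2' -ErrorAction SilentlyContinue
$report.PowerShellV2Enabled = [bool]($v2 -and $v2.State -eq 'Enabled')

# 3. Language mode of this session and the machine-wide execution policy.
$report.LanguageMode  = $ExecutionContext.SessionState.LanguageMode.ToString()
$report.MachinePolicy = (Get-ExecutionPolicy -Scope MachinePolicy).ToString()

# 4. Script block logging (Event ID 4104) is what gives EDR/SIEM a view of PowerShell use.
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
$report.ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)

# 5. Tools from the post: look in the Uninstall registry keys and on PATH.
$watch = 'WinRAR', 'Rclone', 'cloudflared', 'AnyDesk'
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object -ExpandProperty DisplayName
$byName = $installed | Where-Object { $n = $_; $watch | Where-Object { $n -like "*$_*" } }
$onPath = $watch | Where-Object { Get-Command $_ -ErrorAction SilentlyContinue }
$report.WatchedToolsFound = ((@($byName) + @($onPath)) | Sort-Object -Unique) -join ', '

# 6. Golden-image baseline (constructed sample values) and a drift list.
$baseline = @{ PowerShellV2Enabled = $false; LanguageMode = 'ConstrainedLanguage'
               ScriptBlockLogging  = $true;  WatchedToolsFound = '' }
$drift = foreach ($k in $baseline.Keys) {
    if ("$($report.$k)" -ne "$($baseline[$k])") {
        "${k}: expected '$($baseline[$k])', found '$($report.$k)'"
    }
}
[pscustomobject]$report | Format-List
if ($drift) { 'DRIFT DETECTED:'; $drift } else { 'No drift from baseline.' }
```

Run it from your fleet-management tooling on a schedule so the drift list is collected centrally rather than read on one screen.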
Drifting From Your Golden Image
If the security team at the Louvre had maintained a regular cadence of security scans, they may have discovered the weak password and caught the thieves before they came through the window.
With Batuta, you’ll have live visibility into your fleet so you can quickly detect drift from your security-minded golden image. The golden image represents your vision for the exact tools each user should or shouldn’t have in their fleet, along with ensuring critical security controls are properly configured on all the right devices.
A macro view of all assets, servers, and VMs allows CISOs to detect compromise much sooner in the kill chain. Limiting exposed services and features, paired with real-time visibility, allows for comprehensive fleet management. Additionally, Batuta can simplify the deployment of your EDR and ensure it is deployed consistently and not bypassed. This approach provides strong defense in depth so you don’t leave your door or window slightly open.