This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants.
As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving as partial stage1’s. Of these samples, there was one specific sample that stood out to me. A Gh0stRAT variant, this sample not only changed the Gh0stRAT header from “Gh0st” to “nbLGX”, it also hid its traffic with an encryption algorithm over the entire TCP segment, in addition to the standard Zlib compression on the Gh0stRAT data. Some key functionality is below:
Can download more malware.
Cleans event logs.
[Screenshot 1] Encrypted Login Packet sent by Gh0stRAT infected PC
In addition to a standard malware analysis blog post, I’d also like to take this time to document and describe my methods for analysis, in the hopes that you as a reader will use these techniques in the future.
Before we begin the analyses, I’d like to clarify some of the terms used.
Stage1 - Typically the first contact or entry point for malware. This is the first part of the malware to arrive on a system.
SMB Malware - Any malware that uses the SMB protocol to spread. SMB is typically used for file sharing between computers and printers; however, in recent years malware authors have been able to leverage this protocol to remotely infect hosts.
RAT - Remote Access Trojan. This type of malware allows for the complete control of an infected computer.
Gh0stRAT - An open source RAT used primarily by Chinese actors. A more detailed analysis of the standard Gh0stRAT can be found here.
Despite being a Gh0stRAT sample, this variant is very different from your standard Gh0stRAT sample. One of the most noticeable differences is the use of encryption over the entire TCP segment, as a way for it to evade detection. Additionally, this seems to be a lightweight version of Gh0stRAT, as it only has 12 commands, compared to the 73 for a full Gh0stRAT sample; 3 of those commands are undocumented. Also, unlike most samples that I receive on my honeypot, this sample did not start as a DLL that communicates with a distribution server in order to download the stage1. Instead, what was dropped on my honeypot was a full exe that served as the dropper.
From my analyses, I was able to identify http://mdzz2019.noip[.]cn:19931 as its main C2 URL. This is a dynamic DNS hostname, meaning the actual IP changes quite frequently. Additionally, on that same host, http://mdzz2019.noip[.]cn:3654/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell.
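To make the framing concrete, here is an added example (my own code, not from the sample or the original post) that parses the stock Gh0stRAT frame layout and accepts both the normal “Gh0st” flag and this variant’s “nbLGX” flag. It assumes the variant’s outer TCP-segment encryption has already been removed (the algorithm is not described above), and it uses the standard Gh0st header: a 5-byte flag, a little-endian total length that includes the 13-byte header, a little-endian original (uncompressed) length, and a zlib-compressed body. The sample stream is constructed for the example.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stock Gh0stRAT framing: 5-byte flag, then two little-endian DWORDs
# (total frame length including this 13-byte header, and the length of the
# data before zlib compression), followed by the zlib-compressed body.
HEADER = struct.Struct("<5sII")

# Flags to accept: the stock "Gh0st" and the "nbLGX" value this variant uses.
KNOWN_FLAGS = {
    b"Gh0st": "Gh0stRAT (stock flag)",
    b"nbLGX": "Gh0stRAT variant (nbLGX flag)",
}


class FramingError(ValueError):
    """Raised when bytes do not form a well-formed Gh0stRAT frame."""


@dataclass
class Gh0stFrame:
    flag: bytes
    family: str
    total_len: int
    original_len: int
    payload: bytes  # decompressed inner data


def build_frame(flag: bytes, payload: bytes) -> bytes:
    """Build one frame the way the stock client does; used here only to
    construct sample input for the parser (constructed data, not a capture)."""
    body = zlib.compress(payload)
    return HEADER.pack(flag, HEADER.size + len(body), len(payload)) + body


def parse_frame(buf: bytes) -> Gh0stFrame:
    """Parse exactly one frame; buf must contain the whole frame and nothing else."""
    if len(buf) < HEADER.size:
        raise FramingError("buffer shorter than the 13-byte header")
    flag, total_len, original_len = HEADER.unpack_from(buf)
    if flag not in KNOWN_FLAGS:
        raise FramingError(f"unknown flag {flag!r}")
    if total_len != len(buf):
        raise FramingError(f"total_len {total_len} != buffer length {len(buf)}")
    try:
        payload = zlib.decompress(buf[HEADER.size:])
    except zlib.error as exc:
        raise FramingError("body is not valid zlib data") from exc
    if len(payload) != original_len:
        raise FramingError(f"original_len {original_len} != decompressed {len(payload)}")
    return Gh0stFrame(flag, KNOWN_FLAGS[flag], total_len, original_len, payload)


def parse_stream(data: bytes) -> Tuple[List[Gh0stFrame], bytes]:
    """Split a reassembled TCP stream into frames. Returns the frames found and
    any trailing bytes that do not yet form a complete frame (to be retried
    once more of the stream arrives)."""
    frames: List[Gh0stFrame] = []
    pos = 0
    while len(data) - pos >= HEADER.size:
        flag, total_len, _ = HEADER.unpack_from(data, pos)
        if flag not in KNOWN_FLAGS:
            raise FramingError(f"unknown flag {flag!r} at offset {pos}")
        if total_len < HEADER.size:
            raise FramingError(f"impossible total_len {total_len} at offset {pos}")
        if pos + total_len > len(data):
            break  # partial frame: wait for more stream data
        frames.append(parse_frame(data[pos:pos + total_len]))
        pos += total_len
    return frames, data[pos:]


def looks_like_gh0st(data: bytes) -> Optional[str]:
    """Quick triage: return the family name if the stream starts with a known flag."""
    for flag, family in KNOWN_FLAGS.items():
        if data.startswith(flag):
            return family
    return None


if __name__ == "__main__":
    # Constructed sample stream: two complete frames plus a truncated third.
    stream = (build_frame(b"nbLGX", b"LOGIN-DATA" * 4)
              + build_frame(b"nbLGX", b"heartbeat")
              + build_frame(b"nbLGX", b"tail")[:-3])
    frames, rest = parse_stream(stream)
    print(looks_like_gh0st(stream), len(frames), "frames,", len(rest), "leftover bytes")
    for f in frames:
        print(f.family, f.original_len, f.payload[:16])
```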
RSA has come and gone, and things are settling down into a normal routine. I did write a post-RSA blog which covered the highlights and trends I observed.
Because of RSA and the subsequent week of getting through the backlog of emails and work, the news list has piled up with over 141 separate news items lined up in my list. But don’t worry, I’ll only share the ones I truly hearted.
Device and account security checklist
Bob Lord has put together a great resource to help people and companies better secure themselves and their organisations. Even if you’re a security expert, it’s worth checking out and sharing the checklist with friends and family.
On March 6, 2019, the FBI contacted Citrix with the news that international cyber criminals had likely gained access to the internal Citrix network. The firm says in a statement that it has taken action to contain this incident. “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” says Stan Black, Citrix CISO.
Actors have been launching phishing campaigns that abuse several brands of well-known real estate franchises with the intent of capturing targeted real estate agents' email credentials. While this type of targeting in the real estate sector is not new, this post highlights the in-depth tactics, techniques, and procedures (TTPs) used. The TTPs and imagery used in the PDF are used to lure people in. Credential harvesting websites can be used for situational awareness to defend against these attacks.
Pros-for-hire no better at writing secure code than compsci beginners
Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all.
Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration system didn't do so securely unless asked, and even then didn't always get it right.
Most folks who work with servers know the monthly drill:
Patches are released by manufacturers -> Patches are tested -> Patches are deployed to Production. What could possibly go wrong?
Anyone who has ever experienced the nail-biting joy of patching, and then awaiting a restart, knows exactly what could go wrong. Does anyone remember the really good old days when patches had to be manually staged prior to deployment? For those of you who entered the tech world after Windows NT was retired, consider yourself lucky!
If you think about it, most organizations that patch on a monthly basis are considered to have an aggressive patching strategy. As evidenced by the legendary Equifax breach, some organizations take months to apply patches. This is true even when the organization has been forewarned that the patch is a cure for a vulnerability that is being actively exploited, also known as a “Zero-day” vulnerability.
Patching is never a flawless operation. There is always one server that just seems to have problems. What is the first response when this happens? Blame the patch, of course! After all, what else could have changed on the server? Plenty, actually.
Sometimes, removal of the patch doesn’t fix the problem. I have seen the patch still held responsible for whatever has gone wrong with the server. I am not blindly defending the patch authors, as there have been too many epic blunders in patching for me to exhibit that kind of optimism and not laugh at myself. But what can we do to avoid the patch blame game?
The simple solution is to restart the servers before deploying patches. This is definitely an unorthodox approach, but it can certainly reduce troubleshooting time and “patch blame” when something goes wrong. If you restart a server, and it doesn’t restart properly, that indicates that an underlying problem exists prior to any patching concern.
This may seem like a waste of time; however, the alternative is usually more time consuming.
If you patch a server, and it fails at restart, the first amount of time you will waste is trying to find the offending patch, and then removing the patch. Then, upon the subsequent restart, the machine still fails. Now what?
Even if we scale this practice to 1000 servers, the time is still not wasted. If you are confident that your servers can withstand a simple restart, then restart them all. The odds are in your favor that most will restart without any problems. If less than 1% of them fail, then you can address the problems there before falsely chasing the failure as a patch problem.
Once all the servers restart normally, then, perform your normal patching, and feel free to blame the patch if the server fails after patching.
The same approach could also be applied to workstations in a corporate environment. Since most organizations do not engage automatic workstation patching on the corporate network, a pre-patch restart can be forced on workstations.
Patching has come a long way from the early days when the internet was young and no vulnerabilities existed (insert sardonic smile here). The rate of exploits and vulnerabilities has accelerated, requiring more immediate action towards protecting your networks. Since patches are not without flaws, one easy way to rule out patching as the source of a problem is to restart before patching.
The NIST Cybersecurity Framework (CSF) has only been around for four years and while developed for critical infrastructure, resulting from Executive Order 13636, it has been widely adopted across both private and public sectors and organizational sizes. It is used inside of the US government, with 20 states using it (at last count). In addition, international organizations such as the Italian government, as well as private sector organizations including technology and education are using the framework.
Why is this?
If there’s one overarching theme of the NIST CSF when it comes to implementation, it’s that there’s no one-size-fits-all solution. Your risk profile, regulatory requirements, and financial and time constraints are unique, and the NIST CSF allows each organization to take these factors into account when implementing the CSF. Moreover, implementation is not an all-or-nothing proposition. Without the restrictions of a formal compliance regulation to hold you back, you are free to implement the NIST framework in whatever way best fits your business needs. Once you establish your unique, current profile and target profile, you can use the gaps between them as a tool to help prioritize improvement actions, based upon your budget and resources.
The NIST CSF allows you to establish or build upon your foundation by identifying what needs to be protected, implementing safeguards, and detecting, responding to, and recovering from events and incidents. In the simplest terms, NIST CSF defines outcomes based upon your unique threats and risks, as well as how you manage risks within your organization:
Know what you have and what you are facing
The NIST CSF calls on organizations to identify their data and the devices that store, transmit, and process information. This means you must have an inventory of the data, the devices, the applications, and the underlying infrastructure that process and store that data.
Now that you know what data you have, you can identify threats and vulnerabilities in the environment. This allows you to focus on protecting the ‘riskiest’ assets or what is most valuable to your organization.
Put protection measures in place
Once you know what you need to protect, put measures in place to safeguard that data. The days of taking the approach of "We have a firewall. Our data is protected" are long gone. A layered approach to security is imperative, protecting the connectivity layer, the application layer, and the device itself.
Monitor, monitor, monitor
There are always changing circumstances, even with the most mature security programs. That is why you must continually monitor the environment to detect events and potential incidents. Not only must you monitor but you must improve your monitoring strategy and technologies that you use. Detection must be efficient and effective - your organization can fall into one of these two buckets: you have been breached and you know it or you have been breached and you don’t know it. Continually optimize and tune the technologies and processes you have in place. You cannot respond to what you can’t detect.
Have a plan
Like we all know, it’s not if you get breached, it’s when. Having a formal, tested response plan that is known by the organization, its stakeholders, and responders is crucial.
With or without a security operations center, and whether your network is on premises, in the cloud, or a hybrid, you need to determine which events and indicators correlate with cyber attacks. Organizations these days face a wider range and greater frequency of cyber threats than ever before. These threats can be from APTs (advanced persistent threats), cyberwarfare, promiscuous attacks through bots and botnets, script kiddies, malware-as-a-service via the Dark Web, or even internal attacks from entities within your organization. Everything from distributed denial of service attacks (DDoS) to cryptojacking, from man-in-the-middle attacks to spear phishing, from ransomware to data breaches hit businesses of all sizes and in all industries constantly and every single day. It’s perfectly normal to find it all to be overwhelming!
But implementing the right tools and practices can help you make sense of all of the cacophony. That’s where cybersecurity analytics can be useful. Several years ago, security analytics became something of a buzzword, but it’s as relevant now as ever.
Cybersecurity data analytics explained
So what is it exactly? It’s actually quite simple.
Security analytics isn’t one particular type of tool or system. It is a way of thinking about cybersecurity proactively. It involves analyzing your network’s data from a multitude of sources in order to produce and maintain security measures. It’s all about aggregating data from every possible source and finding the “forests” that all of those “trees” of logs and other recorded details are a part of. Of course, being able to identify the “forests” can make it easier to not only put out “forest fires” of cyber attacks, but also prevent “forest fires” in the future.
Security analytics sources and tools
Here are some of the different types of data sources which can be used in your cybersecurity analytics practices:
Logs from network security appliances, such as firewalls, IPS, and IDS
Network traffic and its patterns
Identity and access management logs
Mobile devices and storage media connected via WiFi, Ethernet, and USB
Business specific applications
There are some types of tools which your network can deploy which pertain to cybersecurity analytics. They include:
Code analysis applications to find vulnerabilities in software and scripting
File analysis tools to explore files in ways which may go beyond malware detection
Log analysis applications for firewalls, IDS, IPS, networked print devices, servers, and endpoints
SOC (security operations center) specific applications to organize data in a way which is useful for their functions
DLP (data loss prevention) tools
Security analytics use cases
Properly implemented cybersecurity analytics can not only improve your network’s security posture, but also help your organization with regulatory compliance needs. There are many industry-specific regulations which require log data collection and activity monitoring. HIPAA and PCI-DSS are just a couple of them.
It can even help show your organization’s stakeholders and management which security measures and policies are useful and worthy of investment.
Using an analytics approach and the right tools have the benefit of being able to
RSA is arguably the biggest business-focussed cyber security event of the year, as over 40,000 security professionals completely take over the Moscone Centre in San Francisco.
Of course, one of the biggest changes this year was a case of the blues - as AlienVault made its transition into AT&T Cybersecurity. There were smiles all around, and the now blue blinky sunglasses remained a favourite across our two booths.
However, it’s not the last we’ll see of our little Alien mascot, who will live on in Alien Labs.
There was also a ‘bullet time’ camera setup in the South Booth. I’m sure there’s a technical term for it, but I only know it as bullet time - the technique popularised by the Matrix movies, where multiple cameras are setup and take a photo at the same time, giving attendees the chance to have their photo taken while being beamed up by the UFO above.
RSA is a huge event with thousands of vendors, and hundreds of talks, which naturally bring about some common topics and trends.
Stop, Collaborate, and Listen
No, Vanilla Ice wasn’t a keynote speaker, but a common thread from the keynote to the show floor was one of collaboration and working better together.
I attended a great presentation by Wade Baker and Jay Jacobs of Cyentia Institute entitled “NONE of Us Are as Smart as All of Us” in which they take a scientific approach to proving why many is better than one for learning in the security industry.
Don’t call it a comeback
There was a lot of discussion around security fundamentals. While there are many new threats and attacks in the wild, they are not worth focussing on if the foundations are shaky. Industry luminaries HD Moore and Jeremiah Grossman are working on asset discovery, and Cybersecurity Asset management firm Axoni
Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of.
One of the most widely observed objectives of attacking an organization's cloud infrastructure has been for cryptocurrency mining. Despite recent falls in cryptocurrency prices, mining campaigns continue to plague organizations. Below, we've shared some of the more noteworthy forms of attack where the hackers’ end objective is to use your cloud infrastructure to mine cryptocurrency.
Compromised Container Management Platforms
We've seen attackers using open APIs and unauthenticated management interfaces to compromise container management platforms.
We recently investigated attacks involving mining malware served from the domain xaxaxa[.]eu. That domain may sound familiar, as it appeared in a February 2018 report by RedLock on the compromise of the Kubernetes infrastructure of an electric car company. The report details the container commands showing the malicious request.
RedLock reported the attackers used the compromised Kubernetes server in Amazon Web Services to mine Monero and potentially access customer data. In the event of such unrestricted access, cryptocurrency mining is one of the least malicious outcomes for victim organizations. For example, customer data and business operations could be at risk of theft or malicious modification.
Following the attention of the report by RedLock, the owners of xaxaxa[.]eu published a Public Notice stating that they are just a mining proxy and are not responsible for any malicious activity themselves.
Notably, we have also observed the domain serving pages saying it is a Dynamic Domain and a Vesta Control Panel. However, we have seen from other attacks listed in this article that the root domain is actively involved in serving malware and implicated in other campaigns.
Control Panel Exploitation
We have also observed attacks aimed at the control panels of web hosting solutions. The impact is similar to the previous topics, essentially allowing administrative control over web services for the execution of malicious code.
In April 2018, the same attackers that compromised Kubernetes infrastructure started exploiting an unknown vulnerability in VestaCP. This was followed by frantic posts on the official VestaCP forums and those of web-hosts that run VestaCP. VestaCP users provided details on how their installations were compromised.
In these attacks, they added a new backdoor user called “sysroot,” and then downloaded and installed the XMRig application to mine Monero cryptocurrency.
I am very excited to announce the 2018 AT&T Cybersecurity (formerly AlienVault) Partners of the Year! These eight outstanding companies achieved phenomenal business growth during 2018 and truly reflect the types of organizations that believe in ‘customers first’.
The AT&T Cybersecurity Partner Program enables leading VARs, system integrators, managed security service providers (MSSPs), managed detection and response providers (MDRs) and corporate resellers to sell and support AT&T Cybersecurity solutions and deliver compelling services powered by AlienVault USM in the global marketplace. With a strong focus on enablement, the program is designed to help solution providers create new opportunities for business growth, expansion and profitability.
Our dynamic and rapidly expanding partner community is a critical part of our success as a company, and we are committed to enabling and supporting the growth of our participants based on their individual goals and objectives.
Our Partner of the Year awards recognize the success achieved by our partners in the following categories:
Binary Defense led the AT&T Cybersecurity global partner community by identifying, architecting and delivering managed security services to a record number of customers. These customers ran the spectrum in size, from small business to some very recognizable, household names! They had top honors two years ago and we are very proud to recognize their return to the top spot by delivering more than 100% year-over-year growth.
“We are honored to receive such an award. The continued partnership and support between AlienVault and Binary Defense is a testament to the dedication of both organizations to improving cyber security around the world. As a leading MSSP and provider of SOC-as-a-Service, Binary Defense is proud to be aligned with AlienVault’s world class SIEM platform.” - Mike Valentine, CEO
Highest growth in 2018 as compared to 2017 sales bookings
IT Lab, based in the UK, delivered more than 800% growth year-over-year leading all others in 2018 by a comfortable margin. These growth numbers are challenging to achieve even in the best of times and IT Lab were able to take a great baseline and deliver these amazing results. With an eye firmly on value, it’s no surprise their existing customers renew and new customers flock to their services.
“IT Lab are thrilled to have been awarded growth partner of the year. This represents the excellent growth that we have had across IT Lab, both within our cyber security services and beyond. The SOC team have on-boarded some excellent clients in the last 12 months; spanning large FTSE250 businesses to financial and professional services, healthcare organisations and beyond. This award is testament to the fantastic team, and the great people that make up that team, right across our cyber and managed services.” – Michael Bateman
Highest sales bookings by a solution provider that joined our program in 2018
Agio signed on with us in early 2018 and came to the table with focused goals, a compelling service offering and an amazing technical team. Their desire to be impactful to their customers immediately made recognizing Agio a simple process. When you
The Federal ban on smartphones for some employees in the workspace makes a lot of sense in post-Snowden days. The phone has a camera, microphone, Bluetooth and other capabilities that can be abused, with or without the employee even intending harm.
AT&T ThreatTraq did a six-minute video I really enjoyed. The video included Karen Simon, Director Technology Security, AT&T, Manny Ortiz, Director Technology Security, AT&T and Matt Keyser, Principal Technology Security, AT&T. They referenced a great article in Security Magazine on this topic recently. Here are some key takeaways:
Unbridled smartphone capabilities are a righteous threat in highly secure facilities. Cameras can be used to steal classified documents. Microphones can be used to spy. Bluetooth is fraught with valid security issues that could be abused to exfiltrate data and spy.
The ban cost about 52 minutes per day of lost productivity. Karen calls it the “backlash on productivity”. Manny found the 52-minute number to be incredible, but then broke it down to employees having to walk out to their car or to a locker to check on their phones multiple times per day – yes, it does add up. But is that really true? Would employees have been equally or more unproductive due to using the smartphone for personal reasons on the job?
There’s a definite hit on employee morale. I know a few people who wouldn’t take a job that required surrendering their smartphone to go to work. From the article:
“The numbers don’t lie: four out of ten millennials refuse to work for an organization that doesn’t allow personal devices in the workplace.”
Personal effectiveness can be greatly reduced. Think of all the times getting a quick text to a colleague during a long meeting can save quite a bit of time and reduce wasted work.
Work laptops / desktops have similar functionality as smartphones – why does it make sense to ban a smaller version of a laptop? Laptops can’t be taken from employees because they would be unable to do much work without them!
As Karen suggested, while security does have an impact – it’s never entirely benign - there needs to be a balance between security and productivity. Perhaps technology to disable the recording and camera functions of smartphones while at work?
We are very excited to announce that our new Success Center has just launched. It is our new “one stop shop” for help for AT&T Cybersecurity commercial USM Anywhere, USM Appliance and USM Central customers, OTX and OSSIM users, and InfoSec practitioners in need of help and support.
Why a Success Center?
We studied the situation at length before formulating our plan for the Success Center. In interviews with customers and partners, we determined that those wanting our help had to go to too many sites to get what they needed. These sites include the Forum, the Support Portal, the Documentation Center and the blogs. It was hard for folks to know the best place to look for information about a particular topic or question.
What Makes the Success Center Different?
Now you can log in one time and have access to information from a great many resources. You have the capability to search across all the resources and find helpful information that would otherwise be tricky to find. Searches span across blogs, AlienVault documentation, KB articles, Forum questions and even the customer case history (if the user is a customer). We respect your privacy - company case history is accessible only by designated users of that company.
What Happened to the Customer Support Portal?
If you were a user of the Support Portal, your existing credentials will allow you access to the Success Center. You will have access to all the things you used to have access to, and much more!
What Happened to the AlienVault Forum?
The Success Center is a superset of the Forum. If you were a Forum user, you should have received an email near the end of January requesting you set up a new password for the Success Center.
We migrated all the users of the Forum over to the Success Center, as well as the all existing Forum questions and answers.
There’s another neat feature about the Success Center – we will be able to get the focus from our technical experts to answer your questions better. In the Forum, questions could go unanswered. With the Success Center we will be alerted if a question has not been answered in a reasonable time. We can then open a ticket to get the right eyes and minds to answer your questions. In addition, duplicate questions will be resolved, and questions we’ve already answered in the past will get answers automatically.
Features to Notice in the Success Center
Intelligent Search: Searching for an answer is hard enough, but trying to filter through the results for the best answer makes finding your answer a frustrating process. Our new search intelligence can help with that by adding the following features:
View filters – additional filters allow you to filter results by result type, product, or source.
AI - Search AI will compare your search to previous results and your own history in the community to determine the likelihood of relevance for each result.
Result post-filtering - Our new search will analyze the results to rank not just by term relevance, but also age, validation, and reviews.
Getting Started Guide
Sometimes it is hard to know where to start with a new product. To help ease the process of getting used to our products, we provide a quick Getting Started Guide to help you get off the ground quickly.
In order to simplify finding what you need, we have provided a list of links to commonly requested answers and pages.
Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops.
That means it can be used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible:
Termite is a useful networking and penetration testing tool, but we’re seeing it used in attacks to enable access to machines too. There has been little reporting on Termite, beyond a brief mention in a report by Kaspersky of an earlier version of Termite called “EarthWorm”. Below, we’ve provided an outline on some of the attackers we’re seeing deploying Termite.
Termite and EarthWorm are publicly available tools written by an employee of 360NetLab. They can be considered an updated version of the well known packet relay tool HTRAN.
Termite popped up on our radar when we were reviewing malicious binaries compiled to run on IoT architectures. Termite is available for a range of different operating systems and architectures including x86, ARM, PowerPC, Motorola, SPARC and Renesas.
This means an attacker can use a long chain of desktop, mobile and IoT devices to be able to connect through networks and DMZs.
Termite can act as a SOCKS proxy to bounce traffic, as well as a lightweight backdoor that can upload and download files, and execute shell commands:
The Termite help function
For example, this is a typical sequence of commands you may see when investigating a compromised machine:
On a victim host, the attacker listens for incoming connections:
agent.exe -l 8888
Then the attacker connects to the compromised machine:
admin.exe -c [target_ip] -p 8888
And selects which compromised system to interact with:
Then they start a SOCKS proxy on the system to route traffic through it:
And a shell on the compromised system that they can connect to with netcat:
Breaches are widely observed in the healthcare sector and can be caused by many different types of incidents, including credential-stealing malware, an insider who either purposefully or accidentally discloses patient data, or lost laptops or other devices. Personal Health Information (PHI) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information (PII).
With instances of identity theft and fraud rising, however, many healthcare organizations are now hosts to valuable patient data such as social security numbers, medical records, and more personal information that can be compromised through cyber-attacks. If cybersecurity is not a key piece of your healthcare facility’s infrastructure, you may be putting both your organization and your patients at extreme risk. With the current cybersecurity climate in healthcare, it is important to consider some foundational security elements in terms of maintaining cyber hygiene.
What it Means for 2019 and Beyond
The data from 2018 illustrates that there is a problem with security throughout the healthcare industry. Information security experts warn that healthcare will be the biggest target for cybercriminals over the next five years, as noted in Healthcare IT News. The financial burden on attacked organizations is crippling, but the reputation risk is even greater.
A Smarter Approach to Security
Healthcare organizations must have an effective security risk management strategy built on the concept of edge-to-edge protection. They need to know what their data security priorities are, have policies that are effectively enforced, and bring an approach to cybersecurity that’s surgical — working from the inside out — to understand every fit and function of their organization. Without proper guidance, healthcare organizations could be throwing money into cybersecurity with little return, strangling their operations rather than supporting them. So as healthcare organizations work toward their future security, a key step is to consider doing a penetration test. Consider it a self-check-up.
To combat a hacker, you need to think like a hacker. Penetration testing is a form of ethical hacking that simulates attacks on an organization’s network and its systems. This is done to help organizations find exploitable vulnerabilities in their environment that could lead to data breaches. The test is a manual process performed by security experts who dive deeper into your environment than an automated vulnerability scan does.
A Penetration Test Does NOT Equal Automated Vulnerability Scans.
It exposes your weaknesses before real hackers do
It can reveal which areas of security you need to invest in
It provides an outsider perspective of your security posture
It will simulate a real attacker scenario
It helps with meeting compliance with industry standards and regulations
It helps prioritize and tackle risks based on their exploitability and impact
MITRE ATT&CK™ (Adversarial Tactics, Techniques and Common Knowledge) is a framework for understanding attackers’ behaviors and actions.
We are pleased to announce that AlienVault USM Anywhere and Open Threat Exchange (OTX) now include MITRE ATT&CK™ information. By mapping alarms to their corresponding ATT&CK techniques, we are assisting in prioritizing analysis work by understanding the context and scope of an attack.
Below we’ve outlined how this new capability can help you investigate two threats - TrickBot and RevengeRat.
Mapping a Trickbot infection with ATT&CK
Trickbot is a malware family that was discovered a few years ago targeting the banking industry and, as ongoing investigations show, it is still active and evolving. The malware is usually delivered as Office documents attached to spear-phishing emails.
This particular sample works by running a PowerShell script via command line from the malicious Excel document. The script will load the code that needs to be executed in memory and run the payload. In order to run the payload without being detected, the malware will try to disable and evade anti-malware protection. Once that is done, it will copy itself to another location and will run from there. It also spawns instances of the svchost.exe process to perform several tasks such as downloading config files and injecting into browsers to steal user credentials.
AlienVault USM Anywhere detects and tracks the malware behavior described above and maps each behavior to its ATT&CK definition. This provides a clear understanding of the attack’s stage and tactics, and makes the analysis work easier.
Running the sample in our environment we can observe different alarms that USM Anywhere is automatically triggering once the malicious Office document is opened by the user:
Suspicious Process Created by Microsoft Office Application
Suspicious Powershell Encoded Command Executed
Windows Defender Disabled
Windows Unusual Process Parent
Malicious SSL Certificate
Now it’s possible to see those alarms mapped to the ATT&CK matrix:
As we can observe, the ATT&CK matrix provides visibility of the techniques and tactics that Trickbot uses, starting with Execution tactics, continuing through Defense Evasion mechanisms and finishing with Command and Control activity.
The first alarm in the kill chain is the Suspicious Process Created by Microsoft Office Application. After opening the malicious document, the process EXCEL.EXE creates a new process to run a PowerShell command and load code in memory using the IO.MemoryStream class. We can see how the alarm Suspicious Powershell Encoded Command Executed detected the malicious activity and the encoded command trying to evade detection.
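As an added example that is not part of the original post or of USM Anywhere itself, the small Python detector below applies the three alarm rules described above to constructed process-creation events and maps each alarm to its ATT&CK tactic. The event field names, sample command lines and rule logic are assumptions of this example; the technique IDs are current ATT&CK identifiers, while the page itself names only the tactics.

```python
"""Toy detector that raises the alarms described above from process-creation
events and maps each to an ATT&CK tactic and technique. Added example: the
event field names, the sample events and the rule logic are constructed here
and are not USM Anywhere's own."""
import base64
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Alarm name -> (ATT&CK tactic, technique). Technique IDs are current ATT&CK IDs;
# the original text only names the tactics.
ALARM_MAP = {
    "Suspicious Process Created by Microsoft Office Application":
        ("Execution", "T1059.001 Command and Scripting Interpreter: PowerShell"),
    "Suspicious Powershell Encoded Command Executed":
        ("Defense Evasion", "T1027 Obfuscated Files or Information"),
    "Windows Defender Disabled":
        ("Defense Evasion", "T1562.001 Impair Defenses: Disable or Modify Tools"),
}

# powershell.exe accepts -e, -ec, -enc or -EncodedCommand followed by base64 text
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
# Markers of code being staged and run in memory rather than dropped to disk
IN_MEMORY = re.compile(r"(?i)IO\.MemoryStream|FromBase64String|Invoke-Expression|\biex\b")
DEFENDER_OFF = re.compile(r"(?i)Set-MpPreference\s[^\n]*-DisableRealtimeMonitoring")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Apply the three rules to one event; return (alarm, tactic, technique) tuples."""
    parent, image, cmd = _basename(ev["parent_image"]), _basename(ev["image"]), ev["command_line"]
    alarms = []
    # Rule 1: an Office application spawning a script host (EXCEL.EXE -> powershell.exe)
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        alarms.append("Suspicious Process Created by Microsoft Office Application")
    # Rule 2: encoded PowerShell whose decoded body loads code in memory
    decoded = decode_encoded_command(cmd) if image == "powershell.exe" else None
    if decoded is not None and IN_MEMORY.search(decoded):
        alarms.append("Suspicious Powershell Encoded Command Executed")
    # Rule 3: real-time protection switched off, in the raw or the decoded command line
    if DEFENDER_OFF.search(cmd + "\n" + (decoded or "")):
        alarms.append("Windows Defender Disabled")
    return [(a,) + ALARM_MAP[a] for a in alarms]


def map_events_to_attack(events):
    """Run every rule over the event stream; return the alarm chain in event order."""
    chain = []
    for ev in events:
        chain.extend(analyze_event(ev))
    return chain


def encode_for_powershell(script):
    """Helper used only to build the constructed sample: base64(UTF-16LE), as -enc expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events mirroring the chain described in the text (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -w hidden -enc " + encode_for_powershell(
         "$ms = New-Object IO.MemoryStream; iex ([Text.Encoding]::UTF8.GetString($ms.ToArray()))")},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign control event: no alarm expected
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for alarm, tactic, technique in map_events_to_attack(SAMPLE_EVENTS):
        print(f"{tactic:16} {technique:60} <- {alarm}")
```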
Today marks another new milestone and I am proud to unveil our new name: AlienVault has now combined with AT&T Cybersecurity Consulting and AT&T Managed Security Services to form a new standalone division, AT&T Cybersecurity!
Digitalization continues to drive rapid changes in business models and network architectures. On the other hand, it also drives changes in how cybercriminals operate, making it easier for them to harvest data and launch automated attacks at scale. The mismatch between changes in cybercrime sophistication and the relative stagnation in cybersecurity approaches is apparent as organizations continue to suffer data breaches. According to a survey presented in AT&T Cybersecurity Insights, 88% of respondents had reported at least one type of security incident or breach in the last year.
The root cause? Dispersed networks, an explosion of data, disparate technologies and complex security operations present cybercriminals with gaps or “seams” in organizations’ security postures. Fighting cybercrime requires a coordinated and collaborative approach orchestrating best-of-breed people, process and technology.
AT&T started down this path years ago by building a best-of-breed Cybersecurity Consulting practice and Managed Security Services business serving customers of all sizes, across industries, and around the world. Combined with its network visibility across the threat landscape, AT&T has been well-positioned to take a unique role in cybersecurity.
With the acquisition of AlienVault, AT&T Cybersecurity will continue to deliver on our joint vision to address these “seams” and uniquely bring together people, process, and technology through a “software defined” unified security management platform, one that integrates, automates and orchestrates a wide spectrum of best-of-breed point security products.
By abstracting much of the management of individual security products, we are automating deployment and ongoing operations, and operating them as a single unified solution - much in the same way AlienVault had done with the critical capabilities required for threat detection and response. This platform will use the technical capabilities and reach of AT&T’s Edge-to-Edge intelligence in order to deliver solutions as on-demand digital services optimized to help protect customers through their own digital transformation journey.
We will accomplish this through collaboration with AT&T’s industry-leading Chief Security Organization and through the integration and automation of AT&T Alien Labs threat intelligence into the platform. The combination of Open Threat Exchange now curated by Alien Labs and AT&T’s incredible breadth and depth of threat intelligence will create one of the world’s leading threat intelligence platforms!
AT&T Cybersecurity is uniquely positioned to provide security without the seams through people, process and technology, which will provide UNRIVALED VISIBILITY for our customers!
2019 is off to a great start! Stay tuned for more exciting news from AT&T Cybersecurity that will enable our customers to anticipate and act on threats to help protect their business!
Once upon a time, businesses needed to take light cybersecurity precautions to ward off amateur hackers. A business owner may have recruited their tech-savvy nephew to protect their system, barely worrying about the risk. Today, the world of cybersecurity has done a 180 — it’s now a top concern for businesses. As businesses swiftly adapt to the changing digital environment, new technology means more cybersecurity concerns.
Businesses are now using new tech for an assortment of needs, from the recruitment process to audience discovery and beyond. On top of that, as consumers continue to shop online and use the internet to store all sorts of personal information, hackers have only grown in their knowledge and resourcefulness to create clever, threatening ways to attack businesses. And for good reason: Uncovering financial and health information is worth a lot of money for hackers.
The internet of things (IoT) has created more opportunities for employees and consumers to stay connected through an assortment of tools, from smartphones to smart home appliances. Every time another device connects to the internet, another security risk opens up. When valuable personal information is transmitted, those devices and connections become gold mines for hackers.
Additionally, any business that has some type of online presence, whether it’s a customer-facing retail store or employees who use an internal, internet-connected system, needs cybersecurity services. Certain industries have even more of a pressing need than others:
These industries deal in high levels of personal information that, if a hacker accessed it, would be detrimental to the business as well as its customers.
How Do Cybersecurity Experts Protect Businesses?
In 2014, Sony Pictures was the target of a major cybersecurity attack. According to Michael Lynton, chief executive, “There's no playbook for this, so you are, in essence, trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of experiences you've had in the past or other people's experiences. You're on completely new ground.”
This is a common sentiment, but it may be unfounded. Even five years ago, cybersecurity pros noted that Sony should have, and could have, been better prepared.
When you decide to go into the field of cybersecurity, you may opt to head back to sc
We have two weeks of news to catch up with because I was travelling last week and wasn’t able to submit to the editor in time.
But that just means double the security fun. So let’s just jump right into it.
Helping The Smaller Businesses
Small and mid-sized businesses have most of the same cybersecurity concerns as larger enterprises. What they don't have are the resources to deal with them. A new initiative, the Cybersecurity Toolkit, is intended to bridge that gulf and give small companies the ability to keep themselves safer in an online environment that is increasingly dangerous.
Security Isn’t Enough. Silicon Valley Needs ‘Abusability’ Testing
It is time for Silicon Valley to take the potential for unintended, malicious use of its products as seriously as it takes their security. From Russian disinformation on Facebook, Twitter, and Instagram to YouTube extremism to drones grounding air traffic, tech companies need to think not just about protecting their own users but about abusability: the possibility that users could exploit their tech to harm others, or the world.
CISO Spotlight: Security Goals and Objectives for 2019
Rick Holland shares his security goals and objectives for 2019, which has some great insights and tips such as hyperfocusing on process / program improvements, establishing a security and risk playbook, avoiding ‘expense in depth’, eating their own BBQ, and investing in the team.
Some defense attorneys in San Juan County worry that Sheriff Ron Krebs has a finger on the scales of justice after learning he used a courtroom security camera to surreptitiously zoom in on defense documents and a juror’s notebook during a criminal trial last week.
The incident has drawn outrage from criminal and civil-rights attorneys and frustration from the county prosecutor, and prompted a rare weekend hearing during which a judge dismissed misdemeanor assault and trespass charges against a Lopez Island man after finding the incident amounted to government misconduct that had violated his right to a fair trial.
Given you’re here, you’re likely new to this topic, so please be aware that fileless malware, fileless malware attack, and fileless attack are different names for the same thing. With that clear, let’s jump in!
What is Fileless Malware and How Does It Work?
There are many definitions of a fileless malware attack. I like the description from the Ponemon Institute:
"A fileless attack is really an attack technique - what we're talking about is a technique - that avoids downloading malicious, executable files, usually to disk, at one stage or another by using exploits, macros, scripts, or legitimate system tools instead. Once compromised, these attacks also abuse legitimate systems and admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network."
What's most confusing about these attacks is that they might not be 100% file-free. Different techniques are termed “fileless”, but that doesn't mean the malware or an entire attack campaign won’t include executables at some stage. For example, a traditional phishing attack could have fileless components: instead of the victim opening a file or clicking a link that downloads something to the hard drive, the malware may simply run in the computer’s memory. It’s a phishing attack, but one piece of it is fileless. That scenario is more common than a completely fileless attack where everything runs in memory. More commonly, we see traditional attacks (phishing campaigns, spoofs, man-in-the-middle (MitM) attacks) where some part of the attack vector includes malicious code that runs in memory.
The other point is that you might hear “fileless attacks” referred to as non-malware attacks, memory-based attacks, in-memory attacks, zero footprint attacks, and macro attacks. These are all different flavors of attack techniques. The whole premise behind the attack is that it is designed to evade protection by traditional file-based or signature-based tools. So any technique designed to try to circumvent or evade detection by those tools really falls into the fileless attack category.
Just to get a picture of some of those techniques, in the picture below on the left there are some example delivery methods we see for fileless types of attacks. As we know, phishing and social engineering remain tactics that work for attackers.
This diagram from Microsoft shows a full taxonomy of fileless threats. It illustrates the breadth of techniques and the different tools, tactics, and procedures that malicious attackers are using to launch attacks.
Cyber security rests on three pillars: people, process, and technology. Enterprises have historically had a skewed focus towards the technology aspect of cyber security - installing another endpoint agent, or deploying another network monitoring device designed to seek out anomalous behaviour.
While all these things are well and good, user awareness plans get far less attention: most companies have a once-a-year activity where they go over a few points and hope people remain educated.
And as far as processes go … well, it’s unclear how much of a conscious effort is put into developing robust processes for cyber security, particularly in small and medium businesses.
If we take an unscientific look at some of the trends over the last couple of years, we can see that non-state adversaries have been changing some of their tactics. It is no longer possible for most attackers to waltz in through the virtual front door of organizations and access their data, which is why many attackers focus on different areas.
Three of the most commonly spotted areas are as follows:
Going after employees is a tried and tested method. Be that dropping USB drives marked “HR bonus list” in the car park, or sending targeted phishing emails, these attacks have proven to stand the test of time.
Phishing emails have been used in many ransomware infections, and Business Email Compromise (BEC) scams likewise rely on duping users within a company.
At the beginning of 2019 it was reported that the Indian unit of an Italian firm was targeted, with the attackers managing to swindle $18.6m. This trend shows no signs of slowing down, as BEC fraud attacks soared 58% in the UK during 2018, possibly affecting as many as half a million SMEs, according to Lloyds Bank data.
Employees aren’t the only ones targeted by criminals. Customers of companies are also fair game in the eyes of hackers.
Phishing attacks are a common avenue, with scammers masquerading as popular brands such as Apple or Amazon, threatening behaviour such as law enforcement or the tax office, or even pulling at emotions such as love and greed.
Accidental Personal Info Disclosure Hit Australians 260,000 Times Last Quarter
The latest quarterly report on Australia's Notifiable Data Breaches (NDB) scheme has revealed around 269,621 separate cases of individuals having their personal information impacted as a result of a human error. The report [PDF] says
Way back in the 2010 / 2011 timeframe, Wendy Nather coined the phrase "The Security Poverty Line", in which she hypothesised that organisations, for one reason or another (usually lack of funds), can't afford to reach an effective level of information security.
Nearly a decade on, and while the term has sunk into frequent usage within the information security community, are we any better at solving the issue now that we've identified it?
I asked Wendy on her thoughts, to which she said, “I don’t think we’ve even come close to understanding it yet. And I think solving it will take an effort on the level of US health care reform.”
It’s a morbid thought, and can leave one with a feeling of helplessness. So, I thought I’d try to scratch beneath the surface to see what we can understand about the security poverty line.
The term technical debt has become more prevalent within information security over the years: a company accrues technical debt, or information security risk, over time as a result of decisions it has made. For example, if a service is launched before undertaking a full penetration test or code review, it adds to the debt of fixing any subsequent issues in a live environment.
One of the challenges with technical debt is that it doesn’t accrue in a linear manner; rather, the debt, and the fall below the poverty line, grows at an exponential rate.
Speaking to people who run small businesses, things become a bit clearer as to some of the challenges they face.
Cybersecurity needs investment in different areas; initially that means hiring expertise or investing in technologies, neither of which is necessarily a small investment. Then there are ongoing costs: the cost to maintain security and to undertake ongoing testing. When wanting to do business with larger companies, the smaller company is usually subject to a third-party assurance process where it needs to demonstrate that it meets all the cybersecurity requirements of the larger company, even in instances where the controls may not be directly applicable. Finally, in the event of an incident, a company that has already under-invested in security is faced with loss of business, or even legal action from partners, regulatory fines, as well as the cost of incident recovery and PR management.
How Much Information Security is Enough?
With such a seemingly endless laundry list of things to consider in the security world, the question on
Online trading is on the rise as many consumers take control of their own investments or work with brokers virtually rather than in person or over the phone. At the same time, cybersecurity attacks are on the rise as hackers also try to take advantage of gaps in the system, stealing identities and even money.
How do you keep yourself safe when trading online? Here are six simple tips:
Check the Doors and Windows
Before trading online, know that the most important thing is awareness. Be aware of what risks you run by trading online and what might happen. In your home, you check doors and windows before going to bed because you know they are potential entry points; you need to understand the same thing about online trading.
How do you recognize a threat and combat it, or prevent it in the first place? One of the keys is good security software and setting up automatic alerts. Of course, once you receive an alert, you need to know what actions to take, and software can help with that as well. Secure your online trading accounts and all of the data associated with them by securing any potential entry points. It’s also never a bad idea to regularly back up your data, either to physical offsite or cloud-based storage. Should the integrity of your systems be compromised by a breach, you’ll still have access to your data.
None Shall Pass
For a moment, let’s talk passwords, one of the entry points mentioned above. Truth is, as much as we talk about passwords, the list of the top awful ones every year is astounding, including things like your birthday, 123456, and even the word “password” used as a password.
There is no reason for this in an age of password vaults and generators that not only help you set your passwords, but remember them for you as well and can even remind you to change them. Consider using such a password management system, and guard your passwords carefully. All of the fancy firewalls and protection in the world do no good if your password is easy to guess.
Do you know what two-factor authentication is and how to use it? Most apps, even those for social media, offer this now, and bank and trading apps are no exception. When you log in from a new device, you will need not only your password, but you will need to have access to a device you own.
This can be anything from your tablet, your phone or your smartwatch to, at a minimum, access to your primary email. A code will be sent to that device or email that you must enter in order to access your account. This is a great second layer of security, and one that is free.
That way, even with your password, a hacker cannot breach your account.
Don’t Let Them In
What happened in the quite public cyberattacks on Home Depot and Target? Both retailers had the same problem, in that they had granted access to their systems to vendors and did not shut off that access when the vendor was done working.
Security information and event management (SIEM) technology is transforming the way IT teams identify cyber threats, collect and analyze threat data and respond to security incidents. But what does that all mean? To better understand SIEM, let's take a look at SIEM technology, how it works and its benefits.
What Is SIEM?
SIEM technology is a combination of security event management (SEM) and security information management (SIM) technologies. IT teams use SEM technology to review log and event data from a business' networks, systems and other IT environments, understand cyber threats and prepare accordingly. By comparison, IT teams use SIM technology to retrieve and report on log data.
How Does SIEM Work?
IT teams use SIEM technology to collect log data across a business' infrastructure; this data comes from applications, networks, security devices and other sources. IT teams can then use this data to detect, categorize and analyze security incidents. Finally, with security insights in hand, IT teams can alert business leaders about security issues, produce compliance reports and discover the best ways to safeguard a business against cyber threats.
What Are the Benefits of SIEM?
SIEM technology frequently helps businesses reduce security breaches and improve threat detection. The AlienVault Infographic and "2019 SIEM Survey Report" revealed 76 percent of cyber security professionals reported their organization's use of SIEM tools resulted in a reduction in security breaches. Additionally, 46 percent of survey respondents said their organization's SIEM platform detects at least half of all security incidents.
Also, SIEM tools typically provide compliance reporting – something that is exceedingly valuable for businesses that must comply with the European Union (EU) General Data Protection Regulation (GDPR) and other data security mandates. SIEM tools often come equipped with compliance reporting capabilities, ensuring IT teams can use these tools to quickly identify and address security issues before they lead to compliance violations.
SIEM tools help speed up incident response and remediation, too. A cyber security talent shortage plagues businesses worldwide, but SIEM tools help IT teams overcome this shortage. SIEM tools are generally simple to deploy, and they often can be used in combination with a business' third-party security tools. As such, SIEM tools sometimes reduce the need to hire additional cyber security professionals.
Is SIEM Right for My Business?
SIEM technology is designed for businesses of all sizes and across all industries. If a mid-sized retailer wants to protect its critical data against insider threats, for example, SIEM technology can help this business do just that. Or, if a globally recognized bank requires a user-friendly compliance management tool, it can deploy SIEM technology as part of its efforts to meet industry mandates. SIEM tools can even help businesses protect their Internet of Things (IoT) devices against cyber attacks, proactively seek out cyber threats and much more.
How Can I Select the Right SIEM Tool for My Business?
The right SIEM tool varies based on a business' security posture, its budget and other factors. However, the top SIEM tools usually offer the follo
Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago - but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland - and no, I’m not going to look up when any of those occurred because I’ll probably end up feeling a lot older than I already do.
Enough reminiscing - let’s get down to it.
The Big Five
There’s been a lot of things I didn’t heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you’re wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don’t fancy talking about them.
But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever, with detailed write-ups and slick videos showcasing how she cut out the big five of Amazon, Facebook, Google, Microsoft, and Apple from her life, one week at a time.
Considerations for When Your Apartment Goes “Smart”
Everything is getting ‘smart’ these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment where everyone is getting fancy new smart locks (or terribly insecure cheap locks depending on how you look at it).
Lesley Carhart recently found herself in the same position, and has written a really good post on security considerations if you ever find yourself in a similar position.
While we’re talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vuln
When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch.
Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX).
The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet.
The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs, because credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”:
The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain.
As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.
How Can APT10 Group Impact You?
If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they accomplish this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants (such as PlugX and Redleaves) on critical systems. Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to your existing monitoring tools. Voila! They’ve gone from first date to a home run!
With the constant barrage of headlines regarding breaches in the last few years, it seems that society in general has become numb to losing personal data. This year’s overarching cybersecurity theme is clear: We’re all in this together because we simply can’t do it alone. Effective defense demands a team effort where employees, enterprises, and end users alike recognize their shared role in reducing cybersecurity risks.
To borrow a phrase from John Lewis, “If not us, then who? If not now, then when?” Here are tips for improving your cyber risk management this year.
Tip #1: Balance risk versus reward.
The key is to balance risks against rewards by making informed risk management decisions that are aligned with your organization’s objectives — including your business objectives. This process requires you to:
Assign risk management responsibilities;
Establish your organization’s risk appetite and tolerance;
Adopt a standard methodology for assessing risk and responding to risk levels; and
Monitor risk on an ongoing basis.
Tip #2: Use your investments wisely.
When determining the best strategy for future cyber investments, it’s vital that you review your organization’s current security posture and existing security controls, including technology, people and processes. Before making new investments, perform an architectural and program review to understand how the existing controls can be utilized to address your identified risks. There are almost always ways to optimize, reduce cost, or minimize upcoming investments.
Tip #3: Be nimble; make sure your strategy can quickly adapt.
Business is not static and neither are the solutions that enable and protect it. To grow, compete, and own its place in the market, a business must adopt new models and technologies to stay relevant and competitive. As the business evolves, so too must the operations and security solutions that protect it. Today, a cybersecurity strategy needs to be nimble to match the pace and dynamic modeling of the business it is protecting.
Tip #4: Don’t lose sight of the data — are you asking the right questions?
Before analyzing your security controls, take a step back to understand what data is needed to support the business, who that data must be shared with, and where that data is stored. Look at your operations, the flow of data into, throughout, and outside of your organization, and the risks associated with your business model. This will give you an understanding of the exposures that the data faces, enabling you to address and prioritize security measures. The three questions most organizations should be asking are:
How secure are we?
Are we going to be secure based on our current and future business plans?
Are we investing the right amount of time and resources to minimize risk and ensure security — especially people, technology and process?
Tip #5: Re-imagine your security approach; don’t go looking for the silver bullet.
The cybersecurity market is flooded with solutions, leaving many organizations struggling to select the right protection for their business and get the best value from their investments. Most cybersecurity solutions, however, are point solutions, which don’t adequately address today’s threats.
Tip #6: Make security awareness stick.
More than 90 percent of security breaches involve human error. These acts are not always malicious, but often careless and preventable. To change security
Breaches aren’t easy to deal with, especially if you are of the opinion that companies are people too. Having seen, been part of, and lent a shoulder to many a breach, here are nine of the common ways companies respond to breaches.
A delayed response is when a breach has occurred and the company is informed a long time after the fact, usually when the data appears on a dark web sharing site. The company is sometimes informed by law enforcement, or by reading about it on Brian Krebs’ blog.
Complicated response (traumatic or prolonged)
A complicated breach becomes severe with time and can impact the entire company. This can be the case when regulators step in to look at a breach. Were you PCI DSS compliant? Well not anymore. Did you have European citizen data? Well say hello to my little GDPR friend.
Disenfranchised breaches are where the company experiences a loss, but others do not acknowledge the importance or impact. For example, an intellectual property breach that allows a competitor to get ahead is felt by the company, but elicits little, if any, sympathy from customers.
A cumulative breach is when multiple breaches or incidents are experienced, often within a short period of time. For example, getting locked out of your IoT device accounts while records are being exfiltrated from the mainframe during a DDoS attack.
A cumulative breach can be particularly stressful because a company doesn’t have time to properly respond to one incident stating how they ‘take security seriously’ before experiencing the next.
Sometimes a company responds to a breach in extreme and hostile ways. In a manner befitting a toddler, the company may resort to blaming a partner or any other third party company.
On occasion the finger of blame is pointed towards an employee or contractor for not patching a system. Or, in some cases, the company will want to set an example and unceremoniously fire the CISO.
Also known as “keep this between us”, this is a conscious decision by a company to keep details of a breach limited to a very small group.
Problems can occur if customers or regulators get wind of it, and can cause bigger issues down the road. By then, the only viable option for companies is to shred the documents, wipe the hard drives, and research countries with non-extradition treaties.
A collective breach is felt by a wider group, and the impact is shared. It can be a useful tactic for bringing everyone onto the same side and getting them to put their differences aside.
When everyone is forced to change their passwords after a breach, it gives common ground for them to share the pain.
A favourite of social media giants, absent response is when a company doesn’t acknowledge or show signs of any response. This can be as a result of shock, denial, or simply passing everything onto business as usual.
It’s important to note that in some instances, just because you can’t see the signs of a response, it doesn’t necessarily mean that a company isn’t taking responsive actions.
Or it could just mean they don’t care, it can be hard to tell.
Remember all those posters telling you ‘it’s not a matter of
And in what feels like a blink of an eye, January 2019 is almost over. Time sure does fly when you’re having fun. But we’re not here to have fun, this is a serious weekly roundup of all the security news and views, with a few cynical observations thrown in for good measure.
Tables Turn on Journalists
Colorado journalists on the crime beat are increasingly in the dark. More than two dozen law enforcement agencies statewide have encrypted all of their radio communications, not just those related to surveillance or a special or sensitive operation. That means journalists and others can’t listen in using a scanner or smartphone app to learn about routine police calls.
Law enforcement officials say that’s basically the point. Scanner technology has become more accessible through smartphone apps, and encryption has become easier and less expensive. Officials say that encrypting all radio communications is good for police safety and effectiveness, because suspects sometimes use scanners to evade or target officers, and good for the privacy of crime victims, whose personal information and location can go out over the radio.
How long before journalists start touting, “If you’re innocent you have nothing to fear.”
What would really be ironic is if journalists ask that police put backdoors into their comms so that journalists could listen in.
Would a Detection by Any Other Name Detect as Well?
One detection category is not necessarily “better” than other categories. While detection categories and descriptions might lead one to think that certain categories are better, the category alone is not enough to give a complete picture of the detection. It’s important to look at the technique under test, the detection details, and what’s considered normal behavior in your organization’s environment to help you understand what detections are most useful to you.
Over 24 million financial and banking documents were found online by researcher Bob Diachenko, as one does, I suppose.
The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.
Voicemail Phishing Campaign Tricks You Into Verifying Password
A new phishing campaign is underway that utilizes EML attachments that pretend to be a received voicemail and prompts you to login to retrieve it. This campaign also uses a clever tactic of tricking you into entering your password twice in order to confirm that you are providing the correct account credentials.
67% of small and micro businesses have experienced a cyber attack, while 58% have experienced a data breach within the last 12 months, according to a study conducted by the Ponemon Institute. Cybersecurity has become one of the major questions that plague the 21st century, with numerous businesses reporting significant losses resulting from loss of private customer data, denial of service (DoS) attacks that cripple operations and internal employee threats that pose a growing data security challenge for both small and large companies. When you consider the effects of the cyber attack in Alaska and the astounding number of businesses it crippled, it's clear that business owners need to understand the threats they face today.
The Question of Cybersecurity
A few decades ago, the thought of cyber warfare would have seemed far-fetched to say the least. But today, it has become as likely as it is terrifying, especially when you consider how many of our gadgets are connected to the internet - mobile phones, smart TVs, PCs, and IoT devices. The technical advancements in data-hacking have led to the parallel development of data-protection. While downloading antivirus software may previously have been sufficient protection, this is now only a preliminary measure, and must be coupled with stronger controls like 2-factor authentication, access control, and raising threat awareness. The cyber-security industry grows steadily each day, and it is now possible to find adequate protection for all your gadgets: from your phone to your tablet and yes, even your new television set.
Artificial Intelligence Shaping Cybersecurity
If you have a basic interest in the tech world, you will have undoubtedly come across Sophia. Sophia is a humanoid robot and may be termed by many as the perfect illustration of how far AI has come. It is for this reason that AI is leading the cybersecurity field. This is through the application of the concept of synthesizing data. Basically, what this means is that two independent chunks of information can be combined to arrive at a single conclusion. In layman's terms, AI is expected to improve cybersecurity by speeding up incident response when malicious activity is detected, thwarting ransomware and automating practices. This way, companies will be able to remain a step ahead of potential cyber threats.
The Future of Cybersecurity Innovation
Conventionally, data transfer has been achieved through electrical signals. However, this may change if we enter the era of data exchange through light signals. This works through the use of photons as carriers of quantum information in cyberspace. Photons are light particles which are generated simultaneously in pairs. With timing controls, this would mean that data transfer would only be possible if twin-photon particles existed for the sender and recipient. Ultimately, the only way to hack the data would be to upend the laws of physics. More innovations like deep learning, cloud technology, and hardware will revolutionize the future of cybersecurity, making it easier for companies to prevent cyber attacks.
The field of cybersecurity is shifting and improving daily to match the changing needs of today’s cyberspace. It is essential that everyone, including businesses, become familiar with the means with which to protect their data. Understanding the changing face of cybersecurity is a key step to achieving that goal.
What does it mean to be a thought leader? Is it merely the opposite of a thought follower, or is it more nuanced than that?
Becoming a thought leader is the epitome of professional success. But a thought leader isn’t a title that one attains by going to Harvard, or Cambridge. No, it’s a title bestowed by your peer
But wait, there are many naysayers in this world who will try to make out that thought leadership is a made-up marketing term. But they're wrong. Thought leaders are the future; with them, the future is bright, and they will lead us to an enlightened future, where blockchains and machine learning will co-exist in harmony, fuelled by cryptocurrencies and moderated by artificial intelligence.
So how does one become known as a thought leader? Simple, just watch this video and follow the awesome advice given by me and @SpaceRog
Every day, as a part of my work at AlienVault, I talk to prospective clients. Many of them are trying to put together a security plan for their business. Most of the people I talk to are IT professionals who, like everyone else, are learning as they go.
During my time in IT and the security industry, I have seen almost every type of network you could imagine. Most of them made sense and could be explained and I could understand why they were built the way they were. Some, not so much. During the last 10 years especially, I have started compiling network drawings and information on the many ways that networks are designed and deployed.
The following bullet points are my recommendations to an IT manager or business leader if they consulted me on how to put together information technology for their business. Please remember this is a fairly generic list and there are tons of deviations to take into consideration when building a network and then protecting it.
1. Policies and Procedures
Policies and procedures are the cornerstones of your IT governance. This is the “what is going to happen and how it is going to happen” of your security posture, and from the big-picture perspective, of your entire IT infrastructure. Creating a solid policy and procedure document or documents will provide your organization with an IT and security blueprint for your initial build, maintenance, management and remediation of issues. Solid policy and procedure manual(s) will also prepare the environment to work within any framework and meet compliance requirements.
2. Gateway Security
Gateway security is essential to keeping the bad guys out. There are a number of popular firewalls on the market that will provide excellent security at the gateway. The needs of the environment will dictate which firewall will work best.
For example, a high throughput environment with a large internal IP count might require a Next Generation Firewall (NGF) that runs only a few services on board and reserves the majority of resources for ingress-egress traffic. On the other hand, an environment that requires a very high level of security but has limited WAN bandwidth may be better suited for a UTM (Unified Threat Management) firewall which runs a number of services onboard. Traditionally it also utilizes significant resources for services like deep packet inspection (DPI), data loss prevention (DLP), gateway antivirus, website filtering, email filtering and other high-end security services.
Actually, antivirus is evolving and morphing like your favorite advanced persistent threat (APT) malware. A few years back the InfoSec industry started to break new ground on digging deeper into threats and breaches using threat intelligence in real-time to actively pursue malware based on heuristic data. Heuristic data became important as technology progressed to utilize behavioral analysis based on up-to-date threat intelligence.
These progressions in the industry gave rise to Endpoint Detection and Response (EDR), which is quickly morphing into a formidable companion to traditional antivirus and anti-malware protection. The very minimum that should be deployed into an environment includes a good reputable antivirus with anti-malware capabilities, however, to get a definite head start on any co
It’s a plan for responding to a cybersecurity incident methodically. If an incident is nefarious, steps are taken to quickly contain, minimize, and learn from the damage.
Not every cybersecurity event is serious enough to warrant investigation. Events like a single login failure from an employee on premises are good to be aware of when they occur as isolated incidents, but don’t require man-hours to investigate. Your cybersecurity team should have a list of event types with designated boundaries on when each type needs to be investigated. From there, you should have customized incident response steps for each type of incident.
The Importance of Incident Response Steps
A data breach should be viewed as a “when” not “if” occurrence, so be prepared for it. Under the pressure of a critical level incident is no time to be figuring out your game plan. Your future self will thank you for the time and effort you invest on the front end.
Incident response can be stressful, and IS stressful when a critical asset is involved and you realize there’s an actual threat. Incident response steps help in these stressful, high-pressure situations by guiding you more quickly to successful containment and recovery. Response time is critical to minimizing damages. With every second counting, having a plan to follow already in place is the key to success.
The Two Industry Standard Incident Response Frameworks
Introduced in no particular order, NIST and SANS are the dominant institutes whose incident response steps have become industry standard.
NIST stands for National Institute of Standards and Technology. They’re a government agency proudly proclaiming themselves as “one of the nation’s oldest physical science laboratories”. They work in all-things-technology, including cybersecurity, where they’ve become one of the two industry standard go-tos for incident response with their incident response steps.
The NIST Incident Response Process contains four steps:
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
SANS stands for SysAdmin, Audit, Network, and Security. They’re a private organization that, per their self-description, is “a cooperative research and education organization”. Though more youthful than NIST, their sole focus is security, and they’ve become an industry standard framework for incident response.
The SANS Incident Response Process consists of six steps:
The Difference Between NIST and SANS Incident Response Steps
With two industry standard frameworks, there’s a chance you’re familiar with one but not the other. So let’s do a walk-through of their similarities and differences. First, here’s a side-by-side view of the two processes before we dive into what each step entails.
Placed side-by-side in a list format, you can see NIST and SANS have all the same components and the same flow but different verbiage and clustering. Let’s walk through what each of the steps entails to get into the nuanced differences of the frameworks.
For consistency, NIST steps will always be presented on the left and SANS on the right during the steps side-by-side compariso
London saw a few flakes of snow drop this week, and social media nearly broke with everyone sharing photos of the white pixie dust falling from the sky. Fortunately, I have few friends, and even fewer social media platforms that I use, so was saved from most of the insanity… well, except for my daughter singing “let it snow”.
The Curious Case of the Raspberry Pi in the Network Closet
What would you do if you found a Raspberry Pi plugged into the network closet? Sounds like something from your worst nightmare, especially if you hadn’t commissioned any red team testing.
But that’s exactly what one team found, and this is the story of how they tracked down (almost) the suspect. If Scooby Doo has taught me anything, it was the janitor!
The DDoS Attacker Rescued by a Disney Cruise Ship is Sentenced to Over 10 Years in Prison
A 34-year old man has been sentenced to more than 10 years in prison, after being found guilty of launching a massive denial-of-service attack against Boston Children’s Hospital.
The sentencing of Martin Gottesfeld, from Somerville, Massachusetts, comes almost three years after he attempted to escape to Cuba – a plan that failed after his speedboat broke down in the choppy sea, and he was picked up by a Disney cruise liner.
In a post released on 1/8/19, I wrote about the record number of breaches in 2018. This brought to mind a podcast that I was listening to a few days back hosted by Corey Nachreiner, CTO of WatchGuard Technologies, Inc. on his 443 Podcast. Corey discussed the potential data deduplication problem on the Dark Web. This article will attempt to break down how this can happen and how this can cause issues not only for users of the Dark Web, but also for those whose data has been stolen and placed on the Dark Web for purchase.
The breaches of 2018 were vast and widespread, affecting businesses from fast food to department stores to airlines with record amounts of data being lost. If you look at just the breaches I referenced in the previous article, total PII record counts are over one billion in the United States. In India, every citizen in the country had their data compromised with the breach of Aadhaar, the Indian biometric IT program owned and operated by the government of India. The Aadhaar breach alone accounted for 1.1 billion records lost to hackers.
Researching this, I discovered that for just the US-based hacks in the article, Americans and foreign travelers doing business with one of the breached companies had a total of 1.3 billion records stolen. If you figure there are approximately 330 million citizens of the United States and if every person in the US was affected they would have their personally identifiable information exposed to the Dark Web approximately 4 times.
While that may not seem like a lot, please consider that it would be nearly impossible for every US citizen to be breached. The US does not have a mandatory centralized identification system as the Indian government has. Then, of course, not all 330 million Americans were affected by these breaches due to lack of exposure to affected breached sites, age, and other factors. Let’s say that 150 million Americans were affected in some way - which would mean that about half of all US citizens were affected by the breaches of 2018. Let’s also assume that another 150 million citizens of other countries were affected by the breaches of 2018. That would calculate to 300 million total people affected by the breaches of 2018.
With a nice round number like 300 million people being affected, one could assume there would be some duplicate records; in fact, there are probably a lot of them. The total number of records duplicated per affected person I calculate at 4.333 records. This is admittedly a pretty arbitrary number, considering some people are more active than others on the web or at a particular retailer. Some people fly frequently, while others may not fly or stay in hotels at all. But this is an estimate to work with.
From the results of the 2018 breaches, it is fairly safe to say that a very large number of people globally had their PII stolen and many of those had the information stolen several times. Each time a little more and different information was stolen. Many people look at a cyber breach as a big, scary and mysterious thing. What they should be more concerned with is that their data is stolen multiple times, from different sources.
A lot of information stolen is static, like social security numbers and driver’s license numbers; however, much of it is not. You can change your credit card numbers, passport numbers, addresses, and phone numbers. You can even improve your health or change it in some way that would make the stolen data inaccurate.
Once you look at the statistics from the 2018 breaches and th
According to Investopedia, “cryptocurrency is a digital or virtual currency that uses cryptography for security.” In other words, it’s electronic money that is designed to be used by online users both safely and securely. The price of digital currencies, like Bitcoin and Ripple, has been all over the place throughout the past year — mainly because it’s a volatile online market that has celebrities, bankers, and other online users all wanting a piece of the pie.
While there are a number of people who are skeptical about the impact cryptocurrency will have on our future, there’s no doubt that it has sent shockwaves through just about every industry in the world.
The one question, however, many users are asking is what does the future have in store for cryptocurrency? Since 2009, online currencies haven’t just shown promise; they’ve started being used for various applications as well. Nowadays, it’s hard to hold a financial conversation without discussing cryptocurrency. It’s also not uncommon to hear the subject being talked about on the news, talk show radio, and of course, social media. This just goes to tell you how far this subject has come in such a short amount of time.
So, what impact will cryptocurrency have on us in 2019? Even though it’s hard to predict how much cryptocurrency will change within the coming years, we do know some changes that users should be on the lookout for this year. So, let’s take a look.
Citizens who are born in underdeveloped countries like Ghana, Brazil, Honduras, Nigeria, and certain parts of China are all at a disadvantage because of financial reasons. Aside from jobs being scarce and hard to find, residents also have a difficult time finding a safe place to store their money. While most people would consider going to a bank, you have to remember that in underdeveloped countries, banks might not be that common.
Fortunately, cryptocurrency has the power to solve some of these issues, which helps improve economic growth in smaller countries. That’s because anyone with internet access can open an account and create a cryptocurrency wallet, which provides users with the opportunity to store and transfer values safely and securely.
With cryptocurrency services becoming more popular, millions of unbanked people in other countries across the globe can finally have access to banking services. Furthermore, these platforms can be accessed through mobile apps and handheld devices, making telecommunication in the financial world that much easier.
Giving Power Back to the People
The arrival of cryptocurrency has had a major impact on our world today by creating a shift in power; it takes the power out of economic and political leaders’ hands and puts it in the grasp of everyday citizens. The public’s trust in banks and other financial institutions has always been in question. With economic crises going on throughout the world, trust in banking institutions and government leaders is something that continues to be talked about today as these leaders start to lose more and more trust.
Luckily, digital currencies can help people all over
There has been much discussion of a “software bill of materials” (SBoM) lately, for use when addressing security vulnerabilities. Many are curious, wanting to learn more. Googling the term gives lots of positive descriptions. This post will go negative, describing problems with the concept.
Rather than cover the entire concept, I want to focus on a narrow part of it, so I asked Kate Brew to write a short blurb on why she’s interested in SBoMs. Her response was:
“I am an Industrial Engineer by training. So when I heard of the concept of software BoM I was intrigued. Being able to quickly see all the components, open source or not, incorporated into an application appears like a valuable way to determine needed actions in the case of vulnerabilities found in a component. It seems efficient and helpful to me to have a clear view of components in an application.”
Software is never built wholly from scratch these days. Instead, software is built by combining components, development frameworks, libraries, operating system features, and so on. It has a “bill of materials” describing the bits that make it up every bit as much as hardware does.
When vulnerabilities happen, knowing this information can help. Good examples are the high profile Apache Struts bugs, where customers don’t know they are vulnerable because they are unaware that products they own include Struts. If only product vendors provided a list of sub-components, then customers would quickly know if they are vulnerable, and be able to act accordingly.
Some claim this sort of thing already exists in narrow industries, like medical and energy. They are pushing the concept for use everywhere because it’s already being used successfully somewhere.
This is a great story, but it isn’t true.
Software Bill of Materials Is a Misguided Concept for DevSecOps
Proponents are being deliberately vague in defining exactly what should be included in a software BoM. For hardware BoMs, you don’t list the ingredients of the circuit board, where you sourced the silica for glass fibers, or the recipe of the epoxy that binds them together. Hardware BoMs aren’t that granular because it’s not necessary. They include an indented list of components and sub-components. Hardware is basic. But when tracking software vulnerabilities, such granularity is important: you need to track every line of source code.
There are four levels of detail for SBoMs:
Most of the discussion about SBoMs is roughly at the license level. The makers of software already track this, even when they don’t disclose it to customers. Commercial products track this for legal reasons, for compliance with legal contracts they have with suppliers. Open-source products track this for practical reasons, since you often have to hunt down and install the dependencies yourself in order to make open-source work -- importing open-source implicitly means importing the license.
You see the artifacts of this everywhere. My parents just bought a new Subaru, which like most new cars contains a small screen for the maps and backup camera. On one of the pages on the screen I find something that lists a number of embedded components. Displaying this information is often a requirement of the license.
Software Bills of Materials Aren’t That Great for Tracking Vulnerabilities
SBoMs aren’t as useful as you’d think for tracking vulnerabilities, because they aren’t granular enough. Take Linux, for example. The entire thing is licensed under the GPL. This hides the complexity that the kernel is around 20 million lines of code, and the GNU userland components are millions more. An SBoM saying this IoT product uses “Linux” hides a lot of the complexity of what may or may not exist in the product.
And we’re back into the swing of things with a proper first week on the books and plenty to talk about as to the weird and wonderful goings on in the world of security, technology and beyond.
International Security of Mystery
Joe Gray hasn’t really flown outside of the US other than Canada, so when presented with an opportunity to speak at conferences in Switzerland and Paris, he went about trying to find what a security professional should do when travelling internationally.
Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we’ve analysed above may be the most recent product of their endeavours.
This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switch spoofing' and 'double tagging'. I will then discuss mitigation techniques.
The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, into a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER - if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 818.104.22.168 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.]
Companies both large and small must plan to protect their data. Failing to do so puts you at risk for financial trouble, legal liability, and loss of goodwill.
Make sure to deploy SIEMs to prevent such misfortunes befalling your business. If you know how to put them to use, SIEMs provide value out of the box. Here’s a quick recap on how SIEMs can benefit you with a few clicks.
Prevent SQL injection attacks by keeping an eye on the health of your systems. This will keep you ready if and when attacks do happen.
For handling watering hole intruders, SIEMs make it easy to monitor suspicious communication hinting at an attack in progress.
Gartner just released their 2018 Magic Quadrant for Security Information and Event Management (SIEM), which we’re once again excited to be part of!
Our inclusion in the Gartner SIEM MQ is further validation that our unique, unified approach to threat detection and response continues to resonate. Many continue to struggle with increasingly advanced threats, expanding attack surfaces, and a growing list of compliance requirements -- all with less IT staff, time, and money.
Since the beginning, AlienVault has taken a different approach to SIEM. We’ve sought to eliminate the two main barriers inherent in traditional SIEM offerings -- cost and usability.
Let’s face it, when it comes to most SIEM purchases, companies are left holding the bag for a very expensive “solution,” which they now have to try and make work. That’s like buying a new car, but only getting the frame and a box of engine parts — then being told some assembly is required if you actually want to drive the car (and if you’re wondering about the tires, those are extra too). AlienVault set out to change this when we launched our Unified Security Management® (USM) solution.
Our goal has always been to make it as simple as possible for IT and security pros to quickly detect threats, efficiently respond to breaches, and manage compliance. This meant going beyond SIEM to deliver complete threat management, out-of-the-box -- no additional product purchases necessary, no convoluted licensing models, and no complicated integrations required.
We’ve stayed true to that goal with USM Anywhere™, our SaaS platform that seamlessly combines the essential security capabilities organizations need, while removing the administrative overhead they don’t. We appreciate that Gartner calls out AlienVault USM’s straightforward implementation -- two words you rarely hear when it comes to SIEM! Our simplified approach to SIEM and threat management is further evidenced by the fact that 46 percent of our customers are detecting threats on day one!
Moreover, our extensible SaaS architecture and growing “galaxy” of AlienApps allow us to rapidly deliver new features and functionality, including powerful, built-in response automation and orchestration with third-party IT and security technologies. Not only does this allow our customers to capitalize on existing investments, it saves valuable time and effort by enabling them to bring more of their security monitoring tools into USM’s single pane of glass -- without any daunting integration work!
And We’re Just Getting Started . . .
As we continue our evolution to AT&T Cybersecurity, we’re harnessing the power of one of the world’s largest cybersecurity operations.
“Okay, but what does this mean?” you ask.
It means we’re now delivering a unique combination of people, process, and technology to not only help you better detect and respond to threats, but also mitigate and manage ongoing risks. We’ll also continue to enrich our threat intelligence (now augmented with AT&T threat data), and improve the USM Anywhere platform, delivering new capabilities that simplify and automate your critical security processes, improve your security and compliance posture, and outpace the ever-evolving threat landscape.
During the holiday season people logged on to make purchases through online retailers, like no other time of the year. While there was significant growth in many segments of society on a global scale in 2018, we also saw a significant increase in online retail breaches where personally identifiable information was compromised at an alarming rate. With more and more people using online services for everything from ordering perishable food products to plane tickets and hotel reservations, 2018 proved to be a huge year for online/cybercriminals.
Here are some facts around some of the largest and most far-reaching retail breaches of 2018:
Many of these breaches were caused by flaws in payment systems that were taken advantage of by hackers.
Dozens of security breaches have occurred in 2018. Many of them were caused by flaws in payment systems, either online or in stores. Data breaches are on the rise for both retailers and other businesses.
These data breaches are a real danger for both companies and customers and can affect the trust shoppers have in brands.
According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.
Cheddar's Scratch Kitchen
Darden Restaurant announced it was notified by government officials on August 16 that it had been the victim of a cyber attack.
Customers who visited Darden-owned Cheddar's Scratch Kitchen between November 3, 2017, and January 2, 2018, may have had their credit-card information stolen. Darden estimates that 567,000 payment card numbers could have been compromised.
Customers affected would have visited a Cheddar's location in any one of these states: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.
Macy's did not confirm exactly how many people were impacted. However, a spokesperson for the company said the breach was limited to a small group of people.
Macy's said in a statement: "We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services."
In the previous blog in this four-part blog series, we discussed AWS IAM and how it can be compromised to allow for data exfiltration. In this blog we will drill into data exfiltration.
One of the more common issues reported on lately involves EC2 instances running data storage services like Elasticsearch and MongoDB, which by default don't have any credential requirements to interact with the data store. And if you don't get your security groups set up properly you can inadvertently expose, for example, the Elasticsearch port (9200) out to the Internet. If that happens, you can bet that somebody is going to find it and dump its entire data set.
Here’s a common scenario we’ve seen in AWS: A web application is capturing user details and analytics. The developers want to capture that data in a metrics-friendly repository (in addition to the database that the application uses) so they spin an EC2 instance, install Elasticsearch and start dropping data in it that is useful for analytics tracking. It’s probably not sensitive data so they’re not too worried about locking it down and for convenience, the backend Elasticsearch port is exposed to the Internet. As the analytics requirements evolve along with the application, more and more data ends up in the completely exposed data store. Then a bad guy does a port scan and finds it sitting there, ripe for the picking. It's become so common that adversaries have gone through the trouble of creating ransomware that fully hijacks the data store and encrypts the data within it.
With a public vulnerability search tool such as Shodan, you can do a search for publicly exposed Elasticsearch databases and it’ll give you a big list. It's not difficult to find systems that have been exposed this way and attackers are finding them pretty quickly.
The other way that data exfiltration takes place is through an application vulnerability, but this isn't AWS-specific. There are common application vulnerabilities that some attackers are very adept at discovering. A crafty attacker will bang on a web application long enough to find a vulnerability that they can use to exfiltrate data from the system. This technique is very effective because most web applications need access to some degree of sensitive data in order to be of any use.
Welcome to 2019! I hope that you had a well-deserved break over the holidays, and a special shout out to all the people that carried on pulling shifts in the SOC, were on-call, and helped ensure stuff stayed as secure as possible while the rest of us were eating and sleeping too much! I’ve said it before, and I’ll say it again, that you are the real backbone of the security industry, and although you may never go to conferences, or be heard on a podcast, or put your name to a blog - you go about your job keeping things as secure as possible.
We’re only half a week into the new year and the security world hasn’t slowed down in the slightest, so let’s just get down to what’s been going on these last few days, and catch up with some of the excitement that I missed while I was busy consuming mince pies.
Victorian Government Employees Details Stolen
We didn’t even make it a day into the new year without news of a data breach where thousands of records were stolen. Sure, it’s small compared to the millions of records we’re getting accustomed to reading about, but it’s significant nonetheless. It’s like data breaches have become an olympic level sport with everyone racing to be first.
The work details of 30,000 Victorian public servants have been stolen in a data breach, after part of the Victorian Government directory was downloaded by an unknown party.
The list is available to government employees and contains work emails, job titles and work phone numbers.
Employees affected by the breach were told in an email their mobile phone numbers may have also been accessed if they had been entered into the directory.
Getting up to the kind of breach numbers we’re all more used to, The Town of Salem (video game) was hit with a massive data breach last week that exposed the information on more than 7 million users.
The breach was discovered by the cybersecurity researcher Dehashed on December 28 when he received an anonymous email that indicated someone had gained access to the game’s database. Town of Salem is a role-playing game operated by BlankMediaGames.
In the battle for advertising revenue supremacy, social media giants have automated their whole process and seem to have forgotten to include any basic checks for, you know, looking for obvious scams. Like this little gem whereby an obvious PayPal phishing scam was sent as a promoted tweet.
An Alternative to the “Classic” Cyber Kill Chain Model for Internal Attacks and Breaches
Developed by Lockheed Martin, the Cyber Kill Chain® (CKC) framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusions activity. The model identifies what adversaries must complete in order to achieve their objective.
In recent years there have been numerous articles written to contest the effectiveness of the Cyber Kill Chain Model as it currently exists. The intent of this article is in no way to disavow or be critical of the work put into creating the Cyber Kill Chain by the LM-CIRT. Instead, what this article strives to prove is that, with slight modifications, there are variants of the CKC that could improve its accuracy for non-traditional attack vectors. Today’s threat landscape has expanded, and ever more, cyber-security overlaps many other aspects of security. This article strives not only to reinforce this point but to offer a framework that furthers the effectiveness of the traditional CKC by adding aspects to it, enabling analysts to better understand and further their efforts in stopping data theft and cyber crime more effectively and efficiently.
Purpose of this article – To test the validity of the CKC model against alternative attack vectors that do not utilize the classic cyber kill chain’s workflow, primarily based around internal actor theft of sensitive information.
The basis for the research - The research idea came from an article written by Ryan Stolte for the darkreading.com website. Link to the article is below.
Summary of the research – The author of the article, Ryan Stolte, posed the question of whether or not the existing Cyber Kill Chain Model as written by Lockheed Martin was sufficient for the increasingly versatile threat landscape of today versus the less dynamic threat landscape of 2007 when the CKC was first conceptualized and published.
The desired outcome of research – To create a new conceptual Internal Cyber Kill Chain Model that predicts the activities of an attack perpetrated by an internal malicious actor such as a disgruntled or disloyal employee.
In the referenced article, there is mention of two types of internal actors who are most likely to attempt to perpetrate a malicious cyber or social engineering attack on their employer.
Malicious Actors Defined
Most traditional attacks are carried out through some variant of a phishing attack, which means that most of the attacks are allowed into the network by an unknowing accomplice. In the article, the author breaks down the internal actors by categorizing them as “Flight Risks” and “Persistent Insiders”.
Flight Risks: Employees looking to leave the company can elevate the risk of data loss. They tend to be less sophisticated and exhibit less cautious behavior on their way out. The kill chain–style reactive risk model begins with looking for early indicators — for example, if an employee frequently visits job search websites, something he or she typically would not do. However, even if employees are visiting those kinds of websites, that doesn’t necessarily mean they are a threat. They be
Rohan Viegas of VMRay explains some of the key factors IT security teams should consider when evaluating a malware analysis sandbox and whether it’s a good fit for their existing SIEM environment. He then outlines how VMRay Analyzer complements and enhances the capabilities of AlienVault’s flagship platform, USM Anywhere.
Of the 2,216 data breaches that were studied by participating security vendors, 30% involved malware.
Six types of malware (ransomware, C2, RAM scraper, backdoor, etc.) were among the top 20 varieties of action used in the data breaches covered in the study.
Ransomware, used primarily to commit financial crimes, is now involved in more than 40% of malware attacks.
Malware attacks can be completed in minutes. However, due primarily to poor detection, an intrusion may not be discovered for weeks or months, potentially causing damage all the while.
“Full-featured SIEM, Looking for the Right Malware Sandbox”
When selecting an automated malware analysis sandbox to address these challenges, IT security teams should not only compare the side-by-side capabilities of different vendor products. They should also weigh how a particular sandbox will interact with their existing SIEM platform and the extent to which a product’s strengths (or its weaknesses) are utilized across the managed security ecosystem. Below are some key points to consider.
The sandbox’s detection efficacy. Malware today is designed to recognize when it is running inside an analysis environment and to stall or exit in the sandbox, thereby evading detection altogether or inhibiting the analysis by not fully revealing its behavior. This leaves blind spots in the analysis results, which can then be carried over to the SIEM. A key quality to look for in a sandbox is its ability to reliably conceal itself from the samples being analyzed so the malware can fully execute, giving you comprehensive visibility into the threat.
The quality of Threat Intelligence that can be shared. Another consideration is what types of threat information can be ingested by your SIEM and made available across your security environment. Important IOCs include severity scores, suspicious behaviors, network activity, dropped files etc. You also need to consider how complete that information is.
Full visibility into malware behavior is essential for generating quality threat intelligence. For instance, if you discover a malicious file, the analysis results should detail all the places it tried to reach out to, all the bad files it tried to create, and all the registry keys it tried to touch or modify.
How can the Threat Intelligence be used once your analysis results are handed off to your SIEM? Can the data be easily monitored? Correlated with other data sources? What actions can you take with this information? To build on the prior example, if your sandbox identifies a new malicious file that has reached out to an unfamiliar and presumably bad IP address, can you search your entire infrastructure for systems that have also accessed that address?
Rising to the Challenge
For organizations that have USM Anywhere or another comprehensive SIEM pla
If you use a free VPN, then you have to wonder how your provider earns money to cover their own costs. The answer often involves advertising, but it can also be through far more sinister means.
Running a VPN service costs a significant amount of money. There are setup costs, infrastructure costs, labor and other running costs. The companies behind these services generally want to make a profit as well.
Why are free VPNs a problem?
It really depends on your use case, but in general, VPNs are used to enhance both the online privacy and security of those who use one. Privacy and security tend to involve trust, which becomes especially important when we consider VPNs.
To understand this properly, we have to take a step back and examine how VPNs protect their users. The most common analogy is that a VPN provides an encrypted tunnel between the VPN client on a user’s device and the VPN server.
This tunnel essentially means that no other party can see the connections and data you are transferring between your device and the exit server. Your ISP, the government and other snoopers will be able to see that you are sending encrypted data through a VPN, but they won’t be able to see what it is.
If someone is examining the traffic between the exit server and the website you are visiting, they will be able to see that someone from the VPN’s server is connecting to the site, but they won’t know where the connection originates from.
In this way, a VPN’s encrypted tunnel protects users and their information from outside parties like hackers and governments, and also allows users to get around geo-restrictions by making it seem like their connection is coming from another place.
The point is that the VPN provider is the one that keeps you safe by letting you use their encrypted tunnel. Since all of your data goes through the provider, you need to find one that you can trust. If you can’t trust your provider, how can you know that your data is being kept secure and private?
What can a VPN provider see?
Technically, VPN providers have the capacity to see everything you do while connected. If it really wanted to, a VPN company could see what videos you watched, read emails you send, or monitor your search history.
Thankfully, reputable providers don’t do this. A good provider shouldn’t take any logs of your activity, which means that although they could theoretically access your data, they discard it instead. These “no-log” companies don’t keep copies of your data, so even if they get subpoenaed by a government agency, they have no data that they can hand over.
VPN providers may take different types of logs, so you need to be careful when reading the fine print of any potential provider. These logs can include your traffic, DNS requests, timestamps, bandwidth and IP address.
It will depend on your use case, but if you want your VPN to provide the highest level of privacy, then you will want to choose one that records no logs at all.
How do you know if a VPN provider keeps logs?
How can you trust a VPN provider’s claims?
At the end of the day, you can never really be 100 percent sure. The closest we can get is if a VPN provider was served a warrant or subpoena and was unable to give any data because they simply don’t have it. Even so,
Healthcare is under fire and there’s no sign of the burn slowing.
Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.
Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.
So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.
One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subject of two FBI Alerts in 2018.
And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransom demand. It took a month for the hospital’s IT system to be fully restored.
SamSam attackers are known to:
Gain remote access through traditional attacks, such as JBoss exploits
Connect to RDP over HTTP tunnels such as ReGeorg
Run batch scripts to deploy the ransomware over machines
SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading
Penetration testing, often called “pen testing”, is one of several techniques used to verify cybersecurity posture and provide a level of assurance to the organization that its cyber defenses are functional. It’s a way of testing defenses against an adversary who mimics a cyber-criminal actor.
First Rule of Network Penetration Testing: Make sure you have a signed contract to perform the services of a pen tester, including a statement of work, and a detailed scope for the engagement. Failure to follow this advice could result in civil and/or criminal legal action being taken against you.
It should be noted that many compliance and regulatory requirements, including the General Data Protection Regulation (GDPR) require an organization to undertake regular testing to evaluate the effectiveness of organizational security controls. It stands to reason that the further an adversary can penetrate into your organization and retrieve sensitive and/or confidential information, the more evident the business case for improving your cyber security posture becomes.
The technique of cyber security pen testing is not without controversy. Detractors of pen testing as a cybersecurity test identify the techniques used by professional pen testers as generally reserved for sophisticated cyber criminals or nation state actors. The argument then is pen testing does not mimic the “every day” cybersecurity threat faced by the organization based upon the level of risk tolerance.
Although that argument runs right up against the evolution of and increasing sophistication of cyber-criminal attacks, an organization may not have the financial or IT resources to deal with the outcomes or recommendations of the pen test. In fact, a pen test can be a demoralizing experience for the organization’s already stressed IT resources and potentially document risks the organization would rather not have illuminated.
Simply put, a pen test requires a basic level of cyber hygiene and organizational readiness – there has to be organizational will to mitigate the “findings” of the pen test. If the organization has not instituted basic cyber security controls as prescribed by UK Cyber Security Essentials or the CIS top five security controls, then money invested in a pen test may be quite wasteful.
In short, if the organization has not:
1. Secured the internet connection with a firewall
2. Secured organizational devices and software
3. Controlled access to organizational data and services
4. Protected organizational endpoints from viruses and other malware
5. Made sure organizational devices and software are up to date
Then the pen test will not go well for your organization and an adversary will have a field day.
Penetration Testing Tools
There is a myriad of pen testing tools available, the majority being open source. The profession of Pen Tester is linked to professional certifications such as Certified Ethical Hacker, CompTIA PenTest+ and Offensive Security Certified Professional (OSCP), and an extensive SANS curriculum built around pen testing and the use of popular tools is also available.
Here is a list of common pen testing tools (OK, my favorite tools!) pen testers will unleash on an organization. Many folks in the business of professional pen testing have their own preferences and/or professional software is also available.
Common Network Penetration Testing Tools
Nmap – Free!
Network scanner and enumerator, supported by a massive community and extensible with a great deal of scripting capability.
At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum.
Let’s take a look at the highlights from our October and November releases:
Mac OS Support for the AlienVault Agent
In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements.
In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.
AlienVault Agent Queries as Response Actions
USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.)
To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.
Launch AlienVault Agent Queries from Agents Page
In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.
It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began.
I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week.
Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, we’re just getting better at covering the stories.
In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget)
Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.
January 12th Edition
Toy Firm VTech Fined Over Data Breach
VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children.
Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest.
Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.
SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password.
Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move late
It’s December, which means it’s time to get those 2019 cyber predictions going. While there are many well-informed, and some not-so-well informed opinions out there, I’ve dug through the cyber underground, I’ve climbed data mountains, and delved to the depths of the dark web to seek out what is really happening.
Having spilt coffee, redbull, and tears, I am proud to present the soft underbelly of the cyber security industry, and what the future will hold.
Jayson Street will be exposed as a secret agent charged with obtaining DNA samples of as many hackers as possible. Close inspection will reveal Jayson stealing a strand of hair every time he offers an “awkward hug”. Having been outed, he will go on to start a podcast called “The word on the Street”.
HaveIBeenPwned will be purchased by FireEye. Troy Hunt will take the money and move to New Zealand where he’ll set up another website called “YesYouArePwned” with Kim dot com.
Bug Bounty and vulnerability disclosure pioneer Katie Moussouris will have no less than 10 instances a month of bug bounties being mansplained to her. At least 2 a month will try to prove her wrong by citing papers, without realising she authored them.
Richard Bejtlich will tell the world how it’s actually Papua New Guinea that is responsible for the majority of APTs. He’ll admit that China was initially blamed as an internal joke that went a bit too far.
Jeff Moss will look in disgust at what he has created. In a fit of rage he’ll punch the ground, pull his hair yelling, “I’ve created a monster!” and cancel DEF CON. This will create a domino effect as all other conferences will come collapsing, leaving no security conferences active by the end of the year.
SwiftOnSecurity is unmasked as being The Grugq who would have gotten away with it, if it weren’t for those meddling kids.
Stuck in traffic YouTuber Wolf Goerlich will finally take a different route into work and realise traffic ain’t all that bad. As a result YouTube suspends his account, declaring the title misleading. Which is a polite way of saying ‘fake news’.
Investigative journalist Brian Krebs may unofficially be many companies' IDS, but in 2019 he’ll take it to new heights by launching his own subscription-only service called B-KIDS (Brian Krebs IDS), which companies can use to get a heads up if they’re going to be outed.
Reunions will become common, as professionals grow bored of corporate life. L0pht Hacking Industries will furiously lobby the US government, while over in Europe the Eurotrash Security podcast will regroup and take the show on the road once again.