What's new around the internet

Source | Date (GMT) | Title | Description | Tags | Stories | Notes
AlienVault | 2019-01-18 14:00:00 | Things I Hearted This Week, 18 Jan 2019

London saw a few flakes of snow drop this week, and social media nearly broke with everyone sharing photos of the white pixie dust falling from the sky. Fortunately, I have few friends, and even fewer social media platforms that I use, so was saved from most of the insanity… well, except for my daughter singing “let it snow”.

The Curious Case of the Raspberry Pi in the Network Closet

What would you do if you found a Raspberry Pi plugged into the network closet? Sounds like something from your worst nightmare, especially if you hadn’t commissioned any red team testing.

But that’s exactly what one team found, and this is the story of how they tracked down (almost) the suspect. If Scooby Doo has taught me anything, it was the janitor!

Ad Company Serves Magecart Code

To quote Miss IG Geek, when your supply chain is so long you don’t even know who’s got their fingers in your website, you cannot manage your risk.

Yeah, go ahead, ask me to disable my ad-blocker.

Hunting the Con Queen of Hollywood: Who's the "Crazy Evil Genius" Behind a Global Racket?

This is a story from last July, but I only saw it this week, and wow. This is a masterclass in social engineering, and the work of someone who genuinely seems to enjoy tormenting her victims.

The DDoS Attacker Rescued by a Disney Cruise Ship is Sentenced to Over 10 Years in Prison

A 34-year old man has been sentenced to more than 10 years in prison, after being found guilty of launching a massive denial-of-service attack against Boston Children’s Hospital.

The sentencing of Martin Gottesfeld, from Somerville, Massachusetts, comes almost three years after he attempted to escape to Cuba – a plan that failed after his speedboat broke down in the choppy sea, and he was picked up by a Disney cruise liner.

Facebook Cybersecurity Exec Victim of Swatting Call

A Facebook cybersecurity exec had his home swatted by Palo Alto police after a prank call claimed he shot his wife, tied up his kids, and placed pipe bombs around the house.

A SWAT squad arrived in force at the exec's home, a two-bedroom house in Palo Alto, ordered him to ste

AlienVault | 2019-01-17 14:00:00 | The Dark Web has a Serious Deduplication Problem

In a post released on 1/8/19, I wrote about the record number of breaches in 2018. This brought to mind a podcast that I was listening to a few days back hosted by Corey Nachreiner, CTO of WatchGuard Technologies, Inc. on his 443 Podcast. Corey discussed the potential data deduplication problem on the Dark Web. This article will attempt to break down how this can happen and how this can cause issues not only for users of the Dark Web, but also for those whose data has been stolen and placed on the Dark Web for purchase.

The breaches of 2018 were vast and widespread, affecting businesses from fast food to department stores to airlines, with record amounts of data being lost. If you look at just the breaches I referenced in the previous article, total PII record counts are over one billion in the United States. In India, every citizen in the country had their data compromised with the breach of Aadhaar, the Indian biometric ID program owned and operated by the government of India. The Aadhaar breach alone accounted for 1.1 billion records lost to hackers.

Researching this, I discovered that for just the US-based hacks in the article, Americans and foreign travelers doing business with one of the breached companies had a total of 1.3 billion records stolen. If you figure there are approximately 330 million citizens of the United States and if every person in the US was affected, they would have their personally identifiable information exposed to the Dark Web approximately 4 times.

While that may not seem like a lot, please consider that it would be nearly impossible for every US citizen to be breached. The US does not have a mandatory centralized identification system as the Indian government has. Then, of course, not all 330 million Americans were affected by these breaches due to lack of exposure to affected breached sites, age, and other factors. Let’s say that 150 million Americans were affected in some way - which would mean that about half of all US citizens were affected by the breaches of 2018. Let’s also assume that another 150 million citizens of other countries were affected by the breaches of 2018. That would calculate to 300 million total people affected by the breaches of 2018.

With a nice round number like 300 million people being affected, one could assume there would be some duplicate records; in fact, there are probably a lot of duplicate records. The total number of records duplicated per affected person I calculate at 4.333 records. This is admittedly a pretty arbitrary number, considering some people are more active than others on the web or at a particular retailer. Some people fly frequently, while others may not fly or stay in hotels at all. But this is an estimate to work with.

From the results of the 2018 breaches, it is fairly safe to say that a very large number of people globally had their PII stolen and many of those had the information stolen several times. Each time a little more and different information was stolen. Many people look at a cyber breach as a big, scary and mysterious thing. What they should be more concerned with is that their data is stolen multiple times, from different sources.

A lot of information stolen is static, like social security numbers and driver’s license numbers; however, much of it is not. You can change your credit card numbers, passport numbers, addresses, and phone numbers. You can even improve your health or change it in some way that would make the stolen data inaccurate.

Once you look at the statistics from the 2018 breaches and th

AlienVault | 2019-01-15 14:00:00 | What Impact Will Cryptocurrency Have in 2019?

According to Investopedia, “cryptocurrency is a digital or virtual currency that uses cryptography for security.” In other words, it’s electronic money that is designed to be used by online users both safely and securely. The price of digital currencies, like Bitcoin and Ripple, has been all over the place throughout the past year — mainly because it’s a volatile online market that has celebrities, bankers, and other online users all wanting a piece of the pie.

While there are a number of people who are skeptical about the impact cryptocurrency will have on our future, there’s no doubt that it has sent shockwaves through just about every industry in the world.

The one question, however, many users are asking is what does the future have in store for cryptocurrency? Since 2009, online currencies haven’t just shown promise; they’ve started being used for various applications as well. Nowadays, it’s hard to hold a financial conversation without discussing cryptocurrency. It’s also not uncommon to hear the subject being talked about on the news, talk show radio, and of course, social media. This just goes to tell you how far this subject has come in such a short amount of time.

So, what impact will cryptocurrency have on us in 2019? Even though it’s hard to predict how much cryptocurrency will change within the coming years, we do know some changes that users should be on the lookout for this year. So, let’s take a look.

Economic Growth

Citizens who are born in underdeveloped countries like Ghana, Brazil, Honduras, Nigeria, and certain parts of China are all at a disadvantage because of financial reasons. Aside from jobs being scarce and hard to find, residents also have a difficult time finding a safe place to store their money. While most people would consider going to a bank, you have to remember that in underdeveloped countries, banks might not be that common.

Fortunately, cryptocurrency has the power to solve some of these issues, which helps improve economic growth in smaller countries. That’s because anyone with internet access can open an account and create a cryptocurrency wallet, which provides users with the opportunity to store and transfer values safely and securely.

With cryptocurrency services becoming more popular, millions of unbanked people in other countries across the globe can finally have access to banking services. Furthermore, these platforms can be accessed through mobile apps, and handheld devices, making telecommunication in the financial world that much easier.

Giving Power Back to the People

The arrival of cryptocurrency has had a major impact on our world today by creating a shift in power; it takes the power out of economic and political leaders’ hands and puts it in the grasp of everyday citizens. The public’s trust in banks and other financial institutions has always been in question. With economic crises going on throughout the world, trust in banking institutions and government leaders is something that continues to be talked about today as these leaders lose more and more trust.

Luckily, digital currencies can help people all over

AlienVault | 2019-01-14 16:28:00 | Software Bill of Materials (SBoM) - Does It Work for DevSecOps?

There has been much discussion of a “software bill of materials” (SBoM) lately, for use when addressing security vulnerabilities. Many are curious, wanting to learn more. Googling the term gives lots of positive descriptions. This post will go negative, describing problems with the concept.

Rather than cover the entire concept, I want to focus on a narrow part of it, so I asked Kate Brew to write a short blurb on why she’s interested in SBoMs. Her response was:

“I am an Industrial Engineer by training. So when I heard of the concept of software BoM I was intrigued. Being able to quickly see all the components, open source or not, incorporated into an application appears like a valuable way to determine needed actions in the case of vulnerabilities found in a component. It seems efficient and helpful to me to have a clear view of components in an application.”

Software is never built wholly from scratch these days. Instead, software is built by combining components, development frameworks, libraries, operating system features, and so on. It has a “bill of materials” describing the bits that make it up, every bit as much as hardware does.

When vulnerabilities happen, knowing this information can help. Good examples are the high profile Apache Struts bugs, where customers don’t know they are vulnerable because they are unaware that products they own include Struts. If only product vendors provided a list of sub-components, then customers would quickly know if they are vulnerable, and be able to act accordingly.

Some claim this sort of thing already exists in narrow industries, like medical and energy. They are pushing the concept for use everywhere because it’s already being used successfully somewhere.

This is a great story, but it isn’t true.

Software Bill of Materials Is a Misguided Concept for DevSecOps

Proponents are being deliberately vague in defining exactly what should be included in a software BoM. For hardware BoMs, you don’t list the ingredients of the circuit board, where you sourced the silica for glass fibers, or the recipe of the epoxy that binds them together. Hardware BoMs aren’t that granular because it’s not necessary. They include an indented list of components and sub-components. Hardware is basic. But when tracking software vulnerabilities, such granularity is important: you need to track every line of source code.

There are four levels of details for SBoMs:

  • Licenses
  • Modules
  • Patch levels
  • Backports

Most of the discussion about SBoMs is roughly at the license level. The makers of software already track this, even when they don’t disclose it to customers. Commercial products track this for legal reasons, for compliance with legal contracts they have with suppliers. Open-source products track this for practical reasons, since you often have to hunt down and install the dependencies yourself in order to make open-source work -- importing open-source implicitly means importing the license.

You see the artifacts of this everywhere. My parents just bought a new Subaru, which like most new cars contains a small screen for the maps and backup camera. On one of the pages on the screen I find something that lists a number of embedded components. Displaying this information is often a requirement of the license.

Software Bills of Materials Aren’t That Great for Tracking Vulnerabilities

SBoMs aren’t as useful as you’d think for tracking vulnerabilities, because they’re not granular enough. Take Linux, for example. The entire thing is licensed under the GPL. This hides the complexity that the kernel is around 20 million lines of code, and the GNU userland components are millions more. An SBoM saying this IoT product uses “Linux” hides a lot of the complexity of what may or may not exist in the product.

A new Linux vuln is discovered at th

AlienVault | 2019-01-11 14:00:00 | Things I Hearted This Week, 11th Jan 2019

And we’re back into the swing of things with a proper first week on the books and plenty to talk about as to the weird and wonderful goings on in the world of security, technology and beyond.

International Security of Mystery

Joe Gray hasn’t really flown outside of the US other than Canada, so when presented with an opportunity to speak at conferences in Switzerland and Paris, he went about trying to find what a security professional should do when travelling internationally.

Lesley Carhart’s blog, which is referenced in Joe’s article, probably has one of the most comprehensive posts on the topic.

Mondelez Sues Zurich in Test for Cyber Hack Insurance

And so it begins…

Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack.

2019 - The Year of Cloud-Based Cybersecurity

Yes, it’s a prediction piece, but a rather specific one talking about how we’re seeing a rise in cloud-based security analytics and operations.

The Cyber-Attack That Sent an Alaskan Community Back in Time

They still don’t know where it c

AlienVault | 2019-01-10 14:00:00 | Top 12 Blogs of 2018

Time to look back on the top AlienVault blogs of 2018! Here we go:

A North Korean Monero Cryptocurrency Miner by Chris Doman

Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we’ve analysed above may be the most recent product of their endeavours.

VLAN Hopping and Mitigation by Pam

This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which allow attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switch spoofing' and 'double tagging'. I will then discuss mitigation techniques.

DNS Poisoning and How To Prevent It by Jeff Thompson

The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, into a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER - if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 867.53.0.9 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.]

4 SIEM Use Cases That Will Dramatically Improve Your Enterprise Security by Stephen Roe

Companies both large and small must plan to protect their data. Failing to do so puts you at risk for financial trouble, legal liability, and loss of goodwill.

Make sure to deploy SIEMs to prevent such misfortunes befalling your business. If you know how to put them to use, SIEMs provide value out of the box. Here’s a quick recap on how SIEMs can benefit you with a few clicks.

  • Prevent SQL injection attacks by keeping an eye on the health of your systems. This will keep you ready if and when attacks do happen.
  • For handling watering hole intruders, SIEMs make it easy to monitor suspicious communication hinting at an attack in progress.
  • If you’re worried about malware infection, commun

AlienVault | 2019-01-09 14:00:00 | AlienVault in Gartner MQ for SIEM

Gartner just released their 2018 Magic Quadrant for Security Information and Event Management (SIEM), which we’re once again excited to be part of!

Our inclusion in the Gartner SIEM MQ is further validation that our unique, unified approach to threat detection and response continues to resonate. Many continue to struggle with increasingly advanced threats, expanding attack surfaces, and a growing list of compliance requirements -- all with less IT staff, time, and money.

Since the beginning, AlienVault has taken a different approach to SIEM. We’ve sought to eliminate the two main barriers inherent in traditional SIEM offerings -- cost and usability.

Let’s face it, when it comes to most SIEM purchases, companies are left holding the bag for a very expensive “solution,” which they now have to try and make work. That’s like buying a new car, but only getting the frame and a box of engine parts — then being told some assembly required if you actually want to drive the car (and if you’re wondering about the tires, those are extra too). AlienVault set out to change this when we launched our Unified Security Management® (USM) solution.

Our goal has always been to make it as simple as possible for IT and security pros to quickly detect threats, efficiently respond to breaches, and manage compliance. This meant going beyond SIEM to deliver complete threat management, out-of-the-box -- no additional product purchases necessary, no convoluted licensing models, and no complicated integrations required.

We’ve stayed true to that goal with USM Anywhere™, our SaaS platform that seamlessly combines the essential security capabilities organizations need, while removing the administrative overhead they don’t. We appreciate that Gartner calls out AlienVault USM’s straightforward implementation -- two words you rarely hear when it comes to SIEM! Our simplified approach to SIEM and threat management is further evidenced by the fact that 46 percent of our customers are detecting threats on day one!

Moreover, our extensible SaaS architecture and growing “galaxy” of AlienApps allow us to rapidly deliver new features and functionality, including powerful, built-in response automation and orchestration with third-party IT and security technologies. Not only does this allow our customers to capitalize on existing investments, it saves valuable time and effort by enabling them to bring more of their security monitoring tools into USM’s single pane of glass -- without any daunting integration work!

And We’re Just Getting Started . . .

As we continue our evolution to AT&T Cybersecurity, we’re harnessing the power of one of the world’s largest cybersecurity operations.

“Okay, but what does this mean?” you ask.

It means we’re now delivering a unique combination of people, process, and technology to not only help you better detect and respond to threats, but also mitigate and manage ongoing risks. We’ll also continue to enrich our threat intelligence (now augmented with AT&T threat data), and improve the USM Anywhere platform, delivering new capabilities that simplify and automate your critical security processes, improve your security and compliance posture, and outpace the ever-evolving threat landscape.

More to come . . .

AlienVault | 2019-01-08 14:00:00 | 2018 Sees Record Number of Online Retail Data Breaches

During the holiday season people logged on to make purchases through online retailers like at no other time of the year. While there was significant growth in many segments of society on a global scale in 2018, we also saw a significant increase in online retail breaches where personally identifiable information was compromised at an alarming rate. With more and more people using online services for everything from ordering perishable food products to plane tickets and hotel reservations, 2018 proved to be a huge year for cybercriminals.

Here are some facts around some of the largest and most far-reaching retail breaches of 2018:

Dozens of security breaches have occurred in 2018. Many of them were caused by flaws in payment systems, either online or in stores. Data breaches are on the rise for both retailers and other businesses.

These data breaches are a real danger for both companies and customers and can affect the trust shoppers have in brands.

According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.

Example Breaches

Cheddar's Scratch Kitchen

Darden Restaurants announced it was notified by government officials on August 16 that it had been the victim of a cyber attack.

Customers who visited Darden-owned Cheddar's Scratch Kitchen between November 3, 2017, and January 2, 2018, may have had their credit-card information stolen. Darden estimates that 567,000 payment card numbers could have been compromised.

Customers affected would have visited a Cheddar's location in any one of these states: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.

Macy's confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party.

Macy's did not confirm exactly how many people were impacted. However, a spokesperson for the company said the breach was limited to a small group of people.

Macy's said in a statement: "We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services."

Adidas announced in June

AlienVault | 2019-01-07 14:00:00 | Data Exfiltration in AWS: Part 2 of Series

In the previous blog in this four-part blog series, we discussed AWS IAM and how it can be compromised to allow for data exfiltration. In this blog we will drill into data exfiltration.

One of the more common issues reported on lately involves EC2 instances running data storage services like Elasticsearch and MongoDB, which by default don't have any credential requirements to interact with the data store. And if you don't get your security groups set up properly you can inadvertently expose, for example, the Elasticsearch port (9200) out to the Internet. If that happens, you can bet that somebody is going to find it and dump its entire data set.

Here’s a common scenario we’ve seen in AWS: A web application is capturing user details and analytics. The developers want to capture that data in a metrics-friendly repository (in addition to the database that the application uses), so they spin up an EC2 instance, install Elasticsearch and start dropping data into it that is useful for analytics tracking. It’s probably not sensitive data, so they’re not too worried about locking it down, and for convenience the backend Elasticsearch port is exposed to the Internet. As the analytics requirements evolve along with the application, more and more data ends up in the completely exposed data store. Then a bad guy does a port scan and finds it sitting there, ripe for the picking. It's become so common that adversaries have gone through the trouble of creating ransomware that fully hijacks the data store and encrypts the data within it.

Here are some examples:

Data Exfiltration: Risks

With a public search engine for internet-exposed devices such as Shodan, you can search for publicly exposed Elasticsearch databases and it’ll give you a big list. It's not difficult to find systems that have been exposed this way, and attackers are finding them pretty quickly.

Application Abuse

The other way that data exfiltration takes place is through an application vulnerability, but this isn't AWS-specific. There are common application vulnerabilities that some attackers are very adept at discovering. A crafty attacker will bang on a web application long enough to find a vulnerability that they can use to exfiltrate data from the system.  This technique is very effective because most web applications need access to some degree of sensitive data in order to be of any use.

AlienVault | 2019-01-04 14:00:00 | Things I Hearted This Week, 4th Jan 2018

Welcome to 2019! I hope that you had a well-deserved break over the holidays, and a special shout out to all the people that carried on pulling shifts in the SOC, were on-call, and helped ensure stuff stayed as secure as possible while the rest of us were eating and sleeping too much! I’ve said it before, and I’ll say it again, that you are the real backbone of the security industry, and although you may never go to conferences, or be heard on a podcast, or put your name to a blog - you go about your job keeping things as secure as possible.

We’re only half a week into the new year and the security world hasn’t slowed down in the slightest, so let’s just get down to what’s been going on these last few days, and catch up with some of the excitement that I missed while I was busy consuming mince pies.

Victorian Government Employees Details Stolen

We didn’t even make it a day into the new year without news of a data breach where thousands of records were stolen. Sure, it’s small compared to the millions of records we’re getting accustomed to reading about, but it’s significant nonetheless. It’s like data breaches have become an Olympic-level sport with everyone racing to be first.

The work details of 30,000 Victorian public servants have been stolen in a data breach, after part of the Victorian Government directory was downloaded by an unknown party.

The list is available to government employees and contains work emails, job titles and work phone numbers.

Employees affected by the breach were told in an email their mobile phone numbers may have also been accessed if they had been entered into the directory.

Town of Salem Breach Affects 7 Million Accounts

Getting up to the kind of breach numbers we’re all more used to, The Town of Salem (video game) was hit with a massive data breach last week that exposed the information on more than 7 million users.

The breach was discovered by the cybersecurity researcher Dehashed on December 28, after receiving an anonymous email that indicated someone had gained access to the game’s database. Town of Salem is a role-playing game operated by BlankMediaGames.

Promote Your Scams

In the battle for advertising revenue supremacy, social media giants have automated their whole process and seem to have forgotten to include any basic checks for, you know, looking for obvious scams. Like this little gem whereby an obvious PayPal phishing scam was sent as a promoted tweet.

And we think we’re going to clean up fake news.

AlienVault | 2019-01-03 14:00:00 | The “Internal” Cyber Kill Chain Model

An Alternative to the “Classic” Cyber Kill Chain Model for Internal Attacks and Breaches

Developed by Lockheed Martin, the Cyber Kill Chain® (CKC) framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.

In recent years there have been numerous articles written to contest the effectiveness of the Cyber Kill Chain Model as it currently exists. The intent of this article is in no way to disavow or be critical of the work put into creating the Cyber Kill Chain by the LM-CIRT. Instead, what this article strives to show is that, with slight modifications, there are variants of the CKC that could improve its accuracy for non-traditional attack vectors. Today’s threat landscape has expanded and, ever more, cyber security overlaps many other aspects of security. This article strives not only to reinforce this point but to offer a framework that furthers the effectiveness of the traditional CKC by adding aspects to it, enabling analysts to better understand and further their efforts in stopping data theft and cyber crime more effectively and efficiently.[1]

Purpose of this article – To test the validity of the CKC model against alternative attack vectors that do not utilize the classic cyber kill chain’s workflow, primarily based around internal actor theft of sensitive information.

The basis for the research - The research idea came from an article written by Ryan Stolte for the darkreading.com website. Link to the article is below.


Summary of the research – The author of the article, Ryan Stolte, posed the question of whether or not the existing Cyber Kill Chain Model as written by Lockheed Martin was sufficient for the increasingly versatile threat landscape of today versus the less dynamic threat landscape of 2007 when the CKC was first conceptualized and published.

The desired outcome of research – To create a new conceptual Internal Cyber Kill Chain Model that predicts the activities of an attack perpetrated by an internal malicious actor such as a disgruntled or disloyal employee.

In the referenced article, there is mention of two types of internal actors who are most likely to attempt to perpetrate a malicious cyber or social engineering attack on their employer.

Malicious Actors Defined

Most traditional attacks are carried out through some variant of a phishing attack, which means that most of the attacks are allowed into the network by an unknowing accomplice. In the article, the author breaks down the internal actors by categorizing them as “Flight Risks” and “Persistent Insiders”.

Flight Risks

Flight Risks: Employees looking to leave the company can elevate the risk of data loss. They tend to be less sophisticated and exhibit less cautious behavior on their way out. The kill chain–style reactive risk model begins with looking for early indicators — for example, if an employee frequently visits job search websites, something he or she typically would not do. However, even if employees are visiting those kinds of websites, that doesn’t necessarily mean they are a threat. They be

AlienVault | 2018-12-27 14:00:00 | How Malware Sandboxes and SIEMs Work in Tandem to Effectively Detect Malware

Rohan Viegas of VMRay explains some of the key factors IT security teams should consider when evaluating a malware analysis sandbox and whether it’s a good fit for their existing SIEM environment. He then outlines how VMRay Analyzer complements and enhances the capabilities of AlienVault’s flagship platform, USM Anywhere.

For IT security organizations, malware threats and attacks continue to play a prominent role in the threat landscape. According to Verizon’s 2018 Data Breach Investigations Report:

  • Of the 2,216 data breaches that were studied by participating security vendors, 30% involved malware.
  • Six types of malware (ransomware, C2, RAM scraper, backdoor, etc.) were among the top 20 varieties of action used in the data breaches covered in the study.
  • Ransomware, used primarily to commit financial crimes, is now involved in more than 40% of malware attacks.
  • Malware attacks can be completed in minutes. However, due primarily to poor detection, an intrusion may not be discovered for weeks or months, potentially causing damage all the while.

“Full-featured SIEM, Looking for the Right Malware Sandbox”

When selecting an automated malware analysis sandbox to address these challenges, IT security teams should not only compare the side-by-side capabilities of different vendor products. They should also weigh how a particular sandbox will interact with their existing SIEM platform and the extent to which a product’s strengths (or its weaknesses) are utilized across the managed security ecosystem. Below are some key points to consider.

The sandbox’s detection efficacy. Malware today is designed to recognize when it is running inside an analysis environment and to stall or exit in the sandbox, thereby evading detection altogether or inhibiting the analysis by not fully revealing its behavior. This leaves blind spots in the analysis results, which can then be carried over to the SIEM. A key quality to look for in a sandbox is its ability to reliably conceal itself from the samples being analyzed so the malware can fully execute, giving you comprehensive visibility into the threat.

The quality of Threat Intelligence that can be shared. Another consideration is what types of threat information can be ingested by your SIEM and made available across your security environment. Important IOCs include severity scores, suspicious behaviors, network activity, dropped files, etc. You also need to consider how complete that information is.

Full visibility into malware behavior is essential for generating quality threat intelligence. For instance, if you discover a malicious file, the analysis results should detail all the places it tried to reach out to, all the bad files it tried to create, and all the registry keys it tried to touch or modify.

How can the Threat Intelligence be used once your analysis results are handed off to your SIEM? Can the data be easily monitored? Correlated with other data sources? What actions can you take with this information? To build on the prior example, if your sandbox identifies a new malicious file that has reached out to an unfamiliar and presumably bad IP address, can you search your entire infrastructure for systems that have also accessed that address?
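As an added illustration of the correlation question above (this is not VMRay's or AlienVault's code; the sandbox report shape, the proxy log format and all values in them are constructed assumptions), a small Python script that pulls the network indicators out of a sandbox verdict and then finds every internal host in a proxy log that also reached them:

```python
"""Correlate a sandbox verdict's network IOCs against proxy logs.

Added example, not VMRay or AlienVault code. The report layout and the
log format are assumptions made for this illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sandbox verdict for one sample. The JSON layout is an
# assumption, not a real VMRay or USM Anywhere export format.
SANDBOX_REPORT = json.dumps({
    "sample_sha256": "PLACEHOLDER_SHA256",
    "severity": "malicious",
    "network": [
        {"type": "ip", "value": "203.0.113.45", "port": 443},
        {"type": "domain", "value": "update-check.example"},
    ],
    # Kept to show the "complete picture" the text asks for; not used below.
    "dropped_files": ["C:\\Users\\Public\\svchost32.exe"],
    "registry": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc32"],
})

# Constructed proxy log lines: "<unix ts> <client ip> <method> <url> <status>".
PROXY_LOG = """\
1545300000.123 10.0.4.17 CONNECT 203.0.113.45:443 200
1545300001.456 10.0.4.22 GET http://intranet.corp/index.html 200
1545300002.789 10.0.9.8 GET http://update-check.example/ping 404
1545300003.000 10.0.4.17 GET http://update-check.example/payload 200
1545300004.111 10.0.2.3 CONNECT 198.51.100.7:443 200
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)

# Only verdicts at these severities are worth pivoting on; a "clean" report
# would otherwise flood the SIEM with benign update servers.
ACTIONABLE_SEVERITIES = {"malicious", "suspicious"}


def extract_network_iocs(report_json):
    """Return the IP and domain indicators the sandbox saw the sample contact.

    An empty set is returned when the verdict is not actionable, so callers
    never correlate on indicators from a benign sample.
    """
    report = json.loads(report_json)
    if report.get("severity") not in ACTIONABLE_SEVERITIES:
        return set()
    return {
        entry["value"]
        for entry in report.get("network", [])
        if entry.get("type") in ("ip", "domain")
    }


def destination_host(url):
    """Pull the destination host out of a URL or a CONNECT host:port target."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url)
    return m.group(1) if m else ""


def hosts_contacting_iocs(report_json, log_text):
    """Map each IOC that appears in the log to the sorted list of clients that reached it."""
    iocs = extract_network_iocs(report_json)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:          # malformed line: skip rather than crash the sweep
            continue
        host = destination_host(m.group("url"))
        if host in iocs:
            hits[host].add(m.group("client"))
    return {ioc: sorted(clients) for ioc, clients in hits.items()}


def affected_clients(report_json, log_text):
    """Union of every internal client that touched any IOC, for a triage list."""
    clients = set()
    for found in hosts_contacting_iocs(report_json, log_text).values():
        clients.update(found)
    return sorted(clients)


if __name__ == "__main__":
    for ioc, clients in hosts_contacting_iocs(SANDBOX_REPORT, PROXY_LOG).items():
        print(f"{ioc}: {', '.join(clients)}")
```

Every host that appears in the result is a candidate for the same alarm, which is exactly the pivot the SIEM needs to support once the sandbox verdict has been ingested.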

Rising to the Challenge

For organizations that have USM Anywhere or another comprehensive SIEM pla

AlienVault 2018-12-24 14:00:00 The Dangers of Free VPNs

If you use a free VPN, then you have to wonder how your provider earns money to cover their own costs. The answer often involves advertising, but it can also be through far more sinister means.

Running a VPN service costs a significant amount of money. There are setup costs, infrastructure costs, labor and other running costs. The companies behind these services generally want to make a profit as well.

Why are free VPNs a problem?

It really depends on your use case, but in general, VPNs are used to enhance both the online privacy and security of those who use one. Privacy and security tend to involve trust, which becomes especially important when we consider VPNs.

To understand this properly, we have to take a step back and examine how VPNs protect their users. The most common analogy is that a VPN provides an encrypted tunnel between the VPN client on a user’s device and the VPN server.

This tunnel essentially means that no other party can see the connections and data you are transferring between your device and the exit server. Your ISP, the government and other snoopers will be able to see that you are sending encrypted data through a VPN, but they won’t be able to see what it is.

If someone is examining the traffic between the exit server and the website you are visiting, they will be able to see that someone from the VPN’s server is connecting to the site, but they won’t know where the connection originates from.

In this way, a VPN’s encrypted tunnel protects users and their information from outside parties like hackers and governments, and also allows users to get around geo-restrictions by making it seem like their connection is coming from another place.

The point is that the VPN provider is the one that keeps you safe by letting you use their encrypted tunnel. Since all of your data goes through the provider, you need to find one that you can trust. If you can’t trust your provider, how can you know that your data is being kept secure and private?

What can a VPN provider see?

Technically, VPN providers have the capacity to see everything you do while connected. If it really wanted to, a VPN company could see which videos you watch, read the emails you send, or monitor your search history.

Thankfully, reputable providers don’t do this. A good provider shouldn’t take any logs of your activity, which means that although they could theoretically access your data, they discard it instead. These “no-log” companies don’t keep copies of your data, so even if they get subpoenaed by a government agency, they have no data that they can hand over.

VPN providers may take different types of logs, so you need to be careful when reading the fine print of any potential provider. These logs can include your traffic, DNS requests, timestamps, bandwidth and IP address.

It will depend on your use case, but if you want your VPN to provide the highest level of privacy, then you will want to choose one that records no logs at all.

How do you know if a VPN provider keeps logs?

Most VPN providers will state on their websites whether or not they take logs, and if so, what kind. If the privacy policy doesn’t state the logging policy, or they make their logging process unclear, it’s best to assume the worst. No-log policies can be a huge selling point of many VPNs, so if a company doesn’t make their practice clear, it’s best to assume that they do keep logs in some form.

How can you trust a VPN provider’s claims?

At the end of the day, you can never really be 100 percent sure. The closest we can get is if a VPN provider was served a warrant or subpoena and was unable to give any data because they simply don’t have it. Even so,

AlienVault 2018-12-20 14:00:00 Let's Chat: Healthcare Threats and Who's Attacking

Healthcare is under fire and there’s no sign of the burn slowing.

Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.

Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.

So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.

One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in its operations (it is likely an organized crime syndicate) and has won the distinction of being the subject of two FBI Alerts in 2018.

And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital, which publicly declined to pay the attackers' $44,000 ransom demand. It took a month for the hospital's IT system to be fully restored.

SamSam attackers are known to:

  • Gain remote access through traditional attacks, such as JBoss exploits
  • Deploy web-shells
  • Connect to RDP over HTTP tunnels such as ReGeorg
  • Run batch scripts to deploy the ransomware over machines

SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading

AlienVault 2018-12-19 14:00:00 Network Penetration Testing

What is Penetration Testing?

Penetration testing, often called “pen testing”, is one of several techniques used to verify cybersecurity posture and provide a level of assurance to the organization that its cyber defenses are functional. It’s a way of testing defenses against an adversary who mimics a cyber-criminal actor.

First Rule of Network Penetration Testing: Make sure you have a signed contract to perform the services of a pen tester, including a statement of work, and a detailed scope for the engagement. Failure to follow this advice could result in civil and/or criminal legal action being taken against you.

It should be noted that many compliance and regulatory requirements, including the General Data Protection Regulation (GDPR) require an organization to undertake regular testing to evaluate the effectiveness of organizational security controls. It stands to reason that the further an adversary can penetrate into your organization and retrieve sensitive and/or confidential information, the more evident the business case for improving your cyber security posture becomes.

The technique of cyber security pen testing is not without controversy. Detractors of pen testing as a cybersecurity test point out that the techniques used by professional pen testers are generally reserved for sophisticated cyber criminals or nation-state actors. The argument, then, is that pen testing does not mimic the “every day” cybersecurity threat the organization faces given its level of risk tolerance.

Although that argument runs right up against the evolution of and increasing sophistication of cyber-criminal attacks, an organization may not have the financial or IT resources to deal with the outcomes or recommendations of the pen test. In fact, a pen test can be a demoralizing experience for the organization’s already stressed IT resources and potentially document risks the organization would rather not have illuminated.

Simply put, a pen test requires a basic level of cyber hygiene and organizational readiness – there has to be organizational will to mitigate the “findings” of the pen test. If the organization has not instituted basic cyber security controls as prescribed by UK Cyber Security Essentials or the CIS top five security controls, then money invested in a pen test may be quite wasteful.

In short, if the organization has not:

1. Secured the internet connection with a firewall
2. Secured organizational devices and software
3. Controlled access to organizational data and services
4. Protected organizational endpoints from viruses and other malware
5. Made sure organizational devices and software are up to date

then the pen test will not go well for your organization and an adversary will have a field day.

Penetration Testing Tools

There is a myriad of pen testing tools available, the majority of them open source. The profession of pen tester is linked to professional certifications such as Certified Ethical Hacker, CompTIA PenTest+ and Offensive Security Certified Professional (OSCP), and an extensive SANS curriculum built around pen testing and the use of popular tools is also available.

Here is a list of common pen testing tools (OK, my favorite tools!) pen testers will unleash on an organization. Many folks in the business of professional pen testing have their own preferences and/or professional software is also available.

Common Network Penetration Testing Tools

  1. Nmap – Free!

Network scanner and enumerator, supported by a massive community and extensible with a great deal of scripting capability.

  2. The Metasploit Framework available on K

AlienVault 2018-12-17 14:00:00 AlienVault Monthly Product Roundup October / November 2018

At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum.

Let’s take a look at the highlights from our October and November releases:

Mac OS Support for the AlienVault Agent

In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements.

In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.

AlienVault Agent Queries as Response Actions

USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.)

To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.

Launch AlienVault Agent Queries from Agents Page

In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.

AlienVault 2018-12-14 14:00:00 Things I Hearted this Year 2018

It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began.

I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week.

Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, we’re just getting better at covering the stories.

In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget)

Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.

January 12th Edition

Toy Firm VTech Fined Over Data Breach

VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children.

Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest.

Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.

March 9th Edition

SAML, SSO Many Vulnerabilities

SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password.

Sounds like a lot of fun.

March 30th Edition

Investigating Lateral Movement Paths with ATA

Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move late

AlienVault 2018-12-13 14:00:00 The REAL 2019 Cyber Security Predictions

It’s December, which means it’s time to get those 2019 cyber predictions going. While there are many well-informed, and some not-so-well-informed, opinions out there, I’ve dug through the cyber underground, I’ve climbed data mountains, and delved to the depths of the dark web to seek out what is really happening.

Having spilt coffee, Red Bull, and tears, I am proud to present the soft underbelly of the cyber security industry, and what the future will hold.

You’re welcome.

Jayson Street will be exposed as a secret agent charged with obtaining DNA samples of as many hackers as possible. Close inspection will reveal Jayson stealing a strand of hair every time he offers an “awkward hug”. Having been outed, he will go on to start a podcast called “The word on the Street”.

HaveIBeenPwned will be purchased by FireEye. Troy Hunt will take the money and move to New Zealand where he’ll set up another website called “YesYouArePwned” with Kim dot com.

Bug Bounty and vulnerability disclosure pioneer Katie Moussouris will have no less than 10 instances a month of bug bounties being mansplained to her. At least 2 a month will try to prove her wrong by citing papers, without realising she authored them.

Richard Bejtlich will tell the world how it’s actually Papua New Guinea that is responsible for the majority of APTs. He’ll admit that China was initially blamed as an internal joke that went a bit too far.

Jeff Moss will look in disgust at what he has created. In a fit of rage he’ll punch the ground, pull his hair yelling, “I’ve created a monster!” and cancel DEF CON. This will create a domino effect as all other conferences will come collapsing, leaving no security conferences active by the end of the year.

SwiftOnSecurity is unmasked as being The Grugq who would have gotten away with it, if it weren’t for those meddling kids.

Stuck-in-traffic YouTuber Wolf Goerlich will finally take a different route into work and realise traffic ain’t all that bad. As a result, YouTube suspends his account, declaring the title misleading. Which is a polite way of saying ‘fake news’.

Investigative journalist Brian Krebs may unofficially be many companies' IDS, but in 2019 he’ll take it to new heights while launching his own subscription-only service called B-KIDS (Brian Krebs IDS), which companies can use to get the heads up if they’re going to be outed.

Reunions will become common, as professionals grow bored of corporate life. L0pht Hacking Industries will furiously lobby the US government, while over in Europe the Eurotrash Security podcast will regroup and take the show on the road once again.

AlienVault 2018-12-12 14:00:00 New AlienVault and AT&T Cybersecurity Consulting Solution for Cyber Risk and Compliance Management

Let’s face it, managing cyber risk and compliance is hard. Many organizations struggle to gain the visibility needed to truly understand their overall cyber risks. They also struggle to maintain that visibility as they take on digital business transformation and new cloud computing initiatives. It’s no easy task for organizations to continually align their security priorities to changes in the regulatory landscape, their IT environment, and an always-shifting threat landscape, especially for organizations with limited IT resources.

That’s why we are excited to announce a new solution to help organizations of any size reduce their cyber risks and simplify their journey toward compliance. Together, AT&T Cybersecurity Consulting and AlienVault, an AT&T Company, are bringing together the people, process, and technology in one unified solution to help organizations improve cyber risk and compliance management. In doing so, we’re making it simple and fast for organizations to consolidate their requirements and to accelerate their security and compliance goals. Download the solution brief to learn more.

“Managing cyber risk and compliance requires an ongoing review of your IT assets and data, security practices, and personnel — and no single security tool provides that holistic visibility,” said Russell Spitler, SVP of Product for AlienVault, an AT&T company. “With a unified solution from AT&T Cybersecurity Consulting and AlienVault, we can help organizations to reduce the complexity and cost of having to juggle multiple products and vendors.”

This solution addresses many of the most challenging aspects of meaningful risk reduction (i.e. you are actually making progress in reducing risks, not simply “managing risks”) and maintaining continuous compliance. The solution includes: risk assessment, vulnerability assessment with scanning and remediation, employee cybersecurity awareness training, continuous network monitoring for the latest threats, and reporting for compliance as well as for internal policy. It is ideal for organizations that are getting started with or want to accelerate their efforts for PCI DSS or HIPAA, but also for organizations without a compliance mandate that are looking to evaluate and improve their cyber risk posture quickly and efficiently.

Unlike other solutions for cyber risk and compliance that are often oversized and do not adapt to an organization’s existing security model, AlienVault and AT&T Cybersecurity Consulting offer flexible options that allow any organization to tailor-fit a solution to their unique environment, business goals, and budget. The solutions include:

  • Risk-based Cyber Posture Assessment led by AT&T Cybersecurity Consultants
  • ASV-provided External Vulnerability Scanning Services from AT&T Consulting Services
  • AlienVault USM Anywhere - a unified platform for threat detection and response
  • AT&T Cybersecurity IQ Training - cybersecurity user training and assessments

For more details on the products and services included in this solution, read the solution brief.

Following AT&T Business’ acquisition of AlienVault in August, this offering is the first to combine the phenomenal threat detection and incident response capabilities of AlienVault USM Anywhere and AlienVault Labs Threat Intelligence with the world-class expertise of AT&T Cybersecurity Consulting.

“It’s no secret that cybercrime has become its own industry, giving criminals access to a bat

AlienVault 2018-12-11 14:00:00 A HIPAA Compliance Checklist

Five steps to ensuring the protection of patient data and ongoing risk management.

Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time, security professionals are faced with an evolving threat landscape of increasingly sophisticated threat actors and methods of attack.

For example, 2018 threat intelligence research by AlienVault Labs reports a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from health care providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.

One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware.

To help address these security challenges and ensure adherence to compliance mandates, security and IT professionals should consider how people, processes, and technology can be used together to create a holistic IT security compliance program that simplifies preparation, auditing and reporting, as well as ongoing security risk management and breach monitoring and response. Here’s a five-step HIPAA compliance checklist to get started.

Certification and Ongoing HIPAA Compliance

HIPAA sets the standard for protecting sensitive patient data. Any entity that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted to promote the “meaningful use of health information technology” and address the privacy and security concerns associated with the electronic transmission of health information. Although there is no standard or implementation specification that requires a covered entity to “certify” compliance, the evaluation standard § 164.308(a)(8) requires covered entities to perform ongoing technical and non-technical evaluations that establish the extent to which their security policies and procedures meet the security requirements. Evaluations can be performed and documented internally or by an external organization that provides evaluation or “certification” services. However, HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Step 1: Start with a comprehensive risk assessment and gap analysis

Your compliance strategy should start with a solid foundation, which is why the first step in your journey to HIPAA compliance should be a readiness assessment that includes a comprehensive risk and compliance analysis of your electronic health record (EHR) environment. This assessment is often best done by a third party with expertise in healthcare security and compliance, as HIPAA regulations can be confusing and cumbersome. Using a third party with

AlienVault 2018-12-10 14:00:00 Who Would You Hire in Your SOC?

I got curious about what kind of people are most desired in a Security Operations Center (SOC). I wondered how accepting InfoSec blue teamers would be to having a team member with a great attitude and system administration or network management skills, versus someone with deep InfoSec knowledge and skills. So I did a poll on Twitter to learn more. 

After reviewing the Twitter poll results and the very insightful comments, I was even more curious about how SOC hiring decisions are made. Luckily, one of my Twitter pals reached out via DM and indicated he is a SOC hiring manager! And he’d be happy to have a call with me to give me the scoop on what he looks for when hiring for his SOC as long as he remained anonymous! 

While I can’t name him, I can tell you he has 20+ years of experience in the InfoSec industry and is in the process of building his second SOC. The first team he built had about 25 people, was focused on infrastructure rather than cloud, and encompassed both SOC and GRC. The team he is building out now is focused on outsourcing (MSSP), which is a different story entirely. Here are his insights:

Age is a Number

He made the excellent point that the terms “junior” and “senior” SOC analyst relate more to experience in a SOC than to the person’s age. Older folks doing a career transformation might well be considered “junior”, and someone in their 20s who has had a home lab and network might have years of useful experience and be considered “senior”.

A Balanced SOC Team

The best team mixes some senior folks with junior people. A lot of SOC work is a *grind* with eyes always on the glass. Whereas junior folks can be quite happy to do that for a few years, some more senior folks may want to get into other roles than the front line of defense.

In addition, your first job in InfoSec may be a stepping stone to where you want to get. You might want to be a malware researcher, but starting as a blue team defender is an excellent way to learn more about malware.

Mainly Cloudy

Times are changing – whereas deep skills on particular hardware, like a specific firewall, may have been important in the past, now SOC hiring managers tend to be more cloud-oriented. They’re looking for a blend of skills, including DevOps, SecOps, scripting, cloud instrumentation and understanding of cloud infrastructure. Hiring managers are looking for nimble applicants with a flexible skill set. For example, to be good in a SOC job today, you will likely need to know how to monitor application logs as well as traditional security controls.

Advice for Students

Don’t be afraid to get your hands on tech. Classes are one thing – but also build yourself a home lab. Show some enthusiasm and initiative. Be flexible – avoid just knowing a few specific tech tools. Network! (More to come on that).

Advice for Curmudgeons

If you’ve “seen it all” – you might appear grumpy. Grumpiness is OK, as long as you work with and support the junior folks. The SOC team isn’t a great place for a grump who wants to just be left alone. Toxic people are not welcome on a SOC team, no matter what skills they may have.

Important Tech Checklist for SOC

  • Coding / scripting
  • Understanding of network stack and knowing things like how routing, VLANs and ACLs work
  • Machine Learning / Automation (at least take some free courses for awareness)
  • Core security controls
  • Cloud technology infrastructure

Can a Red Teamer Be Good in a SOC?

Sure, if they want to be on the Blue Team. They typically have the right skill set. However, Red Teamers live to find and exploit weaknesses. Red Teamers don’

AlienVault 2018-12-07 14:00:00 Things I Hearted This Week, 7th December 2018

It’s December, so you’re either on holiday, wishing you were on holiday, or hoping the next security article you read isn’t related to predictions.

Well, I can’t help you with the holidays, but I can promise there will be no predictions here. It’s just good old-fashioned news of the juiciest stories that made my heart flutter.

US Postal Service

Ah, the good old USPS was running a weakness that allowed anyone who has an account to view details of around 60 million users, and in some cases modify the account details on their behalf.

Luckily, a security researcher spotted the error about a year ago and notified USPS.

Unluckily, the USPS didn’t respond to the researcher or fix the issue.

Luckily, the researcher reached out to a little-known cyber-reporter by the name of Brian Krebs, who contacted USPS, and lo and behold, a miracle happened and the issue was fixed in 48 hours!

This raises the question: is there anything lesser-known researchers, who don’t have the public profile of Brian Krebs, can do to help companies fix issues outside of a formally defined bug bounty program?

Back in September, Troy Hunt posted on this very topic: the effectiveness of publicly shaming bad security. That’s not to say I agree with shaming companies, but when you look at instances like USPS, you do wonder if there is a better way.

GCHQ Reveals it Doesn't Always Tell Firms if Their Software is Vulnerable to Cyber Attacks

In other words, spy agency keeps secrets.

There are four reasons given as to why GCHQ may not disclose flaws, being:

  1. There is no way to fix it
  2. The product is no longer supported
  3. The product is so poorly designed it can never be secure
  4. There is an overriding intelligence requirement that cannot be fulfilled in any other way

I particularly like number 4 as the catch-all clause. You could say there’s an overriding intelligence requirement to almost anything, and refuse to release any details under secrecy laws.

I’m not necessarily bashing GCHQ; governments have been known to stockpile exploits. They have a particular mission and objective, and this is how they go about fulfilling it. However, it does mean companies should not rely solely on GCHQ or other government agencies for their threat intelligence. Rather, building their own capabilities and threat-sharing channels remains necessary.

Scamming the Scammers

I don’t think there are many stories more satisfying than when scammers get taken for a ride. This time courtesy of Hacker Fantastic who got contacted by the famous singer Rhianna out of the blue to help her get some money.

AlienVault.png 2018-12-06 14:00:00 Password Stealers Aren't Letting up Any Time Soon (lien direct)

Password security has always been a challenge. Brute force attacks are constantly getting more powerful, but they aren’t the only threat you have to worry about. A range of password stealing malware continues to grow in popularity.

One example, Agent Tesla, has seen its detection rate grow 100% in just three months, according to data from LastLine. Despite this rapid growth, Agent Tesla is far from the most popular. That title goes to Pony, which represents 39% of the total password stealer detections, according to Blueliv’s 2018 report, The Credential Theft Ecosystem. LokiPWS and KeyBase trailed Pony at 28% and 16%, respectively.

These password stealers are each capable of stealing credentials and other information from a wide variety of programs. Each is unique with its own techniques for delivery and a range of features that hackers can use to mount attacks.

Despite the differences, each of these programs can have severe impacts on their victims. The negative impacts can range from having all of the money stolen from an individual’s accounts, to the theft of a company’s intellectual property. The key features of some of the most common password stealers are listed below:

Agent Tesla

Like most password stealers, Agent Tesla can access a wide variety of your information, ranging from your credentials to your keystrokes. It can even take screenshots and videos from your device’s camera. Agent Tesla targets a number of major programs, including web browsers, email clients, FTP applications and other commonly used software.

Once Agent Tesla has been installed on a target’s computer, it can also be used to download other malware. This feature allows threat actors to intensify their attacks and make them even more devastating.

Its pricing shows that the malware industry hasn’t been left behind in the X-as-a-service boom, because it is available as part of a plan that starts from $15 per month. This price includes all the 24/7 support someone might need to assist them in their criminal endeavors. Of course, payments are made in Bitcoin.

Despite running what must have been an incredibly profitable business, Agent Tesla’s creators have recently posted an update stating it will crack down on illegal use of the program. Under its terms of service, it declares that the software must only be used within the law, but features such as anti-antivirus throw these intentions into question.

Due to the recent media attention that Agent Tesla has received, the developers will strip some of its more questionable features, such as anti-antivirus and webcam capture. They also claim to be banning those who are using the program maliciously. Only time will tell whether the creators are sincere, or if this is merely an attempt to keep the authorities from knocking down their doors.


Pony is currently the most popular password stealer, but it’s certainly not new. In the past, it has been used to control a number of enormous botnets, which by 2013 had already stolen more than two million credential sets.

In 2014, it was involved in a series of attacks that stole $200,000 worth of cryptocurrencies, as well as 700,000 sets of credentials. In recent years, Pony has seen prominence as a loader alongside other malware, such as CryptoWall and Angler. These programs, a type of ransomware and an exploit kit, respective

AlienVault.png 2018-12-05 14:00:00 Protecting the Wrong Things (lien direct)

Businesses rely on technology more today than they ever have in the past. In fact, many business models are built entirely around a technology which, if disrupted, could spell ruin.

A traditional business with a brick and mortar presence is probably better-placed to withstand an extensive online disruption or outage. For example, if a bank’s online system or mobile app is unavailable, it has other options to fall back on – even if it does involve customers physically having to walk into branches to deposit cheques.

But those examples are rare, and even the most traditional of businesses are embracing the digital revolution at a rapid pace, vaporizing physical assets in the process. One only has to look at their smartphone and see how many physical items it has replaced, from maps, to flashlights, to cameras.

So, it’s important that the digital infrastructure that underpins the modern world is resilient. The ‘A’ in the security CIA of ‘Confidentiality, Integrity and Availability’ helped professionals focus on business continuity planning, and disaster recovery.

But have we been focusing on the wrong things?

Earthquake Resilient Buildings

Recently a building surveyor was explaining to me the concept of earthquake-resilient buildings. He highlighted an important point that in most countries, building code objectives are mapped to collapse resilience, not to damage. The analogy is akin to a car which has designated crumple zones to absorb the brunt of the force during an accident.

In other words, resilience in buildings and vehicles is all about saving lives - not the building or the vehicle.

Which makes me wonder whether businesses have focused on building resilience into the wrong parts. Is the industry focused more on saving the building or the vehicle at the expense of lives?

Broadly speaking, while lives are not literally at risk (although with IoT making its way into every facet of life, including medical devices, the risk does increase), there is a lot of personal information in companies’ possession that slips under the radar of most planning sessions. The response is often summed up as, “let’s offer free credit monitoring for a year for our affected customers.” In the building analogy, it’s the equivalent of, “Sorry your building collapsed and everyone died during the earthquake. Here’s a year’s coupon to stay in a local hotel.”

Crown Jewels

Companies are pretty good at protecting their own crown jewels. But they’re often limited in what they do for their customers.

One of the reasons is that the emphasis is put on the wrong type of information. PCI DSS is a well-meaning standard, but it forced companies to focus on protecting payment card data. The problem with this approach is that card data is pretty much a commodity. It naturally ages, and new cards need to be issued as a matter of course. A breach simply accelerates the process. The point being that payment cards have natural resilience built into them.

That’s not to say that when cards are breached there isn’t a cost associated. It’s to avoid bearing the burden of these costs that card issuers rallied to have PCI DSS implemented, with the threat of big penalties for any company that was breached. This in turn forced companies to disproportionately invest in protecting card numbers over actual customer information. Protecting the buildings at the expense of their inhabitants.

Regulations like GDPR are a step in the right direction with its focus on protecting the pr

AlienVault.png 2018-12-04 14:00:00 Is Cybersecurity Insurance on Your Holiday Shopping List? (lien direct)

Three simple steps to protecting your small business

Continued news reports of large-scale data breaches and the steady increase of cyber fraud like spam calls, identity fraud and unauthorized account access should be enough to scare anyone. So-called nation-state hackers attempting to infiltrate government entities and universities, massive data breaches, and new Ransomware threats are constantly in the headlines. So why doesn’t this encourage more small business owners to take cybersecurity more seriously?

Many small businesses are currently going digital and moving data, applications and services to the cloud. In fact, the most innovative small businesses have embraced digital transformation as an integral part of their growth plans. This evolution makes their business more vulnerable to a lurking hacker. And perhaps too trustingly, many small business owners think that because of their size, they are not a target. Hackers don’t discriminate. Malware doesn’t discriminate. Everyone is a target, and in fact, hackers see the data that small businesses have as a gateway to attacking larger businesses. And malware essentially looks for open doors (i.e. unpatched machines) to infect.

As we look to the start of a new year, there is no better time to assess your business’s cybersecurity posture – or in some cases start from scratch – to ensure you are prepared and can respond to cyberattacks. Here are a few affordable and simple recommendations that can improve your cybersecurity posture and help protect your business from the inevitability of a cyberattack in 2019:

  1. Stay Aware: The simplest thing you can do is to stay current on trends and threats affecting small businesses. We’ve seen unprecedented levels of attacks on small business in 2018, especially with Ransomware (where your device is essentially taken hostage for a fee). It’s essential to understand the types of attacks that could put your business at risk as well as the current cybersecurity landscape. Visit AT&T Cyber Aware for the latest news and for information on reporting fraud associated with your AT&T Business account.
  2. Hire a consultant: A consultant can take a holistic look at your business, identify the gaps and help you understand how to improve your cybersecurity posture. While some see consultants as an added expense, their role is essential for small businesses that don’t have an IT or cybersecurity expert on staff. A consultant can help you develop and implement a plan for threat monitoring, incident response and remediation that’s within your budget.
  3. Buy Cyber Insurance: Cybersecurity insurance isn’t new. Large enterprises have had cybersecurity insurance policies in place for decades now. However, 2019 is going to be the first year that it’s accessible and affordable to businesses of all sizes. For AT&T Business customers, this is made possible through policies underwritten by CNA, with Lockton Affinity serving as the insurance broker.

A recent Ponemon Institute Report found that in 2017, cyberattacks cost small and medium-sized businesses an average of $2,235,000. That’s a staggering number that will only continue to increase as hackers become more sophisticated and continue to target the most vulnerable.

My advice to

AlienVault.png 2018-12-03 14:00:00 Award-winning Quarter Caps a Phenomenal Year (lien direct)

We’ve had a lot to celebrate this year. AlienVault, now an AT&T company, has received many awards, including three this quarter. In October, USM Anywhere was named the 2018 Cloud Security Solution of the Year after receiving the most votes in the industry. This recognition validates our SaaS-driven deployment model that integrates critical security capabilities into a unified platform enabling faster threat detection and response across cloud and on-premises environments. Here’s a photo of Sophia Anastasi, AlienVault UK Partner Account Manager, accepting the award at Computing Security’s awards ceremony.

Our channel team is also receiving industry accolades. Last Thursday night at the Channelnomics Innovation Awards ceremony in New York City, Mike LaPeters, Vice President of Global Channels, accepted the award for Security Partner Program of the Year in North America. In October, Mike was selected as a winner of the 2018 Channel Futures Circle of Excellence Awards for his vision, innovation and advocacy of the indirect channel in helping AlienVault solution providers create business value for their customers.

On AlienVault receiving these awards, Mike said, “Both of these awards are a testament to our focus on enablement. We help participants in the AlienVault Partner Program to create new opportunities for business growth, expansion and profitability powered by AlienVault USM.”

With 2018 coming to close, we are excited to see what the new year brings as we continue to deliver phenomenal security products to our customers and solution providers.

AlienVault.png 2018-11-30 14:00:00 Things I Hearted this Week - 30th Nov 2018 (lien direct)

Last week I was off attending IRISSCON in Dublin and so there was no update, and this week I’ve been at the SANS EU Security Awareness Summit - so while I have been hearting things for the last two weeks, I’ve not had a chance to put them down.

I don’t want to miss two weeks in a row - so I’ll give you a quick download and hopefully normal service will resume next week!

Chat app Knuddels fined €20k under GDPR regulation

The chat platform violated GDPR regulation by storing passwords in clear text and for this reason, the regulator imposed its first penalty under the privacy regulation.

IOC Origins

Richard Bejtlich gives a historical view into the origins of IoCs.

The spread of low-credibility content by social bots

The massive spread of digital misinformation has been identified as a major threat to democracies. Communication, cognitive, social, and computer scientists are studying the complex causes for the viral diffusion of misinformation, while online platforms are beginning to deploy countermeasures. Little systematic, data-based evidence has been published to guide these efforts. Here we analyze 14 million messages spreading 400 thousand articles on Twitter during ten months in 2016 and 2017. We find evidence that social bots played a disproportionate role in spreading articles from low-credibility sources.

The $1M SIM Swap

A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.

A day in the life of a trickbot hunter

Nice writeup!

Crypto hacking

If you maintain any software libraries that deal with cryptocurrency wallet private keys, there's a huge incentive for hackers to compromise your library's dependencies, and the dependencies of those dependencies. That's what happened with this npm package.

Get SaaSy

The NCSC's new SaaS security collection provides a lightweight approach for determining the security of any SaaS application. The collection also includes security reviews of the 12 most asked-about SaaS services used across UK government.

AlienVault.png 2018-11-28 14:00:00 IAM and Common Abuses in AWS (lien direct)

This is the first of a 4 part blog series on security issues and monitoring in AWS.

Identity and Access Management (IAM) in AWS is basically a roles and permissions management platform. You can create users and associate policies with those users. Once those users are established, you get a set of keys (an access key and a secret key) which allow you to interact with an AWS account.

So, it's kind of like having a card key into the data center: if you get into the data center, you have physical access to assets and you can do a bunch of things. In the AWS world there is no physical access to a data center, so instead you create keys and use the API, and with the API you can do the same things that you would do in a physical environment, like racking servers in a data center.

Common IAM risks arise when someone gets hold of, for example, a set of keys with a policy attached that enables an attacker to get into the environment and do some potentially risky stuff.

Following are a couple examples:

  • EC2 instance creation or deletion. This is fairly common and relatively easy to do compared with the other examples. If somebody gets hold of a set of keys that allows them to create EC2 instances in your AWS account, that’s the first thing they're going to do. There are a lot of bots out there looking for this access, and if a bot finds a set of keys that allows it to start interfacing with EC2, it's going to spin up a bunch of instances - likely to start mining cryptocurrency.

This actually happened to Tesla, a pretty good sized company with quite a few resources to allocate to securing their infrastructure. There are many examples in the news about keys getting published to GitHub inadvertently, and there are bots out there scraping GitHub looking for access keys and the second they find them they’re in your AWS account seeing what they can do.

  • Another scenario is roles that do automated things, like take RDS snapshots or EBS snapshots. The attacker might abuse the automated process to back up various resources like EBS or an RDS database.

If an attacker gets access to that role or the keys associated with it and takes snapshots of these resources, they can deploy a new RDS database based on the snapshot. And when they do that they get to reset the passwords associated with the database. So now they've got access to all of your data without actually having to have the passwords required on the RDS instance.

It's the same thing with the EBS (Elastic Block Store) snapshot. If somebody is able to take a snapshot, basically of a hard drive in AWS, they can launch a new instance connected to that block store and do some interesting things with it.

For example, assuming they’re able to create an SSH key pair in your account, they could launch a new instance from the snapshot and assign their key pair to the instance, giving them full access to the data of the original instance. If they can’t create SSH keys in your account, they might try to mount the snapshot to an existing instance they can already access.

Basically this is a crafty way to work around credential control and access control. This is a technique that has actually been used to exfiltrate data out of AWS, just by taking snapshots.

  • The last example is account hijacking. One story that got some headlines a while back involved attackers getting full control of an AWS account through a set of keys. The account was compromised so thoroughly that trust in the service was eroded to
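Detection logic for the three abuse scenarios described above (snapshot sharing, restore-then-reset of an RDS instance, and an EC2 launch burst), as an added example that is not from the original post or from AlienVault. It runs over a handful of constructed CloudTrail-style events; the field names follow CloudTrail's JSON layout, but every access key id, snapshot id, account number and timestamp is made up.

```python
"""Three simple CloudTrail detections for the IAM abuse patterns above.

Rule 1: an EBS snapshot is shared with another account or made public
        (ModifySnapshotAttribute adding createVolumePermission entries).
Rule 2: an RDS instance is restored from a snapshot and, shortly after, the
        same principal sets a new master password on it.
Rule 3: one access key issues a burst of RunInstances calls in a short window.
"""
from datetime import datetime, timedelta


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2018-11-28T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_snapshot_sharing(events, own_account_id):
    """Rule 1: flag snapshots shared outside own_account_id or with 'all'."""
    findings = []
    for ev in events:
        if ev["eventName"] != "ModifySnapshotAttribute":
            continue
        params = ev.get("requestParameters") or {}
        added = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        snap = params.get("snapshotId")
        for item in added:
            if item.get("group") == "all":
                findings.append(("public-snapshot", snap, ev["userIdentity"]["accessKeyId"]))
            elif item.get("userId") and item["userId"] != own_account_id:
                findings.append(("cross-account-snapshot", snap, item["userId"]))
    return findings


def detect_rds_restore_then_reset(events, window=timedelta(hours=1)):
    """Rule 2: RestoreDBInstanceFromDBSnapshot followed within `window` by a
    ModifyDBInstance carrying masterUserPassword, by the same access key."""
    restores = {}  # (accessKeyId, dbInstanceIdentifier) -> restore time
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        params = ev.get("requestParameters") or {}
        key = ev["userIdentity"].get("accessKeyId")
        db = params.get("dBInstanceIdentifier")
        if ev["eventName"] == "RestoreDBInstanceFromDBSnapshot":
            restores[(key, db)] = parse_time(ev["eventTime"])
        elif ev["eventName"] == "ModifyDBInstance" and "masterUserPassword" in params:
            started = restores.get((key, db))
            if started and parse_time(ev["eventTime"]) - started <= window:
                findings.append(("rds-restore-then-password-reset", db, key))
    return findings


def detect_instance_burst(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 3: at least `threshold` RunInstances calls from one key in `window`."""
    launches = {}
    for ev in events:
        if ev["eventName"] == "RunInstances":
            key = ev["userIdentity"]["accessKeyId"]
            launches.setdefault(key, []).append(parse_time(ev["eventTime"]))
    findings = []
    for key, times in launches.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                findings.append(("ec2-launch-burst", key, in_window))
                break  # one finding per key is enough
    return findings


def run_all(events, own_account_id):
    return (detect_snapshot_sharing(events, own_account_id)
            + detect_rds_restore_then_reset(events)
            + detect_instance_burst(events))


def make_event(name, when, key, params):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": when, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}


OWN_ACCOUNT = "111111111111"  # constructed account id
SAMPLE_EVENTS = [
    make_event("ModifySnapshotAttribute", "2018-11-28T10:00:00Z", "AKIAEXAMPLEKEY01",
               {"snapshotId": "snap-0a1b2c3d4e5f60001", "attributeType": "CREATE_VOLUME_PERMISSION",
                "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}),
    make_event("ModifySnapshotAttribute", "2018-11-28T10:05:00Z", "AKIAEXAMPLEKEY01",
               {"snapshotId": "snap-0a1b2c3d4e5f60002", "attributeType": "CREATE_VOLUME_PERMISSION",
                "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}),
    make_event("ModifySnapshotAttribute", "2018-11-28T10:10:00Z", "AKIAEXAMPLEKEY01",
               {"snapshotId": "snap-0a1b2c3d4e5f60003", "attributeType": "CREATE_VOLUME_PERMISSION",
                "createVolumePermission": {"remove": {"items": [{"group": "all"}]}}}),  # benign
    make_event("RestoreDBInstanceFromDBSnapshot", "2018-11-28T11:00:00Z", "AKIAEXAMPLEKEY02",
               {"dBInstanceIdentifier": "prod-copy", "dBSnapshotIdentifier": "rds:prod-2018-11-27"}),
    make_event("ModifyDBInstance", "2018-11-28T11:12:00Z", "AKIAEXAMPLEKEY02",
               {"dBInstanceIdentifier": "prod-copy", "masterUserPassword": "****"}),
    make_event("ModifyDBInstance", "2018-11-28T12:00:00Z", "AKIAEXAMPLEKEY03",
               {"dBInstanceIdentifier": "prod", "backupRetentionPeriod": 7}),  # benign
] + [make_event("RunInstances", "2018-11-28T13:0%d:00Z" % i, "AKIAEXAMPLEKEY04",
                {"instanceType": "p3.16xlarge"}) for i in range(6)]

if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS, OWN_ACCOUNT):
        print(finding)
```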
AlienVault.png 2018-11-27 14:00:00 Security Orchestration, Automation and Response (SOAR) - The Pinnacle For Cognitive Cybersecurity (lien direct)

The cognitive tools/technologies of machine learning (ML) and artificial intelligence (AI) are impacting the cybersecurity ecosystem in a variety of ways. Applied AI machine learning and natural language processing are being used in cybersecurity by both the private and public sectors to bolster situational awareness and enhance protection from cyber threats. The algorithmic enablers that make ML and AI pinnacles of cybersecurity are automation and orchestration. 

Last year, the research and analyst firm Gartner coined the term SOAR. It stands for Security Orchestration, Automation and Response. A key element of SOAR has been the automation and orchestration elements. An excellent analysis of the impact of automation was provided by Stan Engelbrecht in his Security Week column, The Evolution of SOAR Platforms.

Stan noted “as SOAR platforms evolve, they are requiring less experience from users. Vendors embed security expertise into the products, in the form of pre-built playbooks, guided investigation workflows, and automated alert prioritization. 

Automation and orchestration features have also reached a level of sophistication where they can be integrated into an existing security framework without relying on users to know exactly what should be automated.”

Indeed, SOAR and corollary cybersecurity automation technologies combined with ML and AI tools can be viewed as a strong framework for mitigating evolving threats. AI and ML have emerged into new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms.

Three significant factors are heightening cyber risk:

1) Skilled Worker Shortage: It is widely noted that the cybersecurity industry is facing major skilled worker shortages. According to data published on Cyberseek, U.S. employers in the private and public sectors posted an estimated 313,735 job openings for cybersecurity workers between September 2017 and August 2018. That's in addition to the 715,000-plus cybersecurity workers already employed. It is not just a U.S. problem, but a global problem and the demand for skilled workers to address the growing prevalence and sophistication of cyber-threats is growing exponentially.

2) Expanding Digital Connectivity: The expanding connectivity of the Internet of Things (IoT) has greatly increased cyber vulnerabilities. IoT refers to the general idea of devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the internet. This includes everything from home appliances to wearable technology and cars. Gartner predicts that there may be nearly 26 billion networked devices on the IoT by 2020. The number of devices provides a larger attack surface with more targets for cyber criminals and makes defending networks and endpoints even more difficult.

3) Sophistication of Adversaries: Cybersecurity criminals are using machine learning techniques to discover vulnerabilities on their targets and to automate their own attacks (with increasing success). They often share tools available on the Dark Web and hacker attacks are now faster, more calculating, and more lethal. The threat actors are many and varied including nation states, criminal enterprises, and hacktivists.

AlienVault.png 2018-11-26 18:00:00 AlienVault Delivers Phenomenal Cloud Security for AWS Customers (lien direct)

Viva Las Vegas! We aliens have landed at AWS re:Invent 2018 (Booth #1506), bringing phenomenal threat detection, response, and compliance to the AWS cloud. As I gear up for a full day of live product demos, I thought I’d take a moment to highlight some of the ways in which AlienVault is delivering phenomenal security to our customers’ AWS environments and beyond.

We’re monitoring more AWS services than ever, giving you deeper security visibility of your AWS infrastructure.

In 2018, we’ve expanded the number of AWS services that USM Anywhere monitors to include Amazon GuardDuty, Amazon Macie, AWS Application Load Balancer, Amazon Redshift, AWS Lambda invocations, AWS Web Application Firewall, and Amazon API Gateway. This is in addition to the other services we monitor and alert on, including AWS CloudTrail, Amazon S3 access logs, Amazon ELB access logs, Amazon VPC flow logs, AWS Config, Amazon CloudFront, and Amazon CloudWatch. Expanding our AWS threat coverage continues to be a priority for us as more and more customers undergo digital transformations and begin to leverage cloud services and applications to run their businesses. USM Anywhere continuously and automatically monitors AWS infrastructure for threats and anomalous behaviors, assesses your AWS environment for vulnerabilities and configuration errors, and simplifies logging and reporting—all from one cloud-hosted platform.

What’s more, USM Anywhere centralizes security monitoring across AWS, multi-cloud, hybrid, and on-premises networks, including SaaS applications like Office 365 and G Suite, ensuring continuous coverage even as you migrate workloads and data from the network to the cloud and helping to eliminate security blind spots. This single-pane-of-glass approach alleviates the need to invest in multiple, siloed security monitoring tools for clouds, networks, and data centers, as John Chesser, Director of Cybersecurity Solutions at DataPath, a certified AlienVault MSSP, pointed out. “There's time, money, resources that are impacted by having to use the multitude of products out there. With USM Anywhere, I've got it all."

We’re keeping your defenses current with continuous AWS-specific threat intelligence.

As part of the continuous threat intelligence subscription built into USM Anywhere, the AlienVault Labs Security Research team maintains an AWS-specific correlation rule set. Threat actors are increasingly targeting insecure cloud accounts to access exposed data or set up cryptojacking operations. Once an attacker has gained access to your AWS account, their actions and behaviors may be unique or specific to the environment, such as programmatically spinning up new services. It’s not enough to rely on traditional threat intelligence, which focuses on network threats rather than cloud-specific attacks. That’s why the AlienVault Labs Security Research Team curates AWS-specific threat intelligence, researching and analyzing millions of security events every day using a combination of machine learning, human analysis, and the community-sourced threat data of the AlienVault Open Threat Exchange (OTX) and its 100,000+ global participants.

Here are a few examples of AWS-specific correlation rules added in 2018:

  • The password associated with an administrator of a Windows instance was retrieved through the AWS console, which may indicate co
AlienVault.png 2018-11-20 14:00:00 Let's Talk about Segregation of Duties (lien direct)

Segregation of duties is a fundamental information security practice. In simple terms, it means you split out important tasks between two or more people. This prevents one person getting drunk on all the power they wield, and also prevents one person from making a mistake that can have undesired consequences.

One of the best examples of segregation of duties can be seen in movies when it comes to launching nuclear missiles. The system relies on two people on opposite sides of the console to put in and turn their keys at the same time. This segregation or separation of duties ensures that one person can’t launch a nuclear missile on their own.

Segregation of duties works best when there is a clearly defined function and where there is some physical separation.

For example, in a call centre or a banking app, a junior administrator may be able to authorise payments up to $500, but anything above that would need a supervisor’s approval. The junior admin can enter the details and send them off to the supervisor, who can then approve or decline the payment.

But in many cases, the broader application can sometimes have some flaws.

In one of my first jobs in IT Security, our team had implemented a process for separating duties whenever a new HSM key (key change ceremony) needed to be loaded.

I worked in the team that would have half the password to complete this task, and another team would hold the other half. Much like the end of the film Bulletproof Monk; I even had my half of the password tattooed on my back – I still don’t know what it says to this day.

Once a project was underway, it meant I’d have to travel across the country to the data centre with my half of the password in order to change the key with the help of a colleague.

The only problem with that is - have you ever worked on a project? It’s never on time - always delayed. And datacenters are COLD!

So here I was sat in a datacenter with this other guy who was about 50, but was clearly experienced in these projects as he was sitting under a blanket he’d brought, reading his book and munching on some snacks.

What’s wrong with this scenario? Other than the fact that I didn’t have a blanket or snacks, it’s that we’d travelled from different parts of the country, each with half of a password, only to sit together for hours, invalidating all the expensive measures taken to segregate the two halves of the password.

Even worse, I had no idea what I was doing or how to do it. I was told the documentation was up to date and easy to follow - but documentation being up to date is one of the biggest lies our team told. So, I ended up having to ask my colleague to help me out -  which inevitably meant I gave him my half of the password and asked him to enter it… yeah, separation of duties kind of fell apart right there.

Having said that, those were simpler times, there was no bring your own device, and there certainly wasn’t anything hosted in the cloud.

Many times when organisations adopt cloud apps, they overlook segregating duties, or defining job functions for role-based access control (RBAC). So, it ends up with an all-or-nothing approach, which works fine if all employees are trustworthy and never make a mistake. Unfortunately, it’s all too easy to make a mistake.

When a single contractor is able to inadvertently leak the personal details of all employees in the database, one has to consider whether one person should have the power to do that, or if the access sh

AlienVault.png 2018-11-19 14:00:00 Is the Internet of Things Threatening Your Company's Security? (lien direct)

The internet of things (IoT) is changing nearly every industry. Smart devices that can collect and process data, and even make decisions based on that data through artificial intelligence, promise to disrupt business as we know it for years to come.

However, there are some legitimate concerns. The more connected devices your company has, the more potential vulnerabilities are out there. As business owners we want to be able to access the data we collect through the IoT, but we also need to be able to protect that data, and we bear the responsibility for keeping that data secure.

This, like many areas of business, is a time for brutal honesty. If you have vulnerabilities, you need to fix them. You don’t want to be part of the headlines about companies who acted too late or not at all. Your security must adapt to the IoT, and it needs to do so now.

Is the internet of things threatening your company’s security? There are a few questions you will need to ask yourself and your IT department to truly determine the answer:

How do I know?

Most experts agree that the weakest points in any network are the devices that make up the IoT. For example, if you have smart light bulbs in your home, they are probably controlled by a hub, which not only gives you more flexibility in controlling them but also acts as a security boundary so they do not become a weak point in your network.

This is why an intrusion detection system (IDS) is so important. Technologies from companies like AlienVault allow you to monitor for threats and even give you advice on how to prevent harm from them. Remember that there is more than one area of vulnerability in any system: cloud-based IDS, network IDS and host-based IDS, along with file integrity monitoring, are all essential parts of your strategy.

These alerts tell you there is an attack and can even reveal threats to you, which allows you to put remediation and prevention strategies in place. But what are the threats you should be aware of?

What are the threats?

Why don’t we have houses that are completely smart and controlled by IoT devices? What about our cars? Part of the reason is that an attacker with the right tools could potentially take control of a house or even a connected car away from the owner or driver. The $81 million theft from Bangladesh Bank is often cited in this context, but that attack went through malware on the bank’s SWIFT payment systems rather than through IoT devices; it shows the cost of a compromised system, not a weakness specific to the IoT.

What are these types of attacks? There are actually several, and they mirror other types of cyberattacks.

  • Distributed Denial of Service (DDoS): large numbers of compromised IoT devices are used to flood a target with traffic until it can no longer serve legitimate users.
  • Device takeover: control of a device or system is taken by an attacker. The Chrysler/Jeep case is the well-known example, where researchers took control of a vehicle remotely through its internet-connected head unit. Sometimes this comes with ransomware, where the owner or user has to pay to get that control back.
  • Malware: IoT devices can be used by an attacker to spread malware, sometimes to more than one devic
AlienVault.png 2018-11-16 14:00:00 Things I Hearted this Week - 16th November 2018 (lien direct)

Collecting stories over the course of the week is always fun. You start reading one story, and before you know it you’re down the rabbit hole of technology, security, and privacy, reading papers on how scientists want to embed IoT devices in giraffes’ necks.

Fear not, I am here to strip away the mundane and irrelevant and bring you only the best in news, designed to make your heart flutter.

Why Google consuming DeepMind Health is scaring privacy experts

Google’s decision to bring DeepMind Health, the medical unit of the AI-powered company it acquired four years ago, closer to the mothership may leave 1.6 million NHS patients with “zero control” over where their personal data goes, experts say – while an independent body set up to oversee the protection of such data has been broken up.

While there’s no denying that there are huge benefits to be gained from better aggregation and analysis, the questions are: by whom, with what oversight, and where does it end?

In related Google news, the company has published its first quarterly transparency report with stats on the security of the Android ecosystem.

On a side note, maybe we give big data analytics too much credit sometimes.

User Behavior Analytics Could Find a Home in the OT World of the IIoT

UBA has been around in data-centric IT for at least four years, but it has never become industry-standard primarily because in the real world, user behavior in IT is so varied and complex that UBA often creates more false alarms than useful ones. In IT, UBA has often failed to find the dangerous needle in the immense haystack of user behavior. But user behavior in process-centric OT is much simpler: OT systems run the plant, and scripted user activity is nowhere near as varied as in IT, with its multiple endpoints and inputs, email browsing, multipart software stacks, etc.

Busting SIM Swappers and SIM Swap Myths

SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments.

REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts“) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars.

AlienVault.png 2018-11-15 17:12:00 Defending Against Zero-Day Attacks with AlienVault USM Anywhere (lien direct)


Recently, an AlienVault customer reached out to ask how AlienVault handles the detection of  zero-day attacks, which are exploits against previously unknown vulnerabilities. In this blog, I shed light on how we approach this.

Modern security products rely on some definition of threats, whether that definition is as specific as a signature that identifies a unique strain of malware or as general as a behavior pattern that threat actors employ broadly across different strains of malware. The challenge of security is keeping those definitions up to date as attacks emerge and evolve in the wild every single day. Most organizations outside of the Fortune 500 do not have the resources to tackle this challenge on their own. 

There are a few approaches to this challenge of staying ahead of the always-shifting threat landscape and new zero-day attacks. One is to discover vulnerabilities before threat actors discover them and figure out how to exploit them. Another is to identify the active exploit in the wild early and update your defenses immediately to detect and respond to it.

AlienVault uses both of these approaches to keep our customer environments secure in the face of zero-day attacks. Let’s take a deeper look at how.

Early Access to New Vulnerability Information

One way to stay ahead of emerging threats is to know about the vulnerability before threat actors have an opportunity to exploit it. As soon as a new software vulnerability or security flaw becomes public knowledge, threat actors go to work, taking advantage of the time it takes for security vendors to update their tools and for security teams to then identify and patch their vulnerabilities. That’s why it’s a security best practice for security researchers to inform security vendors of new threats and vulnerabilities before they announce them to the general public.

For example, AlienVault participates in Microsoft’s Microsoft Active Protections Program (MAPP). Through this program, AlienVault Labs receives early access to new vulnerability information for Microsoft and Adobe products before Microsoft publishes it in its monthly security update. This allows us to update the defenses in USM Anywhere ahead of a public announcement, giving our customers a headstart in identifying and remediating the vulnerabilities in their environments.

Discovering Zero-Day Attacks as they Emerge in the Wild

Of course, the “good guys” are not always the first to discover new vulnerabilities.  All too often, threat actors find and exploit vulnerabilities before vendors have the opportunity to discover and release patches for them. Thus, zero-day vulnerabilities are often discovered after they’ve been exploited in a successful zero-day attack. That’s why it’s important to have a constant watchful eye on the global threat landscape as well as the ability to operationalize new threat information as soon as it becomes available.

The Power of the Global Threat Intelligence Community

AlienVault has a couple of strategies here.  First, AlienVault USM Anywhere is unique in its ability to detect zero-day attacks thanks to its direct integration with the Open Threat Exchange (OTX), the world’s largest open threat intelligence sharing community. The global OTX community of over 100,000 security researchers and practitioners contribute 19 million pieces of threat data daily, and they often alert the community within the initial minutes or hours of discovering an attack in the wild. This threat data is available to any OTX user to consume in their security tools. For AlienVault USM Anywhere users, OTX threat data is integrated and ready to use in the platform. Users can subscribe to any OTX Pulse to enable security alerting
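To make the "subscribe to a pulse and alert on it" step concrete, here is an added example of what consuming shared indicators looks like once they reach your own tooling: match a pulse's indicators against proxy log lines. The code is added here and is not AlienVault's or OTX's; the pulse is constructed and only modelled on the OTX pulse JSON layout (the field names `name`, `indicators`, `type`, `indicator` and the type labels are taken as an assumption), the log format is invented, and every address, hostname and hash is constructed. The domain check deliberately covers subdomains while rejecting lookalikes that merely end in the same characters, a mistake that produces noisy or missed alerts in practice.

```python
"""Added example, not AlienVault's or OTX's own code: match the indicators
from a threat-intelligence pulse against proxy log lines.  The pulse is
constructed and only modelled on the OTX pulse JSON layout; the log format,
addresses, names and hashes are constructed too."""
import json
import re
from collections import defaultdict

PULSE_JSON = """
{
  "name": "Constructed pulse: hypothetical downloader campaign",
  "indicators": [
    {"type": "IPv4", "indicator": "203.0.113.10"},
    {"type": "domain", "indicator": "malicious.example"},
    {"type": "hostname", "indicator": "drop.badhost.example"},
    {"type": "FileHash-SHA256",
     "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
  ]
}
"""

# Constructed proxy log: timestamp, client, server, HTTP host, SHA-256 of any
# downloaded file ("-" when nothing was downloaded).
SAMPLE_LOG = """\
2018-11-15T09:58:02Z src=10.0.0.21 dst=198.51.100.7 host=cdn.example.net sha256=-
2018-11-15T10:02:11Z src=10.0.0.5 dst=203.0.113.10 host=update.malicious.example sha256=-
2018-11-15T10:05:40Z src=10.0.0.9 dst=198.51.100.20 host=files.example.org sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2018-11-15T10:07:13Z src=10.0.0.9 dst=198.51.100.21 host=notmalicious.example sha256=-
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) sha256=(?P<sha256>\S+)"
)


def load_indicators(pulse_json: str):
    """Group the pulse's indicators by type, normalised to lower case."""
    pulse = json.loads(pulse_json)
    by_type = defaultdict(set)
    for entry in pulse["indicators"]:
        by_type[entry["type"]].add(entry["indicator"].strip().lower())
    return pulse["name"], by_type


def host_matches_domain(host: str, domain: str) -> bool:
    """A domain indicator covers the domain itself and its subdomains, but
    not a lookalike that merely ends with the same characters."""
    return host == domain or host.endswith("." + domain)


def match_log(log_text: str, pulse_json: str):
    """One hit per log line that touches an indicator, listing which
    indicator type(s) and value(s) fired."""
    name, ioc = load_indicators(pulse_json)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production, count and review these
        ev = m.groupdict()
        host = ev["host"].lower()
        sha = ev["sha256"].lower()
        fired = []
        if ev["dst"] in ioc["IPv4"]:
            fired.append(("IPv4", ev["dst"]))
        if host in ioc["hostname"]:
            fired.append(("hostname", host))
        for domain in ioc["domain"]:
            if host_matches_domain(host, domain):
                fired.append(("domain", domain))
        if sha in ioc["FileHash-SHA256"]:
            fired.append(("FileHash-SHA256", sha))
        if fired:
            hits.append({"ts": ev["ts"], "src": ev["src"], "pulse": name, "indicators": fired})
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, PULSE_JSON):
        print(hit["ts"], hit["src"], hit["indicators"])
```

Run as-is it reports two hits: the client that reached the listed IP via a subdomain of the listed domain, and the client that downloaded a file with the listed hash; the lookalike host on the last line is correctly ignored.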

AlienVault.png 2018-11-14 14:00:00 Top 10 PCI DSS Compliance Pitfalls (lien direct)

Despite the fact that PCI DSS has been in effect for over a decade, and most merchants are achieving compliance, some of the world’s largest retailers have been hit by data breaches. The sad truth is that achieving compliance doesn’t guarantee data protection, even for large organizations.

For example, more than five million credit card numbers were stolen in 2018 hacks of two major retailers. 

Earlier this year, I hosted a webcast with Jacques Lucas from Terra Verde (one of our partners) covering challenges and best practices for achieving and maintaining compliance with PCI DSS. In his role as a QSA, Jacques has "seen it all" in terms of what commonly causes stumbling blocks for organizations on their compliance journey, which he summarized in a slide covering the Top 10 Pitfalls for PCI DSS Compliance.

As a follow-on from the webcast, I wanted to dive into that area further to provide tips and best practices to help companies address those Top 10 Pitfalls for PCI DSS.

1. Improper scoping

The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that handle cardholder data. A common mistake is to overlook the systems that support and secure the CDE and fail to include them in scope.

Specifically, any systems involved in managing the security of in-scope systems are also considered in scope, and need to be secured and monitored. Some examples include: IAM servers; domain controllers; key management servers; firewalls, IDS and IPS systems; log management and SIEM systems; AV management servers; and more.

Pro-tip: Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies. Additionally, monitor all access activity to validate compliance and respond to emerging risks.

2. Failing to patch systems regularly

PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. The challenge is that patching processes can be very disruptive, and even well-established companies can easily fall behind. For example, in one high profile breach it took the company more than four months to identify an unpatched vulnerability that provided a foothold for their devastating data breach.

Pro-tip: Identifying unpatched assets and applications is a must. Be sure you schedule regular vulnerability assessment scans and prioritize patching and remediation procedures for your in-scope systems. Monitor your in-scope systems with a combination of security controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation.
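The two pitfalls above, scoping and patching, feed into each other: you cannot prioritise the 30-day patch window for in-scope systems until you know which supporting systems are actually in scope. The following is an added example (not from the original post or any AlienVault product) that derives scope from an asset inventory by pulling in every system that supports or secures an in-scope one, then reports the in-scope critical patches that have exceeded the requirement 6 window. The asset names, the "supports" relationships, the patch identifiers, the release dates and the scan date are all constructed.

```python
"""Added example, not from the original post: derive PCI DSS scope from an
asset inventory (cardholder-data systems plus everything that supports or
secures them), then find in-scope critical patches outstanding beyond the
30-day window.  Every asset, relationship, patch record and date below is
constructed."""
from datetime import date

# Constructed inventory.  "supports" lists the assets this one manages,
# authenticates, protects or monitors.
ASSETS = {
    "pos-app":       {"handles_chd": True,  "supports": []},
    "card-db":       {"handles_chd": True,  "supports": []},
    "dc01":          {"handles_chd": False, "supports": ["pos-app", "card-db"]},
    "siem":          {"handles_chd": False, "supports": ["pos-app", "card-db", "dc01"]},
    "av-mgmt":       {"handles_chd": False, "supports": ["dc01"]},
    "marketing-web": {"handles_chd": False, "supports": []},
    "wiki":          {"handles_chd": False, "supports": ["marketing-web"]},
}

# Constructed vulnerability-scan output: (asset, patch, severity, release date)
PATCHES = [
    ("pos-app", "KB-1001", "critical", date(2018, 9, 20)),
    ("card-db", "KB-1002", "high",     date(2018, 10, 25)),
    ("av-mgmt", "KB-1003", "critical", date(2018, 10, 1)),
    ("siem",    "KB-1004", "critical", date(2018, 11, 5)),
    ("wiki",    "KB-1005", "critical", date(2018, 8, 1)),
]

SCAN_DATE = date(2018, 11, 14)     # constructed date of the scan run
CRITICAL_PATCH_WINDOW_DAYS = 30    # PCI DSS requirement 6: critical patches within a month


def pci_scope(assets: dict) -> set:
    """Start from assets that handle cardholder data and keep pulling in
    anything that supports an in-scope asset until nothing changes."""
    in_scope = {name for name, a in assets.items() if a["handles_chd"]}
    changed = True
    while changed:
        changed = False
        for name, a in assets.items():
            if name not in in_scope and any(t in in_scope for t in a["supports"]):
                in_scope.add(name)
                changed = True
    return in_scope


def overdue_critical_patches(patches, in_scope, today=SCAN_DATE):
    """In-scope critical patches older than the window, most overdue first."""
    overdue = []
    for asset, patch, severity, released in patches:
        age = (today - released).days
        if asset in in_scope and severity == "critical" and age > CRITICAL_PATCH_WINDOW_DAYS:
            overdue.append((asset, patch, age))
    return sorted(overdue, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    scope = pci_scope(ASSETS)
    print("in scope:", sorted(scope))
    for asset, patch, age in overdue_critical_patches(PATCHES, scope):
        print(f"{asset}: {patch} outstanding for {age} days")
```

Note how the AV management server lands in scope only transitively (it secures the domain controller, which secures the card systems), which is exactly the kind of supporting system that gets missed; its overdue patch would never appear on a report built from the cardholder-data systems alone.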

3. Failing to audit access to cardholder data

PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring multi-factor authentication for all remote access to in-scope systems (and, since version 3.2, for all non-console administrative access to the CDE). While many organizations have implemented multi-factor authentication, they often fail to audit this access to verify that the controls are working as expected.

In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise, used in more than 39% of the merchant breaches it investigated.

Pro-tip: Implement two-factor authentication on all of your CDE assets. Sched
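Auditing that the control actually fired is the step most teams skip. As an added example (not from the original post), the following correlates remote logins with the multi-factor step in an authentication log and lists the remote logins that had no completed MFA within a short window. The log format, the event names, the 90-second window and every user, address and timestamp are constructed assumptions; a real audit would read the VPN concentrator's and the MFA provider's own logs.

```python
"""Added example, not from the original post: audit remote-access logs to
verify that every remote login was accompanied by a completed multi-factor
step.  The log format, event names, window and all users, addresses and
timestamps are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy: the MFA prompt must complete within 90 s after the login event.
MFA_WINDOW = timedelta(seconds=90)

# Constructed log lines: <timestamp> user=<name> src=<ip> event=<type>
SAMPLE_LOG = """\
2018-11-14T08:00:01Z user=alice src=203.0.113.5 event=vpn_login
2018-11-14T08:00:09Z user=alice src=203.0.113.5 event=mfa_ok
2018-11-14T08:15:30Z user=bob src=198.51.100.77 event=vpn_login
2018-11-14T08:20:00Z user=carol src=10.20.0.4 event=console_login
2018-11-14T09:02:45Z user=dave src=203.0.113.9 event=vpn_login
2018-11-14T09:07:00Z user=dave src=203.0.113.9 event=mfa_ok
"""


def parse(log_text: str):
    """Turn each line into a dict with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        ts_str, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def remote_logins_without_mfa(events):
    """Remote (VPN) logins with no mfa_ok for the same user inside the window.
    Console logins are ignored here; the standard treats them separately."""
    mfa_times = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa_ok":
            mfa_times[ev["user"]].append(ev["ts"])
    findings = []
    for ev in events:
        if ev["event"] != "vpn_login":
            continue
        covered = any(timedelta(0) <= t - ev["ts"] <= MFA_WINDOW for t in mfa_times[ev["user"]])
        if not covered:
            findings.append((ev["ts"], ev["user"], ev["src"]))
    return findings


def mfa_coverage(events) -> float:
    """Fraction of remote logins that had a completed MFA step: a number you
    can put in front of a QSA rather than a statement that MFA 'is enabled'."""
    remote = [ev for ev in events if ev["event"] == "vpn_login"]
    if not remote:
        return 1.0
    return 1 - len(remote_logins_without_mfa(events)) / len(remote)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ts, user, src in remote_logins_without_mfa(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} remote login by {user} from {src} with no MFA")
    print(f"MFA coverage: {mfa_coverage(evs):.0%}")
```

On the constructed sample, bob never completed MFA and dave's MFA arrived minutes after the login rather than seconds, so both are reported; alice is covered and carol's console login is outside this check.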

AlienVault.png 2018-11-13 14:00:00 New Vice President of Asia Pacific Graham Pearson Joins the Alien Nation (lien direct)

Today, we are happy to share that Graham Pearson has been appointed Vice President of Asia Pacific (APAC) for AlienVault, an AT&T company. In this role, Graham will lead our operations and sales strategy in the region. He is excited about joining AlienVault and providing APAC companies with the unified security management approach they need in moving to the cloud and keeping up with today’s evolving threats. “Joining AlienVault is a huge opportunity for me; it’s the right time and they have the right product at the right price for enabling fast, effective threat detection and response.”

With more than 30 years of sales experience in the IT industry, 22 of those in cybersecurity, Graham has worked with Fortune 500 companies and fast growing start-ups. Most recently, he was Vice President for Okta, an identity management company, in APAC. In four years, he grew Okta’s Australian office from one employee to 50, supporting 400+ customers in the sales territory. Graham’s experience includes sales leadership roles for Oracle’s Security and Identity Management solution and Security Business Unit within the Fusion Middleware space. He also held various sales positions at CA Technologies and Websense for security products.

When Graham is not working, he enjoys spending time with his wife and two kids, ages 17 and 13. Here’s more about Graham’s journey to AlienVault!

Here’s a picture of Graham with his wife, Leila, while vacationing in Las Vegas.

AlienVault.png 2018-11-09 14:00:00 Things I Hearted this Week, 9th Nov 2018 (lien direct)

Another week, another trove of articles I read so that I could bring you only the best. Because that’s just the kind of person I am. You’re welcome.

A SOCless detection team

I can’t remember if I shared this article a few months back, and I’m too lazy to go take a look - but it’s worth revisiting.

We don’t talk about threat detection and response without mentioning a SOC in the same breath. But a SOC is just one mechanism to facilitate the desired outcome. What if we could achieve the same result, but without a SOC?


Hey there! How much are you worth?

Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all?

US Cyber Command starts uploading foreign APT malware to VirusTotal

I think this is a good move, the more sharing, the better for defensive security right? Of course there are always caveats and scenarios where one would not share, but broadly speaking I hope more companies and government departments jump on board.

The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community. The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.

You're Going To Get Breached -- So How Should You Respond?

We live in an age in which the rate of technological advancement is unparalleled. But of course, with new technologies come new security vulnerabilities. The best example is the imminent arrival of 5G and the rise of connected devices, which alone already present numerous vulnerabilities. According to Ponemon Institute's 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report, 52% of organizations are not confident their current anti-virus software will protect them from ransomware.

Even with the rise of artificial intelligence in cybersecurity and enhanced defensive software capabilities, hackers have shown themselves to be consistently one step ahead. With this in mind, businesses need to stop asking, “Will I be hacked?” and instead tackle the inevitable question, “When will I be hacked?”

AlienVault.png 2018-11-08 14:00:00 Beginner's Guide to Open Source Intrusion Detection (IDS) Tools (lien direct)

Originally written by Joe Schreiber

Re-written and edited by Trevor Giffen (Editorial Contractor)

Re-re edited and expanded by Rich Langston

Whether you need to monitor hosts or the networks connecting them to identify the latest threats, there are some great open source intrusion detection (IDS) tools available to you.

List of Open Source IDS Tools

  • Snort
  • Suricata
  • Bro
  • Samhain Labs
  • OpenDLP

IDS Detection Techniques

There are two primary threat detection techniques: signature-based detection and anomaly-based detection. The difference matters when you’re deciding whether to go with a signature or anomaly detection engine, although vendors have become aware of the benefits of each, and some are building both into their products. Learning their strengths and weaknesses enables you to understand how they can complement one another.

Signature-based IDS Tools

With a signature-based IDS, aka knowledge-based IDS, traffic is searched for rules or patterns that describe known malicious activity. Once a match to a signature is found, an alert is sent to your administrator. These alerts can discover issues such as known malware, network scanning activity, and attacks against servers.

Anomaly-based IDS Tools

With an anomaly-based IDS, aka behavior-based IDS, the activity that generated the traffic is far more important than the payload being delivered. An anomaly-based IDS tool relies on baselines rather than signatures. It searches for unusual activity that deviates from statistical averages of previous activity or from activity previously seen. For example, if a user always logs into the network from California and accesses engineering files, the same user logging in from Beijing and looking at HR files is a red flag.

Both signature-based and anomaly-based detection techniques are typically deployed in the same manner, though one could make the case (and people have) for building an anomaly-based IDS on externally collected NetFlow data or similar traffic information.

Advantages and Disadvantages

Fewer false positives occur with signature-based detection but only known signatures are flagged, leaving a security hole for the new and yet-to-be-identified threats. More false positives occur with anomaly-based detection but if configured properly it catches previously unknown threats.
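To show the trade-off rather than just state it, here is an added example (not code from the original guide or from any of the tools it lists) that runs a signature check and an anomaly check over the same constructed event stream. The signature rule is a regex content match in the spirit of a Snort-style rule; the anomaly check learns each user's usual (country, share) pairs from their first few events and flags a new pair afterwards. The events, the rules, the baseline size and every user, location and path are constructed.

```python
"""Added example, not from the original guide: a signature-based check and
an anomaly-based check over one constructed event stream, to show what each
catches and misses.  Signatures, baseline size, users, locations and paths
are all constructed."""
import re
from collections import defaultdict

# Constructed events: who, from where, what was accessed, plus the raw request line
EVENTS = [
    {"user": "jane", "country": "US", "resource": "/eng/design.doc", "request": "GET /eng/design.doc"},
    {"user": "jane", "country": "US", "resource": "/eng/specs.doc", "request": "GET /eng/specs.doc"},
    {"user": "jane", "country": "US", "resource": "/eng/roadmap.doc", "request": "GET /eng/roadmap.doc"},
    {"user": "raj",  "country": "IN", "resource": "/sales/q3.xls", "request": "GET /sales/q3.xls"},
    {"user": "raj",  "country": "IN", "resource": "/sales/q4.xls", "request": "GET /sales/q4.xls"},
    # Jane's account now appears from Beijing reading HR files: nothing in the
    # request matches a signature, but the behaviour breaks her baseline.
    {"user": "jane", "country": "CN", "resource": "/hr/salaries.xls", "request": "GET /hr/salaries.xls"},
    # A traversal attempt from Raj's usual location and share: the signature
    # fires, while the anomaly check sees a familiar user, country and share.
    {"user": "raj",  "country": "IN", "resource": "/sales/../../etc/passwd", "request": "GET /sales/../../etc/passwd"},
]

# Signature rules: a name plus a regex applied to the raw request (Snort-style content matching in miniature)
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "shell-command-in-uri": re.compile(r"(;|\|)\s*(cat|sh|bash)\b"),
}


def top_level_share(resource: str) -> str:
    """'/hr/salaries.xls' -> 'hr'"""
    return resource.strip("/").split("/", 1)[0]


def signature_detect(events, signatures=SIGNATURES):
    """Return (event index, signature name) for every rule that matches."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in signatures.items():
            if rx.search(ev["request"]):
                hits.append((i, name))
    return hits


def anomaly_detect(events, baseline_events=2):
    """Learn each user's (country, share) pairs from their first N events,
    then flag any later event that introduces a pair never seen for them."""
    seen = defaultdict(set)
    counts = defaultdict(int)
    hits = []
    for i, ev in enumerate(events):
        user = ev["user"]
        key = (ev["country"], top_level_share(ev["resource"]))
        if counts[user] >= baseline_events and key not in seen[user]:
            hits.append((i, f"new country/share for {user}: {key}"))
        seen[user].add(key)   # everything, including the anomaly, becomes baseline
        counts[user] += 1
    return hits


if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))
    print("anomaly hits:  ", anomaly_detect(EVENTS))
```

Each engine catches exactly one of the two bad events and misses the other, which is the complementarity the text describes. The last line of `anomaly_detect` also shows the weakness a practitioner has to manage: once flagged, the Beijing/HR pair joins Jane's baseline, so a patient attacker who gets one event past review has poisoned the model.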

Network-Based IDS (NIDS)

Network-based intrusion detection systems (NIDS) operate by inspecting all traffic on a network segment in order to detect malicious activity. With NIDS, a copy of traffic crossing the network is delivered to the NIDS device by mirroring the traffic crossing switches and/or routers.

A NIDS device monitors and alerts on traffic patterns or signatures. When malicious events are flagged by the NIDS device, vital information is logged. This data needs to be monitored in order to know an event happened. By combining this information with events collected from other systems and devices, you can see a complete picture of your network’s security posture. Note that none of the tools here correlate logs by themselves; that is generally the function of a Security Information and Event Management (SIEM) system.

Snort

Ah, the venerable piggy that loves packets. Many people will remember 1998 as the year Windows 98 came out, but it was also the year that Martin Roesch first released Snort. Although Snort wasn't a true IDS at the time, that was its destiny. Since then it has become the de-facto standard for IDS, than

AlienVault.png 2018-11-06 14:00:00 The Many Ways your Phone Communicates (lien direct)

Are you familiar with all the ways that your smart phone communicates? The other evening, at dinner, I was describing to a friend how the VPN software I use on my phone masks my location when I am on the internet. Sometimes, I am in Helsinki, and other times, I may be in another part of the world. My friend asked “how expensive are your data charges for all the texts you receive while you are masquerading around the globe?” I realized that she was unfamiliar with all the ways that a smart phone communicates. Others at the table were also curious.

You have probably heard about how the smart phone in your pocket is more powerful than the computer that powered the Apollo Space missions.  Not only is your phone computationally more powerful, but it can also communicate across more conduits, most of which did not exist back in those early days of space exploration.  These technologies are separate and distinct.

Here are some non-technical explanations that we, as InfoSec professionals, should share with our friends and family about how a phone communicates:

Text messages rely on a cell number in order to function. This is controlled by the Subscriber Identity Module (the SIM card), which resides in the phone. Your SIM card holds your cell phone number. Anyone who can access your SIM card can make phone calls under your identity and, sadly, leave you holding the bill. This is why it is very important to report a lost phone to your cell phone provider. It does not matter if your phone is password protected: unless the SIM itself is locked with its own PIN, the SIM card can be moved to any similar unlocked phone and used to make phone calls and receive your texts.

Internet and other data connections are carried over IP. The phone relies on information from the SIM card to determine the carrier, but data does not use the same signalling pathway as a text message, and a VPN only tunnels the IP traffic. That is why using a VPN does not result in international text charges.

You can connect to any Wi-Fi network in the absence of a SIM card. The Wi-Fi signal does not need a phone number or a carrier to communicate; it relies on the Wi-Fi provider to complete its connection. Of course, you cannot receive carrier text messages (SMS) without a SIM card, even on Wi-Fi, and your phone will usually remind you that there is no SIM card installed.

Recently, 75% of Americans experienced a test of the “Presidential Alert” system.  Even if your phone was in silent mode, the alert triggered the klaxon-level alarm on the device.  This raised some speculation by none other than the comically adorable John McAfee about the presence of an “E911” chip on the phone.  Bruce Schneier commented that, “This is, of course, ridiculous. I don't even know what an E911 chip is. And -- honestly -- if the NSA wanted in your phone, they would be a lot more subtle than this.”

Remember that there are also both Bluetooth and Near Field Communication (NFC) capabilities on your phone. These are usually used in conjunction with the other communication features. For example, you can connect to your Bluetooth in your automobile and then use the phone to make a phone call.  Although Bluetoo

AlienVault.png 2018-11-05 14:00:00 Financial Data and Analysis Predictions for 2019 (lien direct)


The use of big data and data from the internet of things (IoT) is changing business so rapidly that it is hard to predict what is next, and financial analytics is certainly no exception. While the need for financial analysts continues to rise, the way analysts perform their day-to-day functions is evolving.

More data than ever before is put into the evaluation of company financials, market analysis, and investment predictions. A company’s decision to issue bonds, split stock, or even initiate stock buyback options is much more informed than ever before.

So where is data and financial analytics taking us in 2019? Here is a closer look:

Advanced Analytics and Data Science


Data and analytics are more pervasive than ever in nearly every enterprise. They are increasingly the key to nearly every process a business engages in. These statistics tell the story best:

  • Deep neural networks or deep learning is in 80 percent of data scientists’ toolboxes.
  • By 2020 more than 40 percent of data science tasks will be automated.
  • Nearly 50 percent of analytics queries are done via natural language queries (voice) or are auto-generated.

In large part, this is due to wider adoption of artificial intelligence options. What this means for business and the future of analytics is simply this: by the end of 2019, 10 percent of IT hires will be writing scripts for bot interactions.

In fact, according to the McKinsey Global Institute, despite the growth of both data and the use of artificial intelligence to analyze it, most companies are “only capturing a fraction of their potential value in terms of revenue and profit gains.”

Their weaknesses, ones that can be solved with proper data and analytics, are many. Here are a few:

  • Inefficient matching of supply and demand. Many companies are not taking advantage of analytics that can predict with amazing accuracy seasonal demand and annual lulls.
  • Prevalence of underutilized assets. Many businesses have assets that sit idle or employees and departments duplicating tasks, something easily determined by honest analytics.
  • Dependence on demographic data rather than more efficient behavioral data. Behavioral data says a lot more about both clients and employees, and is much easier to use.

Over the next year, more companies will become dependent on analytics, and those companies who do not adapt will be three times more likely to fail.

The Bloc

AlienVault.png 2018-11-02 13:00:00 Things I Hearted this Week, 2nd Nov 2018 (lien direct)

It’s November already; where has the year gone? I can almost still remember typing out the words for the year’s first ‘Things I hearted’ blog back in January. Re-reading it now, it feels as if not much has changed: big messes, breaches and in-fighting seemed like the usual for the year.

I was speaking with my colleague Chris Doman a couple of days ago, and he did point out that 2018 overall has largely been better because we haven’t seen any large scale attack like WannaCry. He did pause and then add “yet” - so I suppose you could say we’ve improved because this year has caused less havoc than last year? Let’s chalk risk reduction down to a win and get on with it.

IBM Acquired Red Hat

A few weeks ago, prior to the announcement of the acquisition, IBM came up in discussion with a few friends and one of them said that IBM is one of those companies that everyone has heard of, but hardly anyone knows what they exactly do outside of a few services they use.

As the cool kids say, this may have been a statement designed to “throw shade” (young and hip people, please correct me if I’ve used the term incorrectly - I already embarrass my children enough by misusing lingo), but the fact is that the statement is rather true, only because most people are still trying to work out why IBM would shell out 33.4 Instagrams for Red Hat.

The Supply Chain

I won’t give any more air time to that ridiculous ‘grain of rice’ Bloomberg story. However, it did give everyone time to pause and think about the supply-chain and how fragile it is. It’s easy to overlook the reliance businesses have on partners and their security.

Dan Goodin took a peek behind the curtain of this shady practice and wrote on two supply-chain attacks.

Would you Compromise Privacy for $850m?

Under pressure from Mark Zuckerberg and Sheryl Sandberg to monetize WhatsApp, Brian Acton pushed back as Facebook questioned the encryption he'd helped build and laid the groundwork to show targeted ads and facilitate commercial messaging. Acton also walked away from Facebook a year before his final tranche of stock grants vested. “I

AlienVault.png 2018-11-01 13:00:00 Cybersecurity & Formula 1 Racing - It's a Profession (lien direct)

This is perspective from one of our MSSP partners, CyberHat.

Formula 1 is a serious business. It takes years of expertise and practical legwork to design, build and operate a winning Formula 1 team. It's easy to think that success depends on the car and the technology. But in reality, a cutting-edge engine in the best car in the world can’t win a race alone. Without an expert driver and a highly experienced and dedicated support team, you just can’t finish first.

When it comes to cybersecurity, everyone wants to win the race of protecting their assets and detecting and responding to threats to mitigate risk. Most organizations today invest heavily in cybersecurity technology, buying it, integrating it and implementing it in the organization, yet very few focus on the teams driving the technology, supporting it and utilizing it.

There is a simplistic belief that if you get a good enough car, you don’t need to be a good driver, when the reality is exactly the opposite: if you’re a good enough driver, you can get a lot out of pretty much any car.

Today, more and more companies are looking for fully encompassing cybersecurity solutions and are gradually consolidating into Security Operations Centers (SOCs) to help manage their security issues, and this is a smart move. SOCs are where cybersecurity teams detect, analyze and respond to threats to an organization. Their core task is to use the tools and skills at hand to provide the organization with an ongoing, relevant and professional security posture.

Yet in the current cybersecurity landscape not all SOCs were created equal. It is important to understand what components are imperative for a SOC to be most effective. 

Formula 1 fact: The best Formula 1 Pit Crew can refuel and change a tire in just 3 seconds.

They are the best in their field and they are dedicated to a strong set of processes. This is true for the SOC team as well. High expertise and seamless teamwork are important to effectively curtail the dangers of cyber-attacks and navigate the cyber field safely and in a timely manner. Many SOCs have dedicated Tier 1/2 analysts who, like the pit crew, can change tires and refuel seamlessly by following the usual runbook procedures for common or predictable threats, but they are not experts in managing larger-scale incidents. Those are the blown gasket or jammed piston that call for the more experienced mechanical team, or in cyber terms the Tier 3/4 analysts.

These are highly trained, specialized professionals with in-depth experience who are able to tackle complex, unusual incidents and attacks under severe time pressure. For example, sometimes cyber-attacks cannot be detected, deflected or blocked before they begin. Then it is the SOC’s responsibility to contain and protect, as well as to investigate and conduct a meticulous analysis to prevent similar incidents, through a dedicated forensics team. The forensics team of a SOC is dedicated to evaluating the necessary damage repair and implementing new or near-real-time responses.

The core trade for a professional is the old saying – “practice makes perfect”, it’s a simple question of consta

AlienVault.png 2018-10-31 13:00:00 It's the Season of Lists - Time for a Meaningful Risk List (lien direct)

I attended the Cybersecurity Summit in Phoenix recently and presented on the topic of minimizing risk. There were some great conversations around the value of risk management within the cyber threat landscape. Here are some of my musings from the event.

We are now at the forefront of a world of digital transformation. Beyond being a buzzword, digital is part and parcel of our daily lives today. According to the World Economic Forum report earlier this year, cyber-attacks and data theft/fraud bubbled up to numbers two and three of the top five threats in terms of likelihood of occurrence, and cyber risks intensified. With the scale of attacks today, along with the ingrained expectation that you’re either an organization that has been breached or one that is going to be, there is a lot of chatter about investments being made in cybersecurity technologies and how breaches still happen. Prevention is now being balanced with detection and response. Given this, the focus has turned to the need for cyber to be addressed as a business challenge, and measurement of risk is key.

Before you go ahead with a cybersecurity investment plan for 2019, consider answering the questions below.

• What are your top 5 cyber risks based on priority?

• Can you describe the actual loss impact in business terms for each of your top 5 risks?

• How are these cyber risk impacts aligned to your risk appetite?

• Are you truly reporting on cyber risks, or is it compliance driven, with reporting on control effectiveness?

• Have you considered how you plan to deal with the current risks and emerging risks, and treat these risks on an ongoing basis?

A common business edict is: “If we can measure it, we can manage it.” In the security space, the term GRC (Governance, Risk and Compliance) is common, but typically most organizations have been driven by the compliance focus. Spending has been primarily compliance driven, and along the way, too many risk assessments have been conducted with a checklist approach. As you plan for the 2019 cybersecurity budget, here are four handy tips to consider that can help cut to the core of cyber risk management.

1. Risk counts, but don’t just be counting

Counting all the risks – as an end – is just a part of thorough risk identification. The question is not, in any case, how many risks you can think up, but what is relevant to your business, i.e. what exactly the key vulnerabilities are in achieving your business objectives.

2. Ongoing debate of Qualitative versus Quantitative

The key here is structured versus abstract. You must be able to measure the risk and quantify it. However, if your organization is going the qualitative route, keep in mind that you must back the risk with data to differentiate the levels of risk. After you have conducted a meaningful risk assessment to identify the inherent risks faced because of the business you do, the next step will be to understand what risk mitigation strategies are required, with what priority, invoking what resources.

3. Continuous Cyber Risk Monitoring

Cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud adoption, increasing digital transformation investments, and advancing data analytics sophistication. As these transformations continuously grow the digital footprint, they outpace the security protections companies have in place.

AlienVault 2018-10-30 13:00:00 AlienVault Open Threat Exchange Hits Major Milestone with 100,000 Participants (direct link)

Today, I’m excited to announce that AlienVault® Open Threat Exchange® (OTX™) has grown to 100,000 global participants, representing 36 percent year-over-year growth. AlienVault OTX, launched in 2012, is the world’s first free threat intelligence community that enables real-time collaboration between security researchers and IT security practitioners from around the world. Every day, participants from more than 140 countries contribute 19 million pieces of threat data to the community.

OTX enables companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyber-attacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack). As Russell Spitler, SVP of Product for AlienVault, an AT&T company, explains, “Attackers rely on isolation - they benefit when defenders don’t talk to each other. We can’t be everywhere at once, but they can learn from each other’s experience. With the growth in OTX membership, we all benefit from the diversity of threat intelligence from an even wider variety of participants.”

To provide big-picture perspective on the billions of security artifacts contributed to OTX this year, AlienVault Security Advocate Javvad Malik and Threat Engineer Chris Doman have created the OTX Trends Report for 2018 Q1 and Q2. Like the 2017 report, this analysis reveals trends across exploits, malware, and threat actors, including top-ten rankings of the most seen exploits and adversaries recorded in vendor reports. The analysis reveals changes in the threat landscape, including a shift in the most reported exploits. For example, this year’s report reveals a rise in server exploits, as well as marking the first time an exploit targeting IoT devices (GPON Routers) has made the list of most-seen exploits.

Encouragingly, the OTX Trends Report shows an uptick in information sharing across the InfoSec industry, including a plethora of independent research sharing on Twitter. According to the report, “As more companies and researchers look at ways to share threat data, we see more usable and useful information flow into OTX. This openness and collaboration has resulted not only in organisations being able to defend themselves better - but increasing circles of trust within the industry where actual threat intelligence is being shared more openly. A trend that we have seen grow over the years.”

The sheer volume of security events included in the OTX Trends Report reflects the importance of keeping up with the latest threat intelligence. Without threat sharing, malicious actors can easily reuse effective exploits and pivot their attacks from target to target. A campaign affecting the UK legal industry can be repurposed for bankers in the United States, while security researchers operating in silos start from scratch each time. For example, the OTX Trends Report shows that the most commonly reported exploit, CVE-2017-11882, has been reused widely. By joining OTX, participants can strengthen their defenses and share real-time information about emerging threats, attack methods, and malicious actors. The diversity of OTX participants representing different countries, industries, and organization sizes provi

AlienVault 2018-10-29 17:00:00 MadoMiner Part 2 - Mask (direct link)

This is a guest post by independent security researcher James Quinn.      

If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was listed as identical to the x86 Install module. However, this is not correct. The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis.

In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of Install on a 32-bit machine.

Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies. Mask.exe utilizes XMRig miners in order to mine XMR, which it then sells for profit. While MadoMiner was earning $6,000 a month as of the last analysis,

Around 10/14, MineXMR closed the old address due to botnet reports. A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again. Currently, the hashrate is at 109 KH/s and steadily rising.

Also, around the time that the address changed, MadoMiner also became drastically different.

Malware Analysis

Where Install.exe only downloaded one file from a remote host, Mask.exe downloads two files. In addition, the servers used to download the files are also different from those used by Install.exe, increasing the proposed size of the botnet.

In addition to the 2 domains identified in part 1, a new domain has also been identified for a distribution server:

  • http://d.honker[dot]info

However, the domain is currently dead. In addition, the mining server currently used is pool.minexmr[dot]com.

A C2 server (newly updated version):

  • http://qq.honker[dot]info

Previously identified distribution domains:

  • http://da[dot]alibuf.com:3/
  • http://bmw[dot]hobuff.info:3/

Previously identified IPs:


Previously identified mining servers:

  • http://gle[dot]freebuf.info
  • http://etc[dot]freebuf.info
  • http://xmr[dot]freebuf.info
  • http://xt[dot]freebuf.info
  • http://boy[dot]freebuf.info
  • http://liang[dot]alibuf.com
  • http://dns[dot]alibuf.com
  • http://x[dot]alibuf.com

In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0; however, this was most likely due to domain reselling.

During the execution

AlienVault 2018-10-29 13:00:00 Spicing up the MSSP World (direct link)

We love conducting surveys at conferences. Not only do we gain insights from some of the smartest people in attendance, but we get a few extra minutes to mingle and get to know them better.

So, while we were at SpiceWorld in Austin this year, we sought to capture thoughts on outsourcing security. Of the attendees, 380 participated in our survey to bring us the following insights.

How Much is Outsourced?

The first question was to establish a baseline as to how current security operations programs are sourced.

A majority, at 60 percent, run security operations completely in-house. On the other side of the spectrum, a shade under 5 percent of participants’ companies completely outsource security operations.

The remaining participants outsource some aspects of their security operations with most keeping the majority of functions in-house.

Attitudes Towards Outsourcing

The question that then arises is how participants felt about outsourcing security operations as a whole.

Just over a quarter, 26 percent, believed that security should never be outsourced.

However, 41 percent believed that security operations should be outsourced as much as possible, as long as the service provider is good. Perhaps the key point here is the caveat about the quality of the service provider. Companies looking to outsource any aspect of their security operations should vet potential providers and be assured that the provider is fulfilling its part of the deal.

Gaining that assurance can take many forms. At a simple level it could be unplugging a server and waiting to see how long it takes for the provider to notice. Alternatively, at the risk of sounding like Jeremiah Grossman, the right incentives are needed here. Be that in the form of the vendor providing some warranty, or even insurance.

Another aspect which we did not go into were some of the drivers that lead to companies outsourcing.

The skills gap is an important discussion point. Many companies don’t have the right staff, or the right number of staff, internally to fulfill the increasing needs. According to the 2018 (ISC)² Cybersecurity Workforce Study, there is a shortage of nearly 3 million cybersecurity professionals.

Another factor could be that many security operations tools, technologies, and processes have become increasingly standardised over the years. This standardisation allows companies to outsource certain aspects of security operations in a relatively commoditised manner.

In an attempt to get an indication as to the direction the market is heading, we sought to understand budgets and future spending trends.

The majority of participants believe that the return on investment is justified when outsourcing security. This should not be surprising for most security operations tasks that have good economies of scale. 

Furthermore, both in-house and outsourced security operations budgets are largely looking to increase. For in house-security operations, 33 percent reported a p

AlienVault 2018-10-26 13:00:00 Things I Hearted this Week, 26th October 2018 (direct link)

WordPress Wants to Erase its Past

I was just flexing my clickbait title muscles with the heading here. But according to a talk at DerbyCon, the WordPress security team stated that its biggest battle is not against hackers but its own users, millions of whom continue to run sites on older versions of the CMS, and who regularly fail to apply updates to the CMS core, plugins, or themes.

The Penalties Keep Rolling in

Looks like the regulators have recently seen the Arnie classic, Pumping Iron, as they flex their muscles to penalise companies for lax security.

First up, supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potential hefty class action pay-out.

In other news, Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge Analytica data scandal.

The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place.

The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May.

Breaches at 32,000 feet

Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including their passport numbers, has been accessed by unauthorised personnel in the latest security screw-up to hit the airline industry.

British Airways, still encountering turbulence following its hack in September, has revealed that a further 185,000 customers' details could have been compromised!

Fool Me Once

Children’s Hospital of Philadelphia has reported two data breaches that occurred in August and September of 2018.

The hospital discovered on August 24 that a hacker had accessed a physician’s email account on August 23 via a phishing attack. A second breach, found on September 6, revealed unauthorized access to an additional email account on August 29.

Some Notes for Journalists About Cybersecurity

The recent Bloomberg article about Chinese hacking motherboards is a great opportunity to talk about problems with journalism.

Journalism is about telling the truth, not a close approximation of the truth,  but the true tru

AlienVault 2018-10-25 13:00:00 NCSAM Finale: Social Media Sharing Tips (direct link)

This is the last in our blog series on security awareness to celebrate National Cyber Security Awareness Month (NCSAM). We decided to take on social media sharing tips, and we tapped the Spiceworks community of IT pros for tips and tricks. We made it a contest, with the winner getting a $200 airline voucher. Here is the winning entry:

We received plenty of other great ideas. One of the prevalent ones was using multi-factor authentication.

A second prevalent idea was avoiding social media, which certainly would protect security and privacy, but would possibly also be no fun :(

There were also many mentions of using password managers.

Click bait was pointed out as a problem to avoid.

Here are some other interesting perspectives.

Even though I couldn't win the contest, I tossed in one of my favorite ways to stay safe online.

There was also a very novel way to protect online purchases, but it's so much work!

Thanks to everyone contributing ideas! The original post in Spiceworks is here.

AlienVault 2018-10-24 13:00:00 The Importance of Patch Management (direct link)

With each passing year, our world becomes more and more digital. Our social interactions and personal data, as well as many of our jobs, are based primarily on the internet. Although this shift has come with great benefits, it’s also opened us up to a heightened threat of cyber terrorism. 2017 saw some of the most devastating high-profile attacks in history, opening the eyes of businesses of all sizes to the importance of stronger security. With no end to cybercrime in sight, the best defense is to be better prepared. There are various practices that can be applied to achieve this, and implementing a patch management system is one of them.

In its most basic sense, patching is the process of repairing IT system vulnerabilities that are discovered after the infrastructure components have been released on the market. These patches can apply to a variety of system components, including operating systems, servers, routers, desktops, emails, client info, office suites, mobile devices, firewalls and more. Depending on a company’s information system design, the method of patch management may differ slightly.

Failure to follow adequate patch management procedures greatly increases the risk of falling victim to a devastating attack. In the second quarter of 2017, we saw a global ransomware attack hit the systems of hundreds of organizations in over 150 countries, all as a result of poor patch management. These unattended vulnerabilities in IT infrastructure open companies up to numerous security challenges, the top five being:

  1. Absence of proper coordination of security measures taken by the operations department and the IT department.
  2. Inability to keep up with regulatory standards.
  3. Failure to develop an automated security channel.
  4. Inability to protect systems from malware, DDoS attacks and hacktivism.
  5. Failure to upgrade the existing software and applications to improve the system security.

Outsourced patch management

For many companies, the reason behind their failure to properly patch vulnerabilities is the simple fact that it’s difficult. The process is time-consuming and, depending on the size of a company, there could be numerous vulnerabilities opening simultaneously. Outsourcing patch management to a more qualified company can relieve IT teams of that immense burden and prevent potentially fatal neglect. Additionally, outsourced IT companies have the advantage of economies of scale and can spend the necessary time required for testing updates before updating client systems.

Automated patch management

Automation is a trending feature in technology this year, including patch management. With this method, a cloud-based automation system is able to regularly scan and apply patches to software and systems of any kind regardless of location. This reduces the need for ongoing management of the patching system itself, meaning even the most limited IT teams can stay up-to-date with security. Furthermore, as automation allows for patches to be applied 24/7, the downloading and installation processes won't disrupt a work day, and the potential for human error while installing patches is removed.

Whichever route you choose, the importance of the matter stays the same. While hackers have made it clear they don’t discriminate against company size or industry, preventive measures are necessary for everyone. With a strong patch management system in place, the occurrence of a vulnerability can be immediately rectified by way of consistent monitoring of the system and a patch released

AlienVault 2018-10-23 13:00:00 Why Spending More On Security Isn't The Answer (direct link)

Volume 8 of the AT&T Cyber Insights report looked into whether organizations who are investing more in cybersecurity are achieving better outcomes than those who aren’t.

The outcome of the research was a resounding no.

On the surface, this may seem counter-intuitive. After all, how many CISOs have you ever heard complain about having too much security? However, if we look at the trend as an inverted U, or the law of diminishing returns, when you overdo something, you eventually stop seeing benefits, and may even see losses.

Getting the Porridge just Right

Much like Goldilocks, the question that arises is how much security is just right?

Former Director of the Enterprise Security Practice at 451 Research, Wendy Nather, wanted to establish The Real Cost of Security. In her research, security professionals provided a wide range of responses as to what security technologies are needed, with the majority of the respondents being able to trim down their list to around 10. The pricing of these 10 technologies varied greatly depending on a number of factors such as vendor, mode of deployment, whether it was open source, and so on - the price range varied anywhere from $225,000 to $1.46m in the first year, including technology and staff.

Expense in Depth

For many companies, especially those with small or mid-sized security teams, managing 10 or more individual security products can be challenging.

Former Forrester analyst Rick Holland coined the phrase ‘expense in depth’. That is where many companies will use the defense in depth concept to justify the need for more security products. The problem with this approach is that it can lead to buying too many technologies which don’t complement each other, which inevitably results in a multi-layered approach that provides minimal return on investment.

This leads us to a bit of an impasse. A variety of security controls are needed to provide adequate coverage. But too many security products lead to an increase in expense not just to procure, but to manage, which can lead to security shelfware.

More Capability in Fewer Products

In order to avoid some of these pitfalls, companies, especially ones with small to mid-sized security teams, should look to invest in fewer products that offer greater functionality.

The good news is that many security technologies have become standardised and no longer need to be acquired or deployed individually. For example, vulnerability scanning is largely a standardised function. While some scanners may perform better than others, by and large you can point one at your assets and receive an expected output.

So, the question companies should ask is: what benefits are being gained by running vulnerability scanning as a separate service with a standalone technology? Compare this to a platform which offers several security functions, of which vulnerability scanning is one. The same could be said for anti-virus, or IDS, or SIEMs. The value in running any of these as dedicated standalone services is diminishing.

Take the example of your smartphone. It has folded many devices, such as a pager, phone, camera, even a flashlight, into one device.

One could argue that a standalone dedicated camera, or flashlight is a superior product, which may be true, but it


Information last updated: 2019-01-19 06:03:28