What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
AlienVault.webp 2018-10-19 13:00:00 Things I Hearted this Week, 19th October 2018 (direct link) It’s been another eventful week in the world of cyber security. So let’s just jump right into it. NCSC has Been Busy NCSC collaborated with Australia, Canada, New Zealand, the UK, and the USA to give us a report that highlights which publicly available tools criminals are using to aid their cyber crimes. Joint report on publicly available hacking tools | NCSC The agency also commented on how it keeps criminals at bay by stopping on average 10 attacks on the government per week. NCSC also published its Annual Review 2018 - the story of the second year of operations at the National Cyber Security Centre. Targeting Crypto Currencies It is estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group, including the infamous attack on Japanese crypto exchange Coincheck, when $534 million in crypto was stolen. Targeted attacks on crypto exchanges resulted in a loss of $882 million | HelpNet Security Twitter Publishes Data on Iranian and Russian Troll Farms In an attempt to be more proactive in dealing with misinformation campaigns, Twitter has published its Elections Integrity dataset, which includes attempted manipulation, including malicious automated accounts and spam. In other words, it’s attempting to out Iranian and Russian troll farms. Twitter’s focus is on a healthy public conversation | Twitter In light of this, it’s worth also revisiting this article by Mustafa Al-Bassam in which he researched UK intelligence doing the same thing, targeting civilians in Iran.
British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents | Motherboard Equifax Engineer Sentenced An Equifax engineer gets eight months for earning $75,000 from insider trading. He figured out that the web portal he was building was for a breach involving Equifax, which turned out to be the 2017 breach, and so decided to ride the stock drop. Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading | ZDNet Mind the Skills Gap (ISC)2 has released its 2018 global cyber security workforce study, and it looks like the cyber security skills gap has widened to 3 million. It’s worth bearing in mind that estimating the skills gap isn’t an eas Guideline Equifax APT 38
AlienVault.webp 2018-10-18 18:13:00 Detecting Empire with USM Anywhere (direct link) Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems. It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can: deploy fileless agents to perform command and control; exploit vulnerabilities to escalate privileges; install itself for persistence; steal user credentials. It has also evolved to support the initial phases of an attack, and can create malicious documents to deploy its agent. Empire’s features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages on a Windows target. Staging Empire first attempts to deploy an agent using one of multiple stager modules. USM will generically detect the agent after PowerShell is invoked with an encoded payload. Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert ‘Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command’. This alert detects most Empire stagers on Windows when they use PowerShell to execute an encoded command. If enabled, the Windows Antimalware Scan Interface should also block the PowerShell command.
The ‘Malware Infection - Windows Defender Malware Detected’ alert shows the necessary information to locate the malicious file. An alternative for an attacker is to craft an Office document with a macro, which will execute the agent command by running a crafted Windows process from the WMI Service:
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0    ' the spawned process gets no visible window
Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
objProcess.Create str, Null, objConfig, intProcessID    ' str holds the agent command line, built earlier in the macro (not shown in this excerpt)
When the macro runs, the Windows Management Instrumentation Command will create a new process. USM listens to Windows events to detect the WMIC call, which is commonly used in lateral movement scenarios. The ‘Lateral Movement - Remote WMIC Activity’ alert will be raised, displaying the malicious PowerShell command. Another way for an attacker to implant the Empire agent on a victim's machine is to create an HTML Application using the Empire module windows/hta. On a weakly configured system, a simple spear phishing mail with a link to the crafted HTML application will be enough to get the agent running. For each alert, USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow:
AlienVault.webp 2018-10-17 13:00:00 Best Cloud Tech Jokes and Memes (direct link) We ran a contest in Spiceworks recently, asking folks for their best cloud tech jokes. Here are some of the funniest ones: Those SpiceHeads sure have great senses of humor, of a highly techie variety!
AlienVault.webp 2018-10-16 13:00:00 AT&T Business Summit 2018 - First Impressions and Recap (direct link) From the 25th to the 28th of September 2018, I had the opportunity to attend the AT&T Business Summit in Dallas. I walked away with a whole new perspective on AT&T Business, what a conference could be like, and the Dallas Cowboys. The Future is Here The show floor at the summit was small when compared to some of the mega-conferences like RSA. But what it lacked in volume, it more than made up for in the quality and variety of technologies on display across different industry verticals. There were robots that could fold your laundry, or take you on an augmented reality tour of a factory. We were even introduced to “Pepper”, a cute interactive robot. Pepper's a fan of @gwenstefani, too! Check out those dance moves. #ATTBizSummit @ATTBusiness pic.twitter.com/MX5ntUsrj2 — Sarita Rao (@saritasayso) September 27, 2018 There was a lot of other embedded technology on display, like portable medical devices, which can be operated by anyone to provide details to a doctor. Or IoT technology embedded within trucks that can send a whole host of data to allow effective fleet management. Some of the broad themes from the technology on display, and from what was discussed on stage, were IoT and smart cities, 5G, and the software-defining of most things. Day 1 Video Recap Hitting High Notes with the Keynotes Showcasing technology aside, conferences can be defined by the quality of the speakers and talks that are given. AT&T Business did not disappoint, with some great discussions and presentations by the likes of Malcolm Gladwell, Anderson Cooper, Thaddeus Arroyo, Barmak Meftah, Queen Latifah, Reese Witherspoon, and Tony Blair, to name a few. Power panel - Anderson Cooper, Doug Parker, Meg Whitman, Thaddeus Arroyo...Disruption is Coming for EVERYONE! #ATTBizSummit #transformation pic.twitter.com/SM9lu0xxkG — Anne Chow (@TheAnneChow) November 1, 2017 “Security isn’t a technology problem.
We need to view security as a business problem” Barmak Meftah, President AT&T Cybersecurity Solutions & CEO @alienvault #AttBizSummit @ATTBusiness pic.twitter.com/8IwA6QFQ3g — Susan Torrey (@smtorrey) September 26, 2018 Guideline
AlienVault.webp 2018-10-15 13:00:00 Security Travel Tips (direct link) In honor of NCSAM, we decided to ask the Twitter community for security travel tips, to help us be safer when travelling. Here's the original Tweet: Want some AlienVault swag? Send us your top tip for #security while traveling by October 8 for potential inclusion in an upcoming blog. Of the tips we include in the blog, we’ll randomly select 3 people to win an AlienVault swag bag! #securityawareness @J4vv4D @securitybrew pic.twitter.com/1XvzKnMbMv — AlienVault, an AT&T company (@alienvault) October 3, 2018 We got some neat answers. 1. Use a screen protector on an airplane or while working in public 2. Buy Freeze Fraud bags to store your laptop in while out of your hotel room. Tamper evident bags give you peace of mind your hardware hasn't been tampered with. — Jake Williams (@MalwareJake) October 4, 2018 For the love of everything confidential: privacy screens for phone, tablet, phablet, laptop, etc! Flights to DC make for the best shoulder surfing! — Glenn (@NTKramer) October 4, 2018 Know your threat model. Not everyone needs a burner phone, burner laptop, and 7 proxies. Know the trust boundaries, and mitigate the issues that make sense for you. — Willa (@willasaywhat) October 4, 2018 Don't do work. Your work existed before you and won't end cuz you disappeared for a week or less. Smart companies and CEOs always have backup for critical employees. No matter how secure you can try to be... if you are targeted they will get you while you are traveling. — 9656B73F0889AC044EB47F452C059A6C (@SGFja2Vy) October 4, 2018 Avoid being an obvious target by studying the area well enough to not need a map upon arrival. Carry the bare minimum hardware & files - if a device is lost/stolen/dam Threat
AlienVault.webp 2018-10-12 13:00:00 Things I Hearted this Week, 12th October 2018 (direct link) What is a Vulnerability? The part that most people don’t seem to understand enough is that an attack only matters if something is at stake. A transaction of some sort needs to occur; otherwise it doesn’t matter if someone performs the particular attack against you. When is a vulnerability not a vulnerability? | Medium, Tanya Janca An Analysis of CVE-2018-0824 While we’re on the topic of vulnerabilities, I’ve said it before, but one of the best things that has come out of bug bounty programs is the writeups that sometimes follow, which detail the thought process and the steps taken. Similarly, it’s always insightful to see security researchers not only create an exploit, but also spend some time analysing its patch and writing up how it works. Marshalling to SYSTEM - An analysis of CVE-2018-0824 | Code White Sec Visualising Your Threat Models Do you struggle to find the right tool for threat model diagramming? Well, this may be the one for you, if your requirements match Michael's, where the app had to: support DFD and attack trees; be enjoyable and easy to use; be free and cross platform; not be web or ‘cloud’ based. Draw.IO for threat modeling | Michael Riksen Brutal Blogging: Go for the Jugular Ever wondered whether you should get into blogging? Ever started to write a blog but run out of ideas? Ever wonder why your blog post gets no love? Well, fear not, because Kate Brew brings you all these answers and more in her great DerbyCon 2018 talk. Brutal blogging: Go for the jugular | Youtube Blockchain Eating its Greens? Walmart Inc., in a letter to be issued Monday to suppliers, will require its direct suppliers of lettuce, spinach and other greens to join its food-tracking blockchain by Jan. 31. The retailer also will mandate that farmers, logistics firms and business partners of these suppliers join the blockchain by Sept. 30, 2019.
Walmart Requires Lettuce, Spinach Suppliers to Join Blockchain | Wall Street Journal Do you Know What You’re Building? Across the technology industry, rank-and-file employees are demanding greater insight into how their companies are deploying the technology that they built. At Google, Amazon, Microsoft and Salesforce, as well as at tech start-ups, engineers and technologists are increasingly asking whether the products they are working on are being used for surveillance in places like China or for military projects in the United States or elsewhere. Tech Workers Now Want to Know: What Are We Building This For? | The New York Times Why Logic Errors Are So Hard to Catch The fact that a relatively simple flaw allowed an anonymous hacker to compromise 50 million Facebook accounts serves as a powerful reminder: When hackers, professional or amateur, find business logic errors, as Tool Vulnerability Threat
AlienVault.webp 2018-10-11 13:00:00 AlienVault Product Roundup – the Latest Updates! (direct link) September was another busy month for product development at AlienVault, an AT&T Company. We are excited that the AlienVault Agent is getting great traction with our USM Anywhere user base, and we are continuing to add feature enhancements to the Agent. You can keep up with all of our regular product releases by reading the release notes in the AlienVault Product Forum. Here are the highlights from our September releases. Enhancements to the AlienVault Agent! Coming off the successful introduction of the USM Anywhere EDR functionality enabled by the AlienVault Agent, we are excited to announce more improvements to the Agent. The feedback from our users on the Agent has been great thus far, and in September we added more filtering capabilities, designed to give users more control over what types of data the agent is collecting. You can now apply regular filtering rules to Agent events, giving you the flexibility you need over what data you collect. We will continue to add feature enhancements to the Agent in the coming months. The USM Anywhere API is here! Following up on our API release in USM Central, which has been very popular with our MSSPs, we are happy to announce the introduction of the API in USM Anywhere. Available for Standard and Premium Edition customers of USM Anywhere, you can now extract alarms and events from USM Anywhere to help you with independent workflows. This is the first major step towards a full set of API functionality being built out in USM Anywhere. Enhancements to the AlienApp for ConnectWise Building on its initial release, the AlienApp for ConnectWise now works with on-premises deployments of ConnectWise Manage.
Service management teams that use on-premises deployments of ConnectWise Manage can now leverage automated service ticket creation from USM Anywhere for alarms and vulnerabilities, as well as the synchronization of asset information. Defects and Optimizing the UX In addition to these new capabilities, the team has rolled out enhancements to the user interface and has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details. USM Central Highlights Following on from the introduction of the API in August, we are pleased to announce the availability of additional API endpoints that allow customers and partners to retrieve vulnerabilities, deployment information, and configuration issues for connected USM Anywhere instances. This continues the build-out of the USM Central API, so stay tuned as we continue to add more API endpoints in the coming months. Threat Intelligence Highlights It’s been a typically active month for the AlienVault Labs Security Research team, curating the threat intelligence for USM as well as writing content on new & emerging threats. As a reminder, USM receives continuously updated correlation rules and endpoint Threat
AlienVault.webp 2018-10-10 13:00:00 Time to Cover your Selfie Camera (direct link) I am reading an excellent book named “Cringeworthy: A Theory of Awkwardness”, which examines exactly what the title describes: awkward situations and how to deal with them. I love reading non-fiction books that are not InfoSec related. There is so much to learn out there about so many topics. Sometimes, however, I am led back to my InfoSec passion (or, perhaps it’s an illness). In the book, author Melissa Dahl mentions two companies that are working on some fascinating software that can read human emotions via facial expressions. This is a compelling development in technology, reaching beyond facial recognition. Facial recognition, you may recall, has had some of its own challenges to overcome. Of course, emotional recognition software would not be useful for authentication, as there are only seven emotions. To review, they are happiness, sadness, fear, anger, surprise, contempt, and disgust. As you read this, are your inner InfoSec senses perking up? They should be. Part of the way that emotions can be identified is through micro expressions. Micro expressions are subtle changes in a face, but they happen so fast that it requires specialized training for the human eye to detect them. Those trained in micro expression recognition can detect, along with the seven emotions, other traits, such as a person’s level of deception. While there are not many folks trained in micro expression recognition, a computer may be programmed to respond with alarming accuracy and speed. Rather than thinking that computerized emotion recognition could be used in a court of law (probably inadmissible as evidence, much like a polygraph), or during an interrogation (also of questionable usefulness), think of the economics of the technology. One way in which this new technology may be used is to gauge a person’s response when viewing something on the screen.
Using this technology, an advertiser could change what is presented based on the person’s response. You seemed to retreat a bit when you were shown the large automobile. Let’s pop up an advertisement for the fuel-efficient hybrid. You enjoyed the flowers that popped up on your birthday? Let’s pop some chocolate onto the screen with a savings coupon. The privacy concerns of such a technology have led me to place a piece of electrical tape over the front-facing camera on my phone. I was never a big selfie person to begin with, and this technology is certainly enough to cure me of any urge to have that camera exposed. Remember, the camera and microphone on your electronic devices are software controlled, so unless you carefully examined that end user license agreement, you may have already given camera control over to one of your applications. Like many others, I have had my Guideline
AlienVault.webp 2018-10-09 13:00:00 5 Steps to Maximize Your Financial Data Protection (direct link) A series of high-profile data breaches in 2017 made it clear that it's becoming more difficult to protect your and your customers' sensitive information from nefarious agents. As businesses expand, they develop and implement security policies that help protect their sensitive information from outsiders. Still, business growth means more computers, more laptops and more mobile phones—and more network endpoints means more security vulnerabilities and more opportunities for a small oversight to turn into a major data breach. Financial data breaches can spell disaster, especially for small businesses that have fewer resources to allocate toward proactive security measures and fraud prevention. To help out, we've outlined five steps that you can take to maximize your financial data protection in 2018. Take Inventory of Your Sensitive Financial Data The first step to effective financial data protection is to identify the data that is most important to protect. Your full assessment should answer the following questions: What data do I need to secure? What computers, servers, laptops, networks, or other devices is the information stored on? What devices can be used to access the data? What roles/titles will have permission to view the data? The best way to start enhancing data security is by restricting access. Isolate or segregate the data onto the fewest devices possible, and make it accessible to the fewest people. Conduct thorough background checks and ask for references when hiring employees who will come into contact with financial data. Implement Effective Password Controls Passwords are an important security measure used to prevent unauthorized users from accessing company laptops, e-mail accounts and other resources that could contain sensitive financial information.
Password controls are a set of imposed guidelines for how your staff should set up the passwords that they use to access your sensitive data. Typical password controls include: Ensuring that passwords are long enough and that they contain a mixture of upper- and lower-case letters, numbers and symbols. As passwords get longer, they become exponentially harder to crack by brute force. Hackers use all kinds of tricks to try to guess passwords—writing software that guesses dictionary words or combinations of words from the dictionary, or that guesses birth dates formatted in different ways. Passwords should be 10-12 characters long. Ensuring that passwords are changed on a regular basis, at least every 90 days for passwords used to access sensitive financial data. Ensuring that each individual user is assigned one username and password, and that login credentials are never shared. Protect Your Network with a Firewall Companies storing and transmitting financial data on an internal network should implement a firewall. A firewall is a hardware or software security device that monitors all incoming and outgoing network traffic and uses predefined security rules to determine whether it should be allowed or blocked. Firewalls establish a barrier between your trusted internal network and unauthorized external actors that might try to access or attack it. You may want to hire a cyber security expert who can help customize your firewall to your unique circumstances and advise you on how to address other potential network security threats. Look Out for Phishing Scams Sometimes, fraudsters don't have to gain access to your systems using technological means to attack your company financiall Hack Vulnerability
AlienVault.webp 2018-10-08 17:09:00 Delivery (Key)Boy (direct link) Introduction Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believed to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy sector. Malware Delivery through Open Source Exploit Kits KeyBoy sent the following email to India's Ambassador to Ethiopia from an email address at nic[.]in, India's National Informatics Centre. The file f43f60b62002d0700ccbcbd9334520b6 The attached malicious document downloads and executes a script that installs the final payload: This script contains text (e.g. “” ) which matches a pre-packed version of the popular CVE-2017-0199 exploit available on GitHub. We’ve seen other malicious documents where KeyBoy have tested another exploit generator. In that case KeyBoy didn’t change the default settings, so the document meta-data provides some obvious hints that the document is malicious: Delivered Malware The next stage in these attacks is typically a malware family known as TSSL. This malware was originally identified by PwC and more recently described by Trend Micro and CitizenLab. Most samples are built on the attacker's machine fr APT 23
AlienVault.webp 2018-10-08 13:00:00 AlienVault at SpiceWorld 2018 this Week! (direct link) SpiceWorld is taking place next week in Austin, TX! For those unfamiliar, the event is Spiceworks' yearly conference for IT pros and bacon lovers. The AlienVault team is ready to meet and greet their favorite SpiceHeads, new and old, at the Austin Convention Center, October 8th-10th! The conference features educational IT sessions, networking opportunities and a two-day expo with a welcome reception on Monday evening, packed with exhibitors showcasing the latest in information technology solutions! Visit us at Booth #10! Visit booth #10, located near the middle of the expo hall floor! Back by popular demand, we’re bringing back the SpiceHeads’ favorite Alien swag this year – flashy green sunglasses, and yummy cosmic slushies! We are also participating in the Passport to Prizes program again, so be sure to stop by the booth to get a stamp, meet the AlienVault team and learn about the AlienVault Threat Alerts in Spiceworks, which is a free tool! Learn how to quickly identify and respond to potential threats in your environment with threat alerts, and take a deeper dive with a demo of our USM Anywhere product. It’s the ONLY security solution that automates threat hunting everywhere modern threats appear: endpoints, cloud, and on-premises environments – all from one unified platform. Attend "Realities of the Digital Transformation: How to Address the Threats We Face Today” Join Jaime Blasco, VP and Chief Scientist of AlienVault, an AT&T Company, Todd Waskelis, AVP, AT&T Security Solutions, and Spiceworks (moderator) on Tuesday, October 9th from 2:15pm-3:15pm in 17AB for this informative session. We’re looking forward to seeing you all in Austin! Threat
AlienVault.webp 2018-10-05 13:00:00 Things I Hearted this Week: 5th Oct 2018 (direct link) There was no update last week because I was in Dallas for the AT&T Business Summit, which was a great event. Chuck Brooks wrote a detailed post on his experience, while I made a couple of videos charting my time. But enough of that, let's see what went down in the world of security over these last few days. Facebook breach One of the biggest stories in these past few days must be the Facebook breach. The company issued a security update on September 28th which led with the facts: On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security. At this stage, there are probably more questions than answers, and it’s likely this is one story that will play out for a long time. The ultimate fallout from the Facebook data breach could be massive | Help Net Security Facebook faces $1.6 billion fine as top EU regulator officially opens probe into data breach | CNBC What we still don’t know about the Facebook breach | The Verge The Facebook security meltdown exposes way more sites than Facebook | Wired Local file inclusion at IKEA.com Flat-pack vulnerabilities, now available in this great writeup by Jonathan Bouman. Local file inclusion at IKEA | Medium / Jonathan Bouman Out of office notices for OSINT A nice reminder by Stuart Coulson on the perils of out of office notifications, and how they can divulge a lot more than you’d want to anyone. Out Of Office notices for OSINT | HiddenText While you’re on the HiddenText site, check out Seven types of cyber criminals: 2018 version. Put ads down your Pi-Hole Nobody really likes ads when they’re browsing online. So, they sometimes resort to using adblockers. But there are some issues with those as well.
Surely, in an industry full of clever tech people, hackers, and tinkerers, there is a better way - enter Pi-hole. Self-described as a black hole for internet ads, it is basically a mini DNS server you run on a Raspberry Pi in your local network; your DNS traffic goes through it, and it blacklists any malicious domains. Both Data Breach
AlienVault.webp 2018-10-04 15:20:00 Top Five MITRE ATT&CK Framework Use Cases (direct link) What is the MITRE ATT&CK? The MITRE ATT&CK framework is abuzz in the cybersecurity industry lately, and its utility has a lot of professionals excited. The ATT&CK framework's predecessor was the Cyber Kill Chain, developed by Lockheed Martin in 2011. ATT&CK incorporates what MITRE calls Tactics and Techniques to describe adversarial actions and behaviors. Techniques are specific actions an attacker might take, and tactics are phases of attacker behavior. At Threatcare, we’ve watched the steady adoption of the ATT&CK framework over the years. We’ve also seen innovative cybersecurity professionals use the framework in ways that have surprised the MITRE team. ATT&CK incorporates the 11 Tactics listed below, and each Tactic has numerous Techniques. MITRE ATT&CK Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control. Top Five Use Cases (in no particular order) - Red Team There have been several attempts to standardize Red Team tactics and techniques over the years. The ATT&CK framework doesn’t address everything a red team should do, but it is a major step in the right direction. The framework has standardized the terminology used among Red Teamers, helping make Red Teams more effective, especially across large organizations. Red teams also have the ability to carry out real-world scenarios using ATT&CK as a guide, making both training and operations more effective. - Blue Team On the defense side of the house, the ATT&CK framework helps Blue Teams better understand what attackers are doing in a concise, comprehensive way. This allows them to better determine what mitigations to put in place on the network. And, as with Red Teams, ATT&CK can act as a standardized method for training. - Vendor Bake-Offs Until recently, there wasn’t a standardized way to evaluate security products.
Now, with ATT&CK, organizations can test security products in a structured, methodical way. Additionally, certain products are aligned to the ATT&CK Tactics, giving organizations visibility into potential overspending on products that have the same basic functionality. For instance, DLP should prevent Exfiltration Tactics, and Proxies should prevent Delivery Tactics. But do they successfully do this? And which vendor does it better? - Breach and Attack Simulation (BAS) If you’re not familiar with BAS, check out a primer on it here. Although BAS is a new category of cybersecurity tools, the ATT&CK framework has validated its need. Similar to the vendor bake-offs mentioned above, MITRE ATT&CK can help your organization determine which BAS tool to implement. At Threatcare, we’ve built ATT&CK Tactics and Techniques into our products and have been working closely with their team to ensure alignment. Learn more about Threatcare here. - Remediation of Security Gaps Given all of the above information, it should hopefully come as no surprise that your organization can build a solid understanding of how it can detect and defend its networks by comprehensively testing against the ATT&CK Tactics and Techniques. More insight into attacker behavior means better remediation of gaps and operational capabilities. Conclus Tool
AlienVault.webp 2018-10-03 13:00:00 AlienVault Agent Now Has Improved Filtering Capabilities (direct link) On July 31st, we publicly launched new endpoint detection and response (EDR) capabilities in USM Anywhere, AlienVault’s unified solution for complete threat detection, response, and compliance. With EDR built into USM Anywhere, users can centralize security monitoring of their endpoint and network activities across cloud and on-premises environments, without the need to deploy, integrate, and manage a separate solution. The platform automatically correlates security events from across their IT infrastructure using continuous threat intelligence from the AlienVault Labs Security Research Team, helping security teams quickly detect, prioritize, and respond to threats. Customers have been excited to use the new capabilities, which are enabled by the AlienVault Agent, a lightweight endpoint agent based on osquery that performs continuous endpoint monitoring as part of the unified platform. Amidst the positive feedback for the Agent, we’ve also asked customers to share the most important ways we can continue to improve its functionality. More granular control over the data the Agent collects has been the most requested enhancement. Today, we’re pleased to deliver the ability to filter events from the AlienVault Agent for added control over your data consumption. Now, you can create a filtering rule directly from any agent-based event in USM Anywhere, making it fast and easy to customize the data you collect. Filtering rules aren’t the only way to regulate your data consumption with the AlienVault Agent. When you deploy the Agent, you immediately leverage the expertise of the AlienVault Labs Security Research Team to manage your data usage with the “optimized” configuration profile, which is selected by default.
The Labs Team designed this configuration profile to collect only the security-relevant data from your endpoints, enabling you to get up and running quickly without consuming more data than you need. Alternatively, you can choose to collect additional endpoint data, including syslog events, by switching to the “full” profile. With either configuration profile, you can add filtering rules for additional control over the type of data the agent collects. Deploying the AlienVault Agent extends USM Anywhere’s powerful threat detection and response capabilities to the endpoint, enabling you to detect modern threats and monitor critical files (FIM) on your Windows and Linux endpoints. Continuous threat intelligence from the AlienVault Labs Security Research Team ensures the AlienVault Agent’s queries are always up-to-date to detect the latest threats. Unlike point security solutions, USM Anywhere combines multiple security capabilities into a unified cloud platform, including EDR, SIEM, IDS, vulnerability assessment, and more, giving you the essential security capabilities you need in a single pane of glass, drastically reducing cost and complexity. Learn more about the AlienVault Agent and the new EDR capabilities in USM Anywhere: try it out (and create your own filtering rule!) in our interactive demo experience; read the EDR solution brief; see a real-world example of malware Malware Vulnerability Threat
AlienVault.webp 2018-10-01 13:00:00 Observability and Visibility in DevSecOps (direct link) To celebrate AllDayDevOps coming up October 17, here's an on-topic blog. Automation is Your Friend DevSecOps Companies often turn to software as a solution when they need to solve a problem, whether it’s to automate or enhance a task, or to gain valuable information in an easily consumable fashion. The same is true for security teams on both sides of the red and blue line. Security professionals build tools to automate exploitation, detect attacks, or process large amounts of data into a usable form. By allowing staff members to understand how these software solutions behave in live environments, security teams can avoid common pitfalls. They can also increase the value that they receive from these tools overall. When discussing software design, the word “visibility” gets tossed around a lot. People may use the word to describe the benefits provided by the software. They may use it to describe a quality of the software’s operation. They may even use it to describe how easy it is to gain an understanding of how the software was designed (i.e. open source). This has led me to believe that when we are talking about visibility, we are really talking about three specific concepts that form this bigger idea: Insight - the valuable data received due to the software’s function; Transparency - being able to see how software is designed to function; Observability - the ability to view the actual actions software takes and its performance while taking those actions. For consumers of software, insight is the big focus, mostly because it is perceived as relating directly to value. As the role of security teams evolves, both offensive and defensive, these teams have realized that they can't just be consumers. Security teams need to be builders, maintainers, and providers. Security processes, procedures, and software need to be consumable by the greater organization.
While good insight and consumable data are a requisite for quality software, what increases buy-in, improves impact in the org, and ultimately makes security software successful are the observability and transparency aspects. Transparency in Security In modern agile and DevOps style software development organizations, everything is in source (other than secrets), and every service has mandatory levels of documentation. Engineering teams operate this way in order to foster inter- and intra-team operability of services, to streamline troubleshooting in the event of an outage, and to increase the understanding of how individual services interact with other environment or application components. Breaking Down Barriers to Collaboration in DevSecOps For security teams that solve problems by writing code, or who actively work with code written by other teams, conforming to this pattern goes a long way. The similarity in process helps break down barriers to collaboration. Removing any disparity in quality between the systems being secured and the systems doing the securing helps normalize the idea that security is just one quality of the system. Leveraging a transparent approach fosters a greater degree of understanding between the security organization and the rest of the enterprise. This idea of transparency might cause some shudders on the red side of security: historically, notions of operational security and stealth have permeated red practitioners' methods. These notions are indeed good things when conducting adversarial simulation or incident response, but there is no reason to conceal the function or performance of security software from the teams that have to interact with it outside of these specific scenarios. It is almost a cliché now t Guideline
AlienVault.webp 2018-09-27 13:00:00 One Day, NCSAM will be a Fond Memory (direct link) October is National Cyber Security Awareness Month (NCSAM), and I thought it would be a neat idea to offer some ideas about best practices for good passwords. Since I have written about this before, I figured it would be the easiest thing ever, especially with all the advances in password management technology, and the new NIST Guidelines. I could talk about the usual things, like: Use a password manager; Use a passphrase instead of a password; Don’t re-use passwords; YAWN; Etc. All these tips seem so “common”, tired, and repetitive. We have heard this all before from some of the giants of the InfoSec community. There are hundreds of articles from every known source that offer the same tips on best practices for passwords, dating back many years. Clearly, the problem is not a lack of information. The problem is not with the message, as that is clearly splashed all over the internet. Some of us, myself included, have previously followed the misguided approach that we should treat the patient, rather than the disease. However, the disease is outpacing the cures. As Bruce Schneier has stated, the problem is not with the patient. Technology has created a world of easy access, and it keeps getting easier. Everything is available at the click of a link, yet we security folks, the messengers of online safety, spend much of our time like a bad piano teacher with a ruler, ready to slap the fingers of the person who clicks that link without first thinking of the consequences. There have been so many advances in the technology that can unobtrusively improve the security experience for everyone. All the tools exist to create a silent security wall that protects the online experience. For example: Multi-factor authentication has been a major leap towards protecting identities, preventing many credential-theft scams.
I have posited in the past that this needs to be mandatory for all online systems. URL obfuscation, which masks a hyperlink and checks it against known exploits before loading the destination page, can protect against clicking a link that is not what it purports to be. With everything based in the cloud, this is an easy redirection scheme to silently protect online browsing. Browser plug-ins, such as IDN-Safe, protect you against malicious sites that use hidden Unicode characters in URL names. Safe Wi-Fi – Products, such as LookOut Mobile, offer a feature that will detect SSL stripping to protect consumers against connecting to rogue Wi-Fi hotspots. The main hurdle to overcome with some of these tools is that their best features are unavailable at the consumer level. While that may make good business sense, it leaves us with the same problem of the crutch of “user awareness” as our primary tool towards security. This all leads me back to my “password best practices” advice for NCSAM. Yes, all of the standard password rules still apply, but only because that is the current state of affairs. What can we do to change this approach? Is it possible to dem Tool Guideline
AlienVault.webp 2018-09-25 13:00:00 Extortion, the Cloud, and the Geopolitical Landscape - Black Hat 2018 Survey Results (direct link) At Black Hat 2018, we surveyed attendees on diverse topics ranging from how to react to extortion, to what impact the geopolitical landscape is having on the industry, to whether the shiny veneer of the cloud is beginning to fade. Our Security Advocate, Javvad Malik, has put together an excellent report on the survey. The report is based on our survey at the AlienVault booth of 963 participants at Black Hat 2018 and interviews with security experts. Read the whole report by Javvad. Key Findings: 38% say the Chief Information Security Officer (CISO) should be the one to negotiate extortion and/or ransom demands; 46% of those surveyed say security remains the biggest blocker to cloud adoption; 54% of participants believe US public sector infrastructure is either unprepared or very unprepared to defend against cyber attacks; people are relatively confident in calling a hacker's bluff. Read the report for all the details!
AlienVault.webp 2018-09-24 18:10:00 MadoMiner Part 1 - Install (direct link) 2018 seems to be a time for highly profitable cryptominers that spread over SMB file-shares. Following my analysis of ZombieBoy in July, I found a new malware sample that I’m calling MadoMiner. With the help of Chris Doman, I was able to analyze it and discover that it uses techniques similar to ZombieBoy, because it hijacks ZombieBoy’s CPUINFO.exe. However, MadoMiner is much, much larger, in terms of: the size of the malware; the number of systems infected; and the total profit gained by the attackers. The previously analysed ZombieBoy was earning around $750 a month while mining at its maximum power. MadoMiner, on the other hand, is earning around $6015 a month while only mining at 50% power. Malware Analysis An overview of the Install module is below. Depending on the victim’s architecture, obtained from CPUInfo.exe, either x86.dll or x64.dll is installed. x86.dll and x64.dll are virtually identical; one is simply built for the x86-64 OS architecture and the other for the x86 OS architecture. Domains MadoMiner appears to use two different servers to distribute payloads for each module: http://da[dot]alibuf.com:3/ http://bmw[dot]hobuff.info:3/ In addition, in Mask.exe, the second module, here are some identified mining servers used by MadoMiner: http://gle[dot]freebuf.info http://etc[dot]freebuf.info http://xmr[dot]freebuf.info http://xt[dot]freebuf.info http://boy[dot]freebuf.info http://liang[dot]alibuf.com http://dns[dot]alibuf.com http://x[dot]alibuf.com Exploits During the execution of the Install module, MadoMiner makes use of several exploits: CVE-2017-9073, an RDP vulnerability on Windows XP and Windows Server 2003; CVE-2017-0143, an SMB exploit; CVE-2017-0146, an SMB exploit. Installation MadoMiner begins on a victim’s computer as a DLL installed by the EternalBlue/DoublePulsar exploits.
Depending on OS architecture, you’ll find either x86.dll or x64.dll installed on your computer. Both are basically the same, just adjusted for the operating system. Just like ZombieBoy, MadoMiner makes use of a heavily modified version of ZombieBoyTools in order to install its DLL. The reason for this, it seems, is that the CPUInfo.exe dropped by the Install module of MadoMiner appears to be the same CPUInfo.exe dropped by an earlier version of 64.exe, a module from ZombieBoy (similar to the current-day CPUInfo in ZombieBoy, sans embedded miner and anti-VM guards). In fact, if CPUInfo.exe in MadoMiner is run without the surrounding Install module, it will attempt to communicate with ZombieBoy’s servers and ultimately install ZombieBoy. Packet showing malware communicating to ca[dot]posthash.org:443 Setup Once either x86.dll or x64.dll is successfully installed and executed on a victim’s computer, several actions are performed. First, 2 UPX packed modul
AlienVault.webp 2018-09-24 13:00:00 Alert Fatigue and Tuning for Security Analysts (direct link) Alert fatigue is a real problem in IT security. This can set in at the worst time, when an analyst checks their tools and sees yet another event, or even another 50-100 events, after they just checked. They click through events looking for the smallest reason they can find to dismiss the event so they won’t need to escalate, or further investigate, the issue. They’ve been through this before, they can see where the real problems are, and they just want to get rid of these events and continue getting other work done. Unfortunately, as many know, one innocent-looking event could put you on the trail of a bad actor in the environment. Each event must be investigated thoroughly to make sure that there is no evidence of an incident. Going through alerts multiple times, and the fact that they can be very similar, is a large part of alert fatigue. Another part of the cause is false positives. Analysts may find it difficult to maintain vigilance when the majority of events that they go through are false positives. There are new technologies that have come out that claim they are able to reduce the number of false positives. While they may, or may not, be effective in ingesting alerts and identifying true positives, this only adds to the workload of analysts, creating yet another tool to log into and get alerts from. There are also many articles currently about alert fatigue within cybersecurity. An article from Tripwire describes alert fatigue as a combination of too many false positives as well as a reason to raise the security awareness of your organization. Another article from CSO notes that a large number of organizations deal with too many false positives that overload their analysts. This article goes a step further and advises on several steps that can be taken to help reduce the risk of alert fatigue.
These are definitely good steps to help your organization improve its ability to respond to alerts and reduce analyst workload. I recommend reading through and seeing what can be done. Tuning I would also add one more step: tuning. This seems obvious, but it is often overlooked. Let me first tell you what I mean by tuning. Tuning is a combination of reducing false positives, working with alerts, and correlating events and trends to ensure greater accuracy. Each of these helps the analyst by refining alerts being looked into. Tuning needs to be a balanced approach that will reduce the number of unnecessary events received and ensure that there are no blind spots an attacker can take advantage of to slip by unnoticed. The first step of tuning is to figure out what is important to alert on and what is not. In my opinion there is a big section of alerts that can be immediately kicked out of the analyst’s queue. That would be any blocked attacks. Attacks that are blocked by the technology guarding the perimeter and internals of the network and endpoints can be a great story to executives and can even give you trends and areas to look at to make sure that nothing else is needed for protection. However, the alerts that are generated that say something was blocked just add to the data that has to be looked into if sent to the analyst. What Alerts Do You Care About? Removing blocked attacks helps the analyst pay more attention to potential incidents that were not stopped. After you’ve done that, the next matter of importance is: what alerts do you care about? To determine that takes a bit of research. You need to determine what impacts you the most, down to what could be a threat but may, or may not, be worth investigating. That involves knowing: where sensitive information is Threat
AlienVault.webp 2018-09-21 14:18:00 Forrester Says that AlienVault “Challenges” Enterprise SIEM vendors (direct link) Forrester just released their “Security Analytics Wave” report that evaluates Security Analytics/SIEM technologies used by large enterprises (5000+ employees). I am super excited that AlienVault was included for the first time and placed as a “Challenger”. This is quite incredible if you think about it. To include AlienVault as a challenger in a group of vendors that provide big data platforms to large enterprises is a major note on the state of the market. AlienVault has always taken a contrarian approach to traditional SIEM/big data based security techniques. We do not require our users to set up data lakes, or train machine learning algorithms - instead we make it as simple as possible to quickly detect threats, efficiently respond to breaches and manage compliance. We provide a SaaS platform to remove the administrative overhead of a big data product, we integrate the essential security capabilities most customers need and our Labs team delivers Threat Intelligence on a daily basis to train all of the technologies in our platform. The result is that 46% of our customers are investigating an alarm within 24 hours!! In contrast, it takes days, maybe more, just to deploy and populate a big data store, let alone construct analytics workflows. In our early years we quickly gained a large, loyal following in organizations with fewer than 5000 employees. Our approach has helped security champions in more than 7000 organizations around the world along with over 80000 subscribers to our Open Threat Exchange (OTX). In fact, Forrester did an objective analysis of the impact USM Anywhere has had on some real world users of the product.
They found that there was an 80% reduction in the time spent on ‘security engineering’ (time spent deploying, maintaining, integrating security technology), an 80% improvement in the time to detect an incident and an average of 6000 hours a year saved on their audits (2.5 full time employees!). You can find this report here: https://www.alienvault.com/resource-center/analyst-reports/forrester-total-economic-impact-study Our inclusion in the Wave reflects that our value proposition is now resonating with a broader set of customers by making a noticeable dent in ‘traditional’ approaches that require a security team to procure, deploy, and integrate security controls into a data lake and research teams to stay current on threats and tune AI and ML algorithms. In addition, organizations need an operations team to continuously monitor dashboards and respond to the threats. This approach is heavy in technology and heavy in people - it is exactly what we set out to solve with USM Anywhere. As we continue our evolution and become AT&T Cybersecurity, we gain access to one of the world’s largest cyber-security operations. We look forward to leveraging this knowledge to improve the USM Anywhere platform, deliver new capabilities and expand our threat intelligence to disrupt the status quo and help organizations of all sizes strengthen and simplify their security postures. To learn more about the USM Anywhere platform, you can take a look at our interactive demo (https://www.alienvault.com/products/usm-anywhere/demo) or call us ( Threat
AlienVault.webp 2018-09-21 13:00:00 Things I Hearted this Week, 21st Sept 2018 (direct link) Next week I’ll be flying out to Dallas, Texas to attend the AT&T Business Summit. I’ve never been to Dallas before, so hope to check out the sights and maybe even find out who did shoot JR (if you’re born after 1983 that reference probably means nothing to you). Do Breaches Affect Stock Market Share Prices? A common question that comes up is whether a breach actually impacts a company’s share price or not. There are varying degrees of opinions and anecdotes, but what we really need is data. Comparitech has published a very detailed breakdown, complete with methodology and data used. Some of the key findings include: In the long term, breached companies underperformed the market. After 1 year, share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%. It’s important to note the impact of data breaches likely diminishes over time. Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 2.89% on average, and underperform the NASDAQ by -4.6%. After about a month, share prices rebound and catch up to NASDAQ performance on average. After the first month, the companies we analyzed actually performed better than they did prior to the breach. In the six months leading up to a breach, average share price grew 3.64%, compared to 7.02% following a breach. Similarly, the companies underperformed the NASDAQ by -1.53% leading up to the breach, but managed to outperform it by 0.09% afterward.
Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected. Breaches that leak highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info. Analysis: How data breaches affect stock market share prices | Comparitech Europol Internet Organised Crime Threat Assessment 2018 Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and cryptojacking are emerging as serious challenges, according to Europol. The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a good snapshot of current industry trends. It reflects the findings of many security vendors: that ransomware is slowing but still the most widespread financially motivated threat out there, ahead of banking Trojans — and will be so for several years. DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.” Internet organised crime threat assessment 2018 | Europol IOCTA 2018 report (pdf) | Europol Europol: Ransomware Will be Top Threat for Years | Infosecurity Magazine Ransomware Malware Threat Guideline
AlienVault.webp 2018-09-18 13:00:00 AI and ML; Key Tools in Emerging Cybersecurity Strategy and Investment (direct link) Recently, the Defense Advanced Research Projects Agency (DARPA) announced a multi-year investment of more than $2 billion in new and existing programs in artificial intelligence called the “AI Next” campaign. Agency director, Dr. Steven Walker, explained the implications of the initiative: “we want to explore how machines can acquire human-like communication and reasoning capabilities, with the ability to recognize new situations and environments and adapt to them.” Indeed, artificial intelligence (AI) and correlating machine learning (ML) applications have emerged as hot topics in the emerging technology and cybersecurity communities. They are about recognizing “new situations and environments” and adapting to them. According to KPMG, in 2017, AI was a major focus area of global VC investments, over $12B, doubling the volume of 2016. Many of those investments included aspects relating to information security. Now that the DARPA investment (which is directed to much more than cybersecurity uses) has been added to the investment money trail, there is no doubt AI will be part of our cybersecurity future. There is evidence that AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically, it is being used to help protect against increasingly sophisticated and malicious malware, ransomware, and social engineering attacks. AI’s capabilities in contextual reasoning can be used for synthesizing data and predicting threats. AI and ML may become new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms.
This is especially important because of the major shortage of skilled cybersecurity workers and the growing attack surface. According to Cybersecurity Ventures CEO Steve Morgan, the human attack surface is expected to reach 6 billion people by 2022 and cyber-crime damage costs to hit $6 trillion annually by 2021, so AI and ML cybersecurity capabilities are very important and increasingly valuable. Former White House Cybersecurity Coordinator Rob Joyce said in a 2016 presentation at USENIX: “If you really want to protect your network,” he advised, “you have to know your network, including all the devices and technology in it.” A successful attacker will often “know networks better than the people who designed and run them.” With the right combination of data, computing power, and algorithms, artificial intelligence can help defenders gain far greater mastery over their own data and networks, detect anomalous changes (whether from insider threats or from external hackers), and quickly address configuration errors and other vulnerabilities. To provide more depth to his insights, both AI and ML can be integral aspects of automation and adaptive networks. Applications for automated network security in Ransomware Malware Threat
AlienVault.webp 2018-09-17 13:00:00 People and Passwords (direct link) In today's world, the Internet is a vast place filled with websites, services, and other content. Most content, along with computers and other technology, requires a password. The number of passwords a person has to know continues to grow. While it’s safe to say we use passwords to keep our accounts confidential, they can also be very frustrating and inconvenient to create and remember. The outcome is the use of simple, common passwords, the same password on different accounts, and habits such as writing passwords down. Weak passwords are common For example, reports from Techspot.com, Fortune.com, and USAToday.com show that in 2017, passwords like 123456 and football were two of the top ten most used passwords. Why are such passwords still being used? They are easy to remember. People will often turn weak passwords into simple variations in which alphabetic and numeric strings are combined with special characters. For instance, Football and 123456 become Football123456!, a memorable yet easily guessed password. Current practices require complex passwords Various companies have released their own best practices. Symantec’s how-to article, for instance, states a secure password is at least eight characters in length and has an uppercase letter, a lowercase letter, and a number. Take [Football] for example. You can replace the “o” with a “0” and the “a” with “@”, resulting in F00tb@ll. Here, the updated password meets most policies enforced by many web applications such as Google and Outlook. It has an uppercase (F), a lowercase (tball), a number (00), a special character (@), and meets a minimum length of eight characters. Microsoft, however, takes this a step further in some of their guidelines. They state it must not be in the dictionary or incorporate the name of a person or computer. Guidelines such as those demand a complex password. For example, W#T24.ro5*&F is complex yet painful to memorize.
There is a problem with difficult passwords People, out of convenience and frustration, will try to circumvent the password policies mentioned. This becomes more prevalent as the policies get stricter. It is hard enough to remember a password like W#T24.ro5*&F. By the time you’ve memorized it, the time has come to change it, and you can’t repeat the last 8 passwords. So what do people do? They add or change one or two characters (e.g. W#T24.ro5*&F turns into W#T24.ro5*&F1 or W#T24.ro5*&F123, and F00tb@ll turns into F00tb@ll123 or F00tb@ll321). While password expiration policies are arguably a best practice, they are not common outside an enterprise environment. Many websites, such as banks, do not require you to change your password regularly, and those that do might not have a decent policy on repeating passw Tool Guideline LastPass
AlienVault.webp 2018-09-14 13:00:00 Things I Hearted this Week, 14th September 2018 (direct link) With everything that keeps going on in the world of security, and the world at large, most eyes were focused on Tim Cook as he and his merry men took to the stage and announced the latest and greatest in Apple technology. There didn’t seem to be anything totally mind-blowing on the phone end. They just looked to be bigger, faster, and more powerful versions of the iPhones at eye-watering prices. The Apple Watch now has a built-in FDA-approved ECG heart monitor, which is pretty cool as an early-warning system that a stroke is imminent - I assume to allow you to take some smart HDR selfies, apply the correct filters, and post to Instagram before you collapse. But enough about that, let’s get down to business. British Airways Breached BA suffered a rather large breach which included payment information (including CVV) and personal details. While the investigation is ongoing, some security experts believe the breach was caused by malicious code being injected into one of the external scripts in its payment systems. British Airways hack: Infosec experts finger third-party scripts on payment pages | The Register As an affected customer, I accept that companies get breached. But the advice seemed pretty poor. British Airways breached | J4vv4D Boards need to get more technical - NCSC The government is calling on business leaders to take responsibility for their organisations’ cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise. Ciaran Martin, head of NCSC, believes that cybersecurity is a mainstream business risk and that corporate leaders need to understand what threats are out there, and what the most effective ways of managing the risks are. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.
NCSC issues new advice for business leaders as Ciaran Martin admits previous guidance was “unhelpful” | New Statesman Hunting in O365 logs Cloud is great, but sometimes making sense of the logs can be a pain. If you’re struggling with O365 logs, then this document could be really useful. Detailed properties in the Office 365 audit log | Microsoft GCHQ data collection violated human rights, Strasbourg court rules GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment. But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal. It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations. GCHQ data collection violated human rights, Strasbourg court r Data Breach Threat Guideline Tesla
AlienVault.webp 2018-09-11 13:00:00 Explain Cryptojacking to Me (direct link) Last year, I wrote that ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But, I should have known better. Every summertime anthem eventually gets overplayed. This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I’ll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning into this type of threat. What is Cryptojacking? Cryptojacking definition: Cryptojacking is the act of using another’s computational resources without their knowledge or permission for cryptomining activities. By cryptojacking mobile devices, laptops, and servers, attackers effectively steal the CPU of your device to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals who launch cryptojacking campaigns are more interested in your device’s computing power than your own personal data. To understand why, it’s helpful to consider the economics of cryptocurrency mining. Mining for cryptocurrencies like Bitcoin and Monero takes some serious computing resources to solve the complex algorithms used to discover new coins. These resources are not cheap, as anyone who pays their organization’s AWS bill or data center utility bill can attest to. So, in order for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it – that is, unless you can eliminate the resource costs altogether by stealing others’ resources to do the mining for you.
That’s exactly what cryptojacking attacks aim to do: silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine. Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask. Cryptomining vs. Cryptojacking As the cryptocurrency markets have gained value and become more mainstream in recent years, we’ve seen a digital gold rush to cryptomine for new Bitcoin, and more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptomining server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 Billion Bitmain IPO. Yet, the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining “startup” Coinhive has positioned its technology as an alternative way to monetize a website, instead of by serving ads or charging a subscription. According to the website, the folks behind Coinhive, “dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics.” Yet at the same time, Coinhive has been one of the most common culprits found Malware Threat NotPetya Wannacry Tesla
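The post promises a section on detecting cryptojacking that is cut off here. As an added example, not part of the original post, the script below is a first-pass detector for the two shapes the post describes: a miner on a host talking to a mining pool (Stratum, the JSON-RPC protocol pool miners speak) and a web page pulling in a browser miner such as Coinhive. It runs over constructed log records in a JSON-per-line format assumed for this demo; every address, host and URL in them is made up, and MINER_SCRIPT_DOMAINS is an assumed blocklist seeded with the Coinhive hostnames, not a complete list.

```python
# Added example, not from the original post: a first-pass cryptojacking detector
# over constructed log records (one JSON object per line, format assumed for the
# demo; all addresses, hosts and URLs are made up).
import json
from urllib.parse import urlparse

MINER_SCRIPT_DOMAINS = {"coinhive.com", "coin-hive.com", "authedmine.com"}  # assumed blocklist
MINER_AGENT_HINTS = ("xmrig", "xmr-stak", "cpuminer", "minergate")          # well-known miner names

SAMPLE_LOGS = r'''
{"ts":"2018-09-11T13:00:01Z","src":"10.0.0.23","dst":"198.51.100.9:3333","payload":"{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"4AbcWallet\",\"pass\":\"x\",\"agent\":\"XMRig/2.8.1\"}}"}
{"ts":"2018-09-11T13:00:02Z","src":"10.0.0.23","dst":"198.51.100.9:3333","payload":"{\"id\":2,\"jsonrpc\":\"2.0\",\"method\":\"submit\",\"params\":{\"id\":\"1\",\"job_id\":\"7\",\"nonce\":\"c0ffee00\"}}"}
{"ts":"2018-09-11T13:00:05Z","src":"10.0.0.41","dst":"203.0.113.5:443","url":"https://news.example.test/article","script_src":"https://coinhive.com/lib/coinhive.min.js"}
{"ts":"2018-09-11T13:00:06Z","src":"10.0.0.41","dst":"203.0.113.5:443","url":"https://news.example.test/article","script_src":"https://cdn.example.test/app.js"}
{"ts":"2018-09-11T13:00:07Z","src":"10.0.0.50","dst":"192.0.2.10:8080","payload":"GET /index.html HTTP/1.1\r\nHost: intranet"}
'''

def stratum_hit(payload):
    """Classify one TCP payload as a Stratum message, or return None. The bare
    method names used by Monero pools (login, submit) are too generic on their own,
    so they are only accepted together with the parameters Stratum sends with them."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    if isinstance(method, str) and method.startswith("mining."):
        return f"stratum method {method}"              # Bitcoin-style Stratum
    if method == "login" and {"login", "pass"} <= set(params):
        agent = str(params.get("agent", ""))
        if any(h in agent.lower() for h in MINER_AGENT_HINTS):
            return f"stratum login from miner agent {agent}"
        return "stratum login"
    if method == "submit" and {"job_id", "nonce"} <= set(params):
        return "stratum share submission"
    return None

def script_hit(script_src):
    """Flag a script loaded from a known browser-miner host (or a subdomain of one)."""
    host = (urlparse(script_src).hostname or "").lower()
    if host in MINER_SCRIPT_DOMAINS or any(host.endswith("." + d) for d in MINER_SCRIPT_DOMAINS):
        return f"browser miner script from {host}"
    return None

def detect(log_text):
    """Return (src, dst, reason) for every record that looks like cryptojacking."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if "payload" in rec:
            reason = stratum_hit(rec["payload"])
        elif "script_src" in rec:
            reason = script_hit(rec["script_src"])
        else:
            reason = None
        if reason:
            alerts.append((rec["src"], rec["dst"], reason))
    return alerts

if __name__ == "__main__":
    for src, dst, reason in detect(SAMPLE_LOGS):
        print(f"{src} -> {dst}: {reason}")
```

Payload inspection only works while the pool connection is in the clear; once a miner speaks Stratum over TLS, the remaining signals are the destination (pool hostnames and ports) and sustained CPU use on hosts that have no business being busy, which is what the CPU-theft economics in the post point to.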
AlienVault.webp 2018-09-10 13:00:00 VLAN Hopping and Mitigation (lien direct) We’ll start with a few concepts: VLAN A VLAN is used to share the physical network while creating virtual segments to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 device. Security is one of the many reasons network administrators configure VLANs. However, with an attack known as 'VLAN hopping', an attacker is able to bypass this segmentation. Learn more about network segmentation and VLANs here. VLAN Hopping This type of attack allows an attacker to bypass the layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router or other layer 3 device to reach their target. However, many networks either have a poor VLAN implementation or have misconfigurations that allow attackers to perform this attack. In this article, I will go through the two primary methods of VLAN hopping, known as 'switch spoofing' and 'double tagging'. I will then discuss mitigation techniques. Switched Network It is crucial we understand how switches operate if we would like to find and exploit their vulnerabilities. We are not necessarily exploiting the device itself, but rather the protocols and configurations instructing how they operate. On a switch, a port is either configured as an access port or a trunk port. An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN. A trunk port is used when connecting two switches, or a switch and a router, together. Trunk ports carry traffic from multiple VLANs, each frame tagged (802.1Q) with its VLAN ID, except for traffic in the trunk's native VLAN, which is carried untagged. A trunk port can be configured manually or created dynamically using Dynamic Trunking Protocol (DTP). 
DTP is a Cisco-proprietary protocol used, among other things, to negotiate a trunk link between two switches dynamically. Switched Spoofing VLAN Attack An attacker acts as a switch in order to trick a legitimate switch into creating a trunk link between them. As mentioned before, frames from any VLAN are allowed to pass over a trunk link. Once the trunk link is established, the attacker then has access to traffic from any VLAN. This attack is only successful when the legitimate switch port is willing to negotiate a trunk, which is the case when the interface is configured in "dynamic desirable", "dynamic auto" or "trunk" mode (in "trunk" mode the port is already trunking, so no negotiation is even needed). Cisco Catalyst ports default to dynamic auto or dynamic desirable depending on the platform, so an unconfigured port will often negotiate. If the target port is in one of those modes, the attacker can generate DTP messages from their computer and a trunk link will be formed. Double Tagging Double tagging occurs when an attacker crafts an Ethernet frame carrying two 802.1Q tags: an outer tag for the VLAN the attacker sits in and an inner tag for the VLAN of the target. This attack takes advantage of how switches handle the native VLAN on a trunk. When the outer tag matches the trunk's native VLAN, the first switch strips it (native-VLAN traffic is sent untagged across the trunk) and forwards the frame; the second switch then sees only the inner tag and delivers the frame into the target VLAN. With that said, this attack is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is that this attack is strictly one way: the target's replies are tagged with its own VLAN and there is no way for the attacker to encapsulate the return traffic. VLAN Hopping Exploit
Scenario 1 - Switch Spoofing Attack In this scenario there exists the attacker, a switch, and the target server. The attacker is attached to the switch on interface FastEthernet 0/12 and the target server is attached to the switch on interface FastEthernet 0/11 and is a part of VLAN 2. Take a look at the following topology.
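The double-tagging mechanics described above, as an added example that is not part of the original article: a byte-level model of an 802.1Q double-tagged frame and of the two switches it crosses, which shows both why the frame lands in the target VLAN when the attacker sits in the trunk's native VLAN and why moving the native VLAN to an unused ID defeats it. The MAC addresses and payload are constructed, and the switch model is deliberately simplified (no MAC learning, no STP, and the only ingress filtering on the access port is that a tagged frame must carry the port's own VLAN).

```python
# Added example, written for this page (not the article's own code): a model of
# 802.1Q double tagging across two switches joined by a trunk.
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload.
DST = bytes.fromhex("ffffffffffff")   # broadcast, so no MAC table is needed
SRC = bytes.fromhex("0200c0ffee01")   # attacker host (locally administered MAC)
PAYLOAD = b"\x45\x00" + b"\x00" * 18  # stand-in for an IPv4 header

def build_frame(dst, src, vids, payload):
    """Ethernet frame with the given 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vids:
        # TPID 0x8100 followed by TCI (PCP=0, DEI=0, 12-bit VID)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_vids(frame):
    """VLAN IDs carried by the frame, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def strip_outer_tag(frame):
    return frame[:12] + frame[16:]        # drop the 4-byte outer 802.1Q header

def switch1_forward(frame, attacker_vlan, native_vlan):
    """Attacker's switch: accept the frame on an access port in attacker_vlan and
    send it out the trunk. Frames in the trunk's native VLAN are sent untagged,
    i.e. the outer tag is stripped; that is the behaviour double tagging relies on."""
    vids = parse_vids(frame)
    if vids and vids[0] != attacker_vlan:
        return None                       # tag does not match the access VLAN: dropped
    if vids and vids[0] == native_vlan:
        return strip_outer_tag(frame)
    return frame

def switch2_vlan(frame, native_vlan):
    """Target's switch: a tagged frame arriving on the trunk is placed in the VLAN
    of its (now outermost) tag; an untagged frame goes to the native VLAN."""
    vids = parse_vids(frame)
    return vids[0] if vids else native_vlan

def hop(attacker_vlan, target_vlan, native_vlan):
    """VLAN the double-tagged frame ends up in on the second switch, or None if dropped."""
    frame = build_frame(DST, SRC, [attacker_vlan, target_vlan], PAYLOAD)
    on_trunk = switch1_forward(frame, attacker_vlan, native_vlan)
    return None if on_trunk is None else switch2_vlan(on_trunk, native_vlan)

if __name__ == "__main__":
    # Default-style setup: attacker in VLAN 1, trunk native VLAN 1 -> frame lands in VLAN 2
    print("native VLAN 1  :", hop(1, 2, native_vlan=1))
    # Mitigated: native VLAN moved to an unused VLAN -> frame stays in VLAN 1
    print("native VLAN 999:", hop(1, 2, native_vlan=999))
    # Attacker not in the native VLAN -> no hop either
    print("attacker in 3  :", hop(3, 2, native_vlan=1))
```

On Cisco IOS the corresponding hardening is `switchport trunk native vlan 999` on the trunk (an unused VLAN with no hosts), optionally `vlan dot1q tag native` so native-VLAN frames are tagged as well, and for the switch-spoofing case `switchport mode access` plus `switchport nonegotiate` on every host-facing port. The model also makes the one-way nature visible: a reply from the VLAN 2 host would leave its switch tagged 2 and has no reason ever to be placed in VLAN 1.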
AlienVault.webp 2018-09-07 13:00:00 Things I Hearted this Week, 7th Sept 2018 (lien direct) Welcome to another week of security goodness. I think we’re in that weird part of the year where most summer holidays are coming to a close, so people are opening their inboxes - saying NOPE - and shutting them back down again. Or maybe that’s just me. Although I am glad that the kids are finally back to school. But for those of you who may be struggling, here’s a handy article on how to minimise stress before, during, and after your vacation. Hot Hot Security The Scoville Scale is a measurement chart used to rate the heat of peppers or other spicy foods. It can also have a useful application for measuring cybersecurity threats. Cyber-threats are also red hot as the human attack surface is projected to reach over 6 billion people by 2022. In addition, cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. The cybersecurity firm RiskIQ states that every minute approximately 1,861 people fall victim to cyber-attacks, while some $1.14 million is stolen. In recognition of these alarming stats, perhaps it would be useful to categorize cyber-threats in a similar scale to the hot peppers we consume. A Scoville Heat Scale For Measuring Cybersecurity | Forbes Spying on the Spies Spyware may seem like a good option if you want to keep an eye on what online activities your children get up to… or, if you’re the insecure type (or worse), to see what your significant other gets up to. The problem is that these spying tools have been shown to be woefully insecure time and time again. For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records | KrebsOnSecurity Spyware Company That Marketed to Domestic Abusers Gets Hacked | Motherboard Facebook fell victim to fake news It’s not surprising to hear that fake news made its way onto Facebook. What is worrying is that Facebook’s own training materials fell for fake news.   Vulnerability Threat
AlienVault.webp 2018-09-05 13:00:00 Malware Analysis for Threat Hunting (lien direct) If you're not into Wireshark, procmon and Windows Sysinternals you might be in the wrong place :)  Malware analysis allows the analyst to see what actions are taken and allows us to use those actions to build a profile that can be used to detect and block further infections and find related infections.  We run the malware in labs to determine how it acts, we give it different inputs to see how the behavior changes, we run it through debuggers to disable safeties and checks that it might have against analysis, and we may even use a disassembler to more fully understand the paths that the malware may take.  Using these techniques, the malware analyst builds a list of indicators that can be used to detect and block the malware that they are examining, build information about who may be targeting their network, and even what the malware may be gathering.  I’m going to narrow my focus to behavior analysis and give some examples of what can be done with threat hunting and this technique. Behavioral Analysis for Malware Behavioral analysis is the step of running the malware under controlled conditions where you can observe the actions that the malware takes.  By running the malware in a completely isolated environment we can tell what the malware would do if it was unable to communicate.  With behavioral analysis, you take everything a step at a time.  When it is completely isolated, does it try to scan for a network?  If yes, then go ahead, add it to one, and see what happens.  After that, what does it start looking for?  Give it to it.  The main goal of this type of analysis is to see what the malware does in a step-by-step process, allowing you to map its different actions and have a better overall picture of the malware before you start examining it in debuggers or through disassembly.  I would say that this is one of the more fun parts of the analysis process. 
Basic Lab Environment for Malware Analysis Your basic lab environment should contain: VMware/VirtualBox with the following machines: Windows with Wireshark, Process Monitor, and procDOT installed. REMnux (has everything preinstalled that you will need) Make sure that your VMs are set to host-only networking and that your Windows machine has your REMnux box as the default gateway by setting a static IP address.  This ensures that the first hop will be to REMnux and will allow the traffic control that we want. Tools for Malware Behavioral Analysis There are several tools that you want to use to gather the most information that you can: Wireshark: This tool is used to capture network traffic on a given interface.  The follow option will allow you to view pages and traffic, and it even allows you to recreate and save files that were transferred while the packet capture was running. https://www.wireshark.org/ Process Monitor: (procmon) This tool is used to record the full activity of a computer for the time that it is monitoring. This is extremely useful for detailing actions taken Malware Threat
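The post describes turning what the malware does in the lab into a list of indicators. As an added example that is not part of the original post, the script below does that step for a Process Monitor CSV export from a behavioural run: it follows the sample's process tree (including children it spawns), pulls out files written, Run-key persistence, outbound TCP connections and child command lines, and flattens them into terms you can hunt for across the fleet. The CSV column layout is Procmon's default export ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the rows themselves are constructed for the demo and every path, host and process name in them is made up.

```python
# Added example, not from the original post: indicators from a Process Monitor
# CSV export. The rows in SAMPLE_PROCMON_CSV are constructed for illustration.
import csv
import io
import re

SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","sample.exe","4120","Process Start","","SUCCESS","Parent PID: 3988"
"10:01:02.2000000 AM","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2100000 AM","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 245760"
"10:01:02.3000000 AM","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 94, Data: C:\Users\lab\AppData\Roaming\svchost.exe"
"10:01:02.4000000 AM","sample.exe","4120","TCP Connect","lab-win10:49712 -> 203.0.113.7:8080","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:02.5000000 AM","sample.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c schtasks /create /tn Updater /tr C:\Users\lab\AppData\Roaming\svchost.exe /sc onlogon"
"10:01:02.6000000 AM","sample.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows 10 Pro"
"10:01:02.7000000 AM","explorer.exe","2200","WriteFile","C:\Users\lab\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''

PERSISTENCE_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TCP_CONNECT = re.compile(r"^(?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+)$")
PROCESS_CREATE = re.compile(r"PID: (?P<pid>\d+), Command line: (?P<cmd>.*)$")

def extract_indicators(csv_text, sample_name="sample.exe"):
    """Collect behavioural indicators for the sample and the processes it spawns."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    tracked = {r["PID"] for r in rows if r["Process Name"].lower() == sample_name.lower()}
    ind = {"files_written": set(), "persistence": [], "network": set(), "children": []}
    for r in rows:                      # rows are in time order, so children are seen after creation
        if r["PID"] not in tracked or r["Result"] != "SUCCESS":
            continue
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "WriteFile":
            ind["files_written"].add(path)
        elif op == "RegSetValue" and PERSISTENCE_KEY.search(path):
            ind["persistence"].append((path, detail.split("Data: ", 1)[-1]))
        elif op == "TCP Connect":
            m = TCP_CONNECT.match(path)
            if m:
                ind["network"].add((m["dst"], int(m["port"])))
        elif op == "Process Create":
            m = PROCESS_CREATE.search(detail)
            if m:
                tracked.add(m["pid"])   # follow the child process as well
                ind["children"].append(m["cmd"])
    return ind

def hunt_terms(ind):
    """Flat, sorted list of strings to search for in EDR/SIEM data across other hosts."""
    terms = set(ind["files_written"])
    terms |= {dst for dst, _ in ind["network"]}
    terms |= {path for path, _ in ind["persistence"]}
    return sorted(terms)

if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_PROCMON_CSV)
    for key, value in indicators.items():
        print(f"{key}: {sorted(value)}")
    print("hunt for:", hunt_terms(indicators))
```

Filtering on the sample's PID set is what keeps unrelated activity (the explorer.exe write in the sample) out of the indicator list; without it a full Procmon capture drowns the signal.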
AlienVault.webp 2018-09-04 13:00:00 Cyber Security Awareness Month - Phishing (lien direct) It’s September, which means it’s almost October, which is National Cyber Security Awareness Month (NCSAM)! NCSAM was launched by the National Cyber Security Alliance & the U.S. Department of Homeland Security in October 2004. This government and industry collaboration was started with the intention to ensure citizens and companies of all sizes have access to the resources needed to stay safe and secure online. Every year, the official program focuses on a series of weekly themes. Many individuals and companies also share their own best practices and ideas for security awareness. In doing our part, we’re also publishing a series of posts during September and October to help share some of our favourite resources and tips on staying safe online. Phishing: Kicking off the festivities, I’m highlighting one of the most prevalent threat vectors there is: phishing. Phishing can take place under many guises and have different objectives - but at a high level it’s nearly always an email sent which claims to be from a trusted person or entity and attempts to trick the recipient into performing an action. Examples of phishing emails can include: The tax office claiming you have underpaid, or are due a repayment, with a malicious document attached. Your CEO asking that you make a large payment to a new supplier immediately. The IT team asking you to send them your password in an email or via a form. Your bank asking you to log in and confirm details. A service provider threatening to cut off your service unless you respond to them immediately with information. An unsolicited job offer, or a lucrative work-from-home scheme. A match on a dating site asking for excessive personal information, or for money or gifts. 
This is not an exhaustive list, but all of these tactics seek to instill a sense of urgency in the recipient, trying to get them to respond quickly, usually using the broad hooks of money, employment, love, or threats (MELT). There are many telltale signs you can usually look out for, such as the tone of the email, the grammar and spelling, or the email headers, that can indicate whether an email is genuine or not. However, for the most part, it is best to err on the side of caution, and if something doesn’t feel right or genuine it’s best to confirm directly with the alleged sender of the email, using contact details you already have rather than those in the message. While there are a growing number of tools available to defend against cybercrime, education remains one of the most important tools in our defence. It is only by gaining a greater understanding of the threats and techniques encountered - in both personal and business settings - that we can best protect ourselves. A short video on phishing And a slightly more in-depth video on how to spot a phishing email   Threat
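The post mentions email headers as one of the telltale signs. As an added example, not part of the original post, the script below runs the header checks an analyst would make on a suspicious message: whether the envelope sender (Return-Path) and Reply-To point at the same domain as the visible From address, whether the DKIM result covers the From domain rather than some unrelated sender, and whether the subject leans on the urgency hooks listed above. The two messages are constructed for the demo and every address and domain in them is made up. One caveat: an Authentication-Results header is only meaningful when your own receiving mail server added it; anything of the kind arriving from outside can be forged and should be stripped on ingress.

```python
# Added example, not from the original post: header checks for a suspected
# phishing email. Both messages below are constructed; all domains are made up.
import email
from email import policy
from email.utils import parseaddr

PHISH = """\
Return-Path: <bounce@mail-alerts-example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=mail-alerts-example.test; dkim=none
From: "Example Bank Security" <security@examplebank.test>
Reply-To: verify-now@mail-alerts-example.test
To: jan@example.test
Subject: URGENT: confirm your details within 24 hours or your account will be closed
Date: Tue, 4 Sep 2018 13:00:00 +0000

Your account will be suspended unless you log in and confirm your details.
"""

LEGIT = """\
Return-Path: <statements@examplebank.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test
From: "Example Bank" <statements@examplebank.test>
To: jan@example.test
Subject: Your September statement is available
Date: Tue, 4 Sep 2018 13:00:00 +0000

Your statement is ready to view in online banking.
"""

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "closed")

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def header_findings(raw_message):
    """List of human-readable reasons to distrust the message; empty means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    findings = []
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} differs from From domain {from_dom}")
    rt_dom = domain_of(msg["Reply-To"])
    if rt_dom and rt_dom != from_dom:
        findings.append(f"replies go to {rt_dom}, not to the From domain {from_dom}")
    auth = str(msg["Authentication-Results"] or "").lower()
    if f"dkim=pass header.d={from_dom}" not in auth:
        findings.append(f"no DKIM pass for the From domain {from_dom}")
    if "spf=pass" in auth and rp_dom and rp_dom != from_dom:
        # SPF only vouches for the envelope sender; it says nothing about the visible From.
        findings.append("SPF passed for the envelope sender only; it does not cover the From domain")
    subject = str(msg["Subject"] or "").lower()
    hooks = [w for w in URGENCY if w in subject]
    if hooks:
        findings.append("urgency cues in subject: " + ", ".join(hooks))
    return findings

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, header_findings(raw) or "no findings")
```

The "SPF pass but wrong domain" case is the one that fools people most often: the envelope sender really is authorised for the attacker's own domain, so SPF is green, while the address the user sees belongs to the bank. DMARC exists to close exactly that gap by requiring alignment between the authenticated domain and the From domain.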
AlienVault.webp 2018-08-31 13:00:00 Things I Hearted this Week, 31 Aug 2018 (lien direct) After a week in Vegas for Blackhat, and then a week’s vacation, I’m back with your favourite dose of security roundup. Giving you the security news and views you deserve, not need. So, let’s just jump into it and make up for lost time. Adventures in Vulnerability Reporting Discovering vulnerabilities and getting rewarded for bugs is the new hotness. As this is still relatively new, there are many teething problems as organisations and researchers struggle to get on common ground as to how best to disclose them. Natalie Silvanovich of Google’s Project Zero has documented her adventures and an example of a particularly poorly conceived vulnerability disclosure process in this blog: Adventures in vulnerability reporting | Project Zero Natalie raises some very valid points in her post about how researchers will sometimes abandon the disclosure process altogether if it becomes frustrating. As we saw when a Microsoft Windows 0day was disclosed unceremoniously through Twitter. Microsoft Windows zero-day vulnerability disclosed through Twitter | ZDNet And while we’re on the topic of vulnerabilities, Adrian Sanabria drops the truth (with stats) on patching. You should always patch when you can, but when you can’t, you need a plan B. Another Year, Another Critical Struts Flaw | Nopsec Twitter Bots Twitter bots are spoken about frequently, usually in the same breath as fake news or disinformation. But how big a problem are bots, and do they actually influence public opinion or are they merely trolls? The good folk over at SafeGuard Cyber may be able to shed some light on it with a detailed report that looked at over 300k bots and tracked their behaviour and tactics - providing an analysis of how bots are deployed to reshape public perception. 
How Russian Twitter Bots Weaponize Social Media | SafeGuard Cyber A True Password Manager Story I can neither confirm nor deny that I’ve ever blamed Graham Cluley for anything… but this is a good post by Stuart on the trials and tribulations of adopting a password manager. I’m OK, but Graham Cluley made me do it | Hidden Text While we’re discussing passwords, a different Stuart has written a very open and honest discussion on the use of two-factor authentication. It’s well worth a read. Before You Turn On Two-Factor Authentication… | Stuart Schechter, Medium Probably The Best Tech Keynote in the World I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University. I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never. It’s well worth carving 50 minutes out of your day to Vulnerability
AlienVault.webp 2018-08-30 13:00:00 Ethical Hacking: An Update (lien direct) How has the world of hacking changed over the past decade? More and more companies are hiring ethical hackers to hack systems and show vulnerabilities. Penetration testers try to access systems by any means possible, including through social engineering. Let’s look at what ethical hacking is, how it’s done, and how it will change in the future. Ethical Hacking Commonly known as “white hat” hackers, as opposed to black hat, ethical hackers are generally employed by a company to hack into the company’s systems and show them vulnerabilities. Some will help patch up the holes, while others simply expose what’s wrong and leave it to the company’s IT team. The word “hacker” carries a certain connotation and is usually negative. However, it’s best to think of them in “Old West” terms. The sheriff in the old west always wore a white hat and was the good guy. The outlaw wore a black hat. Hence, the terms white hat and black hat hacker; one aims to help while the other is malicious. In order to combat black hat hackers, white hat hackers have to think like black hat hackers. Some may have even started as black hat hackers, gained skills, and decided to use those skills for good. Unlike in previous years, where dealing with ethical hackers could be a grey area, white hat hackers are now often certified as ethical hackers. They can prove they are using their skills to benefit a company rather than trying to break into the company’s system and actually steal information. Penetration Testers Incidentally, penetration testers do steal information. They can also steal physical computers, hard copies of information, and more. Pen testers are sometimes not limited to just computer systems. Instead, much like the mindset of a hacker mentioned above, they do whatever they can to access a system, such as using social engineering or email spoofing. 
They are often part of the “red team,” hired to find holes in security. Imagine, for instance, someone calling IT and claiming they forgot their password. The password is reset, and the employee leaves happy. The problem is that it wasn’t actually the employee but someone posing as them who now has access to the system. A member of the red team might be able to swipe a pass card, enabling them access to a server room. From there, they can directly connect to the server, accessing information. The sticky note Jan from accounting keeps on her computer monitor to remind her of her logins? Gone the next morning. Everyone from Hack Guideline
AlienVault.webp 2018-08-28 13:00:00 AlienVault Product Roundup July / August 2018 (lien direct) It’s been a busy summer at AlienVault! Amid some major company announcements, we continue to evolve USM Anywhere and USM Central with new features and capabilities that help you to defend against the latest threats and to streamline your security operations. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Here are a few of the highlights from our July and August 2018 releases: New EDR capabilities with the new AlienVault Agent On July 31, 2018, we publicly launched new endpoint detection and response (EDR) capabilities in USM Anywhere, extending the platform’s powerful threat detection and response capabilities to the endpoint. Read the blog post here. By deploying the AlienVault Agent - a lightweight and adaptable endpoint agent based on osquery -  you can expand your security visibility to detect modern threats and monitor critical files (FIM) on your Windows and Linux endpoints, whether in the cloud, in your data center, or remote. The new EDR capabilities were made available automatically and seamlessly to all USM Anywhere customers, without requiring any subscription upgrades, system updates, or the purchase of add-on products to access the capabilities. AlienApp for ConnectWise The AlienApp for ConnectWise is now included in the Standard and Premium editions of USM Anywhere. Service management teams that use ConnectWise Manage can leverage automated service ticket creation from USM Anywhere alarms and vulnerabilities as well as synchronization of asset information. Slaying Defects and Optimizing the UX In addition to these new capabilities and apps, in every update this summer, the team has rolled out enhancements to the user interface and / or has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details. 
USM Central Roundup and Look Ahead Earlier this month, Skylar Talley, AlienVault Senior Product Manager for USM Central, wrote a blog post recapping the recent improvements to USM Central and outlining his vision for the product in the next few months. You can read the full post here. The highlights include: Two-way alarm status and label synchronization Orchestration rules management across USM Anywhere deployments USM Central API availability (You can find the API documentation here.) Threat Intelligence Highlights USM Anywhere receives continuously updated rules and (new!) endpoint queries to detect not only the latest signatures but also higher-level attack tools, tactics, and procedures – all curated for you by the machine and human intelligence of the AlienVault Labs Security Research Team. The AlienVault Labs Security Research team publishes a weekly threat intelligence newsletter, keeping you informed of the threats they are rese Threat Medical APT 38
AlienVault.webp 2018-08-27 13:00:00 Earning a Cyber Security Certificate: Pros and Cons (lien direct) The need for highly skilled cyber security professionals is not slowing down. As cyber crime continues to plague both the public and private sectors, demand is soaring for experts with the skills to help protect businesses and combat ever-evolving threats. If you’re looking to pursue or advance your career in cyber security, you may be wondering how much education you’ll need to qualify for certain jobs. As cyber crime has intensified over the past decade, new educational programs have emerged to help train aspiring cyber security experts. There are now undergraduate and graduate degrees, along with certificates and certifications focused on cyber security. In this article we’ll examine the certificate option. Careers in cyber security tend to pay well and — because a certificate requires a significantly smaller investment in time and money than an undergraduate or graduate degree — it can be an appealing option to those looking to get their start in cyber security or make a career switch. But because cyber security is a particularly complex field, a certificate on its own may not be enough. Depending on your goals and your situation, a certificate may or may not offer the return on investment you are seeking. Here’s a related blog on whether certificates are worth your time. Is a Cyber Security Certificate Right for You? If you are looking to launch a career in cyber security, it’s very possible that you’ll need more than a certificate to get your foot in the door. In fact, although there is an abundance of job openings, many of these openings exist because employers can’t find candidates with the right level of education and experience. A certificate may be a good option if you are just looking to learn more about the field and are still considering your career options but are not ready to commit to more than that. 
On the other hand, if you are more advanced in your career and are looking into pursuing a certificate with the possibility of moving into a degree program, you should make sure to find a certificate program that will allow you to transfer your courses. A certificate could also be a good option for those working in human resources, information security, web development, computer network architecture or similar tech-related fields who need to brush up their cyber skills but don’t need or want to commit to more. Since most certificate programs include high-level introductory classes that cover the basics of cyber security, such programs can be a great way to get a taste for what working in the field might be like. However, if you’re hoping to pursue a career in cyber security, a certificate on its own likely won’t suffice to get you where you want to go. What to Consider When Pursuing a Cyber Security Certificate If you decide that a certificate program is right for you, be sure to find a university that offers graduate programs in cyber security and will allow you to transfer your credits should you decide to advance your education even further. Be wary of for-profit programs. If you are going to pursue a certificate, there are many well-regarded institutions that offer certificate programs and will likely deliver a stronger education coupled with a better reputation. Remember that there is a big difference between a certificate and a certification. Guideline
AlienVault.webp 2018-08-21 13:00:00 Antivirus Evasion for Penetration Testing Engagements (lien direct) During a penetration testing engagement, it’s quite common to find antivirus software installed on a client’s computers. This makes it quite challenging for the penetration tester to run common tools, while giving the clients the perception that their systems are safe, but that’s not always the case. Antivirus software does help in protecting systems, but there are still cases where these defenses can be bypassed.  Antivirus evasion is a broad topic and this article only presents very basic methods to bypass detection when the program is at rest as a file on non-volatile storage. Evasion techniques for the run-time state are quite different and challenging because of the behavior monitoring done by antivirus programs. In this article, I will be discussing a few techniques that can be used to bypass antivirus software, such as string manipulation and code substitution. Before anything else, however, an understanding of programming is required because I’ll assume that the detected software application has its source code available for modification. I’ll probably work out another separate article for evasion of programs that don’t have their source code available. There will be two basic steps. First will be finding the cause of the detection, while the next step goes into how the detection can be bypassed. This is because we won’t be able to fix something if we don’t know what the problem is.  Looking for the Origin of the Detection For the demonstration, I will be using an object-oriented language, specifically C#, with the help of Visual Studio 2012. I grabbed a snippet from here, specifically the functions “startup” and “USBSpread”, and created a new project to put both of these in. 
This is what it looks like after creating a console project in C#: Please note that I have minimized the region of the code in the screenshot above to make it short. I’ll leave the credits where they are due for both those functions. After compiling the project and scanning it in VirusTotal, the result shows two antivirus engines detecting it, namely ESET and Sophos. If any of you are not familiar with it, VirusTotal shares copies of submitted files with the participating antivirus vendors, especially when some engines already detect them. Chances are that if you are reading this right now, the scan results will have changed already by the time you visit the link. Submitting a tool there means it is likely to become detected very quickly, so VirusTotal should not be used for scanning while you are developing a penetration testing tool to be used for legal assessments. Now here comes the fun part. How can we find out what’s causing the detection? Since we have a copy of the source code, what we can do is remove parts of the code line by line and rescan it. To start off, I have commented out the whole “USBSpread” function as seen below: Compiling this and scanning in VirusTotal will give us a
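The "comment a chunk out and rescan" search above, and the string manipulation the article names as the first bypass, as an added example written for this page rather than taken from the article's C# project. The scanner is a toy with invented byte signatures standing in for whatever ESET and Sophos actually matched, the source chunks are constructed stand-ins for the Startup/USBSpread functions, and the rewrite hides each matched string literal behind a base64 round-trip so the bytes the scanner matched no longer appear in the artefact while the run-time value is unchanged.

```python
# Added example (not the article's code): toy signature scanner, chunk-removal
# search for the flagged region, and a string-literal rewrite of that region.
import base64
import re

# Constructed signatures: byte strings the toy scanner flags.
TOY_SIGNATURES = [b"autorun.inf", b"[autorun]"]

def toy_scan(blob):
    """Return the first matching signature, or None (the toy AV verdict)."""
    return next((sig for sig in TOY_SIGNATURES if sig in blob), None)

# Constructed C#-style source, split the way the article splits it (one function
# per chunk) so that commenting a chunk out corresponds to dropping a key here.
SOURCE_CHUNKS = {
    "startup": b"static void Startup() { /* registers a Run key */ }",
    "usb_spread": b'static void USBSpread() { File.WriteAllText(drive + "autorun.inf", "[autorun]" + "\\r\\nopen=" + name); }',
    "main": b"static void Main() { Startup(); USBSpread(); }",
}

def join_chunks(chunks):
    return b"\n".join(chunks.values())

def locate_flagged_chunks(chunks, scan=toy_scan):
    """Which chunks trigger the scanner? First the article's method: drop one chunk
    at a time and rescan; the chunks whose removal clears the verdict are the
    culprits. If no single removal clears it, more than one chunk is flagged, so
    fall back to scanning each chunk on its own."""
    if scan(join_chunks(chunks)) is None:
        return []
    cleared = [name for name in chunks
               if scan(join_chunks({k: v for k, v in chunks.items() if k != name})) is None]
    if cleared:
        return cleared
    return [name for name, body in chunks.items() if scan(body) is not None]

def rewrite_literals(chunk, literals):
    """Replace each C# string literal with an expression that rebuilds the same
    value at run time. Static matching on the literal's bytes no longer works;
    behavioural detection at run time is unaffected, which is the article's caveat."""
    for lit in literals:
        enc = base64.b64encode(lit).decode("ascii")
        expr = b'Encoding.UTF8.GetString(Convert.FromBase64String("' + enc.encode("ascii") + b'"))'
        chunk = chunk.replace(b'"' + lit + b'"', expr)
    return chunk

def recover_literals(chunk):
    """What the rewritten expressions evaluate to at run time (sanity check)."""
    return [base64.b64decode(m) for m in re.findall(rb'FromBase64String\("([A-Za-z0-9+/=]+)"\)', chunk)]

def evade(chunks, scan=toy_scan):
    """End to end: find the flagged chunk(s) and rewrite the matched literals there.
    With a real engine you would not know the signature and would narrow it down
    inside the chunk by hand, as the article goes on to do."""
    patched = dict(chunks)
    for name in locate_flagged_chunks(chunks, scan):
        hits = [sig for sig in TOY_SIGNATURES if sig in chunks[name]]
        patched[name] = rewrite_literals(chunks[name], hits)
    return patched

if __name__ == "__main__":
    print("flagged:", locate_flagged_chunks(SOURCE_CHUNKS))
    patched = evade(SOURCE_CHUNKS)
    print("verdict after rewrite:", toy_scan(join_chunks(patched)))
    print("run-time values:", recover_literals(patched["usb_spread"]))
```

Rescan locally against the engines the client actually runs rather than against VirusTotal, for the reason the article gives: every upload hands the sample to the vendors, and a tool that was clean on Monday can be flagged by Wednesday.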
AlienVault.webp 2018-08-20 13:00:00 (Déjà vu) How to Get into InfoSec: InfoSec Career Path Hacking (lien direct) Maybe you've always dreamt of getting into the InfoSec field, and have been thinking about getting into information security for a while, or it's just coming to mind now. Regardless of where you are in your journey, welcome to the InfoSec community! In the words of the great Kung Fu Master, Shifu, “There is no level zero.” If you’ve seen Kung Fu Panda, you may recall that Po is a panda who eats, sleeps, and breathes Kung Fu, yet finds himself outside that community. He dreams of being a warrior. One day, he sees an opportunity to witness a significant moment in Kung Fu history and so he sets out on his journey.  But first, he must climb to the temple. It would have been easy for him to zig-zag his way to the top of the mountain, though it might have taken longer. Instead, he started with the logical place... the stairs - a much shorter path. You too will have to choose your path to awesomeness. Allow me to illuminate the way. “There is no level zero.” Find Your Why Po wanted to be great at Kung Fu purely for the sake of being great. Unfortunately, that probably won’t be enough to sustain you in the InfoSec field.  We all have selfish motivations, but they should pale in comparison to the greater good of our community, industry, and humanity. You will meet many who have forgotten that we are doing this for people, not to serve technology. Find your "why", and let it be outside yourself. That motivation will carry you through the many challenges, twists and turns along the way. “You will meet many who have forgotten we are doing this for people…” Take the Shortest Path The circuitous route is to acquire the necessary skills along whatever path you are on now. Even so, you will at some point have to focus on the particulars of those skill areas and invest in them. The alternative is the more direct route of certification and/or education. 
Although it may be more difficult, it will give you a more immediate opportunity. Certifications offer concentrated, focused training in a specific set of topics to support your goals. For example, the SANS Institute and CompTIA have well-planned certification roadmaps. Simply take a look at them, consider your current ability level and pick a certification as a starting point. Another resource is the free site Cybrary.it which hosts training courses in the certification area of your choosing. Don't forget to schedule your exam to give you motivation. Just taking an exam is a learning experience. Here’s a blog on the value of certifications you might want to look at. A wise mentor once told me that in order to be successful in InfoSec you need strong bases in at least one but preferably two of three areas: development, system administration, or networking. You may, perhaps, choose certifications such as Python and Powershell, A+, NET+, CCNA, Windows, Linux, and others. These may be vendor specific or vendor-agnostic. Employers will prefer a mix of both, depending on their alliances, partnerships, and the technologies that they leverage to deliver their business. Security job postings are an excellent source of this business intelligence. Regardless of how you choose to invest your time and ene Threat
AlienVault.webp 2018-08-16 13:00:00 Do You Take Security Seriously? (lien direct) Well, Javvad Malik has created another awesome report taking on what taking security seriously actually looks like - both for customers and providers. Here's a little excerpt: The “we take security seriously” line is the security equivalent of the infamous call center “your call is important to us” line. Everybody says it because that’s what you say. Taking security seriously is not a statement to be made, it’s achieved by making security part of your process, and that’s visible to everyone. - Scott Helme Taking security seriously isn’t measured by a solitary point in time, nor can it be boiled down to implementing a single standard set of controls. There are many factors that contribute to this mindset. If someone says they take security seriously, they should be able to defend that statement in some manner. It doesn’t need to be a universally accepted position; it just needs to be something that shows they have put some thought into it and arrived at a logical conclusion. Security doesn’t always need to be visible. It doesn’t need to be done for ‘show’ - a “security theatre” if you will. The problem today is that too many companies don’t think about security in earnest at all - well, at least not until they get breached. After a breach, however, they all inevitably state: ‘we take security seriously’. The Japanese say you have three faces. The first face, you show to the world. The second face, you show to your close friends and your family. The third face, you never show anyone. It is the truest reflection of who you are. Similarly, you could say that security has three faces: the security you show to the world, the security that is visible internally in your organization, and the third, which reflects how you truly feel about security - that is the real measure of how seriously you take security. Read the whole report here!
AlienVault.webp 2018-08-15 13:00:00 Discovering CVE-2018-11512 - wityCMS 0.6.1 Persistent XSS (lien direct) Content Management Systems (CMS) are usually good to check out for security issues, especially if the system is gaining popularity or being used by a number of people. Doing a white box type of assessment not only gives the potential to discover security issues but also opens interesting possibilities if ever a bug is found. This is because a white box assessment looks into the internal structure of how an application works. WityCMS, for instance, is a system made by CreatiWity which assists in managing content for different uses, like personal blogging, business websites, or any other customized systems. In this post, I will walk through the steps of setting up the CMS, finding a web application issue, and processing a CVE for it. Installation (Windows with XAMPP) 1. Download a copy of the source code (Version 0.6.1). 2. Extract the folder /witycms-0.6.1 from the archive to C:\xampp\htdocs\ or wherever you have installed XAMPP in Windows. 3. Assuming Apache and MySQL are running, visit http://localhost/phpmyadmin/index.php. 4. Click on the "databases" tab. 5. Type in “creatiwity_cms” as the name of the database and click create. 6. You should now be able to browse the application by visiting http://localhost/witycms-0.6.1/ 7. Fill in the data required. For example, for “Site name”, I’ve added in “Test”. Click on the Next button. 8. Next comes defining the homepage of the system. You can choose any from the options. For example: 9. Setting up the database is next. From step #5, I have used the database name “creatiwity_cms”, so this goes in the database setup. 10. Enter the administrator account details and click “Launch install!” (I have added user “admin” with the password of “admin” here) 11.
Once successful, this page should pop up: Finding a Web Application Security Issue Since this article is about CVE-2018-11512, I will be limiting the scope of finding web application vulnerabilities to a persistent XSS vulnerability. But first, let’s try to understand what a persistent XSS is.   According to OWASP, “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted we Vulnerability Guideline
AlienVault.webp 2018-08-14 13:00:00 Improving Threat Detection through Managed Security Service Providers (MSSPs) (lien direct) Executive Summary: Cybersecurity is a growing concern as breaches continue to increase in frequency and make headline news. Unfortunately, due to time and other constraints, many smaller businesses postpone the complicated task of risk management, only to eventually succumb to the devastating ramifications of a cyberattack. While the security solutions themselves appear complicated, the ability to mitigate risk is within reach of all. Through partnering with a trusted Managed Security Service Provider (MSSP) that offers expertise to ensure the safety of sensitive systems and data, every company – no matter the size – can lessen the risks involved. Every day we see a new headline that turns the spotlight on cyberattacks of retail giants and enterprise businesses. It’s alarming and causes a ripple effect of fear across our daily lives. While this intense publicity increases awareness for cybersecurity in general – it’s not always effective at bringing attention to business leaders who think smaller companies are inherently unattractive targets for cybercriminals. In actuality, this sort of misunderstanding leaves companies highly vulnerable, especially those with limited resources, expertise, and budgets. As threat tactics evolve, they are more exposed than ever due to: new malware variants introduced daily; the complexity of securing multiple points of access; and the cybersecurity skills shortage, coupled with a lack of time and money. What’s more, thinking a company is safe in today’s threat climate is potentially one of the most costly mistakes smaller companies can make. They are easy targets, with slim chances of recovery, as an attack averages $117,000 in costs, which factors into a 40% chance of survival. The Value of MSSPs Fortunately, there’s a silver lining.
With help from a trusted Managed Security Service Provider (MSSP), companies with limited resources can ensure their systems are safe and protected without hiring an in-house team. Whether it’s day-to-day monitoring, analysis, detection, response, or reporting on vulnerabilities, these security experts offer businesses of all sizes the peace of mind they need – at surprisingly affordable costs. For more information on how working with an MSSP can help your business mitigate risk, watch this short and informative video. AlienVault MSSPs For nearly a decade, we’ve equipped an extensive network of MSSPs with robust technology that allows for quick reaction and response to security challenges, worldwide. AlienVault Unified Security Management (USM) is a cornerstone in building successful managed security and compliance service offerings. Trusted by 7,000+ customers, we simplify security, save costs, and reduce complexity and deployment time for businesses of all sizes. What’s Next? Visit our website to learn more about outsourcing your security needs or get introduced to one of our trusted MSSP pa Malware Threat Guideline
AlienVault.webp 2018-08-13 16:24:00 The Black Hat Recap (lien direct) BlackHat is always one of the most interesting conferences of the year. Firmly sandwiched between BsidesLV and DefCon, it brings a unique mix of research and people to Las Vegas. We unveiled our new booth design, which featured a huge Alien head hovering above the shiny new green and black booth, which had a presentation theatre on one side and demo pods on the other. As always, the booth proved to be a great hit and served as the central point where we could meet old friends and new. The Talks Parisa Tabriz, director of engineering at Google, delivered the keynote address at this year’s BlackHat. Tabriz likened most security to a game of whack-a-mole and encouraged security professionals to embrace three steps in an interesting address: tackling root cause; picking milestones (and celebrating achieving them); building out a coalition (beyond the industry). Our own Aliens had a couple of speaking sessions. Sanjay Ramnath delivered a session entitled "From the Defender's Dilemma to the Intruder's Dilemma". Over at the Diana Initiative at DefCon, Kate Brew presented "Age Like a Fine Wine, not a Fine Whine" - I was particularly disappointed to have missed this talk, as I had to fly back home and there was a no-photos-or-video policy. The ever-expanding show I missed BlackHat last year, and this year it felt as if I'd almost walked into RSA. The vendor halls seemed a lot bigger and more spaced out than before. With over 250 vendors exhibiting, there was a lot of floor space to cover, technologies to see, and swag to be grabbed. However, perhaps one of the most interesting aspects of the show floor is across from the main hall in the BlackHat Arsenal. The Arsenal is an area for independent researchers where open-source tools and products are demonstrated in 20-minute sessions in an informal setting.
I recall the first time I saw the Arsenal a few years back: it was in a small corner with a handful of tools, but it has grown into an almost con-within-a-con. The organisers have definitely done a great job with it, and you should have it on your list of things to see next time you are at a BlackHat. Swapping parties for breakfasts People usually ask what the parties are like - every night in Vegas there appears to be a party or event of some sort. However, if you're like me, then parties may not be your scene. So I spent the week getting early nights and arranging breakfast meetings instead. Personally, this was one of the best decisions I made. It was great to get up well-rested, to sit in a quiet venue and have good discussions over breakfast. While this approach may not be for everyone, my pro tip for Vegas is always to schedule some quiet time away from the noise. Until next time When it was all said and done, it was a very enjoyable, if tiring, week filled with great content, the opportunity to meet up with old colleagues, and make some new connections. We look forward to seeing you at an event soon.
AlienVault.webp 2018-08-09 13:00:00 What You Need to Look for When Choosing a Hosting Company for Your Startup (lien direct) Whether you sell clothes online or have recently set up a financial services firm, every startup needs to have a strong online presence in order to make the right moves in 2018. To do this, it is critical that you align with a premium-quality hosting provider. After all, if you choose a web host that is unreliable and does not deliver high levels of performance, then the usability and speed of your website will suffer. Not only will this frustrate your customers and prospects, but it will cause your search engine ranking to fall too. This is something that no business can afford, but especially not a startup that’s struggling to get established. So, with that in mind, read on to discover all of the different things you need to look for when choosing a hosting company for your startup. Start by identifying your hosting needs The first thing you need to do is understand your hosting needs. You won’t be able to find the right web host for you if you do not know what you need. To determine this, you need to first ask yourself a number of different questions, including the following: What type of platform are you going to use for your website? For example, will it be WordPress or a different platform? What sort of website are you going to build? Are you going to build a portfolio website, organisational website, blogging website, or something else? Are you interested in building more than one website? What volume of traffic are you aiming for? Are you going to require special software to code your site, for example, .net, java, php, etc.? By answering these important questions, you will be able to figure out what you need so that you have a good starting point in your quest to find the best web host for your particular requirements.
Reliability, performance, and server uptime There really is only one place to begin when it comes to assessing the quality of a web host business, and this is by looking at the level of performance and the guaranteed uptime they provide. Don’t settle for anything less than the best in terms of uptime, as your business cannot afford to be offline. Companies like HostGator and SiteGround guarantee 99.9 percent uptime. You should not settle for anything less than 99 percent. Other factors also play a critical role in helping you determine whether a web host is reliable or not. This includes things like bandwidth, daily back-ups, and RAID-protected storage. You will also want to ensure that the company provides 24/7 customer support, as you want to have complete peace of mind that any issues will be dealt with immediately so that they do not have a negative impact on your business. In terms of site back-ups specifically, there are a few key questions you can ask a prospective company to get a better understanding of this aspect: Do you only provide the back-up itself, or do you offer assistance in restoring the back-up? Do you offer any plug-ins for site back-ups? How often do automatic back-ups take place? Are there any options for manual site back-ups? Is there the option for site back-ups within the admin control panel? This will help you determine how frequently back-ups occur and whether or not there is any level of customisation. This is critical because no business can afford to lose its critical data, so you need to be able to back up your data according to your requirements. Price and refunds
AlienVault.webp 2018-08-07 13:00:00 USM Central Product Roundup and Look Ahead (lien direct) We have an audacious goal on the USM Central Product team. We believe that we can create the most phenomenal security platform for MSPs and MSSPs on the market with the combination of USM Central, USM Anywhere, and USM Appliance. As we move into Q3, we wanted to take some time to stop and reflect a bit on our journey. We thought it’d be helpful to provide some perspective on the problems we believe USM Central should solve for our customers, recap what we’ve built so far, and preview what’s ahead of us as we storm ahead into the back half of the year. When prioritizing our efforts for USM Central, we always try to ask ourselves two questions. The first is, “how can we help our MSSP / MSP partners to be more efficient?” For instance, are they taking some redundant action multiple times across several deployments? What data are they looking for in the “child deployments” that would be helpful to view in USM Central? The second is, “how are USM Central users ‘patching’ our functionality?” By talking to our partners every week, we try to understand what other systems or tools they are using in conjunction with our products and find ways that we could either 1) address that need in product or 2) integrate with the existing workflow. While USM Anywhere continues to push the envelope on core security capabilities, we believe we can create “SOCs with superpowers” with USM Central by showing up every day and trying to answer those two questions. Below, you’ll find a short summary of our recent efforts and what we’re excited about moving forward. Alarm Status and Label Synchronization Labels are a simple yet powerful method to track the status of alarms in the various stages of the investigation cycle, classify alarm data for analysis/reporting, or even show “proof of work” to your end customers.
Before USM Central, any edit to a label in the child instance would not be reflected in the Federation Server, requiring an analyst to make the label or alarm updates in multiple places. Today, any changes made to an alarm from connected USM Anywhere deployments are automatically synced to USM Central, and USM Central users can standardize labels across all of their USM Anywhere deployments. We're hoping this will dramatically streamline alarm workflows. Check out the details of this feature in the documentation here. Orchestration Rule Management Often, when our MSSP partners create an orchestration rule in USM Anywhere for one client, they recognize that it would be useful to deploy that same rule to another client. Additionally, when onboarding a new client, we’ve found that it’s helpful to do a comparative audit with another, more mature deployment to make sure you've covered all of your bases, from filtering to alarm rules. With the most recent release of USM Central, all of the rules for your connected USM Anywhere deployments are now synced to USM Central. USM Central users can filter their view to only show rules from selected deployments, or copy a rule and quickly apply it to another customer. API Availability Do you use a ticketing system to generate tickets for alarms generated within your AlienVault deployment(s)? Maybe you customize reports or dashboards by using data from AlienVault and other products for internal use or client presentations? You can now generate an API key in product for the USM Central API. The REST interface will allow you to search for alarms across all of your connected USM Anywhere or USM Appliance instances. For this first release, we've only exposed an Alarms endpoint, but we Vulnerability
AlienVault.webp 2018-08-06 13:00:00 Black Hat 2018 will be Phenomenal! (lien direct) The AlienVault team is ready to meet and greet visitors at Black Hat USA 2018, August 8th and 9th at the Mandalay Bay Convention Center in Las Vegas! Black Hat is one of the leading security industry events. The conference features the largest and most comprehensive trainings, educational sessions, networking opportunities and a two-day expo packed with exhibitors showcasing the latest in information security solutions from around the world! Visit us at Booth #528! Visit booth #528, located below the large, green alien head! We will be leading theater presentations twice an hour. Attendees will get a cool AlienVault collector's t-shirt, as well as a chance to win a pair of Apple® AirPods during our daily raffle. Stop by and meet the AlienVault team and learn about the recently announced endpoint detection and response capabilities now part of the USM Anywhere platform! USM Anywhere is the ONLY security solution that automates threat hunting everywhere modern threats appear: endpoints, cloud, and on-premises environments – all from one unified platform. Check out this awesome video by Javvad Malik, Community Evangelist for AlienVault, to learn more! Attend the "From the Defender's Dilemma to the Intruder's Dilemma" Session for a chance to win a Nintendo Switch! Join AlienVault VP of Product Marketing Sanjay Ramnath at a Black Hat speaking session. Sanjay will be speaking on Wednesday, August 8th from 10:20am-11:10am in Oceanside E on 'From the Defender's Dilemma to the Intruder's Dilemma'. We will be handing out raffle tickets before the session begins. Be sure to check out this session for the chance to win a Nintendo Switch! Get Access to the Exclusive Security Leaders Party at Black Hat! AlienVault is co-sponsoring one of the hottest security parties at Black Hat!
Join us on Wednesday night from 8:00 - 10:00pm - guests will enjoy music, food, and a full open bar at the best venue at Mandalay Bay, Eyecandy Sound Lounge! This will be the most talked about party of BHUSA 2018! We expect to reach capacity, so don't hesitate to get on the list now! Event Details: Date: Wednesday, August 8th Time: 8:00 - 10:00 PM Location: Eyecandy Sound Lounge, Mandalay Bay We can’t wait to see you all at #BHUSA this week! Threat Guideline APT 32
AlienVault.webp 2018-08-03 13:00:00 Things I Hearted this Week, 3rd Aug 2018 (lien direct) It’s August already. The kids are off on their summer vacations telling me how bored they are every 5 minutes, and the annual security gathering in Las Vegas of Blackhat, Defcon, and BsidesLV is all but upon us. There will be no recap next week because I’ll probably be getting ready to fly home - but normal service should resume the following week. The Red Pill of Resilience in InfoSec Another insightful write up by Kelly Shortridge, which happens to be the full text of her keynote on resilience. It touches on, and expands many concepts to uncover what it really means to be resilient in infosec, and what the industry can do. The Red Pill of Resilience in InfoSec | Medium, Kelly Shortridge VDBIR Data The Verizon Data Breach Report has become the staple go-to report for security professionals wanting to understand the breach landscape. But a once-a-year report is usually too long for most of us to wait to see what’s new. So the good folk have created an interactive portal where you can explore the most common DBIR patterns. VDBIR Portal | Verizon enterprise Reddit Breached Reddit disclosed a breach and say they’re still investigating. It appears that the attacker was able to bypass SMS-based two-factor (two-step) authentication. We had a security incident. Here’s what you need to know | Reddit It’s worth revisiting this blog by Paul Moore on the difference between two-factor and two-step authentication. The difference between two-factor and two-step authentication | Paul Moore Alex Stamos off to Academia Facebook chief security officer Alex Stamos is leaving the social network to work on information warfare at Stanford University. The social network has not named any replacement. Facebook's security boss is offski. Not to worry, it has 'embedded security' in all divisions | The Register CISCO + DUO = DISCO! 
Cisco has announced it will be acquiring DUO Security for $2.35bn in cash it found lying behind the sofa. Cisco is buying Duo Security for $2.35B in cash | Tech Crunch Farcial Recognition Amazon’s face surveillance technology is the target of growing opposition nationwide, and today, there are 28 more causes for concern. In a test the ACLU recently conducted of the facial recognition tool, called “Rekognition,” the software incorrectly matched 28 members of Congress, identifying them as other people who have been arrested for a crime. Data Breach Threat
AlienVault.webp 2018-08-02 13:00:00 Standing Out as an Information Security Student (lien direct) As students, we get told that college is enough to land us anything we want. I can honestly say from my experience that was not the case at all. I grew up in a household where education will land you where you want and you don’t need to be external with the system, so I assumed that as long as I had a good GPA to show, any company would want me. You don’t have to do exactly what I did. Honestly, I advise you not to, and you’ll see why. Instead, use this as awareness that you shouldn’t just allow your classes to speak for you, and you should get ahead while you have time. I’m going to explain a little about my background in education and then dive into what I did during my 3rd year of university to go from being declined for every position I applied for to having a table full of internship offers from many different sides of business, including the medical field. My Educational Background I started university at a school that focused on the offensive side of security. I finished 2 years, then decided to travel to a different city to attend a new university that titles me as a cybersecurity engineer, so I started to focus on the defensive side of security. Note that this university has a cybersecurity program that is very well known in the state; that’s why I transferred. So 3rd year hit, and I figured it was getting close to time to start applying for internships for the upcoming summer. I felt like I needed to finally enter this field; 3 years of being JUST a student is enough. I wanted to finally have a title I loved in the real world. How it started It got close to winter break, so I decided to start applying for 2018 summer internships. I felt pretty confident: 3.98 GPA, engineering school, strong courses, and a good university. Unfortunately, this is where it started: decline after decline, not even getting past the first stage prior to interviewing.
It felt like not a single company wanted me, and I was becoming more and more destroyed after each "We regret to inform you" letter. I felt like the past 3 years had been a waste. Okay, decline after decline; it’s clearly my fault, I’m doing something wrong, but what? My GPA is really good, I don’t understand why I’m not even getting past the first stage. I felt weak and unimpressive. I opened up my resume and really started looking at it. I tried looking at it from a professional perspective: if I was hiring this student, what am I looking for? Then I noticed it. I’m just a student. I noticed all I had to show was a number (my GPA) and the courses I’m required to take for my field, that’s it. I had no other way to show who I AM, other than my resume representing that I am a college student. There was no information about ME, WHAT I LIKE, WHAT I DO, NOTHING. The 4-month long journey That’s when I really freaked out. I want so much in life, yet all I’ve been is a student that doesn’t work on my career outside of school. Book after book, I’ve been a student; I never really introduced myself to this field, to my future, and to who I want to be. All I’ve been doing is listening to my professors teach me, rather than also teaching myself. So, I did the only thing I felt like I needed to do: time to play catch up and get ahead. During school, for 4 months, I began doing side project after side project. This was fun yet destroying my mental and physical health; I slept on average 2-4 hours a night (7 nights a week) on my couch right next to my computer, just to get up and continue. I didn’t eat much, didn’t see my family much, barely socialized, and didn’t care to go to some of my classes. A few projects I’ll say I was doing were creating/solving cryptography puzzles, building a self-driving car, research Threat
AlienVault.webp 2018-07-31 13:00:00 Extending Threat Detection to the Endpoint with New EDR Capabilities in USM Anywhere (lien direct) Back in April, we began to invite USM Anywhere customers to try out our new endpoint agent, the AlienVault Agent, in an Early Access program. The overwhelming interest in the program alone was telling; over 37% of USM Anywhere customers (60% of our MSSP partners) raised their hands to participate. Our conversations with customers during the program were even more telling: our customers want deeper security visibility of their endpoints without having to manually deploy and administer third-party endpoint agents. What’s more, they want advanced threat detection capabilities for the endpoint that pick up where their traditional antivirus tools fall short. What we heard from our customers echoes the current conversation in the larger cybersecurity community regarding endpoint security. That is that, today, malicious actors are increasingly targeting the endpoint with attacks designed to evade traditional endpoint prevention and protection tools. Organizations are struggling to keep up, as the enterprise EDR solutions that offer advanced endpoint threat detection are often too complex or expensive for most organizations. USM Anywhere is uniquely positioned to solve this challenge, as the platform is built to evolve as the threat landscape changes. Its extensible architecture allows us to seamlessly and automatically introduce new security capabilities, integrations, and threat intelligence to the platform, giving our customers comprehensive threat coverage without having to layer on more point security solutions to contend with the latest attacks. Since we first launched USM Anywhere, we’ve been steadily extending its reach to detect modern threats wherever they appear. The endpoint is no exception. Today, I’m pleased to announce the launch of new endpoint detection and response (EDR) capabilities in USM Anywhere.
You can read the full press release here. With EDR capabilities delivered as part of the unified platform, USM Anywhere users can centralize security monitoring of their endpoint and network activities across their cloud and on-premises environments, without having to deploy or integrate a separate EDR solution. This not only streamlines security operations, but it also allows users to correlate network and endpoint security data for better threat prioritization and faster incident investigation and response. These capabilities work through the AlienVault Agent, a lightweight, adaptable endpoint agent based on osquery that easily deploys to Windows and Linux endpoints and is easy to manage in USM Anywhere. The feedback we’ve received from USM Anywhere customers in the Early Access program has been positive and has helped to drive the product development leading up to today’s launch and beyond. We asked customers which features or use cases were the most exciting or useful to them. Top responses included: continuous endpoint monitoring / automated detection of advanced endpoint threats; file integrity monitoring (FIM) to help with PCI DSS or other compliance requirements Malware Threat Guideline
AlienVault.webp 2018-07-30 13:00:00 Hope for the Best, Plan for the Worst (lien direct) In an attempt to wake up companies that may not be taking security as seriously as they should, they are often told, "It's not a matter of if, but when." Historically, I've not been the biggest fan of this term, in that it has a certain undertone of doom and gloom. A bit like one of those life insurance commercials that morbidly remind you that you will die some day and you want your loved ones to be looked after financially. The reality is though, that as depressing as it may sound, we will all die at some point. And it is likely that a company that uses technology and is connected to the internet in some way, shape or form will experience an incident of some magnitude over the course of its life. Being attacked or compromised by an external or internal party isn't a black swan event that falls outside of the norm. It's very much a part of everyday life. Where many companies go wrong is believing they can eliminate these attacks completely. But this isn't practical because randomness and variability are the rule, not the exception. It's like when you have a flight to catch: most people will tend to leave earlier than needed to factor in unforeseen traffic or other delays, because we know and understand that a journey consisting of planes, trains, and automobiles will inevitably encounter some delays. So we plan for it. Similarly, enterprises should plan for the unexpected and build it into their fabric to ensure they can not only remain resilient, but flourish in times of adversity. So, what can make a company more resilient to security incidents and black swan events? Hack yourself What better way to see how an attacker will fare against your systems than to subject your systems yourself to the same stresses.
It's not so much a case of proving that all your systems are unbreakable, but rather it gives you a level of assurance as to how long your defences can hold up, whether you have effective means of detecting and responding, and perhaps more importantly, what the impact on the business or customers will be. Add redundancies Often, when speaking of redundancies we think of business continuity planning which inevitably many boil down to the art of "buying two of everything." Often a company may avoid the cost associated with having redundant systems because it may never be used. Although, the truth is that not needing a redundant system is the exception, not the rule. It's also important to have alternative redundancies in place. For example, if a system goes down, is there a manual workaround that could be deployed? Could online transactions be diverted to call centres? If cash is unavailable, can cryptocurrencies be used? Or precious metals? Or cigarettes even. Not all risks are created equal Critical assets are the life blood of an organisation. They are the crown jewels that help the company be profitable through sales, services, or innovation. But it can become easy to miss some of the risks amongst the large sea of issues. Which is why it can make sense for companies to at least adopt a dual risk strategy whereby it can play it safe in some areas and take more risks in other. Have multiple points of resilience It's not just attacks that are on the rise. There are a number of factors such as errors, changes, or infrastructure migrations that can all lead to security incidents. Therefore it's important to build resilience at multiple points across the business. Maybe it's time to stop fearing, or thinking of the phrase, "it's not if, but w Guideline
AlienVault.webp 2018-07-27 13:00:00 Things I Hearted this Week, 27th July 2018 (direct link)
Welcome to your weekly security roundup, providing you all with the security news you deserve, but maybe might not need. As always, these news stories are human-curated by me - no fancy algorithms, no machine learning, and definitely no trending topics here.

We are less than two weeks away from Blackhat in sunny Las Vegas. We’ll be there - pop along to booth 528 and say hello if you’re there.

Google: Security Keys Neutralized Employee Phishing
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.
Google: Security Keys Neutralized Employee Phishing | Krebs on Security

While we’re on the topic of phishing, attackers used phishing emails to break into a Virginia bank twice in eight months, making off with more than $2.4 million in total. Now the bank is suing its cybersecurity insurance provider for refusing to fully cover the loss.
Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M | Krebs on Security

We’re probably going to see more of this kind of back and forth as companies that have taken out cyber insurance and suffered a breach fight with their insurers over liability and who will cover the cost.

Somewhat related: Scam of the week, another new CEO fraud phishing wrinkle | KnowBe4

Breaking the Chain
Supply chain and third party risks are getting better understood, but understanding a risk doesn’t necessarily mean it will reduce the risk. Tesla, VW, and dozens of other car manufacturers had their sensitive information exposed due to a weak security link in their supply chains.
Tesla, VW data was left exposed by supply chain vendor Level One Robotics | SC Magazine

SIM Swap - A Victim’s Perspective
This is a really good write-up by AntiSocial Engineer taking a look at how SIM swap fraud can impact victims, and why mobile phone operators need to do more to prevent this kind of fraud.

“It’s an all too common story, the signal bars disappear from your mobile phone, you ring the phone number – it rings, but it’s not your phone ringing. Chaos ensues. You’re now getting password reset emails from Facebook and Google. You try to login to your bank but your password fails. Soon enough the emails stop coming as attackers reset your account passwords. You have just become the newest victim of SIM Swap Fraud and your phone number is now at the control of an unknown person.”
SIM Swap Fraud - a victim’s perspective | AntiSocial Engineer

EU Fails to Regulate IoT Security
In this week’s head-scratching moment of “what were they thinking?”, the European Commission has rejected consumer groups' calls for mandatory security for consumer internet-connected devices because they believe voluntar
Tags: Data Breach Hack Tesla
AlienVault.webp 2018-07-26 13:00:00 New! AlienVault USM Anywhere Challenge Coin: What is it and how do I get one? (direct link)
AlienVault has minted a challenge coin to acknowledge the commitment and dedication it takes to become an AlienVault® Certified Security Engineer. Becoming certified in any technology is something to be proud of, but becoming certified on AlienVault® USM Anywhere™ proves that you are skilled in deploying and managing a threat detection solution that’s trusted by thousands of customers worldwide. The coin design proudly displays the AlienVault logo, along with a specific serialization that makes it a unique, one of a kind object.

So how do you earn an AlienVault challenge coin? The coin is earned by passing the current version of the AlienVault® Certified Security Engineer (AVSE) exam. It’s been three months since we introduced the certification for AlienVault® USM Anywhere™, so we thought it might be helpful to share how to prepare for the AlienVault® Certified Security Engineer (AVSE) exam and provide some background on what candidates can expect.

Since introducing the certification, we have seen a dramatically higher pass rate for those candidates who’ve attended both the AlienVault® USM Anywhere™: Deploy, Configure, Manage (ANYDC) and the AlienVault® USM Anywhere™: Security Analysis (ANYSA) courses. The certification validates the lessons learned in both courses, so while it is not required, attending both courses will provide you the skills and knowledge you’ll need to successfully complete the AVSE certification. Attending the training also gives you hands-on experience with the product and the best possible path to earning the AVSE certification. A certification exam voucher is included with each course.

For candidates who have not taken the training but still need to prepare for the certification, we recommend reviewing the AVSE exam blueprint, which can be found at the following link: https://www.alienvault.com/certification/avse.

AlienVault USM Anywhere documentation is also a great resource for review. It provides valuable insight into the product, especially for candidates who have not taken the training courses. AlienVault USM Anywhere is a powerful product that continues to deliver new features and functionality. The documentation is the best way to stay current on the latest version of the product. You can find the documentation at the following link: https://www.alienvault.com/documentation/usm-anywhere.htm

We want to wish everyone the best of luck in their pursuit of AlienVault certification. If you are currently AVSE certified, please reach us at certification@alienvault.com and we’ll get your challenge coin out to you asap. If you have any questions about purchasing training you can reach us at https://www.alienvault.com/contact or call 888-613-6023. Earn AlienVault’s challenge coin today and showcase your AlienVault USM Anywhere expertise!
Tags: Threat
AlienVault.webp 2018-07-25 13:00:00 You are Doing Cloud Vendor Assessments Wrong (direct link)
I’m a firm believer in “trust but verify” and I’m just going to come out and say it: most security professionals are conducting 3rd party assessments wrong. I’m in a unique spot where I’m on both sides of the fence: we conduct vendor assessments and we fill out questionnaires required by potential customers. Some folks put very little effort into this process, so it feels like it’s just a “checkbox.” If it’s just a checkbox, then why waste everyone’s time?

In his book, “The Speed of Trust,” Stephen M. R. Covey talks about the 7 Low-Trust Organizational Taxes, and one of those is bureaucracy. So, when I see little effort put into questionnaires, it makes me think the individual works for a low-trust organization or they simply don’t understand how to verify our trust. Therefore, it’s time to change your process.

There is a market for companies that conduct 3rd party risk assessments and their market for risk rating reports on vendors (I find most are misleading). But you don’t need to hire a 3rd party company to conduct the cloud vendor risk assessment, and you definitely don’t need some generalized risk rating of an overall cloud company.

So how do you trust a cloud vendor? The very first step is to understand the business requirements: what is the business wanting to do with the cloud vendor? What data is involved in this business process? Has the business looked at other vendors? If so, which ones? Once you figure out the business requirements and their path to selecting the vendor, go to the vendor’s website and read their privacy policy. The first question that needs answering is: who owns the data? Next, go to their compliance page and get a copy of their SOC 2 report.

The Service Organization Control (SOC) 2 examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s control objectives and activities and tested those controls to ensure that they are operating effectively. There are five trust principles, and the SOC 2 report will reflect which trust principles were tested. There are two types of SOC 2 reports: Type I and Type II. The Type I report is issued to organizations that have audited controls in place but have not yet audited the effectiveness of the controls over a period of time. The Type II report is issued to organizations that have audited controls in place and the effectiveness of the controls has been audited over a specified period of time.

If they have a SOC 2 Type II and other certifications, do you really need them to fill out your lengthy security questionnaire? I say no. We receive so many questionnaires where we answer “refer to SOC2 or refer to AOC, etc.” If you really want to know how to verify our trust, read the findings of our certifications. Then, if you are still uneasy about our trust, send a question that really matters to you. If you send us a question, “Do you conduct vulnerability scans?”, then you obviously don’t understand the PCI requirements. Send us the questions that will help you verify that trust.

Buyer beware: if the vendor states they have a certification and sends you AWS’ certification, that is a BIG RED FLAG. In fact, run! The certifications you are looking for are what your vendor achieved, not their vendor. As with all cloud vendors, there is a shared responsibility with security and compliance. AWS has a great write-up on this located here.
Tags: Vulnerability Guideline
Last update at: 2024-04-26 20:08:25