www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed timestamp: 2024-05-04T19:52:09+00:00

Source: AlienVault Blog - AlienVault is a major defense player in IOCs

5 Key Questions on Threat Detection Answered by Roger Thornton, AlienVault CTO

AlienVault Open Threat Exchange (OTX)? Roger gives background on OTX and how it works for information sharing. He describes the Pulses within OTX and how they work for the community, as well as the new Private Group feature in the latest version of OTX.

How Do You Make Threat Intelligence Available to Organizations of All Sizes? Roger talks about how AlienVault makes handling threat intelligence doable with the Unified Security Management (USM) product married with OTX threat information and AlienVault Labs security research.

What are the Challenges of Threat Detection Today? Roger talks about how bad guys are morphing to defy detection techniques and what to do about it.
Related stories: New Threat Detection Platforms for the Midsized Enterprise; Resist the Ransom.
Published 2016-09-07T13:00:00+00:00

Digital Forensics According to the FORZA Model and Diamond Model for Intrusion Analysis

Okay, so now that we've covered FORZA (don't get confused here), let's discuss a newer, more novel model gaining widespread popularity: the Diamond Model of Intrusion Analysis, a model of intrusion analysis built by analysts asking the simple question, "What is the underlying method to our work?"

The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. These features are edge-connected, representing their underlying relationships, and arranged in the shape of a diamond, giving the model its name. In its simplest form, the model describes that an adversary deploys a capability over some infrastructure against a victim. These activities are called events and are the atomic features. Analysts populate the model's vertices as events are discovered and detected. The vertices are linked with edges highlighting the natural relationship between the features. By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims.

The Diamond Model of intrusion analysis comprises the core features of an intrusion event: adversary, capability, infrastructure, and victim. The core features are linked via edges to represent the fundamental relationships between the features, which can be exploited analytically to further discover and develop knowledge of malicious activity.
Published 2016-09-06T13:00:00+00:00

The Alien Eye in the Sky - Friday 2nd September

A roundup of the week's news, commentary, and observations.
Ever wondered what File Integrity Monitoring is? Well, wonder no more as Jim Hansen explains all.
Ransomware is everywhere. It's growing. Can you Resist the Ransom?
When security and convenience collide we get beauty sites that let anyone read customers' personal information.
Not really surprising, but still saddening, that many hospitals transmit your health records unencrypted.
Car hacking is the future – and sooner or later you'll be hit.
Why we need to change the psychology of security. Great piece by my ex-colleague Adrian Sanabria.
What qualities do you look for when hiring information security professionals? Here's a post by Christian Frichot that can give you some ideas.
Related stories: What is File Integrity Monitoring?; Resist the Ransom; The Alien Eye in the Sky - Friday 26th August.
Published 2016-09-02T13:38:00+00:00

New Threat Detection Platforms for the Midsized Enterprise
Published 2016-08-31T13:00:00+00:00

What is File Integrity Monitoring?

The answer to that, frankly, is organizations of almost all kinds.
The power of these solutions, combined with the increasing sophistication and diversity of modern threats, and the targeting of even small businesses, makes file integrity monitoring very compelling. However, certain businesses in particular will find file integrity monitoring essential. These include:

Businesses that face serious compliance requirements. Pertaining to file integrity monitoring, such requirements come in two classes: standards or regulations that explicitly demand file integrity monitoring (like PCI DSS) and those whose requirements are more abstract but certainly imply file integrity monitoring (like Sarbanes-Oxley). In general, any time a standard or regulation states that data must be monitored or managed so as to ensure its integrity, file integrity monitoring solutions will likely be playing a substantial role in the process.

Businesses that have a substantial on-premise IT infrastructure of any kind. This doesn't just mean "enterprise," usually defined as "organization with a thousand employees or more," but can mean a mid-market business or even a small business. What matters is not the headcount, but the server count and the
Published 2016-08-30T13:00:00+00:00

Resist the Ransom

14,032 US victims netting losses of $960 million in the past 3 years. What can you do? Defense-in-depth is the most effective approach. You cannot rely on any single approach to stop the attacks. These are my key focus points for defense:

Spam Filter – Make sure you have a reputable spam filter. This can greatly reduce the initial number of malicious emails, but certainly not all of them. This is especially true for spear phishing emails, which are much harder for the filters to detect.
SPF records – Enabling SPF records for your email domain makes it much more difficult for attackers to spoof emails to your domain. This is very helpful in combating the CEO Fraud cases.

Anti-virus – Keep your anti-virus up to date, but do not depend on it to stop everything. Even the best AV will not stop everything. Many file-embedded macros will not even show as a threat with anti-virus, and with the rate at which malware variants are being released each day it simply cannot keep up. The Virus Bulletin RAP quadrant demonstrates this issue well.

Limit access – Make sure users have the least amount of privilege needed to perform their job. This means not only permissions on the servers, file shares or workstations, but on the network as well. This is where network enclaves are your friend. Your accounting workstations do not typically need access to the same network as your SQL servers. Likewise, developers' workstations don't typically need access to the finance department workstations. This can greatly reduce the ability of malware to spread, or of ransomware to encrypt network files, in the event of an incident. It can also create "choke points" where network traffic can be analyzed more easily by an IDS or IPS. For example, the Banner Health breach (3.7 million individuals impacted) started with the POS machines that were on the same network as the clinical systems.

Analyze network traffic – Deploy IDS sensors in key network locations to watch for IoCs (Indicators of Compromise) that can report suspicious activity. These are best used with a SIEM to correlate events and create alerts along with actionable intelligence. Time is worth more than gold during an incident response, and the sooner you are aware of the issue and are able to act with good intelligence, the better off you are.
Have good backup
Published 2016-08-29T13:00:00+00:00

The Alien Eye in the Sky - Friday 26th August

WhatsApp to share data with Facebook. So much for the comfort that end-to-end encryption provides.
Story of a researcher who infected a scammer with Locky for messing with his mother. Hacking back is considered illegal in many jurisdictions, but we doubt the scammer will be pressing charges.
The U.S. to share supply chain threat intel with industry. This is the kind of initiative we hope to see more of from the Government. Better threat sharing will benefit everyone. They're free to use OTX for it too.
Intelligent Cyber Defense using Threat Analysis
Can you explain encryption to me? Can you explain it to your boss?
Finally, we had a bit of fun at BsidesLV and Blackhat 2016 a few weeks ago and recorded a parody song on being an Infosec Star.
Related stories: Technology Foraging for Cybersecurity Solutions; Can You Explain Encryption to Me?; The Alien Eye in the Sky - Friday 19th August.
Published 2016-08-26T13:00:00+00:00

Using Custom Functions in USM and OSSIM for Additional Parsing of Log Data

Figure 1 – Test database

I developed a parser which parses the database and puts the data from the DB fields into the event fields of OSSIM, so I will not describe the parser itself (thankfully, there is enough info about that in official AlienVault documents). What I will do is write two custom functions. The first one (parse_command) will parse the fields from the column "message" of the DB and get the issued command value.
The other one (parse_result) will parse the fields from the column "message" of the DB and get the result of the command.

Solution

The solution consists of:
- Writing the function "parse_command";
- Writing the function "parse_result";
- Adding the functionality of our new functions to the OSSIM parser.

Writing the function "parse_command"

First of all I have to remind you that OSSIM custom functions should be written in Python. So if you are not familiar with Python, please explore tutorials about programming in Python. To use a custom function in OSSIM you should first add it to the file /usr/share/alienvault/ossim-agent/ParserUtil.py. You can add your function anywhere in the file (just don't add it inside the text of another function). I added mine after the "dummy function". The following is the text of the "parse_command" function:

    import re  # needed only if ParserUtil.py does not already import re

    def parse_command(input):
        # Find "command: <value>;" in the message text. Note that ".*" is
        # greedy, so the match runs up to the last ";" in the message.
        res = re.search(r'command:.*;', input)
        # Cut away the "command: " prefix and the trailing semicolon,
        # and return the value that is left.
        return res.group(0).split(": ")[1].strip(";")

For those familiar with Python it's easy to understand that this function gets the value passed to it and applies a regular expression to it. The regular expression extracts the data that matches the regular expression "command:.*;". After that it cuts away the word "command:" as well as the trailing semicolon. Then it returns what's left, which is the
Published 2016-08-25T13:00:00+00:00

Daserf – A Backdoor to Espionage

AlienVault blog posts that include the term. The Daserf malware has been around for about 10 years, created by a low-profile team that the security response crew at Symantec named 'Tick'. Daserf is used by Tick to harvest data from its victims.
Tick's most recent attacks have focused on the technology, aquatic engineering, and broadcasting segments in Japan. However, it has also compromised systems in the US, Australia, India, Singapore, and South Korea.

How it Works

Tick has used different methods to compromise the targeted systems to install the Daserf malware. One approach was to compromise web sites by exploiting a Flash vulnerability and launch a watering hole attack. The watering hole technique enables an attacker to infect visitors to the website with malware, and Tick used it to install a downloader (Gofarer). This downloader first collects information about the victim's device and then installs Daserf. Another approach used by Tick is spear phishing to get the malware installed on the victims' devices (spear phishing often involves the use of targeted emails with attachments containing malware to get the victims to install the malware directly).

The Daserf malware has some interesting features to reduce the chance of detection. One is that some versions of it utilized stolen digital certificates to appear legitimate to antimalware tools. Another is to store the harvested data in .rar file format, which many users cannot open without installing an additional file management utility on their systems. Figure 1 below illustrates the use of a watering hole technique to install the downloader, which then installs the backdoor, which then harvests data and sends it back to the C&C server.

Source: Symantec

Impact on you

Daserf was created to avoid detection and harvest data from targeted organizations. Although focused primarily on Japan, Daserf has been used to target organizations outside of Japan, so you should not consider yourself immune from this threat. It exploits vulnerabilities in common applications and operating systems to gain access to victims' devices, and you can reduce your exposure to this data harvesting attack (and other attacks) with regular vulnerability assessment scans.
These scans will identify any vulnerable systems, which enables you to remediate vulnerabilities before attackers can exploit them.

How AlienVault Helps

The AlienVault Unified Security Management (USM) platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like Daserf. One of the essential security capabilities built into the USM platform is Vulnerability Assessment, which can identify vulnerable
Published 2016-08-24T13:00:00+00:00

Technology Foraging for Cybersecurity Solutions

In government, there is an extensive infrastructure of agencies geared toward facilitating technology foraging. For specifically enhancing cybersecurity capabilities, there are dedicated research and development efforts being conducted at (among other agencies) the Department of Homeland Security (DHS), the Department of Defense (DOD), the Department of Energy/National Labs (DOE), and in the Intelligence Community (IC).

The Department of Homeland Security

The Department of Homeland Security defines technology foraging as a process of "identifying, locating and evaluating existing or developing technologies, products, services and emerging trends. This approach allows faster development and increases partnership opportunities and resources to assist the development of current or future homeland security systems and needs." In 2011, DHS established the Technology Foraging Office to canvass patents, journals, labs, and forums looking for adaptable ideas and early-stage technologies for the homeland security mission. The DHS foraging initiative serves as an excellent collaborative model for an encompassing foraging map across industry, academia and government agencies.
The Science & Technology Directorate of DHS (DHS S&T) operates a variety of programs complementing the R&D and technology foraging mission for "Leap-Ahead Technologies" in cybersecurity. DHS S&T's Homeland Security and Research Projects Agency (HSARPA) conducts analysis to understand these organizations' current missions, systems, and processes and ultimately identifies operational gaps where new technologies can have the most impact. Program managers lead teams of national experts to develop, test, and evaluate these new homeland security technologies and capabilities. In response to the increasing importance of the cybersecurity mission, S&T formally established the Cyber Security Division (CSD) within HSARPA.

DHS S&T Transition to Practice (TTP) was created as a result of the White House's Federal Cybersecurity R&D Strategic Plan, as well as the Comprehensive National Cybersecurity Initiative (CNCI). TTP's key role is "identifying innovative, federally funded cybersecurity research that addresses cybersecurity needs, and is helping to transition this research into the Homeland Security Enterprise through partnerships." According to the DHS "Cyber Security Division Transition to Practice Technology Guide", several focus areas cover the critical vulnerability and cybersecurity landscape of the Directorate. These include: 1) Internet Infrastructure Security; 2) Critical Infrastructure/Key Resources; 3) National Research Infrastructure; 4) Leap-Ahead Technologies; 5) Cyber Security Education; 6) Identity Management; 7) Cyber Forensics; and 8) Software Assurance.

DHS & DOE National Labs

DHS S&T works closely via the Transition to Practice Program in areas of technology foraging with the DOE National Labs and Federally Funded Research and Development Centers (FFRDCs).
These include some of our nation's most recognized national labs, including Lawrence Livermore, Oak Ridge, Argonne, Sandia, Idaho National laborato
Published 2016-08-23T13:00:00+00:00

Can You Explain Encryption to Me?
Published 2016-08-22T13:54:00+00:00

The Alien Eye in the Sky - Friday 19th August

some of the impressions.
Gartner announced its 2016 Magic Quadrant for SIEM and AlienVault once again remained a visionary. I tackle what this meant in one feast of a blog.
Google is more than a search engine. In the right hands with the right commands it is useful to assist in hacking. Guest blogger Jayme Hancock illustrates how penetration testers use Google.
The SANS 2016 Cyber Threat Intelligence survey was released and had a lot of interesting insight into the maturing capabilities of enterprises. OTX was highlighted as an essential part of many enterprise programmes.
Intelligent Cyber Defense using Threat Analysis
Incident Response Checklists
Do whistleblowers ever win? Researcher who exposed VW gains little.
Remaining on the topic of cars, auto group pushes best practices for vehicle security.
Mozilla to block Flash in Firefox browser – about time.
A tutorial on Configuring NPS 2012 for Two-factor Authentication.
New attack bypasses HTTPS protection on Macs, Windows, and Linux.
Microsoft REST API Guidelines – a good set of principles.
Sage suffered a data breach; initial reports suggested a malicious insider, which appears to have been validated as a 32 year old female employee has been arrested.
Something that reads like the bug equivalent of National Novel Writing Month: a good writeup on high frequency security bug hunting with 120 bugs in 120 days.
I found it very interesting to learn that Starbucks has more money on customer cards than many banks have on deposit. Did Starbucks consider this would happen when it introduced customer cards? Does this materially change its business model? Is it possible Starbucks could make more money from its customer deposits than coffee?
Published 2016-08-19T14:21:00+00:00

How Penetration Testers Use Google Hacking

Me irl

Not a day goes by in my life where I don't use Google search. Nothing is easier than loading up the page, typing in a phrase, and seeing 650,000 related articles come back to you -- but therein lies the problem. Google is an amazing tool but tends to over-deliver unless you're very specific and know a few advanced search operators. In this blog post, I'm going to attempt to show some relatively simple Google hacks that will make recon a breeze, and hopefully translate over into the rest of your searches as well.

Google search operates a few ways. Typing a phrase will look for the exact phrase, as well as variations of the phrase (adding or subtracting words), to try to come close to what you want. It also operates on Boolean operators such as "OR" and "AND." Finally, there are some advanced filters you can write inline with your search to help narrow things down. For the purposes of this post, we're going to focus on the last two methods. I've also included a cheat sheet to help with more advanced Google hacking during your penetration testing.

The Basics of Search

There are two basic searches I use all the time: quotes around phrases, and the + operator.
These two functions alone can be immensely helpful when gathering information or filtering through junk. Quotes around phrases require Google to search the whole phrase, not just parts of it. Take a look at the results for -------Begin RSA Private Key-------- with and without quotes; they will be significantly different. You can also place quotes around a single word; without them, Google will try looking at variations of the word (for example, the phrase 'Malware Hunting' without quotes may return results for Malware Hunters, Malware Hunt, Virus Hunting, etc.). The + operator before a word will only return results that specifically include that word. Building upon the last example, a search for "-------Begin RSA Private Key--------" +openssl will only return results where OpenSSL is being discussed along with that phrase.

Boolean Operators in Google: No really, just give me what I want.

Google search results vastly improve with the AND or OR operators. AND is similar to the + operator above, and can be used in parentheses as well to build queries. It binds two terms together and will only give you exact results. In this example, we're trying to find a previous AlienVault blog post on building a Malware Hunter's home lab. Searching Malware Hunter Home Lab by itself does return what we want, but also returns over 45,000 other pages -- and after the first few pages, the relevance of each result drops dramatically. By modifying this to contain some Boolean operators and quotation marks, we can search for malware AND "hunter" "home lab" and narrow this down to 3,500. The results are also much more geared toward what we want. Using the example above, maybe we don't quite recall what the phrasing of the article was. We remember that it was either malware or virus hunting, and it was a home lab setup. Using the query (malware OR virus) hunting AND "home lab" we can narrow down to 4,200 results, from malware virus hunter home lab which returns a whopping half million.
Another operator you should know is the NOT operator. Google simply uses a minus sign in front of the word to exclud
Published 2016-08-18T13:00:00+00:00

Intelligent Cyber Defense using Threat Analysis

CISO may get fired.

"The Only Thing That Is Constant Is Change" – Heraclitus

The ever-changing cyber security world has more to offer than before. You should not expect attackers to use the same techniques every time; you need to take a proactive approach to discover what is happening to others and learn from their mistakes. Incorporating cyber threat intelligence into your cyber security strategy helps you to fight against cybercrime. Regular monitoring and reporting of emerging threats and vulnerabilities can alert you to take timely action before an actual attack occurs. By using threat analysis, you can:
- Take proactive defense measures
- Narrow down focus areas and put the maximum effort where required
- Make procurement decisions (what software and hardware to buy in the future)
- Recruit people for your team with relevant skill sets
- Reduce false positives
- Convince or communicate with management about real dangers to the business
- Provide up-to-date information to the incident response team for their investigation

Traditional approach vs. Intelligent approach

Cyber threat intelligence primarily focuses on external threats. Through collecting and processing threat information and generating actionable information, it enhances cyber defense and helps stop attacks as quickly as possible.

Collecting Threat Intelligence

Organizations can access huge databases of malware signatures, logs and other threat vectors, but converting this information into intelligence is the real art.
Let's look into the threat indicators that really matter. The most common threat indicators are:
- Hashes (signatures)
- Compromised or malicious domains and IP addresses

Malware spreading by phishing emails can be identified using its hash identifier. A hash is a unique identifier that every computer program has, and by collecting updated information on malware/virus file hashes, you can alert your security solution to block the malicious file at its first entry. Apart from the malicious file, you should block the compromised domain hosting/spreading phishing pages, as well as track the blacklisted IPs and domains and block their access so that they never reach your organization's technology infrastructure.

The risks associated with the threat indicators we've discussed are:
- Malware, spyware and backdoors
- Phishing, spam and other fraudulent activity
- Darknet IP addresses
- C&C (command and control) servers that manage botnets and instigate DDoS attacks
- Anonymous proxies and P2P sharing websites

We utilize public and private data feeds to collect information about these threat indicators. Threatcrowd, also available in MALTEGO, is a well-known project providing feeds of blacklisted / malware-spreading websites with hash details.
Published 2016-08-16T13:00:00+00:00

2016 Gartner Magic Quadrant for SIEM: A Visionary Feast

Gartner's 2016 magic quadrant for security information and event management (SIEM). AlienVault customers consistently reinforced the key value proposition of Unified Security Management (USM) of being a more comprehensive and affordable option, as highlighted in the report: "Customers report the security monitoring technologies included with USM offer a lower cost for more capabilities compared with products from most competitors in the SIEM space."

What's a meal?

A question that often crops up is what the various categories in the magic quadrant mean, and how a customer can use the magic quadrant to make effective purchasing decisions. To help answer this, I often like to use the analogy of a meal. A Michelin star restaurant will prepare and serve a meal in a very specific manner that will be different from a local family-run diner. Both of these will be different from a fast-food chain offering a meal deal. Some supermarkets also sell a sandwich, potato chips, and a drink as a 'combo meal'. While all of these are classed as meals, and will satisfy hunger, the cost, taste, and overall experience will vary greatly. Which is where the magic quadrant is useful in its attempt to distinguish technology vendors. Some are the equivalent of Michelin star restaurants, while others resemble a fast-food meal deal.

Dietary requirements

However, it's important to bear in mind that the technology is only one half of the story.
The other half is down to the user requirements and needs. Extending our meal analogy, the choice of venue will be determined by a number of factors other than budget, such as the number of people attending, whether it's a celebration, or whether it's for personal or business needs. The other main consideration to take into account is whether there are any dietary requirements. There's no point in booking a table at the best steakhouse in town if some of the guests are vegetarians, or not taking into account a guest who may be diabetic, lactose intolerant, or suffer a nut allergy. The point being that the best restaurant in the world, that serves the best food, may still be woefully inadequate to meet your particular needs.

A Technology Buffet

So whilst the magic quadrant is a useful benchmark to showcase some comparable features, the question remains as to what your individual requirements are. It is why we approach the market with a broad, comprehensive, and affordable offering that extends beyond SIEM. Therefore, if you have needs for a SIEM, want to conduct vulnerability scans, behavioural monitoring, discover assets, detect intrusions on both host or network, need access to threat intelligence, all whilst maintaining flexibility to deploy on premise or in the cloud, then we want to be able to provide that to you in a simple-to-understand offering. There may be some brilliant steak houses in town, but we don't want to offer a restricted menu. Rather, offer a technology buffet that offers something to everyone. We believe that customers should not have to change their business operation in order to effectively use a security product; rather have a security product that adapts to the business operations, no matter how it is structured.
That is our vision, and why we believe Gartner continues to showcase us as the only visionary in the SIEM space.
Published 2016-08-11T14:28:00+00:00

Incident Response Checklists

SANS Incident Handling Handbook and Lenny Zeltser's Security Checklists.

Emergency Contact Communications Checklist

It's important to create a detailed communication plan with the specifics of when to put it into place; that way you'll know who to call, why you need to contact them, how you can contact them, and what to say once they are on the phone. It's also very important to get overall consensus on your approach. The entire incident response team should know whom to contact, when it is appropriate to contact them, and why. In particular, review the potential worst case scenarios (e.g. an online ordering system going down right in the middle of Cyber Monday) and identify the necessary staff who can get these critical systems back online, as well as the management team who will need to remain updated throughout the crisis.

System backup and recovery checklists (for all OSes in use, including databases)

Every system will have a different set of checklist tasks based on its distinct configuration and operating system. It's also important to document the time it takes for each step required to restore operations, and also to test full system backup and full system recovery while you're documenting each checklist.
You also need to include specific steps for testing and verifying that any compromised systems are completely clean and fully functional.

"Jump Bag" Checklists

SANS, one of the leading sources of information for the incident responder, recommends that each incident response team member have a planned and protected "jump bag" ready to go that contains the important tools needed for a quick "grab-and-go" response. Their suggested items include:

- An Incident Handler's Journal for documenting the who, what, where, why, and how during an incident
- A contact list of incident response team members
- USB drives
- A bootable USB drive or Live CD with up-to-date anti-malware and other software that can read and/or write to the file systems of your computing environment (and test this, please)
- A laptop with forensic software (e.g. FTK or EnCase)
- Anti-malware utilities
- Computer and network toolkits to add/remove components, wire network cables, etc., and hard-drive duplicators with write-block capabilities to

Published 2016-08-10T13:00:00+00:00 | http://feeds.feedblitz.com/~/177284986/0/alienvault-blogs~Incident-Response-Checklists | www.secnews.physaphae.fr/article.php?IdArticle=7410

OnionDog – An Example of a Regional, Targeted Attack

360 SkyEye Labs published a detailed analysis of the OnionDog APT earlier this year, and during the dog days of summer (see what I did there?) it seems appropriate to revisit this malware. OnionDog has been around for several years and exploits a vulnerability in Hangul office software, a popular Korean-language productivity suite.
Hangul software is also widely deployed in South Korean government agencies and facilities. The group behind OnionDog is the Lazarus Group, exposed by AlienVault and other threat intelligence teams as part of Operation Blockbuster for its targeting of Sony Pictures and a range of other targets.

How it Works

OnionDog used various techniques to entice victims to open the malicious attachment. The lure documents were themed for a range of government agencies and utilities, such as power, water, ports, transit, and rail (see the screenshot of the "Investigation Report of the Korean Railway Accident" below).

Source: 360 SkyEye Labs

The malware installs a backdoor on the compromised system, collects and forwards information about the compromised system to the C&C server, and infects any USB storage device attached to it.

Impact on You

The regional nature of OnionDog will likely limit your exposure to this particular version of the threat if you're not located in South Korea. However, if there is a user of Hangul software on your network, or if someone in your office has visited an office that uses Hangul software and plugged a device into a compromised system, you may be at risk of data loss. And although this version of the malware is localized to South Korea, the Lazarus Group could easily choose another popular application to target specific organizations in other countries.

How AlienVault Helps

The AlienVault® Unified Security Management (USM)™ platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like OnionDog. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep you up to date with new and evolving threats such as OnionDog.
The Labs team performs the threat research on the latest threats, and how to detect and respond to them, that most IT teams simply don't have the expertise, time, budget, or tools to do themselves. The Labs team recently updated the USM platform's ability to detect this threat by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a system compromised by OnionDog. Learn more about the

Published 2016-08-09T13:00:00+00:00 | http://feeds.feedblitz.com/~/176703272/0/alienvault-blogs~OnionDog-%e2%80%93-An-Example-of-a-Regional-Targeted-Attack | www.secnews.physaphae.fr/article.php?IdArticle=7188

Black Hat 2016 Impressions

At BSides Las Vegas, Javvad gave a great talk.

"Great talk from @J4vv4D on managing your InfoSec ego. Love the "Personal OSI model" #BSidesLV pic.twitter.com/z31nSyVGXw" (norsey, @norsec0de, August 3, 2016)

Javvad getting pranked by a Twitter pal catching him in an awkward moment:

"@J4vv4D I will just leave this here pic.twitter.com/SAV1oaNUJH" (Matt Summers, @dive_monkey, August 3, 2016)

Band theme of the AlienVault booth

Lauren doing her 100th demo of the day

Javvad recruiting band members:

"Signed up @krypt3ia to join the band. If you see him, tell him he's a Rockstar! He loves it :-) pic.twitter.com/ZSmC8vPm4W" (Javvad Malik, @J4vv4D, August 4, 2016)

First TiaraCon and my BFFs, Cheryl and Vineetha!

".@3ncr1pt3d with the tiara contest judge, @pvineetha!!! pic.twitter.com/tDIW9X1x41" (fl3uryz, @fl3uryz, August 5, 2016)

In Tiara

"Prepping for @tiarac0n woot!!!
pic.twitter.com/kDzMLsqBTJ" (Sparky Brew, @securitybrew, August 5, 2016)

No Black Hat is complete without an Awkward Hug from Jayson Street

Published 2016-08-08T17:10:00+00:00 | http://feeds.feedblitz.com/~/176271226/0/alienvault-blogs~Black-Hat-Impressions | www.secnews.physaphae.fr/article.php?IdArticle=7149

One Flew Over the Cuckoo's Test: Performing a Penetration Test with Methodology

"All I know is this: nobody's very big in the first place, and it looks to me like everybody spends their whole life tearing everybody else down." (One Flew Over the Cuckoo's Nest, 1975)

I love this quote from this film and, unfortunately, despite the fact that it's now 41 years since the film's release, it's still relevant and in my experience quite systemic in the IT security field. In the sixteen years I've worked in the industry, the "more elite than thou" attitude has, in my humble opinion, turned what could have been the greatest penetration testers ever into less than that, simply because of their attitude.

I'm here to debunk the common attack on penetration testers that seems to be so prevalent in the industry, which is "you're not as good a penetration tester as someone who can write code."

I'm sorry, but this simply couldn't be further from the truth. The best penetration testers in the world that I've met, from the United States to Europe, couldn't code their way out of a paper bag. I've published numerous vulnerabilities, including how to hack VPN appliances, which I spoke about at Black Hat Briefings in 2001 (in my former life as Eric Hines) at Caesars Palace, Las Vegas, and which uncovered numerous flaws in the company's routing logic for packets from the public side of the VPN to its private network without IPsec and without IKE. You could simply route traffic right into the private network from the outside by setting your default gateway to the VPN's public IP address.
This attack could even be performed from the Internet, because the VPN allowed source-routed packets to traverse its interfaces! Now, 15 years later, I'm hacking into connected automobiles and autonomous cars for European automakers remotely from the Internet, taking control of the steering wheel and braking system by hacking the car's ECUs through GSM. Ask me how only programmers could identify these vulnerabilities.

So before I go into today's article, I'll end with this: do not listen to the naysayers. There will always be someone out there to tell you that you aren't good enough or "elite" enough to be as good a penetration tester as someone who can code.

Remember, "you must be imaginative, strong-hearted. You must try things that may not work, and you must not let anyone define your limits because of where you come from. Your only limit is your soul. What I say is true – anyone can [be a penetration tester]… but only the fearless can be great." (Chef Gusteau, Ratatouille, 2007)

Okay, so you want to perform a penetration test? You must adopt a methodology. Otherwise, you will be flying all over the place with no intended direction. Whether you choose the Penetration Testing Execution Standard (PTES), the OWASP web application penetration testing project, or your own bastardized version of those that creates your own unique modus operandi, it's important to have one. Please see my short video on this topic. In any case, your methodology should include at the minimum:

Reconnaissance: This is where you will footprint your attack surface, such as running port scans and identifying services and their versions.
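The reconnaissance step above (port scan, then identify each service and its version) reduces to a small loop in code. The example below is added for this article and is not the author's tooling: it does a plain TCP connect scan, reads whatever greeting an open port sends first (SSH, SMTP and FTP speak before the client does), falls back to an HTTP HEAD probe for silent ports, and parses product and version from the banner with a signature table. The three signatures and the throwaway loopback services used for the demo are constructed for the example; a real fingerprinter carries thousands of probes.

```python
"""Reconnaissance by banner grabbing: which ports answer and what they claim to run.

Constructed example (not the author's tooling). Connect-scan a list of ports,
record the banner each open port sends, probe silent ports with an HTTP HEAD,
and map the banner to service/product/version via a small signature table.
"""
import re
import socket
import threading
from typing import Dict, List, Tuple

# (regex, service label). A constructed, deliberately small signature set.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>\S+)"), "ssh"),
    (re.compile(r"^220[ -].*?(?P<product>\b(?:Postfix|Exim|Sendmail|vsFTPd|ProFTPD)[^\r\n]*)",
                re.I | re.S), "smtp/ftp"),
    (re.compile(r"^HTTP/[\d.]+ \d{3}.*?^Server:\s*(?P<product>[^\r\n]+)",
                re.I | re.S | re.M), "http"),
]
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def grab_banner(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, str]:
    """Return (open, banner). Closed or filtered ports come back as (False, '')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)          # SSH/SMTP/FTP greet the client first
            except socket.timeout:
                data = b""
            if not data:                    # HTTP and friends wait for the client
                try:
                    s.sendall(HTTP_PROBE)
                    data = s.recv(1024)
                except (socket.timeout, OSError):
                    data = b""
            return True, data.decode("latin-1", "replace")
    except (socket.timeout, OSError):       # ECONNREFUSED, timeout, unreachable
        return False, ""


def identify(banner: str) -> Dict[str, str]:
    """Map a banner to service/product/version fields using the signature table."""
    for pattern, service in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            info = {"service": service}
            info.update({k: v for k, v in m.groupdict().items() if v})
            return info
    return {"service": "unknown" if banner else "no-banner"}


def scan(host: str, ports: List[int], timeout: float = 2.0) -> List[Dict]:
    """Connect-scan `ports` in order and return one record per open port."""
    results = []
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            record = {"port": port, "banner": banner.strip()}
            record.update(identify(banner))
            results.append(record)
    return results


# --- throwaway loopback fixtures so the example runs offline (constructed) ---
def start_fake_service(banner: bytes) -> int:
    """Listen on a random 127.0.0.1 port and greet every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Pick a loopback port nothing listens on (bind, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    targets = [start_fake_service(b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\r\n"),
               start_fake_service(b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"),
               unused_port()]
    for record in scan("127.0.0.1", targets):
        print(record)
```

A connect scan completes the TCP handshake, so it is logged by any half-competent IDS; that is fine on an authorised engagement and is exactly the traffic a blue team should expect to see in its firewall and IDS events. The version strings this recovers are what feed the next step of the methodology, since a product and version is what you look up against vulnerability data.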
Don&r

Published 2016-08-03T13:00:00+00:00 | http://feeds.feedblitz.com/~/173199190/0/alienvault-blogs~One-Flew-Over-the-Cuckoo%e2%80%99s-Test-Performing-a-Penetration-Test-with-Methodology | www.secnews.physaphae.fr/article.php?IdArticle=5636

What's new in AlienVault v5.3?

What USB devices are connected to your hosts

The Need for Speed

In v5.3, our primary focus is on efficiency: how can we help you get to the information you need more quickly and use the product in a more efficient way? Based on your feedback, we've made the following changes to help you work more quickly.

Alarm Identification

No more sticky notes! Every alarm in USM and OSSIM has an alarm ID. You can use these IDs to search for alarms in the web UI, or link directly to the alarm in the URL, to help you find and share the information you need faster.

Vulnerability Scans for Large Networks

Monitoring a big network? You don't need to create multiple scans anymore. Run vulnerability scans on any size of network, including a /16. Large scans will be split into multiple scans of 3500 assets each that run consecutively.

Alarm and Event Risk

The first thing you'll notice is the new color-coded risk visualizations on the alarm and event screens: green for low, orange for medium, and red for high. Risk is calculated from the reliability and priority of the event and the asset value assigned to the asset involved. Additionally, we've updated our filters so that you can quickly see all events and alarms with a certain level of risk.

Improved Policy Creation

We know how cumbersome it can be to create policies for USM and OSSIM, so we tried to make things a bit easier.
In v5.3, you can quickly create policies based on risk by setting alerts for any events with reliability/priority "greater than" or "less than" a certain level.

Bulk Delete Messages in the Message Center

Clean up that inbox and manage your messages more efficiently. You can now delete multiple messages at once in the Message Center, instead of deleting them one by one.

Know What Your Users Are Doing on Your Network

Beyond efficiency, the second focus for our team was to improve your ability to detect insider threats. According to the 2016 Verizon Data Breach Report, "The majority of use of unapproved hardware in breaches involve use of USB drives to steal data." AlienVault v5.3 delivers several enhancements to improve your ability to find indicators of insider threats such as data exfiltration and unauthorized user activity. These enhancements also improve your ability to comply with the latest regulatory requirements.

USB Device Detection

USB devices are the most common type of unapproved hardware used to steal data during a breach. As an enhancement to our insider threa

Published 2016-08-02T15:30:00+00:00 | http://feeds.feedblitz.com/~/172706108/0/alienvault-blogs~Whats-new-in-AlienVault-v | www.secnews.physaphae.fr/article.php?IdArticle=5269

The Alien Eye in the Sky - Friday 29th July

upcoming events page. We hope to see you there.

Ransomware is a huge issue for businesses and even individuals. While there are some examples of poorly executed ransomware campaigns, the majority of users that get infected either have to wipe their system and start from scratch if they don't have backups, or resign themselves to paying the ransom. However, ransomware gangs are in it as a business. Therefore, it is possible to negotiate the price, or get extensions on payment deadlines. We wonder what is next?
Easy monthly instalments?

Web shells are commonly utilised to enable remote control of a machine. But what exactly is a web shell, and how do they work? This detailed post goes into some of the mechanics.

Bug bounties elicit different responses on their usefulness and value. Whichever side of the fence you sit on as to how effective they are in improving security overall, it is undeniable that one of the best things to come out of them is where researchers publicly publish their findings on how they went about their work. This writeup, entitled "How we broke PHP, hacked Pornhub and earned $20,000", is no exception.

Open Threat Exchange (OTX) introduced some cracking new features this week. Most notable is the introduction of Private Groups, which allows users to create private groups of other OTX users and control access to the threat data shared within that group.

You've experienced a breach: should you tell? An interesting post which asks the question that most security professionals will consider at some point in their careers.

Security tools are plentiful, both free and commercial. But what if you wanted to know the best tools to implement the CIS security controls? Rich Johnson has been chronicling the tools that can help IT administrators comply with the standard formerly known as the "SANS Top 20 Security Controls." This week he published part 16.

Mad Max is a targeted Trojan with a domain generation algorithm (DGA). Arbor Networks has a nice write-up on how they reverse engineered it. The IOCs can be downloaded in OTX:

TorrentLocker has been travelling, with several cases of international brand names being used by malware authors to propagate malware through phishing emails. These emails contain misleading links that download malicious Zip files, which, in turn, contain a JavaScript file that downloads the TorrentLocker ransomware.
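To make the "what exactly is a web shell" item above concrete: a web shell is nothing more than a server-side script that turns a request parameter into command or code execution, and that shape is also what you hunt for on a compromised web root. The scanner below is added for this article (it is not code from the linked post) and scores PHP files on the ingredients of a shell: an execution primitive, request-controlled input, the two meeting in a single statement, and decode/inflate calls or long high-entropy literals that hide a packed payload. The four sample files, two legitimate and two shells, are constructed for the demo; the weights and the threshold are assumptions to tune against your own code base.

```python
"""Static triage of a web root for PHP web shells (constructed example).

Scores each PHP file on the features that make up a shell and reports those
at or above a threshold. Weights, regexes and samples are assumptions for
the demo, not a vendor signature set.
"""
import math
import os
import re
import tempfile
from typing import Dict, List, Tuple

EXEC_RE = re.compile(r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I)
DECODE_RE = re.compile(r"\b(base64_decode|str_rot13|gzinflate|gzuncompress|gzdecode)\s*\(", re.I)
PREG_E_RE = re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)  # /e evaluates the replacement

SIGNATURES = [  # (pattern, weight per hit, label)
    (EXEC_RE, 3, "code/command execution primitive"),
    (INPUT_RE, 1, "request-controlled input"),
    (DECODE_RE, 2, "decode/inflate call"),
    (PREG_E_RE, 3, "preg_replace with /e modifier"),
]
THRESHOLD = 4                      # report files scoring at or above this
SCAN_EXTS = (".php", ".phtml", ".php5", ".inc")


def shannon_entropy(s: str) -> float:
    """Bits per character: base64 blobs sit near 5-6, plain PHP source near 4.5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def score_source(text: str) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    for pattern, weight, label in SIGNATURES:
        hits = len(pattern.findall(text))
        if hits:
            score += weight * hits
            reasons.append(f"{label} x{hits}")
    # The defining shape of a one-liner shell: request input reaching an
    # execution primitive inside a single statement.
    if any(INPUT_RE.search(stmt) and EXEC_RE.search(stmt) for stmt in text.split(";")):
        score += 3
        reasons.append("request input reaches execution in one statement")
    # A long base64-looking literal with high entropy is a packed payload.
    for lit in re.findall(r"['\"]([A-Za-z0-9+/=]{64,})['\"]", text):
        if shannon_entropy(lit) > 4.5:
            score += 2
            reasons.append("long high-entropy literal")
            break
    return score, reasons


def scan_tree(root: str) -> List[Dict]:
    """Score every PHP-like file under `root`; highest score first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                score, reasons = score_source(fh.read())
            findings.append({"path": path, "name": fname, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed samples: two legitimate files (one even calls exec), a classic
# one-liner shell, and a shell that hides its payload in a base64 literal.
SAMPLES = {
    "contact.php": "<?php echo 'Hello, ' . htmlspecialchars($_GET['name']); ?>",
    "version.php": "<?php exec('git --version', $out); echo $out[0]; ?>",
    "img.php": "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; } ?>",
    "cache.php": "<?php $p='QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"
                 "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo='; eval(base64_decode($p)); ?>",
}


def write_samples() -> str:
    """Write the constructed samples into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(write_samples()):
        flag = "SUSPECT" if f["score"] >= THRESHOLD else "ok     "
        print(f"{flag} {f['score']:2d} {f['name']}: {', '.join(f['reasons']) or '-'}")
```

Note how version.php, which calls exec() on a fixed string, stays under the threshold while img.php does not: the discriminating signal is request input reaching execution, not the presence of exec() alone. Real shells vary the obfuscation endlessly, so a scanner like this is a triage aid to run alongside file-integrity monitoring of the web root, not a substitute for it.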
Published 2016-07-29T13:00:00+00:00 | http://feeds.feedblitz.com/~/170644182/0/alienvault-blogs~The-Alien-Eye-in-the-Sky-Friday-th-July | www.secnews.physaphae.fr/article.php?IdArticle=4955

Open Threat Exchange (OTX) Introduces New Features

Open Threat Exchange (OTX) today. This new feature allows users within OTX to create a private group of other OTX users and control access to the threat data shared within that group. Threat data contained within the private group stays in the private group and is not shared more widely with the rest of the OTX community. This allows OTX users within the private group to collaborate with other security professionals in a tighter, more controlled way. There's a short video about it.

This feature is modeled after the concept of Information Sharing and Analysis Centers (ISACs), which share threat information related to cyber and physical threats with their members. ISACs have been in existence since the late 1990s and are a result of Presidential Decision Directive-63, signed into effect on May 22nd, 1998 by President Bill Clinton. The mission laid out is simple:

"Protect the nation's critical infrastructures from intentional acts that would significantly diminish the abilities of the Federal Government to perform essential national security missions and to ensure the general public health and safety, state and local governments to maintain order and to deliver minimum essential public services, and the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services."

Since the introduction of the Directive in 1998, 24+ ISACs have been established to provide threat collaboration and information sharing and to assure the continuity and viability of critical infrastructures.
These include the Financial Services ISAC (FS-ISAC), the Information Technology ISAC (IT-ISAC), and the Research and Education Network ISAC (REN-ISAC). Each ISAC is focused on a specific sector, and only organizations in that sector can participate.

So, what about everybody else? ISACs provide critical information to their members. What's the first rule of ISAC club? You don't share information outside of ISAC club. Great for those organizations who are members; not so great for those who are not.

With the new private groups functionality in OTX, we've made it easier for all organizations to create their own ISAC-like groups without the overhead, cost, and infrastructure necessary to establish a place to share the information you need to better protect your infrastructure. Here are a couple of examples of how this new feature can be used:

- A researcher may want to collaborate with peers or friends within a specific industry on a new threat before sharing the data with the larger OTX community.
- A CISO may want to create an industry-specific or region-specific group to review or collaborate on recent threats targeting their industry or region, so they can better combat those threats.
- Academic colleagues may want to collaborate with other academics on research projects and leverage the OTX framework and infrastructure to manage and control the threat information they have learned about.
- An ISAC that doesn't have automated tools to keep track of and disseminate threat information quickly can leverage OTX and the new private groups function to host and distribute information to their members.

There are plenty of other examples too. If you have not yet signed up, you should.
OTX is an open community that allows you to get updates related to the latest threats as well as collaborate with

Published 2016-07-26T13:00:00+00:00 | http://feeds.feedblitz.com/~/169301286/0/alienvault-blogs~Open-Threat-Exchange-OTX-Introduces-New-Features | www.secnews.physaphae.fr/article.php?IdArticle=4712

You've Experienced a Breach — Should You Tell?

security incident than a breach.

User-Level Compromise

If you discover that a hacker has cracked one of your users' accounts, you have a potentially more serious situation. Review your logs to determine whether the user accessed sensitive information or installed unauthorized software.

Root Compromise

If a black hat gains access to a root or system account, you're in big trouble. You'll need to preserve the data from the affected system for forensic use, wipe and reinstall the operating system and everything that runs on it, and bring in an outside organization to conduct an in-depth security audit.

Physical Compromise

Not all break-ins come over the wires. Some criminals may get their hands on an unencrypted laptop or backup tape that holds sensitive data. Treat theft of physical assets just like a user-level or root compromise, depending on what was stolen.

Many states have laws that address security breaches. If you do business in California, for instance, you fall under S.B. 1386, which requires "notification to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
Similar laws apply in

Published 2016-07-25T13:00:00+00:00 | http://feeds.feedblitz.com/~/168802880/0/alienvault-blogs~Youve-Experienced-a-Breach-%e2%80%94-Should-You-Tell | www.secnews.physaphae.fr/article.php?IdArticle=4638

The Alien Eye in the Sky - Friday 22nd July

all over the news this week, with initial reports of the app obtaining excessive permissions, to reports of people being injured, or of criminals using the game to lure unsuspecting users and mug them. But this isn't a new problem, simply a repackaging. Mobile apps are notorious for requesting excessive permissions, something users should scrutinize whenever installing a new app. However, in this case it appears to have been a failing on Google's part in allowing an app not only to request admin privileges, but to do so without displaying a prompt to users. It's an issue that Google is apparently seeking to fix as soon as possible. However, it does beg the question whether other, less popular apps have been able to sneak under the radar in the past. Does your company have a way of managing this risk?

Summer of Pwnage is a hacker community event that has been examining WordPress vulnerabilities. With only a few days left, it has found over 60 WordPress vulnerabilities, which goes to show that community-powered efforts do work, but more importantly raises the question whether WordPress itself is adequately secure.

Ranscam, recently uncovered by the Cisco Talos team, is a new, unsophisticated ransomware that simply deletes users' files and demands a ransom to get access to them again.
It also performs other destructive actions, like deleting the core Windows executable responsible for System Restore, deleting several registry keys associated with booting into Safe Mode, and more. Indicators of compromise for Ranscam can be downloaded from Open Threat Exchange:

Arguably one of the biggest case rulings this last week was when a court ruled that Microsoft does not need to respond to US warrants for overseas data. Had this ruling gone against Microsoft, the impact would have been felt throughout US-based cloud-computing companies. While this is probably not the last we'll hear on the matter, one cannot downplay the significance of this case.

Keydnap is Mac OS-specific malware that establishes a permanent backdoor to a C&C server and attempts to exfiltrate the Keychain file. The good news is that if Gatekeeper is running in an unmodified state, it should detect the downloaded malicious file as an unsigned Mach-O executable, block its execution and display a warning. As Macs continue to proliferate through the consumer and enterprise markets, we can expect to see a continued rise in Mac-specific malware.

Turkey had a failed coup attempt.
The Grugq has written a great article on the role of cyber in coups and why it was so influential this time.

Europe's Advocate General gave the opinion that where personal data is retained, it should only be used for investigating "serious" crime. The key principle being applied here is the safeguarding of individuals' privacy. However, the definition of serious crime is on

Published 2016-07-22T17:40:00+00:00 | http://feeds.feedblitz.com/~/167497020/0/alienvault-blogs~The-Alien-Eye-in-the-Sky-Friday-nd-July | www.secnews.physaphae.fr/article.php?IdArticle=4579

University of Wisconsin-Superior Secures their Campus Network with AlienVault USM

printable PDF version of the case study.

Founded in 1893, the University of Wisconsin–Superior (UW-Superior) is a public university located in Superior, Wisconsin. UW-Superior grants bachelor's, master's, and specialist's degrees. The university currently enrolls about 2,450 undergraduates and 150 graduate students from over 40 different countries. Ranked 23rd in U.S. News and World Report's "Best Online Bachelor's Programs/Best Online Programs," UW-Superior strives to maintain its record of 96% of graduates who join the workforce or continue their education.

There are approximately 1200 computers and 50 servers on the UW-Superior campus for faculty, staff, and lab use. Roughly 500 students living in the residence halls on campus also have access to UW-Superior's network services for their daily use.

In early 2015, UW-Superior's IT team was looking to replace their outdated intrusion prevention system. As a result of budget restrictions, however, they needed to find a cost-effective security solution that would still meet the needs of their large network.

Tom Janicki, Technology and Infrastructure Services Director at UW-Superior, was tasked with updating the campus's intrusion detection system (IDS).
However, he soon realized that finding an IDS at a price that met his limited budget was proving to be a challenge.

"The replacement quote from the IDS vendor we had been with forever was around $100,000. There was absolutely no way we would be able to get that approved. We also have an aging phone system that we needed to replace, so I couldn't justify such a high cost for a new IDS. I felt extremely helpless and asked myself, 'What am I going to do to protect my campus? Our intrusion prevention system is end-of-life.' The next quote that came in was closer to $200,000," said Janicki.

While researching alternative IDS solutions, Janicki came across AlienVault's Unified Security Management™ (USM) platform. "I read a review in SC Magazine and decided to go through a self-guided demo. Afterwards, I spoke with a sales rep and was floored by the price he quoted," said Janicki.

After a full evaluation, UW-Superior decided to leverage AlienVault USM to meet their IDS needs. They then quickly began the process of deploying it in their campus network with professional services provided by AlienVault.

"We had opted for professional support to deploy USM, but I wasn't sure what that would entail. At the time I believed the support would simply be working through the setup on my own and calling in if I had problems. I didn't realize it was going to be separate from standard AlienVault support. I was pleasantly surprised to have an actual dedicated engineer who was assigned to help me out the whole way. I didn't have to open a single ticket. The engineer reached out to me and the whole system was extremely fast and easy to set up. We were up and running within a matter of days," said Janicki.

As Janicki and his team became familiar with using AlienVault USM as their intrusion detection system, they began to implement the other tools that make up the USM platform.
During this process, Janicki was pleased to realize that because so many security features were already included in USM, like behavioral monitoring, SIEM and vulnerability assessment, he would not have to purchase additional security tools that he previously thought he would require.

"We definitely got a lot of bang for our buck with USM. What I found amazing was the enormous amount of information from different sources that it could gather, correlate, and store. The engineer woul

Published 2016-07-21T13:00:00+00:00 | http://feeds.feedblitz.com/~/167145302/0/alienvault-blogs~University-of-WisconsinSuperior-Secures-their-Campus-Network-with-AlienVault-USM | www.secnews.physaphae.fr/article.php?IdArticle=4498

Firewall Egress Blocking and Monitoring

Get rid of that any/any rule on your firewall.

Monitor that firewall!

Having a tool like AlienVault Unified Security Management (USM) ingesting logs from the firewall and monitoring ingress/egress traffic is a strong additional layer to add to your risk mitigation strategies. IP reputation and Open Threat Exchange (OTX) indicators of compromise will help identify weaknesses in your rule sets and aid you in further improving your security posture. As this thread on Spiceworks demonstrates, practitioners struggle with monitoring firewall logs without a platform like USM. Here are some screenshots of using USM to monitor a firewall.

Published 2016-07-20T13:00:00+00:00 | http://feeds.feedblitz.com/~/166906212/0/alienvault-blogs~Firewall-Egress-Blocking-and-Monitoring | www.secnews.physaphae.fr/article.php?IdArticle=4421

The Seven Habits of Highly Un-Phishable Users

Phishing is the little black dress of cyber-attacks: always in fashion, goes with anything, and, despite being around for over 20 years, still seems to be a hit.
In fact, a recent experiment by JPMorgan showed that 1 in 5 employees will click on a phishing email. Even more troubling, a recent study by the Ponemon Institute showed that phishing can cost an average 10,000-person company $4 million USD annually. When you add in the fact that more and more cybercriminals are using phishing attacks to spread dangerous (and expensive) malware and ransomware, it's easy to see the importance of stopping phishing attacks before they start.

These attacks have the potential to become a huge professional concern as well: the CEO of FACC was recently fired after an email scam that appeared to come from his email account cost the company over $54 million. It may be that when an email goes out with your name on it, even if you didn't send it, you could be held responsible.

But don't lose hope, there is good news! In order to be effective, phishing attacks still need us to play along and do something we shouldn't: send over information, download attachments, click on malicious links, etc. We just finished putting together a new guide that highlights all the different ways attackers try to trick us into doing those things (you can check it out here), and as we were writing it, we identified seven good email habits that smart users follow in order to see through the ploys and keep themselves safe:

Check twice, click once: Before you click on any link in an email, hover over the hyperlink to see the destination URL first. Phishers will often hide their URLs behind email text like "just click here to confirm" or "we just need some more information, please fill out this form" in order to get someone to click without thinking about it. Hovering over the linked text will show you the URL that the link is pointing to.
If it's not familiar, don't click.

Check with the sender if you're unsure about an email: A favorite tactic of phishers is to find a list of executives at a company and send emails impersonating those executives to get employees to reveal sensitive information. If you get an email with any request that seems out of the ordinary, no matter who it is from, check with the sender to confirm it is legitimate. If that person says they didn't send the email, report the issue to IT immediately.

Learn to recognize phishing red flags: Spelling errors, vague requests, misleading headlines, and odd groups of people in the "To" field are all signs you may be looking at a phishing email. It's always better to be safe than sorry with emails, so if you see

Published 2016-07-19T13:00:00+00:00 | http://feeds.feedblitz.com/~/166661686/0/alienvault-blogs~The-Seven-Habits-of-Highly-UnPhishable-Users | www.secnews.physaphae.fr/article.php?IdArticle=4338

Understanding Electronic Control Units (ECUs) in Connected Automobiles and How They Can Be Hacked

Cyber Secure Car 2016 conference in Munich, Germany on this topic was on June 14, but you can watch the video of the talk now.

I'd like to start out by defining some terminology to get both of us on the same page. An Electronic Control Unit (ECU) is a generic term for any system that controls one or more of the electrical systems or subsystems in a transport vehicle. Connected automobiles, like any transport vehicle, are built with numerous ECUs. Any connectivity, whether with the infotainment system inside the car (the head unit) or with an ECU, requires connectivity to a back end, typically the automobile maker's, which is able to "push" patches and data to the system remotely.
This is typically done through cellular base stations (BTS). A cellular base station, also referred to as a cell tower, provides connectivity between mobile phones and the wider telephone network.

The first thing you need to remember is that any IoT device should be viewed from the vantage point of a hacker attempting to compromise a regular computer system. Like any networked host, it has an identifying address on the network and is therefore susceptible to being identified and further targeted. The same goes for cellular networks, where, instead of an IP address as on computer networks, the identifiers are the IMSI of the SIM chip and the ARFCN beacons from the MSP base stations. As with any networked node, exploitation of vulnerabilities is not limited to the device itself, but extends to the communication infrastructure it relies on for connectivity to other devices.

Judging by the penetration tests Brier & Thorn has performed over the years on IoT devices, including connected transport vehicles, IT security related to IoT is almost like Marty McFly jumping into the DeLorean and going back 20 years in IT security, when the worst thing we had to worry about was script kiddies defacing our web site by using wu-ftpd exploits and rexec to compromise our servers. Similar to the inherent flaw in IP version 4 of nodes implicitly trusting anything they communicate with when IPsec isn't being used for transport security, connected automobiles fall victim to the same types of attacks caused by a lack of authentication with their peers. Like a mobile phone, an ECU that uses cellular to communicate with its back end is going to automatically associate with its closest base station or cell tower and trust it.
You can see where we’ll be headed first in our kill chain: a pattern of transaction activities that are linked together in order for a successful compromise to occur. The Kill Chain Model (KCM) that we will be employing in this article to demonstrate the numerous attack vectors against a connected automobile is: intelligence collection; threat modeling; vulnerability analysis; and exploitation.

In our Intelligence Collection phase, we footprint the target, in our case an ECU that is connected to its back-end over cellular using a built-in SIM chip. The intelligence collection phase therefore reveals vulnerabilities not just in the ECU, but also in the cellular network it is associated to, as well as information we can harvest from the ECU itself through stimulus and response.

The attack v

2016-07-18T13:00:00+00:00 http://feeds.feedblitz.com/~/166406298/0/alienvault-blogs~Understanding-Electronic-Control-Units-ECUs-in-Connected-Automobiles-and-How-They-Can-Be-Hacked www.secnews.physaphae.fr/article.php?IdArticle=4237

Keydnap – All Your Keychain Are Belong to Us

points out, it’s one of three new pieces of malware to target Mac OS by installing backdoors.

How it Works

So far, it’s not clear how the malware gets on the victim’s system initially. The usual suspects, such as email attachments or malicious web sites… are the usual suspects. The malware is delivered in a zip file that contains a Mach-O executable with a seemingly innocuous extension, such as .jpg or .txt (Mach-O is the format used by iOS and OS X for native executables). Upon closer inspection of the zip file’s contents, however, you’ll see that there is a ‘space’ character at the end of the extension (see screenshot below).
The write-up from ESET explains that “…double-clicking the file in Finder will launch it in Terminal and not Preview or TextEdit.”

[Screenshot showing details of the malware file masquerading as an image. Source: ESET]

Once launched, the file does several things in rapid succession:
- Downloads and installs icloudsyncd, a malicious process that maintains the backdoor to the C&C server
- Swaps out the contents of the Mach-O executable with a decoy document that matches the format of the executable’s extension (e.g., .jpg or .txt), to appear legitimate

Impact on you

Once installed, the Keydnap backdoor starts looking for the Mac OS keychain. For those of you not familiar with the pot of gold the keychain represents on a Mac, it contains:
- Application passwords
- Login credentials
- Credit card info
You get the idea...

Good news: If you have not disabled or modified the settings on Gatekeeper, which is on by default in OS X, it will detect the downloader file as an unsigned Mach-O executable, block its execution and instead display a warning. If you have modified Gatekeeper, you may want to rethink your strategy.

How AlienVault Helps

The AlienVault Unified Security Management (USM) platform provides the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like Keydnap. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep users up to date with new and evolving threats. The Labs team performs the threat research on the latest threats, and on how to detect and respond to them, that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves.

The Labs team recently updated the USM platform’s ability to detect this new threat by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a system compromised by Keydnap.
Learn more about these updates in the latest

2016-07-15T16:32:00+00:00 http://feeds.feedblitz.com/~/165797300/0/alienvault-blogs~Keydnap-%e2%80%93-All-Your-Keychain-Are-Belong-to-Us www.secnews.physaphae.fr/article.php?IdArticle=4152

Embracing Global Public/Private Cybersecurity Alliances

Information Sharing:

Information is a first step. In the past couple of years, the Department of Homeland Security (DHS), with Congressional and private sector support, has developed guidelines for information sharing with industry across several sectors. Information sharing helps both government and industry keep abreast of the latest viruses, malware, phishing threats, and especially denial of service attacks. It also establishes working protocols for resilience and forensics that are critical for the success of commerce and for enforcement against cyber-crimes.

Both the US and EU have reached out in recent years to the private sector to establish priorities, protocols for information sharing, and lines of communication to respond to potential incidents. The fact is that 85% of the World Wide Web and most of the world’s critical infrastructure is owned and operated by private sector companies. Many of the recent cyber breach attacks against multi-nationals have been successful, including in banking, health, and retail, and they impact the economic system and citizens around the globe.

Cooperative Research, Development and Rapid Deployment:

Keeping up with cybersecurity threats is often daunting and requires a holistic effort. There is a wide variety of architectures, systems, and jurisdictions, and the adaptability and scalability needed to upgrade to new security technologies and processes is a significant challenge. While there is an array of promising technologies being developed, there is no immediate technological panacea to stop intrusion.
But there are promising technologies that include better encryption, biometrics, smarter analytics, and automated network security, alongside informed risk management planning, training, network monitoring, and incorporating Next Gen layered hardware/software technologies for enterprise network, payload, and endpoint security. All of these are components of what can be improved via cooperative efforts in research, development, and deployment.

A closer partnership between governments and the private sector could help produce tactical and long-term strategic cybersecurity solutions more quickly. Cooperative research and development in new technologies such as hardware, software algorithms and operational processes are needed just to keep up with the evolving global threat matrix. There are no areas on the cybersecurity spectrum that do not need more investment and modernization to help fill capability gaps.

Enhanced Cybersecurity Alliances:

Currently, there are few established international norms to collectively combat cybercrime against critical infrastructures on a global scale. There is a need to bring governments and industries together to discuss scenarios and establish protocols for policy and action in regard to the evolving threat matrix and the potential spiraling effects of cybersecurity incidents.

The United States has made a concerted effort to establish alli

2016-07-13T13:00:00+00:00 http://feeds.feedblitz.com/~/165205890/0/alienvault-blogs~Embracing-Global-PublicPrivate-Cybersecurity-Alliances www.secnews.physaphae.fr/article.php?IdArticle=4000

SDD - Security Deficit Disorder

Flat network

Is the network so flat that it could be used as a spirit level? Do words such as segmentation or zones not exist? If so, you could be looking at SDD.

User Management

Is there a proper process in place to manage joiners, movers, and leavers?
Or are there more orphan accounts than Oliver Twist? If the system administrator and the receptionist both have the same access, maybe segregation of duties or privileged account management doesn’t exist.

Vulnerability management

One of the first steps to addressing security is admitting that you have issues that need fixing. Vulnerability scanning helps companies discover where vulnerabilities lie and put in place a prioritized plan to patch or fix them. This trait is often lacking in companies that are suffering from SDD.

Behavioral monitoring

A common excuse for not improving security is “it’s always been done this way”. However, that may not be strictly true. Without a form of behavioral monitoring in place to build up a picture of what normal network flow looks like, or when services are available or not, how can one say with certainty that things haven’t changed? SDD grows stronger in the company of apathy.

Intrusion Detection

Even companies that have installed anti-virus or a firewall can suffer from what we refer to as type 2 SDD: the absence of intrusion detection capabilities on the network and host. Without these in place, breaches are only discovered when they appear in the news.

SIEM

Collecting, analyzing, correlating and alerting on events is the key function of a SIEM. However, without the fundamental supporting blocks being in place, such as having an inventory to identify critical assets or knowing what counts as anomalous behavior, a SIEM may not be the complete answer to curing SDD. Some companies suffer from a milder form of SDD in which they do have a properly configured SIEM in place.
However, they lack the staff or rigor needed to investigate and respond to the alerts that are generated.

User (un)awareness

Many companies that suffer from SDD ha

2016-07-11T13:00:00+00:00 http://feeds.feedblitz.com/~/164678864/0/alienvault-blogs~SDD-Security-Deficit-Disorder www.secnews.physaphae.fr/article.php?IdArticle=3847

Naming Security

It so happens that cyber security is absolutely everyone’s responsibility, whereas IT security is the responsibility of everyone within the organization. Apparently data security is important… to whom, one can only guess. Probably to people who like using the term data security. Finally, it appears that information security is indeed information risk management. It must be a thing for consultants.

2016-07-07T13:00:00+00:00 http://feeds.feedblitz.com/~/163811528/0/alienvault-blogs~Naming-Security www.secnews.physaphae.fr/article.php?IdArticle=3741

Security is NOT an IT Problem - It’s a Business Resilience Problem

Dataprise’s Information Security Symposium on June 16th at the Dataprise Corporate Office and Technology Center in Rockville, MD. Over 50 business leaders joined this intimate event, eager to discover more about the latest best practices and proactive risk management approaches related to Information Security.
Below are a few highlights from the event:

[Photo: Charles Ames, the State of Maryland’s Chief Information Security Officer, delivering the keynote speech at Dataprise’s Information Security Symposium]

The evening kicked off with the State of Maryland’s Chief Information Security Officer, Charles Ames, delivering a keynote speech focusing on the question of how much security is enough and on the aftermath of a security attack on a business. He spoke to the audience about the importance of understanding who your users are, what devices they are using, and fully comprehending administrative rights on your network. He also shared with attendees the eye-opening fact found in Verizon’s 2016 Breach Incident Report that 97% of breaches used legitimate third-party access to attack. Ames ended his keynote discussing what his team is working on within their Security Program to establish a Cyber Secure Maryland, including policy, baselining, centralizing security controls, threat identification, and continuous diagnosis and mitigation.

The Weakest Link

Following the insight from Charles Ames, a panel discussion moderated by Tim Foley, Senior Manager of Information Security & Strategic Consulting at Dataprise, began, featuring Ames and the following panelists:
- Joe Schreiber, Director of Solutions Architecture at AlienVault
- Sean Ferrara, Virtual Chief Information Security Officer (vCISO) at Dataprise

The discussion focused on key security topics such as the biggest trends, threats, and the shift in how organizations are viewing security. But one of the most discussed points concentrated on the weakest link in every business’ security: employees.

[Photo: Discussion panel at Dataprise’s Information Security Symposium]

“The weakest link in any organization is our people. They are our most valuable asset and are also our most vulnerable asset,” stated Ferrara.
The discussion continued, focusing on employee training, policy alignment with business culture, and the importance of executive buy-in.

The panel also highlighted the importance of having an established security program and ensuring it aligns with overall business goals and objectives. “Tools have outputs, programs have outcomes and when we’re putting together an information security program, the business needs and the needs of the organization are going to drive what we would like the outcome to be,” stated Foley.

The discussion also dove into ways businesses can prevent attacks and protect themselves from attacks happening in the first place. “Complacency is the enemy of vigilance, which is the key factor of any security operations center,” stated Schreiber in reference to the downside of using tools such as machine learning, “and we want to keep that intact no matter the tool that’s used.”

Assess, Protect, Detect, Respond

2016-07-06T13:00:00+00:00 http://feeds.feedblitz.com/~/163530198/0/alienvault-blogs~Security-is-NOT-an-IT-Problem-Its-a-Business-Resilience-Problem www.secnews.physaphae.fr/article.php?IdArticle=3695

Hacking Multifunction Printers: Lock, Stock and Two Smoking Printers

2016-07-05T13:00:00+00:00 http://feeds.feedblitz.com/~/163223404/0/alienvault-blogs~Hacking-Multifunction-Printers-Lock-Stock-and-Two-Smoking-Printers www.secnews.physaphae.fr/article.php?IdArticle=3653

Application Security: Methods and Best Practices

Application security is arguably the single biggest challenge confronting security professionals today. By “application,” I mean any internally-developed build, regardless of whether its primary intended platform is the Web, mobile devices, or a traditional desktop OS like Windows.
This is because all application builds must go through the standard cycle of development, testing, settling on a release candidate, and deployment into operations, at which time, too often, problems are found and the new build is sent back for fixes. So application security can often be improved by improving on that cycle at various points.

Application security for COTS (commercial-off-the-shelf) applications is inherently more limited, of course, and a topic for another post, though the section “How IT operations teams can improve application security” below is a good place to start.

This perspective has led to DevOps initiatives (a combination of Development and Operations), which try to overcome traditional problems including:
- IT development and IT operations have often existed in isolation from each other, sharing few or no tools and information and minimizing collaboration, which is especially problematic for application security.
- Both teams are now expected to continuously become more agile: capable of delivering new builds that are as feature-complete and bug-free as possible, yet in a shorter time and for lower costs. Application security is often viewed as an impediment to this goal due to its additional overhead.
- A more agile build cycle unfortunately also sometimes means new application security problems.

So, toward improving that situation, there are many measures app stakeholders can and should adopt.

How IT development teams can improve application security

First, from a development standpoint, it’s important to integrate application security best practices into coding regardless of the specific methodology (Waterfall, Agile, etc.). After half a century of careful analysis, we now know quite a bit about how programming errors tend to arise, and how best to avoid them. For instance, consider the SANS list of Top Twenty-Five Most Dangerous Programming Errors.
This is a ranked list based on expected business impact, complete with prevention/remediation techniques in every case. Every developer should have it bookmarked, or even better, memorized as their starting point for application security.

There are, additionally, various code vulnerability scanners designed specifically to improve application security at this early stage. I’ve gone into these in another recent blog entry, so won’t be exploring them in detail here, but they can help automatically spot cases in which best practices have not in fact been followed in coding.

How cross-domain DevOps practices can improve application security

Much of the newer insight concerns DevOps per se. As these two domains become more and more tightly integrated, all sorts of great new opportunities arise to drive up application security. Four instances follow:

Make sure development, testing, and deployment all have the identical context for the app to execute. By this, I primarily mean the servers involved. At all three stages, applications should have exactly the same operating system version, security patches, middleware, test data, etc.: in short, the complete operational context. Any variation across servers has the practical effect of invalidating test results and production expectations. You can think of this as very similar to a control experiment in scienc

2016-06-30T13:00:00+00:00 http://feeds.feedblitz.com/~/162194226/0/alienvault-blogs~Application-Security-Methods-and-Best-Practices www.secnews.physaphae.fr/article.php?IdArticle=3506

Clicking With The Enemy

Executive Weakness?

However, delivering user awareness training is often the easy part of the solution.
Ensuring that it is effective and having confidence in its ability to change behaviours is slightly more challenging.

Over a third of participants responded that their executives had fallen victim to a CEO fraud email. The confidence level about future events is even worse, as over half of respondents stated that their execs could very well fall victim to phishing scams in the future. A further 30% stated this might be possible if the phishing scam was well-crafted and convincing.

The challenge that lies here is two-fold. Firstly, most phishing scams that target execs are well-crafted and researched. Attackers typically register similar-looking domains and thoroughly research an exec’s background. Secondly, many execs have personal assistants who manage their day-to-day operations and who are often more susceptible to social engineering tactics than the execs themselves. As such, it is important to train all users within the organisation, as attackers will likely identify and strike through the weakest links.

For attackers, the weakest links don’t always reside within the company. CEO fraud is a form of impersonation fraud, and isn’t always limited to personnel within the company. Third party suppliers, partners, and even customers are routinely targeted by such scams, so initiatives to raise awareness should include all associated parties, not just internal employees. Also, it is important to monitor third party activity and utilise up-to-date threat intelligence to bring to light the ever-evolving methods employed by criminals.

The Price of Data

Ransomware has been on the rise over the last couple of years. Phishing emails usually provide the access into an organisation. Once a malicious payload is executed, it connects to a Command and Control (C&C) server, and the malware begins to encrypt specific file types on the system as well as on shared drives.
The ransomware will then demand payment, usually within a set time period, in order to unlock these encrypted files.

From a business perspective, ransomware runs on a different model from traditional cyber attacks. In the case of ransomware, the attackers are typically not looking to steal data. In fact, the encrypted data itself would likely be worth nothing on the black market. However, for an individual or business, the locked files may be valuable from

2016-06-28T08:00:00+00:00 http://feeds.feedblitz.com/~/161681640/0/alienvault-blogs~Clicking-With-The-Enemy www.secnews.physaphae.fr/article.php?IdArticle=3439

FastPOS, Point of Sale Malware Targeting SMEs

year of the mega breach’). In 2015, high profile losses also hit the hospitality industry, with several large chains disclosing breaches. According to the 2016 Verizon Data Breach Investigations Report, attacks against POS environments were responsible for 95% of the confirmed data breaches among its Accommodation customers, and 64% among its Retail customers.

The Trend Micro Cyber Safety Solutions Team recently published a report on FastPOS that highlights the risk to smaller organizations. FastPOS is a new malware variant that harvests both card data, via a RAM scraper, and credentials, via a keystroke logger.

FastPOS is noteworthy for a couple of reasons:
- It sends the harvested data back to its C&C server immediately, rather than storing it on-site before exfiltration. In fact, it earned its moniker because of the unusually fast rate at which it exfiltrates any data it has stolen.
- The C&C server is also a forum for monetizing stolen cardholder data; below is a screenshot of cardholder data available for purchase.

[Screenshot of cardholder data offered for sale. Source: Trend Micro]

Impact on you

FastPOS is also important to note because it has targeted smaller organizations as well as larger enterprises.
Because of the speed with which FastPOS extracts data, smaller networks will likely have less chance to detect this threat, and they may not have deployed the sophisticated threat detection technologies that would alert them to the harvesting and exfiltration of cardholder data.

FastPOS represents a threat to all industries and organizations that use POS systems. The Trend Micro report sums it up well: “Regardless of size and industry, an organization or a company can be affected by Point-of-Sale (PoS) threats. For more than three years, we have monitored and reported PoS threats targeting diverse verticals beyond retail; we have seen attacks affecting airports and parking lots, among others. It is a mainstream threat that has continuously evolved its tactics to expand their target base.”

How AlienVault Helps

The AlienVault Unified Security Management (USM) platform provides the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like FastPOS. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep users up to date with new and evolving threats. The Labs team performs the threat research on the latest threats, and on how to detect and respond to them, that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves.

The Labs team recently updated the USM platform’s ability to detect this new POS

2016-06-23T13:00:00+00:00 http://feeds.feedblitz.com/~/160625448/0/alienvault-blogs~FastPOS-Point-of-Sale-Malware-Targeting-SMEs www.secnews.physaphae.fr/article.php?IdArticle=3264

InfoSec Implications of Britain Leaving the EU

referendum taking place on 6/23/16 to decide whether Britain will remain part of the EU.
From all the discussions leading up to this vote, a shorthand way of referring to the possibility of Britain exiting the EU has popped up: Brexit (British Exit).

While many have debated and continue to debate the overall social and economic benefits of Britain remaining within or leaving the EU, we took it upon ourselves to ask attendees of Infosecurity Europe 2016 what they feel the potential security impact of a Brexit might be. The results are based on a survey of 298 security professionals at the event. Javvad Malik’s full report on the survey results is available in PDF form, while the highlights are presented in this great little infographic.

2016-06-22T13:00:00+00:00 http://feeds.feedblitz.com/~/160316676/0/alienvault-blogs~InfoSec-Implications-of-Britain-Leaving-the-EU www.secnews.physaphae.fr/article.php?IdArticle=3205

2016 SANS Survey on Incident Response

entire report. Here's an infographic with some of the key points:

2016-06-19T18:29:00+00:00 http://feeds.feedblitz.com/~/159936082/0/alienvault-blogs~SANS-Survey-on-Incident-Response www.secnews.physaphae.fr/article.php?IdArticle=3122

Turning Your MSP NOC into a MSSP SOC

Overview

While traditional managed service provider (MSP) offerings, like system monitoring and management, are subject to price pressures and commoditization, the rapidly changing landscape of security threats makes information security a high-value business.
The existing infrastructure of NOCs makes them uniquely suited to transition to SOCs, moving from offering increasingly lower-margin IT services to high-value information security monitoring and management.

Key Takeaways

Ever-changing security threats present an evolutionary business opportunity for MSPs. Businesses may have their own security tools, such as a firewall, antivirus, and integrated threat management, but are unlikely to have in-house specialized information security professionals.

MSPs can begin with managed services and transition to higher-profit monitored services. Transitioning MSPs might start the move to security solutions with managed services before transitioning to higher-profit monitored services. A SOC can offer one or both of these services to customers. The key distinction between managed and monitored services is that SOC security professionals are involved in reviewing and resolving issues for customers, whereas managed services push the issues back to the client for resolution. In addition, a SOC may provide revenue-generating secondary offerings to clients, including security training, pen testing, forensics, virtual chief information security officer (CISO) services, and more.

NOCs have already spent the money and done the work necessary for a smooth conversion to a SOC. Businesses starting new projects want to understand how capital intensive the project is. For established NOCs, many of the big-ticket items required to create a SOC are already in place, including the building and much of the equipment. Implementing procedures can be time consuming for a new operations center, but an established NOC has already created and optimized key processes, including issue ticketing systems and workflow, and how and when to interact with and contact customers.
To fully deploy an incident management system can take a business anywhere from 18 months to three years; NOCs already have these systems in place as part of their daily operations.

Additional staffing and tools are necessary to complete the NOC to SOC conversion. Tier 2 staff, the information security experts, are a required investment for any SOC. A large staff of these higher-salaried Tier 2 employees isn’t necessary; a single Tier 2 can work with multiple Tier 1 staff members, who will multiply that Tier 2’s labor, research, and skills. As the process is refined, efficiencies allow even more Tier 1 employees to work with the Tier 2 specialist, and even train to move into a Tier 2 position in the future.

Tools are another important part of completing the NOC to SOC transition. A security information and event management (SIEM) platform allows the SOC to take a significant amount of information from a variety of sources, e.g., 30 million events in a day, and distill the data down to 10 or 15 alarms to be triaged for action. A threat intelligence tool that sits on top of the security platform brings extra value to customers b

2016-06-16T13:00:00+00:00 http://feeds.feedblitz.com/~/159078678/0/alienvault-blogs~Turning-Your-MSP-NOC-into-a-MSSP-SOC www.secnews.physaphae.fr/article.php?IdArticle=2941

The Rise of the Chief Data Officer

The volume of data available to and collected by the public and private sectors has grown exponentially year after year. Industry has reacted to the rapid proliferation of information being generated and shared across verticals and with customers. Data has become such an essential component for many companies that a new strategic role, Chief Data Officer (CDO), has emerged in the C-suite. This commercial trend has also carried over to government, including the current US Administration.
Initially, the White House hired a top digital technologist to serve as the nation’s “chief data scientist in residence”; later the position evolved into that of U.S. Chief Technology Officer. Prior to that, the Department of Transportation, Department of Commerce, Department of Energy, USDA, the Centers for Medicare and Medicaid Services, the FCC, the Federal Reserve and other independent agencies announced the implementation of Chief Data Officer roles.

The rise of the Chief Data Officer is an exciting and transformational change that elevates the significance of data. This evolution clearly acknowledges that the data being collected is a separate entity from the systems running it. The creation of the CDO role is a testament to the growing importance that both the public and private sectors are placing on data and data management. It also brings transparency, efficiency, and innovation into the executive process.

Serving in the CDO role is not an easy task, since it requires both tech-savvy and leadership capabilities. A CDO should possess strong executive management skills and assume responsibility for developing managers who will work systematically to ensure that data is treated as a strategic asset. A CDO should also work in tandem with the Chief Privacy Officer and the Chief Information Security Officer to ensure that there are unified standards. Security and integrity of that data are essential, especially in an environment where companies and agencies face a multitude of cybersecurity threats and have their data regularly breached.

The bulk of a CDO’s time and effort should be directed internally, at least initially, because of the data’s volume and complexity and to gain insights into the historical commercial or cultural uses of the data. Every company or government agency has a unique mission and data profile. A requirement for the CDO role is to understand the mission and how best to cultivate and interpret the data and internal resources.
With the advances in computing technology and algorithms, applying levels of analytics to unattached and unstructured data sources and building in automation capability has become fundamental to the process. Bringing meaning to the data is a science in itself.

The new digital era of both industry and government is being shaped by profound technological innovation driven by information sharing and analysis. Data has become more than a commodity; it is a driving force that determines how we live, earn, and function as a society. The Chief Data Officer’s role is to be the compass that ensures we head in the right direction.

About the Author

Chuck Brooks serves as the Vice President for Government Relations and Marketing at Sutherland Government Solutions. He is also Chairman of CompTIA's New and Emerging Technologies Committee, Cybersecurity Marketer of the Year (Cybersecurity Excellence Awards), and on the advisory board of several companies and organizations. Brooks served at the Department of Homeland Security as the first director of legislative affairs for the Science and Technology Directorate. He also spent six years on Capitol Hill as a senior adviser to the late Sen. Arlen Specter (Pa.). He has an MA from the University of Chicago and a BA from DePauw University. Please follow him on Twitter @ChuckDBrooks and on

2016-06-15T13:00:00+00:00 http://feeds.feedblitz.com/~/158885766/0/alienvault-blogs~The-Rise-of-the-Chief-Data-Officer www.secnews.physaphae.fr/article.php?IdArticle=2841

Are Businesses Prepared for GDPR?

GDPR, or the General Data Protection Regulation, was top of mind for many attendees at Info Security Europe 2016. The GDPR is due to come into force in 2018 and has the potential to significantly alter the way businesses handle data.
At over 200 pages long, the regulation is possibly one of the most wide-ranging pieces of legislation ever passed.

Notable GDPR Implications

The introduction of new concepts, and the revamp of existing ones, in GDPR will cause major changes to how companies operate. These include:

- Consent for children: In order to use data relating to children, companies will need to seek parental consent. Children are identified as "vulnerable individuals" deserving of "specific protection".
- Personal and sensitive data: The definition of what is personal or sensitive data has been expanded to include genetic and biometric data. Relevant to this is the introduction of pseudonymisation (of which tokenization is one technique) as a privacy tool.
- Breach communication law: A new security breach communication law will be introduced for all data controllers.
- Data protection by design: Businesses will need to demonstrate that technical and procedural processes adhering to GDPR requirements have been implemented from an early stage.
- Enhanced individual rights: These include the right to be forgotten and the right to request the porting of personal data to an alternative service provider, amongst others.
- Subject access: Upon request, data controllers must confirm whether they hold an individual's personal data and provide a copy within one month. Organisations will need to assess their ability to provide data in a timely and accurate manner.
- Transferring data outside of the EEA: Under GDPR, transfers of personal data to countries outside the EEA will continue to be restricted and will remain a significant issue for multinational organisations.

Are you ready?

These are just some of the high-level changes that GDPR will bring for European businesses. As more businesses delve into the details, more challenges will undoubtedly emerge.
The UK's Information Commissioner's Office has been releasing guidance on how companies can prepare. Some companies I spoke to said they were preparing to appoint Data Privacy Officers across the business to assist with GDPR. Others were engaging external consultants to help with implementation. Whichever way you look at it, GDPR seems set to remain a talking point for many years to come.

Published 2016-06-14. Source: http://feeds.feedblitz.com/~/158703000/0/alienvault-blogs~Are-Businesses-Prepared-for-GDPR (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2780).

Infosecurity Europe 2016, a Recap

Another year and another Infosecurity Europe is in the books. In typical English manner, the weather remained unpredictable. It started with a hot summer's day, followed by brief but heavy downpours that left Olympia resembling a sauna turned all the way up to eleven. But this didn't dissuade the 15k+ attendees from descending upon the venue for a very engaging three days, as evidenced by the constant stream of visitors to the AlienVault booth.

The Theme (or lack thereof)

In previous years at any security conference, it has often been possible to pick up on certain themes. Some years it's cloud security, other years it's big data analytics. This year, however, no distinct theme could be picked out from the marketing banners. That is probably a good thing: rather than chasing marketing buzzwords, many vendors seem to be genuinely trying to put their best foot forward and articulate their strengths.

A Maturing Industry

Could the lack of a common theme be a sign of a maturing industry? To some degree, I believe this to be the case. As attackers and attacks become more democratised, maturity is something that has been forced upon the industry.
A unified approach to combating threats is essential. As Raj Samani, CTO of Intel Security, said in his keynote, "Unless we collaborate as an industry, the bad guys will continue to make hundreds of billions of pounds, euros, whatever, from us."

A European Concern

On the AlienVault stand we had many interesting and in-depth conversations. One of the major talking points at the stand, and indeed across the show, was preparing for the General Data Protection Regulation (GDPR), a new European regulation with far-reaching implications that requires companies to strengthen data protection for individuals within the EU and controls the export of their data.

Recognition

During the week, SC Magazine held its 2016 European awards, in which AlienVault won the excellence award for Best SIEM Solution. A happy moment for the whole team and everyone involved.

BSides London

No Infosec week would be complete without a mention of BSides London, which continues to grow year over year. Unfortunately, I was not able to make the whole day; in fact, I may have been the last person to pick up my badge.

"So at 4.15pm will @J4vv4D be the last check in to #BSidesLDN2016" (Alan K, @AkinFoot, June 8, 2016)

Despite not making it to BSides in a timely manner, I heard from all accounts that it was a brilliant event as always, with some great talks. I do hope they were recorded!

Published 2016-06-11. Source: http://feeds.feedblitz.com/~/157996746/0/alienvault-blogs~Infosecurity-Europe-a-Recap (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2701).

Danti's APT Inferno

CVE-2015-2545, which was announced and patched by Microsoft in September 2015.
However, because many organizations have been slow to deploy the patch, exploits targeting this vulnerability continue to be effective.

The team at Kaspersky Lab has written a detailed report on the evolution of the threat, from its initial use by the Platinum group in August 2015 to its current use by several threat groups against targets in a number of countries in the Asia/Pacific region. The technique commonly used to penetrate a network is spearphishing: malicious code is embedded in a document from a legitimate-looking source, and once the document is opened the victim's system is compromised.

From the Kaspersky report: "The exploit is based on a malformed embedded EPS (Encapsulated Postscript) object. This contains the shellcode that drops a backdoor, providing full access to the attackers."

The Kaspersky Lab report also illustrates how bad actors continue to modify attack techniques to improve infection rates and avoid detection. The graphic below illustrates how several groups have developed separate attacks to target the vulnerability:

Timeline of Attacks Using Exploits that Target CVE-2015-2545 (Source: Kaspersky Lab)

Related Pulse:

Impact on you

CVE-2015-2545 has been with us since September 2015, and Microsoft released a fix in update MS15-099, also in September. That's the good news. The bad news is that the vulnerability affects the following Microsoft Office versions:

- 2007 SP3
- 2010 SP2
- 2013 SP1 and 2013 RT SP1
- 2016

In other words, there could be a lot of potentially vulnerable software running in your network. For those of you who have deployed MS15-099, you get a gold star. Well done!
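Because the exploits above all ride on an EPS object embedded in an Office document, a cheap triage check at a mail gateway or on a file share is to look inside the document for EPS content, regardless of what the part is named. The script below is an added example, not code from the AlienVault post or from Kaspersky's report. It relies only on two facts: modern Office files (.docx/.xlsx/.pptx) are ZIP containers, and EPS parts start either with the PostScript comment `%!PS-Adobe` or with the 4-byte DOS EPS binary header `C5 D0 D3 C6`. The sample document it scans is constructed in memory for the demonstration.

```python
"""Flag Office (OOXML) documents that carry embedded EPS objects.

Added example for triaging documents in the CVE-2015-2545 context: opens the
ZIP container, reads the head of every part, and reports parts whose bytes
identify them as EPS/PostScript. Extensions are not trusted; content is.
"""
import io
import zipfile

# PostScript/EPS text files begin with this comment line. A DOS-style EPS
# instead starts with a 4-byte binary header followed by section offsets.
PS_MAGIC = b"%!PS-Adobe"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"


def looks_like_eps(data: bytes) -> bool:
    """Return True if the leading bytes identify the part as EPS/PostScript."""
    head = data[:32].lstrip()
    return head.startswith(PS_MAGIC) or data.startswith(DOS_EPS_MAGIC)


def find_embedded_eps(doc_bytes: bytes) -> list:
    """Return the names of all ZIP parts in an OOXML document that are EPS.

    Returns an empty list for a document with no EPS parts. Raises
    zipfile.BadZipFile if the input is not a ZIP container at all (e.g. a
    legacy binary .doc); callers should treat that as "not checked", not "clean".
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The first KiB is enough for the header check and bounds the
            # cost on large embedded media.
            with zf.open(info) as part:
                if looks_like_eps(part.read(1024)):
                    hits.append(info.filename)
    return hits


def build_sample_docx(with_eps: bool) -> bytes:
    """Construct a minimal .docx-shaped ZIP (not a valid Word file) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_eps:
            # Innocuous-looking name; the content is what gives it away.
            zf.writestr("word/media/image1.png",
                        b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("suspicious", build_sample_docx(True))):
        print(label, find_embedded_eps(doc))
```

Two caveats a practitioner should keep in mind: the check finds any embedded EPS, benign or malicious, so it is a triage signal rather than a verdict on whether the object is the malformed one the exploit uses; and it covers only the OOXML container, not EPS carried inside legacy OLE (.doc/.xls) files or RTF, which need a different parser.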
For those of you who haven't, your systems are at risk, especially those in government agencies in India, or targeted agencies in other countries like the Philippines, Myanmar and Nepal.

How AlienVault Helps

The AlienVault Labs team performs the threat research that most IT teams simply don't have the expertise, time, budget, or tools to do themselves: what the latest threats are, and how to detect and respond to them. The Labs team regularly updates the rulesets that drive the threat detection, prioritization, and response capabilities of the AlienVault Unified Security Management (USM)

Published 2016-06-10. Source: http://feeds.feedblitz.com/~/157832984/0/alienvault-blogs~Danti%e2%80%99s-APT-Inferno (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2668).

Digital Convergence and Cybersecurity

@ChuckDBrooks and on

Published 2016-06-09. Source: http://feeds.feedblitz.com/~/157672818/0/alienvault-blogs~Digital-Convergence-and-Cybersecurity (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2614).

Turns Out, You Can't Be Too Paranoid

Minerva Security, which shares over 70 years of experience in the commercial physical security and fire safety industry.

Security is on everyone's minds these days. Fear of break-ins, disgruntled employees, and terrorism is the order of the day. So, the question is, how do we protect ourselves? We could go around with a ninja assassin as a bodyguard; however, that is impractical for a number of reasons. In this blog, I am going to share with you how you can protect yourself by building the "Ultimate Security System".
I will then scale it back a bit and show you what you can do more realistically with technology purchased online.

Of course, if we are building the "Ultimate Security System", we also need to protect the airspace surrounding our business from any potential threats. A radar net would complete the picture, preventing penetration by air, along with seismic sensors to detect tunneling activity.

The Ultimate Security System Transforms Your Business Into Fort Knox

When building your security system, it is critical to keep central computers, data storage and anything vital to the running of your security system at the center, or the "Keep". Executives are usually also found here with their protective service details. Access should be controlled via biometric scanners on the elevators, and the height of their location will be dictated by how high the fire engine companies' ladders will reach. The data, command, and control centers are usually underground and may be many stories beneath the earth to protect against EMP. This is further enhanced by electromagnetic shielding in the walls.
Other components of the Ultimate Security System:

- The floors, doors, and corridors have cameras, motion detectors and heat detectors for after-hours protection.
- Pressure-sensitive flooring protects vital access points, and mantrap double-locked doorways isolate individuals until they have been granted access.
- Further out are the grounds, which have sensors placed at all approaches and cameras and floodlights that leave no area unwatched.
- A double interior fence provides a runway for security dogs and their handlers to patrol.
- The twin fences are covered with capacitance detectors and motion sensors and may even be electrified.
- A perimeter wall and observation towers, with infrared and night-vision-equipped cameras and personnel with night vision gear, monitor the exterior grounds.
- Further out is additional fencing topped with barbed wire, plus sensors and more cameras.
- Warning signs are posted and roving patrols of armed security randomly sweep the area.
- Cameras, floodlights, and movable spotlights surround the facility.
- In the air above, drones patrol in random patterns and even helicopters buzz the area to investigate intrusions.

Security in some instances could also be beefed up with lethal force hardware in the form of automatic machine guns similar to the ones you saw in the movies Alien and Congo. These sentry guns never sleep and are used by the US military to protect sensitive facilities.

As you can see, this type of security system could run into the millions of dollars, depending on the size of the area you want secured. The upkeep alone would also require a significant outlay of cash.

The human element is the weak link in such a system. Constant vigilance over those who run the system is a necessity as well, as they could compromise it all.
The Snowden affair highlighted this weakness, as the NSA has similar security arrangements to those we have j

Published 2016-06-08. Source: http://feeds.feedblitz.com/~/157533847/0/alienvault-blogs~Turns-Out-You-Cant-Be-Too-Paranoid (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2547).

Bank of Marin Gains Detailed Visibility into their Network with AlienVault USM

AlienVault's Unified Security Management (USM) platform. When he did, he realized that USM includes HIDS plus much more than he expected.

"When I first looked at the offering, I was surprised to see that it is actually five products in one. I was very pleased to discover that, in addition to intrusion detection, AlienVault USM also includes asset discovery, vulnerability assessment, behavioral monitoring, and SIEM," said Jeff.

After speaking with a few AlienVault account reps and exhaustively researching competitive security products, the Bank of Marin team decided to move ahead with implementing USM, confident that it was a cost-effective solution that would meet their HIDS needs and also provide many additional capabilities.

When Bank of Marin acquired USM they also purchased the five-day AlienVault beginner's training course. Jeff found this training to be a huge help in jump-starting the installation of the product and allowing him to take advantage of its features immediately.

"The course helped me better understand all that USM has to offer. With the training, I've been able to easily use a few of the tools that are available. However, eventually I'd like to go more in-depth with training on how to correlate the events and alarms.
I think I'll continue to evolve with the product but it will just take time," said Jeff.

Since purchasing AlienVault USM and incorporating it into his existing security system, Jeff says that he has successfully increased visibility into his network and also addressed Bank of Marin's missing HIDS security layer.

"I'm really pleased that USM allows me to have greater visibility into my network. 99 percent of the time the threat alerts it generates are false positives, which is as it should be, and that is fantastic. It's been a great tool to help us identify anomalies and overall it aids my understanding of what is going on in the enterprise network at Bank of Marin, which is exactly what I was looking for in this product," said Jeff.

When researching anomalies at Bank of Marin, Jeff relies on AlienVault's global open threat intelligence sharing community, the Open Threat Exchange (OTX). He said that although he hasn't found too many malicious events yet, the information that OTX provides about USM alerts is very useful.

"The information in OTX helps me to effectively prioritize threats from high to low. That in turn allows me to spend more time analyzing events that are deemed higher priority. It's also educating me about what kind of threats security professionals are observing around the world.
Many of th

Published 2016-06-07. Source: http://feeds.feedblitz.com/~/157379226/0/alienvault-blogs~Bank-of-Marin-Gains-Detailed-Visibility-into-their-Network-with-AlienVault-USM (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2500).

Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 15: Controlled Access Based on the Need to Know

Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
Part 3 - we looked at Secure Configurations.
Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
Part 5 - we looked at Malware Defenses.
Part 6 - we looked at Application Security.
Part 7 - we looked at Wireless Access Control.
Part 8/9 - we looked at Data Recovery and Security Training.
Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches, and Limitation and Control of Network Ports, Protocols and Services.
Part 12 - we looked at Controlled Use of Administrative Privileges.
Part 13 - we looked at Boundary Defense.
Part 14 - we looked at Maintenance, Monitoring and Analysis of Audit Logs.

Now we are taking on Controlled Access Based on the Need to Know.

15-1 - Locate any sensitive information on separated VLANs with firewall filtering.
All communication of sensitive information over less-trusted networks should be encrypted.

Free Tools
Know of any?

Commercial Tools
Varonis - Shows where in file systems sensitiv

Published 2016-06-02. Source: http://feeds.feedblitz.com/~/156720653/0/alienvault-blogs~Free-and-Commercial-Tools-to-Implement-the-Center-for-Internet-Security-CIS-Security-Controls-Part-Controlled-Access-Based-on-the-Need-to-Know (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2334).

AlienVault USM Helps Community Bank Secure its Assets and Pass FDIC Audit

AlienVault Unified Security Management (USM).

In 2015 Patrick Collins, AVP IT/ISO, became one half of the Bank of New Glarus' two-man IT team when he was hired as the lead IT manager. After he started, one of his first responsibilities was to find and implement an intrusion detection tool that would help the Bank of New Glarus pass an impending Federal Deposit Insurance Corporation (FDIC) compliance audit.

"Interestingly, the auditor's strongest statement to us was that cybersecurity would be the number one area they were going to focus on to make sure we were in compliance with the regulations. They notified us in advance that we'd be graded on quite a few items we weren't quite prepared for at the time," said Collins.

With less than four months to prepare for the audit, Collins began his search for security software that would help him achieve FDIC compliance. During his search, he considered GFI LanGuard as well as SolarWinds Log & Event Manager (LEM). However, after evaluating both, Collins determined that GFI's solution was not a strong enough offering, while SolarWinds' product lacked some important features such as NetFlow analysis.

During his research of SolarWinds, Collins found a review comparing SolarWinds LEM to AlienVault's USM platform.
From the article, Collins felt that AlienVault offered all the features included in SolarWinds LEM, but at a more reasonable price. After a few phone conversations and a demo with AlienVault, Collins decided that the product would be a perfect fit for the bank's requirements.

"After seeing AlienVault USM, I felt that it provided all the functionality we needed to help us prepare for and pass the upcoming audit. I also felt comfortable that the product's capabilities would help us detect and respond to future cyber-attacks," said Collins.

In March of 2015, it was time for the Bank of New Glarus' compliance audit. Collins had to show the auditors how he was leveraging the AlienVault USM platform to scan their systems for vulnerabilities, act on all the reports that came through, and track the intrusion alerts that were flowing through the OEM devices.

"We had to prove to the auditors that we were tracking the traffic coming in and out and monitoring for denial-of-service attacks. We also had to prove that we had rules in place that were customized. Nearly all of the information that we provided to them was obtained using AlienVault technology," said Collins.

After reviewing the Bank of New Glarus' environment, Collins said the FDIC auditors were most impressed by the way AlienVault USM combines network data with log information to generate alerts. They were also enthralled with the number of reports AlienVault provides, along with the ability to create custom reports. "I actually think they were overwhelmed by all the reports that were provided for them," said Collins. After a week of waiting, the audit report came back and the Bank of New Glarus was informed they had passed the compliance audit with flying colors.

In addition to helping organizations like the Bank of New Glarus meet FDIC compliance, AlienVault USM provides hundreds of built-in compliance reports for managing PCI-DSS, ISO, SOX, HIPAA, GLBA, NERC CIP and GPG13 programs.
These reports are automatically up

Published 2016-06-01. Source: http://feeds.feedblitz.com/~/156563768/0/alienvault-blogs~AlienVault-USM-Helps-Community-Bank-Secure-its-Assets-and-Pass-FDIC-Audit (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2287).

9 Key Big Data Security Issues

What is big data, anyway?

If you haven't been living in a cave the last five years, you have no doubt run across the phrase "big data" as an IT hot topic. But like so many other terms ("cloud" comes to mind), basic definitions, much less useful discussions of big data security issues, are often missing from the media accounts. So let's begin with some context.

What makes data big, fundamentally, is that we have far more opportunities to collect it, from far more sources, than ever before. Think of all the billions of devices that are now Internet-capable, smartphones and Internet of Things sensors being only two instances. Now think of all the big data security issues that could generate!

"Big data" emerges from this incredible escalation in the number of IP-equipped endpoints. It is really just the term for all the available data in a given area that a business collects with the goal of finding hidden patterns or trends within it. These, once revealed by analytics tools, can be leveraged to yield an improved outcome down the road (higher customer satisfaction, faster service delivery, more revenue, and so forth).

The flip side of that coin is that the architecture used to store big data also represents a shiny new target for criminal activity and malware, and a new source of big data security issues. Should something happen to such a key business resource, the consequences could be devastating for the organization that gathered it.

Unfortunately, many of the tools associated with big data and smart analytics are open source.
Oftentimes they are not designed with security in mind as a primary function, leading to yet more big data security issues.

The nine key big data security issues

So, with that in mind, here's a shortlist of some of the obvious big data security issues (or available tech) that should be considered.

1. Distributed frameworks. Most big data implementations distribute huge processing jobs across many systems for faster analysis. Hadoop is a well-known instance of the open source tech involved, and originally had no security of any sort. Distributed processing may mean less data processed by any one system, but it means a lot more systems where security issues can crop up.

2. Non-relational data stores. Think NoSQL databases, which by themselves usually lack security (which is instead provided, sort of, via middleware).

3. Storage. In a big data architecture the data is usually stored on multiple tiers, depending on business needs for performance vs. cost. For instance, high-priority "hot" data will usually be stored on flash media. So locking down storage will mean creating a tier-conscious strategy.

4. Endpoints. Security solutions that draw logs from endpoints will need to validate the authenticity of those endpoints, or the analysis isn't going to do much good.

5. Real-time security/compliance tools. These generate a tremendous amount of information; the key is finding a way to ignore the false positives, so human talent can be focused on the true breaches.

6. Data mining solutions. These are the heart of many big data environments; they find the patterns that suggest business strategies. For that very reason, it's particularly important to ensure they're secured against not just external threats but insiders who abuse network privileges to obtain sensitive information, adding yet another layer of big data security issues.

7. Access controls.
Just as with enterprise IT as a whole, it's critically important to provide a system in which encrypted authentication/validation verifies that users are who they say they are, and determine who ca

Published 2016-05-31. Source: http://feeds.feedblitz.com/~/156450525/0/alienvault-blogs~Key-Big-Data-Security-Issues (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2224).

How Attackers Use a Flash Exploit to Distribute Crimeware and Other Malware

1 billion systems worldwide. Its long list of security vulnerabilities and huge market presence make it a "target-rich environment" for attackers to exploit. According to Recorded Future, from January 1, 2015 to September 30, 2015, Adobe Flash Player accounted for eight of the top 10 vulnerabilities leveraged by exploit kits.

Here is an illustration of just how quickly bad actors can deploy an exploit:

- May 8, 2016: FireEye discovers a new exploit targeting an unknown vulnerability in Flash and reports it to Adobe.
- May 10, 2016: Adobe announces a new critical vulnerability (CVE-2016-4117) that affects Windows, Macintosh, Linux, and Chrome OS.
- May 12, 2016: Adobe issues a patch for the new vulnerability (APSB16-15).
- May 25, 2016: Malwarebytes Labs documents a "malvertising" gang using this exploit to compromise systems, distributing malware through well-known websites while avoiding detection.

The Malwarebytes blog is a good read, as it provides several examples of how sophisticated malware distribution schemes have become. For example, it breaks down the malicious elements of a rogue advertising banner that the Flash exploit allows attackers to use to push out malware.
Among other things, it runs a series of checks to see whether the targeted system is running packet analyzers or security technology, to ensure that it only directs genuinely vulnerable systems to the Angler Exploit Kit.

"The 'dirty' version of an ad banner showing its real intent" (Source: Malwarebytes)

Impact on you

With over 1 billion systems running Adobe Flash, it is likely that one or more systems under your control are vulnerable to this exploit. Fortunately, there is a fix that patches the vulnerability. Unfortunately, according to Adobe, it takes six weeks for more than 400 million systems to update to a new version of Flash Player. Six weeks (or however long it takes you to patch Flash) is a long time to be at risk of being compromised by ransomware via the Angler EK.

How AlienVault Helps

The AlienVault Labs team performs the threat research that most IT teams simply don't have the expertise, time, budget, or tools to do themselves: what the latest threats are, and how to detect and respond to them. The Labs team regularly updates the rulesets that drive the threat detection, prioritization, and response capabilities of the AlienVault Unified Security Management (USM) platform, to keep you up to date with new and evolving threats.

The AlienVault Labs

Published 2016-05-27. Source: http://feeds.feedblitz.com/~/155992822/0/alienvault-blogs~How-Attackers-Use-a-Flash-Exploit-to-Distribute-Crimeware-and-Other-Malware (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2137).

Antivirus or Host IDS, Your Last Line of Defense

AlienVault USM HIDS:

- Log analysis based intrusion detection
- File integrity checking
- Registry key integrity checking (Windows)
- Signature based malware/rootkit detection
- Real-time alerting and active response

You can learn more about HIDS by watching this webinar or test drive AlienVault USM with our free trial.
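File integrity checking, the second HIDS capability listed above, comes down to two steps: record a cryptographic digest of every file you care about while the host is known-good, then re-hash later and diff. The script below is an added example of that baseline-and-compare loop, not AlienVault's HIDS code. It compares SHA-256 and size rather than modification times, because an attacker who replaces a binary can trivially restore its timestamp. The directory tree it baselines and then tampers with is constructed in a temporary directory for the demonstration.

```python
"""Baseline-and-compare file integrity check (the core of HIDS FIM).

Added example: walks a directory tree, records (size, SHA-256) per file, and
diffs two baselines into added / removed / modified paths.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256 hex)


def hash_file(path: str) -> str:
    """Return the SHA-256 hex digest, reading in chunks to handle large files."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Record (size, digest) for every regular file under root, keyed by the
    path relative to root so the baseline is portable across mount points."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target, not the link, is what matters
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Diff two baselines. A file is 'modified' if size or digest differs."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Create a small tree, baseline it, simulate tampering, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        seed = (("bin/ls", b"original ls binary"),
                ("bin/cat", b"cat binary"),
                ("etc_passwd", b"root:x:0:0::/root:/bin/sh\n"))
        for rel, body in seed:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        before = build_baseline(root)

        # Simulated tampering: a trojaned binary of identical size (only the
        # digest catches it), an appended account, a dropped file, a deletion.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"trojaned ls binary")
        with open(os.path.join(root, "etc_passwd"), "ab") as f:
            f.write(b"hacker:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "bin/.rootkit"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(root, "bin/cat"))

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for state, paths in demo().items():
        print(f"{state:9s} {paths}")
```

The baseline is only as trustworthy as where it is kept: store it off the monitored host (or at least signed and read-only), otherwise the same attacker who replaces the binary simply re-baselines it. A real agent also excludes paths that are expected to change (logs, spool directories) so the "modified" list stays actionable.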
Published 2016-05-26. Source: http://feeds.feedblitz.com/~/155841668/0/alienvault-blogs~Antivirus-or-Host-IDS-Your-Last-Line-of-Defense (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2081).

IoT: When Will Cyber Security Testing be Mandated?

short videos painting a humorous picture of a connected world, including a fraught parent turning off the iron remotely whilst driving away for a long weekend.

Would you put such trust in this system? I am not so sure, and I certainly wouldn't know how my insurance company would respond to a claim for a burnt-down house caused by an iron or cooker being turned on remotely by a hacker. There are already reports of the Nest smart thermostat turning the heating on at odd times of the day and night, but at least the worst this could lead to is an impromptu home sauna and an outrageous energy bill.

Or imagine the following scenario, where a series of actions is triggered as a result of a potential intrusion. What happens if the intruder is actually your son arriving home late after a party?

Whichever way you think about home automation, one thing that is certain is that it is rapidly becoming mainstream. A Google search for "Connected Home" reveals well-known retailers such as Best Buy and John Lewis at the top of the list, now advertising and selling a wide range of home automation devices. In fact, they have a fast-growing set of connected products, which I imagine are confusing to many people.

Less than a year ago the market was a very different place, when home automation was more for early adopters and only available in hobbyist and electronics stores.
Now it is targeting all types of users, especially those who might struggle to change a plug, never mind configure and manage a collection of automated home devices.

This raises some serious concerns about the security of connected homes, and whether or not manufacturers are considering cyber security with the same degree of concern that they give physical security. For example, we all trust that our clothes dryer will not burst into flames, despite the high temperature the clothes are subjected to. This allows us to leave the dryer on whilst we are away from home, and even program it to come on late at night when electricity is cheaper.

One of the reasons why our everyday applian

Published 2016-05-25. Source: http://feeds.feedblitz.com/~/155692998/0/alienvault-blogs~IoT-When-Will-Cyber-Security-Testing-be-Mandated (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2032).

Watering Hole Attacks ("Aguaderos"): Detecting Infected Users Before It Is Too Late

According to Víctor, attackers are opportunistic and take advantage of the simple mistakes that human beings tend to make. Watering hole attacks are interesting in that they can be very stealthy by nature and can unfold over a long period of time. They involve compromising an existing trusted site or creating a site that looks legitimate; even a misspelling meant to catch a few trusting users can be the mechanism used in these attacks, for example amricanexpress.com. The attackers then wait for a victim to visit the site, either by responding to a phishing email or by mistyping a valid URL, as in the example above.

Question: How are watering hole attacks created?
Answer: This is a slide we use to explain the process:

Question: Can you give me a scenario of how this might work?
Answer: Of course.
To begin with, these attacks can be very difficult to detect because they can look very much like legitimate activity.

In many cases, these attacks have victims on both sides. The first victim is the owner of the compromised website used for the watering hole attack. The second victim is the attacker's real target; in this case, anyone who has a legitimate need to access the aforementioned site.

To illustrate this a little more, let's say a particular attacker has a well-known automobile manufacturer in its sights and is looking for ways to infiltrate that organization. Enter Bob. Bob has a small manufacturing company that produces nuts and bolts for the automotive industry. He has created a website for his customers where they can get information on production status and details about the parts Bob manufactures.

This small business has come to the attacker's attention because of the level of interaction its victim (the automobile manufacturer) has with the site. In addition, like many small businesses, Bob may not have a strong security practice and/or the in-house expertise to implement adequate security controls. Bob might say, "I'm just making nuts and bolts," and has not prioritized the security of his environment.
For the attacker, compromising a site of this kind can be a simple task, and poor Bob will not even notice what is happening. The attacker finds a way to inject JavaScript into Bob's website that redirects his victims to another site that looks very simila

(Published 2016-05-24T13:00:00+00:00; source: http://feeds.feedblitz.com/~/155564811/0/alienvault-blogs~Ataques-de-%e2%80%9cWatering-Hole%e2%80%9d-o-%e2%80%9cAguaderos%e2%80%9d-Detectando-usuarios-infectados-antes-de-que-sea-muy-tarde; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1980)

AlienVault Blog: Web Application Security: Methods and Best Practices

This site maintains a top ten list of web application security vulnerabilities, and it is clear at a glance that attackers have found a wide variety of security shortfalls:

- Code injection: attackers find ways to insert malicious executable code (SQL, OS commands, LDAP queries) into legitimate traffic sent to an endpoint
- Broken authentication and session management: compromising user identities in a variety of ways
- Cross-site scripting: similar to code injection, but the injected content is script that the application reflects or stores and other users' browsers then execute
- Insecure direct object references: obtaining access to a file or record when it isn't actually authorized
- Security misconfiguration: a failure of the administrator, sometimes as simple as leaving passwords at their defaults
- Sensitive data exposure: failure to shield data in proportion to its business value or customer sensitivity
- Missing function level access control: failure to verify that functions are actually limited by access rights
- Cross-site request forgery: compromising an unexpected web application by leveraging the victim's already-validated authentication
- Components with known vulnerabilities: a vulnerable element, such as a Java class, hasn't been patched
- Unvalidated redirects and forwards: sending web users to unexpected sites that serve the attacker's interests

From this list, we can ferret out a few underlying patterns in web
application security. Many vulnerabilities, quite simply, are the consequence of careless programming in which exceptions, boundaries, credentials, and the like were not considered adequately. Sometimes administration issues, a failure to configure or update components properly, are at fault. Certain programming languages (C and C++, I'm looking at you) are designed in such a way as to be inherently harder to secure. A secure web application also requires a secure operational context (host servers, middleware, and so on), and that is not always in place.

Moving toward improved web application security

So what do security professionals recommend to deal with this already dizzying and still growing array of web application security vulnerabilities? Fortunately, there are many different web application security techniques. For organizations that roll their own web applications, it is particularly important to dig into the root causes: how and why vulnerabilities inadvertently get baked into the applications in the first place.

Secure coding practices are certainly a logical first step, and this is an area that has been studied extensively for decades, so there is no shortage of expert insight for improving web application security. Threat modeling, for instance, can be used to identify clearly what the app is meant to do, how it goes about that, and therefore where vulnerabilities are likely to exist. Risk analysis empowers development teams not just to identify probable risks but, in some cases, to quantify the odds that they will manifest and to describe the possible outcomes if they do. Static analysis examines the code without executing it, looking for shortfalls in data handling or algorithmic logic before they get a chance to manifest in a production build.
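Two of the top-ten items above, code injection and unvalidated redirects, as an added example (not code from the original article): each is shown in its vulnerable form beside a hardened form, which is the kind of defect static analysis and secure-coding review are meant to catch. The user table, the accounts, the allow-list of redirect hosts and the attacker's payload are all constructed for the demo; the database is in-memory SQLite so it runs offline.

```python
# Added example, not code from the original article: two of the listed
# weaknesses shown as the vulnerable form beside a hardened form.
# The table, accounts, allow-list and attacker payload are constructed
# for the demo; the database is in-memory SQLite so it runs offline.
import sqlite3
from urllib.parse import urlparse


def make_db() -> sqlite3.Connection:
    """Constructed sample data; no real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hunter2", "admin"), ("bob", "nutsandbolts", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Code injection: user input is spliced into the SQL text, so a crafted
    password rewrites the WHERE clause instead of being compared as data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Parameterised query: the driver binds the values; they never become SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


# Assumed allow-list of hosts this application may redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Unvalidated-redirect fix: accept only site-relative paths or absolute
    URLs whose host is on the allow-list; everything else goes to `default`.
    Protocol-relative (//host) and backslash tricks are rejected explicitly."""
    parts = urlparse(url)
    is_relative = (parts.scheme == "" and parts.netloc == ""
                   and url.startswith("/") and not url.startswith("//")
                   and "\\" not in url)
    if is_relative:
        return url
    host = (parts.hostname or "").lower()   # strips port and user@ prefix
    if parts.scheme in ("http", "https") and host in ALLOWED_HOSTS:
        return url
    return default


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", payload))   # both rows
    print("hardened:  ", login_hardened(db, "alice", payload))     # []
    print("redirect:  ", safe_redirect_target("//evil.example.net/"))  # "/"
```

The vulnerable query turns `x' OR '1'='1` into `... AND pw = 'x' OR '1'='1'`, which is true for every row; the parameterised version compares the same string as an opaque value and returns nothing. The redirect check uses `hostname` rather than `netloc` so that `https://www.example.com@evil.net/` resolves to `evil.net` and is refused.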
Obviously, the basic choice of programming language and development environment can go a long way toward improving security! Web app

(Published 2016-05-23T13:00:00+00:00; source: http://feeds.feedblitz.com/~/155414840/0/alienvault-blogs~Web-Application-Security-Methods-and-Best-Practices; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1929)

AlienVault Blog: Infy Malware – Almost 10 years of Espionage; One Family of Malware

Infy is a malware family identified by our friends at Palo Alto Networks' threat research center as having been around since 2007 or earlier. PAN's team has documented 40+ variants of this previously unpublished malware family, which it christened "Infy".

Malware, a broad term for software written specifically to ruin your day, is an unwelcome aspect of the internet bathwater we all share. In the case of Infy, the threat arrives via an email with an attachment that carries a self-extracting executable archive (SFX) inside an MS Word or PowerPoint file. Infy appears to be purpose-built to conduct espionage against specific government organizations and citizens, and not to be part of a broader campaign. Infy tricks users into running the SFX by posing as a legitimate attachment. Once installed, Infy phones home to its command and control server and then starts harvesting data, including running a keylogger that captures everything the victim types, such as login credentials, and exfiltrating it.

Impact on you

Malware like Infy can stay undetected for years because of its specialized purpose and limited targets, which means less exposure to threat detection technologies and researchers. Malware that uses a keylogger can lead to the compromise of any system or application protected by static credentials, since it enables the attacker to impersonate a legitimate user regardless of where the data resides.
And, as users update their credentials or are granted access to new applications or systems, the keylogger keeps collecting those credentials and exfiltrating them.

How AlienVault Helps

The AlienVault Labs threat research team performs the threat research that most IT teams simply don't have the expertise, time, budget, or tools to do themselves. AlienVault Labs Threat Intelligence drives the USM platform's threat detection and prioritization capabilities by identifying the latest threats and researching how to detect and respond to them. And the integration between our Open Threat Exchange (OTX) and your USM deployment means that you get alerted whenever indicators of compromise (IOCs) being discussed in OTX are present in your network. The result is that USM customers are up to date on the latest threat vectors, attacker techniques, and defenses. AlienVault Labs regularly updates the USM platform rule sets, eliminating the need for you to spend precious time conducting your own research on emerging threats, or on alarms triggered by your security tools.

New Detection Technique - Infy

Infy is a trojan that is spread using a spear-phishing email carrying a Word or PowerPoint document. The attached document contains a multi-layer self-extracting executable archive (SFX), together with content that attempts to socially engineer the recipient into activating the executable. We have added new IDS signatures and correlation rules to detect this activity:

System Compromise, Trojan infection, Infy

These updates are included in the latest AlienVault Threat Intelligence update, available now for USM users.
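The delivery trick described above, an executable SFX archive riding inside what claims to be a Word or PowerPoint attachment, can be caught at the mail gateway before any IDS signature is needed. The following is an added example (not code from the original post or from Palo Alto Networks' research) of a content-versus-extension check: it compares an attachment's declared type against the container's magic bytes and, for OOXML files (which are zip archives), looks inside for embedded programs. Every sample attachment is constructed in memory; the byte strings are not Infy's real payload.

```python
# Added example, not from the original post or from Palo Alto Networks'
# research: a mail-gateway style check for the delivery trick described
# above, an executable self-extracting archive posing as a Word or
# PowerPoint attachment. The sample attachments are constructed in memory.
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.pptx container
PE_MAGIC = b"MZ"                                 # Windows executable (SFX archives are PEs)
OFFICE_EXT = {"doc", "ppt", "docx", "pptx"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "dll"}


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; empty means nothing suspicious."""
    findings = []
    ext = _ext(filename)
    if ext in EXEC_EXT:
        findings.append(f"executable attachment extension .{ext}")
    if ext in OFFICE_EXT and data.startswith(PE_MAGIC):
        findings.append("executable content behind an Office extension")
    if ext in {"doc", "ppt"} and not data.startswith(OLE_MAGIC) and not data.startswith(PE_MAGIC):
        findings.append("legacy Office extension without OLE header")
    if data.startswith(ZIP_MAGIC):
        # OOXML is a zip; look inside for an embedded program.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in EXEC_EXT or zf.read(member).startswith(PE_MAGIC):
                        findings.append(f"embedded executable: {member}")
        except zipfile.BadZipFile:
            findings.append("zip header but unreadable archive")
    return findings


def build_samples() -> dict:
    """Constructed attachments: a benign .docx, an SFX renamed to .doc, and a
    .pptx carrying an embedded .exe (OOXML is a zip, so zipfile builds it)."""
    def ooxml(extra=None):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if extra:
                zf.writestr(extra[0], extra[1])
        return buf.getvalue()

    fake_sfx = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
    return {
        "quarterly.docx": ooxml(),
        "invoice.doc": fake_sfx,
        "agenda.pptx": ooxml(("ppt/embeddings/update.exe", b"MZ" + b"\x00" * 32)),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, inspect_attachment(name, blob) or "clean")
```

The check is deliberately independent of the specific family: any PE behind an Office extension, any legacy Office file without its OLE header, and any program inside an OOXML zip is flagged, so renamed SFX droppers are caught whether or not a signature for their contents exists yet.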
Visit the 

(Published 2016-05-19T13:00:00+00:00; source: http://feeds.feedblitz.com/~/154872492/0/alienvault-blogs~Infy-Malware-%e2%80%93-Almost-years-of-Espionage-One-Family-of-Malware; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1788)

AlienVault Blog: The Community of Extra-ordinary Aliens

Increasingly, the term "community" has been diluted further by its inclusion in the corporate jargon lexicon. Many companies have come to use it interchangeably with "people who use our stuff". Personally speaking, I'm not sure I like that.

While our users and customers are the most important people in our world, many of them don't consider themselves to be part of an "AlienVault community". They see themselves as users and customers. We respect that.

With that being said, I do think communities can organically spring up around technology products and companies. I generally define "community" in this context to mean the users who go above and beyond to engage with a product or service. When this happens, it's a beautiful thing. These users will go to events organized or sponsored by the community. They will attend meetups. They will attend talks given by the company's employees. They'll engage with the company on social media. Essentially, they do more than the minimum to use a product or service.

By engaging with us and offering feedback on our products, they help us improve them. Indeed, the AlienVault Open Threat Exchange (OTX) depends on community contribution to build its impressive threat intelligence library.

One of the most productive ways in which we interact with our community is through our forums and social media. In the past, we've run a number of successful Twitter Q&As which attracted a range of diverse and enlightening responses. Of course, community shouldn't be a one-way street, and it isn't.
At AlienVault, we try to reciprocate by providing not only free products such as OSSIM and the aforementioned OTX, but also knowledge-sharing via webinars, whitepapers, and ebooks. We also offer our blog as a platform to experts within the community, through which guest posts are shared. Our experts and community managers frequently attend conferences, where they share what we've learned recently and what we've been working on.

To help and encourage our community to participate and partake more, we're excited to announce some major improvements to our forum. At AlienVault, our community is one of our most valued assets. We believe that when we work together, we all benefit. And we do. Today we launched some major improvements to the forum to help encourage and reward users for their contributio

(Published 2016-05-17T13:00:00+00:00; source: http://feeds.feedblitz.com/~/154562475/0/alienvault-blogs~The-Community-of-Extraordinary-Aliens; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1695)

AlienVault Blog: File Integrity Monitoring with Microsoft Group Policy and AlienVault USM

These instructions assume you have a working AlienVault USM setup and the HIDS agent deployed to the audited server.

Step 1: Preparing group policy for file auditing

In order to track file system changes on a Microsoft Active Directory domain, you must first set group policy to record file system changes. In the following examples we use the Default Domain Controllers Policy, as we are tracking changes on a domain controller.
Your actual policy may differ, depending on your particular domain configuration.

First, from Server Manager, open Group Policy Management and expand the domain to select the policy you wish to edit. Right-click the policy and choose Edit.

The first thing we need to change is the option that lets the more granular advanced audit policy settings take effect instead of the general categories that are enabled by default (the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", under Security Settings > Local Policies > Security Options).

Then, further down in the security settings, locate "Advanced Audit Policy Configuration" and expand it. We are primarily concerned with object access auditing in this exercise, but you will need to make sure the other policies, such as account lockout, are correct for your organization. Remember, these advanced policies now take precedence over the legacy categories.

See the settings in the screenshot. The highlighted setting, Audit File System under Object Access, is the critical item for our integrity monitoring: it is the subcategory that produces the file access events the HIDS agent will forward.

Now that the policy is set, close the editor and verify that the Group Policy you just edited is enforced and applied to the domain per your particular configuration.

Step 2: Folder Preparation

In order for the policy to be effective, you need to enable auditing on the directories you want to monitor. You may be tempted to enable auditing on the entire filesystem and let it inherit throughout, and you could, but this will be extremely detrimental to the operation of the server, generating hundreds or thousands of events per minute. It is also worth considering how often you expect changes to the folder(s) you are auditing, since frequently changing folders get noisy quickly.

The following screenshots show how to enable auditing on a particular folder: right-click the folder and choose "Properties", then the "Security" tab. Click "Advanced", then the "Auditing" tab. By default the "Auditing entries" section will be blank.
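For comparison with the audit-event approach above, here is an added example (not code from the original post) of the other common file integrity monitoring mechanism: a hash baseline. It polls and hashes a directory tree rather than receiving object-access events from Windows, but it produces the same kind of change report that a FIM alert carries (added, removed, modified), and it shows the "leave the noisy folders out" advice from the post as an exclusion list. The directory tree, file names and contents are constructed in a temporary directory that the script creates and removes itself.

```python
# Added example, not from the original post: a hash-baseline file integrity
# monitor. It is a different mechanism from the Windows object-access auditing
# configured above (it polls and hashes the tree instead of receiving audit
# events from the OS), but it produces the same kind of change report a FIM
# alert carries. It builds a throw-away directory tree for the demo.
import hashlib
import os
import tempfile


def snapshot(root: str, skip_dirs: tuple = ("logs", "temp")) -> dict:
    """Map each file (path relative to root, '/'-separated) to its SHA-256.
    Directories named in skip_dirs are left out, the equivalent of not
    auditing the noisy folders the post warns about."""
    baseline = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in skip_dirs]
        for fn in files:
            path = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = h.hexdigest()
    return baseline


def diff(baseline: dict, current: dict) -> dict:
    """Classify changes the way a FIM alert would: added, removed, modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, body: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)


def demo() -> dict:
    """Build a small tree, take a baseline, make one change of each kind
    plus a change in an excluded folder, and report what the monitor sees."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "conf/app.ini", b"debug=0\n")
        _write(root, "conf/keys.pem", b"---KEY---\n")
        _write(root, "readme.txt", b"hi\n")
        _write(root, "logs/app.log", b"start\n")
        baseline = snapshot(root)
        _write(root, "conf/app.ini", b"debug=1\n")         # modified
        os.remove(os.path.join(root, "conf", "keys.pem"))  # removed
        _write(root, "conf/backdoor.ini", b"x\n")          # added
        _write(root, "logs/app.log", b"start\nmore\n")     # noise, excluded
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A polling monitor like this only sees the end state between two runs, so it cannot tell you which account made the change; that is exactly what the Windows object-access events carry and why the post configures them for the HIDS agent.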
Select "Edit". Select "Add", choose the AD group(s) whose access you wish to audit, and click OK. You will then get

(Published 2016-05-16T13:00:00+00:00; source: http://feeds.feedblitz.com/~/154436702/0/alienvault-blogs~File-Integrity-Monitoring-with-Microsoft-Group-Policy-and-AlienVault-USM; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1658)

AlienVault Blog: New features in OTX enhance collaboration and sharing of threat intelligence

https://otx.alienvault.com/api

We are excited to introduce this functionality and hope it is useful. As always, please let us know if you have any ideas, comments or suggestions at otx-support@alienvault.com.

(Published 2016-05-11T14:30:00+00:00; source: http://feeds.feedblitz.com/~/153820914/0/alienvault-blogs~New-features-in-OTX-enhance-collaboration-and-sharing-of-threat-intelligence; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1521)

AlienVault Blog: Buzzwords IT Pros Love to Hate

Spiceworks community to tell me the worst "vendor words". I figured it would be good to know what ticks them off. As usual, the IT community has definite opinions. I think "Cloud" was the most popular word of all.

This was my personal favorite:

Here's a pretty comprehensive list:

Our own Javvad Malik chimed in with "disruptive"; he must have heard that word too many times when he was an industry analyst :)

Here's the composite view from the Spiceworks results:

Conclusion

So, vendors out there, take note! The IT community prefers straight talk to a bunch of superlative, over-used buzzwords. They also like to do their own research and make their own decisions about what's the "best".
(Published 2016-05-09T15:35:00+00:00; source: http://feeds.feedblitz.com/~/153494066/0/alienvault-blogs~Buzzwords-IT-Pros-Love-to-Hate; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1381)

AlienVault Blog: A Day in the Life of Darth-CISO: Happy Star Wars Day!

I head up cyber security for Lord Vader. I bet you didn't think he had a security department. But after his plans for the first Death Star were stolen, he hired me as a DLP consultant. I subsequently conducted vulnerability assessments and red-team tests to ensure we didn't have any other exposed weak spots that someone could fire a torpedo into to bring the whole house down. Lord Vader says he senses great potential and has bestowed upon me the title of Darth-CISO. But despite being an all-powerful intergalactic stakeholder, I still face my fair share of security challenges every day.

Stormtrooper Security Awareness Training

I usually host a breakfast and ask a battalion of stormtroopers to come down for some basic training. All too often they end up falling victim to a social engineering trick, all the while making excuses that it was the work of some Jedi master. Stormtroopers are simple-minded and sometimes truly infuriating to work with. Just last week, we conducted a test where we dressed up an Ewok in a stormtrooper outfit and sent it into the base. Can you believe that someone held a door open and let him in? I mean, come on! How difficult is it to identify and challenge an Ewok in a costume?

System Tuning

Despite all the blinking lights, our systems can actually be pretty useless at providing critical data.
For example, I generally have to spend at least two hours every day tuning our radar just so it can tell the difference between a small asteroid and a rebel ship. One time, when we had landed to burn down a small city, our JDS (Jedi Detection System) started throwing out alerts that it had detected Yoda. Everyone was on edge, wondering how that Gremlins reject had found us. However, after a bit of digging, it transpired that it was actually just a large rat indigenous to the planet, which the JDS had confused with Yoda!

Asset Inventory

Our assets are not static. We have ships, uniforms, blasters, force fields, and a whole range of other items that need to be fully accounted for and maintained at all times. Prior to my joining, if a trooper lost his blaster in a battle, the paperwork was a nightmare. As a result, we were never sure what our inventory was. It made it easy for any rebel to walk into a base, help themselves to our blasters, armour or even small craft, and launch an attack. Since coming on board, however, I've introduced a tagging process that helps us keep track of all our critical assets. This allows us to react quickly when an item goes missing, gets destroyed, or ends up in the wrong place at the wrong time.

Threat Sharing Alliance

I am the chair of the intergalactic threat sharing alliance. I convene and share data with my peers from across the galaxy so that we all have up-to-date information about the latest threats related to the rebels: their movements, their key players, and what kind of ships and technology they are using. This sharing of threat information is invaluable in helping us better defend ourselves against the rebels.

Board Meetings

At the end of each day, Lord Vader holds a meeting with his direct reports. Frankly speaking, it's the hardest hour of the day. He doesn't care much about process and procedure or how much effort we've put in.
All he cares about are results. There is one thing that I particularly don't like: Lord Vader never listens to my sound reasoning when it comes to assessing risk. Instead, he just tells me to keep trusting my feelings and using the force. This is all well and good when you're

(Published 2016-05-04T13:00:00+00:00; source: http://feeds.feedblitz.com/~/152826672/0/alienvault-blogs~A-Day-in-the-Life-of-DarthCISO-Happy-Star-Wars-Day; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1203)

AlienVault Blog: 5 Cloud Security Mistakes That Could Cost You

By now, most businesses realize that the cloud is here to stay. Once considered little more than a fad, it has become increasingly clear that businesses that fail to adopt the cloud in some form are missing out on opportunities for growth, increased productivity and, in many ways, improved security. However, using the cloud is not without risk, and many organizations make mistakes that could lead to costly data breaches if they aren't corrected. Following are five cloud security mistakes that could cost you:

1. Storing Sensitive Data on Unsecured Servers

As more companies adopt cloud storage and application solutions and see the benefits that come with doing so, the temptation is great to move everything to the cloud. And there are some distinct advantages to doing so. Greater flexibility for your workers in terms of where and when they work, increased productivity, and improved business continuity in the event of a disaster are all compelling reasons to shift to a cloud-based environment. Unfortunately, though, many companies move data to the cloud without fully evaluating the security risks of doing so.
Certain types of data, such as data protected by federal and industry regulations, legal documents, confidential business development data, and other identifying data (such as employee and customer records), must be kept as secure as possible. Because not all cloud servers are created equal in this regard, it's important that such data only be stored on cloud services that meet stringent security requirements. In other words, using a free or rock-bottom cheap cloud service provider to store all of your company data is likely a recipe for disaster.

2. Not Controlling Access to the Cloud

One of the primary benefits of the cloud is also its greatest potential weakness. The fact that cloud servers can be accessed from virtually anywhere, by anyone with the proper credentials, makes them convenient, but it also makes them vulnerable. Controlling access to data stored in the cloud is often a difficult balancing act between giving people access to the tools and information they need to do their jobs and keeping data from falling into the wrong hands. Overly restrictive environments keep data safe, but at what cost? Effectively managing data requires a comprehensive policy that not only controls who can access what data and from where, but also includes monitoring of who accesses data, when, and from where, to identify potential breaches or inappropriate access. At the very least, you must educate employees on how to secure their cloud sessions, which includes avoiding public networks and practising effective password management.

3. Not Maintaining the Cloud Via Backups and Patches

Business continuity in the event of a disaster is one of the primary benefits of the cloud. For instance, if your network falls victim to an attacker, the backup data in the cloud allows you to remain operational while you undo the damage. However, if you don't maintain your cloud servers with regular data backups, patches, and updates, you could be creating an entirely new vulnerability.
Attackers often work by exploiting vulnerabilities, and if you don't mitigate these vulnerabilities, you're at risk of an attack. Often, not keeping the cloud updated stems from concerns about cost or downtime, but consider that the cost of such maintenance is far less than that of a breach. And given that many cloud service provid

(Published 2016-05-03T13:00:00+00:00; source: http://feeds.feedblitz.com/~/152659934/0/alienvault-blogs~Cloud-Security-Mistakes-That-Could-Cost-You; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=1155)

AlienVault Blog: JIGSAW Ransomware: Deleting Files Instead of Encrypting Them

was locked out of its electronic medical records (patient information is kind of important to running a hospital) until it forked over 40 bitcoins, worth then about $17K. This time, it's JIGSAW. Our colleagues at Trend Micro have uncovered a new type of ransomware written by someone who appears to be a fan of that creepy puppet from the horror movie "Saw". What makes JIGSAW different from most other ransomware is that it deletes files instead of just encrypting them:

- JIGSAW deletes files exponentially, starting 60 minutes after the program starts by deleting "some" files
- It deletes more files and increases the ransom every hour
- If you reboot your system or close the ransom window, JIGSAW deletes 1,000 files
- After 72 hours it deletes all remaining files

Source: Trend Micro

JIGSAW appears to have compromised systems when users downloaded files from a free storage site, as well as by being bundled with other malware. As I (and others) have said, holding systems or entire networks hostage to extort payment will likely remain a popular business model among cybercriminals.
It's a lot less work and arguably a better business model than going through the effort of harvesting valuable data and selling it on the secondary market.

Impact on you

Ransomware is a growing threat: according to the new 2016 Verizon Data Breach Investigations Report, ransomware is the second most common form of crimeware. Cybercriminals will continue to use it to extort money from victims because of its ease of use and immediate return on investment. The FBI's Internet Crime Complaint Center reported that between April 2014 and June 2015 it received almost 1,000 ransomware complaints, costing victims more than $18 million in losses.

How AlienVault Helps

The AlienVault Labs team continues to research and update the ability of USM to detect ransomware-related activity. Last week, the Labs team updated the USM platform's ability to detect JIGSAW and several other families of ransomware by adding IDS signatures to detect the malicious traffic on your network and correlation directives to link events from across your network that indicate systems compromised by ransomware. These ransomware updates are included in the latest AlienVault Threat Intelligence update, available now:

Emerging Threat - Jigsaw Ransomware

Jigsaw is a new ransomware that not only encrypts your files but also starts deleting them if you take too long to pay the ransom. Currently the distribution method of this ransomware is unknown. This 

(Published 2016-04-28T13:00:00+00:00; source: http://feeds.feedblitz.com/~/151701816/0/alienvault-blogs~JIGSAW-Ransomware-Deleting-Files-Instead-of-Encrypting-Them; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=890)

AlienVault Blog: Watering Hole Attacks: Detecting End-User Compromise before the Damage is Done

According to Victor, attackers are opportunistic, increasingly taking advantage of simple mistakes humans tend to make.
Watering hole attacks are interesting in that they are very passive in nature and can develop over a long time frame. They involve compromising an existing trusted site or creating a site that looks legitimate, perhaps with a misspelling that will snare some unsuspecting users, for instance amricanexpress.com. Then they wait until a victim comes to them by responding to a phishing email or mistyping a valid URL.

Question: How do attackers create watering hole attacks?

Answer: Here's a slide we use to talk about this:

Question: Can you give me a scenario of how this might work?

Answer: Sure. To start with, these attacks can be very difficult to detect because they might look just like usual business activity. In many cases these attacks have victims on both sides. The first victim is the one who owns the compromised website used for the watering hole attack. The second is the actual targeted victim of the attacker, in this case anyone who has a legitimate need to access the previously mentioned site.

To illustrate this a bit, let's say a particular attacker is after a well-known car manufacturer and is looking for ways to infiltrate the organization. Then here comes Bob. Bob has a small manufacturing business that produces bolts and nuts for the car industry. He has set up a website for his customers where they can obtain information about production status and details about the parts he makes. This small business has come to the attacker's attention due to the level of interaction the targeted victim (the car manufacturer) has with it. In addition, as a small business, Bob might not have a strong security practice and/or the internal expertise to implement security controls.
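On the car manufacturer's side, the scenario in this interview (and in its Spanish-language version earlier on this page) leaves a trail in the web proxy logs: a request to Bob's portal followed, with Bob's site as the Referer or within a second or two, by a request to a host nobody on the trusted-supplier list owns, frequently a look-alike of it. The following is an added example (not code from the original posts) of that detection logic run over constructed proxy log lines. The log format, the host names, client addresses, the trusted-supplier and allowed third-party lists, and the five-second window are all assumptions for the demo.

```python
# Added example, not from the original post: detection logic for the scenario
# above, run over constructed web-proxy log lines. A watering-hole redirect
# shows up as a trusted supplier site (Bob's parts portal here) acting as the
# Referer for a request to a host that is not on the trusted list, often a
# look-alike of it. The log format, hostnames, IPs and timings are assumed.
import re
from datetime import datetime, timedelta

TRUSTED = {"parts.bobsbolts.example"}          # assumed known-good supplier portal
ALLOWED_THIRD_PARTY = {"cdn.example"}          # assumed legitimate resources it embeds
WINDOW = timedelta(seconds=5)                  # a redirect follows the trusted hit quickly

# Constructed log: time, client, method, host, path, referer ('-' if none).
LOG = """\
2016-04-26T09:14:01Z 10.1.2.3 GET parts.bobsbolts.example /status -
2016-04-26T09:14:02Z 10.1.2.3 GET parts.bobsbolts.example /js/track.js parts.bobsbolts.example
2016-04-26T09:14:02Z 10.1.2.3 GET parts-bobsbolts.example /kit.php parts.bobsbolts.example
2016-04-26T09:14:03Z 10.1.2.3 GET parts-bobsbolts.example /x.swf parts-bobsbolts.example
2016-04-26T09:20:10Z 10.1.2.9 GET parts.bobsbolts.example /status -
2016-04-26T09:20:11Z 10.1.2.9 GET cdn.example /lib.js parts.bobsbolts.example
2016-04-26T09:31:00Z 10.1.2.9 GET 203.0.113.7 /a.php parts.bobsbolts.example
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between hosts flag typo-squats
    like amricanexpress.com vs americanexpress.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse(log: str):
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, _method, host, path, referer = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, path, referer


def detect(log: str, trusted=TRUSTED, allowed=ALLOWED_THIRD_PARTY) -> list:
    """One alert per (client, host) where a trusted site led, by Referer or by
    timing, to an untrusted host; look-alike hosts are rated high."""
    alerts, last_trusted, seen = [], {}, set()
    for ts, client, host, path, referer in parse(log):
        if host in trusted:
            last_trusted[client] = ts
            continue
        recent = client in last_trusted and ts - last_trusted[client] <= WINDOW
        if not (referer in trusted or recent) or host in allowed:
            continue
        if (client, host) in seen:
            continue
        seen.add((client, host))
        lookalike = any(edit_distance(host, t) <= 2 for t in trusted)
        alerts.append({
            "client": client, "host": host, "path": path, "at": ts.isoformat(),
            "severity": "high" if lookalike else "low",
            "reason": ("look-alike of trusted host" if lookalike
                       else "untrusted host reached from trusted site"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

On the constructed log this raises two alerts: a high-severity one for `parts-bobsbolts.example` (one character away from the real portal, reached from it within the window) and a low-severity one for the bare IP address reached via a trusted Referer; the CDN request is silenced by the allow-list, which is where the false-positive tuning for a rule like this lives.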
Bob might say, "I'm just making nuts and bolts," and not invest in security, so compromising his site might be a simple task for the attacker, and poor Bob might never even notice. The attacker then finds a way to inject JavaScript into Bob's website that redirects his visitors to another site that looks very similar to Bob's, where he can stage more reliable exploit kits and distribute malware.

Once the attacker is done setting up the counterfeit copy of Bob's website, all he needs to do is sit and wait. It's just a matter of time until someone from the target car manufacturer, using a system that isn't up to date on security updates, visits Bob's website for information. As soon as they load the site they are redirected to the malicious site, giving the attacker the opportunity to compromise the system.

The ramifications of these attacks can be catastrophic. The targeted car manufacturer might have to spend millions of dollars recovering from such an attack. If data was exfiltrated, the cost might be even higher, and the company's reputation is put at risk. For Bob,

(Published 2016-04-26T13:00:00+00:00; source: http://feeds.feedblitz.com/~/151359370/0/alienvault-blogs~Watering-Hole-Attacks-Detecting-EndUser-Compromise-before-the-Damage-is-Done; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=805)

AlienVault Blog: A Newer Variant of RawPOS in Depth

(Published 2016-04-25T13:00:00+00:00; source: http://feeds.feedblitz.com/~/151154222/0/alienvault-blogs~A-Newer-Variant-of-RawPOS-in-Depth; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=776)

AlienVault Blog: OSX-Pirrit Adware: Notes from the Underground

OSX-Pirrit is an invasive application that targets Macs, one of the few but growing number of Mac threats.
It is more malicious than the Windows version of Pirrit because it hijacks your web traffic by routing all of it through its own proxy, exposing your sensitive or regulated information to exfiltration (as well as giving the attacker the ability to install other software on your system). It appears to get onto the system simply by users installing it, believing they are downloading an update to a popular app such as Flash.

Impact on You

Once installed, OSX-Pirrit does two things:

- It intercepts web traffic via a proxy and injects ads into that traffic
- It installs a launch daemon (which allows it to control apps and services), through which it maintains persistence

How AlienVault Helps

Adware like OSX-Pirrit is difficult to prevent and remove. Preventive technologies like anti-malware or sandboxing can help block the download and installation of the malware, but preventive tools never detect every version of a malware family. And, since at least one version of the malware is signed with a valid Apple developer certificate, it appears benign to OS X once installed. AlienVault USM gives you the ability to detect the presence of new variants of malware like OSX-Pirrit that have evaded those preventive technologies and reside on your systems.
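Both behaviours in the "Impact on You" list leave host-side artefacts that can be triaged without a signature: a launch daemon property list whose program is not Apple's, and a system web proxy pointing at the local machine. The following is an added example (not code from the original post) that reads launchd plists with Python's standard plistlib module and parses output in the shape that `networksetup -getwebproxy <service>` prints on OS X. The plists, labels, program paths, port number and proxy text are constructed for the demo and are not Pirrit's real artefacts.

```python
# Added example, not from the original post: a triage script for the two
# behaviours listed above, persistence through a launch daemon and a web proxy
# inserted into the traffic path. It reads launchd property lists with the
# standard plistlib module and parses the output shape of
# `networksetup -getwebproxy <service>`. The plists, labels, paths and proxy
# text are constructed for the demo and are not Pirrit's real artefacts.
import plistlib

APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/sbin/")
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/", "/users/")


def triage_daemon(path: str, plist_bytes: bytes) -> list:
    """Return findings for one LaunchDaemon/LaunchAgent plist."""
    pl = plistlib.loads(plist_bytes)
    label = pl.get("Label", "")
    args = pl.get("ProgramArguments") or []
    program = pl.get("Program") or (args[0] if args else "")
    findings = []
    apple_program = program.startswith(APPLE_PROGRAM_PREFIXES)
    if not apple_program:
        findings.append(f"{path}: non-Apple program {program!r} (label {label!r})")
    if label.startswith("com.apple.") and not apple_program:
        findings.append(f"{path}: label impersonates Apple")
    if pl.get("RunAtLoad") and pl.get("KeepAlive"):
        findings.append(f"{path}: starts at boot and is restarted if killed (RunAtLoad+KeepAlive)")
    if any(seg in program.lower() for seg in USER_WRITABLE):
        findings.append(f"{path}: program lives in a user-writable location")
    joined = " ".join(args).lower()
    if "proxy" in joined or "--port" in joined:
        findings.append(f"{path}: arguments mention a proxy: {' '.join(args)}")
    return findings


def triage_proxy(networksetup_output: str) -> list:
    """Flag an enabled web proxy, especially one pointing at the local host,
    which is how Pirrit-style adware gets between the browser and the web."""
    kv = {}
    for line in networksetup_output.strip().splitlines():
        if ": " in line:
            k, v = line.split(": ", 1)
            kv[k.strip()] = v.strip()
    if kv.get("Enabled") != "Yes":
        return []
    server, port = kv.get("Server", ""), kv.get("Port", "")
    local = server.startswith("127.") or server in ("localhost", "::1")
    where = "the local host" if local else "an external host"
    return [f"web proxy enabled, pointing at {where} {server}:{port}"]


# Constructed samples: one Apple-style daemon and one that matches the adware pattern.
SAMPLES = {
    "/System/Library/LaunchDaemons/com.apple.example.plist": plistlib.dumps({
        "Label": "com.apple.example",
        "Program": "/usr/libexec/examplehelper",
        "RunAtLoad": True,
    }),
    "/Library/LaunchDaemons/com.updater.helper.plist": plistlib.dumps({
        "Label": "com.updater.helper",
        "ProgramArguments": ["/Library/Application Support/Updater/injector", "--proxy-port", "8338"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}
PROXY_OUTPUT = "Enabled: Yes\nServer: 127.0.0.1\nPort: 8338\nAuthenticated Proxy Enabled: 0\n"


if __name__ == "__main__":
    for p, blob in SAMPLES.items():
        for finding in triage_daemon(p, blob):
            print(finding)
    for finding in triage_proxy(PROXY_OUTPUT):
        print(finding)
```

On a real host the plists come from `/Library/LaunchDaemons`, `/Library/LaunchAgents` and each user's `~/Library/LaunchAgents`, and the proxy text from running `networksetup -getwebproxy` (and `-getsecurewebproxy`) for each network service. The checks are heuristics, so a third-party daemon alone is a lead rather than a verdict; the combination of non-Apple program, KeepAlive persistence and a local proxy is what matches the behaviour described above.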
The AlienVault Labs threat research team saves you a tremendous amount of time and effort: it continues to research and update the ability of the USM platform to detect new types of malware like OSX.Pirrit, as well as new variations on existing malware. The Labs team recently updated the USM platform's ability to detect this new threat on your network by adding an IDS signature to detect the malicious traffic and a correlation directive to link events from across your network that indicate Pirrit has compromised one or more Macs. These updates are included in the latest AlienVault Threat Intelligence update, available now:

New Detection Technique - OSX/Pirrit

OSX/Pirrit is an invasive piece of OS X adware derived from the Windows version of the adware. The adware intercepts all HTTP traffic, injects ads into the proxied traffic, and maintains persistence by installing a Launch Daemon.

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5707d68267db8c4b471bdacf/

We've added IDS signatures and created the following correlation rule to detect OSX/Pirrit activity:

System Compromise, Adware infection, OSX/Pirrit

The Notes from the Underground are a blog series that provides some background and conte

(Published 2016-04-20T13:00:00+00:00; source: http://feeds.feedblitz.com/~/150284464/0/alienvault-blogs~OSXPirrit-Adware-Notes-from-the-Underground; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=646)

AlienVault Blog: False Positives in IDS: Irritating But Often Necessary

Let's face it. False positives suck. On the other hand, while the subtitle of this post may sound funny, it isn't really that far from the truth. It's true that many people experience a level of anger at false positives that could serve as the climax of a thriller movie. The reality, however, is that many of these results are not as bad as they seem, and can often actually be useful. This can be for a variety of reasons.
Let's look at a few of them.

Why Perfection Isn't Perfect

In a perfect world, the best Intrusion Detection System (IDS) signatures would be an exact match for the file or behavior they are looking for. This is impractical to create for a couple of reasons, and is often not even desirable in practice.

A perfect signature would need to be compared against literally millions of other files and/or sources to confirm it didn't match anything else. This would add tremendous cost, and more importantly time, to the development cycle before a signature for a new threat is released. In our industry, where seconds matter, the extra delay for such thorough testing before protection can be provided would be a serious drawback.

A much more important point is that we often do not want the signature to be an exact match. Malicious threats introduced 20 years ago were usually unchanging, with predictable signatures that could be matched rather reliably. Unfortunately, the modern threat landscape is far more fluid. With the accelerating growth of polymorphic, metamorphic, kit-based, and other advanced threat forms, IDSs need to be able to match a pattern similar to a signature, or to match behavioral traits of the traffic. By casting a wider net, the signature can capture the threat as it evolves, minimizing the chance that a variant can compromise a system before a sample is identified.

The App Behind the Mask

Most security best practices do not work in favor of detection systems. A core part of running a vulnerability scan is identifying the type and version of any OS or application/service scanned. This can have varying results, depending on what hardening has been implemented. In short, the vulnerability scanner often has to approximate this information, or surmise it from the format of a response.
A good example of why this can be difficult is that my own web server, a hosted Linux server, advertises itself as IIS5.5 instead of the service actually running.

Some False Positives, Quite Simply, Are Not

I once had an upset customer call, insisting that we immediately remove a false positive from our vulnerability scans because he had to fix everything that showed on the report. He insisted that marking something as a false positive was unacceptable.

Here is the catch: it wasn't a false positive. The exploit could not be leveraged because the vulnerability required a folder in the document root with a name of a minimum character length that began with the letter "a." The security of his web server, and potentially the network it was on, was dependent on what folder name the web developers chose.

Some of my most common cases are the results of "conditional" false positives. So what's in a word? In this case, our livelihood. Many incidents, or vulnerabilities, are dependent on secondary factors that the system is unable to review.
When a threat is not currently present, but can become a threat via a configuration change, or a change in a third-party package, the duty of the system is to pass a potential threa

Published 2016-04-19T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/150098694/0/alienvault-blogs~False-Positives-in-IDS-Irritating-But-Often-Necessary

Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 13: Boundary Defense

- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security.
- Part 7 - we looked at Wireless Access Control.
- Part 8/9 - we looked at Data Recovery and Security Training.
- Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches, and Limitation and Control of Network Ports, Protocols and Services.
- Part 12 - we looked at Controlled Use of Administrative Privileges.

Now we are taking on Boundary Defense.

Boundary Defense

13-1 - Deny communications with (or limit data flow to) known malicious IP addresses (blacklists), or limit access only to trusted sites (whitelists).

This is one of those "easy to say, hard to do" policies. But if you consider starting with things like public servers, internal servers, switches, VOIP phones, and other network device VLANs, those devices really don't need much access to the internet, and whitelisting becomes a bit easier.
For workstations... good luck, unless you're a military contractor.

13-2 - On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet headers and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information and Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

Published 2016-04-18T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/149840190/0/alienvault-blogs~Free-and-Commercial-Tools-to-Implement-the-Center-for-Internet-Security-CIS-Security-Controls-Part-Boundary-Defense

Open Source, the Community, and Aliens

I was at DefCon last year (as I am most years) and was struck by the wonderful, perhaps even familial nature of the proceedings. It was hot and crowded. Most people were jet-lagged and exhausted. Despite that, I still saw older, more seasoned members of the community enthusiastically showing newcomers the ropes. People were collaborating, and shared candidly what they had learned in the previous year. It was a beautiful sight.

But what I love most about the security world is that the spirit of mutual cooperation doesn't end when the conferences do.
This manifests itself in the tools that we, as security professionals, depend upon in our day-to-day business.

So much of our tool belt consists of applications which were created by companies and individual members of the community, and subsequently released under open-source licenses without any expectation of payment. You probably know many of these: OpenVAS, the Metasploit Framework, and Wireshark are three great examples of open source security products which most of us use.

There are a number of reasons why InfoSec and open source are great bedfellows. Perhaps the biggest is that it has completely democratized the security field. You can be working for a large consultancy firm with offices on all six continents, or you can be an independent researcher working from your bedroom; either way, you're still going to be working with the same kit. Unlike many other fields, money isn't much of a barrier to entry when it comes to security.

The adoption of open source has also meant that the tools we use are in a perpetual state of improvement. Pull requests are filed. Bugs are rapidly quashed. Performance issues are fixed. This happens because anyone who is so inclined can contribute to the tools they use.

Given that this is an AlienVault blog, I'd be remiss if I didn't mention some of the work we do with open source.

Take our Open Threat Exchange (OTX), for example, where thousands of security researchers share information on emerging security threats through our cloud platform.
Many of the tools associated with it, such as our SDKs (software development kits) and connectors, are available through our corporate GitHub page.

Of course, perhaps our most well-known open source product is AlienVault OSSIM, which is available to download from our website, and is licensed under the permissive GNU General Public License (GPL) version 3.

OSSIM, AlienVault's Open Source Security Information and Event Management (SIEM) product, provides a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, OSSIM was created specifically to address the reality many security professionals face: a SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility. OSSIM also leverages the power of OTX by allowing users to both contribute and receive real-time information about malicious hosts.

We continue to develop OSSIM because, as a company, we see this as part of our social responsibility.
We believe that people are ultimately more secure when they have the tools to defend themselves, and that everyone should have access to high-end security tools, regardless of their means.

But it's worth noting that, in creating OSSIM, we were totally dependent on t

Published 2016-04-12T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/148984040/0/alienvault-blogs~Open-Source-the-Community-and-Aliens

Brute Force Attack Mitigation: Methods & Best Practices

Published 2016-04-11T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/148798492/0/alienvault-blogs~Brute-Force-Attack-Mitigation-Methods-amp-Best-Practices

Using OTX Threat Intelligence to Search PCAPs for Malicious Traffic

CapStar Forensics is an AlienVault Open Threat Exchange (OTX) participant. OTX is open to the public, and anyone can contribute to and download the threat data (which is called a "Pulse" in OTX).

So how can security professionals use this threat intelligence to help an organization defend against potential cyberattacks? In this blog, we show an example where CapStar used an OTX threat intel feed as source information to search a packet capture (pcap) for possible malicious traffic.

First, we downloaded all the OTX pulses and extracted the indicators of compromise (IoCs) related to networking to a file. There are 4 types: IPv4, hostname, domain and URL. In total, there are 19290 unique IoCs. Here is part of the file:

    domain qgqatfmbjrxwbk.cc
    domain rilmcycxjujewr.su
    domain lforanrwxevhyi.com
    domain vhngseuwuygrxy.net
    domain yhykhppwkxlfck.in
    domain lwvvefxffsiylo.me
    domain fqbassjbfsuthy.com
    domain bsikfiribqcudf.tw
    domain eoksneimvitpwo.net

Each line is a record in this file format.
Each record has an IoC type followed by the IoC data.

We discussed what tool we could use to apply this threat intel to find the presence of malicious traffic in a pcap file. For this purpose, many network and security professionals' favorite tool is Wireshark. However, due to the large number of IP addresses and hostnames, it's not practical to use Wireshark. The other good choice is to use an Intrusion Detection System (IDS). The problem with this approach is that one would have to create many IDS rules based on the specific intel, causing the investigation to slow down when the number of rules becomes too large.

Fortunately, CapStar has a great tool for this scenario. A user can write a script that will read the threat intel in the above format and use it to match on packets very quickly.

Here is a CapStar script for just this. It consists of a few sections, each under a label.

- The "init" section reads the threat intel line by line, and adds each item of threat intel to the right category.
- The "pkt" section processes the packets individually. It matches the source or destination IP against the blacklisted IPs in the intel and, in the case of DNS transactions, matches the hostname or domain in the query against the blacklisted hostnames and domains.
- The "data" section processes the packets at the data level. CapStar feeds the data packets in the right order, with respect to their session, to the script logic in this section. CapStar does port-independent identification of HTTP transactions, so the user logic for matching against a list of blacklisted URLs is pretty simple.
- The "end" section just summarizes the stats and displays them to the user.

One observation on the script is that it reuses the standard Wireshark display filter names, which are familiar to many network and security professionals.
This is done to "extend" the Wireshark display filter so an investigator can implement arbitrary logic or expressions, and then perform a stateful pattern match that involves multiple packets.

We ran this script against a 1126MB malware pcap. Here is the partial output:

    number of blacklistedIPs: 4219
    number of blacklistDomains: 3611
    number of blacklistHosts: 5815
    number of blacklistUrls: 4986
    contacted blacklisted IP:195.

Published 2016-04-07T13:17:00+00:00. Source: http://feeds.feedblitz.com/~/148173942/0/alienvault-blogs~Using-OTX-Threat-Intelligence-to-Search-PCAPs-for-Malicious-Traffic

Building a Home Lab to Become a Malware Hunter - A Beginner's Guide

Dynamic DNS, and you complicate the mix even further.

Tracking all of these elements might be difficult, but in all honesty, you don't need 10 years of experience in malware analysis and a bunch of certificates to help you win this battle. You just need to experiment. One great way to learn about malware is to build your own home lab and play with actual malware samples within this environment. This can be a fun and educational project even if you are not an InfoSec pro. If you do happen to be an InfoSec pro, the things you learn in your home lab just might help you do your job more effectively. So how do you set one up? A few simple guidelines will get you started.

What Should Be In Your Lab?

So what are the essential components of a home lab? There is no right or wrong answer here. You can set up a virtual machine and make that your lab. As long as you sandbox the malware you're analyzing, you should consider your setup a laboratory environment, in my opinion.

However, I would also like to state that just because you are analyzing within a sandbox environment, it does not mean you are completely secure.
There are vulnerabilities present in older versions of virtualization software that can allow escapes from virtual machines, so you need to ensure that your virtualization environment is up to date and patched against such exploits. I would also recommend starting your virtual lab with multiple boxes, which increases security. Using the pfSense firewall is a fantastic start, and having an IDS box (Snort/Suricata/Bro) is an additional bonus. I won't go into too much detail about virtual network security because my good friend Tony Robinson (@da_667) already has this well documented in a blog: https://blindseeker.com/blahg/?p=375.

Personally, I do not have an overly sophisticated lab setup. It is mostly boxes here and there, but each box has a specific purpose. My home lab currently consists of the following components:

- Windows 7 Virtual Machine (home network)
- Windows 10 Virtual Machine (home network)
- Ubuntu 15.10 Virtual Machine (home network)
- Ubuntu 14.04 SSH Honeypot (VPS)
- Windows Server 2012 R2 (VPS)
- Security Onion on an empty server which I'm still configuring
- Various email spam traps for collecting macro malware and other specimens (such as phishing attempts or malware which may be hosted on a link in an email).

I feel as though I cover a lot of ground with this setup. I have collectors to harvest malware automatically, which I can then pull down to my virtual machines on my home network for further analysis. I also have my Windows VPS to accomplish a 'malware analysis in the cloud' kind of thing. My current setup allows me to analyze pretty much any piece of malware I come across.
However, for the purpose of this post, I'll be discussing my toolset and my approach to analyzing malware on Windows systems.

Figure Out What You're Looking For

Before we run all of our tools and start clicking on malware links in spam hoping to see some results, we first need to answer some questions:

- What exactly are you looking for?
- Why are you doing this?

Once you have analyzed the m

Published 2016-04-06T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/147941952/0/alienvault-blogs~Building-a-Home-Lab-to-Become-a-Malware-Hunter-A-Beginner%e2%80%99s-Guide

Lean Security and DevOps - OWASP Presentation

slide deck here.

The chapter meeting, including Ernest's talk, was recorded. It was a good crowd!

Here are some highlights from the talk:

What is DevOps and how is it different from Dev | Ops?

Previously, development and operations tended to be in silos, and development would "throw code over the wall to operations", pat themselves on the back, and figure it's their problem now. Ernest explained that DevOps breaks down that wall.

"Lean security talk by @ernestmueller Austin @owasp #devops pic.twitter.com/5vNCGs33AN" - Kate Brew (@securitybrew), March 29, 2016

Lean Security Learns Lessons From Lean Manufacturing

For those familiar with lean manufacturing principles, waste is the enemy to be eliminated. The Goal, a book written in a novel format back in the 1980s, covered lean manufacturing principles and the elimination of bottlenecks and waste in a very pleasant way. Gene Kim used the same style in writing The Phoenix Project about lean DevOps.

Don't Be "That Guy" in InfoSec

Ernest discussed procedural ways to implement security controls that de-personalize the topic, and make it more positively perceived in the organization.
He presented the processes and methods that progressive companies use to build security into the software value chain, instead of relying on mass inspection post-deployment. WhiteHat scans, while a good idea, aren't building security in from the start the way automation in the build pipeline will. For example, Netflix uses a variety of automated tools, including their Spinnaker AWS console and their Simian Army (which includes the Chaos Monkey, a tool which randomly disrupts servers), to force programmers to think proactively about security issues. In addition, he also advocated ways that professionals can see metrics around the security of their code and the results of their hard work. He termed this a "broadcast mentality," and it appears to be helpful in driving change. Ernest pointed out in a humorous way that nobody likes their "Compliance Officer." He prefers the term the penetration tester

Published 2016-04-01T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/147114638/0/alienvault-blogs~Lean-Security-and-DevOps-OWASP-Presentation

PowerWare "Fileless Infection" Deepens Ransomware Conundrum for Healthcare Providers

three new ransomware attacks on mid-size hospitals and, according to the Department of Health and Human Services' breach database, 13 such attacks in the past month alone. While not all of these DHSS breaches necessarily involved ransomware, these stats indicate the poor state of security as a whole in the healthcare industry.

However, while the use of ransomware by cyber extortionists has been increasing, if you understand the threat and take certain precautions, then a major compromise of your organization is not inevitable.

Ransomware, Step-by-Step

Before looking at specific ransomware cases and how to defeat them, it's important to understand why ransomware is so successful.
Ransomware is a form of malware which encrypts sensitive files on a target system, effectively holding them hostage until the ransom is paid. While delivery methods are expanding, ransomware typically utilizes social engineering as the primary means of attack, disguising malicious emails as business-related correspondence. Many such emails use malicious Word or PDF attachments, which often bypass typical AV scanners and appear legitimate, to target users. Once executed, the malicious payload runs in the background and within seconds the targeted files are encrypted and the private key is sent back to the attacker's server. Soon a 'helpful' message will appear to walk the new victim through the Bitcoin payment process required to decrypt the files.

What Makes Healthcare Such a Target?

Healthcare firms struggle with many of the same security problems faced by other traditional industries. In an industry where better technology doesn't necessarily result in higher revenue, or better patient care, investing in technology is a low priority. This lack of investment in technology often results in servers going unpatched, outdated technologies being used, and other security vulnerabilities remaining unresolved. Healthcare databases also typically contain a treasure trove of patient information that is very valuable to attackers.

This combination of high-value data and low-security protections makes the entire industry ripe for exploitation.

PowerWare

While there are a number of ransomware families to touch on here, PowerWare is a new addition which is generating buzz from its recent 'fileless' infection mechanism. This malware was most recently implicated by security researchers in the compromise of another healthcare institution just last week.

Although the name of the hospital is unknown, the attack narrative is similar to other ransomware cases.
Targeted phishing emails were sent to a set of users, requesting them to download a malicious Word document and enable macros, a dangerous feature which is disabled by default.

However, once enabled, rather than downloading a malicious file to perform the encryption routine, PowerWare takes another route: it uses functionality within Windows itself to accomplish its task. Also known as a 'fileless' attack, this malware never writes a file to disk (which would potentially allow it to be detected by antivirus and other security tools),

Published 2016-03-31T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/146941502/0/alienvault-blogs~PowerWare-%e2%80%9cFileless-Infection%e2%80%9d-Deepens-Ransomware-Conundrum-for-Healthcare-Providers

Cmstar APT Malware Exploits CVE-2012-0158

CVE-2012-0158) which installs the Cmstar downloader onto the compromised system. Cmstar then contacts the Command and Control (C&C) server to download the BBSRAT remote access malware, and installs it on the compromised system. The attacker can now control the compromised system directly.

Impact on You

Having any type of malware (especially one designed to steal data) on your network puts your sensitive or regulated information at risk.

- Once installed, Cmstar has the ability to download malware that can infect other machines, as well as pull down additional malware variants as needed.
- The data-stealing malware can reside inside a network for months or years before detection, giving an attacker virtually unlimited access to data.

How AlienVault Helps

APTs are sophisticated attacks conducted by well-resourced teams.
Preventive technologies like sandboxing can help block some attacks, but a dedicated, focused adversary will always find a way to penetrate a network.

That's why you need the ability to detect the presence of compromised systems, downloaders, remote access malware, and other malicious content in your network quickly. And, once you have detected it, you need to be able to minimize the damage that compromised systems can cause. That's where the AlienVault Labs team can help: the threat research team continues to research and update the ability of the USM platform to detect new downloaders and remote access toolkits (RATs), as well as new variations on existing malware.

The Labs team recently updated the USM platform's ability to detect the latest version of the Cmstar downloader on your network by adding an IDS signature to detect the malicious traffic and a correlation directive to link events from across your network that indicate that Cmstar has compromised one or more systems.

These updates are included in the latest AlienVault Threat Intelligence update, available now:

New Detection Technique - APT Cmstar

Cmstar is a downloader that is similar to the Lurid and Enfal families of malware. Cmstar is typically delivered through phishing emails that contain malicious Microsoft documents and has recently been used to download BBSRAT. The group that utilizes Cmstar and BBSRAT appears to be targeting Russian victims and most r

Published 2016-03-30T07:00:00+00:00. Source: http://feeds.feedblitz.com/~/146748586/0/alienvault-blogs~Cmstar-APT-Malware-Exploits-CVE

Rootkit Detection: Techniques and Best Practices

Image courtesy of http://xkcd.com/

Continuing my discussion of common classes of attacks, this time I'll be covering rootkits and rootkit detection.

What is a rootkit?
You can see it right in the etymology of the word itself; it's a combination (kit) of software that, once root access is achieved, can carry out stealthy activity of a sort that is usually, but not always, malicious in nature. Rootkit detection can therefore be fairly difficult.

The advantage of having root access is that, as the initial (or root) user, you have superuser privileges, giving you full rights to all files and programs on the system. When the host is compromised via this level of access, detection of the rootkit can be thwarted by sophisticated malware, because the tools an analyst might use to detect or resolve the problem might be manipulated by the malware, causing them to yield bogus or incomplete information.

For instance, consider the infamous case of the 2005 Sony BMG rootkit. Initially, Sony authored a package of software for Windows operating systems that had the relatively benign goal of preventing users from copying CD content. To escape detection, the rootkit modified the operating system in such a way as to prevent all files beginning with a particular prefix from being revealed in searches. Its own files then, of course, were given that prefix.

Today, rootkits are typically combined with malware and, as a rule, are much more sophisticated and much less benign than anything Sony imagined. You can classify them by the level of abstraction they occupy on a system:

- Rootkit detection: User mode. These operate as user-level tasks, usually by invading existing processes, overwriting application memory with their own contents, or both.
- Rootkit detection: Kernel mode. Moving down in abstraction, these rootkits modify the operating system itself (kernel and/or drivers) and are thus substantially harder to detect and eradicate because they can conceal themselves more comprehensively. If you're using a compromised operating system to look for rootkits, it's a tool whose results you can't trust.
- Rootkit detection: Hypervisor.
Still lower in abstraction are rootkits which modify or replace a hypervisor used to govern virtual machines, each of which is running its own operating system on a shared host. At present, rootkits of this type are not present in the wild, but proof-of-concept examples have been developed.
- Rootkit detection: Firmware. These are extraordinarily difficult to address because they are, in a practical sense, embedded in the hardware itself (for instance, a computer BIOS or router firmware) and hence cannot be eliminated even by replacing the operating system completely. In some cases, replacing hardware may be the only plausible solution.

What rootkits all have in common is that they are used to disguise classic malware activity (logging keystrokes, sending credit card numbers to an offsite server, collecting and uploading banking credentials, establishing hidden backdoors for subsequent access by the attacker, etc.) and to prevent rootkit detection. And once installed and running, rootkits can lead to disaster as attackers escalate from one application or system to another.

A variety of investigative techniques for rootkit detection

Fortunately, as usual in security, it's more of an arms race than a one-sided victory. While rootkits have gotten more sophisticated and diverse in nature, so have the tactics and tools available to deal with them. Rootkit detection methods, for instance, include:

- A trusted analysis host.
To bypass the problem of a compromised OS

Published 2016-03-28T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/146411786/0/alienvault-blogs~Rootkit-Detection-Techniques-and-Best-Practices

Security Awareness: Top Tips for Training Your Workers to Be Safer Online

Pen testing is often done when you update your website, create or add an application, update an application, or make any material changes to your network or server. It consists of allowing security or pen testers to undertake mock attacks against your network to proactively identify vulnerabilities. These testers should get full permission from you before attacking your network.

Once they do have your permission, they will utilize every tactic they can think of to try to bring down your system. This includes both external and internal attacks. Pen testers will use special hardware and software to initiate attacks externally.

They will also use psychological "warfare," or social engineering tactics, to try to gain access to your systems.

Published 2016-03-23T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/145523810/0/alienvault-blogs~Security-Awareness-Top-Tips-for-Training-Your-Workers-to-Be-Safer-Online