Want a THREATtoon on your blog or website? Great! Simply cite the cartoon’s original Threat Geek URL under the image and you’re good to go.
Sophisticated malicious files entering today’s networks are not your grandma’s malware. Brick-and-mortar criminals of the past have moved onto the open range of the Internet, relying on the anonymity it provides and the safety of non-extradition countries to shield themselves from law enforcement. Nation states are also upping the game, constantly competing in this generation’s cold war and inserting back doors into critical infrastructure around the world. With so many parties focused on infecting and owning networks, the prevalence of nigh-undetectable malware, and of push-button tools for crafting malicious files and encrypted command-and-control tunnels, has skyrocketed.
Posted by ThreatGeek at 09:00 AM in Advanced Persistent Threat, advanced persistent threat protection, advanced threats, cyber threat intelligence, cyber threat security, cybercrime, data breach prevention, data leakage prevention, data loss prevention, data loss prevention tools, deep session inspection, intelligent network forensics, network analysis and visibility, network forensics, network monitoring, network security monitoring, network surveillance, network visibility, threat assessment
Adobe and its customers experienced a bit of a jolt recently when one of its certificates was compromised. As you may know, certificates are what give some measure of “trust” to applications or other computer artifacts that are signed with them. (If you would like to learn more about the fundamentals of digital certificates, there are a number of online resources.) People assume that assets signed with valid certificates from legitimate companies are safe. Once a certificate has been compromised, it can be used to sign some very unsafe items. That is exactly what has happened here. What makes the story far more interesting is the time interval involved. The certificate was compromised on, or around, July 10, 2012, and the compromise was reported publicly by many sources on September 27, 2012. Adobe didn’t revoke the certificate until October 4, 2012. Two full months of an invalid certificate in the hands of bad guys seems like an inordinately long time.
The compromised certificate was used to sign malicious code by way of a server compromise at Adobe. One of Adobe’s servers that had access to code signing services was not properly secured. This allowed malware authors to gain access to the Adobe server and use it to sign arbitrary files. It appears that only two pieces of malware were signed this way: pwdump7 v7.1, a password hash stealer for Microsoft Windows, and myGeeksmail.dll, an ISAPI filter that examines and modifies data traversing IIS servers. According to Adobe’s disclosure, this malware comes in three pieces: an exe file and two DLL files. The MD5 hashes of each component, both as signed with this certificate and unsigned, are listed below for convenience; the component names and hashes are also available from the Adobe disclosure. There have been reports of other software signed by this certificate that has not been classified as malware, but additional information on this code has not been released.
Malware component files signed by the compromised Adobe certificate (MD5 hashes, signed and unsigned):
Component 1: 130F7543D2360C40F8703D3898AFAC22 (signed), D1337B9E8BAC0EE285492B89F895CADB (unsigned)
Component 2: 095AB1CCC827BE2F38620256A620F7A4 (signed), A7EFD09E5B963AF88CE2FC5B8EB7127C (unsigned)
Component 3: 46DB73375F05F09AC78EC3D940F3E61A (signed), 8EA2420013090077EA875B97D7D1FF07 (unsigned)
The certificate being revoked is a SHA-1 with RSA code signing certificate issued to Adobe Systems Incorporated by the VeriSign Class 3 Code Signing 2010 CA. Its serial number is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88, and it was valid from December 14, 2010 until December 14, 2012 (now revoked as of October 4, 2012).
Beyond cancelling that certificate, my hope is that Adobe will also retract any software that was legitimately signed using it, or provide an update signed with a new and valid certificate. This is no small list or task: it includes Adobe Application Manager, Adobe Provisioning Toolkit, Report Builder, Site Catalyst Real-Time Dashboard, Adobe Update Server Setup tool, Flash Media Server 4.5.3, ColdFusion 10, Flash Player, Adobe Reader, and three AIR applications: Adobe Muse, Adobe Story AIR and Acrobat.com desktop services. These are used on both Mac and Windows.
We have a few recommendations for you. Check any signed executables traversing your network for signatures based on this revoked certificate. Check whether you have any of the affected software packages and make sure they are up to date. Make sure your AV signatures are up to date, as most now include these component MD5s, but don’t rely on AV alone. Anything else found to be signed by this certificate should likewise be treated as malicious or unknown. In general, be aware that code signed with a certificate should be validated. Is it signed by the author or their company, or is it a third-party signature? Was the certificate valid for the period in which the code was signed, and is it still valid? Does the certificate appear on a known revocation list? Many of these checks need a deep session inspection engine like Fidelis XPS to perform them at the network level, so that endpoint servers are not compromised in the first place.
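To make the recommendations above concrete, here is a small triage script. It is an added example, not code from the original post, Adobe or Fidelis. It matches a file's MD5 against the six hashes listed above, locates the Authenticode blob in a PE file via the security data directory and scans it for the revoked certificate's serial number, and answers the three validity questions (signed inside the validity window, still inside it, revoked) against the dates the post gives. The serial-scan is a heuristic (the raw serial bytes appear in the PKCS#7 SignerInfo and in the embedded certificate); it does not verify the signature itself. The `build_sample_pe` helper and its inputs are constructed for the demonstration and are not real samples.

```python
"""Triage helper for files that may be signed with the revoked Adobe certificate.

Added example: stdlib only, offline. Hashes, serial number and dates are the
ones given in the post; every file constructed here is synthetic.
"""
import hashlib
import struct
from datetime import date

# MD5s of the signed/unsigned malware components listed in the post.
KNOWN_BAD_MD5 = {
    "130f7543d2360c40f8703d3898afac22", "d1337b9e8bac0ee285492b89f895cadb",
    "095ab1ccc827be2f38620256a620f7a4", "a7efd09e5b963af88ce2fc5b8eb7127c",
    "46db73375f05f09ac78ec3d940f3e61a", "8ea2420013090077ea875b97d7d1ff07",
}

# Serial number and lifetime of the revoked Adobe code signing certificate.
REVOKED_SERIAL = bytes.fromhex("15e5ac0a487063718e39da52301a0488")
CERT_NOT_BEFORE = date(2010, 12, 14)
CERT_NOT_AFTER = date(2012, 12, 14)
CERT_REVOKED_ON = date(2012, 10, 4)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """True when the file's MD5 is one of the published component hashes."""
    return md5_hex(data) in KNOWN_BAD_MD5


def security_directory(pe: bytes) -> bytes:
    """Return the raw Authenticode blob (IMAGE_DIRECTORY_ENTRY_SECURITY) or b''.

    The security entry is index 4 of the data directory; unlike the other
    entries its first field is a file offset, not an RVA.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return b""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return b""
    opt = e_lfanew + 4 + 20  # skip PE signature and COFF file header
    if len(pe) < opt + 2:
        return b""
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ data directory start
    if dd_base is None:
        return b""
    entry = opt + dd_base + 4 * 8
    if len(pe) < entry + 8:
        return b""
    off, size = struct.unpack_from("<II", pe, entry)
    if off == 0 or size == 0 or off + size > len(pe):
        return b""
    return pe[off:off + size]


def signed_with_revoked_cert(pe: bytes) -> bool:
    """Heuristic: the revoked certificate's serial appears in the signature blob."""
    return REVOKED_SERIAL in security_directory(pe)


def certificate_status(signing_day: date, today: date) -> str:
    """The post's three questions, simplified (no timestamp countersignature logic)."""
    if not (CERT_NOT_BEFORE <= signing_day <= CERT_NOT_AFTER):
        return "signed outside validity period"
    if today >= CERT_REVOKED_ON:
        return "revoked"
    if today > CERT_NOT_AFTER:
        return "expired"
    return "valid"


def triage(data: bytes) -> list:
    """Findings for one file: known-bad hash and/or revoked-certificate signature."""
    findings = []
    if is_known_bad(data):
        findings.append("known-bad-md5")
    if signed_with_revoked_cert(data):
        findings.append("revoked-adobe-cert")
    return findings


def build_sample_pe(blob: bytes, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE whose security directory points at `blob` (test data only)."""
    magic, dd_base = (0x20B, 112) if pe32plus else (0x10B, 96)
    e_lfanew = 0x40
    opt_size = dd_base + 16 * 8          # 224 bytes for PE32, 240 for PE32+
    blob_off = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<II", opt, dd_base + 4 * 8, blob_off, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    sample = build_sample_pe(b"\x30\x82\x00\x20\x02\x10" + REVOKED_SERIAL)
    print(triage(sample), certificate_status(date(2012, 7, 10), date(2012, 10, 5)))
```

For real files, feed `triage()` the bytes of each executable seen on the wire or on disk; a hit on either finding warrants quarantine, and a signature whose certificate was valid when the code was signed but is now revoked is the exact window the post is worried about.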
1. http://www.spamfighter.com/News-17971-Hackers-Compromise-Adobes-Software-Endorsing-Certificate.htm, Retrieved Oct. 5, 2012.
2. http://www.networkworld.com/news/2012/092812-adobe-hack-262860.html, Retrieved Oct. 5, 2012.
3. http://www.adobe.com/support/security/advisories/apsa12-01.html, Retrieved Oct. 5, 2012.
4. http://computer.howstuffworks.com/digital-signature.htm, Retrieved Oct. 5, 2012.
5. https://www.symantec.com/products-solutions/families/?fid=code-signing, Retrieved Oct. 5, 2012.
Posted by ThreatGeek at 02:23 PM in advanced malware, Advanced Persistent Threat, advanced threats, content inspection, content monitoring, content protection, cyber threat intelligence, cyber threat security, cybercrime, data breaches, deep session inspection, network analysis and visibility, network forensics, network forensics tools
Your adversary is not some random piece of self-replicating software. Your adversary is a human being who—like you—is staring at a screen, mashing on a keyboard and working on a project of great importance. Does your defensive posture reflect this new reality?
Remember the good old days of Slammer, Blaster, Nimda and Code Red? They were the headline-grabbers of a bygone age in information security. In those days, our interest in the actual humans behind those big, noisy, opportunistic infections was ancillary: occasionally, months after an outbreak, we might have come across a minor news story about a pimply-faced teenager appearing in a courtroom somewhere to answer for his mischief.
Now consider today’s headline-grabbers: Aurora, Stuxnet, Flame and Gauss. What makes this a new era is not that any given piece of malware may be more sophisticated; it’s the “who” behind the malware that gives us pause. Credit for Aurora, a 2009 attack on Google and other high-profile companies, is generally given to the Chinese government. Then there’s Stuxnet, a mid-2010 state-sponsored attack against Iran’s uranium enrichment facilities. And Gauss and Flame, two notable 2012 attacks that may also have been carried out by state actors. And in parallel with this excitement about state-sponsored activity, we’ve seen an increase in grassroots hacking as well, with loose collectives like Anonymous and Lulzsec regularly making the news.
Maybe breathless headlines about cyberweapons and hacktivism are overblown and maybe they’re not. But what’s clear is that if you have a network to defend, fixation on detecting the latest malware will get you nowhere if you overlook the focused, smart, dedicated human (or humans) on the other end of the line. They’re not casting a wide net, trying random doorknobs; they’re targeting you, your employees and your partners. If the stakes are high enough, they’re even targeting your employees’ family members for backdoor access into your network. It’s perfectly likely that your adversary is probing (or has already breached) your defenses.
Are you ready? How would you know if a stealthy, focused team of adversaries quietly slipped into your network? How would you respond if you knew? Are you counting on your technologies alone to save you from the reconnaissance that leads to infection, or the infection that leads to escalation of privilege and propagation, or the expanded foothold that leads to exfiltration and/or sabotage? They won’t. And they can’t. Not without you at the helm, persistently involved in the defense of your assets.
Some of the stages in this simplified threat life cycle (reconnaissance, breach, propagation, exfiltration) certainly involve malware of some kind, but usually malware is only a small part of a much bigger picture. And while it is true that when malware is used it is only as sophisticated as it needs to be to get the job done (it being prudent to save the juiciest techniques for the hardest targets), your father’s antivirus, firewall and IPS no longer pose even an interesting challenge to a talented and well-equipped adversary.
Fortunately, an array of younger companies (I work for one myself) offer updated technologies that approach the problem in any number of clever and interesting ways. Some of these new technologies are promising and exciting, but in a climate where we’re battling other humans, in what amounts to real time, for control over our networks, no completely automated defense will work.
People and processes are the sine qua non: they are essential to augment the technologies you’re considering for your networks. You need hunters, actively probing for anomalous traffic using the best available network visibility and correlation technologies. You need robust detection and mitigation processes that take modern threat actors’ tools, tactics and procedures into account. You need a robust and effective incident response regime to break you out of the constant whack-a-mole infection cycle. In fact, the most effective defenders regularly conduct exercises and simulations to test and continuously improve their own people, processes and technologies.
This comprehensive approach to network defense doesn’t come easy or cheaply. But if your aim involves protecting things of value from risk or harm, then you need to make sure you’re allocating scarce resources wisely. After all, your adversaries know how to focus on people and process. And your adversaries know better than to overestimate the importance of technology alone in fulfilling their mission. See that you do as well.
Posted by ThreatGeek at 12:25 PM in advanced malware, Advanced Persistent Threat, advanced threats, APT prevention, APT protection, cyber threat intelligence, cyber threat security, cybercrime, data breach prevention, data breaches, deep session inspection, incident response, network analysis and visibility
If you're responsible for securing your enterprise network, you regularly detect attackers attempting to penetrate your perimeter defense. And, every so often, an attack succeeds. Now you know a system is compromised, and while you can fix that system, you're stuck with a few open items to resolve:
Once you know these answers, you'd ideally like to go back to your security tools to write rules to help prevent future breaches using the same techniques.
You could try to do this with tools that rely on netflow, which typically means you have a listing of the IP information for all flows in your environment. But when the attack involves the same malware served from different, potentially geographically distributed servers, what does netflow alone tell you?
You could try to do this with tools that capture all packets, index them, and then let you run high-level queries. The issue is that you're now establishing a SAN at every monitoring point, and the queries take far too long to run, especially when they involve content-level searches. Plus, once you do find what you were looking for, you still need to decide what action to take on the network. Block communication at the firewall? How will that help when the adversary is using assets around the world?
Starting now, you can use Fidelis XPS™ Collector, in conjunction with Fidelis XPS CommandPost and sensors, to store and query rich session metadata on all traffic at your monitoring points. The sensors decode sessions in real time, extracting information about all aspects of the session, including netflow, SSL signing certificates, To, From and Subject fields from enterprise e-mail and webmail, executable signing information with build times, and much more. This information is readily queried and correlated in an enterprise-class database. When you've identified enough characteristics of the attacks, perhaps a unique User-Agent string or Referer, you can easily create rules in Fidelis XPS to block those sessions on the network the next time the attacker is back. And, in case you're wondering, all these systems are available as either 1U rackmount appliances or virtual appliances, giving you a pain-free deployment and operational cycle.
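The pivot the post describes, from a unique session characteristic to every server the attacker used, can be shown on a handful of session metadata records. This is an added example, not Fidelis XPS code or its rule syntax: the records, field names, IP addresses (TEST-NET ranges) and the `Updater/1.0` User-Agent are all constructed, and the rule format is a plain dictionary invented for the illustration. It shows why a rule on the first server IP seen both misses the second server and overblocks legitimate traffic, while a rule on the User-Agent catches both sessions and nothing else.

```python
"""Pivoting on session metadata instead of IPs (added example, constructed data)."""
import re
from collections import Counter

# Constructed values: a distinctive User-Agent for the hypothetical malware and a
# common browser string for everything else.
BAD_UA = "Updater/1.0 (build 20120928)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Chrome/21.0"

# Constructed session metadata records, loosely modelled on the fields the post
# lists (source, destination, HTTP User-Agent, Referer). Not captured traffic.
SESSIONS = [
    {"src": "10.0.0.15", "dst": "203.0.113.7",   "user_agent": BAD_UA,     "referer": ""},
    {"src": "10.0.0.15", "dst": "203.0.113.7",   "user_agent": BROWSER_UA, "referer": "http://intranet.example/portal"},
    {"src": "10.0.0.42", "dst": "198.51.100.23", "user_agent": BAD_UA,     "referer": ""},
    {"src": "10.0.0.42", "dst": "192.0.2.90",    "user_agent": BROWSER_UA, "referer": "http://www.example.com/"},
    {"src": "10.0.0.77", "dst": "192.0.2.90",    "user_agent": BROWSER_UA, "referer": "http://www.example.com/"},
]


def pivot(sessions, field, value):
    """All sessions whose `field` equals `value` (the analyst's pivot query)."""
    return [s for s in sessions if s[field] == value]


def destinations_for(sessions, field, value):
    """Every external server reached by sessions sharing one characteristic."""
    return {s["dst"] for s in pivot(sessions, field, value)}


def sources_for(sessions, field, value):
    """Every internal host involved, i.e. the machines to triage."""
    return {s["src"] for s in pivot(sessions, field, value)}


def uncommon_values(sessions, field, max_sessions=2):
    """Hunting aid: values of `field` seen in at most `max_sessions` sessions."""
    counts = Counter(s[field] for s in sessions)
    return [v for v, n in counts.items() if n <= max_sessions]


def make_rule(field, pattern):
    """Illustrative rule representation (not a Fidelis XPS rule): a regex on one field."""
    return {"field": field, "regex": re.compile(pattern)}


def matches(rule, session):
    return rule["regex"].search(session[rule["field"]]) is not None


def blocked_by(rule, sessions):
    """Sessions the rule would act on; used to check reach and overblocking."""
    return [s for s in sessions if matches(rule, s)]


if __name__ == "__main__":
    print("rare User-Agents:", uncommon_values(SESSIONS, "user_agent"))
    print("servers used:", destinations_for(SESSIONS, "user_agent", BAD_UA))
    print("hosts to triage:", sources_for(SESSIONS, "user_agent", BAD_UA))
    ip_rule = make_rule("dst", r"^203\.0\.113\.7$")
    ua_rule = make_rule("user_agent", r"^Updater/1\.0")
    print("IP rule hits:", len(blocked_by(ip_rule, SESSIONS)))
    print("UA rule hits:", len(blocked_by(ua_rule, SESSIONS)))
```

Run against real metadata the same logic scales: `uncommon_values` surfaces candidates for a hunter to look at, `destinations_for` and `sources_for` scope the incident, and `blocked_by` lets you measure a candidate rule's reach and collateral before deploying it.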
Posted by ThreatGeek at 01:01 PM in Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, content inspection, content monitoring, content protection, cyber threat intelligence, cyber threat security, data breach prevention, data leakage prevention, data loss prevention, data loss prevention tools, deep session inspection, Hardik Modi, intelligent network forensics, network analysis and visibility, network forensics, network forensics tools, network monitoring, network security appliance, network security monitoring, network surveillance, network visibility
Just a few minutes ago, General Dynamics announced a definitive agreement to acquire Fidelis. I wanted to share my thoughts about how this move creates an unparalleled partner for commercial CSOs who are working hard and fast to get their heads around advanced persistent threats that are in search of their organizations’ intellectual property.
In the not too distant past, CSOs were dealing with “the hacker down the street,” who was largely a nuisance and who typically made it pretty apparent what they were doing. Today, CSOs need to contend with advanced persistent threats: a “who,” not a “what,” from a nation state that is very stealthy and very patient, and that is intent on stealing something for financial gain. While this sophisticated threat is newer to the commercial sector in the U.S., our Federal Government has been battling these adversaries for a very long time.
The best way the commercial sector can combat this highly motivated and organized threat is to be given access to the very smart people who can share intelligence, tools and know-how they’ve amassed from protecting our nation’s most sacred intellectual property for decades. A very significant step forward in this kind of information-sharing is being taken with the acquisition of Fidelis by General Dynamics.
If you’ve been following Threat Geek, you know I have strong opinions on cybersecurity legislation. In particular I am a proponent of some sort of framework that facilitates collaboration between our government and the commercial sector. I firmly believe this would significantly improve our ability to uncover, study and stop these threats that are a risk to our critical infrastructure and economy, among other things. I was disappointed two weeks ago when Congress voted to essentially cease discussion about cybersecurity legislation. This lack of action effectively tells our adversaries we don’t see them as a big enough threat. I believe otherwise, which is why I’m looking forward to my new role as head of a new line of business within the Cyber Systems Division of General Dynamics Advanced Information Systems.
In the coming days and weeks, General Dynamics’ existing commercial incident and forensics business will be integrated under Fidelis. This will further enhance our advanced threat detection capability and add robust network forensics capability, which is supported by insight garnered from managing 2,500+ cyber-investigations and solving some of the world’s largest commercial network intrusions.
While the purpose of Threat Geek is to share actionable security insights on what’s going on in the industry (and to provide a little levity with THREATtoons), rather than talk about Fidelis and our products, I thought it was important to provide context for today’s news. Thank you for indulging me. I hope you share my excitement about the opportunity ahead.
Posted by ThreatGeek at 10:35 AM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, content inspection, content monitoring, content protection, cyber threat intelligence, cyber threat security, data leakage prevention, data loss prevention, deep session inspection, extrusion prevention, incident response, information assurance, insider threat, intelligent network forensics, network analysis and visibility, network forensics tools, network monitoring, network visibility, Peter George, threat intelligence
Posted by ThreatGeek at 09:01 AM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, content monitoring, content protection, cyber threat security, cybercrime, data breach prevention, data leakage prevention, data loss prevention, data loss prevention tools, deep session inspection, extrusion prevention, information protection, network security monitoring, situational awareness