Want a THREATtoon on your blog or website? Great! Simply cite the cartoon’s original Threat Geek URL under the image and you’re good to go.
Posted by ThreatGeek at 09:00 AM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, content monitoring, cyber information protection, information protection, intelligent network forensics, network analysis and visibility, network forensics, network forensics tools, network monitoring, network security appliance, network security monitoring, THREATtoons
A priority for network defenders is to find a potential threat at the earliest possible stage. While it is important to identify that a system has been infected by observing its outbound command and control communication, the real benefit, both in remediation time and in potential data and financial loss, comes from detecting the malicious file entering the network before the infection. Better still is to detect the exploit vector attempting to compromise a system before the malicious file is downloaded. Defense-in-depth applies not only to maintaining multiple solutions, but also to ensuring those solutions scan several steps of the campaign lifecycle.
Posted by ThreatGeek at 03:16 PM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, content monitoring, cybercrime, Michael Nichols, network analysis and visibility, network forensics, network forensics tools, network monitoring, threat intelligence, threat intelligence feed, XPS
Posted by ThreatGeek at 09:00 AM in advanced malware, Advanced Persistent Threat, advanced threats, cyber information protection, cyber threat intelligence, cyber threat security, cybercrime, data breaches, data loss prevention, data loss prevention products, data loss prevention tools, insider threat, intelligent network forensics, network analysis and visibility, network forensics, network forensics tools, network monitoring, network visibility, protect against APT, THREATtoons
Posted by ThreatGeek at 09:00 AM in advanced malware, Advanced Persistent Threat, advanced threats, cyber threat security, cybercrime, data breaches, insider threat, intelligent network forensics, network analysis and visibility, network forensics, network forensics tools, network monitoring, network security appliance, network security monitoring, network visibility, threat intelligence, THREATtoons
A recent cyber-attack reported within the South Korean broadcasting and banking infrastructure reportedly brought down over 35,000 systems. This attack has drawn comparisons in intent and method to the recent wiping attack against Saudi Aramco by the Shamoon malware. Shamoon has been covered extensively by the community, and was covered in Fidelis Threat Advisory #1007. Naturally our curiosity was piqued, and we acquired samples of the malware and started analysis.
The initial analysis has been posted on the Fidelis Threat Geek blog and will be expanded upon in this advisory. This write-up will focus on the wiper malware used and the recovery techniques that are possible.
From preliminary analysis it is known that the malware will overwrite the Master Boot Record (MBR) and Volume Boot Record (VBR). The records and files overwritten by the malware so far have been wiped with repeating patterns of 'HASTATI' or 'PR!NCPES'.
The malware samples that have been analyzed by our team are different in code and function from the Shamoon malware. However, by using the same recovery methods found in advisory #1007 the files and data are indeed recoverable.
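The wipe described above leaves a recognisable signature on disk: boot sectors filled with a repeating ASCII pattern instead of boot code and a 0x55AA signature. The following is an added forensic triage example, not code from the advisory or from Fidelis; it assumes a raw 512-byte-sector disk image, treats a sector as wiped when at least half of it is covered by one of the two patterns named above, and walks the MBR partition table to locate each VBR. The sample image is constructed inline so the script runs offline; the recovery steps from advisory #1007 are not reproduced here.

```python
import struct

SECTOR = 512
# Fill patterns named in the advisory; the exact tiling on a victim disk may differ.
WIPE_PATTERNS = (b"HASTATI", b"PR!NCPES")


def classify_sector(sector: bytes) -> dict:
    """Classify one 512-byte sector: 'wiped' (pattern fill), 'intact' (has a
    0x55AA boot signature) or 'unknown' (neither, e.g. zeros or file data)."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    has_sig = sector[510:512] == b"\x55\xaa"
    for pat in WIPE_PATTERNS:
        covered = sector.count(pat) * len(pat)  # non-overlapping occurrences
        if covered >= SECTOR // 2:
            return {"status": "wiped", "pattern": pat.decode(), "boot_signature": has_sig}
    return {"status": "intact" if has_sig else "unknown", "pattern": None, "boot_signature": has_sig}


def partition_starts(mbr: bytes) -> list:
    """Starting LBAs of the non-empty primary partition entries (table at offset 446)."""
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba = struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0 and lba != 0:
            starts.append(lba)
    return starts


def triage_image(image: bytes) -> dict:
    """Report MBR state, each VBR's state (when the MBR is still readable) and
    every sector in the image that carries a wipe pattern."""
    mbr = image[0:SECTOR]
    report = {"mbr": classify_sector(mbr), "vbrs": {}, "wiped_sectors": []}
    if report["mbr"]["status"] == "intact":
        for lba in partition_starts(mbr):
            off = lba * SECTOR
            if off + SECTOR <= len(image):
                report["vbrs"][lba] = classify_sector(image[off:off + SECTOR])
    for n in range(len(image) // SECTOR):
        if classify_sector(image[n * SECTOR:(n + 1) * SECTOR])["status"] == "wiped":
            report["wiped_sectors"].append(n)
    return report


def build_sample_image() -> bytes:
    """Constructed test image (not a real capture): intact MBR with one NTFS
    partition starting at LBA 4, that partition's VBR wiped with HASTATI,
    one untouched data sector, then a sector wiped with PR!NCPES."""
    mbr = bytearray(SECTOR)
    entry = bytearray(16)
    entry[4] = 0x07                       # partition type: NTFS
    struct.pack_into("<I", entry, 8, 4)   # start LBA
    struct.pack_into("<I", entry, 12, 4)  # sector count
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    sectors = [bytes(mbr), bytes(SECTOR), bytes(SECTOR), bytes(SECTOR)]
    sectors.append((b"HASTATI" * 74)[:SECTOR])   # LBA 4: wiped VBR
    sectors.append(b"A" * SECTOR)                # LBA 5: ordinary file data
    sectors.append(b"PR!NCPES" * 64)             # LBA 6: wiped with the second pattern
    return b"".join(sectors)


if __name__ == "__main__":
    for key, val in triage_image(build_sample_image()).items():
        print(key, val)
```

On a real image, `wiped_sectors` is the list worth carrying into recovery: it separates sectors that were actually overwritten from those that are merely unreachable because the MBR or VBR in front of them was destroyed.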
Posted by ThreatGeek at 10:22 AM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, content monitoring, content protection, cyber information protection, cyber threat security, cybercrime, data breaches, Fidelis Threat Advisories, insider threat, network analysis and visibility, network forensics, network monitoring, prevent cyber attacks, prevent data breaches, protect against APT, threat intelligence
Bored between cases? Check out this portal that shows real-time attacks hitting Deutsche Telekom honeypots (http://www.sicherheitstacho.eu/). According to Thomas Kremer (Board Member for Data Privacy, Legal Affairs and Compliance), Deutsche Telekom has taken a proactive approach to threat monitoring. The company has taken the lead in coordinating attack information from over 90 honeypots, 55 of which it owns. The honeypots collect over 400,000 attacks per day (that’s 4-5 attacks per second). According to its news release, the company uses the data collected from the honeypots to create or enhance defensive capabilities. The website uses a view of the globe and, when an attack occurs, a red dot is pinged on the source country. Around the map are statistics from last month for the top-15 source countries, top-5 attack types, types and distribution of attack targets and the total of both attacks and attackers per day.
I would expect nothing less from a telecommunication provider. What I did not expect was to find an online portal with real-time statistics of the attack vectors directly from their honeypots – at least not without some sort of login.
Another popular real-time and graphical honeypot reporting website is honeynet.org (http://map.honeynet.org/), which was also created by two Germans.
I can understand why academic researchers like Florian Weingarten and Mark Schloesser, both from HoneyMap, would create and publish such a webpage, but why would a company that sells to businesses, governments and consumers do the same? What would justify spending money and resources in publishing a graphical interface displaying attack sources as they happen? One could make an argument for corporate social responsibility (CSR) or business ethics, but I don’t want to waste brain power on the steganographic marketing scheme that is CSR. Instead, I would like to assume that a company like Deutsche Telekom would be motivated to create a gratuitous offering of information similar to why a company would place their corporate headquarters in sharp and professional-looking buildings with trimmed foliage exteriors and inviting interiors. The goal is to present to future customers and existing customers that the company is serious about business and will be around for a long time. Similarly, presenting a honeypot attack map demonstrates to existing and future customers that the company is committed to investing in what they see as being (potential) future costs in terms of breaches into its own network or customer networks. The bottom line is that, as with most everything in cybersecurity, the ROI on investing in threat analysis rarely ties directly to short-term and direct revenue lines. Instead, companies like Deutsche Telekom realize that investing in threat analysis affects long-term and indirect revenue lines.
The Deutsche Telekom website is a product of a partnership with the Allianz für Cyber-Sicherheit (Alliance for Cyber Security), a government-sponsored joint initiative between the German Federal Office for Information Security (BSI) and the German Association for Information Technology, Telecommunication and New Media (BITKOM).
T-Systems (an operational subsidiary of Deutsche Telekom) maintains the site and is Germany’s largest and one of Europe’s largest IT services companies. Viewers will immediately recognize the letter “T” in the company’s logo because Deutsche Telekom also owns T-Mobile. T-Systems provides primarily B2B and B2G services, with other operational arms of the company providing mobile, landline, broadband and TV services. According to its 2012 annual report, Deutsche Telekom reorganized its internal IT infrastructure by consolidating it into a new Telekom IT unit. Based on my experience in working with global organizations, consolidation not only saves cost but can foster positive collaboration and information exchange, assuming leaders promote such collaboration and exchange within the newly consolidated environment. Without knowing the inner workings of the new IT organization, the honeypot sensors and information output appear to be very encouraging effects of positive information sharing.
Posted by ThreatGeek at 04:49 PM in Advanced Persistent Threat, advanced persistent threat protection, advanced threats, content inspection, content monitoring, content protection, cyber information protection, cybercrime, network monitoring, network security monitoring, Ryan Vela, threat intelligence
I recently had a conversation with a friend who is now in charge of cybersecurity for a large company (100+ virtual and physical servers). He was prepared for the age-old cybersecurity problem of justifying a security budget from company leadership. All of us who work in the industry know the chicken and egg problem that has plagued security for years:
You: Boss, we need to spend $100,000 on security tools.
Boss: Why? What happened? Did we get hacked?!? Did we lose data?!?!!!
You: No, no, this is preventative and proactive so that we do not get hacked.
Boss: Have we ever been hacked? Why should we buy a tool if we’ve never been hacked?
You: We have no knowledge of ever being hacked, but we cannot tell if we are being hacked because we do not have these tools.
Boss: If we get hacked, are being hacked, or there’s a threat of being hacked, then we can buy the tools.
You: But... uh... if we do not have the tools, then we won’t know if we are hacked.
(Pre-2003) Boss: Not my problem.
(Post-2003) Boss: Okay, you can have $50,000.
After 2003, cybersecurity leaders found it easier to get that first set of annual funding for tools and resources to run their organization. My friend found this to be true as he went through his first fiscal budget process. However, he quickly ran into the newest problem for cyber security leaders. No longer is it good enough to simply get your budget and be content. Tools breed tools; resources breed resources.
He purchased his network security monitoring tool and found things on his network that require special attention. In other words, his investment was paying off, but, as he would find, at an expensive cost. The issues he found on the network required his staff to 1) figure out what was going on, 2) log the situations, 3) respond to the situations if nefarious activities were occurring and 4) prevent the situations from occurring in the future. He found that he needed more tools for steps 1, 3, and 4. His staff are all cybersecurity people and they know how to work with very tight budgets. In the first step, when figuring out what was going on (i.e. what type of communication is occurring, from what applications, what the sources and destinations are, etc.), his team used open-source tools. Open-source is an indispensable avenue that remains a major part of any security team’s toolbox. However, he is anxious because he knows that as the organization grows, open-source may not remain a viable solution for monitoring his network.
Luckily, the tools that he purchased to perform monitoring also provide logging. So, his team has to keep a set of Word documents for each situation. He uses a unique numbering scheme to keep track of the situations for posterity. Each situation is stored in a Word document. More elegant systems (think helpdesk tickets) could be used, but that’s a software solution that costs more money. He thought about pushing for this but said, “I need more important software than a ticketing system.” He is right.
Then he came to the part in the incident response process of responding to a situation. His staff had nothing but open-source tools and they were not adequate to provide sufficient triage and information-gathering to respond appropriately. Therefore, he needed some type of forensic software. He has no idea how he’s going to ask for more money when it was such a hassle to get 50% of what he asked for last year.
And then there is the last part dealing with the prevention of the situation from occurring in the future, which is somewhat contingent on getting verification on the bad activity happening. He already requests his normal edge protection and internal data-layer protection, but specialty appliances? What a vexing situation.
So, the last time I talked to him he was faced with a quandary where he asked for a budget. Actually, he asked for double what he needed and received half. He bought his special monitoring software and found suspicious happenings on the network. Now, because he asked for the money and installed the software, he is forced to ask for more money to respond appropriately to the suspicious findings. He said, “If I had not asked for this in the beginning, then I wouldn’t have this problem. I wonder if they don’t want to know if bad things are happening.”
I think this problem is typical of how businesses operate in general, but applying so specifically to cybersecurity, it will plague leaders for years to come. For those up-and-coming professionals in leadership roles, you should be aware that once you get security tools, you’ll need more because tools breed tools. In my experience, the only organizations that have been given blank checks for cybersecurity are those who have been breached. Believe me; you don’t want that kind of blank check.
Posted by ThreatGeek at 10:00 AM in Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, content monitoring, content protection, cyber threat intelligence, cyber threat security, cybercrime, data loss prevention, data loss prevention products, data loss prevention tools, incident response, information protection, intelligent network forensics, network analysis and visibility, network forensics tools, network monitoring, network visibility, prevent data breaches, protect against APT, Ryan Vela
There has been a lot of discussion about indicators of compromise lately (not to mention the seismic APT1 report released by Mandiant). Do you feel like the guy in the CarMax commercial who has a vague idea of what he wants to do but may not know where to begin? You may be suffering from information overload and wondering what to attack first and what to put on the back burner. While I cannot make risk-based decisions for everyone, my aim in this blog post is to let you know that you are not alone and to provide some information that might help you develop an attack plan.
This is a common issue for enterprise defenders. A majority of what passes for “threat intelligence” is a list of IP addresses, domain names and/or MD5 hash values. While these indicators can be useful for what is happening today, changing these values is very simple for adversaries and can often even be automated to some extent. I’m not suggesting that you ignore these types of indicators when they appear in your logs or SIEM solutions. It can indeed prove useful to identify any immediate infections based on these indicators. You may also want to consider what will cause the most headaches for your attackers when thinking about what indicators to implement in your controls.
A few days ago a guy named David Bianco wrote an article called The Pyramid of Pain. In this article he broke out the level of pain that each type of general indicator would cause an adversary if one were able to implement controls around those indicators. I would go one step further in suggesting that the pain pyramid should also show the level of difficulty it generally takes a team of defenders to obtain and/or implement such indicators.
In his article, Bianco mentioned that IP addresses and domain names are trivial for an adversary to change. This is evident in the case of malware samples that utilize fast flux, double flux or domain name generation algorithms built right into the code itself. These techniques are not new; there are samples tracking back to the early 2000s. These indicators are trivial for the attackers to change and are therefore generally low on the pain scale for defense.
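To make the point about "low pain" indicators concrete, here is an added example (my own code, not Bianco's and not a Fidelis tool) that runs a small indicator set over constructed proxy log lines and reports each hit with its Pyramid of Pain tier. The log format (`key=value` pairs), the indicator values (RFC 5737 documentation addresses, example.net hostnames, a made-up MD5 and a made-up User-Agent string) and the tier numbers are all assumptions for the demonstration; the tool and TTP tiers above these are not expressed as value lookups because that is exactly why they hurt the adversary more.

```python
import re

# Pyramid of Pain tiers for indicators that can be expressed as a value lookup.
# Lower number = easier for the adversary to change (IP/domain rotation, recompiling
# to change a hash). Tools and TTPs sit above these and need behavioural detection.
PAIN_TIER = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4}

# Constructed indicator set: placeholders only, not indicators from any report.
INDICATORS = {
    "hash": {"0123456789abcdef0123456789abcdef"},
    "ip": {"203.0.113.10", "198.51.100.7"},
    "domain": {"c2.example.net", "update.example.org"},
    # A static User-Agent string baked into an implant is a network artifact:
    # it survives IP/domain rotation and recompilation with a new hash.
    "artifact": {"Mozilla/4.0 (compatible; MSIE 6.0; EXAMPLE-UA)"},
}

# Which field of this (assumed) proxy log format carries which indicator type.
FIELD_TYPE = {"md5": "hash", "dst": "ip", "host": "domain", "ua": "artifact"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse 'key=value' and 'key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_line(line: str) -> list:
    """Return every indicator hit on one line as (type, value, pain_tier)."""
    fields = parse_line(line)
    hits = []
    for field, ioc_type in FIELD_TYPE.items():
        value = fields.get(field)
        if value is not None and value in INDICATORS[ioc_type]:
            hits.append((ioc_type, value, PAIN_TIER[ioc_type]))
    return hits


def triage(lines: list) -> list:
    """Flag lines with any hit, ordered so the most durable matches (highest tier)
    come first: those are the ones the adversary cannot shake by rotating infrastructure."""
    flagged = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            top = max(hits, key=lambda h: h[2])
            flagged.append({"line": n, "top_tier": top[0], "hits": hits})
    return sorted(flagged, key=lambda f: PAIN_TIER[f["top_tier"]], reverse=True)


# Constructed sample log: line 1 hits on everything; line 2 only on the hash;
# line 3 is clean; line 4 shows the adversary having rotated IP, domain and
# binary, with only the User-Agent artifact still matching.
SAMPLE_LOG = [
    '2013-03-01T10:02:11Z src=10.0.0.5 dst=203.0.113.10 host=c2.example.net '
    'ua="Mozilla/4.0 (compatible; MSIE 6.0; EXAMPLE-UA)" md5=0123456789abcdef0123456789abcdef',
    '2013-03-01T10:05:40Z src=10.0.0.9 dst=192.0.2.44 host=www.example.com '
    'ua="Mozilla/5.0 (Windows NT 6.1)" md5=0123456789abcdef0123456789abcdef',
    '2013-03-01T10:07:02Z src=10.0.0.12 dst=192.0.2.80 host=www.example.com '
    'ua="Mozilla/5.0 (Windows NT 6.1)" md5=fedcba9876543210fedcba9876543210',
    '2013-03-02T08:15:33Z src=10.0.0.5 dst=192.0.2.99 host=news.example.com '
    'ua="Mozilla/4.0 (compatible; MSIE 6.0; EXAMPLE-UA)" md5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Line 4 is the interesting one: every "trivial" indicator has been rotated, yet the artifact-level match still fires, which is the practical argument for spending control-engineering effort higher up the pyramid.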
If you have been doing incident response for any government agency or larger private sector company in the past five years, you can probably relate to much of Mandiant’s APT1 report with a head nod and a mumble of “yup, seen that technique before”. The reason that a lot of APT groups have been using the same or similar techniques for a long time is that they still work! They only tend to change their tactics when they have to. For an interesting timeline of the change of the APT1 indicators, check out Mila Parkour’s awesome work over at this Contagio blog post.
The malware families listed in the Contagio post are the items that start to reach the upper part of the pain pyramid, beginning with tools and extending into tactics, techniques and procedures (TTPs). They are high on the pain scale because of the cost to the adversary when you find these items, either through incident response or through threat intelligence reports, and can alert on them or, better yet, stop the activity. The adversary now has to modify their modus operandi, which is indeed a lot of work for these groups. This could mean that they have to change the way they get into your environment, the way they write their tools, the way they maintain their access and/or the way they exfiltrate information from your network.
The challenge for enterprise defenders concerning these more painful indicators is, clearly, learning about these toolsets and TTPs. Some advanced adversary groups have continued to use commonly known tools and TTPs in government and private sector networks because they still work in those environments. Well-equipped defenders have learned about them long ago and have since put controls in place to stop or alert on signs of their use.
The other pain angle is actually finding controls that can track advanced techniques, as they tend to be wrapped in other protocols or obfuscated in some way that bypasses typical protections. Here is a good article by the Trend Micro lab team outlining some of the common toolsets used by Advanced Persistent Threats.
Many of the tools listed in that article, especially the ones used for command and control (C2), or lateral movement, can be caught using tools such as the Fidelis XPS Internal or Fidelis XPS Direct sensors. Devices such as the Fidelis XPS Mail Sensor can also catch some of the techniques involved in their TTPs. Some of these techniques include spear phishing e-mails containing suspicious links or attachments that appear to be documents such as PDFs that are actually executable files such as screen savers (.scr), general executable PE file types or XOR’d payloads. These techniques do not fool these systems because we decode the payloads to reveal their true file types and contents.
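The attachment checks described above, identifying an attachment by its content rather than its name and unmasking a single-byte XOR'd executable, can be illustrated in a few dozen lines. This is an added example of my own, not Fidelis XPS code and not a description of how the XPS sensors decode payloads; it assumes attachments arrive as (filename, bytes) pairs and only inspects the first 1 KiB, which is enough to find the DOS stub and the PE header it points to. The PE header used as sample input is constructed (header bytes only, not a program) so the script runs offline.

```python
import struct

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}
HEAD = 1024  # bytes inspected; a PE header beyond this is not detected


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'.
    .exe, .dll and .scr files all share this layout."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def true_type(data: bytes) -> str:
    """File type from magic bytes, ignoring whatever the filename claims."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if is_pe(data):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # also OOXML documents
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"  # legacy Office container
    return "unknown"


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_pe(data: bytes):
    """Try every single-byte XOR key; return the key that yields a PE header, else None.
    Key 0 is the plaintext case and is handled by true_type()."""
    for key in range(1, 256):
        if is_pe(xor_single(data, key)):
            return key
    return None


def inspect_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the real content and return a verdict."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    head = data[:HEAD]
    kind = true_type(head)
    key = None
    if kind == "unknown":
        key = find_xored_pe(head)
        if key is not None:
            kind = "pe"
    if key is not None:
        verdict = "xor-obfuscated-executable"
    elif kind == "pe" and claimed in DOCUMENT_EXTS:
        verdict = "executable-disguised-as-document"
    elif kind == "pe":
        verdict = "executable"  # includes the .scr case
    else:
        verdict = "ok"
    return {"name": name, "claimed_ext": claimed, "true_type": kind,
            "xor_key": key, "verdict": verdict}


def minimal_pe() -> bytes:
    """Constructed input: header bytes that satisfy is_pe(); not a runnable program."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    samples = [
        ("invoice.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("invoice.pdf.scr", minimal_pe()),
        ("report.pdf", minimal_pe()),
        ("notes.pdf", xor_single(minimal_pe(), 0x5A)),
    ]
    for name, data in samples:
        print(inspect_attachment(name, data))
```

The single-byte XOR search is deliberately limited to the first kilobyte: the point is to reveal the true file type cheaply at the mail gateway, and any stronger obfuscation is a reason to hand the attachment to sandboxing rather than to keep brute-forcing inline.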
To conclude, there is no shortage of “low pain” indicators available for defenders to use. They can be helpful for rapid identification and remediation of current infections. My suggestion is that defenders start implementing internal databases or utilize third-party threat intelligence solutions that can provide context, tool identification and TTP correlation, and use those to implement controls against the cutting-edge groups.
- Curt Shaffer
Posted by ThreatGeek at 09:00 AM in Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, Curt Shaffer, insider threat, intelligent network forensics, network analysis and visibility, network forensics, network forensics tools, network monitoring, network visibility, threat intelligence, XPS
Posted by ThreatGeek at 09:34 AM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, content monitoring, content protection, cyber information protection, data breaches, data loss prevention, data theft prevention, incident response, intelligent network forensics, network forensics, network monitoring, prevent cyber attacks, prevent data breaches, protect against APT, THREATtoons
Microsoft’s report (Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance, http://aka.ms/securityatlas) correlates malware infections with the level of cybersecurity policy involvement of a country. While this publication will undoubtedly receive a lot of press, readers must take the data as only a starting point. The authors, Aaron Kleiner, Paul Nicholas and Kevin Sullivan, present clear and repeatable statistical analysis, and while they state that their conclusions are based on correlation, they can easily be taken as causal. In other words, a country’s cybersecurity posture may not necessarily be a cause of their malware infection effect or vulnerability. Additionally, the report only speaks to Microsoft OS malware and not other operating systems or appliances that may be vulnerable.
Their statistics are sound and their conclusions will be debated as cybersecurity policy continues to make headlines. The statistics do not take into account the impact of one piece of malware versus another. What experience has shown me is that a person’s or company’s security posture is driven by industry standards, government regulation and revenue-influencing measures. Thus, when I consult, I always begin and end with a security-in-depth methodology. Starting with the self, a company has a responsibility to shareholders, employees, customers and the bottom line. Any perceived or actual impact to any of these stakeholders has an impact on revenue-generating numbers, either in profit or in cost. Securing an infrastructure for the “self” is the first area. The second area is the industry, which is going to be less specific than a company’s “self.” Many industries have guidelines, standards or best practices that ensure good-faith business-to-business interaction at a minimum and form foundations for legal business requirements at their strictest. Then there are government regulations that could originate from either the government directly or from indirect sources via government mandates. Strengthening a company’s posture by paying attention to the self, to the industry and to the regulations is the first place to start for cybersecurity posturing.
Microsoft’s report correlates country policies with malware infections on its operating systems within that country. The correlation is an interesting read, but to develop a foundation for more in-depth analysis other factors must be taken into consideration. Just because a country does not have a lot of malware infections, should it not worry about cybersecurity policies? Or, if a country has a very high number of infections, should it scrap its existing cybersecurity efforts? The answer to both of these is obviously no. Cybersecurity is a global landscape without country borders, without language barriers and without cultural walls. All countries, whether they think they have a cybersecurity problem or not, should be paying attention to cyber policies. A key to building safety in cyberspace is to participate in policy strategy management where emphasis and effort are placed on securing their “self,” their people, their infrastructure and their ICT. Regional groups and global exchanges are also effective tactics for developing regional policies and increasing overall awareness in the cybersecurity industry.
I commend Microsoft’s Global Security Strategy and Diplomacy team for allowing the world to review their statistics. While it is a big drop in the bucket, Microsoft is only a portion of the larger picture. The most significant result of this paper is a reiteration that 1) we only have the potential smarts based on the information we have available, and 2) we are only as smart as how we use that information. We need to know what infected our computer yesterday, what is stealing our data today and what will hack into our network tomorrow. Only with this knowledge can we determine how to protect our network, protect our country, and protect our world.
Posted by ThreatGeek at 06:51 PM in advanced malware, cyber information protection, cyber threat intelligence, cyber threat security, cybercrime, Cybersecurity legislation, data breaches, incident response, insider threat, intelligent network forensics, network monitoring, network security monitoring, prevent cyber attacks, prevent data breaches, Ryan Vela, threat intelligence, threat mitigation