When people think of phishing, they tend to think of poorly written emails promising a large inheritance in exchange for bank account information. Attackers are getting smarter, though: they know exactly who their target is and put in the time to research them, scouring the internet for information that enables specifically tailored phishing emails known as spear phishing. Some of the information they look for includes employee personally identifiable information (PII), who the target reports to, their job responsibilities, their purchasing authority and personal details from social media, and, more often than not, that information is readily available online.
Phishing operations can take many different forms. Here is just a sampling of some examples I have seen in the real world and the lessons we can learn from them:
Example: The bad guys load up a PDF with malware. They spoof the sender’s email address to look like a legitimate contracting firm and then – and this is very smart – send that email to business development, whose job revolves around opening and responding to these types of PDFs (an RFP in this instance). Because business development sees these types of emails all the time, they open it without a second thought.
Posted by ThreatGeek at 10:00 AM
Sophisticated malicious files entering today's networks are not your grandma's malware. The brick-and-mortar criminals of the past have moved on to the open range of the Internet, relying on the anonymity it provides and the safety of non-extradition countries to shield themselves from law enforcement. Nation-states are also upping the game, constantly competing in this generation's cold war by inserting back doors into critical infrastructure around the world. With so many parties focused on infecting and owning networks, the prevalence of nigh-undetectable malware and of push-button tools for crafting malicious files and encrypted command-and-control tunnels has skyrocketed.
Posted by ThreatGeek at 09:00 AM
If you're a business running a web service that involves sensitive information of any kind, SSL is great for you. If you're the average consumer using such web services, SSL is great for you too. But what does it mean for those trying to secure the enterprise?
SSL is the basis for the majority of VPN use and of tunnels to business partners, and it is the enabler for pure web services like Salesforce.com and Google Apps as well as for ones that can be hosted, like Exchange and SharePoint. In all of these cases, SSL's security functions, authentication and encryption, terminate at the endpoints, leaving all your monitoring equipment blind to the data being exchanged and, for the most part, to who it is being exchanged with.
The challenges around encryption are well understood. How do I know whether PII is being uploaded to someone's Gmail account, whether a connection is actually botnet C&C traffic, or, even worse, whether a malware-infected PDF is being uploaded to SharePoint?
But what about the problems around authentication?
Things to consider:
So what is a CISO to do? When a breach at a CA is reported, you could wait for the browser vendors to update their CA lists and then wait again for your users to update their browsers. You could push scripts that scrub the browser CA lists of the CAs you no longer trust. But from what I can tell, I have four separate applications with their own CA lists on my system, including my email and IM clients. How many scripts will it take to make sure they are all scrubbed? And then what about genuine business activity at sites whose certificates chain to those CAs? Not everything that looks suspicious is malicious; it can certainly be the real thing, such as your marketing department working with a translation company in India that happens to use certificates issued by a CA you have decided is no good. You are going to hear from the business if you block that.
Thinking further out, you could wait for DNSSEC-based certificate binding (DANE) to replace the CA distribution model. Or you could wait for the web to go away when all internet transactions move to apps, as the "inventor of SSL" seems to believe is going to happen. On the other hand, as long as there are multiple providers of SharePoint-as-a-Service, I'd want to make sure that my users are connecting to the right one.
As is often the case in the real world, you really want visibility and control. And of course, that’s what we at Fidelis believe in, even in the gnarly world of SSL.
What do you think?
Posted by ThreatGeek at 01:23 PM
What I have learned from my experience helping customers deal with true advanced persistent threats (APTs) is that the key to understanding an APT is to stop thinking about it as an "attack". An attack is a discrete event. Dealing with an APT is more like a war: an ongoing, long-term conflict without a fixed timeline or predictable endpoint. So I like to think of APT defense as cyber warfare, regardless of whether it meets the legal or political definitions of that term.
Cyber wars sometimes (though not always) involve frontal assaults, and you need front-line defenses (like firewalls, IPSs, and web and email security systems) to repel them. But your enemy will also employ intelligence, communications, and logistics - and many wars have been won by intercepting intelligence, disrupting communications, and destroying the enemy’s logistical capabilities. And in a cyber war, as in a physical war, planning is important, but so is flexibility. You must be able to adapt quickly as your enemy changes their weapons, strategy, and tactics. Many wars have been lost due to an inability to adapt.
Once you begin thinking about modern computer and network security threats as a war rather than as an attack, you’ll start to see that dealing with them is a continuous, ongoing, cyclical process - not an event - and that your success will depend on the speed and efficiency with which you can move through that cycle. At Fidelis we call this idea the "integrated threat management cycle", and we think of it as a process with three phases: a discovery phase, an investigation phase, and a remediation phase. (Having said that, it’s important to remember that you may be simultaneously dealing with multiple related or unrelated threats in different phases. For example, you could be investigating one threat while remediating another and discover a third).
When you don’t know about the threat, you are in the discovery phase. In a sense, you are always (and should always be) in this phase, because you will always be faced with new threats and variations on existing threats. In some cases you will have no specific primary intelligence to apply to the discovery process. In other cases you may have external indications - for example, you (and/or your security vendor) may be able to obtain intelligence about the tactics and techniques that your enemy has used against organizations in your industry segment from trade groups, peer organizations, or government agencies. And in some cases you may have specific, directly applicable intelligence. As an example, you may have information about the command and control communications behavior of endpoints that have been compromised by a threat successfully penetrating your organization in the past.
Once you feel you can accurately identify the threat, you are ready to move into the investigation phase. In this phase you need to be able to selectively capture, store, find, extract and analyze information about the threat. This requires an ability to identify the threat based on the attributes of its behavior (e.g. the network ports, protocols, applications and/or locations it uses) and/or the content that it contains, no matter how deeply or recursively encapsulated, encoded, embedded and/or compressed that content may be. It also requires an ability to automatically extract "forensic artifacts" such as transferred files and embedded content objects from network sessions for analysis (e.g. executable objects embedded in containers such as Microsoft Office documents, compressed archives and PDF documents). In many cases the biggest challenge during the investigation phase is identifying the threat, because the "signal to noise ratio" (the ratio between the amount of threat traffic and the total network traffic) is so low. The problem is not capturing or storing the packets; the problem is finding the network sessions that contain the threats.
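The recursive artifact extraction described above, as an added example that is not part of the original post or of any Fidelis product: it peels ZIP (which covers OOXML Word, Excel and PowerPoint files), gzip and base64 layers, identifies embedded objects by their magic bytes (PE and ELF executables, PDFs, OLE compound files, and Flash SWF in its three container forms, so it also covers the "Flash file inside a Word document" case raised later on this page), and reports where in the nesting each object was found. The signature table, the depth and size limits, the base64 heuristic and the sample document are all assumptions made for this example; the sample is constructed in memory and contains no real malware.

```python
import base64
import gzip
import io
import re
import zipfile

# Magic-byte signatures for the object types an analyst wants surfaced.
SIGNATURES = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"FWS": "flash-swf",
    b"CWS": "flash-swf-compressed",
    b"ZWS": "flash-swf-lzma",
    b"\xd0\xcf\x11\xe0": "ole2-compound",  # legacy Office / embedded OLE object
}
MAX_DEPTH = 8                        # stop runaway nesting (zip-in-zip bombs)
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip members whose declared size is absurd
B64_TEXT = re.compile(rb"\A[A-Za-z0-9+/=\r\n]{24,}\Z")  # assumed heuristic


def identify(data):
    """Return the artifact kind by leading magic bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extract_artifacts(data, path="root", depth=0):
    """Recursively peel ZIP (including OOXML .docx/.xlsx/.pptx), gzip and
    base64 layers, returning (path, kind) for every recognizable object."""
    if depth > MAX_DEPTH:
        return [(path, "depth-limit-exceeded")]
    found = []
    kind = identify(data)
    if kind:
        found.append((path, kind))

    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{path}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:  # header-declared size
                        found.append((member, "oversize-skipped"))
                        continue
                    found.extend(extract_artifacts(zf.read(info), member, depth + 1))
        except zipfile.BadZipFile:
            found.append((path, "corrupt-zip"))
    elif data.startswith(b"\x1f\x8b"):
        try:
            found.extend(extract_artifacts(gzip.decompress(data), path + "!gz", depth + 1))
        except (OSError, EOFError):
            found.append((path, "corrupt-gzip"))
    elif B64_TEXT.match(data):
        # Only descend if the decoded bytes look like something we recognize;
        # this keeps ordinary alphanumeric text from triggering a recursion.
        try:
            inner = base64.b64decode(re.sub(rb"\s+", b"", data), validate=True)
        except ValueError:
            inner = b""
        if identify(inner) or inner[:2] in (b"PK", b"\x1f\x8b"):
            found.extend(extract_artifacts(inner, path + "!b64", depth + 1))
    return found


def build_sample():
    """Constructed test input: a .docx-shaped archive carrying a Flash object in
    word/embeddings and a nested ZIP whose text member is a base64-wrapped,
    gzipped PE stub. None of it is a real document or real malware."""
    exe_stub = b"MZ" + b"\x00" * 62
    wrapped = base64.b64encode(gzip.compress(exe_stub))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.txt", wrapped)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 20)
        zf.writestr("attachment.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for location, kind in extract_artifacts(build_sample()):
        print(f"{kind:22s} {location}")
```

The path notation (`member!b64!gz`) records every layer that had to be removed, which is the piece of evidence an analyst needs when the same object is later seen in a proxy capture or mail queue. The base64 branch deliberately refuses to recurse unless the decoded bytes are themselves a recognized object or container, because almost any long token (a JWT, a hash, an ID) is valid base64.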
Once you are confident you can identify the threat with high accuracy, you are ready to move into the remediation phase. You have to plan and execute your remediation campaign very carefully because, if your enemy senses that you are taking countermeasures, they will change their weapons and tactics to stay under the radar and maintain persistence. The key to this is collecting intelligence in a non-detectable way, and then moving swiftly and decisively to eradicate the threat.
One way or another, anyone dealing with an APT goes through this process, and it can be slow, painful, expensive, humbling and generally ugly: staring at firewall logs, proxy logs, IPS logs, DNS logs and DHCP logs; and trying to reassemble and extract useful information from a steaming pile of packets using long chains of forensic recovery and analysis tools.
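One concrete form of the "command and control communications behavior" intelligence mentioned in the discovery phase, and of the proxy-log staring described just above, is beacon detection: a compromised endpoint that checks in with its controller on a fixed timer produces connections whose inter-arrival times are far more regular than human browsing. The following is an added example, not code from the original post or from Fidelis; the log format (ISO timestamp, client IP, destination host, bytes), the log lines themselves and the thresholds are all constructed assumptions for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (invented for this example, not from any real
# network). Format: "<ISO-8601 time> <client ip> <destination host> <bytes>".
# 10.0.0.5 talks to upd-svc.example.net roughly every 60 s with a fixed size;
# the other traffic is irregular browsing and mail.
SAMPLE_PROXY_LOG = """\
2013-04-02T09:00:00 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:00:07 10.0.0.5 www.example.com 18422
2013-04-02T09:00:09 10.0.0.5 www.example.com 2210
2013-04-02T09:00:30 10.0.0.9 mail.example.org 4096
2013-04-02T09:00:31 10.0.0.9 mail.example.org 771
2013-04-02T09:01:01 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:01:59 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:02:40 10.0.0.5 www.example.com 9931
2013-04-02T09:03:00 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:03:10 10.0.0.9 mail.example.org 1290
2013-04-02T09:03:12 10.0.0.9 upd-svc.example.net 512
2013-04-02T09:04:02 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:04:59 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:05:15 10.0.0.5 www.example.com 40210
2013-04-02T09:05:16 10.0.0.5 www.example.com 3300
2013-04-02T09:06:01 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:06:30 10.0.0.9 upd-svc.example.net 512
2013-04-02T09:06:50 10.0.0.9 mail.example.org 6612
2013-04-02T09:07:00 10.0.0.5 upd-svc.example.net 512
2013-04-02T09:07:05 10.0.0.9 mail.example.org 880
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, host, bytes) from the simple format above."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, host, int(nbytes)


def find_beacons(log_text, min_events=5, max_cv=0.2, min_interval=5.0):
    """Flag (client, host) pairs whose connection intervals are suspiciously
    regular. Regularity is measured as the coefficient of variation (CV) of the
    inter-arrival times: stdev / mean, so 0.0 is a perfect timer. Thresholds are
    assumed defaults, not tuned values."""
    sessions = defaultdict(list)
    for ts, client, host, nbytes in parse_proxy_log(log_text):
        sessions[(client, host)].append((ts, nbytes))

    beacons = []
    for (client, host), events in sorted(sessions.items()):
        if len(events) < min_events:
            continue  # too few sessions to judge periodicity
        events.sort()  # logs are not guaranteed to arrive in time order
        times = [ts for ts, _ in events]
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean < min_interval:
            continue  # rapid bursts are page loads, not a check-in timer
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            beacons.append({
                "client": client,
                "host": host,
                "events": len(events),
                "period_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
                # a fixed request size is a second, independent beacon trait
                "distinct_sizes": len({n for _, n in events}),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

Note that 10.0.0.5 also reaches www.example.com five times, enough to pass the event-count gate, but its interval CV is close to 1.0, so only the timer-driven pair is reported. Real implants add deliberate jitter, so the CV threshold has to be loosened per environment, and the result is a lead for the investigation phase, not a verdict.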
Ultimately, the best practice is to use a tightly integrated set of visualization, analysis, and control capabilities to enable your security team to move through the phases of the threat management cycle more quickly, efficiently, and cost-effectively than they can do using traditional toolsets and techniques.
Posted by Kurt Bertone at 12:37 PM
Let me rant for a second…
I can't help but notice that while security threats are radically evolving (going several layers deep into the content seems radical to me), the security vendors keep selling the same technologies from last decade. I guess adding a "next generation" prefix is all it takes to create a new security category. Or anything, for that matter: there's a "Silver Diner" restaurant in my area that sells a "next generation" breakfast.
Let me explain:
Antivirus products have been around since computers were essentially big calculators, sometimes connected into local networks. After a while, the Internet Protocol came along and revolutionized (mostly for nuclear scientists and the military) the way we think about data exchange.
Next came application protocols like SMTP and FTP, which created new ways to abuse networks and almost immediately led to firewalls. These firewalls were tasked with letting some network packets through and stopping the malicious ones based on their source and destination. Then came the invention of the WWW by CERN scientists. With so many people connecting through the internet, the IPS appeared to protect the content provider's network from downtime caused by the bad guys.
Today, we take total and global connectivity for granted. With all the high availability and protection technologies deployed, it's almost impossible to bring an organization's network down or to destroy the data.
Do you feel secure? I don't.
Somehow I still don't feel like an antivirus can really protect me from botnets. The same goes for an IPS or some big box that writes all the traffic to the disk so somebody else can browse through it for the next 3 months.
I don't understand how putting an IPS and a FW together, and adding the "next generation" to the name, is going to help detect a malicious flash file embedded inside a Word Document.
Sure, everyone buys firewalls, IPS and antivirus. Even I have an antivirus program, though I understand it probably won't catch 95% of modern threats.
I guess it just feels more secure this way. But does it really make me more secure?