Many -- and I do mean MANY -- companies are playing chess every day and don’t even realize it. They’re not playing a fun game where win-or-lose, nothing happens. They are playing a game where the stakes are high and the cost to win may not be quantifiable. You are probably thinking, “What is she talking about…?” Well, I’m talking about cybersecurity.
When your opponent gets in your network, they take over. They watch your every move and every time you see a glimpse of their moves, they change their plans and adjust their tactics. Just like a chess match, they are watching you and adjusting their strategy based on your reactions to their moves.
Here’s where things start to change: they are not necessarily looking for checkmate; in fact, oftentimes they are actively avoiding it. They want to ensure the game continues so they can keep moving around silently and evade detection, so that valuable information like intellectual property and customer data can continue to be exfiltrated.
I just got done reading the DTCC’s White Paper entitled Cyber Risk – A Global Systemic Threat (PDF). The white paper outlines seven recommendations for policymakers that they state will further an “aggressive agenda to combat cyber threats.” Four of the seven recommendations refer to information sharing between and among governments and businesses.
Information sharing is a fabulous idea, but it is easier said than done. Everyone in my field of cybersecurity agrees that information sharing is a good thing. If you show me your signatures, then I’ll show you mine. If my NG firewall finds a new 0-day CryptoWall variant, then it would be helpful to share this with other companies so they don’t get hit by the same variant. Reciprocal sharing is expected, or more realistically hoped for, given the myriad of SLAs and annual maintenance contracts organizations have with cloud-enabled security tools.
It has been a very busy couple of months in the world of network breaches and incident response! The news has reported on a very complex and large attack against the U.S. bank JPMorgan. Most recently, retail giant Home Depot has been the victim of a breach that various news sources are saying could be larger than the Target breach. Once under-the-radar events that were only important to network security and IT professionals, network breaches are now seen and felt by tens of millions of consumers.
While cyber-attacks against Federal entities like the Department of Defense and the White House have been occurring for years, recently the target list has expanded to include corporations. This has in turn led to large amounts of intellectual property being compromised. The attackers have even begun targeting research and technological advancements under development at educational institutes. To combat this, the Defense Industrial Base joined together in 2011 and started sharing information to better protect themselves from these threats.
In 2008, we saw cyber-attacks used as a critical part of the war between Russia and Georgia. This was one of the first times the world saw a nation-state opening up a cyber-front in a physical war. Since then, cyber-attacks between feuding nations have become commonplace. While these cyber-attacks do not put the average citizen at risk of physical injury, citizens are nonetheless becoming collateral damage on the front lines.
I have a friend who is an executive in a small to medium sized company that operates in the technology sector and has a great deal of intellectual property invested in their software. They are very good at what they do and have an international presence. We have spoken at length about their IT security posture and what precautions they have taken to safeguard their network and software. This company is now in the process of being acquired. While most of the work through this acquisition is likely to focus on employee retention and payouts, this is a perilous time for both companies. As soon as they issue the inevitable press release, threat actors will start probing their networks (if they are not already there) looking for vulnerabilities to get in.
We have seen time and again that during mergers and acquisitions little to no thought is given to network security. Things like connectivity, email servers, file shares, etc. are all given priority over installing the proper safeguards. Given the great number of unknowns when bringing two companies together, it is imperative to slow down and ask some basic questions:
Have both networks gone through a breach assessment?
Do both companies have documentation showing assets, approved software programs, network diagrams, change management processes and other policies?
Is there a detailed and organized plan to bring the different networks online together?
Have the CISO and the CRO/CRMO talked about the specific cyber risks involved?
This is not a simple “get our IT guys together and figure it out” exercise. There are likely two different sets of policies and organizational cultures coming together. It will take time to sort out these differences and unify the organizations. This is the perfect time for both IT teams to identify security gaps in their networks.
Since becoming part of the Fidelis Network Defense & Forensics Team a year ago, I’ve had the opportunity to have some great discussions with our customers. We’ve talked about their pain points and how the various vendors offer to help them increase their cybersecurity posture. One of the main buzzwords that I kept hearing was “industry best practices.” This sounds so professional and exactly like the thing that would interest anyone looking for help in defending their network. What amazed me, though, is that when I asked what standard the vendor was using for their security assessment, I would often get the response “I don’t know.”
We all know that each customer will have a unique environment based on infrastructure architecture, various equipment, legacy systems that must be maintained, and many other variables. However, there are some baselines that everyone should be following in order to ensure they are defending themselves. Having worked at an International Organization for Standardization (ISO) accredited laboratory, I’ve had the opportunity to see the value of working from a community-wide accepted standard. While it does take some work to meet those standards, using a standard as the basis for an assessment is invaluable. Standards allow you to methodically and efficiently help your customer assess where they stand in defending their network. They also give you a structured starting point from which to branch off into additional lines of questioning when you come across those unique environments.
There are many organizations that have published standards on cybersecurity, such as NIST, ISO, ANSI, IASME, and IETF. Here at Fidelis we use the Consensus Audit Guidelines (CAG 20) (PDF), also known as the “Twenty Critical Security Controls for Effective Cyber Defense” for those who prefer the proper name. The name “twenty critical security controls” is a bit misleading, though, as there are 184 sub-controls in the current standard. We use this standard as the basis for the proactive assessments that we do for our customers, and we also keep it in mind as we help customers remediate from a breach.
The CAG 20 is a subset of the very in-depth NIST SP 800-53 (PDF) document and is intended to be a set of immediate, high-value actions that an entity can accomplish to increase its security posture. It was developed by a consensus of government and commercial entities. Some of the organizations involved in the initial development of the CAG 20 were US-CERT, DC3, the Department of Energy, the banking industry, and the various ISACs. It is now maintained by the Council on Cybersecurity, which is an international non-profit organization.
I would be remiss without including the CAG 20 as a point of reference for everyone.
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
If you get a proposal from a vendor offering to use “industry best practices,” make sure that you ask questions so you know what you are getting. If they don’t have an answer or seem uncomfortable discussing the details, you should start to wonder: they may be talking the talk, but can they walk the walk?
Update: This post has been updated with a new date for the webinar.
On Tuesday, August 12 at 1:00 PM EDT, a Fidelis customer will be interviewed for a SANS WhatWorks webinar discussing their experience evaluating, selecting and implementing a solution designed to protect their network from nation-state threats. You can register for the webinar here, but I wanted to provide a quick preview of the differences between nation-state threats and those posed by other actors, such as cybercriminals targeting financial gain or hacktivists promoting a political agenda.
Nation-state actors have a degree of funding that allows them to conduct highly targeted, long-running campaigns, while other actors typically have short-lived or “shotgun style” campaigns that cast a wide net or hope to catch the low-hanging fruit.
In addition to the different attack styles, nation-state actors are typically after intellectual property or other trade secrets as opposed to purely financial gain. This leads to a difference in tactics and behavior once they gain access to target networks. Recognizing these unique behaviors and tactics will allow security teams to build defensive strategies that take nation-state threats into account.
Yesterday, we posted Fidelis Threat Advisory #1013 detailing a phishing campaign utilizing a remote access trojan (RAT) known as Unrecom. Over the past two weeks, we have observed an increase in attack activity against the U.S. state and local government, technology, advisory services, health, and financial sectors associated with this campaign. Attacks have also been observed against the financial sector in Saudi Arabia and Russia.
We consider this phishing campaign important because:
The targets we have observed are in the U.S. state and local government, technology, advisory services, health and financial sectors.
The attached malware is known as Unrecom, a comprehensive multi-platform Java-based RAT.
Unrecom has evolved from previous high-profile RATs such as Adwind and Frutas. Both of these have been observed in threat activity in the Middle East.
The Unrecom samples that we have analyzed are detected by only a very small set of antivirus and antimalware products.
The samples that we have analyzed clearly share command-and-control infrastructure with malware such as DarkComet and Arcom RAT, observed in other campaigns. Significantly, these malware families have been observed in large volumes in the Middle East.