threat geek Feed

Thursday, March 21, 2013

ON YESTERDAY'S CYBER ATTACKS IN SOUTH KOREA

Yesterday brought news that a cyber attack caused widespread data destruction in the South Korean banking and media sectors. Researchers at General Dynamics Fidelis Cybersecurity Solutions obtained a copy of the malware involved in the attack and have some preliminary results to share. Our compliments to the talented folks at Alien Vault Labs, whose research on this subject can be viewed on their blog.

For purposes of our research, we’ll call this specimen “239ed75323.exe." It’s a malicious file capable of wiping data in disk drives. One of the areas it targets is the disk’s Master Boot Record (MBR), without which a computer cannot load its operating system. Multiple variants of this malware were observed in the community.

The malware writes a 512 bytes pattern to the disk. This pattern contains a repeating pattern of the word “HASTATI."

It was observed that the malware didn’t overwrite this pattern over the whole disk, so there is still data that can be recovered. We will release further information on a recovery process in an advisory to follow shortly.

The malware also tries to shut down security tools from the following two South Korean companies:

     - AhnLab, Inc. (AhnLab Policy Agent process)

     - HAURI Inc. (ViRobot ISMS process)

The file we examined has the following attributes:

         File Size:  24576 bytes
         MD5: 5fcd6e1dace6b0599429d913850f0364
         SHA1: 9f69da40dda6367789041aaff01cf61d562b7c21
         PE Time: 0x510A4706 [Thu Jan 31 10:27:18 2013 UTC]
         Sections (3):
           Name      Entropy MD5
           .text     5.42    0dcfb44a4e0fe644774322087d904c8e
           .rdata   2.97     95998eb10fd4f37dae63af28f22e1c97
           .data    0.58    0962d66235e80031b7bcfcbdb4335546

         At time of analysis, antivirus tools identified the file as follows:

 AV Tool

 Common Name

 Malwarebytes

 Trojan.MBR.Killer

 Symantec

 Trojan.Jokra

 TrendMicro

 TROJ_INJECTO.BDE

 Sophos

 Mal/EncPk-ACE

 ViRobot

 Trojan.Win32.U.KillMBR.24576.A

 AhnLab-V3

 Win-Trojan/Agent.24576.JPG

 PCTools

 Trojan.Jokra

Reversing the file revealed some of the following code responsible for writing the wiping pattern to the disk:

SK_1

General Dynamics Fidelis Cybersecurity Solutions researchers detonated the malware in a controlled environment and confirmed it does indeed overwrite the disk with a repeating “HASTATI” pattern. The following will show the area in the VMDK disk before and after it was overwritten with the pattern:

First area at disk offset 0x3D0000 (location of MBR in virtual disk):

(before)

SK_code 1
(after)

SK_code 2
Second area at disk offset 0x3D7000 (location of VBR in virtual disk):

(before)

SK_code 3
(after)

SK-code 4
According to Wikipedia, the word “HASTATI” refers to “a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment, light amour and a large shield, in their service as the lighter infantry of the legion. Later, the Hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the front battle line of the legion. They fought in a quincunx formation, supported by light troops.” J. Rickard, writing in a December 2002 article on HistoryOfWar.org, adds “the Hastati were expected to take the first clash of battle and blunt the enemy attack before the second line, the Principes took over and won the battle.”

The following are the two processes the malware tries to shutdown/kill:

“pasvc.exe”

  • Command executed: “taskkill /F /IM pasvc.exe”
  • Online research associates the “pasvc.exe” with a process from a company called AhnLab, Inc.
  • AhnLab, Inc. is a security software company in South Korea. The company sells antivirus software.
  • In specific, online research suggests that this process is associated with the AhnLab Policy Agent process.

“Clisvc.exe”

  • Command executed: “taskkill /F /IM Clisvc.exe”
  • Online research associates the “Clisvc.exe” with a process from a company called HAURI Inc.
  • HAURI Inc. is a security software company in South Korea.
  • In specific, online research suggests that this process is associated with the HAURI Inc. ViRobot ISMS security tool.

Researchers from the General Dynamics Fidelis Cybersecurity Solutions Network Defense and Forensics and Threat Research teams continue to monitor and study this event. Results of our research into a process for recovering a system infected by this attack will be released shortly.

Further Reading:

Alien Vault Labs:  Information about the South Korean banks and media systems attacks
http://labs.alienvault.com/labs/index.php/2013/information-about-the-south-korean-banks-and-media-systems-attacks/

Dark Reading: 'Loud' Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240151292/loud-data-annihilation-cyberattacks-hit-south-korean-banks-media-outlets.html

Naked Security: DarkSeoul: SophosLabs identifies malware used in South Korean internet attack
http://nakedsecurity.sophos.com/2013/03/20/south-korea-cyber-attack/

SecureList: South Korean 'Whois Team' attacks
http://www.securelist.com/en/blog/208194183/South_Korean_Whois_Team_attacks

Posted by at 11:16 AM in advanced malware, Advanced Persistent Threat, advanced threats, cyber threat intelligence, cyber threat security, cybercrime , data breaches , incident response, intelligent network forensics, network forensics, network surveillance , network visibility, prevent cyber attacks, prevent data breaches, protect against APT, threat geek, threat intelligence | | Comments (0)

| |

Thursday, March 14, 2013

THREAT GEEK WEEKLY UPDATE - MARCH 14, 2013

Threatgeek_newspaper_blogpost1

1. BYOD Security: Do You Really Need MDM?

Article Introduction: “IT pros can be excused for feeling besieged by the influx of user-owned smartphones and tablets that are linking up to corporate WLANs, email systems and Web apps. But employees are only one source of IT's stress. The other is vendors. Companies large and small are stampeding IT into buying MDM software and services as the wonder app to fix all their BYOD security problems. But MDM isn't a silver bullet, nor necessarily needed for all situations, particularly at SMBs.”

2. Overprivileged, Well-Meaning, And Dangerous

Article Introduction: “Let's face it: Everybody makes dumb mistakes at work. But these days, employee ignorance about the impact of certain IT technologies, a lack of controls around critical infrastructure and data, and a legion of employees armed with way too many system privileges are drowning enterprises in a potent cocktail of risk factors.”

3. Eight creative strategies to address the sophisticated adversary

Article Introduction: “Advanced cybersecurity threats, whether they are posed by cyber criminals, hacktivists or nation-states, have been damaging organizations for years. Leveraging social engineering, spear phishing, custom malware, and stolen credentials, they have been evading detection and stealing intellectual property and customer data seemingly at will.”

Ryan Vela's commentary:  Cumulatively, the eight creative tactics presented by Joe Goldberg are very beneficial for any company in which its revenue lines rely on an integrated IT environment. I would recommend that such companies incorporate all of these tactics into its security posture,  with the exception of honeypots. The implementation of these tactics should be measured as a part of the whole and its individual benefit to mitigate risk. For some companies, each item will be tailored higher or lower depending on its business need and risk requirements. When weighing the necessity of each tactic individually and all cumulatively, a company should engage outside consultants. Outside consultants are able to view the forest for the trees or see the whole picture without feeling stuck in the business tunnel. These consultants offer a valuable guide that will see things that may be overlooked and could save the company significant costs in the long term.

4. Adobe Reader Zero-Day Exploit Targets Activists In Spearphishing Attacks

Article Introduction: “An Adobe (NSDQ:ADBE) Reader zero-day exploit has surfaced in a new wave of attacks targeting activist groups and is dropping an advanced piece of malware, according to researchers analyzing the new threat.”

5. Java's security problems unlikely to be resolved soon, researchers say

Article Introduction: “Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks against companies including Microsoft, Apple, Facebook and Twitter, as well as home users. Oracle has made an effort to respond faster to the threats and to strengthen its Java software, but security experts say the attacks are unlikely to let up any time soon.”

The ThreatGeek Top 5 is a weekly post that identifies relevant industry news and stories. Check in to stay up to date with the latest happenings throughout the industry

Posted by at 05:00 PM in Ryan Vela, threat geek | | Comments (0)

| |

Thursday, June 21, 2012

THREAT GEEK WEEKLY UPDATE - June 21, 2012

Threatgeek_newspaper_blogpost1

1. Senate debate over cyber security bill fails to address privacy concerns

Passage of the cybersecurity bill has stalled in the Senate as Democrats and Republicans show few signs of compromise over the scale of governmental provisions for infrastructural protection.

2. Stuxnet, Duqu, Flame Targeted Illegal Windows Systems In Iran

An oft-overlooked detail about Stuxnet, Duqu, and Flame is that the attacks all targeted Windows machines in Iran even though Windows isn't allowed to be sold there under U.S. export restriction laws. Software smuggling and pirating are commonplace there, including for Windows.

3. Increase in cyber threats and sabotage on critical infrastructure

The Pacific Northwest National Laboratory (PNNL), in conjunction with McAfee, revealed a report that fully examines the current challenges facing critical infrastructure and key resources as well as identifying specific risks and vulnerabilities in the evolving cyber threat landscape.

4. Data Breach? Virtual Bounty Hunters Will Hunt It Down

Security expert Dan Clements is building a virtual "lost and found" box for data, a concept he hopes companies suffering from data breaches will embrace to find out just how bad the damage is.

5. New Android Malware is Disguised as a Security App

Google's Android mobile platform is the target of a new variant of a widely used malware capable of stealing personal information. The latest Zeus malware masquerades as a premium security app to lure people into downloading the Trojan, Kaspersky Lab reported Monday. The fake security app, called the Android Security Suite Premium, first appeared in early June with newer versions released since then.

The ThreatGeek Top 5 is a weekly post that identifies relevant industry news and stories. Check in to stay up to date with the latest happenings throughout the industry.

Posted by at 09:00 AM in threat geek | | Comments (0)

| |

Wednesday, June 06, 2012

FANNING THE FLAME

The initial infection vector of Flame is known and a patch is available to prevent it from happening.  Furthermore, Kaspersky Labs reports the botnet used for Command and Control (CnC) went down shortly after they began investigating it.  Like any fire, which needs air, fuel and heat to exist, removal of one component promptly puts the fire out.  In this case, removing its communication network has stopped the Flame, at least for now. 

It has been observed that Flame attacks a potential victim by waiting until a user connects to Microsoft Windows Update and then redirects that request, using a fake security certificate linked to Microsoft’s trust, to get the user to install a malicious Windows Update.  Even fully patched Windows operating system computers can be infected.  Microsoft has cancelled the bad certificate and posted security advisory 2718704 on how this security certificate compromise is being performed and a Knowledge Base article under the same number with a patch you can run to remove it now.  The patch is also being done through Microsoft Update, which as described, may or may not be the best option for the update.  With the communication network and now the initial infection vector closed, you’d think the Flame was out.

That has not stopped the marketing engine from throwing more fuel to fire in order to keep the Flame alive.  Headlines such as, “Security researchers: Flame malware is a “nightmare scenario” and “Meet Flame, the Nastiest Computer Malware Yet” continue to add hype in order to “Fan the Flame” and keep the hysteria going. 

Bit9 of Waltham, Mass. had this to say: "Have you heard of Flame – the latest high-profile cyber-attack – and are you concerned that you are vulnerable to attacks like it? Gartner released a report on Flame and recommended using ‘whitelisting’ approaches for critical servers whenever possible and to “go beyond simple signature or pattern detection.'"

Whitelisting is an increasingly complex task with tremendous overhead and like anything in security, it isn’t a magic bullet nor will any of the other solutions being presented as a cure for Flame. 

Bit9’s report goes on to say, “The attack began in the fall of 2011 and stretched into spring 2012. During that eight-month period, the Bit9 customer was consistently attacked by Flame, but Bit9 stopped the malware from executing on any of the customer’s servers, laptops or PCs."

Eight-months of ongoing attacks and log entries which resulted in no exfiltration, but was a pleasure for the analysts involved I am sure.

Even the infographic folks want some of this action.

Flame

Personally, I’ve seen malware using hundreds of domains on botnets with thousands of nodes and hundreds of IPs that span the globe.  So where is the truth in the hype?  How bad is Flame?  Is it over?

The truth is that Flame, while nasty, isn’t the end of the world as we know it.  It’s another piece of malware you need to know about and need to know how to defend against.  It has been spotted around the globe but featured prominently in the Middle East, which indicates the initial release point.  Kaspersky Labs, CrySyS Lab and the Iranian CERT team have investigated this malware and found it to do all of the same things existing malware could already do and took many of those features and stitched them together.  The initial infection vector is known and a patch is available.  The CnC network has been quiet for days since it was investigated by Kaspersky Labs.   As to whether the Flame threat is over, it seems that for the moment it is at least quieting down.  Whether the malware creators will make some changes and give it another go remains to be seen.  What we have now is time to apply the appropriate patches, clean infected machines, set up our detection and wait to see what happens next.  Oh, and not fall for all the hype-- the sky isn’t falling.

Fidelis Security Systems has released a policy update for Fidelis XPS customers to detect the Flame malware on the network in three ways: signature based (already updated) on the MD5 signatures of the malware components to detect them traversing your network, IP based on the CnC communication servers which are known and finally protocol based on indicators present within the CnC communication itself.  If you have applied the Microsoft patch as stated in Knowledge Base article 2718704 and have Fidelis XPS in place, you are already protected from Flame, without any additional fanning needed.

- Darian Lewis

Sources:

http://venturebeat.com/2012/06/05/security-researchers-flame-malware-is-a-nightmare-scenario/, Retrieved June 6, 2012

http://mashable.com/2012/06/04/flame-malware/, Retrieved June 6, 2012

http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx, Retrieved June 6, 2012

https://www.bit9.com/files/Press_Release_Flame_FINAL.pdf, Retrieved June 6, 2012

Posted by at 12:00 PM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, cybercrime , Darian Lewis, data breach prevention, data breach prevention solution, data breaches , NAV, network analysis and visibility , prevent cyber attacks, protect against APT, situational awareness, threat assessment , threat geek | | Comments (0)

| |

Friday, May 11, 2012

THREATtoons: Is your C.S.O. an ostrich?

Ostrich
Want a THREATtoon on your blog or website? Great! Simply cite the cartoons original Threat Geek URL under the image and you’re good to go.

Posted by at 10:22 AM in advanced threats, cyber threat security, cybercrime , data breaches , prevent cyber attacks, prevent data breaches, situational awareness, threat geek, THREATtoons | | Comments (0)

| |

Monday, March 19, 2012

Ready or Not, BYOD is Here!

The annual RSA Conference—held just a few weeks ago in San Francisco—is usually a good place to gauge the state of the security industry. While I agree with Peter George’s observation that nation state-sponsored cyber attacks dominated the majority of attendee’s attention spans this year, there was something else that also caught my attention.

Going into the conference, I was fully prepared for mobile security to be a dominant theme—though I thought it would center more on mobile device management (MDM), which seemed to be where people are focusing today. What really struck me was the huge tilt toward BYOD, or “Bring Your Own Device”—specifically, the leniency of security measures and willingness of companies to allow employees to deploy any device they please on their network. IPad

In hearing some of the leaders speak at various sessions, I was shocked to learn that we are past the point of conversation with BYOD; it’s a foregone conclusion. This is not a “how do we want to deal with this” discussion anymore, it’s a “this is here, there is no stopping it, so make it work and (oh, by the way…) provide security” issue. It was apparent that CISOs and CSOs are scrambling to figure out how to deal with this. It’s really like the Wild West out there.

From a security perspective, my first reaction is: FORGET IT. I don’t care how productive it can make a workforce. I might let your iPhone on our network, but I’m not even discussing an iPad or any other tablet you might have without the appropriate controls in place. I try to put myself in the shoes of CISOs and I think I’d be pounding on someone’s desk saying no way. Let’s let them chose their own device, phone or tablet—more of a move towards CYOB—but with BYOD, I don’t see a way to do it right now. This takes borderless security to a whole different level.

While some companies use an employee access agreement (and possibly a software agent) to control and monitor what devices are permitted to access the network, there seems to be a movement away from making that the standard. The focus seems to be on trying to figure out a way to allow personal devices on networks without imposing an agent of some kind, which is potentially disastrous. The false sense of comfort that mobile devices are secure reminds me of the way Mac users perceived their devices a few years ago: “I don’t need antivirus protection for a Mac, there aren’t any Mac viruses”.

Well, in the past year you have seen a significant rise in threats from a Mac perspective, and the same can be predicted for new waves of personal devices.

I sat in on one particular session at RSA that really conveyed the uncertainty behind managing this problem. Towards the end, the floor opened up for a Q&A, and the discussion was dominated by attendees who stood up and talked about how they are struggling with the legal implications of BYOD.

“Does anyone here have any tips or precedents they can share? someone asked.

Essentially, with a free-range BYOD mentality, companies are bringing in unnecessary risks just to boost morale and/or productivity. You’re just opening up yourself to a bevy of threats that you wouldn’t have otherwise. I’m still trying to figure out the justification of the upside.

And let’s not forget about the legal implications here. Imagine if something catastrophic happened inside a network—and it came from an employee’s corporate-issued device. The company has the right to seize that device and forensically discover what happened.

In many cases with personal devices, the company is forfeiting its ability to grab that device. The employee can walk out the door with it because, after all, it’s their device. You can bet the bad actors and nation states know about this trend and are looking to exploit any weak spot they can find.

Recently I got caught up watching the “Secret Service Files” on the National Geographic channel, and one of the agents was quoted as saying something along the lines of, “If it were up to me, the President would never leave the White House.”

How does this relate to BYOD management? Well, if you ask those in charge of any type of security—network or presidential—what their ideal situation would be, of course they would want all potential vulnerability eliminated from the equation. But we know that’s not possible.

So what we need to do is find a compromise and eliminate the grey area surrounding BYOD. Companies are knowingly inviting new risks with personal devices, but most already have made up their minds to do it anyway. We need to strike a balance.

So what do you think? How can we even out the risk-scales?

It’s not that this train has left the station; it’s at full speed barreling out of control. Let’s get this BYOD issue back on track before it’s too late.

- Tom Lyons 

Posted by at 12:52 PM in advanced threats, content inspection, content monitoring, content protection, cybercrime , data breach prevention, data breaches , information flow , network forensics, network surveillance , network visibility, protect against APT, situational awareness, threat geek, threat intelligence , Tom Lyons | | Comments (0)

| |

Monday, March 12, 2012

Nation States Have Crowds Buzzing at RSA 2012

The first event of RSA week for me is the America's Growth Capital Conference where I’ve been a featured presenter on security topics for the past eight years. A few Mondays ago, which was security day at AGC, I was impressed to see that the number of participating companies had risen to a new high of 114 and would cover the spectrum of topics from advanced persistent threats (APTs) to mobile devices to security in the cloud.

I was asked to participate on a panel discussion around the issue of nation states and state sponsored cyber attacks, which is an area of great interest to me and a topic that Fidelis has been front and center on for the last several years.

PeterWhile dealing with viruses and other malicious attacks from hackers has been under the purview of the CISO and CSO since the advent of the network, in speaking with my peers at RSA, many of them are now feeling overwhelmed by the increase in attacks emanating from nation states.

In our conversations it was clear to me that mitigating everyday threats in the form of a virus, worm, or botnet was one thing; taking on an adversary with a level of sophistication and unlimited resources made possible through private government funding was another. Simply put, they are being outgunned by the likes of China and Russia and are in desperate need of assistance.

Complicating matters were the other topics driving discussion at this year’s RSA conference that followed AGC: cloud, mobility, and big data. Enterprises are making a big push into these areas for the purpose of increasing productivity and streamlining operations. However, in the process, these are areas that are going to open more opportunities for state sponsored attacks and will certainly be exploited by those looking for financial or political gain.

Our corporate value in this country is largely based on intellectual property (IP) and for that reason, many enterprise level security officers are pacing the floors at night wondering what they can do to combat this level of threat. Unlike physical assets, once IP is stolen, it is gone for good and can severely weaken the value of a company. As an example, pharmaceutical companies spend billions on researching and developing drugs every year (95+ percent which will never make it to market) in the hope of finding a few successes. These successes fund the research and sustain company value. If the formula for one of these drugs was to be stolen and end up in Beijing, years of discovery will be meaningless as the market will be flooded with counterfeit options at a fraction of the price.

People are worried about security in this country and they have a right to be. The development of new business tools is also opening new channels to be exploited. The buzz at RSA was palpable and it was one the most well attended shows in years. Despite the wishes of some in an enterprise, the role of security is not going away. In fact, one could argue that it is really just beginning.

- Peter George

Posted by at 12:11 PM in advanced malware, APT prevention, cyber threat intelligence, cyber threat security, cybercrime , data breach prevention, data breaches , Peter George, prevent cyber attacks, prevent data breaches, protect against APT, situational awareness, threat geek | | Comments (0)

| |

Thursday, February 23, 2012

Reflections on Hactivism and Online Violence

Does the rise of Anonymous and LulzSec herald a new online era? Does it represent a fundamental shift in the landscape that suddenly changes everything? Let's take a fresh, clearheaded look at what's been happening lately.

Online protest is a perfectly natural and predictable phenomenon. Just as a continuum exists in real life ("IRL," as my kids are saying) between nonviolent protest and destructive, violent rage, the same continuum exists online between mainstream websites going dark to peacefully protest SOPA/PIPA last month, and people who feel that nonviolent protest is inadequate to spur necessary change. When it comes to protest, a well-worn set of philosophical and political arguments apply to violence and nonviolence, regardless of whether one chooses the digital or the analog world as a venue for protest. (Further reading: Henry David Thoreau, Martin Luther King, Jr., and Leo Tolstoy, contrasted with Leon Trotsky, Malcolm X, and George Orwell.) 

The potential for an innocent bystander to be harmed by online protesters, however, may exceed the potential in the real world, where it is more risky to commit violence. After all, in physical space you can be seen, you can be tracked, you can be arrested, you can be jailed. These risks are more easily mitigated online than they are IRL. If the risk of being caught factors into a protester's calculus about whether to use violence, then online violence is simply a more logical choice than physical violence. While international authorities have recently engaged in conspicuous enforcement activities, these actions may have little impact on the mindset of groups and individuals that make up hacker collectives. Online violence is still an option for those who choose to employ it, and changing this fact without ruining the Internet will be monumentally difficult.

This leaves enterprises in a sort of "wild west" state, as I argued in my "Lawless" blog post last year. Society's real-world defenses don't map very effectively to the online world, leaving us to try to defend ourselves as best we can. And against a potential infinity of attackers, that is a very difficult task indeed.

My recommendation for enterprises is to expand their security thinking. Guns, guards and gates (real and virtual) will always be a part of the picture, but there's much more to do:

  • Be a good citizen. If you see yourself as a target, examine whether communicating more effectively about your mission and the reason you are targeted could reduce your prominence as a target. If you are in an industry typically seen as hostile to online activists--for example nonrenewable energy, certain governments, defense contractors, the financial sector, old media and so on--this may be impractical. Call it capitulation if you wish; I call it pragmatism.
  • Concentrate on what works. Understand how you use the Internet, and do as much as you can to enumerate and whitelist approved activity. Use technology to prevent what isn't permitted, and keep your eyes peeled for anomalies. This reminds me of Winston Churchill's observation about democracy: it's the worst possible approach to securing a network…except for all of the others. It's hard work that requires planning and diligence, but in a complicated world it's the most predictable, reliable way to limit your attack surface and reduce risk.
  • Train and trust your people! Social engineering isn't a new phenomenon, but human beings are more important than ever to the infection process. If you can help them to improve their habits when it comes to opening e-mail attachments, using mobile devices, responding to unsolicited communication or keeping their systems patched, that will produce security benefits that extend well beyond your borders.

Josh Corman and Brian Martin are looking at this topic quite closely, having participated in a panel discussion about Anonymous at DEFCON last year. They're gradually releasing installments of a 7-part series called "Building a Better Anonymous" that is quite insightful.

How do you see Anonymous? Is online activism prompting you to adopt new strategies? We invite your comments.

-Will Irace 

Posted by at 04:23 PM in advanced malware, advanced threats, APT prevention, cyber threat security, cybercrime , data breaches , prevent cyber attacks, prevent data breaches, protect against APT, threat assessment , threat geek, threat intelligence , wikileak , Will Irace | | Comments (1)

| |

Wednesday, February 22, 2012

Open Heart Security

Ever hear or say, “…we need to do things differently”?

I hear it quite often, and it’s true—speaking in the context of fighting advanced threats. What usually ends up happening?  The same old thing, but with new tools.

What needs to be done differently in our business is to lean forward into the problem and be more suspect of all content, especially in new ways. Capture as much data about this suspect content, automate its analysis and provide results along with the session and objects to first level responders.

This is the difference. This is open–heart surgery, not an autopsy. Tg

Many environments have a SOC, which in turn work on alerts fed in from products. Often times they may not know why the alert came in or what it is about, and then forward upstream. It eventually ends up with the Incident Response team, who needs to gather data from other systems to try and piece together what happened. They have many tools they use to dissect, analyze and try to figure it out, but in the end 80%-90% of the results are benign. This is the business process and it takes time and money to vet. 

My question to you is: what can be done differently? 

  1. Inspect all traffic and its content - content should be judged based on risk (if not known), complete information collected up front (session, objects, artifacts, etc), and automated analysis. The benefit to the SOC is that it has all the information up front. If automated analysis shows its bad, then remediation can occur. This means faster resolution, money savings, and risk exposure minimized.
  2. Go on the hunt – use intelligent-community based information, etc.—and look for activity in real-time. Do not be a victim.

Build a better business process by compressing the workflow through automation, better information and response time. Put forensics up front as opposed to at the end—just like open heart surgery.

- David Chirico

Posted by at 12:51 PM in advanced threats, APT prevention, cybercrime , David Chirico, incident response, prevent cyber attacks, prevent data breaches, situational awareness, threat geek, threat intelligence , threat intelligence feed, threat mitigation | | Comments (0)

| |

Friday, February 17, 2012

What the Candidates Aren’t Talking About

I consider myself somewhat of a political junkie, and as such, I frequently find myself tuning into the Sunday morning Washington insider shows or taking in one of the seemingly endless debates during the election season. 

Given my involvement in the IT security industry, I have a heightened awareness for discussions Peterg on issues in this arena and have often found it odd that none of the candidates or the journalists charged with asking the tough questions have hit on the issue of cybersecurity.  In conversations with colleagues I was encouraged that I was not the only one who felt this way, but was willing to chalk it up to perhaps a little over sensitivity given my chosen profession.

However, that line of thinking all changed a short time ago when I tuned into the evening news and heard Robert Mueller, Director of the FBI, make the following proclamation:

“I do not think today it is necessarily [the] number one threat, but it will be tomorrow…Counterterrorism — stopping terrorist attacks — with the FBI is the present number one priority. But down the road, the cyberthreat, which cuts across all [FBI] programs, will be the number one threat to the country.”

Mueller was not alone in his observations either, as he was joined by National Intelligence Director James Clapper, who went on to add:

“The cyberthreat is one of the most challenging ones we face...Among state actors, we’re particularly concerned about entities within China and Russia conducting intrusions into U.S. computer networks and stealing U.S. data.  And the growing role that nonstate actors are playing in cyberspace is a great example of the easy access to potentially disruptive and even lethal technology and know-how by such groups.”

Let that sink in for a moment.

The Director of the FBI and the National Intelligence Director just stated for the world to hear that in a very short period of time, cyberthreats will be our country’s biggest threat, yet none of the major candidates are talking about it and to my knowledge, the media hasn’t been asking.  Given the process candidates go through in order to secure their party’s nomination where they are asked for their position on seemingly everything, one would think this issue would be more talked about.

Personally, while I don’t necessarily expect the candidate to be an expert on cyber security themselves, I would like to know that they have given the issue some thought and they recognize the potential hazards.  I’d also like to know how they would address the issue; do they view it as a law enforcement issue or would it fall under the domain of homeland security?

I recently saw that U.S. officials estimate there are 60,000 new malicious computer programs identified each day. I think that qualifies as a significant threat and one that the voters deserve some answers on before they go into the booths come November. I for one will be on the lookout to see what kind of attention this issue gets paid in the weeks and months ahead, and which candidate has a plan to deal with it.

- Peter George

Posted by at 10:29 AM in advanced threats, cybercrime , Peter George, prevent cyber attacks, prevent data breaches, protect against APT, threat assessment , threat geek, threat intelligence | | Comments (0)

| |

Next »

Search

Categories

Archives

Related Posts Plugin for WordPress, Blogger...
Related Posts Plugin for WordPress, Blogger...