Symtrex Inc.


Threats Evolve - Your Security Should Too

2017/03/23 by admin

Threats evolve. One of the first companies I worked for was hit by a ‘denial of service’ attack: an email was sent to a friend of mine containing a script that made sheep dance all over your screen. It was pretty amusing, so she decided to send it to the office distribution list. Let’s just say the system administrators were not amused, as it brought the network down completely and took the afternoon to bring everyone back up. This was in 1995. Security has since evolved to a certain extent; today this type of attack would be caught by your UTM, email security appliance or endpoint solution. Over the course of several years, security solutions did evolve: firewalls, endpoint protection, network access control and logging. In the early 2000s, the terms SIM, SEM and SIEM were the rage, and the next best thing for organizations battling threat actors, as they offered a great way to review all of the events from your network in one centralized location. That was also when you could back up your logs to a CD.

Fast forward to today: we have embraced BYOD, cloud technology and IoT devices, and no one actually picks up the phone any more; email or texting is the communication tool, providing immediate gratification. (Does anyone remember what a telex machine is?) This explosion of technology, and our reliance on it, has completely altered the threat landscape. Organizations are subject to ransomware, trojans, APTs, insider threats and more, which can make it through your defenses and be hard to detect and remediate.

A recent Dark Reading article by Kelly Sheridan identifies flaws in current SIEM systems, and while reading it I was not surprised. Almost any product that collects event logs identifies itself as a SIEM, and some SIEMs now promote the security analytics side of the product more than the logging portion. In addition, a new acronym, SOAPA, which stands for security operations and analytics platform architecture (Network World, November 29, 2016), was coined to distinguish these products from SIEM.

Advances in SIEM are not keeping pace with the threats, nor taking into account different threat vectors. Typically, event data is sent from the host devices, either over standard syslog or through an agent, to a repository of some sort. This event data is then queried using a set of correlation rules, which in turn initiate an alert or a response of some sort. While most SIEMs advertise huge libraries of pre-built reports and rules, these need to be refined to fit your organization AND they need to be regularly reviewed to ensure that any new threats will be discovered and alerted on, or have a response of some sort created.

For some attacks the SIEM will most definitely be advantageous to the organization, and if you are required to collect and monitor logs for a compliance requirement it is a necessity; however, the threats of today take into account how these platforms work. Threat actors are meticulous, and look for ways to evade the traditional security platforms.

The growth in products that include security analytics or behavioural analysis can assist organizations in determining whether network activity is malicious. These products observe the typical activity of a network over time, baseline it, and then, when activity deviates from that baseline, flag with reasonable confidence that there is a potential issue at hand.

By combining behavioural analysis/security analytics, machine learning and threat intelligence, an organization gets a more comprehensive review of activity on its network. A system that is not based on rules alone, but instead looks holistically at all of the users, devices and applications and how they interact, running that data through algorithms and machine learning techniques, will provide more accurate detection of a threat.
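To make the contrast between the two detection styles concrete, here is an added example (not code from the original post or from any vendor named on this page) that runs a classic rule-based correlation over syslog-style authentication events, then runs a baseline check of the behavioural kind described above. The log format, hostnames, user names, addresses and per-user login counts are all constructed for the example; the threshold and z-score limit are the knobs that, as the post notes, have to be tuned to each organization.

```python
"""Added example, not code from the original post or from any vendor named on
the page. It contrasts the two detection styles the post describes: a
rule-based SIEM correlation over syslog-style events, and a baseline
(behavioural) check that flags deviation from a user's normal activity.
All log lines, hosts, users, addresses and counts below are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication events (not real captured logs).
SAMPLE_LOGS = """\
2017-03-23T08:00:01 host1 sshd: Failed password for alice from 203.0.113.5
2017-03-23T08:00:03 host1 sshd: Failed password for alice from 203.0.113.5
2017-03-23T08:00:04 host1 sshd: Failed password for bob from 203.0.113.5
2017-03-23T08:00:06 host1 sshd: Failed password for carol from 203.0.113.5
2017-03-23T08:00:07 host1 sshd: Failed password for dave from 203.0.113.5
2017-03-23T08:00:09 host1 sshd: Accepted password for alice from 203.0.113.5
2017-03-23T09:15:00 host2 sshd: Accepted password for bob from 198.51.100.7
2017-03-23T17:40:00 host2 sshd: Failed password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Parse lines into dicts with a datetime; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def correlation_rule(events, threshold=5, window=timedelta(seconds=60)):
    """Rule-based detection: at least `threshold` failed logins from one
    source inside `window`, followed within the window by a success from the
    same source. `threshold` is exactly the kind of value that has to be
    tuned per organization rather than taken from a vendor library."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["result"] == "Failed"]
        successes = [e["ts"] for e in evs if e["result"] == "Accepted"]
        for start in failures:
            end = start + window
            hits = [t for t in failures if start <= t <= end]
            later_success = any(hits[-1] <= s <= end for s in successes)
            if len(hits) >= threshold and later_success:
                alerts.append({"src": src, "failures": len(hits), "first": start})
                break  # one alert per source is enough
    return alerts


# Constructed per-user history: successful logins per day over the past week.
LOGIN_HISTORY = {
    "alice": [2, 2, 3, 2, 3, 2, 2],
    "bob": [3, 4, 3, 5, 4, 3, 4],
}


def baseline_check(history, today_counts, z_limit=3.0):
    """Behavioural detection: learn each user's mean and spread from history
    and flag today's count when it deviates by more than `z_limit` standard
    deviations. A user with no history cannot be baselined, so is returned
    with a score of None for analyst review rather than silently passed."""
    flagged = {}
    for user, count in today_counts.items():
        past = history.get(user)
        if not past:
            flagged[user] = None
            continue
        mean = statistics.mean(past)
        spread = statistics.pstdev(past)
        if spread == 0:
            z = 0.0 if count == mean else float("inf")
        else:
            z = (count - mean) / spread
        if abs(z) > z_limit:
            flagged[user] = round(z, 2)
    return flagged


if __name__ == "__main__":
    for alert in correlation_rule(parse_events(SAMPLE_LOGS)):
        print("RULE ALERT:", alert)
    print("BASELINE:", baseline_check(LOGIN_HISTORY, {"alice": 2, "bob": 12, "eve": 1}))
```

Run stand-alone, the rule fires once for the source that failed five times and then succeeded, and the baseline check flags bob (about twelve standard deviations above his normal day) while leaving alice alone; raising `threshold` to 10 silences the rule entirely, which is the tuning problem the post is pointing at.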

To find out more, contact us.

Filed Under: Advanced Persistent Threat, Blog, Cloud, compliance, CyberThreats, IoT, Log Management, Products, Ransomware, Security News

Threats Converge: IoT Meets Ransomware

2017/03/06 by admin

March 6, 2017 - Dark Reading - Javvad Malik

Ransomware is already a problem. The Internet of Things has had a number of security issues. What happens when the two combine?

Ransomware had a breakout year in 2016, making headlines as it affected everything from hospitals to police stations. At the same time, attacks against Internet of things (IoT) devices — home appliances, toys, cars, and more, all brimming with newly exploitable connectivity — have continued to proliferate.

Most information security professionals agree that ransomware and IoT hacks will continue to increase in frequency, but one less obvious development that could be on the horizon is a convergence of both of these attack methods. So, what could the implications of an IoT ransomware attack be?

To answer this question, we first need to consider the potential target of an IoT ransomware attack. Ransomware usually goes after computers and networks that house the mission-critical data necessary to maintain the day-to-day operations of a business. Such targeting ensures that once this data has been encrypted and rendered useless, the organization has adequate incentive to purchase the cryptocurrency (typically Bitcoin) being demanded by the hacker to release its data.

Luckily for us, many IoT devices don’t qualify as mission critical, as I doubt any parent is going to fork over a ransom to unlock their child’s Hello Barbie. But there are certain devices that perform critical functions and therefore could meet this criterion. As IoT becomes more widespread and increases in sophistication, the number of potentially lucrative targets will only increase. Unlike with traditional ransomware, attackers that hijack IoT devices can not only compromise the data collected through a device’s sensors, but could also render a critical device’s physical functions inaccessible — greatly increasing the chances that a victim will pay up.

One device that is currently ripe for exploitation is the connected thermostat. Products like Nest and Ecobee remotely monitor and regulate the temperatures of homes. If compromised by hackers, they could be used to blast the air conditioning during a blizzard or crank up the heat in the middle of a July heatwave. Although this may seem like an inconvenience rather than a catastrophe for a typical homeowner, when applied to business environments, the stakes are raised. For example, an attacker who gains control of the HVAC systems of a large building could theoretically increase an organization’s electricity bill to the point where paying a ransom becomes a practical and cost-effective alternative.

The same reasoning behind the thermostat example can be applied to a wide range of other IoT devices. It wouldn’t be difficult to imagine a hijacked smart lock taking on a mind of its own or a connected lightbulb refusing to illuminate. However, one can also imagine more disturbing scenarios arising from advanced IoT use cases, such as connected cars and smart cities. In such cases, a successful ransomware attack could extend well beyond a minor inconvenience, exposing affected victims to potentially dangerous or even life-threatening consequences.

However, IoT isn’t a lost cause altogether. As with any emerging technology, IoT device vendors need to work out the security bugs in their products, and they’re already beginning to do so. For every snooping Barbie discovered and connected car hacked, the industry moves one step closer to achieving the level of security that enterprise customers need. Similar to how the Target breach was a wake-up call for retailers, the IoT industry will inevitably be hit with an attack of a similar scope, whose repercussions will in turn serve as a major catalyst for industry-wide change.

Until we see this change, though, IT teams tasked with deploying connected devices must become more aware of the issues around IoT security and keep these in mind when deciding which devices to buy and deploy in their organizations. If your business can survive the next couple of years without going all in on IoT, it might be worth postponing purchases until the technology, especially the security, of these devices has evolved.

But if you absolutely can’t wait, there are several considerations that are critical when purchasing a new device. These include:

  • Assess how easy it is to change default credentials. Many IoT-enabled devices, such as the Internet-enabled cameras that made up the Mirai botnet, are insecure because their owners never think to change the password. You wouldn’t do that with your new laptop, would you?
  • Disable any insecure protocols. Not all devices are created equally, and device makers that fail to invest in secure protocols must be avoided. Right now, there is a lack of standards for what makes an IoT device secure, so it’s up to buyers to assess what makes the device tick. For example, many vulnerable webcams were reported in 2016, due to a Real Time Streaming Protocol that enabled video sharing but didn’t require a password for authentication.
  • Evaluate the recovery process. Many devices can have factory settings reset with one click, while others may require manufacturer involvement. Worse yet, in some cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It’s up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should one of them be compromised.

Whether you end up making the plunge into IoT or waiting until the kinks are worked out, the threats posed by Internet-connected devices are real. That being said, IoT is here to stay, so it’s up to us to ensure it isn’t allowed to compromise the security of our future.

Source: https://mnubo.com/listing-insights/industrial-iot/.

Filed Under: Advanced Persistent Threat, endpoint, IoT, Ransomware, Security News

‘Insider Sabotage’ among Top 3 Threats CISOs Can’t yet Handle

2017/03/01 by admin

From a Bitdefender perspective - Dark Reading - Luana Pascu

These five steps can help your organization limit the risks from disgruntled employees and user errors.

Although insider sabotage is among the top three security threats companies face, 35% of chief information security officers in the US still lack the best practices to handle it properly, according to a Bitdefender study.

Insider sabotage - whether by a former employee who still has network access and is bent on sabotage or a careless staff member who clicks on phishing links when using company devices, or even a contractor or associate - can be particularly devastating because it’s usually not detected until the damage is done.

As the bring-your-own-device (BYOD) to work trend becomes even more widespread, CISOs should conduct regular security trainings to make current employees vigilant toward cyber hacks and schemes. Did they receive a suspicious email? Then they shouldn’t click on any URL or download attachments. Because hackers can expertly impersonate company email addresses and templates, employees need to be trained about address typos that could signal a scam.

Increasing cloud adoption raises further cloud security concerns for the growing number of companies that have lost proprietary data over an extended period to disgruntled former or current employees, who should have to think twice about acting out against their employers.

If caught, those who deliberately harm a business may be in for some tedious prison time. A sysadmin from Baton Rouge, for example, was sentenced to 34 months in federal prison for causing substantial damage to his former employer, a Georgia-Pacific paper mill, by remotely accessing its computer systems and messing with commands. Obviously, access from all systems and networks associated with the company should have been revoked when the man was fired.

“To limit the risks of insider sabotage and user error, companies must establish strong policies and protocols, and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” recommends Bogdan Botezatu, senior e-threat specialist at Bitdefender. “The IT department must create policies for proper use of the equipment, and ensure they are implemented.”

Here are five steps CISOs can take to avoid insider sabotage:

  1. Enforce a strict information security policy, and run regular training sessions with employees to prevent malware infection of company networks.
  2. Immediately revoke all access and suspend certificates for former employees to prevent them from leaving the company with backups and confidential data, or from making administrative changes before leaving the company.
  3. Keep a close eye on internal systems and processes, and set up notifications for any changes that occur.
  4. Implement role-based access control to restrict access to unauthorized employees.
  5. Never rely solely on usernames and passwords to safeguard confidential company data. Instead, implement multiple authentication methods such as two-factor, two-person or even biometric authentication.
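Step 3 is the one most often left vague in practice, so here is an added example (not code from the article or from Bitdefender) of the simplest useful form of it: a file-integrity baseline that records a SHA-256 digest of every file under a monitored directory and reports anything added, removed or modified on the next run. The directory, file names and contents are constructed in a temporary folder so the example runs offline.

```python
"""Added example, not from the article or from Bitdefender: a minimal
file-integrity check for step 3 (watch internal systems and get notified of
changes). It stores a SHA-256 baseline of monitored files and reports what
was added, removed or modified. All paths and contents are constructed."""
import hashlib
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under `root` (by relative path) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def diff_snapshots(baseline, current):
    """Compare a stored baseline with a fresh snapshot; each list is sorted so
    the output is stable enough to alert on or commit to a ticket."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    with open(os.path.join(root, rel), "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a config directory, then simulate an
    edit to one file, deletion of another and a newly dropped file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "sshd_config", "PermitRootLogin no\n")
        _write(root, "sudoers", "%admin ALL=(ALL) ALL\n")
        _write(root, "cron.allow", "backup\n")
        baseline = snapshot(root)

        _write(root, "sshd_config", "PermitRootLogin yes\n")  # modified
        os.remove(os.path.join(root, "cron.allow"))            # removed
        _write(root, "extra.conf", "# new file\n")             # added
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    changes = demo()
    for kind, paths in changes.items():
        for p in paths:
            print(f"CHANGE {kind}: {p}")
```

In a real deployment the baseline would be written to storage the monitored host cannot modify, and the diff would feed whatever alerting the SIEM or ticketing system already provides; the point of the example is that "notify on change" is achievable with nothing more than a stored digest per file.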

Filed Under: Advanced Persistent Threat, Bitdefender, compliance, Network Access Control, Security News

Ransomware Is A Repeat Offender: How To Protect Your Business

2017/03/01 by admin

From Forbes - Ryan Barrett

If there is one major cybersecurity lesson we learned last year it was this: Ransomware is here, and it isn’t going away anytime soon.

Ransomware is a type of malware that severely restricts access to a computer, mobile device, or file until the demanded fee is paid by the victim. Often, it arrives in the form of a phishing email or message and begins its foul work as soon as it reaches your system. Either way, victims are left with a choice: pay a hefty ransom to regain access, or kiss it all goodbye.

The first option is unpleasant. The second is unrealistic. So many organizations wind up paying the ransom. But, consider the consequence of doing so. If an organization coughs up the money, it’s not only funding cybercrime, but it’s also sending a signal to cyber-criminals: “hey, we’ve got money, we’ve got important data, and our systems aren’t equipped to combat such an attack, so we’re willing to pay what is demanded to get access to our stuff.”

In addition, we’ve learned from the past that ransomware isn’t a one-time deal. Take, for example, a Kansas hospital that was extorted twice. After succumbing to the initial ransom, the attacker demanded a second payment to unlock all files. In another instance, a Michigan radio station suffered from being hit with ransomware twice in two weeks.

Ransomware halts your business, halts productivity and, potentially, sets your organization up for failure. And those who’ve been affected by ransomware stand a good chance of being re-infected this year. For this, you can thank the number of digital entry points in an organization that a cybercriminal can exploit.

First on their list is email, the most common medium for ransomware and the easiest for cybercriminals to abuse. Even victims that take the necessary precautions to detect and remove suspicious files from their email – sometimes going so far as to undergo phishing detection training – are still at risk. This is because phishing attacks, which are messages that trick people into downloading or opening corrupted files, are difficult to detect by nature. If someone has been tricked once, they could very easily be tricked again.

Another tool is the “backdoor.” It’s just like it sounds: cybercriminals build backdoors into networks for prolonged spying and re-infection. A backdoor is a technique in which a system’s security mechanism is bypassed undetectably to access a computer or its data. This means a cybercriminal can re-infect a network if a company does not perfectly clean and remove malware from its devices. All the cybercriminal has to do is wait for the right opportunity. Ransomware variants that install backdoors for later use are uncommon now, but they do exist and cybercriminals are actively testing them.

Cybercriminals can also use backdoors to monitor a network for sensitive data, such as login information, financial records, product development roadmaps and more. This data can be either sold or used to inform a second ransomware attack, one reliant on a phishing email, to re-infect a previously compromised system.

Finally, thanks to the Bring Your Own Device (BYOD) movement where employees are using their own devices, they may inadvertently introduce malware into a company’s network. This can be a frighteningly easy thing to do, especially if the company in question lacks sophisticated data monitoring security solutions.

So how can companies fight against this threat of ransomware? Well, there are a few possibilities. First is to implement a comprehensive email security solution capable of detecting and isolating potentially dangerous phishing emails. Companies will need to look for solutions that take on a multi-layered security strategy, such as sandboxing, behavior-based antivirus and construct a business continuity plan in the event a ransomware attack is successful.

That last part is particularly important. Business continuity plans are a normal part of operations, usually constructed around worst-case and natural disaster scenarios. Companies need to start preparing for cyberattacks and investing in two major areas: real-time file backups and employee education.

Real-time file backups can help organizations maintain a “clean slate” of files free from ransomware. These clean files offer a “get out of ransomware free card,” since all you have to do is restore a clean version of a file and access it on another device. This also has the added benefit of eliminating one of ransomware’s more damaging aspects: employee downtime. In fact, a study on ransomware found that 72 percent of employees were locked out of their files for at least two days.

Finally, take the time to educate and test your employees on the latest cybersecurity threats on the market today. That means investing in cybersecurity training that tests your employees on how to detect phishing attacks and how to respond to them.

Ransomware’s rise can be attributed to two factors: the increased processing power found in our computers (which are now so powerful that they can encrypt their own files in a matter of hours, giving the user little chance of detecting it before it’s too late) and the appearance of pseudo-anonymized (thus hard to track) payment systems like Bitcoin. The result is the sum of a dark formula: easy-to-use malware plus anonymized communications plus a massive halt to a busy workforce plus hard-to-trace currency, equaling an easily replicated and profitable cybercrime.

And it is profitable. The FBI’s Internet Crime Complaint Center reported that cybercriminals were able to extract $1.6 million in ransoms during 2015. In 2016, that figure was nearly $1 billion. How’d it grow so fast? Well, once cybercriminals began to realize ransomware’s power, they began asking for more in their ransoms. Today, the FBI reports cybercriminals can demand anywhere from $200 to $5,000 per user.

Cybercriminals are going to attack your business. You cannot control that. What your organization can control, however, is how prepared it is when it encounters an attack. Better preparation means your business suffers less downtime. It also means your employees maintain productivity even if the business is dealing with a threat like ransomware. And that’s the best defense against a second round of ransomware: not letting it hit you again.
Filed Under: Advanced Persistent Threat, endpoint, Ransomware, Security News

Stolen Health Record Databases Sell For $500,000 In The Deep Web

2017/02/22 by admin

From Dark Reading - February 21, 2017 - Ericka Chickowski

Electronic health record databases are proving to be some of the most lucrative stolen data sets in the cybercrime underground.

Medical insurance identification, medical profiles, and even complete electronic health record (EHR) databases have attracted the eyes of enterprising black hats, who increasingly see EHR-related documents as some of the hottest commodities peddled in the criminal underground. A new report today shows that complete EHR databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money off of smaller caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.

The data comes by way of a report from Trend Micro’s TrendLabs Forward-Looking Threat Research (FTR) Team, which took a comprehensive look at how attackers are taking advantage of healthcare organizations’ weaknesses to devastating effect. Cybercriminals always have their eyes open for new profitable revenue streams, and the poor security around increasingly data-rich EHR systems poses a huge opportunity for the bad guys.

“Monetizing raw data such as PII is nothing new in the underground. What makes EHR in the underground so different is that some of the data can be used to create a whole new list of offerings,” says Mayra Rosario Fuentes, the author of the TrendLabs report. “These wares include fraudulent documents like tax returns or fake IDs, fake driver’s licenses or birth certificates, but also stolen prescriptions with which the buyer can buy drugs. This gives them access to controlled substances such as Ambien, a popular sleep disorder medication known to be abused by many users.”

Fuentes and her FTR team combed through the Deep Web to understand pricing models used by the criminals to sell EHR data. Complete databases may be the most highly coveted items for sale, but other wares based on raw and processed stolen health data were well within the price ranges of even petty crooks.

Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.

Attackers are practically printing money when it comes to this new line of stolen goods, considering how poorly healthcare organizations are protecting their key assets. According to a separate report out today featuring a survey conducted by 451 Research on behalf of Thales, 69% of US healthcare organizations report their biggest spend is on perimeter defenses.

Meanwhile, they’re leaving holes in the network big enough to drive monster trucks through, by way of Internet of Things (IoT) medical devices and other poorly secured systems. The TrendLabs report detailed research conducted through Shodan that showed how many of these systems were left accessible from the public internet with minimal to no access controls. Not only did these systems expose the network to further lateral attacks, but in many instances they provided direct access to the EHR systems themselves, as was the case with the exposed interfaces to Polycom conference systems that researchers found in one case.

Filed Under: Advanced Persistent Threat, compliance, HealthCare, industry, Products, Security News


© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement