As 2018 commences, cyberspace remains in constant flux, a dynamic landscape that still favors hostile actors’ freedom of movement over the efforts of network defenders. Nation states continue to leverage the anonymity afforded to them in the digital sphere to conduct an array of offensive operations. Indeed, much attention has been focused on nation-state cyber activity by security vendors and news sites tracking suspected government or government-sponsored actors as they steal information and money, and conduct aggressive attacks on infrastructure, and influence national elections. Perhaps unsurprisingly, the increased international attention on these events has not served to deter these actors, but in some instances, have reaffirmed the need for all governments to be able to conduct similar operations to support their own national interests. In a recent United Kingdom intelligence report, Russian security services demonstrated a “go and see what happens” attitude towards conducting offensive cyber activities. Such an assessment certainly suggests there is little cause to fear any serious repercussion for such actions.
The past few years have seen governments actively pursuing offensive cyber capabilities, despite efforts from leading governments and recognized cyber “powers” trying to reel in the development of such skills and tools. No-hack pacts have been established between countries and international organizations, agreeing that cyber espionage should not be conducted for commercial advantage (Note: This intimates that cyber espionage for traditional espionage practices is acceptable). In January 2017, U.S. intelligence officials testified that more than 30 governments were actively seeking to acquire offensive cyber capabilities, and in 2013, there was reporting that European countries were doing likewise.
While the progression toward this end-goal may seem logical for developed and well-connected states, there is evidence suggesting that developing countries want to get into the mix as well. According to recent statements made by a former top Israeli intelligence official, inexpensive costs and ease with which to acquire technologies have created an attractive opportunity for these governments to become an immediate offensive presence in cyberspace. According to the Surveillance Industry Index, as of late 2016, there were 525 companies supplying these technologies to governments around the world. Some of these technologies are reputed to be able to bypass protection systems, monitor and analyze communications in real time, and send fake software updates to targets. Several developing countries have been recipients of these technologies.
There is no set definitions or criteria as to what constitutes “offensive” capabilities in cyberspace. These may include some or any of the following capabilities: attack tools, network exploitation tools, surveillance, or activities to combat online propaganda and influence operations. Indeed, recently, Vietnam has revealed its intent to recruit and train individuals to staff a cyber warfare unit to combat “wrong” views being spread online.
What’s potentially disconcerting about these events is that there seems to be an emphasis on offensive rather than defensive activities from developing countries, who are often a prime source and target of hostile cyber activities , and whose poor infrastructures serve as intermediaries to attack other countries. Compounding matters further is the fundamental lack of understanding with regards to bolstering a cyber security posture. Establishing organizations with cyber defense missions, enacting security policies, drafting and passing strong legislation, and aggressively arresting and prosecuting individuals involved in cyber criminal activities are areas where developing nations are grossly lacking.
Defense is hard, especially when trying to create a security apparatus from nothing. But there is evidence indicating that developed countries are leveraging the vulnerabilities in their cyberspace for authoritarian reasons, rather than trying to increase defense initiatives. One reason is the lack of incentive to do so. As developed nations look up to their more connected and cyber capable siblings, there is little forward progress when it comes to finding consensus and framing common rules on cyber issues such as state behavior norms, Internet governance, or cyber deterrence. While governments continue to hash these out, suspected state cyber activity continues without significant consequence, a fact that hasn’t got lost on developing countries. As long as this perseveres, there is more reason to adopt offensive capabilities than defensive ones, which doesn’t bode well for the global cyber security environment in 2018.
This is a guest post written by Emilio Iasiello
The post Developing Countries Want a Seat at the Offensive Cyber Capability Table appeared first on cyberdb.co.
In mid-December 2017, the White House signed the $700 billion National Defense Authorization Act (NDAA). The law sets policies and budget guidelines for the U.S. military for the next fiscal year, including cyber-related projects and initiatives. While established cyber programs are bolstered by the Act, the 2018 NDAA proscribes some new efforts. For example, all Kaspsersky products and services (including from company subsidiaries) are prohibited across the Department of Defense (DoD), an initiative working in tandem with the Department of Homeland Security’s (DHS) push to ban Kaspersky from federal government offices. Similarly, in an effort to safeguard U.S. communications channels from cyber risks, the NDAA forbids the acquisition of satellite technology from a foreign country or any company affiliated with one. These mandates are important as they acknowledge the potential threats that exist when acquiring technologies and/or services from sources outside a secure chain.
Of particular note, is a provision that could force the federal government to upgrade its out-of-date IT systems. The Modernizing Government Technology Act (MGTA), which was enacted in tandem with the NDAA, creates a $500 million fund over the course of two years to be used for modernizing legacy IT systems. Trying to secure old and outdated legacy systems has been thorn in the side of government cyber security efforts. In 2016, 71 percent of federal IT system administrators used old operating system to run important applications. The MGTA will provide necessary funding to address these technical shortcomings.
From an offensive cyber capability standpoint, the DoD Secretary will provide a plan to Congress that highlights a strategy of how the military will deter, counter, and mitigate information operations targeting U.S. citizens. Coming on the heels of the 2016 U.S. presidential election where fake news and disinformation gained so much prominence, and whose impacts on the voter calculus are still being determined, a strategic plan forward is an important initiative particularly as social media and Internet media sources are now viewed as potential potent influencing agents.
The White House is still expected to develop a national policy for the United States that addresses “all things cyber” (ie, cyber security, cyber warfare, cyberspace). According to reporting, the policy should clearly define what plans, policies, and roles that federal agencies have when reacting to a significant cyber attack, a necessary implementation particularly as national level cyber security roles, responsibilities, and missions remain muddied and overlapping. While this is a promising development, particularly as early indications are that such a policy will likely be multi-pronged rather than being one-dimensional, there is concern that there is no deadline for the creation of this policy. The United States succeeds in developing broad strategic cyber plans, but is challenged when it comes to successfully implementing these plans. This is worrisome especially when global competitors like China are passing necessary cyber-related legislation and enforcing punitive measures for compliance failure to bolster their security profiles. China has already implemented a national-level plan to respond to serious cyber attacks, a move to increasingly fortify defenses from internal and external cyber threats. Primary competitors seem to moving forward while the United States appears stuck in bureaucratic limbo.
When it comes to establishing a cyber warfare strategy, the White House appears hesitant to commit to any particular direction. The president objected to this course of action as it inhibits the Executive Office’s ability to negotiate on its terms, and not be held “hostage” by Congress. While the president did implement Executive Order 13800 in May 2017 intended to set guidance on strengthen the cyber security of federal networks and critical infrastructure, there have been few updates as to where this effort stands and what progress has been made. Among the most notable cyber security advancements since the new Administration took over have been the potential renaming of DHS’ National Protection and Programs Directorate (NPPD) to the Cyber Security Agency, and the elimination of the Department of State’s Office of the Coordinator for Cyber Issues. Passed in the House, the bill to rename NPPD would command a “Director of National Cybersecurity and Infrastructure Security to lead national efforts to protect and enhance the security and resilience of US cyber-security, emergency communications, and critical infrastructure.” Currently, cyber authorities remain across several federal agencies.
Addressing the complex nature of cyber space and all that it entails remains a puzzling endeavor for the United States. While there is a consensus that the United States is a cyber force from an offensive operations perspective, cyber security and network defense remains an elusive goal, a troublesome reality for a government and country that relies on technology for its continued economic, military, and social advancement and global standing. The President in the recently released national security strategy acknowledged cyber security as an imperative. This is promising, but one major hurdle facing national level efforts is that by the time strategies are developed and enacted, they are already outdated for the period in which they go into force. And this lies the problem with cyber strategies – they are generally positioned to address the cyber landscape of the present, rather than poised to address the future. The is part of the equation that must be fixed with concrete steps that can be measured and accountability enforced for any setbacks. Otherwise, we will find ourselves repeating what we already know without any real understanding of how to correct our mistakes.
This is a guest post written by Emilio Iasiello
The post National Defense Authorization Act – Cyber Security is Important, But What’s the Plan? appeared first on cyberdb.co.
Breaches and ransomware attacks are more prevalent than ever, and concern for protecting data is mounting on a global scale.
Toward that end, the EU has put forth its General Data Protection Regulation (GDPR), but no legislation can be implemented without having some consequences on the businesses that must comply with the laws. Given that GDPR aims to standardize data privacy laws and mechanisms across industries, there are few sectors that will not be greatly impacted.
Any company that directly or indirectly controls or processes the personally identifiable information (PII) of EU citizens will be affected by GDPR changes. Both terms ‘data controller’ and ‘data processor’ are broadly defined, which means that virtually every company will be impacted by these changes. For small businesses, dealing with these data collection and processing regulations will be overwhelming, if not crippling.
The deadline for compliance is swiftly approaching, yet many organizations are not ready. The individual’s right to data erasure is sure to influence the ways that organizations collect data moving forward, which will require additional resources of both time and money.
Proper preparation or poor performance?
Overwhelmed is a common description of many security practitioners. As the deadline of May 2018 approaches, those in governance, risk, and compliance are joining the ranks of SOC analysts as they rush and scramble to prepare for GDPR.
Few companies–only 27 percent of those who participated in an Alert Logic survey-reported that they were confident they will be ready when the GDPR becomes enforceable in May 2018.
One in four businesses is unprepared to meet the new law that replaces the Data Protection Directive. Despite the stated intention of wanting to streamline regulations regardless of the type of business that is collecting data, most firms will have to re-evaluate their data collection systems and modify their privacy and client consent policies in order to be in compliance.
General counsel across financial and industrial organizations will be burdened with the obvious (but perhaps overlooked) responsibility of ensuring strict compliance without sacrificing an organization’s ability to innovate or respond to market fluctuations.
What’s the hold up?
At issue for most companies is the very point at which they should start to implement changes, particularly because the legislation is the largest ever change to data collection policies across all sectors. GDPR crosses over geographical boundaries into the activities of digital enterprises.
Though it might seem that the greatest impact will be to healthcare, financial, and retail industries, for marketing firms, it is most likely that traditional marketing campaigns will be breaking the law come late May 2018.
The GDPRs broad scope requires any business to obtain client consent in order to collect personal information. As a result, pressure is mounting for human resources and recruiting firms, who will need to increase efforts to protect applicant privacy.
What organizations will likely need is help with putting in the right controls and implementing the proper protocols to defend against cyber threats. Though virtually all sectors will be challenged by these changes, financial institutions face greater obstacles when it comes to the consequences of a breach.
This is a guest post by Kacy Zurkus.
A set of security #Vulnerabilities known as #Meltdown& #Spectre that affect modern computer processors has been discovered - Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. We Call Upon users to Apply appropriate patches.— YUSUPH KILEO (@YUSUPHKILEO) January 5, 2018
Itakumbukwa – Mwaka Jana Kulikua na ugunduzi wa mapungufu yaliyo athiri program za Microsoft na baadae watumiaji wakashindwa kusahihisha mapungufu hayo kama yalivyokua yamesahihishwa na Microsoft, tukio ambalo lilisababisha uhalifu mkubwa wa kimtandao aina ya “WanaCry” ambapo mataifa Zaidi ya miamoja hamsini yaliathiriwa na mabilioni ya fedha kuingia katika mikono ya wahalifu mtandao.
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.
Active Directory Security Goes Mainstream Cyber Security
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -
- Since the beginning on the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.
- On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.
- On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.
- On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!
- On July 11, 2017, Preempt, a Cyber Security announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.
- On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.
- Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.
- On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.
- On December 12, 2017, Preempt, a Cyber Security announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.
- From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1- 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9 above, lies in Active Directory Effective Permissions and Active Directory Effective Access.
Helping Defend Microsoft's Global Customer Base
( i.e. 85% of Organizations Worldwide )
Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...
...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.
This year, I ( / we) ...
- conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation
- showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory
- helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory
- helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory
- helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense
- showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory
- helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory
- helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets
- helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation
- Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security
In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.
All in all, its been quite an eventful year for Active Directory Security (, and one that I saw coming over ten years ago.)
In 2017, the mainstream cyber security community finally seem to have realized the importance of Active Directory Security.
Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.
PS: Why I do, What I Do.