Daily Archives: October 3, 2018

Top 5 Skills for a Career in Digital Forensics

Digital forensics is the field where technology meets criminal justice. Professionals in this field use their InfoSec skills to recover data and analyze information from devices (such as computers, USB drives, phones, etc.) to solve a wide range of crimes and take down criminals. Interested in building your career around digital forensics? Here are some skills you will need to succeed in this field.

1. Analytical Talent

Just as in any investigative role, digital forensics professionals need to have analytical skills. You’ll be required to piece together information to solve a case, so analytical thinking might just come in handy sooner than later.

2. Tech Fundamentals

Since digital forensics is a technical field, it helps to have a solid computer science background. Some of the prerequisite skills we suggest are a strong understanding of the fundamentals of modern operating systems and at least a basic understanding of networks, network protocols, and programming languages.

3. IT Security Practical Know-How

While it’s a good start to have theoretical knowledge, you will also need practical skills to solve crimes in real life. Even better is knowing how to prevent such incidents from happening in the first place. This skill will make you a valuable team member. The perfect candidate for a digital forensics role will not only have experience working in general IT, but also specifically in security.

4. Communication Skills

Whether you work with a team or as a consultant after a breach, the people you work for will need to understand what happened. Good communication skills are crucial. In the same way penetration testers are expected to create professional reports of their findings, digital forensics investigators need to be able to explain their findings in terms that the rest of the team understands.

5. Desire to Learn

With new threats appearing every day, it’s no surprise that professionals in this field need to stay up to date. With a desire to learn new skills and techniques, you can succeed as a Digital Forensics Investigator or, at the very least, be a valuable asset to the team.

With security professionals in high demand and many jobs going unfilled, the future for anyone with these skills is very bright indeed. Add to that the fact that the average Digital Forensic Investigator salary is over $70,000 a year (according to PayScale.com), with the top earners making well into six figures, and it’s a great-paying career to boot (pun intended).

Source: Forbes

Curious about Digital Forensics? Learn how to investigate cyber intrusions and assist in cases of incident response with the Digital Forensics Professional (DFP) training course.

Cisco Remote PHY IPv4 Fragment Denial of Service Vulnerability

A vulnerability in certain IPv4 fragment-processing functions of Cisco Remote PHY Software could allow an unauthenticated, remote attacker to impact traffic passing through a device, potentially causing a denial of service (DoS) condition.

The vulnerability is due to the affected software not validating and calculating certain numerical values in IPv4 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending malformed IPv4 traffic to an affected device. A successful exploit could allow the attacker to disrupt the flow of certain IPv4 traffic passing through an affected device, which could result in a DoS condition.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-phy-ipv4-dos


Security Impact Rating: Medium
CVE: CVE-2018-15391

Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability

A vulnerability in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass an access control list (ACL) that is configured for an interface of an affected device.

The vulnerability is due to errors that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit this vulnerability by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to access resources that are behind the affected device and would typically be protected by the interface ACL.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-acl-bypass


Security Impact Rating: Medium
CVE: CVE-2018-15398

Cisco Adaptive Security Appliance TCP Syslog Denial of Service Vulnerability

A vulnerability in the TCP syslog module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust the 1550-byte buffers on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to a missing boundary check in an internal function. An attacker could exploit this vulnerability by establishing a man-in-the-middle position between an affected device and its configured TCP syslog server and then maliciously modifying the TCP header in segments that are sent from the syslog server to the affected device. A successful exploit could allow the attacker to exhaust the buffers on the affected device and cause all TCP-based features to stop functioning, resulting in a DoS condition. The affected TCP-based features include AnyConnect SSL VPN, clientless SSL VPN, and management connections such as Secure Shell (SSH), Telnet, and HTTPS.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-syslog-dos


Security Impact Rating: Medium
CVE: CVE-2018-15399

Cisco Small Business 300 Series Managed Switches Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business 300 Series Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected system.

The vulnerability exists because the affected management interface performs insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or allow the attacker to access sensitive, browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-300-switch-xss


Security Impact Rating: Medium
CVE: CVE-2018-0465

Cisco Adaptive Security Appliance IPsec VPN Denial of Service Vulnerability

A vulnerability in the implementation of Traffic Flow Confidentiality (TFC) over IPsec functionality in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

The vulnerability is due to an error that may occur if the affected software renegotiates the encryption key for an IPsec tunnel when certain TFC traffic is in flight. An attacker could exploit this vulnerability by sending a malicious stream of TFC traffic through an established IPsec tunnel on an affected device. A successful exploit could allow the attacker to cause a daemon process on the affected device to crash, which could cause the device to crash and result in a DoS condition.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-ipsec-dos


Security Impact Rating: Medium
CVE: CVE-2018-15397

The Future of Voice, Fraud, and the Impact to CX | A Recap

Voice is growing out of the call center and out of your telephone, and is becoming the next interface. In previous years, we have released fraud reports revolving around the call center, but with the expansion of voice, and the fraud that follows, we have shifted our perspective to voice intelligence – after all, voice is everywhere: your digital assistant, your latest kitchen appliance, and even your car.

The eras of economies have passed us by, first characterized by digitalization, then the wave of mobile devices, and now by voice – paving the way to the conversational economy. These economies are accompanied by their own collection of problems – and fraudsters are not letting up. There has been a 350% increase from 2013 to 2017 in phone fraud, and a 47% increase from last year. Banks and the insurance industry are experiencing a higher level of fraud, with a 20% and 36% increase in fraud year over year respectively.

So how did we get to these increased fraud rates?

There has been an increasing number of data breaches year over year; last year, there were 1,300 data breaches. These breaches make it easy for criminals to commit fraud – ultimately feeding into the $1.5 trillion cybercrime market. Additionally, a lot of enterprises rely heavily on KBAs, or knowledge-based authentication questions, which function as secrets for security. These “secrets” can be easily obtained through social engineering or through the black market.

The arrival of the omnichannel has not helped with containing fraud – consumers want to be able to contact a business through any channel, with the expectations for the experience to remain consistent. However, there are consequences for the omnichannel – it allows fraudsters to use resources from one channel to access an individual’s details in another channel. Lastly, as we build more tools to stop fraud, fraudsters are evolving quickly and learning how to combat these security measures.

Overall, fraud is the ultimate impact to customer experience – your customers have expectations for who they do business with, and if they expect their data to be safe with you, this should be upheld. We’re living in a world where consumers are likely to switch who they do business with if their customer experience expectations are not fulfilled.

For more information on the future of voice, fraud in the voice channel, and the impact it has on customer experience, tune into our on-demand webinar here.

The post The Future of Voice, Fraud, and the Impact to CX | A Recap appeared first on Pindrop.

CVE-2018-17053 (sitefinity_cms)

Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054.

CVE-2018-17054 (sitefinity_cms)

Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053.

NIST Privacy Framework Under Development to Complement NIST CSF

The upcoming NIST Privacy Framework will help enterprises manage privacy risks

Citing the success of its cybersecurity framework and the advent of IoT devices, artificial intelligence, and other technologies that are making it more challenging than ever for enterprises to protect their customers’ privacy, NIST has launched a collaborative project to develop a voluntary privacy… Read More


Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most times, it’s not true. In many cases, incidents are due to human error, or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats like attack types like SQL injection are known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in the online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.


The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.

IDG Contributor Network: Will your company be valued by its price-to-data ratio?

Anyone who watches the stock market knows that typically investors track a company’s price-to-earnings ratio, which is the company’s value divided by its net income. Investors of various asset classes may also value companies based on sales, free cash flow or EBITDA (Earnings Before Interest Taxes Depreciation and Amortization) multiples. All of these methods consider the current financial snapshot of the company’s performance, and then, in theory, try to estimate a future risk-adjusted growth rate to create an accurate valuation. But would it make more sense to measure future value of certain companies by applying a price-to-data ratio?

AI changes everything

For many companies, their future product or service success will be tied to the performance of their AI algorithms. And these algorithms are only as good as the data – in particular, large quantities of proprietary data – that trains them. Thus, in theory, the companies with the greatest quantity of proprietary data should have the best performing businesses, to the extent that algorithms are core to the business success. This may make sense for companies like Google, Facebook and Amazon, whose user experience and business models are closely tied to machine intelligence and proprietary data. It may also make sense for big pharma companies, like Johnson and Johnson, Novartis or Celgene, who all rely on cutting-edge drug discovery techniques to maintain and grow their market-leading positions.  The list of industry verticals and companies is vast, if one considers how data and AI will influence the future of many, if not all, industries.


How to Protect Your Connected Devices from Common Cyberattacks

When it comes to internet security, we all suffer from a condition known as optimism bias. It’s the simple idea that we, individually, won’t be affected negatively by an externality compared to others. The same mental distortion happens in the digital world. We read a lot about cybercrime and assume the consequences of those attacks won’t reach or affect us. The problem is, that’s optimism bias at work — and it is what fuels a cybercriminal’s success.

No one expects to lose control over their digital lives, but it does happen, and it can happen to you. And securing your information after a cyberattack is becoming less tenable. In fact, the total number of malware samples has grown almost 34%, more than 774 million, over the past four quarters according to the latest McAfee Labs Threats Report, hitting all-time highs in the second quarter of 2018. Fortunately, there are proactive steps you can take to secure yourself from the most active cyberattack methods.

Phishing Attacks

Cybercriminals use phishing attacks to try to trick you into clicking on a malicious link or downloading a malicious file. And they have pretty good odds of succeeding if they’re persistent. That’s because phishing attacks try to come across as trustworthy, appearing to come from a source a victim knows or trusts, like an authoritative organization. It’s a common and powerful technique.

A few simple steps can protect you. Examine an email’s sending address if you suspect anything. If you don’t know the sender, or the email’s content doesn’t seem familiar, remain wary and avoid interacting with the message. If you’re unsure, simply reach out to the apparent sender through a different channel, like a phone call or a different email account, that you found through your own research.

Unpatched Software

Unpatched, un-updated, and old software is one of the most exploited attack avenues by far. That’s because new software vulnerabilities or bugs are found all the time, and cybercriminals can use them to compromise a device. The longer software goes without an update, the longer cybercriminals have to find these vulnerabilities and exploit them.

The best way to stay a step ahead of active cybercriminals is to update your device’s software as often as possible. Updates often contain security patches blocking newly discovered attack avenues. Getting into a good update habit, too, is becoming increasingly critical as more and more devices connect to the internet. Speaking of which…

The Internet of Things

The Internet of Things, or IoT, is officially here — and we’re not just talking about internet-connected refrigerators or television sets. IoT devices encompass everything from toys and cars to watches and even clothing. All this available computing means cybercriminals have more opportunities than ever before to find and exploit vulnerabilities in everyday objects.

But, again, there are reliable, proactive defenses. First, make sure that, if your smart device or service requires an account, you use a complex and unique password. This means using numbers, symbols and upper and lower case letters. A password manager can help you create strong and unique passwords. Second, typically, if there’s software, there’s an update. Make sure you’re aware of any and all updates to your IoT devices and apply them as soon as you can. If you have an IoT device where updating is difficult, such as a thermostat, you’ll need a more holistic approach. Look for security services, like McAfee Secure Home Platform, designed for a home connected through a protected router that’s enhanced with advanced security analytics.

Finally, and this is a good rule in general, use a comprehensive security solution to protect your technology landscape. It’s a lot bigger than you think and growing every day with each new user account, IoT device or computer you use.

To learn more about securing your personal devices from cyberattacks, be sure to follow us at @McAfee and @McAfee_Home.

The post How to Protect Your Connected Devices from Common Cyberattacks appeared first on McAfee Blogs.

Securing Data Together

At McAfee, we value keeping customers at the core of our business. We deeply care about serving our clients and partners with excellence and we actively work to implement changes based on their suggestions. One of the ways we receive this feedback is through The Channel Company’s Annual Report Card survey.

The Annual Report Card summarizes results from a comprehensive survey that measures solution provider satisfaction across product innovation, support, and partnership for the hardware, services, and software vendors they team up with. More than 3,000 solution providers evaluate their satisfaction using this survey with over 65 vendor partners in 24 major product categories. The results help us understand how the market views McAfee, validate that we are doing the right things, and make changes as needed.

On behalf of McAfee, I am honored to announce that McAfee tied for the top spot in the Data Security category, receiving an overall score of 79.7. Within this category, McAfee scored highest in partnership (80.9) and managed and cloud services (76.3). Additionally, we took second place in Endpoint Security with an overall score of 80.3.

The cybersecurity landscape is constantly transforming with new threats targeting the data and systems of businesses everywhere. The main way McAfee protects data in this evolving environment is through McAfee Data Loss Prevention (McAfee DLP). This is a comprehensive solution that safeguards intellectual property and ensures compliance to internal policies by protecting sensitive data wherever it lives—on premises, in the cloud, or at endpoints. With McAfee DLP, users are empowered with data protection manual classification along with real-time pop-ups and a self-remediation tool to help increase employee data protection awareness.

We’re proud to provide a Data Loss Prevention solution that has earned the respect and trust of the partner community. Ultimately, we could not have accomplished this without our partners. We greatly appreciate partner loyalty and recognize the importance of the vital role they play in our business. We are excited to continue developing our partnerships and celebrate shared success along the way. Together with channel partners and distributors around the world, we are working to keep our customers and their data safe.

The post Securing Data Together appeared first on McAfee Blogs.

APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38.

We are releasing a special report, APT38: Un-usual Suspects, to expose the methods used by this active and serious threat, and to complement earlier efforts by others to expose these operations, using FireEye’s unique insight into the attacker lifecycle.

We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar:

  • We find there are clear distinctions between APT38 activity and the activity of other North Korean actors, including the actor we call TEMP.Hermit. Our investigation indicates they are disparate operations with different targets and reliance on distinct TTPs; however, the malware tools being used either overlap or exhibit shared characteristics, indicating a shared developer or access to the same code repositories. As evident in the DOJ complaint, there are other shared resources, such as personnel who may be assisting multiple efforts.
  • A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment. This report detailed malware and TTPs related to a set of developers and operators they dubbed “Lazarus,” a name that has become synonymous with aggressive North Korean cyber operations.
    • Since then, public reporting attributed additional activity to the “Lazarus” group with varying levels of confidence primarily based on malware similarities being leveraged in identified operations. Over time, these malware similarities diverged, as did targeting, intended outcomes and TTPs, almost certainly indicating that this activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.

Since at least 2014, APT38 has conducted operations in more than 16 organizations in at least 13 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources. The following are some details about APT38 targeting:

  • The total number of organizations targeted by APT38 may be even higher when considering the probable low incident reporting rate from affected organizations.
  • APT38 is characterized by long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards.
  • The group is careful, calculated, and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions, and system technologies to achieve its goals.
  • On average, we have observed APT38 remain within a victim network for approximately 155 days, with the longest time within a compromised environment believed to be almost two years.
  • In just the publicly reported heists alone, APT38 has attempted to steal over $1.1 billion from financial institutions.

Investigating intrusions of many victimized organizations has provided us with a unique perspective into APT38’s entire attack lifecycle. Figure 1 contains a breakdown of observed malware families used by APT38 during the different stages of their operations. At a high-level, their targeting of financial organizations and subsequent heists have followed the same general pattern:

  1. Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks (Please note: The systems in question are those used by the victim to conduct SWIFT transactions. At no point did we observe these actors breach the integrity of the SWIFT system itself.).
  2. Initial Compromise: Relied on watering holes and exploited an insecure out-of-date version of Apache Struts2 to execute code on a system.
  3. Internal Reconnaissance: Deployed malware to gather credentials, mapped the victim’s network topology, and used tools already present in the victim environment to scan systems.
  4. Pivot to Victim Servers Used for SWIFT Transactions: Installed reconnaissance malware and internal network monitoring tools on systems used for SWIFT to further understand how they are configured and being used. Deployed both active and passive backdoors on these systems to access segmented internal systems at a victim organization and avoid detection.
  5. Transfer funds: Deployed and executed malware to insert fraudulent SWIFT transactions and alter transaction history. Transferred funds via multiple transactions to accounts set up in other banks, usually located in separate countries to enable money laundering.
  6. Destroy Evidence: Securely deleted logs, as well as deployed and executed disk-wiping malware, to cover tracks and disrupt forensic analysis.


Figure 1: APT38 Attack Lifecycle

APT38 is unique in that it is not afraid to aggressively destroy evidence or victim networks as part of its operations. This attitude toward destruction is probably a result of the group trying to not only cover its tracks, but also to provide cover for money laundering operations.

In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support with the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds. This adds to the complexity and necessary coordination amongst multiple components supporting APT38 operations.

Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.

TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers

Original release date: October 03, 2018

Systems Affected

Network Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.

Description

MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.

Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily evade detection measures and maintain a presence on victims’ networks.

Note: NCCIC previously released information related to this activity in Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors published on April 27, 2017, which includes indicators of compromise, signatures, suggested detection methods, and recommended mitigation techniques.

Technical Details

APT

APT actors use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks.

Pre-installed system tools, such as command line scripts, are very common and used by system administrators for legitimate processes. Command line scripts are used to discover accounts and remote systems.

PowerSploit is a repository of Microsoft PowerShell and Visual Basic scripts and uses system commands such as netsh. PowerSploit, originally developed as a legitimate penetration testing tool, is widely misused by APT actors. These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors’ use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity.

When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration. APT actors have been observed using Robocopy—a Microsoft command line tool—to transfer exfiltrated and archived data from MSP client networks back through MSP network environments. Additionally, APT actors have been observed using legitimate PuTTY Secure Copy Client functions, allowing them to transfer stolen data securely and directly to third-party systems.

Impact

A successful network intrusion can have severe impacts on the affected organization, particularly if the compromise becomes public. Possible impacts include

  • Temporary or permanent loss of sensitive or proprietary information,
  • Disruption to regular operations,
  • Financial losses to restore systems and files, and
  • Potential harm to the organization’s reputation.

Solution

Detection

Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Properly configured logs enable rapid containment and appropriate response.

Response

An organization’s ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. An organization’s response capability should focus on being prepared to handle the most common attack vectors (e.g., spearphishing, malicious web content, credential theft). In general, organizations should prepare by

  • Establishing and periodically updating an incident response plan.
  • Establishing written guidelines that prioritize incidents based on mission impact, so that an appropriate response can be initiated.
  • Developing procedures and out-of-band lines of communication to handle incident reporting for internal and external relationships.
  • Exercising incident response measures for various intrusion scenarios regularly, as part of a training regime.
  • Committing to an effort that secures the endpoint and network infrastructure: prevention is less costly and more effective than reacting after an incident.

Mitigation

Manage Supply Chain Risk

MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP. Organizations should manage risk equally across their security, legal, and procurement groups. MSP clients should also refer to cloud security guidance from the National Institute of Standards and Technology to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection.[1] [2] [3]

Architecture

Restricting access to networks and systems is critical to containing an APT actor’s movement. Provided below are key items that organizations should implement and periodically audit to ensure their network environment’s physical and logical architecture limits an APT actor’s visibility and access.

Virtual Private Network Connection Recommendations

  • Use a dedicated Virtual Private Network (VPN) for MSP connection. The organization’s local network should connect to the MSP via a dedicated VPN. The VPN should use certificate-based authentication and be hosted on its own device.
  • Terminate VPN within a demilitarized zone (DMZ). The VPN should terminate within a DMZ that is isolated from the internal network. Physical systems used within the DMZ should not be used on or for the internal network.
  • Restrict VPN traffic to and from MSP. Access to and from the VPN should be confined to only those networks and protocols needed for service. All other internal networks and protocols should be blocked. At a minimum, all failed attempts should be logged.
  • Update VPN authentication certificates annually. Update the certificates used to establish the VPN connection no less than annually. Consider rotating VPN authentication certificates every six months.
  • Ensure VPN connections are logged, centrally managed, and reviewed. All VPN connection attempts should be logged in a central location. Investigate connections using dedicated certificates to confirm they are legitimate.

Network Architecture Recommendations

  • Ensure internet-facing networks reside on separate physical systems. All internet-accessible network zones (e.g., perimeter network, DMZ) should reside on their own physical systems, including the security devices used to protect the network environment.
  • Separate internal networks by function, location, and risk profile. Internal networks should be segmented by function, location, and/or enterprise workgroup. All communication between networks should use Access Control Lists and security groups to implement restrictions.
  • Use firewalls to protect server(s) and designated high-risk networks. Firewalls should reside at the perimeter of high-risk networks, including those hosting servers. Access to these networks should be properly restricted. Organizations should enable logging, using a centrally managed logging system.
  • Configure and enable private Virtual Local Area Networks (VLANs). Enable private VLANs and group them according to system function or user workgroup.
  • Implement host firewalls. In addition to the physical firewalls in place at network boundaries, hosts should also be equipped and configured with host-level firewalls to restrict communications from other workstations (this decreases workstation-to-workstation communication).

Network Service Restriction Recommendations

  • Only permit authorized network services outbound from the internal network. Restrict outbound network traffic to only well-known web browsing services (e.g., Transmission Control Protocol [TCP]/80, TCP/443). In addition, monitor outbound traffic to ensure the ports associated with encrypted traffic are not sending unencrypted traffic.
  • Ensure internal and external Domain Name System (DNS) queries are performed by dedicated servers. All systems should leverage dedicated internal DNS servers for their queries. Ensure that DNS queries for external hosts using User Datagram Protocol (UDP)/53 are permitted for only these hosts and are filtered through a DNS reputation service, and that outbound UDP/53 network traffic by all other systems is denied. Ensure that TCP/53 is not permitted by any system within the network environment. All attempts to use TCP/53 and UDP/53 should be centrally logged and investigated.
  • Restrict access to unauthorized public file shares. Access to public file shares that are not used by the organization—such as Dropbox, Google Drive, and OneDrive—should be denied. Attempts to access public file share sites should be centrally logged and investigated. Recommended additional action: monitor all egress traffic for possible exfiltration of data.
  • Disable or block all network services that are not required at the network boundary. Only those services needed to operate should be enabled and/or authorized at network boundaries. These services are typically limited to TCP/137, TCP/139, and TCP/445. Additional services may be needed, depending on the network environment; these should be tightly controlled to only send and receive from certain whitelisted Internet Protocol addresses, if possible.

Authentication, Authorization, and Accounting

Compromised account credentials continue to be the number one way threat actors are able to penetrate a network environment. The accounts organizations create for MSPs increase the risk of credential compromise, as MSP accounts typically require elevated access. It is important that organizations adhere to best practices for password and permission management, as this can severely limit a threat actor’s ability to access and move laterally across a network. Provided below are key items organizations should implement and routinely audit to ensure these risks are mitigated.

Account Configuration Recommendations

  • Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the Enterprise Administrator (EA) or Domain Administrator (DA) groups.
  • Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.
  • Ensure MSP account passwords adhere to organizational policies. Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.
  • Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
  • Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. Additionally, if MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
  • Use a network architecture that includes account tiering. By using an account tiering structure, higher privileged accounts will never have access or be found on lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.
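
The account configuration recommendations above can be checked against Active Directory on a schedule. The following script is an added example, not part of the alert: it assumes the ActiveDirectory module (RSAT) is installed, a domain-joined session, and that MSP accounts follow an assumed "msp-" naming convention; the "deny interactive logon" setting for service accounts is assigned through a GPO user right and is not checked here.

```powershell
# Added example (not from the alert): audit MSP accounts against the
# recommendations on administrator groups, system restriction, password
# policy and time/date restriction. The "msp-" prefix is an assumption.
Import-Module ActiveDirectory

function Test-MspAccountConfiguration {
    param(
        # Accounts to audit; by default every user whose name starts with "msp-".
        [string]   $NamePattern = 'msp-*',
        # Groups MSP accounts must never belong to, directly or through nesting.
        [string[]] $ForbiddenGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators')
    )
    # Resolve forbidden-group membership once, recursively, so nested groups count.
    $privileged = @{}
    foreach ($g in $ForbiddenGroups) {
        foreach ($m in (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)) {
            $privileged[$m.SamAccountName] = $g
        }
    }

    $props = 'AccountExpirationDate', 'Enabled', 'LogonWorkstations', 'LogonHours',
             'PasswordNeverExpires', 'LastLogonDate'
    Get-ADUser -Filter "SamAccountName -like '$NamePattern'" -Properties $props | ForEach-Object {
        $user     = $_
        $findings = New-Object System.Collections.Generic.List[string]

        if ($privileged.ContainsKey($user.SamAccountName)) {
            $findings.Add("member of $($privileged[$user.SamAccountName])")
        }
        if (-not $user.AccountExpirationDate) {
            $findings.Add('no expiration date (should match contract end)')
        } elseif ($user.AccountExpirationDate -lt (Get-Date) -and $user.Enabled) {
            $findings.Add('expired but still enabled')
        }
        if ([string]::IsNullOrEmpty($user.LogonWorkstations)) {
            $findings.Add('not restricted to the systems it manages (LogonWorkstations empty)')
        }
        # LogonHours is a 21-byte bitmap; unset, or every bit set, means no time restriction.
        $allHours = -not $user.LogonHours -or
                    (@($user.LogonHours | Where-Object { $_ -ne 255 }).Count -eq 0)
        if ($allHours) {
            $findings.Add('no logon-hours restriction')
        }
        if ($user.PasswordNeverExpires) {
            $findings.Add('password never expires (outside organizational password policy)')
        }

        [pscustomobject]@{
            Account  = $user.SamAccountName
            Enabled  = $user.Enabled
            Expires  = $user.AccountExpirationDate
            Findings = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-MspAccountConfiguration | Format-Table -AutoSize -Wrap
```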

Logging Configuration Recommendations

  • Enable logging on all network systems and devices and send logs to a central location. All network systems and devices should have their logging features enabled. Logs should be stored both locally and centrally to ensure they are preserved in the event of a network failure. Logs should also be backed up regularly and stored in a safe location.
  • Ensure central log servers reside in an enclave separate from other servers and workstations. Log servers should be isolated from the internet and network environment to further protect them from compromise. The firewall at the internal network boundary should only permit necessary services (e.g., UDP/514).
  • Configure local logs to store no less than seven days of log data. The default threshold for local logging is typically three days or a certain file size (e.g., 5 MB). Configure local logs to store no less than seven days of log data. Seven days of logs will cover the additional time in which problems may not be identified, such as holidays. In the event that only size thresholds are available, NCCIC recommends that this parameter be set to a large value (e.g., 512 MB to 1024 MB) to ensure that events requiring a high amount of log data, such as brute force attacks, can be adequately captured.
  • Configure central logs to store no less than one year of log data. Central log servers should store no less than a year’s worth of data prior to being rolled off. Consider increasing this capacity to two years, if possible.
  • Install and properly configure a Security Information and Event Management (SIEM) appliance. Install a SIEM appliance within the log server enclave. Configure the SIEM appliance to alert on anomalous activity identified by specific events and on significant deviations from baselined activity.
  • Enable PowerShell logging. Organizations that use Microsoft PowerShell should ensure it is upgraded to the latest version (minimum version 5) to use the added security of advanced logging and to ensure these logs are being captured and analyzed. PowerShell’s features include advanced logging, interaction with application whitelisting (if using Microsoft’s AppLocker), constrained language mode, and advanced malicious detection with the Antimalware Scan Interface. These features will help protect an organization’s network by limiting what scripts can be run, logging all executed commands, and scanning all scripts for known malicious behaviors.
  • Establish and implement a log review process. Logs that go unanalyzed are useless. It is critical to network defense that organizations establish a regular cycle for reviewing logs and developing analytics to identify patterns.

Operational Controls
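
The PowerShell logging and local log size recommendations above can be applied directly on a host (or pushed as the same registry values through a GPO). This is an added example, not from the alert: the transcript directory and the 1 GB limit are choices made for the example, and the script must run elevated.

```powershell
# Added example (not from the alert): enable PowerShell script block, module
# and transcription logging, and size local logs so size thresholds do not
# drop events before a week has passed. Run elevated on the host.
#Requires -RunAsAdministrator

if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "PowerShell $($PSVersionTable.PSVersion) found; version 5 or later is needed for this logging."
}

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string] $TranscriptDir = 'C:\PSTranscripts')   # assumed path

    # Script block logging records the content of every script block executed,
    # after de-obfuscation, to Microsoft-Windows-PowerShell/Operational (Event ID 4104).
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1

    # Module logging for all modules records pipeline execution details (Event ID 4103).
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Type DWord -Value 1
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*'

    # Transcription keeps a text record of every session, with invocation headers.
    # Forward the directory to the central log server so a local attacker cannot edit it.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Type DWord -Value 1
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Type DWord -Value 1
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir
}

function Set-LocalLogRetention {
    param([long] $MaximumBytes = 1GB)   # within the alert's 512 MB to 1024 MB guidance
    # Classic logs: raise the size limit and overwrite the oldest events only when full.
    foreach ($log in 'Security', 'System', 'Application') {
        Limit-EventLog -LogName $log -MaximumSize $MaximumBytes -OverflowAction OverwriteAsNeeded
    }
    # The PowerShell operational channel is not a classic log; wevtutil manages it.
    wevtutil.exe set-log 'Microsoft-Windows-PowerShell/Operational' /enabled:true /maxsize:$MaximumBytes
}

Enable-PowerShellLogging
Set-LocalLogRetention
```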

Building a sound architecture supported by strong technical controls is only the first part to protecting a network environment. It is just as critical that organizations continuously monitor their systems, update configurations to reflect changes in their network environment, and maintain relationships with MSPs. Listed below are key operational controls organizations should incorporate for protection from threats.

Operational Control Recommendations

  • Create a baseline for system and network behavior. System, network, and account behavior should be baselined to make it easier to track anomalies within the collected logs. Without this baseline, network administrators will not be able to identify the “normal” behaviors for systems, network traffic, and accounts.
  • Review network device configurations every six months. No less than every six months, review the active configurations of network devices for unauthorized settings (consider reviewing more frequently). Baseline configurations and their checksums should be stored in a secure location and be used to validate files.
  • Review network environment Group Policy Objects (GPOs) every six months. No less than every six months, review GPOs for unauthorized settings (consider reviewing more frequently). Baseline configurations and their checksums should be stored in a secure location and be used to validate files.
  • Continuously monitor and investigate SIEM appliance alerts. The SIEM appliance should be continuously monitored for alerts. All events should be investigated and documented for future reference.
  • Periodically review SIEM alert thresholds. Review SIEM appliance alert thresholds no less than every three months. Thresholds should be updated to reflect changes, such as new systems, activity variations, and new or old services being used within the network environment.
  • Review privileged account groups weekly. Review privileged account groups—such as DAs and EAs—no less than weekly to identify any unauthorized modifications. Consider implementing automated monitoring for these groups.
  • Disable or remove inactive accounts. Periodically monitor accounts for activity and disable or remove accounts that have not been active within a certain period, not to exceed 30 days. Consider including account management into the employee onboarding and offboarding processes.
  • Regularly update software and operating systems. Ensuring that operating systems and software are up to date is critical for taking advantage of a vendor’s latest security offerings. These offerings can include mitigating known vulnerabilities and offering new protections (e.g., credential protections, increased logging, forcing signed software).
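
Two of the operational controls above, the weekly privileged-group review against a stored baseline and the disabling of accounts inactive for more than 30 days, can be automated. The script below is an added example, not from the alert: it assumes the ActiveDirectory module and an assumed baseline path on a protected share; the baseline's SHA-256 hash is stored beside it, as the alert recommends for configuration baselines.

```powershell
# Added example (not from the alert): compare privileged-group membership with
# a hashed baseline and disable accounts inactive for more than 30 days.
Import-Module ActiveDirectory

$BaselinePath     = 'C:\SecureBaselines\privileged-groups.json'   # assumed location
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators'

function Get-PrivilegedGroupSnapshot {
    # Recursive membership, so accounts nested through other groups are included.
    $snapshot = @{}
    foreach ($g in $PrivilegedGroups) {
        $snapshot[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                          Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    $snapshot
}

function Compare-PrivilegedGroups {
    param([string] $Path = $BaselinePath)
    $current = Get-PrivilegedGroupSnapshot
    if (-not (Test-Path $Path)) {
        # First run: write the baseline and its checksum, then have a human verify it.
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
        (Get-FileHash -Path $Path -Algorithm SHA256).Hash | Set-Content -Path "$Path.sha256"
        Write-Warning "No baseline existed; wrote one to $Path. Verify its contents by hand."
        return
    }
    $storedHash = (Get-Content -Path "$Path.sha256" -Raw).Trim()
    if ((Get-FileHash -Path $Path -Algorithm SHA256).Hash -ne $storedHash) {
        throw "Baseline $Path does not match its stored hash; investigate before trusting it."
    }
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($g in $PrivilegedGroups) {
        $before = @($baseline.$g)
        $after  = $current[$g]
        foreach ($acct in ($after | Where-Object { $before -notcontains $_ })) {
            [pscustomobject]@{ Group = $g; Account = $acct; Change = 'ADDED since baseline' }
        }
        foreach ($acct in ($before | Where-Object { $after -notcontains $_ })) {
            [pscustomobject]@{ Group = $g; Account = $acct; Change = 'REMOVED since baseline' }
        }
    }
}

function Disable-InactiveAccounts {
    param([int] $Days = 30, [switch] $WhatIf)
    # Search-ADAccount evaluates lastLogonTimestamp; only still-enabled users are acted on.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled -and $_.SamAccountName -notin 'krbtgt', 'Guest' } |
        ForEach-Object {
            Disable-ADAccount -Identity $_ -WhatIf:$WhatIf
            [pscustomobject]@{ Account = $_.SamAccountName; LastLogon = $_.LastLogonDate; Action = 'Disabled' }
        }
}

Compare-PrivilegedGroups  | Format-Table -AutoSize
Disable-InactiveAccounts -WhatIf | Format-Table -AutoSize   # drop -WhatIf to apply
```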

It is important to note that—while the recommendations provided in this TA aim at preventing the initial attack vectors and the spread of any malicious activity—there is no single solution to protecting and defending a network. NCCIC recommends network defenders use a defense-in-depth strategy to increase the odds of successfully identifying an intrusion, stopping malware, and disrupting threat actor activity. The goal is to make it as difficult as possible for an attacker to be successful and to force them to use methods that are easier to detect with higher operational costs.

Report Unauthorized Network Access

Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC at (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).

References

Revision History

  • October 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.


TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation

Original release date: October 03, 2018

Systems Affected

Network Systems

Overview

This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.

Description

APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials and remote-access logs, and controlling privileged access and remote access.

Impact

APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.

Solution

Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response.

Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor’s objectives.

Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization’s enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.

APT TTPs and Corresponding Mitigations

The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.

Table 1: APT TTPs and Mitigations

The table’s two columns, APT TTPs and Mitigations, are laid out below as text: for each phase, the APT TTPs are listed first, followed by the mitigations grouped under Protect, Detect, and Respond and Recover.

Preparation

APT TTPs:

  • Allocate operational infrastructure, such as Internet Protocol addresses (IPs).
  • Gather target credentials to use for legitimate access.

Protect:

  • Educate users to never click unsolicited links or open unsolicited attachments in emails.
  • Implement an awareness and training program.

Detect:

  • Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators (URLs), IPs, and email addresses.
Engagement

APT TTPs:

  • Use legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP).
  • Leverage a trusted relationship between networks.

Protect:

  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Authenticate inbound email using Sender Policy Framework; Domain-Based Message Authentication, Reporting and Conformance; and DomainKeys Identified Mail to prevent email spoofing.
  • Prevent external access via RDP sessions and require VPN access.
  • Enforce multi-factor authentication and account-lockout policies to defend against brute force attacks.

Detect:

  • Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.
  • Scan all incoming and outgoing emails to detect threats and filter out executables.
  • Audit all remote authentications from trusted networks or service providers for anomalous activity.

Respond and Recover:

  • Reset credentials, including system accounts.
  • Transition to multifactor authentication and reduce use of password-based systems, which are susceptible to credential theft, forgery, and reuse across multiple systems.
Presence

APT TTPs:

Execution and Internal Reconnaissance:

  • Write to disk and execute malware and tools on hosts.
  • Use interpreted scripts and run commands in shell to enumerate accounts, local network, operating system, software, and processes for internal reconnaissance.
  • Map accessible networks and scan connected targets.

Lateral Movement:

  • Use remote services and log on remotely.
  • Use legitimate credentials to move laterally onto hosts, domain controllers, and servers.
  • Write to remote file shares, such as Windows administrative shares.

Credential Access:

  • Locate credentials, dump credentials, and crack passwords.

Protect:

  • Deploy an anti-malware solution, which also aims to prevent spyware and adware.
  • Prevent the execution of unauthorized software, such as Mimikatz, by using application whitelisting.
  • Deploy PowerShell mitigations and, in the more current versions of PowerShell, enable monitoring and security features.
  • Prevent unauthorized external access via RDP sessions. Restrict workstations from communicating directly with other workstations.
  • Separate administrative privileges between internal administrator accounts and accounts used by trusted service providers.
  • Enable detailed session-auditing and session-logging.

Detect:

  • Audit all remote authentications from trusted networks or service providers.
  • Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems.
  • Log use of system administrator commands, such as net, ipconfig, and ping.
  • Audit logs for suspicious behavior.
  • Use whitelist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.
  • Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.

Respond and Recover:

  • Reset credentials.
  • Monitor accounts associated with a compromise for abnormal behaviors, including unusual connections to nonstandard resources or attempts to elevate privileges, enumerate, or execute unexpected programs or applications.
Effect

APT TTPs:

  • Maintain access to trusted networks while gathering data from victim networks.
  • Compress and position data for future exfiltration in archives or in unconventional locations to avoid detection.
  • Send over command and control channel using data-transfer tools (e.g., PuTTY secure copy client [PSCP], Robocopy).

Protect:

  • Prevent the execution of unauthorized software, such as PSCP and Robocopy.

Detect:

  • Monitor for use of archive and compression tools.
  • Monitor egress traffic for anomalous behaviors, such as irregular outbound connections, malformed or abnormally large packets, or bursts of data to detect beaconing and exfiltration.
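
The Detect items in the table (logging use of net, ipconfig and ping; spotting privileged administrative share mapping; monitoring archive tools) and the Robocopy and PSCP exfiltration described in TA18-276B all come down to reviewing process-creation events. The script below is an added example, not from the alert: it runs the checks over constructed sample events with Security Event ID 4688 field names, and assumes an "msp-" naming convention for accounts that are held to a stricter baseline.

```powershell
# Added example (not from the alert): flag "living off the land" tool use in
# Windows process-creation events (Security Event ID 4688). The events below
# are constructed sample data so the script runs offline; on a real host, feed
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} with the same
# field names mapped from each event's XML.

# Tools the alerts name as misused, grouped by what their use suggests.
$WatchedTools = @{
    'exfiltration'   = @('robocopy.exe', 'pscp.exe', 'psftp.exe')
    'archiving'      = @('7z.exe', '7za.exe', 'rar.exe', 'winrar.exe', 'makecab.exe')
    'reconnaissance' = @('net.exe', 'net1.exe', 'ipconfig.exe', 'ping.exe', 'netsh.exe', 'nltest.exe', 'whoami.exe')
}

# Accounts held to a stricter baseline; the "msp-" prefix is an assumed naming convention.
$MonitoredAccountPattern = '^msp-'

function Find-LotlToolUse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $AccountPattern = $MonitoredAccountPattern
    )
    foreach ($e in $Events) {
        # Take the file name regardless of separator so the check also runs on non-Windows hosts.
        $exe = (($e.NewProcessName -split '[\\/]')[-1]).ToLowerInvariant()
        foreach ($category in $WatchedTools.Keys) {
            if ($WatchedTools[$category] -notcontains $exe) { continue }
            $isMonitored = $e.SubjectUserName -match $AccountPattern
            # A UNC path to an administrative share (C$, ADMIN$, IPC$) on the command line
            # is the "maps a privileged administrative share" case from the table.
            $adminShare = $e.CommandLine -match '\\\\[^\\\s]+\\(ADMIN\$|IPC\$|[A-Za-z]\$)'
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.Computer
                Account     = $e.SubjectUserName
                Executable  = $exe
                Category    = $category
                AdminShare  = $adminShare
                Severity    = if ($isMonitored -and ($category -eq 'exfiltration' -or $adminShare)) { 'High' }
                              elseif ($isMonitored -or $adminShare) { 'Medium' }
                              else { 'Low' }
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2018-10-03T02:14:07Z'; Computer = 'FS01'; SubjectUserName = 'msp-ops01'
                       NewProcessName = 'C:\Windows\System32\Robocopy.exe'
                       CommandLine = 'robocopy D:\Finance \\JUMP01\C$\stage /E /R:0' }
    [pscustomobject]@{ TimeCreated = '2018-10-03T02:09:51Z'; Computer = 'FS01'; SubjectUserName = 'msp-ops01'
                       NewProcessName = 'C:\Program Files\7-Zip\7z.exe'
                       CommandLine = '7z a C:\Users\Public\q3.7z D:\Finance' }
    [pscustomobject]@{ TimeCreated = '2018-10-03T09:30:12Z'; Computer = 'WS042'; SubjectUserName = 'jdoe'
                       NewProcessName = 'C:\Windows\System32\ipconfig.exe'
                       CommandLine = 'ipconfig /all' }
    [pscustomobject]@{ TimeCreated = '2018-10-03T09:31:40Z'; Computer = 'WS042'; SubjectUserName = 'jdoe'
                       NewProcessName = 'C:\Windows\System32\net.exe'
                       CommandLine = 'net use Z: \\FS01\ADMIN$' }
    [pscustomobject]@{ TimeCreated = '2018-10-03T09:32:05Z'; Computer = 'WS042'; SubjectUserName = 'jdoe'
                       NewProcessName = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe' }
)

# Expected on the sample: Robocopy by msp-ops01 is High, 7z by msp-ops01 and the
# ADMIN$ mapping by jdoe are Medium, ipconfig by jdoe is Low, notepad is not listed.
Find-LotlToolUse -Events $SampleEvents |
    Sort-Object { @{ High = 0; Medium = 1; Low = 2 }[$_.Severity] } |
    Format-Table TimeCreated, Computer, Account, Executable, Category, Severity -AutoSize
```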

Detailed Mitigation Guidance

Manage Credentials and Control Privileged Access

Compromising the credentials of legitimate users automatically provides a threat actor access to the network resources available to those users and helps that threat actor move more covertly through the network. Adopting and enforcing a strong-password policy can reduce a threat actor’s ability to compromise legitimate accounts; transitioning to multifactor authentication solutions increases the difficulty even further. Additionally, monitoring user account logins—whether failed or successful—and deploying tools and services to detect illicit use of credentials can help network defenders identify potentially malicious activity.

Threat actors regularly target privileged accounts because they not only grant increased access to high-value assets in the network, but also more easily enable lateral movement, and often provide mechanisms for the actors to hide their activities. Privileged access can be controlled by ensuring that only those users requiring elevated privileges are granted those accesses and, in accordance with the principle of least privilege, by restricting the use of those privileged accounts to instances where elevated privileges are required for specific tasks. It is also important to carefully manage and monitor local-administrator and MSP accounts because they inherently function with elevated privileges and are often ignored after initial configuration.

A key way to control privileged accounts is to segregate and control administrator (admin) privileges. All administrative credentials should be tightly controlled, restricted to a function, or even limited to a specific amount of time. For example, only dedicated workstation administrator accounts should be able to administer workstations. Server accounts, such as general, Structured Query Language, or email admins, should not have administrative access to workstations. The only place domain administrator (DA) or enterprise administrator (EA) credentials should ever be used is on a domain controller. Both EA and DA accounts should be removed from the local-administrators group on all other devices. On UNIX devices, sudo (or root) access should be tightly restricted in the same manner. Employing a multifactor authentication solution for admin accounts adds another layer of security and can significantly reduce the impact of a password compromise because the threat actor needs the other factor—that is, a smartcard or a token—for authentication.

Additionally, administrators should disable unencrypted remote-administrative protocols and services, which are often enabled by default. Protocols required for operations must be authorized, and the most secure version must be implemented. All other protocols must be disabled, particularly unencrypted remote-administrative protocols used to manage network infrastructure devices, such as Telnet, Hypertext Transfer Protocol, File Transfer Protocol, Trivial File Transfer Protocol, and Simple Network Management Protocol versions 1 and 2.

Control Remote Access and Audit Remote Logins

  • Control legitimate remote access by trusted service providers. Similar to other administrative accounts, MSP accounts should be given the least privileges needed to operate. In addition, it is recommended that MSP accounts either be limited to work hours, when they can be monitored, or disabled until work needs to be done. MSP accounts should also be held to the same or higher levels of security for credential use, such as multifactor authentication or more complex passwords subject to shorter expiration timeframes.
  • Establish a baseline on the network. Network administrators should work with network owners or MSPs to establish what normal baseline behavior and traffic look like on the network. It is also advisable to discuss what accesses are needed when the network is not being actively managed. This will allow local network personnel to know what acceptable cross-network or MSP traffic looks like in terms of ports, protocols, and credential use.
  • Monitor system event logs for anomalous activity. Network logs should be captured to help detect and identify anomalous and potentially malicious activity. In addition to the application whitelisting logs, administrators should ensure that other critical event logs are being captured and stored, such as service installation, account usage, pass-the-hash detection, and RDP detection logs. Event logs can help identify the use of tools like Mimikatz and the anomalous use of legitimate credentials or hashes. Baselining is critical for effective event log analysis, especially in the cases of MSP account behavior.
  • Control Microsoft RDP. Adversaries with valid credentials can use RDP to move laterally and access information on other, more sensitive systems. These techniques can help protect against the malicious use of RDP:
    • Assess the need to have RDP enabled on systems and, if required, limit connections to specific, trusted hosts.
    • Verify that cloud environments adhere to best practices, as defined by the cloud service provider. After the cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose.
    • Place any system with an open RDP port behind a firewall and require users to communicate via a VPN through a firewall.
    • Perform regular checks to ensure RDP port 3389 is not open to the public internet. Enforce strong-password and account-lockout policies to defend against brute force attacks.
    • Enable the restricted-administrator option available in Windows 8.1 and Server 2012 R2 to ensure that reusable credentials are neither sent in plaintext during authentication nor cached.
  • Restrict Secure Shell (SSH) trusts. It is important that SSH trusts be carefully managed and secured because improperly configured and overly permissive trusts can provide adversaries with initial access opportunities and the means for lateral movement within a network. Access lists should be configured to limit which users are able to log in via SSH, and root login via SSH should be disabled. Additionally, the system should be configured to only allow connections from specific workstations, preferably administrative workstations used only for the purpose of administering systems.
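
The RDP controls in the list above (assess whether RDP is needed, limit it to trusted hosts, confirm 3389 is not reachable from arbitrary networks, enable Restricted Admin mode) can be checked and applied per host. The script below is an added example, not from the alert: it must run elevated, the trusted administrative range is an assumption, and the SSH items apply to UNIX hosts and are outside this script.

```powershell
# Added example (not from the alert): report and apply host-level RDP controls.
# Run elevated; the trusted-host range is an assumed administrative subnet.
#Requires -RunAsAdministrator

$TerminalServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Lsa            = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-RdpExposure {
    # fDenyTSConnections = 1 means RDP is disabled on the host.
    $rdpEnabled = (Get-ItemProperty -Path $TerminalServer -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 requires Network Level Authentication before a session is created.
    $nla = (Get-ItemProperty -Path "$TerminalServer\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
    # DisableRestrictedAdmin = 0 enables Restricted Admin mode; an absent value means it is off.
    $ra = Get-ItemProperty -Path $Lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    $restrictedAdmin = ($null -ne $ra) -and ($ra.DisableRestrictedAdmin -eq 0)
    # Enabled inbound rules for 3389 whose remote scope is "Any" expose RDP to every network.
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        RdpEnabled             = $rdpEnabled
        NlaRequired            = $nla
        RestrictedAdminEnabled = $restrictedAdmin
        OpenToAnyRemote        = @($openRules).Count -gt 0
        OpenRuleNames          = @($openRules | Select-Object -ExpandProperty DisplayName)
    }
}

function Set-RdpHardening {
    param(
        # Administrative workstations allowed to reach RDP (assumed range).
        [string[]] $TrustedHosts = @('10.10.5.0/24'),
        # Use when the host does not need RDP at all.
        [switch]   $DisableRdp
    )
    if ($DisableRdp) {
        Set-ItemProperty -Path $TerminalServer -Name fDenyTSConnections -Type DWord -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    Set-ItemProperty -Path "$TerminalServer\WinStations\RDP-Tcp" -Name UserAuthentication -Type DWord -Value 1
    Set-ItemProperty -Path $Lsa -Name DisableRestrictedAdmin -Type DWord -Value 0
    # Scope the built-in Remote Desktop rules to the trusted hosts instead of "Any".
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $TrustedHosts
}

Test-RdpExposure | Format-List
```

Run `Test-RdpExposure` on each host before and after `Set-RdpHardening` (or `Set-RdpHardening -DisableRdp` where RDP is not needed) to confirm the firewall scope and authentication settings took effect.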

Report Unauthorized Network Access

Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC at (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).

References

Revision History

  • October 3, 2018: Initial version