Author Archives: Mikayla Townsend

Protection via Deception: How Honeypots Confuse – and Defeat – Hackers

To tweak a traditional saying, you can do a better job catching flies with honey than vinegar.

In this case, I’m talking about the “honeypot,” set up to catch the hacker “fly.” To summarize and elaborate upon various definitions over the years, honeypots are computer systems that lure attackers by simulating real systems within a network. The systems appear to be authentic, but the data and additional cyber resources within bear little-to-no actual value to the organization behind the effort. In many instances, the honeypot entirely fabricates email accounts, ports, or even an “active” website. In others, contained data is authentic, but it’s relatively inconsequential information that the organization is willing to “give up” to the adversary.

Various incarnations of the concept have been around since the mid-1980s. Then, cybersecurity legend Fred Cohen – who, among his many achievements, first defined the term “computer virus” – created the first publicly-available honeypot with his Deception ToolKit (DTK) in 1998. “If (DTK) increases uncertainty for the attackers, it can do a lot to reduce attacks – both inside and outside,” Cohen wrote in an FAQ about his toolkit. “DTK does not have to fool all the people all the time. It is doing great if it fools some of the people some of the time and scares some of the people some of the time.” (Not surprisingly, Cohen is fond of the Sun Tzu quote, “All warfare is based on deception.”)

Despite its established history and fascinating capacity for discovery, enterprises have been slow to adopt honeypots. According to a SANS survey, less than one-quarter deploy them in their networks today. Yet, of those that have honeypots deployed, 45 percent have triggered at least 10 honeypot-enabled events within the last year, and 38 percent have done so more than 15 times during the same period. And there’s building promise for increased deployments as the global deception technology market is expected to grow to $2.09 billion by 2021, up from $1.04 billion in 2016, according to a forecast from MarketsandMarkets.

For the projected spike in adoption to take hold, chief information security officers (CISOs) and their teams will need to overcome the following challenges:

  • Scale. If your goal is to create an illusion that overwhelms attackers with numbers, it requires the fabrication of perhaps 100 hosts – all of which the cybersecurity team must manage. This requires significant commitment from the team.
  • Authenticity. Numbers alone aren’t enough; the honeypot system needs to look and “feel” real to attackers or they won’t take the bait. Cybersecurity professionals must do this manually, as there are currently no automated solutions that do this for them. A non-active honeypot – like a port – doesn’t involve an extensive effort. But a more ambitious invention – like a fully-functioning, but fake, website with working apps – demands considerable planning, delivery, and oversight. In addition, everything must be updated periodically, again, in the interest of realism and relevancy. When the previously mentioned scale and manual processes are taken into account, all of this can require a significant amount of time and effort.

Once these challenges are addressed, organizations can benefit on multiple levels:

  • Threat Trend Analysis. CISOs and their teams get a front-row seat to what hackers are after and the tools/methods they use – deploying open source or customized products, exploiting publicly disclosed vulnerabilities or unknown ones, etc. As a result, honeypots present teams with the opportunity to learn about intrusion techniques and the potential vulnerabilities of their own, actual systems.
  • Elimination of False Positives. There is no legitimate reason to enter a honeypot – anyone who interacts with one is a suspect. Thus, the honeypot triggers fewer alerts, but those alerts are of a much higher quality. That’s why it is an especially effective way to identify insider threats – because if employees snoop around outside of their authorized areas and manage to access a honeypot, it’s fair to conclude that they are up to no good.
  • Depletion of the Adversary’s Resources – and Patience. If the scale challenge is successfully addressed, then organizations “invent” dozens or even hundreds of false doors for hackers to break into. They are forced to use more of their capabilities, all while showing more of their hand. Hackers are traditionally “Davids” attempting to take down large corporations, or “Goliaths.” If you make it that much more difficult for enemies to get to their intended targets, they’ll give up and move on to victims that offer an easier path.
  • Confusing the Adversary. As Sun Tzu stated, warfare is about deception. The deception results in calculated confusion, designed to degrade the accuracy and effectiveness of an attack. Hackers can’t tell the difference between what’s real and fake because everything looks like a system they’re trying to access. To further muddle the picture, cybersecurity teams may, for example, “disguise” a Windows server as a Linux one, so the threat actors use the wrong tools, leading them to conclude (for the moment) that their job is done. In his FAQ, Cohen described this as “(attacking) the weakest link of the attackers. Their fears of being caught, their uncertainty about whether they are being detected and watched, and the bursting of their egos when they find out they have been fooled.”

At LookingGlass, we’re intrigued by deception technologies, and are immersing ourselves into developing next-generation solutions to camouflage and defend our customers’ real systems and cyber assets while exposing, confusing, and exhausting the capabilities of their adversaries. If you’d like to know more about how we are leveraging deception capabilities, contact us.

 

The post Protection via Deception: How Honeypots Confuse – and Defeat – Hackers appeared first on LookingGlass Cyber Solutions Inc..

Name That Risk: 8 Types of Third Party Risks You Should Know

There’s a lot of talk in the industry about protecting your company from third party risk, especially with the implementation of new regulations that hold organizations accountable for third party cybersecurity. While the OCC, FDIC, and the Federal Reserve all agree that vigorous due diligence and on-going third party monitoring are crucial to reducing your third party risk, it’s the wild west when it comes to agreement in practice.

Compounding this matter is the fact that the term ‘risk’ is quite broad. So broad in fact, that no two regulators categorize risk in precisely the same way. So how can organizations solve for ‘X’ risk if we have no clear definition of risk.

The key is to develop and implement a third party risk management program with processes and metrics to assess and manage risk expectations.

When starting this process, it is good to outline the categories of risk. Here are some types of risk that are good to know due to frequency of occurrence:

  • Reputational risk—Whether a third party provider deals directly with customers or offers a service that can indirectly impact customers, it’s your reputation on the line if the third party drops the ball.
  • Operational risk—When a third party provider is integrated into internal processes, such as through the use of a cloud-based, customer relationship management solution, it increases operational complexity and risk.
  • Transactional risk—From insufficient capacity that prevents transactions from being completed to security lapses that lead to unauthorized access and misuse of data, transaction risk is one of the most commonly encountered—and highly publicized— risks a financial institute faces.
  • Credit risk—While credit risk is most frequently considered in terms of a third party’s own financial condition, credit risk also stems from the use of third parties for loan origination, underwriting, or business solicitation.
  • Compliance risk—As more laws, rules, and regulations are put into place to protect consumers, the level of compliance risk also increases. Non-compliance due to lapses by a third party provider does not indemnify a financial organization against penalties.
  • Strategic risk—If a third party provider fails to meet the terms of a contract or return on investment.
  • Country risk—Whenever a financial institution engages a third-party provider based in a foreign country, it is exposed to potential economic, social and political conditions related to the provider location.
  • Legal risk—The activities of a third party provider can expose a financial institution to legal expenses and possible lawsuits.

Staying ahead of all these types of risk requires more than a scorecard. Organizations need to partner with a company that provides relevant intelligence – properly aggregated, contextualized, and correlated – to your organization. It also wouldn’t hurt to have access to an analyst who can discuss the implications and potential for multiple risks on your business.

With LookingGlass’ Third Party Risk Management solution, organizations receive a 360-degree view into your vendors’ risk profile, which establishes a baseline of risk for each of your vendors, and then offers continuous third party risk monitoring so you are prepared for any kind of third party risk.

Want to learn more about our Third Party Risk Management Solution? Contact Us.

 

The post Name That Risk: 8 Types of Third Party Risks You Should Know appeared first on LookingGlass Cyber Solutions Inc..

Weekly Threat Intelligence Brief: July 10, 2018

Threat Intelligence Briefs

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Information Security Risk

“Adidas AG is the latest company to come under attack from cyber-thieves looking to steal personal information, with millions of customers potentially at risk. The athletic-wear company alerted customers about a possible data breach on its U.S. website. A preliminary investigation found the leaked data includes contact information, usernames and encrypted passwords, the company said in a statement. Adidas said it does not believe any credit card or health and fitness information was compromised. The company said it found out about the problem when “an unauthorized party” claimed to have acquired some of its consumer data. Adidas is in the process of conducting a forensic review and is alerting customers it believes could be affected.”

 –Bloomberg

Technology

“A Spain-based software-as-a-service (SaaS) company that specializes in online forms and surveys, has suffered a security breach that resulted in the data collected by its customers getting stolen. According to a notice posted on its website, Typeform identified the breach on June 27 and addressed its cause roughly half an hour later. The company says an attacker has managed to download a backup file dated May 3 from one of its servers. The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms. Data collected after May 3, payment information, and passwords are not impacted, Typeform said. UK-based mobile banking service Monzo is one of the impacted organizations. Monzo says the breach affects roughly 20,000 individuals, a vast majority of which only had their email address exposed. However, in some cases, information such as postcode, name of the old bank, Twitter username, university, city, age and salary range, and employer was also compromised. The Tasmanian Electoral Commission was also hit by this breach. The organization notes that while some of the stolen data is already public, the attacker may have also obtained names, addresses, email addresses, and dates of birth submitted by electors when applying for an express vote at recent elections. The list of organizations that has notified customers of the Typeform breach also includes Thriva, Birdseye, HackUPC, and Ocean Protocol.”

SecurityWeek

Reputational Risk

“A Danish bank’s Estonian operations may have been used to launder as much as 53 billion kroner ($8.3 billion), according to a recent report by a Danish newspaper. That’s considerably more than the 25 billion kroner previously estimated, the newspaper said. The revised figure was based on documents from a further 20 firms that had accounts at the bank’s Estonian office between 2007 and 2015. The bank expects to release the findings of an internal investigation of the money laundering breaches by September. A Danish government official said he bank’s internal probe won’t be enough to satisfy the government, and said he was awaiting the findings of other investigations. The bank was reprimanded in May by the Financial Supervisory Authority in Copenhagen and ordered to hold an additional 5 billion kroner in regulatory capital, among other disciplinary measures.”

The Globe and Mail

Legal, Litigation, & Regulatory Risk

“Many U.K. financial firms don’t have a Plan B to fall back on if they’re hit by a cyber-attack. The Bank of England wants to change that. Financial regulators told firms to come up with a detailed plan for restoring services such as payments, lending and insurance after a disruption, and to invest in the staff and technology to make it work. The plan should include time limits on how long an outage could last. “Boards and senior management should assume that individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options,” the Bank of England and the Financial Conduct Authority said. The discussion paper is part of the regulators’ effort to bolster the resilience of financial firms in response to a rising number of operational failures.”


The post Weekly Threat Intelligence Brief: July 10, 2018 appeared first on LookingGlass Cyber Solutions Inc..